diff --git a/tests/test-ruleparse-etopen-01/emerging-all.rules b/tests/test-ruleparse-etopen-01/emerging-all.rules
index 6569ed543..e03a7880e 100644
--- a/tests/test-ruleparse-etopen-01/emerging-all.rules
+++ b/tests/test-ruleparse-etopen-01/emerging-all.rules
@@ -360,8 +360,6 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Exploit MS
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS SMB DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 00|"; within:10; distance:4; nocase; content:"|36 00|"; within:2; distance:19; pcre:"/(\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$/Rs"; flowbits:isset,netbios.pnp.bind.attempt; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002203; classtype:attempted-admin; sid:2002203; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Windows Media Player parsing BMP file with 0 size offset to start of image"; flow:established,from_server; content:"BM"; depth:400; byte_test:8,=,0,4,relative; reference:url,www.milw0rm.com/id.php?id=1500; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; reference:url,doc.emergingthreats.net/bin/view/Main/2002802; classtype:attempted-user; sid:2002802; rev:8; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2017_09_28;)
-
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT DOS Microsoft Windows SRV.SYS MAILSLOT"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; distance:21; content:"|01 00 00 00 00 00|"; distance:1; within:6; byte_test:2,=,17,0,little,relative; content:"|5C|MAILSLOT|5C|"; within:10; distance:2; reference:url,www.milw0rm.com/exploits/2057; reference:url,www.microsoft.com/technet/security/bulletin/MS06-035.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2003067; classtype:attempted-dos; sid:2003067; rev:5; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040)"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; within:9; distance:4; content:"|1f 00|"; distance:20; within:2; reference:url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2003081; classtype:misc-attack; sid:2003081; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -684,18 +682,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 27020:27050 (msg:"ET GAMES STEAM Connec
 
 #alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 ACK"; content:"|f1 be|"; depth:2; dsize:16; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011747; classtype:policy-violation; sid:2011747; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 IPv6 Inbound Connect Request (Windows Source)"; dsize:10<>23; flow:established,to_server; content:"|05 01 00 04|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003284; classtype:protocol-command-decode; sid:2003284; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
-
-#alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 IPv6 Inbound Connect Request (Linux Source)"; dsize:10<>23; flow:established,to_server; content:"|05 01 00 04|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003285; classtype:protocol-command-decode; sid:2003285; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
-
-#alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Bind Inbound (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 02|"; depth:2; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003288; classtype:protocol-command-decode; sid:2003288; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
-
-#alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Bind Inbound (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 02|"; depth:2; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003289; classtype:protocol-command-decode; sid:2003289; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
-
-#alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Bind Inbound (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 02 00 01|"; depth:4; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003290; classtype:protocol-command-decode; sid:2003290; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
-
-#alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Bind Inbound (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 02 00 01|"; depth:4; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003291; classtype:protocol-command-decode; sid:2003291; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
-
 alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET P2P Ares Server Connection"; flow:established,to_server; dsize:<70; content:"r|be|bloop|00|dV"; content:"Ares|00 0a|"; distance:16; reference:url,aresgalaxy.sourceforge.net; reference:url,doc.emergingthreats.net/bin/view/Main/2008591; classtype:policy-violation; sid:2008591; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 6969 (msg:"ET P2P BitTorrent Announce"; flow: to_server,established; content:"/announce"; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000369; classtype:policy-violation; sid:2000369; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -736,8 +722,6 @@ alert tcp any any -> any any (msg:"ET P2P Phatbot Control Connection"; flow: est
 
 alert tcp $EXTERNAL_NET 2234 -> $HOME_NET any (msg:"ET P2P Soulseek Filesearch Results"; flow: from_server,established; content:"|09 00 00 00 78|"; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001187; classtype:policy-violation; sid:2001187; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp [174.129.0.0/16,67.202.0.0/18,79.125.0.0/17,184.72.0.0/15,75.101.128.0/17,174.129.0.0/16,204.236.128.0/17] !53 -> $HOME_NET !53 (msg:"ET POLICY Incoming UDP Packet From Amazon EC2 Cloud";  reference:url,doc.emergingthreats.net/2010816; classtype:command-and-control; sid:2010816; rev:6; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_08_20;)
-
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY REG files version 5 download"; flow: established; content:"Windows Registry Editor Version 5.00"; content:"|0D 0A|"; content:"["; content:"HKEY_"; nocase; reference:url,www.ss64.com/nt/regedit.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000421; classtype:misc-activity; sid:2000421; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY REG files version 5 Unicode download"; flow: established; content:"W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|R|00|e|00|g|00|i|00|s|00|t|00|r|00|y|00| |00|E|00|d|00|i|00|t|00|o|00|r|00| |00|V|00|e|00|r|00|s|00|i|00|o|00|n|00| |00|5|00|.|00|0|00|0|00|"; content:"|0D 0A|"; content:"[|00|"; content:"H|00|K|00|E|00|Y|00|_|00|"; nocase; reference:url,www.ss64.com/nt/regedit.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000422; classtype:misc-activity; sid:2000422; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -920,7 +904,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Google Talk TLS Cli
 
 #alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT MSN file transfer reject"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance: 0; content:"Invitation-Command|3A|"; content:"CANCEL"; distance: 0; content:"Cancel-Code|3A|"; nocase; content:"REJECT"; nocase; distance: 0; reference:url,doc.emergingthreats.net/2001243; classtype:policy-violation; sid:2001243; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT MSN status change"; flow:established,to_server; content:"CHG "; depth:55; reference:url,doc.emergingthreats.net/2002192; classtype:policy-violation; sid:2002192; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT MSN status change"; flow:established,to_server; content:"CHG "; depth:55; reference:url,doc.emergingthreats.net/2002192; classtype:policy-violation; sid:2002192; rev:4; metadata:created_at 2010_07_30, deprecation_reason Relevance, former_category CHAT, updated_at 2010_07_30;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MSN Game Loading"; flow:established,to_server; content:"|6D 73 6E 67 61 6D 65 2E 61 73 70 78|"; depth:90; reference:url,doc.emergingthreats.net/2002312; classtype:policy-violation; sid:2002312; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -1576,14 +1560,8 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Visagesoft
 
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Viscom Movie Player Pro SDK ActiveX DrawText method Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MOVIEPLAYER.MoviePlayerCtrl.1"; nocase; distance:0; content:"DrawText"; nocase; reference:url,www.shinnai.net/exploits/X6hU4E0E7P5H3qH5yXrn.txt; reference:url,secunia.com/advisories/38156/; reference:url,doc.emergingthreats.net/2010944; classtype:attempted-user; sid:2010944; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Webmoney Advisor ActiveX Redirect Method Remote DoS Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; content:"3AFFD7F7-FD3D-4C9D-8F83-03296A1A8840"; nocase; distance:0; content:"Redirect"; nocase; reference:url,exploit-db.com/exploits/12431; reference:url,doc.emergingthreats.net/2011723; classtype:attempted-user; sid:2011723; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag ActiveX, updated_at 2019_04_15;)
-
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Webmoney Advisor ActiveX Control DoS Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TOOLBAR3Lib.ToolbarObj"; nocase; distance:0; content:"Redirect"; nocase; reference:url,exploit-db.com/exploits/12431; reference:url,doc.emergingthreats.net/2011724; classtype:attempted-user; sid:2011724; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag ActiveX, updated_at 2019_04_15;)
-
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Yahoo CD Player ActiveX Open Stack Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"5622772D-6C27-11D3-95E5-006008D14F3B"; nocase; distance:0; content:"Open"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5622772D-6C27-11D3-95E5-006008D14F3B/si"; reference:url,www.shinnai.net/exploits/pD9YWswsoR3EIcE9bf3N.txt; reference:url,doc.emergingthreats.net/2010945; classtype:attempted-user; sid:2010945; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Yahoo CD Player ActiveX Open Stack Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"YoPlayer.YoPlyCd.1"; nocase; distance:0; content:"open"; nocase; reference:url,www.shinnai.net/exploits/pD9YWswsoR3EIcE9bf3N.txt; reference:url,doc.emergingthreats.net/2010946; classtype:attempted-user; sid:2010946; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag ActiveX, updated_at 2019_04_15;)
-
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 4274 (msg:"ET WEB_SPECIFIC_APPS Possible Xedus Webserver Directory Traversal Attempt"; flow: to_server,established; content:"/../data/log.txt"; content:"/../WINNT/"; nocase; reference:url,www.gulftech.org/?node=research&article_id=00047-08302004; reference:url,doc.emergingthreats.net/2001238; classtype:web-application-activity; sid:2001238; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zen Cart Remote Code Execution"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"admin/record_company.php/password_forgotten.php"; content:"action=insert"; nocase; depth:100; reference:url,www.securityfocus.com/bid/35467; reference:url,www.milw0rm.com/exploits/9004; reference:url,doc.emergingthreats.net/2009663; classtype:web-application-activity; sid:2009693; rev:4; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2010_07_30;)
@@ -1636,40 +1614,14 @@ alert tcp $HOME_NET 139 -> any any (msg:"ET EXPLOIT Pwdump3e Password Hash Retri
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Spyware 2020"; flow: to_server,established; content:"|48 6F 73 74 3A 20 77 77 77 2E 32 30 32 30 73 65 61 72 63 68 2E 63 6F 6D|"; content:"|49 70 41 64 64 72|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.2020search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000327; classtype:trojan-activity; sid:2000327; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ADWARE_PUP 2nd-thought (W32.Daqa.C) Download"; flow: from_server,established; content:"|67 6f 69 64 72 2e 63 61 62|"; nocase; content:"|48 6f 73 74 3a 20 77 77 77 2e 77 65 62 6e 65 74 69 6e 66 6f 2e 6e 65 74|"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.secondthought.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001447; classtype:pup-activity; sid:2001447; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Altnet PeerPoints Manager Start"; flow: to_server,established; uricontent:"/pm/start.asp"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000906; classtype:policy-violation; sid:2000906; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Altnet PeerPoints Manager Data Submission"; flow: to_server,established; uricontent:"/backoffice.net/stats/Add.aspx"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000598; classtype:policy-violation; sid:2000598; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Altnet PeerPoints Manager Settings Download"; flow: to_server,established; uricontent:"/pointsmanager/settings.cab?"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000907; classtype:policy-violation; sid:2000907; rev:10; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Advertising.com Reporting Data"; flow: to_server,established; uricontent:"/site="; uricontent:"/mnum="; uricontent:"/bins="; uricontent:"/rich="; uricontent:"/logs="; uricontent:"/betr=";  reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002304; classtype:policy-violation; sid:2002304; rev:8; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED C4tdownload.com Access, Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; content:".c4tdownload.com"; within:26; nocase; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001531; classtype:trojan-activity; sid:2001531; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Default-homepage-network.com Access"; flow: to_server,established; content:"wsh.RegWrite"; nocase; content:"default-homepage-network.com/start.cgi?"; nocase; reference:url,default-homepage-network.com/start.cgi?new-hkcu; reference:url,doc.emergingthreats.net/bin/view/Main/2001222; classtype:trojan-activity; sid:2001222; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Evidencenuker.com Fake AV Updating"; flow:established,to_server; uricontent:"/products/evidencenuker/update.php?version="; nocase; reference:url,www.evidencenuker.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003568; classtype:trojan-activity; sid:2003568; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fun Web Products MyWay Agent Traffic"; flow: to_server,established; content:"FunWebProducts-MyWay|3b|"; nocase; threshold: type limit, track by_src, count 10, seconds 60; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001043; classtype:policy-violation; sid:2001043; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Pacimedia Spyware 2"; flow: to_server,established; uricontent:"/xml/check.php?"; nocase; uricontent:"u="; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002194; classtype:policy-violation; sid:2002194; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED YourSiteBar Data Submision"; flow: to_server,established; uricontent:"/ist/scripts/istsvc_ads_data.php?version="; nocase; reference:url,www.ysbweb.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001698; classtype:trojan-activity; sid:2001698; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS User Agent Containing http Suspicious - Likely Spyware/Trojan"; flow:to_server,established; content:"User-Agent|3a|"; nocase; content:!"rss"; nocase; pcre:"/User-Agent\:[^\n]+http\:\/\//i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003394; classtype:trojan-activity; sid:2003394; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Mozilla/5.0|0d 0a|"; nocase; content:!"|0d 0a|Host|3a| download.releasenotes.nokia.com"; content:!"Mozilla/5.0|0d 0a|Connection|3a| Close|0d 0a 0d 0a|"; reference:url,doc.emergingthreats.net/2009295; classtype:trojan-activity; sid:2009295; rev:9; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (Internet Antivirus Pro)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| Internet Antivirus Pro|0d 0a|"; reference:url,doc.emergingthreats.net/2009440; classtype:trojan-activity; sid:2009440; rev:6; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (ClickAdsByIE)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| ClickAdsByIE"; reference:url,doc.emergingthreats.net/2009445; classtype:trojan-activity; sid:2009456; rev:5; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP IE homepage hijacking"; flow: from_server,established; content:"wsh.RegWrite"; nocase; content:"HKLM\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Main\\\\Start Page"; nocase; reference:url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000514; classtype:pup-activity; sid:2000514; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET ADWARE_PUP MarketScore.com Spyware SSL Access"; flow: to_server,established; content:"www.marketscore.com"; content:"InstantSSL1"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001563; classtype:pup-activity; sid:2001563; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
 alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT ping request"; content:"d1|3a|ad2|3a|id20|3a|"; depth:12; nocase; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008581; classtype:policy-violation; sid:2008581; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT announce_peers request"; content:"d1|3a|ad2|3a|id20|3a|"; nocase; depth:14; content:"e1|3a|q13|3a|announce_peer1|3a|"; nocase; distance:55; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008585; classtype:policy-violation; sid:2008585; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -1700,7 +1652,7 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Fuzzing Scan"
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sality Virus User Agent Detected (SPM_ID=)"; flow:established,to_server; content:"User-Agent|3a| SPM_ID="; nocase; reference:url,doc.emergingthreats.net/2003651; classtype:trojan-activity; sid:2003651; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET HUNTING OUTBOUND Suspicious Email Attachment"; flow: to_server,established; content:"Content-Disposition|3A|"; nocase; content:"filename="; distance:0; pcre:"/^\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[x])|c(rt|[ho]m|li|pl|md|pp)|d(iz|ll)|e(m[fl]|xe|bs)|h(lp|sq|ta)|jse?|m(d[abzew]|s[tcgip]|htm|ht)|p(cd|if|l[xsc]|[lm]|ot)|r(eg|ar)|s(cr|ct|[hy]s|wf)|v(b[es]?|xd)|w(m[dfsz]|p[msz]|s[cfh])|xl[tw]|folder|fol|ba[st]|i(sp|n[sif])|lnk|nws|ocx|zip|url)[\x27\x22\n\r\s]/iR"; reference:url,doc.emergingthreats.net/2000562; classtype:suspicious-filename-detect; sid:2000562; rev:12; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET HUNTING OUTBOUND Suspicious Email Attachment"; flow: to_server,established; content:"Content-Disposition|3A|"; nocase; content:"filename="; distance:0; pcre:"/^\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[x])|c(rt|[ho]m|li|pl|md|pp)|d(iz|ll)|e(m[fl]|xe|bs)|h(lp|sq|ta)|jse?|m(d[abzew]|s[tcgip]|htm|ht)|p(cd|if|l[xsc]|[lm]|ot)|r(eg|ar)|s(cr|ct|[hy]s|wf)|v(b[es]?|xd)|w(m[dfsz]|p[msz]|s[cfh])|xl[tw]|folder|fol|ba[st]|i(sp|n[sif])|lnk|nws|ocx|zip|url)[\x27\x22\n\r\s]/iR"; reference:url,doc.emergingthreats.net/2000562; classtype:suspicious-filename-detect; sid:2000562; rev:12; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_05_03;)
 
 #alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM Allaple ICMP Sweep Reply Inbound"; icode:0; itype:0; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_dst; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003293; classtype:trojan-activity; sid:2003293; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -1722,8 +1674,6 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Fuzzing Scan"
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible INTO OUTFILE Arbitrary File Write SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"INTO%20"; nocase; within:200; content:"OUTFILE"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]INTO.+OUTFILE/i"; reference:url,www.milw0rm.com/papers/372; reference:url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection; reference:url,websec.wordpress.com/2007/11/17/mysql-into-outfile/; reference:url,doc.emergingthreats.net/2010038; classtype:web-application-attack; sid:2010038; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 404 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010517; classtype:web-application-attack; sid:2010517; rev:3; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2017_09_08;)
-
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT INSTR in Cookie, Possible ORACLE Related Blind SQL Injection Attempt"; flow:established,to_server; content:"|0d 0a|Cookie|3A|"; nocase; content:"SELECT%20"; nocase; within:200; content:"INSTR"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]SELECT.+INSTR/i"; reference:url,www.psoug.org/reference/substr_instr.html; reference:url,www.easywebtech.com/artical/Oracle_INSTR.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010286; classtype:web-application-attack; sid:2010286; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT SUBSTR/ING in Cookie, Possible Blind SQL Injection Attempt"; flow:established,to_server; content:"|0d 0a|Cookie|3A|"; nocase; content:"SELECT%20"; nocase; within:200; content:"SUBSTR"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]SELECT.+SUBSTR/i"; reference:url,www.1keydata.com/sql/sql-substring.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010287; classtype:web-application-attack; sid:2010287; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
@@ -1760,8 +1710,6 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Fuzzing Scan"
 
 #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound Variant 3"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS_LABEL_NR."; nocase; within:50; pcre:"/filename=\x22UPS_LABEL_NR\.[A-Z]+_[0-9]{4}-\d+\.ZIP\x22/i"; reference:url,doc.emergingthreats.net/2011151; classtype:trojan-activity; sid:2011151; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Fake Anti-Virus Download Inst_58s6.exe"; flow:established,to_server; uricontent:"/Inst_58s6.exe"; nocase; reference:url,cyveillanceblog.com/general-cyberintel/malware-google-search-results; reference:url,doc.emergingthreats.net/2010339; classtype:trojan-activity; sid:2010339; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Hostile domain, NeoSploit FakeAV google.analytics.com.*.info"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"|0d 0a|Host|3a| google.analytics.com."; nocase; content:".info|0d 0a|"; within:15; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage#-#-topic=3781.0; reference:url,doc.emergingthreats.net/2010866; classtype:trojan-activity; sid:2010866; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Java Deployment Toolkit Launch Method Remote Code Execution Attempt"; flow:established,to_client; content:"-J-jar -J"; pcre:"/(launch\x28.+-J-jar -J|-J-jar -J.+launch\x28)/i"; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,www.darknet.org.uk/2010/04/serious-java-bug-exposes-users-to-code-execution/; reference:url,doc.emergingthreats.net/2011053; classtype:attempted-user; sid:2011053; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
@@ -1816,40 +1764,10 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Fuzzing Scan"
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (28)"; flow:to_client,established; content:"clsid"; nocase; content:"A2E30750-6C3D-11D3-B653-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2E30750-6C3D-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009642; classtype:web-application-attack; sid:2009642; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING Adobe Exploited Check-In"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:".php?&&reader_version="; nocase; reference:url,doc.emergingthreats.net/2011715; classtype:trojan-activity; sid:2011715; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Malvertising drive by kit encountered - bmb cookie"; flow:established,to_client; content:"HTTP/1"; depth:6; content:"Set-Cookie|3a| bmb="; nocase; reference:url,doc.emergingthreats.net/2011222; classtype:bad-unknown; sid:2011222; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TROJAN Likely FakeRean Download"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/installer/InstallerClean.exe"; nocase; reference:url,doc.emergingthreats.net/2010053; classtype:trojan-activity; sid:2010053; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TROJAN Likely Possible Rogue A/V Win32/FakeXPA Download"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/Soft_21.exe"; nocase; reference:url,doc.emergingthreats.net/2010060; classtype:trojan-activity; sid:2010060; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, pdf exploit"; flow:established,to_server; uricontent:"/ssp/files/annonce.pdf"; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010444; classtype:bad-unknown; sid:2010444; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe)"; flow:established,to_server; uricontent:"/download/IAInstall.exe"; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010447; classtype:bad-unknown; sid:2010447; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, trojan zbot"; flow:established,to_server; uricontent:"/globaldirectory/updatetool.exe"; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010448; classtype:bad-unknown; sid:2010448; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, exploit redirect"; flow:established,to_server; uricontent:"/fkzd/2.htm"; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010449; classtype:bad-unknown; sid:2010449; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malwareurl.com - potential oficla download (annonce.pdf)"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/ssp/files/annonce.pdf"; nocase; pcre:"/\/ssp\/files\/annonce\.pdf$/Ui"; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010532; classtype:trojan-activity; sid:2010532; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malwareurl.com - potential oficla download (loadjavad.php)"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/ssp/loadjavad.php"; nocase; pcre:"/\/ssp\/loadjavad\.php$/Ui"; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010534; classtype:trojan-activity; sid:2010534; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malwareurl - wywg executable download Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/wywg/"; nocase; uricontent:".exe"; nocase; pcre:"/\/wywg\/[a-z0-9]{2,5}\/[a-z0-9]+\.exe$/Ui"; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010716; classtype:trojan-activity; sid:2010716; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit Exploit Kit Java exploit drive-by host likely infected (nte)"; flow:established,to_server; uricontent:"/nte/"; nocase; content:"|0d 0a|accept-encoding|3a| pack200-gzip,gzip|0d 0a|"; nocase; content:"|0d 0a|content-type|3a| application/x-java-archive|0d 0a|"; nocase; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| Mozilla"; nocase; content:" Java/"; nocase; within:50; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage%3btopic=3781.0; reference:url,doc.emergingthreats.net/2010871; classtype:exploit-kit; sid:2010871; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Fake AV Related CSS Download"; flow:established,from_server; content:"#hello_nod32_guys_how_u_doing"; nocase; reference:url,doc.emergingthreats.net/2011670; classtype:trojan-activity; sid:2011670; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Executable requested from /wp-content/languages"; flow:established,to_server; uricontent:"/wp-content/languages/"; nocase; uricontent:".exe"; nocase; reference:url,www.malewareurl.com; reference:url,doc.emergingthreats.net/2011220; classtype:trojan-activity; sid:2011220; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av-i386-daily.zip)"; flow:established,to_server; uricontent:"av_base/av-i386-daily.zip"; nocase; reference:url,doc.emergingthreats.net/2010565; reference:md5,06e69bfb6fffa17c4fc1e23af71b345c; classtype:trojan-activity; sid:2010568; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av_base/pay.php)"; flow:established,to_server; uricontent:"av_base/pay.php"; nocase; reference:url,doc.emergingthreats.net/2010566; reference:md5,06e69bfb6fffa17c4fc1e23af71b345c; classtype:trojan-activity; sid:2010566; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av_base/ip.php)"; flow:established,to_server; uricontent:"av_base/ip.php"; nocase; reference:md5,06e69bfb6fffa17c4fc1e23af71b345c; reference:url,doc.emergingthreats.net/2010567; classtype:trojan-activity; sid:2010567; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Trojan.Win32.Small.yml client registration"; flow:established,to_client; content:"|0d 0a|Content-Length|3a| "; depth:500; content:"|0d 0a 0d 0a|xxyysign|0d 0a|xxyyMyIP="; within:27; reference:url,doc.emergingthreats.net/2008950; classtype:trojan-activity; sid:2008950; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Trojan.Win32.Small.yml client command"; flow:established,to_client; content:"|0d 0a|Content-Length|3a| "; depth:500; content:"|0d 0a 0d 0a|xxyysign|0d 0a|xxyyUserNamePassWord="; within:40; reference:url,doc.emergingthreats.net/2008951; classtype:trojan-activity; sid:2008951; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -1892,8 +1810,6 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Fuzzing Scan"
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Foxit Reader ActiveX OpenFile method Remote Code Execution Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"FOXITREADEROCXLib.FoxitReaderOCX"; nocase; distance:0; content:"OpenFile "; nocase; reference:url,www.exploit-db.com/exploits/11196; reference:url,doc.emergingthreats.net/2010930; classtype:attempted-user; sid:2010930; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> $HOME_NET any (msg:"ET DELETED Pitbull IRCbotnet Commands"; flow:from_server,established; content:"PRIVMSG|20|"; pcre:"/PRIVMSG.*@(portscan|nmap|back|udpflood|tcpflood|httpflood|linuxhelp|rfi|system|milw0rm|logcleaner|sendmail|join|part|help)/i";  reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007625; classtype:trojan-activity; sid:2007625; rev:6; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
-
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED libPNG - Possible NULL-pointer crash in png_handle_iCCP"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,0,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001190; classtype:misc-activity; sid:2001190; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED libPNG - Height exceeds limit"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,12,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001192; classtype:misc-activity; sid:2001192; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -1904,17 +1820,13 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Fuzzing Scan"
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Malvertising drive by kit encountered - Loading..."; flow:established,to_client; content:"HTTP/1"; depth:6; content:"<html><head></head><body>Loading...<div id=|22|page|22| style=|22|display|3a| none|22|>"; nocase; reference:url,doc.emergingthreats.net/2011223; classtype:bad-unknown; sid:2011223; rev:5; metadata:created_at 2010_07_30, former_category CURRENT_EVENTS, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malvertising drive by kit collecting browser info"; flow:established,to_server; uricontent:"/plugins.php?p=appName"; nocase; reference:url,doc.emergingthreats.net/2011224; classtype:bad-unknown; sid:2011224; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING client requesting drive by - /x/?src="; flow:established,to_server; uricontent:"/x/?src="; nocase; uricontent:"&o=o"; nocase; reference:url,doc.emergingthreats.net/2011230; classtype:bad-unknown; sid:2011230; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Possible ASPROX Hostile JS Being Served by a Local Webserver (/ngg.js)"; flow:established,from_server; content:"<script src=http|3a|//"; nocase; content:!"nextgen-gallery"; nocase; within:15; content:"/ngg.js>"; nocase; within:50; reference:url,doc.emergingthreats.net/bin/view/Main/2008387; reference:url,infosec20.blogspot.com/2008/07/asprox-payload-morphed.html; classtype:trojan-activity; sid:2008387; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Possible ASPROX Hostile JS Being Served by a Local Webserver (/b.js)"; flow:established,from_server; content:"<script src=http|3a|//"; nocase; content:"/b.js>"; nocase; within:50; reference:url,doc.emergingthreats.net/bin/view/Main/2008388; classtype:trojan-activity; sid:2008388; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Gom Player V 2.1.16 ActiveX Command Execution Function call attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"GOMWEBCTRLLib.GomWeb"; nocase; distance:0; content:"Command"; nocase; reference:url,www.packetstormsecurity.org/0909-exploits/gomplayer-exec.txt; reference:url,doc.emergingthreats.net/2010368; classtype:web-application-attack; sid:2010368; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ProxyReconBot POST method to Mail"; flow:established,to_server; content:"POST "; depth:5; content:"|3A|25 HTTP/"; within:200; reference:url,doc.emergingthreats.net/2003870; classtype:misc-attack; sid:2003870; rev:7; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_04_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ProxyReconBot POST method to Mail"; flow:established,to_server; content:"POST "; depth:5; content:"|3A|25 HTTP/"; within:200; reference:url,doc.emergingthreats.net/2003870; classtype:misc-attack; sid:2003870; rev:7; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2022_05_03;)
 
 alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SIP erase_registrations/add registrations attempt"; content:"REGISTER "; depth:9; content:"User-Agent|3a| Hacker"; reference:url,www.hackingvoip.com/sec_tools.html; reference:url,doc.emergingthreats.net/2008640; classtype:attempted-recon; sid:2008640; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
@@ -1996,8 +1908,6 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY CCProxy in
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Internet Explorer Plugin.ocx Heap Overflow"; flow: from_server,established; content:"06DD38D0-D187-11CF-A80D-00C04FD74AD8"; nocase; content:".load("; nocase; reference:url,www.hnc3k.com/ievulnerabil.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001181; classtype:misc-attack; sid:2001181; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential exploit redirect, in.cgi pepsi"; flow:established,to_server; uricontent:"ts/in.cgi?pepsi"; nocase; pcre:"/ts\/in\.cgi\?pepsi\d+/Ui"; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010222; classtype:bad-unknown; sid:2010222; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Internet Information Service adsiis.dll activex remote DOS"; flow:to_client,established; content:"CLSID"; nocase; content:"D6BFA35E-89F2-11D0-8527-00C04FD8D503"; distance:0; nocase; content:"GetObject"; nocase; reference:cve,2008-4300; reference:url,securityreason.com/securityalert/4325; reference:url,doc.emergingthreats.net/2008621; classtype:web-application-attack; sid:2008621; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Image22 ActiveX DrawIcon Method Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"1DC09FDF-2EF8-4CE9-ADEA-4D6A98A2F779"; nocase; distance:0; content:"DrawIcon"; nocase; reference:url,exploit-db.com/exploits/14321/; reference:url,doc.emergingthreats.net/2011250; classtype:web-application-attack; sid:2011250; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
@@ -2016,7 +1926,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY CCProxy in
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX JamDTA ActiveX Control SaveToFile Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"0B8F9DC9-A99C-40AD-BE40-88DDE92BAC41"; nocase; distance:0; content:"SaveToFile"; nocase; reference:bugtraq,33345; reference:url,doc.emergingthreats.net/2009115; classtype:web-application-attack; sid:2009115; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IncrediMail 2.0 Authenticate Method Remote Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"INCREDISPOOLERLib.Pop"; nocase; distance:0; content:"Authenticate"; nocase; reference:url,packetstormsecurity.org/1004-exploits/incredimail20-overflow.txt; reference:url,exploit-db.com/exploits/12030; reference:url,doc.emergingthreats.net/2011049; classtype:attempted-user; sid:2011049; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IncrediMail 2.0 Authenticate Method Remote Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"INCREDISPOOLERLib.Pop"; nocase; distance:0; content:"Authenticate"; nocase; reference:url,packetstormsecurity.org/1004-exploits/incredimail20-overflow.txt; reference:url,exploit-db.com/exploits/12030; reference:url,doc.emergingthreats.net/2011049; classtype:attempted-user; sid:2011049; rev:6; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Sun Java Runtime Environment ActiveX Control Multiple Remote Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; nocase; distance:0; pcre:"/(setInstallerType|setAdditionalPackages|installLatestJRE|compareVersion|installJRE|getStaticCLSID|launch)/i"; reference:url,xforce.iss.net/xforce/xfdb/50508; reference:bugtraq,34931; reference:url,milw0rm.com/exploits/8665; reference:url,doc.emergingthreats.net/2009434; classtype:web-application-attack; sid:2009434; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
@@ -2104,8 +2014,6 @@ alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-2"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"ComponentManager.Installer.1"; distance:0; nocase; content:"UpdateComponents"; nocase; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb; reference:url,www.kb.cert.org/vuls/id/789121; reference:url,doc.emergingthreats.net/2010561; classtype:web-application-attack; sid:2010561; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED ClearSite device_admin.php cs_base_path Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/include/admin/device_admin.php?"; nocase; uricontent:"cs_base_path="; nocase; pcre:"/cs_base_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/65117; reference:cve,CVE-2010-2145; classtype:web-application-attack; sid:2011556; rev:1; metadata:created_at 2010_09_27, updated_at 2019_08_22;)
-
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Remediation Client Enginecom.Dll ActiveX Code Execution Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Enginecom.imagineLANEngine.1"; nocase; distance:0; content:"DeleteSnapshot"; nocase; reference:url,fgc.fortinet.com/encyclopedia/vulnerability/mcafee.remediation.client.enginecom.dll.activex.access.html; reference:url,doc.emergingthreats.net/2010692; classtype:attempted-user; sid:2010692; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
 #alert tcp any any -> $HOME_NET [139,445] (msg:"ET NETBIOS windows recycler request - suspicious"; flow:to_server,established; content:"|00 00 5C 00 72 00 65 00 63 00 79 00 63 00 6C 00 65 00 72 00 5C|"; reference:url,about-threats.trendmicro.com/ArchiveMalware.aspx?name=WORM_AUTORUN.ZBC; reference:url,www.symantec.com/connect/forums/virus-alert-crecyclers-1-5-21-1482476501-1644491937-682003330-1013svchostexe; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FFakerecy.A; reference:url,support.microsoft.com/kb/971029; classtype:suspicious-filename-detect; sid:2011526; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
@@ -2266,8 +2174,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Google IM traffic Ja
 
 #alert tcp any any -> any $HTTP_PORTS (msg:"ET POLICY Proxy Judge Discovery/Evasion (proxyjudge.cgi)"; flow: established,to_server; content:"/proxyjudge.cgi"; http_uri; nocase; reference:url,doc.emergingthreats.net/2003048; classtype:policy-violation; sid:2003048; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious Microsoft Windows NT 6.1 User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| "; nocase; http_header; content:"|3b 20|Windows NT 6.1|3b 20|"; http_header; threshold:type limit, track by_src, seconds 60, count 1; reference:url,www.microsoft.com/windows/windows-7/default.aspx; reference:url,doc.emergingthreats.net/2010228; classtype:policy-violation; sid:2010228; rev:7; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Winamp Streaming User Agent"; flow:established,to_server; content:"Winamp"; http_header; nocase; pcre:"/User-Agent\x3a[^\n]+Winamp/Hi"; reference:url,doc.emergingthreats.net/2003168; classtype:policy-violation; sid:2003168; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Way Of The Warrior visualizza.php plancia Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/visualizza.php?"; http_uri; nocase; content:"plancia="; http_uri; nocase; pcre:"/(\.\.\/){1,}/U"; reference:url,secunia.com/advisories/32515/; reference:url,milw0rm.com/exploits/6992; reference:url,doc.emergingthreats.net/2008824; classtype:web-application-attack; sid:2008824; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2016_07_01;)
@@ -2440,8 +2346,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Google IM traffic Ja
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Small.wpx or Related Downloader Posting Data"; flow:to_server,established; content:"POST"; http_method; content:"=|22|boturl|22|"; nocase; fast_pattern; content:"=|22|filename|22|"; nocase; content:"=|22|compips|22|"; nocase; content:"=|22|loadername|22|"; nocase; content:"=|22|loaderid|22|"; nocase; content:"=|22|uptime|22|"; nocase; content:"=|22|comptime|22|"; nocase; content:"=|22|winver|22|"; nocase; reference:url,doc.emergingthreats.net/2008319; classtype:trojan-activity; sid:2008319; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 20 -> $HOME_NET any (msg:"ET ADWARE_PUP Abox Download"; flow:established,to_server; content:"|5c 00 43 00 61 00 72 00 6d 00 65 00 6e 00 00 00 16 00 00 00 73 00 75 00 63|"; nocase; offset:160; depth:26; reference:url,doc.emergingthreats.net/bin/view/Main/2001440; classtype:pup-activity; sid:2001440; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Java Deployment Toolkit CSLID Command Execution Attempt"; flow:to_client,established; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; nocase; content:"launch"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA/si"; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,doc.emergingthreats.net/2011010; classtype:attempted-user; sid:2011010; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NOS Microsystems Adobe Reader/Acrobat getPlus Get_atlcomHelper ActiveX Control Multiple Stack Overflows Remote Code Execution Attempt"; flow:established,to_client; content:"E2883E8F-472F-4fb0-9522-AC9BF37916A7"; nocase; content:"offer-"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E2883E8F-472F-4fb0-9522-AC9BF37916A7.+offer-(ineligible|preinstalled|declined|accepted)/si"; reference:url,www.securityfocus.com/bid/37759; reference:url,www.kb.cert.org/vuls/id/773545; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; reference:url,www.exploit-db.com/exploits/11172/; reference:cve,2009-3958; reference:url,doc.emergingthreats.net/2010665; classtype:attempted-user; sid:2010665; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
@@ -2464,7 +2368,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible N
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (35)"; flow:to_client,established; content:"clsid"; nocase; content:"C5702CCC-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCC-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009604; classtype:web-application-attack; sid:2009604; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (37)"; flow:to_client,established; content:"clsid"; nocase; content:"C5702CCE-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCE-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009606; classtype:web-application-attack; sid:2009606; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (37)"; flow:to_client,established; content:"clsid"; nocase; content:"C5702CCE-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCE-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009606; classtype:web-application-attack; sid:2009606; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2022_05_03;)
 
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (1)"; flow:to_client,established; content:"F0E42D50-368C-11D0-AD81-00A0C90DC8D9"; nocase; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008407; classtype:web-application-attack; sid:2008407; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
@@ -3518,8 +3422,6 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Acunetix
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 5938 (msg:"ET POLICY TeamViewer Keep-alive outbound"; flow:established,to_server; dsize:5; content:"|17 24 1B 00 00|"; flowbits:set,ET.teamviewerkeepaliveout; flowbits:noalert; reference:url,www.teamviewer.com; reference:url,en.wikipedia.org/wiki/TeamViewer; reference:url,doc.emergingthreats.net/2008794; classtype:misc-activity; sid:2008794; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Notes1.pdf Download Suspicious Possible Exploit Attempt"; flow:established,to_server; content:"/Notes1.pdf"; http_uri; classtype:policy-violation; sid:2011325; rev:3; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2021_06_23;)
-
 #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 2)"; content:"|82 ed 5f 4c 5d 52 43 78 03 d9 95 8f 84 49 4a 48 71 74 45 d3|"; reference:url,doc.emergingthreats.net/2010385; classtype:shellcode-detect; sid:2010385; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
 #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 3)"; content:"|9f 90 4b ef a3 76 76 74 97 36 e4 aa bc 46 2f 77 45 6a 69 63|"; reference:url,doc.emergingthreats.net/2010386; classtype:shellcode-detect; sid:2010386; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
@@ -3650,12 +3552,8 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT RealPla
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Java JAR file download"; flow:from_server,established; content:"PK"; depth:500; content:"META-INF/"; within:100; content:"MANIFEST"; within:100; classtype:not-suspicious; sid:2011854; rev:3; metadata:created_at 2010_10_26, updated_at 2010_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious HTTP GET to JPG with query string"; flow:established,to_server; content:"GET"; nocase; http_method; content:".jpg?"; nocase; http_uri; classtype:trojan-activity; sid:2011873; rev:4; metadata:created_at 2010_10_29, former_category HUNTING, updated_at 2021_06_23;)
-
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Mac User-Agent Typo Likely Hostile/Trojan Infection"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (Macintosh|3b|"; http_header; content:"(KHTML, like Geco,"; http_header; reference:url,doc.emergingthreats.net/2008954; classtype:trojan-activity; sid:2008954; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 180solutions Spyware (tracked event reported)"; flow: to_server,established; uricontent:"/TrackedEvent.aspx?"; nocase; uricontent:"eid="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001397; classtype:trojan-activity; sid:2001397; rev:12; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin XSS Attempt -- calendar.php"; flow:established,to_server; content:"/calendar.php?"; nocase; http_uri; content:"| 3C |"; http_uri; content:"SCRIPT"; nocase; http_uri; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2909; reference:url,www.vbulletin.com/forum/showthread.php?postid=1355012; reference:url,doc.emergingthreats.net/2004592; classtype:web-application-attack; sid:2004592; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php SELECT"; flow:established,to_server; content:"/main_page.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003939; classtype:web-application-attack; sid:2003939; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
@@ -3992,7 +3890,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Novell iPr
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED m28sx twitter worm redirect access"; flow:established,to_server; content:"/undo/red.php"; http_uri; content:"Host|3a| gdfgdfgdgdfgdfg.in.ua"; nocase; http_header; reference:url,isc.sans.edu/diary.html?storyid=10297; classtype:trojan-activity; sid:2012209; rev:2; metadata:created_at 2011_01_21, updated_at 2011_01_21;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow Attempt"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"/OvCgi/Main/Snmp.exe"; http_uri; nocase; content:"Host="; nocase; content:"Oid="; nocase; within:50; isdataat:600,relative; pcre:"/\x2FOvCgi\x2FMain\x2FSnmp\x2Eexe.+id\x3D.{600}/smi"; reference:cve,2009-3849; reference:url,doc.emergingthreats.net/2010687; classtype:web-application-attack; sid:2010687; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow Attempt"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"/OvCgi/Main/Snmp.exe"; http_uri; nocase; content:"Host="; nocase; content:"Oid="; nocase; within:50; isdataat:600,relative; pcre:"/\x2FOvCgi\x2FMain\x2FSnmp\x2Eexe.+id\x3D.{600}/smi"; reference:cve,2009-3849; reference:url,doc.emergingthreats.net/2010687; classtype:web-application-attack; sid:2010687; rev:5; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture Insecure Read Method File Access Attempt"; flow:established,to_client; content:"68AC0D5F-0424-11D5-822F-00C04F6BA8D9"; nocase; content:"ImportBodyText"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*68AC0D5F-0424-11D5-822F-00C04F6BA8D9/si"; reference:cve,2010-3595; classtype:attempted-user; sid:2012231; rev:2; metadata:created_at 2011_01_27, updated_at 2011_01_27;)
 
@@ -4042,7 +3940,7 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Possible Inbound VOI
 
 #alert http $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Likely Spambot Web-based Control Traffic"; flow: to_server,established; content:"User-Agent|3a| Godzilla"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001711; classtype:trojan-activity; sid:2001711; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 8081 (msg:"ET DELETED Virtumonde Spyware siae3123.exe GET (8081)"; flow: to_server,established; content:"siae3123.exe"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000307; classtype:trojan-activity; sid:2000307; rev:26; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 8081 (msg:"ET DELETED Virtumonde Spyware siae3123.exe GET (8081)"; flow: to_server,established; content:"siae3123.exe"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000307; classtype:trojan-activity; sid:2000307; rev:26; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Night Dragon CMD Shell"; flow:established,to_server; content:"|68 57 24 13 00 33|Microsoft"; offset:12; depth:15; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:trojan-activity; sid:2012307; rev:1; metadata:created_at 2011_02_11, updated_at 2011_02_11;)
 
@@ -4104,10 +4002,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Opera Window.O
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fake Google Toolbar User-Agent"; flow:established,to_server; content:"|3b| GTB0.0|3b| "; http_header; classtype:trojan-activity; sid:2012516; rev:2; metadata:created_at 2011_03_16, updated_at 2011_03_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NACHA/Zeus Phishing Executable Download Attempt"; flow:established,to_server; content:"GET "; depth:4; content:"nacha.org."; nocase; uricontent:".exe"; nocase; pcre:"/\x0d\x0aHost\: (www\.)?nacha\.org\./i"; reference:url,garwarner.blogspot.com/2009/11/newest-zeus-nacha-electronic-payments.html; reference:url,doc.emergingthreats.net/2010342; classtype:trojan-activity; sid:2010342; rev:5; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus Bot / Zbot Checkin (/us01d/in.php)"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/us01d/in.php"; nocase; reference:url,garwarner.blogspot.com/2010/01/american-bankers-association-version-of.html; reference:url,doc.emergingthreats.net/2010729; classtype:trojan-activity; sid:2010729; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot/Zeus HTTP POST"; flow:to_server,established; content:"POST"; depth:4; http_method; content:".php?"; http_uri; content:"zip="; http_uri; content:"type="; http_uri; content:"name="; http_uri; content:"q="; http_uri; content:"item="; http_uri; content:"id="; http_uri; content:"rdp="; http_uri; reference:url,doc.emergingthreats.net/2008661; classtype:trojan-activity; sid:2008661; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zbot/Zeus Dropper Infection - /check"; flow:established,to_server; content:"/check"; http_uri; content:"User-Agent|3a| Microsoft Internet Explorer|0d 0a|"; http_header; content:"Cache-Control|3a| no-cache|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009212; classtype:trojan-activity; sid:2009212; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
@@ -4116,8 +4010,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Opera Window.O
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ZeuS http client library detected"; flow:established,to_server; content:"GET "; depth:4; content:"Accept|3a| */*|0D 0A|Connection|3a| Close|0d 0a|User-Agent|3a| "; classtype:trojan-activity; sid:2011811; rev:3; metadata:created_at 2010_10_13, updated_at 2010_10_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus GET Request to CnC"; flow:established,to_server; content:"GET"; http_method; content:"HTTP/1.1|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a|"; content:!"Content-Type|3a| "; http_header; content:"|0d 0a|Content-Length|3a| "; content:!"0"; distance:0; within:1; content:"Connection|3a| Keep-Alive|0D 0A|Cache-Control|3a| no-cache|0D 0A 0D 0A|"; classtype:command-and-control; sid:2011817; rev:3; metadata:created_at 2010_10_14, updated_at 2020_08_20;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus http client library detected"; flow:established,to_server; content:"Accept|3a| */*|0D 0A|Connection|3a| Close|0D 0A|User-Agent|3a| "; http_header; classtype:trojan-activity; sid:2011818; rev:4; metadata:created_at 2010_10_15, updated_at 2010_10_15;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE X-Tag Zeus Mitmo user agent"; flow:established,to_server; content:"|29 20|X-Tag/"; nocase; reference:url,eternal-todo.com/blog/thoughts-facts-zeus-mitmo; classtype:trojan-activity; sid:2011926; rev:5; metadata:created_at 2010_11_16, updated_at 2010_11_16;)
@@ -4150,8 +4042,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE X-Tag Zeus Mitmo u
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable Unicode Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"|5C|u"; nocase; within:3; content:"|5C|u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012535; rev:2; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mozilla 3.0 and Indy Library User-Agent Likely Hostile"; flow:established,to_server; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; classtype:pup-activity; sid:2012536; rev:3; metadata:created_at 2011_03_22, former_category ADWARE_PUP, updated_at 2011_03_22;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.small Generic Checkin"; flow:established,to_server; content:"/install.asp?mac="; http_uri; content:"User-Agent|3a| MyAgent"; http_header; classtype:command-and-control; sid:2012541; rev:2; metadata:created_at 2011_03_22, former_category MALWARE, updated_at 2011_03_22;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX RealPlayer CDDA URI Overflow Uninitialized Pointer Attempt"; flow:established,to_client; content:"CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA"; nocase; content:"cdda|3A|//"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA/si"; reference:bid,44450; reference:cve,2010-3747; classtype:attempted-user; sid:2012543; rev:3; metadata:created_at 2011_03_24, updated_at 2011_03_24;)
@@ -4170,8 +4060,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variab
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Exploit io.exe download served"; flow:established,from_server; content:"|3b 20|filename=io.exe|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2012610; rev:2; metadata:created_at 2011_03_31, former_category CURRENT_EVENTS, updated_at 2011_03_31;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Unknown Malware PUTLINK Command Message"; flow:established,from_server; content:"CMD PUTLINK http|3A|//"; nocase; content:"Inject|3A|"; nocase; distance:0; classtype:pup-activity; sid:2012615; rev:2; metadata:created_at 2011_04_01, former_category ADWARE_PUP, updated_at 2011_04_01;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED .dll Request Without User-Agent Likely Malware"; flow:established,to_server; content:".dll"; nocase; http_uri; content:!"User-Agent|3A|"; nocase; http_header; classtype:trojan-activity; sid:2012618; rev:2; metadata:created_at 2011_04_01, updated_at 2011_04_01;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service"; flow:established,to_client; content:"clsid"; nocase; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; content:"AllowScriptAccess"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*D27CDB6E-AE6D-11cf-96B8-444553540000\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15698/; classtype:attempted-dos; sid:2012056; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
@@ -4250,8 +4138,6 @@ alert tcp $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Windows 7 CMD Shell
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Gh0st Remote Access Trojan Server Response"; flowbits:isset,ET.ghost; flow:to_client,established; content:"Gh0st"; depth:5; nocase; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211; reference:url,doc.emergingthreats.net/2008889; classtype:trojan-activity; sid:2008889; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED IP Check Domain (showmyipaddress.com in HTTP Host)"; flow:established,to_server; content:"Host|3a| www.showmyipaddress.com"; nocase; http_header; classtype:policy-violation; sid:2012691; rev:2; metadata:created_at 2011_04_18, former_category POLICY, updated_at 2018_07_31;)
-
 alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"GPL SQL Slammer Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2102003; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
 alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"GPL WORM Slammer Worm propagation attempt OUTBOUND"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2102004; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
@@ -4356,8 +4242,6 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Remote Desktop
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Remote Desktop POS User Login Request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=pos|0d 0a|"; nocase; reference:cve,2001-0540; classtype:protocol-command-decode; sid:2012711; rev:1; metadata:created_at 2011_04_22, updated_at 2011_04_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Pinkslipbot Trojan Downloader"; flow:to_server,established; uricontent:"/jl/jloader.pl?u="; nocase; content:"&it=2"; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&n="; nocase; http_uri; pcre:"/\x26n\x3d[a-z]{5}\d{4}/U"; reference:url,doc.emergingthreats.net/2010742; classtype:trojan-activity; sid:2010742; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2019_08_22;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash Unicode SWF File Embedded in Office File Caution - Could be Hostile"; flow:established,from_server; flowbits:isset,OLE.CompoundFile; content:"S|00|W|00|F|00|"; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; reference:cve,2011-0611; classtype:attempted-user; sid:2012622; rev:5; metadata:created_at 2011_04_01, updated_at 2011_04_01;)
 
 alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap SET attempt UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101950; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
@@ -4544,24 +4428,6 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"GPL RPC xdmcp info query"; co
 
 #alert http $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"GPL DELETED story.pl arbitrary file read attempt"; flow:to_server,established; content:"/story.pl"; http_uri; content:"next=../"; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:2101868; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"GPL DELETED story.pl access"; flow:to_server,established; uricontent:"/story.pl"; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:2101869; rev:6; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT ZwSetSystemInformation - Undocumented API Which Can be Used for Rootkit Functionality"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"ZwSetSystemInformation"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012769; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT ZwWriteVirtualMemory - Undocumented API Which Can be Used for CnC Functionality"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"ZwSystemDebugControl"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:command-and-control; sid:2012770; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT SetSfcFileException - Undocumented API Which Can be Used for Disabling Windows File Protections"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"SetSfcFileException"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012771; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NtQueueApcThread - Undocumented API Which Can be Used for Thread Injection/Downloading"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtQueueApcThread"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012772; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NtResumeThread - Undocumented API Which Can be Used to Resume Thread Injection"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtQueueApcThread"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012773; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NoExecuteAddFileOptOutList - Undocumented API to Add Executable to DEP Exception List"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NoExecuteAddFileOptOutList"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012774; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT ModifyExecuteProtectionSupport - Undocumented API to Modify DEP"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"ModifyExecuteProtectionSupport"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012775; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT LdrLoadDll - Undocumented Low Level API to Load DLL"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"LdrLoadDll"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012776; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D StartUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; nocase; http_uri; content:"StartUpdata.ini"; nocase; http_uri; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012782; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D BackgroundUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/BackgroundUpdata.ini"; http_uri; nocase; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012783; rev:3; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
@@ -4646,10 +4512,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Adobe
 
 #alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Butterfly/Mariposa Bot Join Acknowledgment"; dsize:21; content:"|38|"; depth:1; flowbits:isset,ET.ButterflyJoin; classtype:trojan-activity; sid:2011296; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED EXE Using Suspicious IAT NtUnmapViewOfSection Possible Malware Process Hollowing"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtUnmapViewOfSection"; nocase; fast_pattern:only; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012817; rev:4; metadata:created_at 2011_05_18, former_category HUNTING, updated_at 2021_06_23;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NamedPipe - May Indicate Reverse Shell/Backdoor Functionality"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NamedPipe"; nocase; fast_pattern:only; pcre:"/(Create|Connect|Peek)NamedPipe/i"; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012778; rev:3; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Compose Message Access"; flow: to_server,established; content:"curmbox="; http_uri; nocase; content:"hotmail.msn.com"; http_header; nocase; content:"/cgi-bin/compose?/"; nocase; http_uri; reference:url,doc.emergingthreats.net/2000037; classtype:policy-violation; sid:2000037; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Message Access"; flow: to_server,established; content:"hotmail.msn.com"; http_header; content:"/cgi-bin/getmsg?msg=MSG"; http_uri; reference:url,doc.emergingthreats.net/2000036; classtype:policy-violation; sid:2000036; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -4676,8 +4538,6 @@ alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"GPL SQL MYSQL show databa
 
 alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP CWD .... attempt"; flow:to_server,established; content:"CWD "; content:" ...."; reference:bugtraq,4884; classtype:denial-of-service; sid:2101779; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED DNSTools authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:2101740; rev:6; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
-
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED SecureSite authentication bypass attempt"; flow:to_server,established; content:"secure_site, ok"; nocase; reference:bugtraq,4621; classtype:web-application-attack; sid:2101744; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
 alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cachefsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:2101746; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
@@ -4692,12 +4552,8 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rwalld reques
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT XMLHttpRequest attempt"; flow:to_client,established; content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase; reference:bugtraq,4628; reference:cve,2002-0354; classtype:web-application-attack; sid:2101735; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED DNSTools administrator authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; nocase; content:"user_dnstools_administrator=true"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:2101739; rev:7; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
-
 alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP CWD ~<CR><NEWLINE> attempt"; flow:to_server,established; content:"CWD "; content:" ~|0D 0A|"; reference:bugtraq,2601; reference:cve,2001-0421; classtype:denial-of-service; sid:2101728; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED SGI InfoSearch fname access"; flow:to_server,established; uricontent:"/infosrch.cgi"; reference:arachnids,290; reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-activity; sid:2101727; rev:8; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.B/E CnC Checkin Request"; flow:established,to_server; content:"/Kernel.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:command-and-control; sid:2012844; rev:2; metadata:attack_target Mobile_Client, created_at 2011_05_25, former_category MOBILE_MALWARE, updated_at 2011_05_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request"; flow:established,to_server; content:"/bs?Version="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:command-and-control; sid:2012845; rev:2; metadata:attack_target Mobile_Client, created_at 2011_05_25, former_category MOBILE_MALWARE, updated_at 2011_05_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
@@ -5116,8 +4972,6 @@ alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Robtex.com Block Messa
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:"search/rpty.php"; http_uri; nocase; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013022; rev:2; metadata:attack_target Mobile_Client, created_at 2011_06_13, former_category MOBILE_MALWARE, updated_at 2011_06_13, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent Detected (DigitAl56K/6.3)"; flow:established,to_server; content:"User-Agent|3a| DigitAl56K/"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008659; classtype:trojan-activity; sid:2008659; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Java/PDF Exploit kit from /Home/games/ initial landing"; flow:established,to_server; content:"/Home/games/2fdp.php?f="; http_uri; classtype:exploit-kit; sid:2013025; rev:2; metadata:created_at 2011_06_13, former_category EXPLOIT_KIT, updated_at 2011_06_13;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit kit mario.jar"; flow:established,to_server; content:"pack200"; http_header; content:" Java/"; http_header; content:"/mario.jar"; http_uri; classtype:exploit-kit; sid:2013024; rev:3; metadata:created_at 2011_06_13, former_category EXPLOIT_KIT, updated_at 2011_06_13;)
@@ -5166,8 +5020,6 @@ alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Robtex.com Block Messa
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FakeAV scanner page encountered Initializing Virus Protection System"; flow:to_client,established; content:"<span id=|22|loadspan|22|>Initializing Virus Protection System...</span>"; classtype:bad-unknown; sid:2011343; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (GabPath)"; flow:to_server,established; content:"User-Agent|3a| GabPath"; http_header; classtype:pup-activity; sid:2011293; rev:7; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2010_09_28;)
-
 #alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Webtrends Scanner UDP Probe"; content:"|0A|help|0A|quite|0A|"; classtype:attempted-recon; sid:2100637; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
 #alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd UDP exportall request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2101926; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
@@ -5334,8 +5186,6 @@ alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nessus FTP Scan detec
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE SymbOS/SymGam Receiving SMS Message Template from CnC Server"; flow:established,to_client; content:"<smslist>"; content:"<sms id="; distance:0; content:"upnumber="; distance:0; content:"<|2F|smslist>"; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:command-and-control; sid:2013266; rev:2; metadata:created_at 2011_07_14, former_category MOBILE_MALWARE, updated_at 2011_07_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C|x41|5C|x41|5C|x41|5C|x41"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013273; rev:2; metadata:created_at 2011_07_14, former_category SHELLCODE, updated_at 2017_09_08;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sohanad Checkin via HTTP"; flow:established,to_server; content:"GET"; http_method; content:"/cs/bux/check.php"; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007898; classtype:command-and-control; sid:2007898; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Word RTF pFragments Stack Overflow Attempt"; flowbits:isset,OLE.CompoundFile; flow:established,to_client; content:"rtf"; nocase; content:"|7B 5C|sp|7B 5C|sn pFragments|7D 7B 5C|sv"; nocase; within:100; reference:url,labs.m86security.com/2011/07/resurrection-of-cve-2010-3333-in-the-wild/; reference:bid,44652; reference:cve,2010-3333; classtype:attempted-user; sid:2013280; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
@@ -5504,8 +5354,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bifrose Client Che
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Accept-encode HTTP header with UA indicating infected host"; flow:established,to_server; content:"Accept-encode|3a| "; fast_pattern; http_header; content:"Accept-Encoding|3a| "; http_header; threshold:type limit, count 1, seconds 360, track by_src; classtype:trojan-activity; sid:2013385; rev:3; metadata:created_at 2011_08_09, updated_at 2011_08_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware/CommonName Reporting"; flow:established,to_server; content:"/report.asp?TB="; http_uri; content:"&status="; http_uri; content:"&data="; http_uri; content:"&BABE="; http_uri; content:"&BATCH="; http_uri; content:"&UDT="; http_uri; content:"&GRP="; http_uri; classtype:pup-activity; sid:2013389; rev:2; metadata:created_at 2011_08_10, former_category ADWARE_PUP, updated_at 2011_08_10;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent 3653Client"; flow:established,to_server; content:"User-Agent|3A 20|3653Client"; http_header; classtype:trojan-activity; sid:2013390; rev:2; metadata:created_at 2011_08_10, updated_at 2011_08_10;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious 1px iframe related to Mass Wordpress Injections"; flow:established,from_server; content:"/?go=1|22 20|width=|22|1|22 20|height=|22|1|22|></iframe>"; fast_pattern; content:"<html"; nocase; distance:0; classtype:bad-unknown; sid:2013380; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_10, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
@@ -5542,8 +5390,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professi
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Chekafe.D Initial Checkin"; flow:established,to_server; content:"/count.php?id="; http_uri; content:"&isInst="; http_uri; content:"&lockcode="; http_uri; content:"&pc="; http_uri; content:"&PcType="; http_uri; content:"&AvName="; http_uri; content:"&ProCount="; http_uri; classtype:command-and-control; sid:2013447; rev:3; metadata:created_at 2011_08_22, former_category MALWARE, updated_at 2011_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfSideKick Activity (iinfo)"; flow:established,to_server; content:"/iinfo.htm?host="; http_uri; content:"&action=update"; http_uri; content:"&ver="; http_uri; content:"&bundle="; http_uri; content:"&client="; http_uri; content:"&bp_id="; http_uri; content:"&prmerr="; http_uri; content:"&ir="; http_uri; classtype:pup-activity; sid:2013448; rev:6; metadata:created_at 2011_08_22, former_category ADWARE_PUP, updated_at 2011_08_22;)
-
 #alert tcp $EXTERNAL_NET 6000:10000 -> $HOME_NET any (msg:"ET MALWARE Vobfus/Changeup/Chinky Download Command"; flow:to_client,established; content:"|3a 2e|dl http|3a|"; depth:11; reference:url,www.symantec.com/connect/blogs/w32changeup-threat-profile; reference:url,doc.emergingthreats.net/2010973; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=beb8bc1ba5dbd8de0761ef362bc8b0a4; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fVobfus; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-081806-2906-99&tabid=2; reference:md5,f8880b851ea5ed92dd97657574fb4f70; classtype:trojan-activity; sid:2010973; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NSPlayer User-Agent Windows Media Player streaming detected"; flow:established,to_server; content:"User-Agent|3A 20|NSPlayer|2F|"; http_header; threshold: type limit, track by_src, seconds 300, count 1; reference:url,msdn.microsoft.com/en-us/library/cc234851; classtype:policy-violation; sid:2011874; rev:3; metadata:created_at 2010_10_29, updated_at 2010_10_29;)
@@ -5600,8 +5446,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tom Sawyer Possib
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downbot/Shady Rat Remote Shell Connection"; flow:established,from_server; dsize:<90; content:"|2F 2A 0A 40 2A 2A 2A 40 2A 40 40 40 40 40 40 40 40 40 40 40|"; depth:20; flowbits:set,et.shadyratinit; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013379; rev:3; metadata:created_at 2011_08_09, updated_at 2011_08_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zugo Toolbar Spyware/Adware download request"; flow:established,to_server; content:".exe?filename="; http_uri; content:"&dddno="; http_uri; fast_pattern; content:"&channel="; http_uri; content:"&go="; http_uri; reference:url,zugo.com/privacy-policy/; classtype:pup-activity; sid:2013658; rev:2; metadata:created_at 2011_09_15, former_category ADWARE_PUP, updated_at 2011_09_15;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit kit worms.jar"; flow:established,to_server; content:"pack200"; http_header; content:" Java/"; http_header; content:"/worms.jar"; http_uri; classtype:exploit-kit; sid:2013661; rev:2; metadata:created_at 2011_09_15, former_category EXPLOIT_KIT, updated_at 2011_09_15;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PinBall Corp. Related suspicious activity"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| PinBallCorp-BSAI"; reference:url,doc.emergingthreats.net/2009908; classtype:trojan-activity; sid:2009908; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -5920,18 +5764,12 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS NT NULL session";
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS DOS RFPoison"; flow:to_server,established; content:"|5C 00 5C 00|*|00|S|00|M|00|B|00|S|00|E|00|R|00|V|00|E|00|R|00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00|"; reference:arachnids,454; classtype:attempted-dos; sid:2100529; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ip any any <> 127.0.0.0/8 any (msg:"GPL SCAN loopback traffic";  reference:url,rr.sans.org/firewall/egress.php; classtype:bad-unknown; sid:2100528; rev:6; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
-
 #alert ip any any -> any any (msg:"GPL SCAN same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:2100527; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"GPL POLICY udp port 0 traffic";  reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:2100525; rev:10; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
-
 #alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"GPL POLICY tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:2100524; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
 #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC ip reserved bit set"; fragbits:R; classtype:misc-activity; sid:2100523; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"GPL DELETED MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:2100540; rev:12; metadata:created_at 2010_09_23, former_category CHAT, updated_at 2019_05_21;)
-
 #alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:2100543; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
 #alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:2100544; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
@@ -5992,12 +5830,8 @@ alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"GPL POLICY PCAnywhere F
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/OpenCapture CnC Checkin"; flow:established,to_server; content:"/check_counter.php?pi="; http_uri; content:"&gu="; http_uri; content:"&ac="; http_uri; classtype:command-and-control; sid:2013722; rev:2; metadata:created_at 2011_10_01, updated_at 2011_10_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Win32/OnLineGames User-Agent (Revolution Win32)"; flow:established,to_server; content:"User-Agent|3A 20|Revolution|20 28|Win32|29|"; http_header; classtype:trojan-activity; sid:2013725; rev:2; metadata:created_at 2011_10_01, former_category TROJAN, updated_at 2017_10_30;)
-
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED W32/iGrabber Info Stealer FTP Upload"; flow:established,to_server; content:"iGrabber Logs"; offset:4; depth:13; classtype:trojan-activity; sid:2013727; rev:1; metadata:created_at 2011_10_01, updated_at 2011_10_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware/Helpexpress User Agent HXLogOnly"; flow:established,to_server; content:"User-Agent|3A 20|HXLogOnly"; http_header; classtype:pup-activity; sid:2013729; rev:2; metadata:created_at 2011_10_01, former_category ADWARE_PUP, updated_at 2011_10_01;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA Sunway ForceControl Activex Control Vulnerability"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"BD9E5104-2F20-4A9F-AB14-82D558FF374E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BD9E5104-2F20-4A9F-AB14-82D558FF374E/si"; reference:bugtraq,49747; classtype:attempted-user; sid:2013735; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (GetExtendedColor)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"2BBD45A5-28AE-11D1-ACAC-0800170967D9"; nocase; distance:0; content:".GetExtendedColor"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2BBD45A5-28AE-11D1-ACAC-0800170967D9/si"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013734; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
@@ -6010,7 +5844,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PcVue Activex Contr
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX DivX Plus Web Player DivXPlaybackModule File URL Buffer Overflow Attempt"; flow:established,to_client; content:"67DABFBF-D0AB-41fa-9C46-CC0F21721616"; nocase; content:"file|3A 2F 2F|"; nocase; distance:0; isdataat:200,relative; content:!"|0A|"; within:200; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*67DABFBF-D0AB-41fa-9C46-CC0F21721616/smi"; reference:url,www.dl.packetstormsecurity.net/1109-advisories/sa45550.txt; classtype:attempted-user; sid:2013750; rev:3; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Yandexbot Request Inbound"; flow:established,to_server; content:"User-Agent|3a| YandexBot"; http_header; classtype:policy-violation; sid:2013253; rev:4; metadata:attack_target Web_Server, created_at 2011_07_12, deployment Perimeter, former_category POLICY, signature_severity Informational, tag WebCrawler, updated_at 2011_07_12, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Yandexbot Request Inbound"; flow:established,to_server; content:"User-Agent|3a| YandexBot"; http_header; classtype:policy-violation; sid:2013253; rev:4; metadata:attack_target Web_Server, created_at 2011_07_12, deployment Perimeter, former_category POLICY, signature_severity Informational, tag WebCrawler, updated_at 2022_05_03, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE alt.binaries.pictures.tinygirls"; flow:to_client,established; content:"alt.binaries.pictures.tinygirls"; nocase; classtype:policy-violation; sid:2101837; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
@@ -6092,8 +5926,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Cerberus RAT
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Nukebot related infection - Unique HTTP get request"; flow:established,to_server; content:".dll|0d 0a|e|20|HTTP/1.1"; rawbytes; content:!"User-Agent|3a|"; nocase; reference:url,www.websense.com/securitylabs/alerts/alert.php?AlertID=743; reference:url,doc.emergingthreats.net/2003432; classtype:trojan-activity; sid:2003432; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Nukebot Checkin"; flow:established,to_server; content:"POST "; rawbytes; depth:5; uricontent:"/script.php?"; content:!"User-Agent|3a|"; nocase; pcre:"/\/script\.php?\d{8}/Ui"; content:"Kernel|3a|"; reference:url,www.websense.com/securitylabs/alerts/alert.php?AlertID=743; reference:url,doc.emergingthreats.net/2003433; classtype:trojan-activity; sid:2003433; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE nte Binary Download Attempt (multiple malware variants served)"; flow:established,to_server; content:"GET"; http_method; content:"/nte/"; http_uri; content:!"Referer|3a| "; http_header; content:"User-Agent|3a| Java"; http_header; pcre:"/(\.php|\.asp|\.py|\.exe|\.htm|\.html)\/[A-Z0-9]+$/Ui"; reference:url,www.malwaredomainlist.com; reference:url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on; classtype:trojan-activity; sid:2011576; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Lowercase User-Agent header purporting to be MSIE"; flow:established,to_server; content:"user-agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; content:!"|0d 0a|VIA|3a 20|"; http_header; classtype:trojan-activity; sid:2012607; rev:4; metadata:created_at 2011_03_31, updated_at 2011_03_31;)
@@ -6148,8 +5980,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"GPL CHAT IRC DCC file t
 
 alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Ruskill/Palevo KCIK IRC Command"; flow:established,to_server; content:"KCIK |7b|"; depth:6; reference:url,ore.carnivore.it/malware/hash/d4dc8459a34ea14d856e529d3a9e0362; reference:url,sebdraven.tumblr.com/post/6769853139/palevo-analysises; classtype:trojan-activity; sid:2013247; rev:5; metadata:created_at 2011_07_11, updated_at 2011_07_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User Agent Maxthon"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1|3b| Maxthon"; http_header; reference:url,doc.emergingthreats.net/2011118; classtype:trojan-activity; sid:2011118; rev:4; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32.Duqu User-Agent"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.0|3B| en-US|3B| rv|3A|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; http_header; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:trojan-activity; sid:2013782; rev:3; metadata:created_at 2011_10_20, updated_at 2011_10_20;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Agobot-SDBot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; pcre:"/((cvar\.set)|(http\.(execute|update))|((aol)spam\.(setlist|settemplate|start|stop|setuser|setpass))|sniffer\.(addstring|delstring)|pingstop|udpstop|scan(all|stats|del|stop)|clone(stop|start)|c_(raw|mode|nick|join|part|privmsg|action))/i"; reference:url,doc.emergingthreats.net/2003157; classtype:trojan-activity; sid:2003157; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -6220,8 +6050,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Svl
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Yaq Checkin"; flow:established,to_server; content:"/Submit.php?id="; http_uri; content:"&action="; http_uri; within:10; content:"&mac="; http_uri; within:10; content:"&lockcode="; http_uri; within:30; content:"&homepc="; http_uri; within:15; content:"User-Agent|3A 20|getinfo|0D 0A|"; http_header; classtype:command-and-control; sid:2013900; rev:2; metadata:created_at 2011_11_11, former_category MALWARE, updated_at 2011_11_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent GeneralDownloadApplication"; flow:established,to_server; content:"User-Agent|3A 20|GeneralDownloadApplication"; http_header; classtype:trojan-activity; sid:2013901; rev:2; metadata:created_at 2011_11_11, former_category TROJAN, updated_at 2017_11_29;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.BlackControl Retrieving IP Information"; flow:established,to_server; content:"/v2/ip_query_country.php?key="; http_uri; content:"&timezone="; http_uri; content:"User-Agent|3A 20|1|0D 0A|"; http_header; fast_pattern; classtype:trojan-activity; sid:2013902; rev:3; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent GetFile"; flow:established,to_server; content:"User-Agent|3A 20|GetFile|0D 0A|"; http_header; classtype:trojan-activity; sid:2013903; rev:2; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
@@ -6248,10 +6076,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy-Net Trojan Con
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Eu4 Keepalive to CnC"; flow:established,to_server; content:"|ea a2 0d a1 b4 a9 a2 18 12 34 67 eb aa 6f ab 3f|"; offset:16; depth:16; dsize:48; classtype:command-and-control; sid:2013925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_18, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Banker.OT Checkin"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"praquem="; http_client_body; fast_pattern;  content:"&titulo="; http_client_body; content:"&texto="; http_client_body; reference:url,doc.emergingthreats.net/2007823; classtype:trojan-activity; sid:2007823; rev:8; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated Javascript padded charcodes 25"; flow:established,from_server; content:"75"; depth:500; content:"86"; within:4; content:"74"; within:4; content:"92"; within:4; content:"84"; within:4; classtype:bad-unknown; sid:2013950; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rimecud.A User-Agent (needit)"; flow:to_server,established; content:"User-Agent|3a| needit|0d 0a|"; http_header; reference:md5,1b1fff82c72277aff808291d53df7fd8; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013951; rev:3; metadata:created_at 2011_11_23, updated_at 2011_11_23;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TR/Rimecud.aksa User-Agent (indy)"; flow:to_server,established; content:"User-Agent|3a| indy|0d 0a|"; http_header; reference:md5,1536a7072981ce5140efe6b9c193bb7e; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013952; rev:3; metadata:created_at 2011_11_23, updated_at 2011_11_23;)
@@ -6296,8 +6120,6 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC msqueue bi
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC msqueue little endian bind attempt"; flow:to_server,established; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103157; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"GPL NETBIOS name query overflow attempt TCP"; flow:to_server,established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; classtype:attempted-admin; sid:2103195; rev:5; metadata:created_at 2010_09_23, former_category NETBIOS, updated_at 2017_11_10;)
-
 alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103180; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103430; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
@@ -6664,12 +6486,8 @@ alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE EXEC attempt"; f
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Likely Generic Java Exploit Attempt Request for Java to decimal host"; flow:established,to_server; content:" Java/1"; http_header; pcre:"/Host\x3a \d{8,10}(\x0d\x0a|\x3a\d{1,5}\x0d\x0a)/H"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013487; rev:5; metadata:created_at 2011_08_30, former_category CURRENT_EVENTS, updated_at 2011_08_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TROJAN SEO HTTP REFERER landing capture rewrite, likely Fake AV"; flow:established,to_server; content:"GET"; http_method; content:"|0d 0a|Referer|3a| "; content:"search?"; nocase; within:50; content:"q="; nocase; within:100; uricontent:".com"; nocase; pcre:"/\/[a-z]+\/[a-z0-9]{120,}\/[a-z0-9]+\/.+\.com$/U"; reference:url,doc.emergingthreats.net/2011066; classtype:trojan-activity; sid:2011066; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Jorik DDOS Instructions From CnC Server"; flow:established,to_client; content:"|7C|ddos|7C|"; pcre:"/\x7Cddos\x7C(syn|http)\x7C/"; classtype:command-and-control; sid:2013998; rev:3; metadata:created_at 2011_12_08, former_category MALWARE, updated_at 2011_12_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Adware.Ibryte User-Agent (ic Windows NT 5.1 MSIE 6.0 Firefox/ Def)"; flow:established,to_server; content:"User-Agent|3A 20|ic Windows NT 5.1 MSIE 6.0 Firefox/ Def"; http_header; classtype:pup-activity; sid:2013999; rev:2; metadata:created_at 2011_12_08, former_category ADWARE_PUP, updated_at 2011_12_08;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBKrypt.dytr Checkin"; flow:to_server,established; content:"/gate.php?id="; http_uri; content:"&pc="; http_uri; content:"&os="; http_uri; content:"&version="; http_uri; content:!"User-Agent|3a|"; http_header; reference:md5,090986b0e303779bde1ddad3c65a9d78; classtype:command-and-control; sid:2014003; rev:3; metadata:created_at 2011_08_16, former_category MALWARE, updated_at 2011_08_16;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan Dropper User-Agent Firefox/3.6.3"; flow:established,to_server; content:"User-Agent|3A| Firefox/3.6.3"; http_header; classtype:trojan-activity; sid:2013341; rev:3; metadata:created_at 2011_08_02, updated_at 2011_08_02;)
@@ -6684,162 +6502,18 @@ alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE EXEC attempt"; f
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Altnet PeerPoints Manager Traffic User-Agent (Peer Points)"; flow: established,to_server; content:"User-Agent|3a|"; nocase; http_header; content:"Peer Points"; http_header; within:150; pcre:"/User-Agent\:[^\n]+Peer Points/iH"; reference:url,doc.emergingthreats.net/2001640; classtype:policy-violation; sid:2001640; rev:23; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Antivermins.com Spyware/Adware User-Agent (AntiVermeans)"; flow:to_server,established; content:"User-Agent|3a| AntiVermeans"; nocase; http_header; reference:url,www.bleepingcomputer.com/forums/topic69886.htm; reference:url,doc.emergingthreats.net/2003531; classtype:pup-activity; sid:2003531; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Baidu.com Agent User-Agent (Desktop Web System)"; flow:to_server,established; content:"User-Agent|3a| Desktop Web System"; nocase; http_header; reference:url,doc.emergingthreats.net/2003604; classtype:trojan-activity; sid:2003604; rev:8; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED User-Agent (BlueSky)"; flow:to_server,established; content:"User-Agent|3a| BlueSky|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011084; classtype:trojan-activity; sid:2011084; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP xxxtoolbar.com Spyware Install User-Agent"; flow:to_server,established; content:"User-Agent|3a 32 8b 86 85 86 8e 85 86 8c 0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003429; classtype:pup-activity; sid:2003429; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Deepdo.com Toolbar/Spyware User Agent (DeepdoUpdate)"; flow:established,to_server; content:"User-Agent|3a| DeepdoUpdate/"; nocase; http_header; reference:url,doc.emergingthreats.net/2006386; classtype:pup-activity; sid:2006386; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER)"; flow:to_server,established; content:"User-Agent|3a| EVNUKER"; nocase; http_header; reference:url,doc.emergingthreats.net/2003567; classtype:pup-activity; sid:2003569; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet-antivirus.com Related Fake AV User-Agent (Update Internet Antivirus)"; flow:established,to_server; content:"User-Agent|3a| Update Internet Antivirus"; http_header; reference:url,doc.emergingthreats.net/2008647; classtype:pup-activity; sid:2008647; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Cleancop.co.kr Fake AV User-Agent (CleancopUpdate)"; flow:established,to_server; content:"User-Agent|3a| Cleancop"; http_header; reference:url,doc.emergingthreats.net/2008484; classtype:pup-activity; sid:2008484; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchtool.co.kr Fake Product User-Agent (searchtoolup)"; flow:established,to_server; content:"User-Agent|3a| searchtool"; http_header; reference:url,doc.emergingthreats.net/2008485; classtype:pup-activity; sid:2008485; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Dokterfix.com Fake AV User-Agent (Magic NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| Magic NetInstaller|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007977; classtype:pup-activity; sid:2007977; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Easydownloadsoft.com Fake Anti-Virus User-Agent (IM Downloader)"; flow:established,to_server; content:"User-Agent|3a| IM Downloader|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2008000; classtype:pup-activity; sid:2008000; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alfaantivirus.com Fake Anti-Virus User-Agent (IM Download)"; flow:established,to_server; content:"User-Agent|3a| IM Download|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2007759; classtype:pup-activity; sid:2007759; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP IEDefender (iedefender.com) Fake Antispyware User Agent (IEDefender 2.1)"; flow:established,to_server; content:"User-Agent|3a| IEDefender "; nocase; http_header; reference:url,doc.emergingthreats.net/2007690; classtype:pup-activity; sid:2007690; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED User-Agent (GM Login)"; flow:to_server,established; content:"User-Agent|3a| GM Login|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011273; classtype:trojan-activity; sid:2011273; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CoolStreaming Toolbar (Conduit related) User-Agent (Coolstreaming Tool-Bar)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Coolstreaming"; nocase; http_header; reference:url,doc.emergingthreats.net/2003652; classtype:pup-activity; sid:2003652; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UbrenQuatroRusDldr Downloader User-Agent (UbrenQuatroRusDldr 096044)"; flow:established,to_server; content:"User-Agent|3a| UbrenQuatroRusDldr"; http_header; reference:url,doc.emergingthreats.net/2008202; classtype:pup-activity; sid:2008202; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BndVeano4GetDownldr Downloader User-Agent (BndVeano4GetDownldr)"; flow:established,to_server; content:"User-Agent|3a| BndVeano4GetDownldr"; http_header; reference:url,doc.emergingthreats.net/2008203; classtype:pup-activity; sid:2008203; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Geopia.com Fake Anti-Spyware/AV User-Agent (fs3update)"; flow:to_server,established; content:"User-Agent|3a| fs3update|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007935; classtype:pup-activity; sid:2007935; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Geopia.com Fake Anti-Spyware/AV User-Agent (fian3manager)"; flow:to_server,established; content:"User-Agent|3a| fian3manager|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007938; classtype:pup-activity; sid:2007938; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Movies-etc User-Agent (IOInstall)"; flow: to_server,established; content:"User-Agent|3a| IOInstall"; nocase; http_header; reference:url,www.movies-etc.com; reference:url,doc.emergingthreats.net/2002404; classtype:pup-activity; sid:2002404; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/InternetAntivirus User-Agent (Internet Antivirus Pro)"; flow:to_server,established; content:"User-Agent|3a| Internet Antivirus"; nocase; http_header; reference:url,doc.emergingthreats.net/2010218; classtype:pup-activity; sid:2010218; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P JoltID Agent New Code Download"; flow: established; content:"PeerEnabler"; http_header; fast_pattern:only; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,doc.emergingthreats.net/2001652; classtype:trojan-activity; sid:2001652; rev:34; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP No-ad.co.kr Fake AV Related User-Agent (U2Clean)"; flow: established,to_server; content:"User-Agent|3a| U2Clean"; http_header; reference:url,doc.emergingthreats.net/2009289; classtype:pup-activity; sid:2009289; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Viruskill.co.kr Fake AV User-Agent Detected (virus_kill)"; flow:to_server,established; content:"User-Agent|3a| virus_kill"; http_header; reference:url,doc.emergingthreats.net/2009150; classtype:pup-activity; sid:2009150; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorvaccine.co.kr Related Spyware-User Agent (ers)"; flow:established,to_server; content:"User-Agent|3a| ers|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007809; classtype:pup-activity; sid:2007809; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Karine.co.kr Related Spyware User Agent (chk Profile)"; flow:established,to_server; content:"User-Agent|3a| chk Profile|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2006429; classtype:pup-activity; sid:2006429; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Pcclear.co.kr/Pcclear.com Fake AV User-Agent (PCClearPlus)"; flow:to_server,established; content:"User-Agent|3a| PCClear"; http_header; reference:url,www.pcclear.com; reference:url,www.pcclear.co.kr; reference:url,doc.emergingthreats.net/2008198; classtype:pup-activity; sid:2008198; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP yeps.co.kr Related User-Agent (ISecu)"; flow:established,to_server; content:"User-Agent|3a| ISecu"; http_header; reference:url,doc.emergingthreats.net/2008204; classtype:pup-activity; sid:2008204; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Nguide.co.kr Fake Security Tool User-Agent (nguideup)"; flow:to_server,established; content:"User-Agent|3a| nguideup|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007947; classtype:pup-activity; sid:2007947; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Msconfig.co.kr Related User Agent (BACKMAN)"; flow:to_server,established; content:"User-Agent|3a| BACKMAN|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007958; classtype:pup-activity; sid:2007958; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Msconfig.co.kr Related User-Agent (GLOBALx)"; flow:to_server,established; content:"User-Agent|3a| GLOBAL"; http_header; reference:url,doc.emergingthreats.net/2007959; classtype:pup-activity; sid:2007959; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adwave/MarketScore User-Agent (WTA)"; flow: to_server,established; content:"User-Agent|3a| WTA_"; http_header; reference:url,www.adwave.com/our_mission.aspx; reference:url,www.marketscore.com; reference:url,doc.emergingthreats.net/2002394; classtype:pup-activity; sid:2002394; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P JoltID Agent New Code Download"; flow: established; content:"PeerEnabler"; http_header; fast_pattern:only; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,doc.emergingthreats.net/2001652; classtype:trojan-activity; sid:2001652; rev:34; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED User-Agent (MSIE XPSP2)"; flow:to_server,established; content:"MSIE XPSP2"; fast_pattern:only; http_header; reference:url,doc.emergingthreats.net/2003200; classtype:trojan-activity; sid:2003200; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Msgplus.net Spyware/Adware User-Agent (MsgPlus3)"; flow:to_server,established; content:"User-Agent|3a| MsgPlus3"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Messenger%20Plus!&threatid=14931; reference:url,doc.emergingthreats.net/2003529; classtype:pup-activity; sid:2003529; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Recuva User-Agent (OpenPage) - likely trojan dropper"; flow:to_server,established; content:"User-Agent|3a| OpenPage"; http_header; reference:url,doc.emergingthreats.net/2011101; classtype:pup-activity; sid:2011101; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Pivim Multibar User-Agent (Pivim Multibar)"; flow:established,to_server; content:"User-Agent|3a| Pivim"; http_header; reference:url,doc.emergingthreats.net/2009765; classtype:pup-activity; sid:2009765; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Popupblockade.com Spyware Related User-Agent (PopupBlockade/1.63.0.2/Reg)"; flow:established,to_server; content:"User-Agent|3a| PopupBlockade"; http_header; reference:url,doc.emergingthreats.net/2008894; classtype:pup-activity; sid:2008894; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp)"; flow:established,to_server; content:"User-Agent|3a| Releasexp|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2009796; classtype:pup-activity; sid:2009796; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AV2010 Rogue Security Application User-Agent (AV2010)"; flow:to_server,established; content:"User-Agent|3a| AV2010|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008656; classtype:pup-activity; sid:2008656; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Generic.Malware.dld User-Agent (Sickloader)"; flow:to_server,established; content:"User-Agent|3a| Sickloader"; nocase; http_header; reference:url,doc.emergingthreats.net/2003644; classtype:pup-activity; sid:2003644; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Speed-runner.com Fake Speed Test User-Agent (SRInstaller)"; flow:to_server,established; content:"User-Agent|3a| SRInstaller|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008145; classtype:pup-activity; sid:2008145; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Speed-runner.com Fake Speed Test User-Agent (SpeedRunner)"; flow:to_server,established; content:"User-Agent|3a| SpeedRunner|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008146; classtype:pup-activity; sid:2008146; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Speed-runner.com Fake Speed Test User-Agent (SRRecover)"; flow:to_server,established; content:"User-Agent|3a| SRRecover|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008151; classtype:pup-activity; sid:2008151; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Spyaxe Spyware User-Agent (spyaxe)"; flow:to_server,established; content:" spyaxe "; fast_pattern:only; http_header;  reference:url,doc.emergingthreats.net/2002807; classtype:trojan-activity; sid:2002807; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_20;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyhealer Fake Anti-Spyware Install User-Agent (SpyHealer)"; flow:to_server,established; content:"User-Agent|3a| SpyHeal"; nocase; http_header; reference:url,doc.emergingthreats.net/2003399; classtype:pup-activity; sid:2003399; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Informer from RBC)"; flow:to_server,established; content:"Informer from RBC"; fast_pattern:only; http_header; reference:url,www.kliksoftware.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003205; classtype:pup-activity; sid:2003205; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Dummy)"; flow: established,to_server; content:"User-Agent|3a| Dummy"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007570; classtype:pup-activity; sid:2007570; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (AntiSpyware) - Likely 2squared.com related"; flow: established,to_server; content:"User-Agent|3a| AntiSpyware"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007575; classtype:pup-activity; sid:2007575; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Internet Explorer (compatible))"; flow:to_server,established; content:"User-Agent|3a| Internet Explorer (compatible)|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007772; classtype:pup-activity; sid:2007772; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (HTTP_CONNECT)"; flow:to_server,established; content:"User-Agent|3a| HTTP_CONNECT|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007899; classtype:pup-activity; sid:2007899; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (popup)"; flow:to_server,established; content:"User-Agent|3a| popup|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007946; classtype:pup-activity; sid:2007946; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (2 spaces)"; flow:to_server,established; content:"User-Agent|3a 20 20 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007993; classtype:pup-activity; sid:2007993; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (bdsclk) - Possible Admoke Admware"; flow: to_server,established; content:"User-Agent|3a| bdsclk"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008743; classtype:pup-activity; sid:2008743; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (IE_6.0)"; flow:to_server,established; content:"User-Agent|3a| IE_6.0"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2009021; classtype:pup-activity; sid:2009021; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (get_site1)"; flow:to_server,established; content:"User-Agent|3a| get_site"; http_header; reference:url,doc.emergingthreats.net/2009111; classtype:pup-activity; sid:2009111; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (GETJOB)"; flow:to_server,established; content:"User-Agent|3a| GETJOB"; http_header; reference:url,doc.emergingthreats.net/2009124; classtype:pup-activity; sid:2009124; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (HelpSrvc)"; flow:established,to_server; content:"User-Agent|3a| HelpSrvc|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009439; classtype:pup-activity; sid:2009439; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (ONANDON)"; flow:established,to_server; content:"User-Agent|3a| ONANDON|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2009995; classtype:pup-activity; sid:2009995; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (CrazyBro)"; flow:established,to_server; content:"User-Agent|3a| CrazyBro"; nocase; http_header; reference:url,doc.emergingthreats.net/2010333; reference:url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml; reference:md5,e4664144f8e95cfec510d5efa24a35e7; reference:md5,fd2d6bb1d2a9803c49f1e175d558a934; classtype:pup-activity; sid:2010333; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| M|4f|zilla/"; http_header; reference:url,doc.emergingthreats.net/2003513; classtype:trojan-activity; sid:2003513; rev:11; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP yeps.co.kr Related User-Agent (ISUpd)"; flow:established,to_server; content:"User-Agent|3a| ISUpd"; http_header; reference:url,doc.emergingthreats.net/2008205; classtype:pup-activity; sid:2008205; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Kargany Loader Obfuscated Payload Download"; flow:established,from_server; content:"Content-Disposition|3a| "; http_header; nocase; content:"windows-update-"; distance:0; http_header; content:".exe"; distance:0; http_header; content:!"|0d 0a|MZ"; classtype:trojan-activity; sid:2014019; rev:4; metadata:created_at 2011_12_10, updated_at 2011_12_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (dbcount)"; flow:to_server,established; content:"User-Agent|3a| dbcount|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011679; classtype:pup-activity; sid:2011679; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ADWARE_PUP User-Agent (RangeCheck/0.1)"; flow:established,to_server; content:"User-Agent|3a| RangeCheck/0.1|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2011718; classtype:pup-activity; sid:2011718; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WinButler User-Agent (WinButler)"; flow:to_server,established; content:"User-Agent|3a| WinButler|0d 0a|"; http_header; reference:url,www.winbutler.com; reference:url,www.prevx.com/filenames/239975745155427649-0/WINBUTLER.EXE.html; reference:url,doc.emergingthreats.net/2008190; classtype:pup-activity; sid:2008190; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winsoftware.com Fake AV User-Agent (DNS Extractor)"; flow:to_server,established; content:"User-Agent|3a| DNS Extractor"; nocase; http_header; reference:url,doc.emergingthreats.net/2003567; classtype:pup-activity; sid:2003567; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Yodao Desktop Dict)"; flow:to_server,established; content:"User-Agent|3a| Yodao"; http_header; reference:url,doc.emergingthreats.net/2011123; classtype:pup-activity; sid:2011123; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zango-Hotbar User-Agent (zbu-hb-)"; flow:to_server,established; content:"zbu-hb-"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+zbu-hb-/Hi"; reference:url,doc.emergingthreats.net/2003305; classtype:trojan-activity; sid:2003305; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent User-Agent (PinballCorp)"; flow:to_server,established; content:"User-Agent|3a| PinballCorp"; nocase; http_header; reference:url,doc.emergingthreats.net/2011691; classtype:pup-activity; sid:2011691; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (gomtour)"; flow:to_server,established; content:"User-Agent|3a| gomtour|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011087; classtype:pup-activity; sid:2011087; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (i-scan)"; flow:to_server,established; content:"User-Agent|3a| i-scan"; nocase; http_header; reference:url,doc.emergingthreats.net/2011105; classtype:pup-activity; sid:2011105; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iWon Spyware (iWonSearchAssistant)"; flow:to_server,established; content:"User-Agent|3a| iWonSearch"; http_header; reference:url,www.spywareguide.com/product_show.php?id=461; reference:url,doc.emergingthreats.net/2002169; classtype:pup-activity; sid:2002169; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ADWARE_PUP User-Agent (iexplore)"; flow:established,to_server; content:"User-Agent|3a| iexplore|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2000466; classtype:pup-activity; sid:2000466; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Download UBAgent) - lop.com and other spyware"; flow:to_server,established; content:"Download UBAgent"; http_header; fast_pattern:only; reference:url,www.spywareinfo.com/articles/lop/; reference:url,doc.emergingthreats.net/2003345; classtype:pup-activity; sid:2003345; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Worm.Pyks HTTP C&C Traffic User-Agent (skw00001)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| skw000"; http_header; reference:url,doc.emergingthreats.net/2003588; classtype:pup-activity; sid:2003588; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (KRMAK) Butterfly Bot download"; flow:to_server,established; content:"User-Agent|3a| KRMAK"; http_header; classtype:pup-activity; sid:2011297; rev:3; metadata:created_at 2010_09_28, former_category ADWARE_PUP, updated_at 2010_09_28;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (mrgud)"; flow:established,to_server; content:"User-Agent|3a| mrgud"; http_header; nocase; classtype:pup-activity; sid:2012172; rev:5; metadata:created_at 2011_01_12, former_category ADWARE_PUP, updated_at 2011_01_12;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Possible Windows executable sent ASCII-hex-encoded"; flow:established,from_server; content:"ascii"; http_header; nocase; content:"|0d 0a 0d 0a|4d5a"; nocase; reference:md5,513077916da4e86827a6000b40db95d5; reference:url,www.xanalysis.blogspot.com/2008/11/cve-2008-2992-adobe-pdf-exploitation.html; classtype:pup-activity; sid:2012804; rev:5; metadata:created_at 2011_05_14, former_category ADWARE_PUP, updated_at 2011_05_14;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Egspy Infection Report via HTTP"; flow:established,to_server; content:"/keylogkontrol/"; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410; reference:url,doc.emergingthreats.net/2008047; classtype:trojan-activity; sid:2008047; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown checkin"; flow:established,to_server; content:"POST"; http_method; content:"/c.php"; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| Trident/4.0|3b| |0d 0a|"; http_header; classtype:trojan-activity; sid:2013803; rev:5; metadata:created_at 2011_10_26, updated_at 2011_10_26;)
@@ -6852,18 +6526,12 @@ alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE EXEC attempt"; f
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/net.class"; http_uri; classtype:exploit-kit; sid:2014034; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User-Agent (Toolbar) Possibly Malware/Spyware"; flow:to_server,established; content:"User-Agent|3a| Toolbar"; http_header; content:!"cf.icq.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2003463; classtype:pup-activity; sid:2003463; rev:17; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Searchmeup Spyware Install (toolbar)"; flow: to_server,established; content:"/dkprogs/toolbar.txt"; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001473; classtype:trojan-activity; sid:2001473; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Searchmeup Spyware Install (toolbar)"; flow: to_server,established; content:"/dkprogs/toolbar.txt"; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001473; classtype:trojan-activity; sid:2001473; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HSN.com Toolbar Spyware User-Agent (HSN)"; flow:to_server,established; content:"User-Agent|3a| "; nocase; http_header; content:"HSN"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+HSN/iH"; reference:url,doc.emergingthreats.net/2003495; classtype:trojan-activity; sid:2003495; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Webbuying.net Spyware Install User-Agent (wbi_v0.90)"; flow:to_server,established; content:" wbi_v0."; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+wbi_v\d/iH"; reference:url,doc.emergingthreats.net/2003441; classtype:pup-activity; sid:2003441; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Wild Tangent Agent User-Agent (WildTangent)"; flow: to_server,established; content:"WildTangent"; fast_pattern:only; pcre:"/User-Agent\:[^\n]+Wildtangent/iH"; reference:url,doc.emergingthreats.net/2001639; classtype:trojan-activity; sid:2001639; rev:30; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole PDF Exploit Request /fdp2.php"; flow:established,to_server; content:"/fdp2.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014035; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_12_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET MALWARE Double HTTP/1.1 Header Inbound - Likely Hostile Traffic"; flow:established,to_server; content:" HTTP/1.1|20|HTTP/1.1|0d 0a|"; depth:300; classtype:bad-unknown; sid:2014047; rev:3; metadata:created_at 2011_12_30, updated_at 2011_12_30;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Double HTTP/1.1 Header Outbound - Likely Infected or Hostile Traffic"; flow:established,to_server; content:" HTTP/1.1|20|HTTP/1.1|0d 0a|"; depth:300; classtype:bad-unknown; sid:2013745; rev:5; metadata:created_at 2011_10_05, updated_at 2011_10_05;)
@@ -6874,8 +6542,6 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET MALWARE Double HTT
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 3"; flow:established,to_server; content:"/fdp1.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014052; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_30, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Likely Flash exploit download request score.swf"; flow:established,to_server; content:"/score.swf"; http_uri; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014053; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT User-Agent used in Injection Attempts"; flow:established,to_server; content:"User-Agent|3a| MOT-MPx220/1.400 Mozilla/4.0"; http_header; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-December/016882.html; classtype:trojan-activity; sid:2014054; rev:2; metadata:created_at 2011_12_30, former_category CURRENT_EVENTS, updated_at 2011_12_30;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Hilgild!gen.A CnC Communication"; flow:established,to_server; content:"Y|00|M|00|S|00|G|00 2e 00 2e 00 2e 00 2e 00|"; depth:16; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6|"; dsize:1024; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:command-and-control; sid:2014055; rev:1; metadata:created_at 2011_12_31, former_category MALWARE, updated_at 2011_12_31;)
@@ -6920,8 +6586,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS WordPre
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV FakeAlertRena.n Checkin Response from Server"; flow:established,from_server; flowbits:isset,ET.fakealert.rena.n; content:"Content-Length|3a| 2|0d 0a|"; content:"|0d 0a 0d 0a|OK"; distance:0; classtype:command-and-control; sid:2013136; rev:6; metadata:created_at 2011_06_29, former_category MALWARE, updated_at 2011_06_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dictcn Trojan Downloader Node Server Type"; flow:established,to_client; content:"Server|3A| Dict/"; fast_pattern:only;  classtype:trojan-activity; sid:2013326; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_27, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2020_08_20;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Executable served from Amazon S3"; flow:established,to_client; content:"Server|3A| AmazonS3"; content:"MZ"; isdataat:80,relative; content:"PE"; distance:0; reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/; reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud; classtype:bad-unknown; sid:2013437; rev:5; metadata:created_at 2011_08_19, updated_at 2011_08_19;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED EXE Download When Server Claims To Send Audio File - DOS Mode"; flow:established,to_client; content:"Content-Type|3A 20|audio|2F|"; nocase; content:"MZ"; content:"This program cannot be run in DOS mode"; distance:0; content:"PE"; distance:0; classtype:trojan-activity; sid:2013442; rev:3; metadata:created_at 2011_08_22, updated_at 2011_08_22;)
@@ -6940,18 +6604,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Bomgar Remote Assi
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET POLICY Outbound MSSQL Connection to Non-Standard Port - Likely Malware"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1b 00 01 02 00 1c 00|"; distance:1; within:18; content:"|03 00|"; distance:1; within:2; content:"|00 04 ff 08 00 01 55 00 00 00|"; distance:1; within:10; flowbits:set,ET.MSSQL; classtype:bad-unknown; sid:2013409; rev:3; metadata:created_at 2011_08_16, updated_at 2011_08_16;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Delivering Java Exploit to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; content:"<applet"; nocase; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:exploit-kit; sid:2013961; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 2"; flow:established,to_server; content:"/2ddfp.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013786; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 2"; flow:established,to_server; content:"/1ddfp.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013787; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP exploit"; flow:established,to_server; content:"/pch.php?f="; http_uri; pcre:"/pch\.php\?f=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013548; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP exploit 2"; flow:established,to_server; content:"/hcp_vbs.php?f="; http_uri; pcre:"/hcp_vbs\.php\?f=\d+&d=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013549; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?v Download Secondary Request"; flow:established,to_server; content:".php?v"; http_uri; pcre:"/\.php\?v[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013667; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Saturn Exploit Kit binary download request"; flow:established,to_server; content:"/dl/"; depth:4; http_uri; fast_pattern; content:".php?"; http_uri; pcre:"/\/dl\/\w{1,4}\.php\?[0-9]$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013775; rev:2; metadata:created_at 2011_10_14, former_category EXPLOIT_KIT, updated_at 2011_10_14;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Saturn Exploit Kit probable Java MIDI exploit request"; flow:established,to_server; content:"/dl/jsm.php"; depth:14; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013777; rev:2; metadata:created_at 2011_10_14, former_category EXPLOIT_KIT, updated_at 2011_10_14;)
@@ -6960,8 +6612,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET POLICY Outbound MSSQL Co
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SEO Exploit Kit - client exploited"; flow:established,to_server; content:"/exe.php?exp="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2011813; rev:6; metadata:created_at 2010_10_13, former_category EXPLOIT_KIT, updated_at 2010_10_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Request tkr"; flow:established,to_server; content:".php?"; http_uri; content:"src="; http_uri; distance:0; content:"&gpr="; http_uri; distance:0; content:"&tkr="; http_uri; distance:0; pcre:"/[\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9]+/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013363; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit reporting Java and PDF state"; flow:established,to_server; content:"_js?java="; http_uri; fast_pattern; content:"&adobe_pdf="; http_uri; distance:0; pcre:"/\/[a-f0-9]{60,}_js\?/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013690; rev:3; metadata:created_at 2011_09_24, former_category EXPLOIT_KIT, updated_at 2011_09_24;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Java requesting malicious JAR"; flow:established,to_server; content:"_jar"; http_uri; fast_pattern; content:"|20|Java/"; http_header; pcre:"/\/[a-f0-9]{60,}_jar$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013691; rev:3; metadata:created_at 2011_09_24, former_category EXPLOIT_KIT, updated_at 2011_09_24;)
@@ -6970,10 +6620,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET POLICY Outbound MSSQL Co
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit request for pdf_err__Error__Unspecified"; flow:established,to_server; content:"/pdf_err__Error__Unspecified error..gif"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013693; rev:7; metadata:created_at 2011_09_24, former_category EXPLOIT_KIT, updated_at 2011_09_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix-style Exploit Kit Java Request with semicolon in URI"; flow:established,to_server; content:"/?"; http_uri; content:"|3b| 1|3b| "; http_uri; content:"|29| Java/1."; http_header; pcre:"/\/\?[a-z0-9]{65,}\x3b \d\x3b \d/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2011988; rev:5; metadata:created_at 2010_12_01, former_category EXPLOIT_KIT, updated_at 2017_04_13;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole-like Java Exploit request to .jar?t="; flow:established,to_server; content:".jar?t="; http_uri; nocase; fast_pattern; content:"&h="; http_uri; distance:0; content:"|29| Java/1."; http_header; pcre:"/\.jar\?t=\d+&h=[^&]+$/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014094; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Document.write Long Backslash UTF-16 Encoded Content - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:"document.write|28 22 5C|u"; nocase; isdataat:100,relative; content:!"|29|"; within:100; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:70; content:"|5C|u"; nocase; distance:4; within:2; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:exploit-kit; sid:2014096; rev:6; metadata:created_at 2012_01_04, former_category EXPLOIT_KIT, updated_at 2012_01_04;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Excessive new Array With Newline - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:exploit-kit; sid:2014097; rev:3; metadata:created_at 2012_01_04, former_category EXPLOIT_KIT, updated_at 2012_01_04;)
@@ -6986,8 +6632,6 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Docume
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit pdfopen.pdf"; flow:established,to_server; content:"pdfopen.pdf"; http_uri; reference:url,doc.emergingthreats.net/2011180; classtype:exploit-kit; sid:2011180; rev:4; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit Newplayer.pdf"; flow:established,to_server; content:"/newplayer.pdf"; http_uri; reference:cve,2009-4324; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:exploit-kit; sid:2012941; rev:7; metadata:created_at 2011_06_07, former_category EXPLOIT_KIT, updated_at 2017_04_10;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit Printf.pdf"; flow:established,to_server; content:"/printf.pdf"; http_uri; reference:cve,2008-2992; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:exploit-kit; sid:2012942; rev:7; metadata:created_at 2011_06_07, former_category EXPLOIT_KIT, updated_at 2011_06_07;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit Geticon.pdf"; flow:established,to_server; content:"/geticon.pdf"; http_uri; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:exploit-kit; sid:2012943; rev:7; metadata:created_at 2011_06_07, former_category EXPLOIT_KIT, updated_at 2011_06_07;)
@@ -7044,10 +6688,6 @@ alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.UFRStealer.A
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 4"; flow:established,to_server; content:"|DD DD DD DD D5 D6 D6 D6 D6 D4 D4 D4 D4 DA DA DA DA|"; offset:5; depth:17; classtype:trojan-activity; sid:2013525; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole - Help and Control Panel Exploit Request"; flow:established,to_server; content:"/cph2.php?c="; http_uri; reference:url,jsunpack.jeek.org/?report=2b1d42ba5b47676db4864855ac239a73fb8217ff; classtype:trojan-activity; sid:2014125; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_01_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole Likely Flash Exploit Request /field.swf"; flow:established,to_server; content:"/field.swf"; http_uri; classtype:trojan-activity; sid:2014126; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_01_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Hex Obfuscated Content"; flow:established,to_client; content:"unescape|28|"; fast_pattern; content:"|5C|x"; distance:1; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; pcre:"/unescape\x28(\x22|\x27)\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}/smi"; classtype:shellcode-detect; sid:2013272; rev:3; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC enumerate printers request attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; fast_pattern; within:12; distance:5; nocase; content:"|05|"; distance:1; content:"|00|"; within:1; distance:1; byte_test:1,&,3,0,relative; content:"|00 00|"; within:2; distance:19; flowbits:isset,dce.printer.bind; classtype:attempted-recon; sid:2102349; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
@@ -7304,10 +6944,6 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe R
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"ET DELETED MS Terminal Server User A Login, possible Morto Outbound"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash=a|0d 0a|"; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2013531; rev:2; metadata:created_at 2011_09_03, updated_at 2011_09_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 4"; flow:established,to_server; content:"/adfp2.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014157; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 4"; flow:established,to_server; content:"/addfp1.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014158; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/Mentory CnC Server Providing Update Details"; flow:established,to_client; content:"[UPDATE]|0D 0A|VER ="; content:"URL ="; distance:0; content:"[PATTERN]|0D 0A|VER ="; distance:0; content:"URL ="; distance:0; reference:md5,6724bb601611dcc0140960c59c7b3393; classtype:command-and-control; sid:2014166; rev:2; metadata:created_at 2012_01_28, former_category MALWARE, updated_at 2012_01_28;)
 
 #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/Mentory CnC Server Providing File Info Details"; flow:established,to_client; content:"[DBINFO]|0D 0A|Info ="; content:"Version ="; distance:0; content:"[TotalCount]|0D 0A|Count ="; distance:0; content:"[GaruYac"; distance:0; reference:md5,6724bb601611dcc0140960c59c7b3393; classtype:command-and-control; sid:2014167; rev:2; metadata:created_at 2012_01_28, former_category MALWARE, updated_at 2012_01_28;)
@@ -7332,8 +6968,6 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSA
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2102514; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"GPL DELETED BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2102523; rev:8; metadata:created_at 2010_09_23, former_category MISC, updated_at 2019_05_21;)
-
 alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102524; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102525; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
@@ -7364,8 +6998,6 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"GPL MISC HP Web JetAdmin fil
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"GPL MISC rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; reference:bugtraq,10247; reference:cve,2004-0426; reference:nessus,12230; classtype:string-detect; sid:2102561; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"GPL NETBIOS NS lookup response name overflow attempt"; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; reference:bugtraq,10333; reference:bugtraq,10334; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2102563; rev:6; metadata:created_at 2010_09_23, former_category NETBIOS, updated_at 2017_08_24;)
-
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RETR format string attempt"; flow:to_server,established; content:"RETR"; nocase; pcre:"/^RETR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9800; classtype:attempted-admin; sid:2102574; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*package_prefix[\r\n\s]*=>[\r\n\s]*\2|package_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*procedure_prefix[\r\n\s]*=>[\r\n\s]*\2|procedure_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck93.html; classtype:attempted-user; sid:2102576; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
@@ -7452,14 +7084,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.RSh
 
 #alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Refused"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x85/"; reference:url,doc.emergingthreats.net/2001119; classtype:not-suspicious; sid:2001119; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Tax Landing Page with JavaScript Attack"; flow:established,from_server; content:"Please wait, till tax confirmation is ready."; fast_pattern:only; content:"try{"; content:"catch("; classtype:attempted-admin; sid:2014274; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 6"; flow:established,to_server; content:"/ap1.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014280; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Download Secondary Request ?pagpag"; flow:established,to_server; content:".php?pagpag="; http_uri; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014282; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated Javascript 171 charcodes >= 48"; flow:established,from_server; content:"G<H6>F=7.49B7F"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014298; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.ABUD Checkin"; flow:established,to_server; content:"/imagedump/image.php?size="; http_uri; content:"&thumbnail="; http_uri; reference:md5,00b714468f1bc2254559dd8fd84186f1; classtype:command-and-control; sid:2014300; rev:1; metadata:created_at 2012_03_02, former_category MALWARE, updated_at 2012_03_02;)
 
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/NSIS.TrojanDownloader Second Stage Download Instructions from Server"; flow:established,to_client; content:"|3B 20|Ini download file modue"; nocase; content:"DownUrl="; nocase; distance:0; content:"FileName="; nocase; distance:0; content:"SaveType="; nocase; distance:0; pcre:"/FileName\x3D[^\r\n]*\x2E(dll|exe)/i"; reference:md5,3ce5da32903b52394cff2517df51f599; classtype:trojan-activity; sid:2014312; rev:2; metadata:created_at 2012_03_06, updated_at 2012_03_06;)
@@ -7476,22 +7100,14 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX ASUS Net4Switch A
 
 #alert udp any 53 -> $HOME_NET any (msg:"ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; threshold: type both, track by_src, count 50, seconds 10; reference:url,doc.emergingthreats.net/bin/view/Main/2008470; classtype:bad-unknown; sid:2008470; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"ET SCAN Enumiax Inter-Asterisk Exchange Protocol Username Scan"; content:"|00 00|"; content:"|06 0D 06 01 30 13 02 07 08|"; distance:40; within:10; reference:url,sourceforge.net/projects/enumiax/; reference:url,doc.emergingthreats.net/2008606; classtype:attempted-recon; sid:2008606; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"ET SCAN Enumiax Inter-Asterisk Exchange Protocol Username Scan"; content:"|00 00|"; content:"|06 0D 06 01 30 13 02 07 08|"; distance:40; within:10; reference:url,sourceforge.net/projects/enumiax/; reference:url,doc.emergingthreats.net/2008606; classtype:attempted-recon; sid:2008606; rev:3; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
 alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Port Unreachable Response to Xprobe2 OS Fingerprint Scan"; itype:3; dsize:>69; content:"securityfocus"; content:"securityfocus"; distance:50; within:15; reference:url,xprobe.sourceforge.net/; reference:url,doc.emergingthreats.net/2009298; classtype:attempted-recon; sid:2009298; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible jBroFuzz Fuzzer Detected"; flow:to_server,established; content:"Host|3a| localhost"; fast_pattern; http_header; content:"User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| en-GB|3b| rv|3b|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; http_header; threshold: type threshold, track by_src, count 3, seconds 6; reference:url,www.owasp.org/index.php/Category%3aOWASP_JBroFuzz; reference:url,doc.emergingthreats.net/2009476; classtype:attempted-recon; sid:2009476; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED RogueAV Wordpress Injection Campaign Compromised Page Served to Local Client"; flow:established,to_client; content:".rr.nu/mm.php?d=1|22|><|2F|script>"; nocase; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/05/mass-injection-of-wordpress-sites.aspx; classtype:attempted-user; sid:2014337; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_03_09, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2019_09_09;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Compromised Wordpress Redirect"; flow:established,to_server; content:"GET"; http_method; content:"/mm.php?d=1"; http_uri; content:".rr.nu"; http_header; pcre:"/Host\x3A\x20[^\r\n]*.rr.nu/H"; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/02/mass-injection-of-wordpress-sites.aspx; classtype:attempted-user; sid:2014334; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_03_09, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2019_09_09;)
-
 alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE SMTP Subject Line Contains C Path and EXE Possible Trojan Reporting Execution Path/Binary Name"; flow:established,to_server; content:"Subject|3A 20|"; content:"C|3A 5C|"; nocase; fast_pattern; within:100; content:".exe"; within:40; pcre:"/Subject\x3A\x20[^\r\n]*C\x3A\x5C[^\r\n]*\x2Eexe/i"; reference:md5,24e937b9f3fd6a04dde46a2bc75d4b18; classtype:bad-unknown; sid:2014343; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED INBOUND Blackhole Java Exploit request similar to /content/jav.jar"; flow:established,to_server; content:"/content/jav"; http_uri; content:".jar"; http_uri; pcre:"/\/content\/jav\d?\.jar$/U"; classtype:trojan-activity; sid:2014346; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET DELETED RougeAV Wordpress Injection Campaign Compromised Page Served From Local Compromised Server"; flow:established,from_server; content:".rr.nu/mm.php?d=1|22|><|2F|script>"; nocase; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/05/mass-injection-of-wordpress-sites.aspx; classtype:successful-admin; sid:2014338; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_03_09, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2019_09_09;)
-
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.Riern.K Checkin Off Port"; flow:established,from_client; content:"|01|new_host_"; depth:10; fast_pattern; content:"|ff ff ff ff ff 00 00 00 00 00 00 00 00|"; distance:0; classtype:command-and-control; sid:2014358; rev:2; metadata:created_at 2012_03_09, former_category MALWARE, updated_at 2012_03_09;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Remote Desktop Administrator Login Request"; flow:established,to_server; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=admin"; distance:0; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2012709; rev:5; metadata:created_at 2011_04_22, updated_at 2011_04_22;)
@@ -7500,8 +7116,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely Scalax
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kazy Checkin"; flow:established,to_server; content:"/guidcheck.php?q="; http_uri; content:"&g="; http_uri; content:"&n="; http_uri; content:"&h="; http_uri; content:!"User-Agent|3A|"; nocase; http_header; reference:md5,bb129d433271951abb0e5262060a4583; classtype:command-and-control; sid:2014357; rev:4; metadata:created_at 2012_03_09, former_category MALWARE, updated_at 2012_03_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Proxied Traffic (mitmproxy agent)"; flow: to_server,established; content:"Proxy-agent|3a| ManInTheMiddle-Proxy"; http_header; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001586; classtype:pup-activity; sid:2001586; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
 alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET HUNTING Suspicious Percentage Symbol Usage in FTP Username"; flow:established,to_server; content:"USER "; depth:5; nocase; content:!"|0d 0a|"; within:50; content:"%"; distance:0; reference:url,www.checkpoint.com/defense/advisories/public/2010/sbp-16-Aug.html; classtype:bad-unknown; sid:2011487; rev:2; metadata:created_at 2010_09_29, former_category FTP, updated_at 2010_09_29;)
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT Computer Associates Brightstor ARCServe Backup Mediasvr.exe Remote Exploit"; flow:established,to_server; content:"|00 06 09 7e|"; offset:16; depth:4; content:"|00 00 00 bf 00 00 00 00 00 00 00 00|"; distance:4; within:12; reference:url,www.milw0rm.com/exploits/3604; reference:url,doc.emergingthreats.net/bin/view/Main/2003518; classtype:attempted-admin; sid:2003518; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
@@ -7560,15795 +7174,15441 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET HUNTING Suspicious Percenta
 
 #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit"; flow:to_server,established; content:".jsp?"; nocase; http_uri; content:"JSESSIONID="; nocase; isdataat:5132; reference:cve,2008-5457; reference:url,infosec20.blogspot.com/2009/04/oracle-weblogic-iis-remote-buffer.html; reference:url,doc.emergingthreats.net/2009216; classtype:attempted-admin; sid:2009216; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP exploit 3"; flow:established,to_server; content:"/pch2.php?c="; http_uri; pcre:"/pch2.php?c=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013746; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Blocker Checkin"; flow:established,to_server; content:"/gate.php?cmd="; http_uri; content:"&botnet="; http_uri; content:"&userid="; http_uri; content:"&os="; http_uri; reference:md5,1d8841128e63ed7e26200d4ed3bc8e05; classtype:command-and-control; sid:2014364; rev:2; metadata:created_at 2012_03_13, former_category MALWARE, updated_at 2012_03_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT FTP File Interaction"; flow:established,to_client; content:"ftp"; nocase; content:"file"; nocase; within:8; pcre:"/ftp(open|get)file/i"; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012779; rev:4; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Malicious PDF Containing StrReverse"; flow:established,to_client; content:"%PDF-"; content:"StrReverse|28|"; distance:0; nocase; reference:url,doc.emergingthreats.net/2011246; classtype:bad-unknown; sid:2011246; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP A-d-w-a-r-e.com Activity (cmd)"; flow: established,to_server; content:"/app/VT00/ucmd.php?V="; http_uri; nocase; reference:url,www.a-d-w-a-r-e.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001735; classtype:pup-activity; sid:2001735; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Abcsearch.com Spyware Reporting"; flow:established,to_server; content:"/cgi-bin/search/mxml.fcgi?"; nocase; http_uri; content:"Terms="; nocase; http_uri; content:"&affiliate="; nocase; http_uri; content:"&subid="; nocase; http_uri; content:"&Hits_Per_Page="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003438; classtype:pup-activity; sid:2003438; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Abox Install Report"; flow: to_server,established; content:"&time="; nocase; http_uri; content:"/new_install?id="; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.adultbox.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001441; classtype:pup-activity; sid:2001441; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Cutwail Landing Page WAIT PLEASE"; flow:established,from_server; content:"<h1>WAIT PLEASE</h1>"; nocase; depth:300; classtype:bad-unknown; sid:2014377; rev:2; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED AdultfriendFinder.com Spyware Iframe Download"; flow:to_server,established; content:"/promo/affiframe.jsp?Pid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002353; classtype:trojan-activity; sid:2002353; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advert-network.com Related Spyware Updating"; flow:established,to_server; content:"/cnconfig.gz?ct="; http_uri; content:"&bp="; http_uri; content:"&vs="; http_uri; content:"&country="; http_uri; content:"&grp="; http_uri; content:"&tcpc="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008419; classtype:pup-activity; sid:2008419; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Casalemedia Access, Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:".ak-networks.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001529; classtype:trojan-activity; sid:2001529; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advert-network.com Related Spyware Checking for Updates"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/check.php?tcpc="; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008425; classtype:pup-activity; sid:2008425; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DownLoader.30525 Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/ctrv.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2006404; classtype:command-and-control; sid:2006404; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advertisementserver.com Spyware Initial Checkin"; flow:to_server,established; content:"?UID="; nocase; http_uri; content:"&DIST="; nocase; http_uri; content:"&NPR="; nocase; http_uri; content:"User-Agent|3a| Microsoft URL Control"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007601; classtype:pup-activity; sid:2007601; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Cnzz.com/Baidu Related Spyware Stat Reporting"; flow:established,to_server; content:"/stat.php?id="; nocase; http_uri; content:"&web_id="; nocase; http_uri; content:"Host|3a|"; nocase; http_header; content:!"Referer|3a| "; nocase; http_header; reference:url,vil.nai.com/vil/content/v_140364.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2003607; classtype:trojan-activity; sid:2003607; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advertising.com Data Post (villains)"; flow: to_server,established; content:"/Games/villains.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001228; classtype:pup-activity; sid:2001228; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Doctorpro.co.kr Related Fake Anti-Spyware Install Checkin"; flow:established,to_server; content:"/install_count.html?id="; nocase; http_uri; content:"&MAC="; nocase; http_uri; pcre:"/MAC=0\w-\w\w-\w\w-\w\w-\w\w-\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006425; classtype:trojan-activity; sid:2006425; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advertising.com Data Post (cakedeal)"; flow: to_server,established; content:"/Games/cakedeal.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001230; classtype:pup-activity; sid:2001230; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Doctorpro.co.kr Related Fake Anti-Spyware Checkin"; flow:established,to_server; content:"/access_count.html?id="; nocase; http_uri; content:"&MAC="; nocase; http_uri; pcre:"/MAC=0\w-\w\w-\w\w-\w\w-\w\w-\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006426; classtype:trojan-activity; sid:2006426; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wintools Download/Configure"; flow: to_server,established; content:"/WTools"; nocase; http_uri; content:".cab"; nocase; http_uri; reference:url,www.intermute.com/spyware/HuntBar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001450; classtype:pup-activity; sid:2001450; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP GET invalid method case outbound"; flow:established,to_server; content:"get "; depth:4; nocase; content:!"GET "; depth:4; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014379; rev:2; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Casalemedia Access, Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:".ak-networks.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001529; classtype:trojan-activity; sid:2001529; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FlashPoint Agent Retrieving New Code"; flow: to_server,established; content:"/ftxmon.php?"; http_uri; reference:url,www.flashpoint.bm; reference:url,doc.emergingthreats.net/bin/view/Main/2000905; classtype:trojan-activity; sid:2000905; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ak-networks.com Spyware Code Download"; flow: to_server,established; content:"/SyncAkSoft.da_"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001530; classtype:pup-activity; sid:2001530; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing with prototype catch"; flow:established,from_server; content:"if(window.document)try{new"; content:".prototype}catch("; distance:0; fast_pattern; classtype:bad-unknown; sid:2014369; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_13, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ak-networks.com Spyware Code Install"; flow: to_server,established; content:"/akcore.dl_"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001737; classtype:pup-activity; sid:2001737; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp any any -> $HOME_NET 3389 (msg:"ET EXPLOIT Microsoft RDP Server targetParams Exploit Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|7f 65 82 01 94|"; distance:24; within:5; content:"|30 19|"; distance:9; within:2; byte_test:1,<,6,3,relative; reference:url,msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; classtype:attempted-admin; sid:2014383; rev:2; metadata:created_at 2012_03_13, updated_at 2012_03_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alexa Spyware Reporting URL"; flow:established,to_server; content:"/image_server.cgi?size=small&url=http|3a|/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002349; classtype:pup-activity; sid:2002349; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Malware Related Numerical .co Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|00|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02co\x00/i"; reference:url,sign.kaffenews.com/?p=104; reference:url,www.isc.sans.org/diary.html?storyid=10165; classtype:bad-unknown; sid:2012144; rev:3; metadata:created_at 2011_01_05, updated_at 2011_01_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alexa Spyware Reporting"; flow:established,to_server; content:"/data?"; nocase; http_uri; content:"cli="; nocase; http_uri; content:"&dat="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&uid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003219; classtype:pup-activity; sid:2003219; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Probable Scalaxy exploit kit secondary request"; flow:established,to_server; content:"=1.6.0_"; http_uri; pcre:"/^\/[a-z][0-9a-z_+=-]{10,30}\?\w=[0-9.]+\&\w=1.6.0_\d\d$/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014024; rev:4; metadata:created_at 2011_12_13, former_category EXPLOIT_KIT, updated_at 2011_12_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alexa Spyware Redirecting User"; flow:established,to_server; content:"/redirect?http"; nocase; http_uri; content:"Host|3a| redirect.alexa.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003619; classtype:pup-activity; sid:2003619; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Popuptraffic.com Bot Reporting"; flow: to_server,established; content:"/scripts/click.php?"; nocase; http_uri; content:"hid="; http_uri; reference:url,popuptraffic.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000577; classtype:policy-violation; sid:2000577; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Avres Agent Receiving Instructions"; flow: to_server,established; content:"/ie/updatenew/"; http_uri; content:"CONFIG"; nocase; reference:url,www.avres.net; reference:url,ar.avres.net/ie/updatenew/; reference:url,doc.emergingthreats.net/bin/view/Main/2000903; classtype:pup-activity; sid:2000903; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Privacyprotector.com Fake Anti-Spyware Checkin"; flow: to_server,established; content:"/?action="; nocase; http_uri; content:"&type="; nocase; http_uri; content:"&pc_id="; nocase; http_uri; content:"&abbr="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003548; classtype:trojan-activity; sid:2003548; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BTGrab.com Spyware Downloading Ads"; flow: to_server,established; content:"/a/Drk.syn?"; nocase; http_uri; content:"adcontext="; nocase; http_uri; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; reference:url,doc.emergingthreats.net/bin/view/Main/2001999; classtype:pup-activity; sid:2001999; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED rcprograms"; flow: to_server,established; content:"update.rcprograms.com"; nocase; http_header; reference:url,sarc.com/avcenter/venc/data/adware.rcprograms.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000024; classtype:trojan-activity; sid:2000024; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Baidu.com Spyware Bar Reporting"; flow:to_server,established; content:"/update/barcab/"; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003340; classtype:pup-activity; sid:2003340; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Searchmiracle.com Access, Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:".searchmiracle.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.elitebar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001532; classtype:trojan-activity; sid:2001532; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Baidu.com Spyware Bar Pulling Content"; flow:to_server,established; content:"/update/cab/loadmovie.swf"; nocase; http_uri; content:"bar.baidu.com"; nocase; http_header; fast_pattern; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003341; classtype:pup-activity; sid:2003341; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Speedera Agent"; flow: to_server,established; content:"/io/downloads"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001320; classtype:trojan-activity; sid:2001320; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Baidu.com Spyware Bar Pulling Data"; flow:to_server,established; content:"/cpro/ui/ui"; nocase; http_uri; content:"baidu.com"; nocase; http_header; content:!"Referer|3a| "; nocase; http_header; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003578; classtype:pup-activity; sid:2003578; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Spylog.ru Related Spyware Checkin"; flow:established,to_server; content:"/cnt?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&rn="; nocase; http_uri; content:"&c="; nocase; http_uri; content:"&tl="; nocase; http_uri; content:"&ls="; nocase; http_uri; content:"&ln="; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&j="; nocase; http_uri; content:"&wh="; nocase; http_uri; content:"&px="; nocase; http_uri; content:"&sl="; nocase; http_uri; content:"&r="; nocase; http_uri; content:"&fr="; nocase; http_uri; content:"&pg="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007649; classtype:trojan-activity; sid:2007649; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Baidu.com Spyware Bar Activity"; flow:to_server,established; content:"/n?cmd="; nocase; http_uri; content:"&class="; nocase; http_uri; content:"&pn="; nocase; http_uri; content:"&tn"; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003605; classtype:pup-activity; sid:2003605; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Statblaster Receiving New configuration (allfiles)"; flow: to_server,established; content:"/updatestats/all_files"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001523; classtype:policy-violation; sid:2001523; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Baidu.com Spyware Sobar Bar Activity"; flow:to_server,established; content:"/sobar/sobar"; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003630; classtype:pup-activity; sid:2003630; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Virtumonde Spyware siae3123.exe GET"; flow: to_server,established; content:"siae3123.exe"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000306; classtype:trojan-activity; sid:2000306; rev:29; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bargain Buddy"; flow: to_server,established; content:"/download/bargin_buddy"; nocase; http_uri; reference:url,www.doxdesk.com/parasite/BargainBuddy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000574; classtype:pup-activity; sid:2000574; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Virtumonde Spyware Information Post"; flow: to_server,established; content:"POST"; nocase; http_method; content:"e_g_StatisticsUploadDelay"; nocase; content:"g_AffiliateID"; nocase; content:"virtumonde.com"; http_header; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000308; classtype:trojan-activity; sid:2000308; rev:24; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Begin2Search.com Spyware"; flow: to_server,established; content:"/cgi-bin/fav_del.fcgi?id"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.begin2search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001885; classtype:pup-activity; sid:2001885; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Weatherbug"; flow: to_server,established; content:"WxAlertIsapi"; nocase; http_uri; threshold: type limit, track by_src, count 1, seconds 3600; reference:url,doc.emergingthreats.net/bin/view/Main/2001235; classtype:misc-activity; sid:2001235; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Best-targeted-traffic.com Spyware Ping"; flow:established,to_server; content:"/ping.php?"; nocase; http_uri; content:"ul=http"; nocase; http_uri; content:"unq="; nocase; http_uri; content:"User-Agent|3a| Opera "; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003211; classtype:pup-activity; sid:2003211; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Weatherbug Wxbug Capture"; flow: to_server,established; content:"GET"; nocase; http_method; content:"Host|3a|"; nocase; http_header; content:"wxbug.com"; nocase; http_header; threshold: type limit, track by_src, count 1, seconds 3600; reference:url,doc.emergingthreats.net/bin/view/Main/2002364; classtype:misc-activity; sid:2002364; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bestcount.net Spyware Downloading vxgame"; flow:established,to_server; content:"/vxgame1/vxv.php"; nocase; http_uri; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2002956; classtype:pup-activity; sid:2002956; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Weatherbug Activity"; flow:established,to_server; content:"/WeatherWindow/WeatherWindow"; nocase; http_uri; content:"?rnd="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003420; classtype:trojan-activity; sid:2003420; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bestcount.net Spyware Initial Infection Download"; flow:established,to_server; content:"/win32.exe"; nocase; http_uri; pcre:"/\/adv\/\d+\/win32\.exe/Ui"; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2002957; classtype:pup-activity; sid:2002957; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Weatherbug Design60 Upload Activity"; flow:established,to_server; content:"/GetDesign60.aspx?Magic="; nocase; http_uri; content:"?ZipCode="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003421; classtype:trojan-activity; sid:2003421; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bestcount.net Spyware Exploit Download"; flow:established,to_server; content:"/sploit.anr"; nocase; http_uri; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2003153; classtype:pup-activity; sid:2003153; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Weatherbug Command Activity"; flow:established,to_server; content:"/connection/connectionv"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003422; classtype:trojan-activity; sid:2003422; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Binet (download complete)"; flow: to_server,established; content:"/download/cabs/"; nocase; http_uri; content:"download_complete.htm"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000366; classtype:pup-activity; sid:2000366; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Weatherbug Vista Gadget Activity"; flow:established,to_server; content:"/Command/VistaGadget_v"; nocase; http_uri; content:"UserId="; nocase; http_uri; content:"&AppVersion="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003534; classtype:trojan-activity; sid:2003534; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Binet (set_pix)"; flow: to_server,established; content:"/download/cabs/set_pix.php"; nocase; http_uri; content:"abetterinternet.com"; nocase; http_header; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000367; classtype:pup-activity; sid:2000367; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Yesadvertising Banking Spyware RETRIEVE"; flow: to_server,established; content:"/img1big.gif"; nocase; http_uri; reference:url,isc.sans.org/presentations/banking_malware.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000336; classtype:trojan-activity; sid:2000336; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Binet (randreco.exe)"; flow: to_server,established; content:"/download/cabs/RANDRECO/randreco.exe"; nocase; http_uri; content:"abetterinternet.com|0d 0a|"; nocase; http_header; fast_pattern; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000371; classtype:pup-activity; sid:2000371; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Yesadvertising Banking Spyware INFORMATION SUBMIT"; flow: to_server,established; content:"/cgi-bin/yes.pl"; nocase; http_uri; reference:url,isc.sans.org/presentations/banking_malware.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000337; classtype:trojan-activity; sid:2000337; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Binet Ad Retrieval"; flow: to_server,established; content:"/bba/flashimages/"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000593; classtype:pup-activity; sid:2000593; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Fake Antivirus Download Antivirus_21.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/download/Antivirus_"; http_uri; content:".exe"; http_uri; pcre:"/download\x2FAntivirus_\d+\x2Eexe/Ui"; reference:url,doc.emergingthreats.net/2010050; classtype:trojan-activity; sid:2010050; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Twaintec Download Attempt"; flow: to_server,established; content:"/downloads/cabs/TWTDLL/twaintec.cab"; nocase; http_uri; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001198; classtype:pup-activity; sid:2001198; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely TDSS Download (codec.exe)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/codec.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010054; classtype:trojan-activity; sid:2010054; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Twaintec Ad Retrieval"; flow: to_server,established; content:"/twain/servlet/Twain?adcontext="; nocase; http_uri; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001199; classtype:pup-activity; sid:2001199; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Fake Antivirus Download AntivirusPlus.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/AntivirusPlus"; http_uri; content:".exe"; http_uri; reference:url,doc.emergingthreats.net/2010062; classtype:trojan-activity; sid:2010062; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Twaintec Reporting Data"; flow: to_server,established; content:"/downloads/record_download.asp"; nocase; http_uri; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001216; classtype:pup-activity; sid:2001216; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Fake AV GET installer.1.exe"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/installer."; http_uri; nocase; content:".exe"; http_uri; nocase; pcre:"/\/installer\.\d+\.exe/Ui"; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010452; classtype:trojan-activity; sid:2010452; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bfast.com Spyware"; flow: to_server,established; content:"/bfast/serve?bfmid"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001398; classtype:pup-activity; sid:2001398; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Fake AV GET installer_1.exe"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/installer_"; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/\/installer_\d+\.exe/Ui"; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010453; classtype:trojan-activity; sid:2010453; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bizconcept.info Spyware Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/zuzu.php?&r="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2005319; classtype:pup-activity; sid:2005319; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Fake AV Download (download/install.php)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"download/install.php"; http_uri; pcre:"/\x0d\x0aHost\: [a-z\x2e]+(security|virus|pro|anti|scan|mypc|total|protect|check|guard|defend)/i"; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2009-December/004891.html; reference:url,malwareurl.com; reference:url,www.malwaredomainlist.com; reference:url,doc.emergingthreats.net/2010465; classtype:trojan-activity; sid:2010465; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bonziportal Traffic"; flow: to_server,established; content:"/bonziportal/bin/"; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59256; reference:url,doc.emergingthreats.net/bin/view/Main/2001345; classtype:pup-activity; sid:2001345; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Fake Antivirus Download Setup_2012.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/Setup_"; nocase; http_uri; content:".exe"; nocase; pcre:"/Setup_20\d+\x2Eexe/Ui"; reference:url,doc.emergingthreats.net/xxxxxxx; classtype:trojan-activity; sid:2010684; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bravesentry.com Fake Antispyware Download"; flow:established,to_server; content:"/bravesentry.exe"; nocase; http_uri; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; reference:url,doc.emergingthreats.net/bin/view/Main/2002954; classtype:pup-activity; sid:2002954; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Malware Download Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/images/GR_OLD_CR.EXE"; nocase; http_uri; reference:url,www.prevx.com/filenames/X22210989379038527-X1/GR_OLD_CR.EXE.html; reference:url,doc.emergingthreats.net/2011148; classtype:trojan-activity; sid:2011148; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bravesentry.com Fake Antispyware Updating"; flow:established,to_server; content:"/update.php?v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&vs="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; content:"Host|3a| "; http_header; content:".bravesentry.com"; nocase; http_header; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; reference:url,doc.emergingthreats.net/bin/view/Main/2003541; classtype:pup-activity; sid:2003541; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Downloader Possible AV KILLER"; flow:established,to_server; content:"GET"; nocase; http_method; content:"SoftName="; http_uri; nocase; content:"SoftVersion="; http_uri; nocase; content:"UserIP="; http_uri; nocase; content:"Mac="; http_uri; nocase; reference:url,doc.emergingthreats.net/2009487; classtype:trojan-activity; sid:2009487; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Clickspring.net Spyware Reporting"; flow: to_server,established; content:"Host|3a| www.bullseye-network.com"; nocase; http_header; reference:url,sarc.com/avcenter/venc/data/adware.bargainbuddy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001501; classtype:pup-activity; sid:2001501; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AVKiller with Backdoor checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"id="; http_client_body; nocase; content:"&ip_int="; http_client_body; nocase; content:"&os="; http_client_body; nocase; content:"&av="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2009812; classtype:command-and-control; sid:2009812; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bundleware Spyware Download"; flow: to_server,established; content:"/app/InternetFuel/AppWrap.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001451; classtype:pup-activity; sid:2001451; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Antispywareexpert.com Fake AS Install Checkin"; flow:established,to_server; content:"/?action="; http_uri; content:"&pc_id="; http_uri; content:"&abbr="; http_uri; content:"&a="; http_uri; content:"&l="; http_uri; content:"&addt"; reference:url,doc.emergingthreats.net/2008502; classtype:command-and-control; sid:2008502; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bundleware Spyware CHM Download"; flow: to_server,established; content:"Referer|3a| ms-its|3a|mhtml|3a|file|3a|//C|3a|counter.mht!http|3a|//"; nocase; content:"/counter/HELP3.CHM|3a 3a|/help.htm"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001452; classtype:pup-activity; sid:2001452; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Antivirus2008 Fake AV Install Report"; flow:established,to_server; content:"?type=scanner&pin="; http_uri; content:"&lnd="; http_uri; reference:url,doc.emergingthreats.net/2008511; classtype:trojan-activity; sid:2008511; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bundleware Spyware cab Download"; flow: to_server,established; content:"/counter/counter_v3.cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001458; classtype:pup-activity; sid:2001458; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Autorun.qvi Related HTTP Get on Off Port"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/get_r.php?fid="; http_uri; content:"&mac="; http_uri; within:15; content:"&version="; http_uri; distance:0; content:"&uuid="; http_uri; distance:0; reference:url,doc.emergingthreats.net/2008755; classtype:trojan-activity; sid:2008755; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP C4tdownload.com Spyware Activity"; flow: to_server,established; content:"/js.php?event_type=onload&recurrence="; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002088; classtype:pup-activity; sid:2002088; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bandook iwebho/BBB-phish trojan leaking user data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Type|3a20|application/x-www-form-urlencoded|0d0a|Host|3a20|"; depth:55; http_header; content:"Content-Length|3a20|"; http_header; content:"VISITED_URL"; depth:100; http_client_body; reference:url,www.secureworks.com/research/threats/bbbphish; reference:url,doc.emergingthreats.net/2003937; classtype:trojan-activity; sid:2003937; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DownLoader.30525 Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/ctrv.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2006404; classtype:command-and-control; sid:2006404; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.OPX HTTP Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"TIPO=CLIENTE&NOME="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2007901; classtype:command-and-control; sid:2007901; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CNSMIN (3721.com) Spyware Activity"; flow:established,to_server; content:"/download/CnsMin"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003417; classtype:pup-activity; sid:2003417; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.ili HTTP Checkin"; flow:established,to_server; content:"/ctrl/cnt_boot.php?pgv="; http_uri; nocase; reference:url,doc.emergingthreats.net/2007940; classtype:command-and-control; sid:2007940; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CNSMIN (3721.com) Spyware Activity 2"; flow:established,to_server; content:"/download/CnsUp"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003418; classtype:pup-activity; sid:2003418; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Trojan (General) HTTP Checkin"; flow:established,to_server; content:".php?PC="; http_uri; content:"&Data="; http_uri; content:"&Mac="; http_uri; reference:url,doc.emergingthreats.net/2007984; classtype:command-and-control; sid:2007984; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CNSMIN (3721.com) Spyware Activity 3"; flow:established,to_server; content:"/download/autolvsw.ini?"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003419; classtype:pup-activity; sid:2003419; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.JU Related HTTP Post-infection Checkin"; flow:established,to_server; content:"/envio.php?"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"tipo="; http_client_body; reference:url,doc.emergingthreats.net/2008267; classtype:command-and-control; sid:2008267; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CWS qck.cc Spyware Installer (in.php)"; flow:established,to_server; content:"/x/in.php?wm="; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002089; classtype:pup-activity; sid:2002089; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Agent.zrm/Infostealer.Bancos Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"appdata="; http_uri; nocase; content:"hd="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"computador="; http_uri; nocase; reference:url,doc.emergingthreats.net/2008519; classtype:command-and-control; sid:2008519; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CWS qck.cc Spyware Installer (web.php)"; flow:established,to_server; content:"/x/tbd_web.php?wm="; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002095; classtype:pup-activity; sid:2002095; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Generic Banker Trojan Downloader Config to client"; flow:established,to_client; content:"|0d 0a 0d 0a|[Controlinfo]"; nocase; content:"CntInfo="; within:9; nocase; content:"UseSepControl="; within:30; nocase; content:"Names="; within:20; reference:url,doc.emergingthreats.net/2009090; classtype:trojan-activity; sid:2009090; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CWS Spy-Sheriff.com Infeced Buy Page Request"; flow:established,to_server; content:"/?advid="; nocase; http_uri; content:"spy-sheriff.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002933; classtype:pup-activity; sid:2002933; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker/Bancos/Infostealer Possible Rootkit - HTTP HEAD Request"; flow:established,to_server; content:"HEAD"; http_method; nocase; content:".php?action="; http_uri; nocase; content:"&uid="; nocase; http_uri; content:"&locale="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&build="; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/Trojan.Banker/; reference:url,www.anti-spyware-101.com/remove-trojanbanker; reference:url,doc.emergingthreats.net/2009750; classtype:trojan-activity; sid:2009750; rev:6; metadata:created_at 2010_07_30, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spywaremover Activity"; flow: to_server,established; content:"/download/cabs/THNALL1L/thnall1l.exe"; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087903; reference:url,doc.emergingthreats.net/bin/view/Main/2001521; classtype:pup-activity; sid:2001521; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patcher/Bankpatch Module Download Request"; flow:established,to_server; content:"/dl/AcroIEHelpe"; nocase; http_uri; content:".dll"; http_uri; nocase; pcre:"/\/dl\/AcroIEHelpe(r)?(\d)?\.dll/U"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-081817-1808-99&tabid=2; reference:url,doc.emergingthreats.net/2009409; classtype:trojan-activity; sid:2009409; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casino on Net Install"; flow: to_server,established; content:"/newdownload/newsetup/"; nocase; http_uri; content:"casinone"; nocase; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001041; classtype:pup-activity; sid:2001041; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload HTTP Checkin Detected"; flow:established,to_server; content:"php?mac="; nocase; http_uri; content:"&hdd="; nocase; http_uri; content:"++++++++"; nocase; content:"&ver="; nocase; http_uri; content:"&ie="; http_uri; nocase; reference:url,doc.emergingthreats.net/2007864; classtype:command-and-control; sid:2007864; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casino on Net Ping Hit"; flow: to_server,established; content:"/Ping/Ping.txt"; nocase; http_uri; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001032; classtype:pup-activity; sid:2001032; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload HTTP Checkin Detected (quem=)"; flow:established,to_server; content:".php"; nocase; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"quem="; depth:5; http_client_body; content:"praquem="; http_client_body; fast_pattern; offset:5; nocase; reference:url,doc.emergingthreats.net/2008283; classtype:command-and-control; sid:2008283; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casino on Net Data Download"; flow: to_server,established; content:"/sdl/casinov"; nocase; http_uri; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001033; classtype:pup-activity; sid:2001033; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BANLOAD Downloader GET Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"mac="; http_uri; content:"sys="; http_uri; content:"yp="; http_uri; content:"rand="; http_uri; nocase; pcre:"/mac=[0-9A-Fa-f]{12}&/Ui"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojbanloe.html; reference:url,doc.emergingthreats.net/2009453; classtype:command-and-control; sid:2009453; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Catchonlife.com Spyware"; flow: to_server,established; content:"/nw3/r1.txt?"; http_uri; content:"catchonlife"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003358; classtype:pup-activity; sid:2003358; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"c=voip&ord="; nocase; http_uri; content:"=&SCRNSZ"; http_uri; content:"&BRSRSZ="; http_uri; content:"&TIMEZONE="; http_uri; reference:url,doc.emergingthreats.net/2010266; classtype:command-and-control; sid:2010266; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Cnzz.com/Baidu Related Spyware Stat Reporting"; flow:established,to_server; content:"/stat.php?id="; nocase; http_uri; content:"&web_id="; nocase; http_uri; content:"Host|3a|"; nocase; http_header; content:!"Referer|3a| "; nocase; http_header; reference:url,vil.nai.com/vil/content/v_140364.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2003607; classtype:trojan-activity; sid:2003607; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Urlzone/Bebloh Communication with Controller"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?type=slg&id="; http_uri; nocase; pcre:"/\?type=slg&id=[0-9A-Z]{18}/U"; reference:url,threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_BEBLOH.KO&VSect=Td; reference:url,doc.emergingthreats.net/2009351; classtype:trojan-activity; sid:2009351; rev:8; metadata:created_at 2010_07_30, former_category TROJAN, malware_family URLZone, tag Banking_Trojan, updated_at 2018_04_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Traffic"; flow: to_server,established; content:"/cc/"; http_uri; content:"Host|3a| update.cc.cometsystems.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2000931; classtype:pup-activity; sid:2000931; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bredavi Configuration Update Response"; flow:established,from_server; content:"|0d 0a 0d 0a 21|new_config|0a|"; nocase; reference:url,doc.emergingthreats.net/2010790; classtype:trojan-activity; sid:2010790; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CometSystems Spyware"; flow: to_server,established; content:"/comet/request"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001050; classtype:pup-activity; sid:2001050; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bredolab Downloader Communicating With Controller (2)"; flow:established,to_server; content:"action="; nocase; http_uri; content:"&guid="; nocase; http_uri; content:"&rnd="; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&entity="; http_uri; nocase; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader%3aWin32/Bredolab.B; reference:url,doc.emergingthreats.net/2009354; classtype:trojan-activity; sid:2009354; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Traffic (context.xml)"; flow: to_server,established; content:"/context/1/up_context_1.xml"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083029; reference:url,doc.emergingthreats.net/bin/view/Main/2001655; classtype:pup-activity; sid:2001655; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bredolab Check In"; flow:established,to_server; content:"GET"; nocase; http_method; content:"v="; http_uri; content:"&s="; http_uri; content:"&uid="; http_uri; content:"&p="; http_uri; content:"&q="; content:"User-Agent|3a 0d 0a|"; http_header; reference:url,www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/; reference:url,doc.emergingthreats.net/2009360; classtype:trojan-activity; sid:2009360; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Reporting"; flow: to_server,established; content:"Host|3a| log.cc.cometsystems.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001658; classtype:pup-activity; sid:2001658; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Metafisher/Bzub/Cimuz/Tanspy Reporting User Activity"; flow:established,to_server; content:"ver="; nocase; http_uri; content:"&lg="; nocase; http_uri; content:"&phid="; nocase; http_uri; content:"&r="; http_uri; pcre:"/phid=[A-F0-9]{64}/Ui"; reference:url,doc.emergingthreats.net/2009349; classtype:trojan-activity; sid:2009349; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Update Download"; flow: to_server,established; content:"/cc/5/masterconfig/"; nocase; http_uri; content:"/update.xml?v="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002351; classtype:pup-activity; sid:2002351; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cinmus.Checkin 1"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?version="; nocase; http_uri; content:"lversion="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"&fid="; nocase; http_uri; content:"&vpc="; nocase; http_uri; content:"&run="; nocase; http_uri; content:"&from="; http_uri; reference:url,doc.emergingthreats.net/2008623; classtype:command-and-control; sid:2008623; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Context Report"; flow: to_server,established; content:"/context/1/up_context_1.xml?v="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002352; classtype:pup-activity; sid:2002352; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cinmus.Checkin 2"; flow:to_server,established; content:"GET"; http_method; nocase; content:"?fid="; nocase; http_uri; content:"&kid="; nocase; http_uri; content:"&cnt="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"&kw="; nocase; http_uri; content:"&from="; http_uri; reference:url,doc.emergingthreats.net/2008624; classtype:command-and-control; sid:2008624; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Cursor DL"; flow: to_server,established; content:"/czcontent/cursor"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003307; classtype:pup-activity; sid:2003307; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citi-bank.ru Related Trojan Checkin"; flow:established,to_server; content:".php?hid=NT"; nocase; http_uri; content:"&wp="; nocase; http_uri; content:"&sp="; nocase; http_uri; content:"&eep="; nocase; http_uri; content:"&edp="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008153; classtype:command-and-control; sid:2008153; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Conduit Connect Toolbar Message Download(Many report to be benign)"; flow: to_server,established; content:"/Message/"; http_uri; content:"User-Agent|3a| EI"; nocase; http_header; pcre:"/\/Message\/\S+\/\S+\.xml/Ui"; reference:url,www.conduit.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003218; classtype:pup-activity; sid:2003218; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Conficker/MS08-067 Worm Traffic Outbound"; flowbits:isset,ET.ms08067_header; flow:established,to_server; content:"If-None-Match|3A| |22|60794|2D|12b3|2D|e4169440|22|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008739; classtype:trojan-activity; sid:2008739; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Content-loader.com Spyware Install"; flow: to_server,established; content:"/getexe/?wmid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003074; classtype:pup-activity; sid:2003074; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoreFlooder.Q C&C Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/a?"; nocase; http_uri; content:"wg="; http_client_body; nocase; content:"&cn="; http_client_body; nocase; content:"&i="; http_client_body; nocase; content:"&panic="; http_client_body; nocase; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCOREFLOOD%2EQ; reference:url,doc.emergingthreats.net/2008353; classtype:command-and-control; sid:2008353; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Content-loader.com Spyware Install 2"; flow: to_server,established; content:"/getdata/getdata.php?wmid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003075; classtype:pup-activity; sid:2003075; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxy.Corpes.j Infection Report"; flow:established,to_server; content:".php?tma="; http_uri; content:"&mode="; http_uri; pcre:"/mode=\d+D[0-9A-F]{150}/U"; reference:url,doc.emergingthreats.net/2008144; classtype:trojan-activity; sid:2008144; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Content-loader.com (ownusa.info) Spyware Install"; flow: to_server,established; content:"/fdial2.php?o="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003076; classtype:pup-activity; sid:2003076; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cosmu Process Dump Report"; flow:established,to_server; content:"] Dumping processes {|0d 0a|"; reference:url,doc.emergingthreats.net/2011234; classtype:trojan-activity; sid:2011234; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ContextPanel Reporting"; flow: to_server,established; content:"/cplog/?logtype="; nocase; http_uri; content:"contextpanel.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001456; classtype:pup-activity; sid:2001456; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Crypt.CFI.Gen Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3a| BIE|0d 0a|"; http_header; content:"cname="; http_client_body; reference:url,doc.emergingthreats.net/2009204; classtype:command-and-control; sid:2009204; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CoolDeskAlert Spyware Activity"; flow:to_server,established; content:"/alert/get_xml"; nocase; http_uri; content:"deskbar_id={"; nocase; reference:url,cooldeskalert.com; reference:url,www.benedelman.org/spyware/images/bannerfarms-ad_w_a_r_e-globalstore-log-061006.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003462; classtype:pup-activity; sid:2003462; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DNS Changer HTTP Post Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"x="; http_client_body; content:!"User-Agent|3a| "; http_header; pcre:"/^x=[0-9a-zA-Z]{50}/P"; reference:url,doc.emergingthreats.net/2008263; classtype:command-and-control; sid:2008263; rev:13; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Coolsearch Spyware Install"; flow: to_server,established; content:"coolsearch.biz/united.htm"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001479; classtype:pup-activity; sid:2001479; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DNSChanger.AT or related Infection Checkin Post"; flow:established,to_server; content:"POST /cgi-bin/generator HTTP/1.0|0d 0a|Content-Length|3a| "; depth:50; content:"|0d 0a 0d 0a|"; within:10; reference:url,doc.emergingthreats.net/2008940; classtype:command-and-control; sid:2008940; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Corpsespyware.net BlackList - pcpeek"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"pcpeek-webcam-sex.com"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002766; classtype:pup-activity; sid:2002766; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Daonol C&C Communication"; flow:established,to_server; content:"/x/?0"; http_uri; nocase; content:"|0d 0a|SS|3a|"; nocase; content:"|0d 0a|Xost|3a|"; nocase; pcre:"/\/x\/\?0\w{35}$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaonol; reference:url,blog.fireeye.com/research/2009/10/gumblar-not-gumby.html; reference:url,www.iss.net/threats/gumblar.html; reference:url,blog.scansafe.com/journal/2009/10/15/gumblar-website-botnet-awakes.html; reference:url,doc.emergingthreats.net/2010164; classtype:command-and-control; sid:2010164; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Corpsespyware.net Distribution - bos.biz"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"businessopportunityseeker.biz"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002767; classtype:pup-activity; sid:2002767; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf HTTP Checkin (1)"; flow:established,to_server; content:"/mydown.asp?"; nocase; http_uri; content:"reg="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&tgid="; nocase; http_uri; content:"&address="; nocase; http_uri; content:"&mydo="; nocase; http_uri; content:"&flag="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007838; classtype:command-and-control; sid:2007838; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Corpsespyware.net Distribution - studiolacase"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"studiolacase.com"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002769; classtype:pup-activity; sid:2002769; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Download via HTTP"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/mdfexcute/"; http_uri; content:"Windows 98)"; http_header; reference:url,doc.emergingthreats.net/2007911; classtype:trojan-activity; sid:2007911; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Corpsespyware.net - msits.exe access"; flow:to_server,established; content:"/msits.exe"; nocase; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002770; classtype:pup-activity; sid:2002770; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Checkin via HTTP (up)"; flow:established,to_server; content:"/up.html?"; nocase; http_uri; content:"set="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&MAC="; http_uri; nocase; reference:url,doc.emergingthreats.net/2007939; classtype:command-and-control; sid:2007939; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Corpsespyware.net - msys.exe access"; flow:to_server,established; content:"/msys.exe"; nocase; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002771; classtype:pup-activity; sid:2002771; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Checkin via HTTP (6)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?v="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&=w"; http_uri; nocase; reference:url,doc.emergingthreats.net/2008071; classtype:command-and-control; sid:2008071; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Couponage Download"; flow: to_server,established; content:".dl_"; nocase; http_uri; content:"couponage.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001453; classtype:pup-activity; sid:2001453; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Checkin via HTTP (7)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?macros="; nocase; http_uri; content:"&botstatus="; http_uri; nocase; reference:url,doc.emergingthreats.net/2008090; classtype:command-and-control; sid:2008090; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Couponage Configure"; flow: to_server,established; content:".da_"; nocase; content:"couponage.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001454; classtype:pup-activity; sid:2001454; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Delf followon POST Data PUSH Packet"; flow:established,to_server; content:"tip="; depth:4; nocase; content:"&cli="; nocase; content:"&tipo="; nocase; reference:url,www.threatexpert.com/threats/trojan-downloader-win32-delf.html; reference:url,doc.emergingthreats.net/2009824; classtype:trojan-activity; sid:2009824; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DelFin Project Spyware (payload)"; flow: established,to_server; content:"/in/payload/payload.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002816; classtype:pup-activity; sid:2002816; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dialer"; flow: established,to_server; content:"/getnumtemp.asp?nip=0"; http_uri; nocase; reference:url,isc.sans.org/diary.php?storyid=1388; reference:url,doc.emergingthreats.net/2003083; classtype:trojan-activity; sid:2003083; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DelFin Project Spyware (setup)"; flow: established,to_server; content:"/in/defaults/setup.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002817; classtype:pup-activity; sid:2002817; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Dialer.buv Sending Information Home"; flow:established,to_server; content:"/exit.php?if="; http_uri; nocase; content:"&cl="; content:"&id="; content:"&ov="; content:"&site="; content:"&tk="; reference:url,doc.emergingthreats.net/2008430; classtype:trojan-activity; sid:2008430; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DelFin Project Spyware (setup-alt)"; flow: established,to_server; content:"/in/defaults/setup-alt.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003472; classtype:pup-activity; sid:2003472; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dialer.Win32.E-Group.n Checkin"; flow:to_server,established; content:"login="; nocase; http_uri; content:"&brokerid="; nocase; http_uri; content:"&extlogin="; nocase; http_uri; content:"&autosize="; nocase; http_uri; content:"&icp="; nocase; http_uri; content:"&id_site="; nocase; http_uri; content:"&dl_tracker="; nocase; http_uri; content:"&connection_type="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008490; classtype:command-and-control; sid:2008490; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DelFin Project Spyware (payload-alt)"; flow: established,to_server; content:"/in/payload/payload-alt.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003473; classtype:pup-activity; sid:2003473; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE dlink router access attempt"; flow:established,to_server; content:"GET /dlink/hwiz.html HTTP/1.0|0d 0a 0d 0a|"; content:!"|0d 0a|Host|3a| "; reference:url,doc.emergingthreats.net/2008945; classtype:trojan-activity; sid:2008945; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DesktopTraffic Toolbar Spyware"; flow: to_server,established; content:"cgi-bin/ezl_kws.fcgi?cat"; nocase; http_uri; reference:url,research.spysweeper.com/threat_library/threat_details.php?threat=desktoptraffic.net_hijack; reference:url,doc.emergingthreats.net/bin/view/Main/2001884; classtype:pup-activity; sid:2001884; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Dluca HTTP Checkin"; flow:established,to_server; content:"?id={"; nocase; http_uri; content:"&srv="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&docid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&cstate="; nocase; http_uri; content:"&state="; nocase; http_uri; content:"&flash="; nocase; http_uri; content:"&pin="; nocase; http_uri; content:"&OSInfo2="; nocase; content:"&cinfo="; nocase; http_uri; content:"&smd="; nocase; http_uri; content:"&rts="; nocase; http_uri; content:"&retryattempt="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007595; classtype:command-and-control; sid:2007595; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Deskwizz.com Spyware Install Code Download"; flow: to_server,established; content:"/ax/acdt-pid"; nocase; http_uri; content:".exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003444; classtype:pup-activity; sid:2003444; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clicker.BC User Agent Detected (linkrunner)"; flow:established,to_server; content:"User-Agent|3a| linkrunner"; nocase; http_header; reference:url,doc.emergingthreats.net/2003648; classtype:trojan-activity; sid:2003648; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Direct-web.co.kr Related Spyware Checkin"; flow:established,to_server; content:".php?appname="; nocase; http_uri; content:"&appseq="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"&type="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007978; classtype:pup-activity; sid:2007978; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Agent.bwr CnC Beacon"; flow:established,to_server; content:"?m="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&hdd="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006377; classtype:command-and-control; sid:2006377; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2010_07_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Doctorpro.co.kr Related Fake Anti-Spyware Install Checkin"; flow:established,to_server; content:"/install_count.html?id="; nocase; http_uri; content:"&MAC="; nocase; http_uri; pcre:"/MAC=0\w-\w\w-\w\w-\w\w-\w\w-\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006425; classtype:trojan-activity; sid:2006425; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.26001 Url Pattern Detected"; flow:established,to_server; content:"install.php?"; nocase; http_uri; content:"wall_id="; nocase; http_uri; content:"&maddr=0"; nocase; http_uri; content:"&action="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006400; classtype:trojan-activity; sid:2006400; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Doctorpro.co.kr Related Fake Anti-Spyware Checkin"; flow:established,to_server; content:"/access_count.html?id="; nocase; http_uri; content:"&MAC="; nocase; http_uri; pcre:"/MAC=0\w-\w\w-\w\w-\w\w-\w\w-\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006426; classtype:trojan-activity; sid:2006426; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.26001 Url Pattern Detected (lunch_id)"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"aff_id="; nocase; http_uri; content:"lunch_id="; nocase; http_uri; content:"&maddr=0"; nocase; http_uri; reference:url,doc.emergingthreats.net/2006401; classtype:trojan-activity; sid:2006401; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Fake Anti-Spyware Mac Check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/nchkmac.php?mac=0"; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006427; classtype:pup-activity; sid:2006427; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Downloader or Virut C&C Ack"; flow:established,to_server; content:"uid="; nocase; http_uri; content:"&version="; nocase; http_uri; content:"&actionname="; nocase; http_uri; content:"&action="; nocase; http_uri; content:"&success="; nocase; http_uri; content:"&debug="; nocase; http_uri; content:"&nocache="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007587; classtype:command-and-control; sid:2007587; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Fake Anti-Spyware Checkin (open)"; flow:established,to_server; content:"/open.php?sn="; nocase; http_uri; pcre:"/sn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006428; classtype:pup-activity; sid:2006428; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.49651 Checkin"; flow:established,to_server; content:"/boot.php/boot.php?"; nocase; http_uri; content:"partner="; nocase; http_uri; content:"&mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007952; classtype:command-and-control; sid:2007952; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Fake Anti-Spyware Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/chkblack.php?mac=0"; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006431; classtype:pup-activity; sid:2006431; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.49651 Install Report"; flow:established,to_server; content:"/install.php?"; nocase; http_uri; content:"partner="; nocase; http_uri; content:"&mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007953; classtype:trojan-activity; sid:2007953; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Fake Anti-Spyware Checkin (ret)"; flow:established,to_server; content:"/ret.php?"; nocase; http_uri; content:"mode="; nocase; http_uri; content:"&cname="; nocase; http_uri; content:"&cn="; nocase; http_uri; pcre:"/cn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006432; classtype:pup-activity; sid:2006432; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.49651 Online Report"; flow:established,to_server; content:"/up.html?"; nocase; http_uri; content:"set="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"&mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007954; classtype:trojan-activity; sid:2007954; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Fake Anti-Spyware Post (api_result)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/api_result.php?"; nocase; http_uri; content:"mode="; nocase; http_uri; content:"&PartID="; nocase; http_uri; content:"&mac="; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006433; classtype:pup-activity; sid:2006433; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cygo Checkin"; flow:established,to_server; content:"/count.php?"; nocase; http_uri; content:"type="; nocase; http_uri; content:"partner="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"ver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007955; classtype:command-and-control; sid:2007955; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Viruscheck.co.kr Related Fake Anti-Spyware Post (chkvs)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/chkvs.php?mac=0"; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007642; classtype:pup-activity; sid:2007642; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.VB.CEJ HTTP Checkin"; flow:established,to_server; content:"/down"; http_uri; content:"/down/?"; http_uri; content:"s="; http_uri; content:"&t="; http_uri; content:"&v="; http_uri; pcre:"/\/down\d+\/down\/\?s=[A-F0-9]+\&t=\d+\/\d+\/20/U"; reference:url,doc.emergingthreats.net/2008087; classtype:command-and-control; sid:2008087; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TROJAN_VB Microjoin"; flow:established,to_server; content:"/bundle/loader.exe"; nocase; http_uri; reference:url,de.trendmicro-europe.com/consumer/vinfo/encyclopedia.php?VName=TROJ_VB.AWW; reference:url,doc.emergingthreats.net/bin/view/Main/2003084; classtype:pup-activity; sid:2003084; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Emo/Downloader.vr Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; content:"v="; http_uri; content:"&rs="; http_uri; content:"&n="; http_uri; content:"&uid="; http_uri; reference:url,doc.emergingthreats.net/2008546; reference:url,www.malwaredomainlist.com/mdl.php?search=emo+&colsearch=All&quantity=50; classtype:trojan-activity; sid:2008546; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Related Reporting Install"; flow: to_server,established; content:"/count/count.php?&mm"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001416; classtype:pup-activity; sid:2001416; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Dropper User-Agent (XXXwww)"; flow:established,to_server; content:"User-Agent|3a| XXXwww"; http_header; classtype:trojan-activity; sid:2014387; rev:1; metadata:created_at 2012_03_16, updated_at 2012_03_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Related Reporting"; flow: to_server,established; content:"/count/count.php?&mm2cpr"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001423; classtype:pup-activity; sid:2001423; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Agent.cah Checkin Request"; flow:established,to_server; content:"?v="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&r1="; nocase; http_uri; content:"&tm=201"; nocase; http_uri; content:"&av="; nocase; http_uri; content:"&os=Windows"; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"cht="; http_uri; reference:url,doc.emergingthreats.net/2007644; classtype:command-and-control; sid:2007644; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Spyware Reporting (check url)"; flow: to_server,established; content:"/go/check?build="; nocase; http_uri; content:"&source="; nocase; http_uri; content:"&merchants="; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2003504; classtype:pup-activity; sid:2003504; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper.Win32.VB.on Keylog/System Info Report via HTTP"; flow:established,to_server; content:"post================================"; content:"=====|0d 0a|Resource Name "; distance:0; content:"|0d 0a|User Name/Value "; distance:0; content:"*************STEAM PASSWORDS**********"; distance:0; content:"Number of procesor|3a|"; distance:0; reference:url,doc.emergingthreats.net; classtype:trojan-activity; sid:2007987; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ESyndicate Spyware Install (esyndicateinst.exe)"; flow: to_server,established; content:"/files/eSyndicateInst.exe"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; reference:url,doc.emergingthreats.net/bin/view/Main/2002009; classtype:pup-activity; sid:2002009; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper mdodo.com Related Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Mdodo"; http_header; reference:url,doc.emergingthreats.net/2008195; classtype:trojan-activity; sid:2008195; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ESyndicate Spyware Install (sepinst.exe)"; flow: to_server,established; content:"/files/SEPInst.exe"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; reference:url,doc.emergingthreats.net/bin/view/Main/2002010; classtype:pup-activity; sid:2002010; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper 6dzone.com Related Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| 6dzone|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008196; classtype:trojan-activity; sid:2008196; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EZSearch Spyware Reporting Search Strings"; flow:established,to_server; content:"/partner/rt.php?q="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002317; classtype:pup-activity; sid:2002317; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Duntek establishing remote connection"; flow:established,to_server; content:"rfe.php?"; nocase; http_uri; content:"cmp=dun_tekfirst"; nocase; http_uri; content:"guid="; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-102514-0554-99; reference:url,doc.emergingthreats.net/2003537; classtype:trojan-activity; sid:2003537; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EZSearch Spyware Reporting Search Category"; flow:established,to_server; content:"/partner/rt.php?cat="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002318; classtype:pup-activity; sid:2002318; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE E-Jihad 3.0 DDoS HTTP Activity OUTBOUND"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Attacker|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:denial-of-service; sid:2007686; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EZSearch Spyware Reporting 2"; flow:established,to_server; content:"/partner/bom.php?e="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002319; classtype:pup-activity; sid:2002319; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE E-Jihad 3.0 DDoS HTTP Activity INBOUND"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Attacker|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:denial-of-service; sid:2007687; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Ebates Install"; flow: to_server,established; content:"/ebates.exe"; http_uri; reference:url,www.pestpatrol.com/PestInfo/e/ebates_moneymaker.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001038; classtype:pup-activity; sid:2001038; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Egspy Install Report via HTTP"; flow:established,to_server; content:"/control.php?pcad="; nocase; http_uri; content:"&tarih="; nocase; http_uri; content:"&saat="; nocase; http_uri; content:"&veri="; http_uri; reference:url,doc.emergingthreats.net/2008136; classtype:trojan-activity; sid:2008136; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Effectivebrands.com Spyware Checkin"; flow:established,to_server; content:"/iis2ebs.asp"; nocase; http_uri; content:"effectivebrands.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003304; classtype:pup-activity; sid:2003304; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Eleonore Exploit Pack activity"; flow:established,to_server; content:"?spl="; http_uri; content:"&br="; http_uri; content:"&vers="; http_uri; content:"&s="; http_uri; pcre:"/\?spl=\d+&br=[A-Za-z]+&vers=\d\.\d&s=[a-z0-9]+[^&]$/U"; reference:url,www.offensivecomputing.net/?q=node/1419; reference:url,doc.emergingthreats.net/2010248; classtype:trojan-activity; sid:2010248; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Effectivebrands.com Spyware Checkin 2"; flow:established,to_server; content:"/iis2ucms.asp"; nocase; http_uri; content:"effectivebrands.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003360; classtype:pup-activity; sid:2003360; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Eleonore Exploit Pack activity variant May 2010"; flow:established,to_server; content:".php?spl="; http_uri; pcre:"/\?spl=MS[0-9]{2}-[0-9]{3}$/U"; reference:url,www.offensivecomputing.net/?q=node/1419; reference:url,doc.emergingthreats.net/2010248; classtype:trojan-activity; sid:2011128; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Epilot.com Spyware Reporting"; flow:established,to_server; content:"/getresults.aspx"; nocase; http_uri; content:"?aff="; nocase; http_uri; content:"&ip="; nocase; http_uri; content:"&keyword="; nocase; http_uri; content:"&source="; nocase; http_uri; reference:url,www.intermute.com/spysubtract/researchcenter/ClientMan.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003414; classtype:pup-activity; sid:2003414; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FSG Packed Binary via HTTP Inbound"; flow:from_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/2002773; classtype:trojan-activity; sid:2002773; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Epilot.com Spyware Reporting Clicks"; flow:established,to_server; content:"/click.aspx?"; nocase; http_uri; content:"?xp="; nocase; http_uri; content:"Host|3a| "; nocase; http_header; content:"epilot.com"; nocase; http_header; reference:url,www.intermute.com/spysubtract/researchcenter/ClientMan.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003416; classtype:pup-activity; sid:2003416; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rogue A/V Win32/FakeXPA GET Request"; flow:to_server,established; content:"?campaign="; http_uri; content:"&country="; http_uri; content:"&counter="; http_uri; content:"&campaign="; http_uri; content:"&landid="; http_uri; reference:url,doc.emergingthreats.net/2009209; classtype:trojan-activity; sid:2009209; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP F1Organizer Install Attempt"; flow: to_server,established; content:"/f1/objects/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000585; classtype:pup-activity; sid:2000585; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKE/ROGUE AV HTTP Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"mid="; content:"&wv="; content:"&r="; content:"&tp="; content:"&exe="; fast_pattern; content:"&ls="; content:"&uid="; reference:url,doc.emergingthreats.net/2009514; classtype:trojan-activity; sid:2009514; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP F1Organizer Reporting"; flow: to_server,established; content:"/f1/audit/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000582; classtype:pup-activity; sid:2000582; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKE/ROGUE AV Encoded data= HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http_header; content:"data=/CjEfcLas0KCj/"; http_client_body; nocase; reference:url,doc.emergingthreats.net/2009553; classtype:trojan-activity; sid:2009553; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP GET invalid method case outbound"; flow:established,to_server; content:"get "; depth:4; nocase; content:!"GET "; depth:4; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014379; rev:2; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake/Rogue AV Landing Page Encountered"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"land="; nocase; http_uri; content:"affid="; nocase; http_uri; pcre:"/\.php\?(land=\d+|affid=\d{5})&(land=\d+|affid=\d{5})$/Ui"; reference:url,en.wikipedia.org/wiki/Scareware; reference:url,doc.emergingthreats.net/2010347; classtype:trojan-activity; sid:2010347; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP F1Organizer Config Download"; flow: to_server,established; content:"/F1/Cmd4F1"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001221; classtype:pup-activity; sid:2001221; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Fake-Rean Installer Activity (Malwareurl.com Top 30)"; flow:to_server; content:"|2F|installer|2F|Installer|2E|exe"; nocase; http_uri; pcre:"/[1-3]\x2Finstaller\x2FInstaller\x2Eexe/Ui"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojfakereane.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010221; classtype:trojan-activity; sid:2010221; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Findwhat.com Spyware (clickthrough)"; flow: to_server,established; content:"/bin/findwhat.dll?clickthrough&"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003579; classtype:pup-activity; sid:2003579; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Feral Checkin via HTTP"; flow:established,to_server; content:"?ucid="; nocase; http_uri; content:"&wmid="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007286; classtype:trojan-activity; sid:2007286; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Findwhat.com Spyware (sendmedia)"; flow: to_server,established; content:"/bin/findwhat.dll?sendmedia&"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003581; classtype:pup-activity; sid:2003581; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Win32.Flystud"; flow:to_server,established; content:"loading.html?fn="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&cid="; nocase; http_uri; content:"&pn="; nocase; http_uri; content:"&clientid="; nocase; http_uri; content:"channel="; nocase; http_uri; content:"&stn="; nocase; http_uri; reference:url,doc.emergingthreats.net/2011086; classtype:trojan-activity; sid:2011086; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FlashPoint Agent Retrieving New Code"; flow: to_server,established; content:"/ftxmon.php?"; http_uri; reference:url,www.flashpoint.bm; reference:url,doc.emergingthreats.net/bin/view/Main/2000905; classtype:trojan-activity; sid:2000905; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fragus Exploit Kit Landing"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"hello="; nocase; http_uri; pcre:"/\.php\?(id=|pid=|hello=)\d+&(id=|pid=|hello=)\d+&(id=|pid=|hello=)\d+$/Ui"; reference:url,jsunpack.jeek.org/dec/go?report=d60344851322218108076f1ad8d21435de9d5b7c; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2011693; classtype:exploit-kit; sid:2011693; rev:5; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP FlashTrack Agent Retrieving New App Code"; flow: to_server,established; content:"/apps/r.exe"; http_uri; reference:url,www.flashpoint.bm; reference:url,doc.emergingthreats.net/bin/view/Main/2000936; classtype:pup-activity; sid:2000936; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fullspace.cc or Related Checkin (1)"; flow:established,to_server; content:"/config.php?ver="; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&action="; nocase; http_uri; content:"&ras="; nocase; http_uri; content:"&verfull="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008397; classtype:command-and-control; sid:2008397; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Flingstone Spyware Install (cxtpls)"; flow: established,to_server; content:"/softwares/cxtpls_loader_ff.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001710; classtype:pup-activity; sid:2001710; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS.Gamania Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"un="; http_client_body; content:"&pw="; http_client_body; content:"&sn="; http_client_body; content:"&l="; http_client_body; content:"&gd1="; http_client_body; content:"&pn="; http_client_body; reference:url,doc.emergingthreats.net/2008431; classtype:command-and-control; sid:2008431; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Flingstone Spyware Install (sportsinteraction)"; flow: established,to_server; content:"/softwares/SportsInteraction.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001705; classtype:pup-activity; sid:2001705; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Gemini/Fake AV Download URL Detected"; flow:established,to_server; content:"/Layouts/Landings/CentralLandings/"; nocase; http_uri; content:"/images/"; nocase; http_uri; pcre:"/\x2FLayouts\x2FLandings\x2FCentralLandings\x2F\d+\x2Fimages\x2F/Ui"; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,doc.emergingthreats.net/2010450; classtype:trojan-activity; sid:2010450; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing with prototype catch"; flow:established,from_server; content:"if(window.document)try{new"; content:".prototype}catch("; distance:0; fast_pattern; classtype:bad-unknown; sid:2014369; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_13, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader Infostealer - GET Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| wget 3.0|0d 0a|"; nocase; http_header; content:"aid="; nocase; http_uri; content:"os="; nocase; http_uri; content:"uid="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009539; classtype:command-and-control; sid:2009539; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products Install"; flow: to_server,established; content:"/install_ie.jsp?product="; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000599; classtype:pup-activity; sid:2000599; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Agent.QBY CnC Post"; flow:established,to_server; content:"cike.php?fid="; nocase; http_uri; content: "&cid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&tid="; nocase; http_uri; content:"&sn="; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?uid=4f05faef-6a70-4957-8990-b316d8487f63; reference:url,doc.emergingthreats.net/2010138; classtype:command-and-control; sid:2010138; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products SmileyCentral"; flow: to_server,established; content:"/images/smileycentral/"; nocase; http_uri; content:"FunWebProducts"; nocase; http_header; fast_pattern; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001013; classtype:pup-activity; sid:2001013; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Keylogger Infection Report via POST"; flow:established,to_server; content:"texto=|25 30 44 25 30 41 25 30 44 25 30 41|Computer"; content:"|25 30 44 25 30 41|IP|25 32 45 25 32 45 25 32 45 25 32 45 25 32 45|"; distance:0; reference:url,doc.emergingthreats.net/2008521; classtype:trojan-activity; sid:2008521; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products Smileychooser Spyware"; flow: to_server,established; content:"/SmileyChooser.html?"; nocase; http_uri; content:"v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002305; classtype:pup-activity; sid:2002305; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Spambot HTTP Checkin"; flow:established,to_server; content:"os="; http_uri; content:"&user="; http_uri; content:"&status="; http_uri; content:"&uptime="; http_uri; content:"&cmd="; http_uri; reference:url,doc.emergingthreats.net/2008261; classtype:command-and-control; sid:2008261; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products Smileychooser Spyware"; flow: to_server,established; content:"/SmileyChooser.html?"; nocase; http_uri; content:"v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002310; classtype:pup-activity; sid:2002310; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unnamed Generic.Malware http get"; flow:established,to_server; content:"/ww20/script.php?id="; nocase; http_uri; content:"&config="; nocase; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2003431; classtype:trojan-activity; sid:2003431; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products Cursorchooser Spyware"; flow: to_server,established; content:"/CursorChooser.html?"; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002306; classtype:pup-activity; sid:2002306; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Trojan Checkin (double Content-Type headers)"; flow:to_server,established; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"Content-Type|3a| text/html"; http_header; content:"Content-type|3a| image/gif"; http_header; reference:url,doc.emergingthreats.net/2010282; classtype:command-and-control; sid:2010282; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products SmileyCentral IEsp2 Install"; flow: to_server,established; content:"/download/install_ie_sp2.jhtml?"; nocase; http_uri; content:"product="; nocase; http_uri; content:"utmCall="; nocase; http_uri; content:"bOrganic="; nocase; http_uri; reference:url,www.myfuncards.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003151; classtype:pup-activity; sid:2003151; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gimmiv.A.dll Infection"; flow: to_server,established; content:"/test"; http_uri; content:".php"; http_uri; content:"?abc="; http_uri; content:"?def="; http_uri; reference:url,www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin32%2fGimmiv.A; reference:url,doc.emergingthreats.net/2008689; classtype:trojan-activity; sid:2008689; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gamehouse.com Activity"; flow: to_server,established; content:"/game-quit-count.jsp?ghgamecode="; http_uri; reference:url,www.gamehouse.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003348; classtype:pup-activity; sid:2003348; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Glacial Dracon C&C Communication"; flow:established,to_server; content:"?id="; nocase; http_uri; content:"&ve="; nocase; http_uri; content:"&h="; nocase; http_uri; content:"&c[]="; nocase; depth:5; http_client_body; content:"&t[]="; nocase; http_client_body; content:"&u[]="; nocase; http_client_body; content:"&d[]="; nocase; http_client_body; content:"&p[]="; nocase; http_client_body; reference:md5,fd3d061ee86987e8f3f245c2dc0ceb46; reference:md5,912692cb4e3f960c9cb4bbc96fa17c9d; reference:url,doc.emergingthreats.net/2010163; classtype:command-and-control; sid:2010163; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gator Cookie"; flow: to_server,established; content:"webpdpcookie"; content:".gator.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000025; classtype:pup-activity; sid:2000025; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Bobax trojan infection"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/reg|3f|u="; http_uri; content:"|26|v="; http_uri; reference:url,www.lurhq.com/bobax.html; reference:url,doc.emergingthreats.net/2001901; classtype:trojan-activity; sid:2001901; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gator New Code Download"; flow: to_server,established; content:"/gatorcme/"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000597; classtype:pup-activity; sid:2000597; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX EdrawSoft Office Viewer Component ActiveX FtpUploadFile Stack Buffer Overflow"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"F6FE8878-54D2-4333-B9F0-FC543B1BE1ED"; nocase; distance:0; content:"FtpUploadFile"; nocase; reference:url,packetstormsecurity.org/files/109298/EdrawSoft-Office-Viewer-Component-ActiveX-5.6-Buffer-Overflow.html; classtype:attempted-user; sid:2014390; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP shell browser vulnerability W9x/XP"; flow: from_server,established; content:"shell|3a|windows"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000519; classtype:pup-activity; sid:2000519; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX EdrawSoft Office Viewer Component ActiveX FtpUploadFile Format String Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"OfficeViewer.OfficeViewer"; nocase; distance:0; content:"FtpUploadFile"; nocase; reference:url,packetstormsecurity.org/files/109298/EdrawSoft-Office-Viewer-Component-ActiveX-5.6-Buffer-Overflow.html; classtype:attempted-user; sid:2014391; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP shell browser vulnerability NT/2K"; flow: from_server,established; content:"shell|3a|winnt"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000520; classtype:pup-activity; sid:2000520; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit kit download payload likely Hiloti Gozi FakeAV etc"; flow:to_server,established; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"/eH"; http_uri; fast_pattern; pcre:"/\/[a-z0-9]+\.[a-z0-9]{2,4}\/eH[a-z0-9]{60,}$/Ui"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FHiloti.gen%21D; reference:url,doc.emergingthreats.net/2011103; classtype:exploit-kit; sid:2011103; rev:10; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GlobalPhon.com Dialer"; flow: to_server,established; content:"Host|3a| www.globalphon.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001656; classtype:pup-activity; sid:2001656; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit kit attack activity likely hostile"; flow:to_server,established; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"/oH"; http_uri; fast_pattern; pcre:"/\/[a-z0-9]+\.[a-z0-9]{2,4}\/oH[a-z0-9]{60,}$/Ui"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FHiloti.gen%21D; reference:url,doc.emergingthreats.net/2011104; classtype:exploit-kit; sid:2011104; rev:10; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GlobalPhon.com Dialer Download"; flow: to_server,established; content:"/dialer/internazionale_ver"; nocase; http_uri; content:".CAB"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001657; classtype:pup-activity; sid:2001657; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hitpop Checkin"; flow:established,to_server; content:"/stat.htm?id="; nocase; http_uri; content:"&agt="; nocase; http_uri; content:"&r=http"; http_uri; nocase; content:"&OS="; nocase; http_uri; content:"&ntime="; nocase; http_uri; content:"&rtime="; nocase; http_uri; reference:url,atlas-public.ec2.arbor.net/docs/Hitpop_DDoS_Malware_Analysis_PUBLIC.pdf; reference:url,doc.emergingthreats.net/2008275; classtype:command-and-control; sid:2008275; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GlobalPhon.com Dialer (add_ocx)"; flow: to_server,established; content:"/add_ocx.asp?"; nocase; http_uri; content: "id="; nocase; http_uri; content:"globalphon.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001660; classtype:pup-activity; sid:2001660; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon User Agent Detected (SykO)"; flow:established,to_server; content:"User-Agent|3a| SykO"; http_header; nocase; reference:url,doc.emergingthreats.net/2003649; classtype:trojan-activity; sid:2003649; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GrandstreetInteractive.com Install"; flow: to_server,established; content:"/tdtb.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002012; classtype:pup-activity; sid:2002012; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon User Agent Detected (IE_7.0)"; flow:established,to_server; content:"User-Agent|3a| IE_7.0"; http_header; nocase; reference:url,doc.emergingthreats.net/2003932; classtype:trojan-activity; sid:2003932; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GrandstreetInteractive.com Update"; flow: to_server,established; content:"/wupdsnff.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002013; classtype:pup-activity; sid:2002013; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KillAV/Dropper/Mdrop/Hupigon - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".asp?mac="; nocase; http_uri; content:"&xxx="; nocase; http_uri; content:"User-Agent|3a| baidu|0d 0a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2009811; classtype:trojan-activity; sid:2009811; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP host-domain-lookup.com spyware related Checkin"; flow:established,to_server; content:"?udata="; http_uri; content:"mission_supgrade|3a|"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007749; classtype:pup-activity; sid:2007749; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Inject.BV Trojan User Agent Detected (faserx)"; flow:established,to_server; content:"User-Agent|3a| faser"; http_header; nocase; reference:url,doc.emergingthreats.net/2003637; classtype:trojan-activity; sid:2003637; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Install (2)"; flow: to_server,established; content:"/install/process/upsale/hotbar"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000921; classtype:pup-activity; sid:2000921; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Insidebar.co.kr Related Infection Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"e=inside&s="; http_client_body; content:"&ver="; http_client_body; content:"&p="; http_client_body; reference:url,doc.emergingthreats.net/2008760; classtype:command-and-control; sid:2008760; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Install (3)"; flow: to_server,established; content:"/installs/hotbar/programs/"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000922; classtype:pup-activity; sid:2000922; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Klom.A Connecting to Controller"; flow:established,to_server; content:"/s_13_0?m="; nocase; http_uri; content:"r="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,www.bitdefender.com/VIRUS-1000126-en--Trojan.Klom.A.html; reference:url,doc.emergingthreats.net/2003538; classtype:trojan-activity; sid:2003538; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Reporting Information"; flow: to_server,established; content:"POST"; nocase; http_method; content:"/reports/hotbar/"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000923; classtype:pup-activity; sid:2000923; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Knockbot Proxy Response From Controller"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|file|7c|http"; depth:250; nocase; content:"|7c|"; within:150; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; reference:url,doc.emergingthreats.net/2010787; classtype:trojan-activity; sid:2010787; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Upgrading"; flow: to_server,established; content:"/updates/hotbar/"; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000924; classtype:pup-activity; sid:2000924; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Koblu"; flow:established,to_server; content:"GET"; nocase; http_method; content:"sid="; nocase; http_uri; content:"&sa="; nocase; http_uri; content: "&p="; http_uri; content:"&q=cards&rf="; http_uri; content:"&enc="; http_uri; content:"&enk=&xsc=&xsp=&xsm="; http_uri; reference:url,doc.emergingthreats.net/2010230; classtype:trojan-activity; sid:2010230; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Activity"; flow: to_server,established; content:"/dynamic/hotbar/"; nocase; http_uri; threshold: type limit, count 1, track by_src, seconds 360; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000929; classtype:pup-activity; sid:2000929; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Koobface fetch C&C command detected"; flow:established, to_server; content:".php"; nocase; http_uri; content:"f=0&a="; fast_pattern; content:"&v="; content:"&c="; content:"&s="; content:"&l="; content:"&ck="; content:"&c_fb="; content:"&c_ms="; content:"&c_hi="; content:"&c_be="; content:"&c_fr="; content:"&c_yb="; content:"&c_tg="; content:"&c_nl="; content:"&c_fu="; reference:url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf; reference:url,doc.emergingthreats.net/2010153; classtype:command-and-control; sid:2010153; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Adopt/Zango"; flow: to_server,established; content:"/adopt.jsp?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"&sz="; nocase; http_uri; content:"cid="; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003364; classtype:pup-activity; sid:2003364; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Korklic.A"; flow:to_server,established; content:"GET"; nocase; http_method; content:"mode=boot&MyValue="; http_uri; content:"&code="; http_uri; pcre:"/MyValue=[a-f0-9]{2}\:[a-f0-9]{2}\:[a-f0-9]{2}\:[a-f0-9]{2}\:/Ui"; reference:url,doc.emergingthreats.net/2009003; classtype:trojan-activity; sid:2009003; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar.com Related Spyware Install Report"; flow:established,to_server; content:"/ciconfig.aspx?did="; http_uri; content:"&brandid="; http_uri; content:"&os="; http_uri; content:"&pkg_ver="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008917; classtype:pup-activity; sid:2008917; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Lager Trojan Reporting Spam"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/sp/post.php"; nocase; http_uri; content:"data="; depth:400; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003190; classtype:trojan-activity; sid:2003190; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP IEHelp.net Spyware Installer"; flow:established,to_server; content:"/counter/help.chm"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002090; classtype:pup-activity; sid:2002090; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET 1025:5000 (msg:"ET MALWARE Possible Web-based DDoS-command being issued"; flow: established,from_server; content: "Server|3a| nginx/0."; offset: 17; depth: 19; content: "Content-Type|3a| text/html"; content:"|3a|80|3b|255.255.255.255"; fast_pattern; reference:url,doc.emergingthreats.net/2003296; classtype:trojan-activity; sid:2003296; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP IEHelp.net Spyware checkin"; flow:established,to_server; content:"/l/gpr.php?"; nocase; http_uri; content: "ID1="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002096; classtype:pup-activity; sid:2002096; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MBR Trojan (Sinowal/Mebroot/) Phoning Home"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ld/mat"; nocase; http_uri; content:".php"; nocase; http_uri; content:"id="; http_client_body; depth:3; content:"&hit="; http_client_body; reference:url,doc.emergingthreats.net/2007747; classtype:trojan-activity; sid:2007747; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GlobalPhon.com Dialer (no_pop)"; flow: to_server,established; content:"/no_pop.asp?"; nocase; http_uri; content: "id="; nocase; http_uri; content:"globalphon.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001659; classtype:pup-activity; sid:2001659; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mcboo.com/Bundlext.com related Trojan Checkin URL"; flow:established,to_server; content:"/ack.php?version="; http_uri; content:"&uid="; http_uri; content:"&status="; http_uri; reference:url,doc.emergingthreats.net/2008758; classtype:command-and-control; sid:2008758; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ISearchTech.com XXXPornToolbar Reporting"; flow: to_server,established; content:"/ist/scripts/log_downloads.php"; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000927; classtype:pup-activity; sid:2000927; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MEREDROP/micr0s0fts.cn Related Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/update.asp"; http_uri; content:"ver="; http_client_body; depth:4; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; http_client_body; reference:url,doc.emergingthreats.net/2008891; classtype:command-and-control; sid:2008891; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ISearchTech.com XXXPornToolbar Activity (1)"; flow: to_server,established; content:"/ist/bars/"; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000928; classtype:pup-activity; sid:2000928; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Metajuan trojan checkin"; flow:established,to_server; content:"trafc-2/rfe"; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-030112-0714-99; reference:url,doc.emergingthreats.net/2007811; classtype:command-and-control; sid:2007811; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Incredisearch.com Spyware Ping"; flow: established,to_server; content:"/ping.asp"; nocase; http_uri; content:"incredisearch.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001793; classtype:pup-activity; sid:2001793; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.MisleadApp Fake Security Product Install"; flow:established,to_server; content:"GET"; nocase; http_method; content:"hash?http"; nocase; http_uri; pcre:"/\/(ucleaner|udefender|ufixer)\.com\/demo\.php\?/Ui"; reference:url,doc.emergingthreats.net/2007566; classtype:trojan-activity; sid:2007566; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Incredisearch.com Spyware Activity"; flow: established,to_server; content:"Host|3a| www.incredisearch.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001794; classtype:pup-activity; sid:2001794; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Monkif Downloader Checkin"; flow:to_server,established; content:"/cgi/"; http_uri; content:".php?"; nocase; http_uri; content:"x640<x"; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fMonkif.C; reference:url,doc.emergingthreats.net/2009126; classtype:command-and-control; sid:2009126; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Instafinder.com spyware"; flow: established,to_server; content:"/404/update/instafi"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003376; classtype:pup-activity; sid:2003376; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nanspy Bot Checkin"; flow:established,to_server; content:"HEAD"; nocase; http_method; content:"/bbcount.php?action="; http_uri; content:"&uid="; http_uri; content:"&locale="; http_uri; content:"&build="; http_uri; reference:url,doc.emergingthreats.net/2010158; classtype:command-and-control; sid:2010158; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet Fuel.com Install"; flow: to_server,established; content:"/cgi-bin/omnidirect.cgi?&debug_log="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002015; classtype:pup-activity; sid:2002015; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Navipromo related update"; flow:established,to_client; content:"|0d 0a|Server|3a| lighttpd|0d 0a 0d 0a|<HTML><CFG>_SYSTEM_DIR_"; reference:url,doc.emergingthreats.net/2009694; classtype:trojan-activity; sid:2009694; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet Optomizer Reporting Data"; flow: to_server,established; content:"/io/downloads/"; nocase; http_uri; content:"/wsi8/optimize"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001308; classtype:pup-activity; sid:2001308; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nine Ball Infection ya.ru Post"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/gate/"; http_uri; content:".php"; http_uri; content:"|0d 0a 0d 0a|"; content:"ya.ru/"; distance:67; within:6; reference:url,www.martinsecurity.net/page/3; reference:url,doc.emergingthreats.net/2011186; classtype:trojan-activity; sid:2011186; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP jmnad1.com Spyware Install (1)"; flow: to_server,established; content:"/install.qg?"; nocase; http_uri; content: "ID="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002019; reference:url,wilderssecurity.com/threads/hijack-this-log-sandoxer-jmnad1.42146/; classtype:pup-activity; sid:2002019; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NoBo Downloader Dropper GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| NoBo"; http_header; reference:url,www.spynomore.com/trojan-nobo-v1-3.htm; reference:url,doc.emergingthreats.net/2009443; classtype:trojan-activity; sid:2009443; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP jmnad1.com Spyware Install (2)"; flow: to_server,established; content:"/download/mw_4s_stub.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002016; classtype:pup-activity; sid:2002016; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Obitel trojan calling home"; flow:established,to_server; content:"/gate.php?hash="; http_uri; content:"/gate.php?hash="; content:" HTTP/1."; distance:8; within:16; reference:url,www.abuse.ch/?p=143; reference:url,doc.emergingthreats.net/2008405; classtype:trojan-activity; sid:2008405; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar.com Related Spyware Activity Report"; flow:established,to_server; content:"/trackedevent.aspx?eid="; http_uri; content:"&brand="; http_uri; content:"&os="; http_uri; content:"&mt="; http_uri; content:"&pkg_ver="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008918; classtype:pup-activity; sid:2008918; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Oficla Russian Malware Bundle C&C instruction response with runurl"; flow:established,to_client; content:"|0d 0a 0d 0a|[info]runurl|3a|"; content:"|7c|taskid|3a|"; within:100; content:"|7c|delay|3a|"; within:30; content:"|7c|upd|3a|"; within:20; content:"[/info]"; distance:0; reference:url,malwarelab.org/2009/11/russian-malware-bundle/; reference:url,doc.emergingthreats.net/2010723; classtype:command-and-control; sid:2010723; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Malicious Applet Access (justexploit kit)"; flow:to_server,established; content:"/sdfg.jar"; http_uri; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3570.0; reference:url,doc.emergingthreats.net/2010438; classtype:exploit-kit; sid:2010438; rev:6; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Oficla Russian Malware Bundle C&C instruction response"; flow:established,to_client; content:"|0d 0a 0d 0a|[info]kill|3a|"; content:"|7c|delay|3a|"; within:50; content:"|7c|upd|3a|"; within:20; content:"[/info]"; distance:0; reference:url,malwarelab.org/2009/11/russian-malware-bundle/; reference:url,doc.emergingthreats.net/2010724; classtype:command-and-control; sid:2010724; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Thespyguard.com Spyware Install"; flow:established,to_server; content:"/soft/installers/spyguardf.php"; nocase; http_uri; reference:url,www.thespyguard.com; reference:url,www.kliksoftware.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003201; classtype:pup-activity; sid:2003201; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Oficla Russian Malware Bundle C&C instruction response (2)"; flow:established,to_client; content:"|0d 0a 0d 0a|[info]delay|3a|"; content:"|7c|upd|3a|"; within:20; content:"[/info]"; distance:0; reference:url,malwarelab.org/2009/11/russian-malware-bundle/; reference:url,doc.emergingthreats.net/2010744; classtype:command-and-control; sid:2010744; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hitvirus Fake AV Install"; flow:established,to_server; content:"/soft/installers/hitvirusf.php"; nocase; http_uri; content:"get.hitvirus.com"; nocase; http_header; reference:url,www.kliksoftware.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003203; classtype:pup-activity; sid:2003203; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE onmuz.com Infection Activity"; flow:established,to_server; content:"pid=patchup_notpid_update^on"; http_uri; content:"/logonmuz"; http_uri; reference:url,doc.emergingthreats.net/2008973; classtype:trojan-activity; sid:2008973; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Thespyguard.com Spyware Updating"; flow:established,to_server; content:"/soft/update/get.php"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"mail="; nocase; http_uri; content:"Host|3a| www.kliksoftware.com"; nocase; http_header; reference:url,www.kliksoftware.com; reference:url,www.thespyguard.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003204; classtype:pup-activity; sid:2003204; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Opachki Link Hijacker Traffic Redirection"; flow:established,to_server; content:"/?do=rphp"; nocase; http_uri; content:"&sub="; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&q="; nocase; http_uri; content:"&orig="; nocase; http_uri; reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2; reference:url,doc.emergingthreats.net/2010224; classtype:trojan-activity; sid:2010224; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP KMIP.net Spyware"; flow:established,to_server; content:"/iesocks?peer_id="; nocase; http_uri; content:"ver="; nocase; http_uri; reference:url,www.kmip.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003298; classtype:pup-activity; sid:2003298; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Prg Trojan HTTP POST v1"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?2="; http_uri; content:"&n="; http_uri; content:"&v="; http_uri; content:"&i="; http_uri; content:"&sp="; http_uri; content:"&lcp="; http_uri; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2007688; classtype:trojan-activity; sid:2007688; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP KMIP.net Spyware 2"; flow:established,to_server; content:"/sp?c=N&i="; nocase; http_uri; content:"&v="; nocase; http_uri; reference:url,www.kmip.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003526; classtype:pup-activity; sid:2003526; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?1="; http_uri; content:"&i="; http_uri; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9_]+&i=/Ui"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2007724; classtype:trojan-activity; sid:2007724; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Kwsearchguide.com Related Spyware Checkin"; flow:established,to_server; content:"/statics.php?maddr="; nocase; http_uri; content:"&ipaddr="; nocase; http_uri; content:"&ovt="; nocase; http_uri; content:"&verno="; nocase; http_uri; content:"&action="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008067; classtype:pup-activity; sid:2008067; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 82 (msg:"ET MALWARE LD Pinch Checkin (HTTP POST on port 82)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; content:"a="; content:"&b="; content:"&d="; content:"&c="; nocase; reference:url,doc.emergingthreats.net/2008366; classtype:command-and-control; sid:2008366; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Kwsearchguide.com Related Spyware Keepalive"; flow:established,to_server; content:"/alive.php?ovt=new_link"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008069; classtype:pup-activity; sid:2008069; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-PWS.Win32.VB.tr Checkin Detected"; flow:established,to_server; content:"POST"; nocase; http_method; content:".asp"; http_uri; content:"id="; content:"&tit="; content:"&comm"; content:"Run|2B|Successfully"; fast_pattern; reference:url,doc.emergingthreats.net/2008506; classtype:command-and-control; sid:2008506; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LocalNRD Spyware Checkin"; flow: to_server,established; content:"/a/Drk.syn?"; nocase; http_uri; content: "adcontext"; nocase; http_uri; reference:url,www.localnrd.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; classtype:pup-activity; sid:2001340; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Generic PSW Agent server reply"; flow:from_server,established; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"|0d 0a|[Uptade]|0d 0a|Web="; content:"|0d 0a|[Guncellestirme]|0d 0a|Version="; within:100; reference:url,doc.emergingthreats.net/2008662; classtype:trojan-activity; sid:2008662; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malwarealarm.com Fake AV/AntiSpyware Updating"; flow:established,to_server; content:"/update.php?v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&vs="; nocase; http_uri; content:"Host|3a| www.MalwareAlarm.com"; nocase; http_header; reference:url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003611; classtype:pup-activity; sid:2003611; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PassSickle Reporting User Activity"; flow:established,to_server; content:".php?id="; nocase; http_uri; content:"&data="; nocase; http_uri; content:"PassSickle"; http_header; nocase; pcre:"/^User-Agent\:[^\n]+PassSickle/Hmi"; reference:url,doc.emergingthreats.net/2002859; classtype:trojan-activity; sid:2002859; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp any any -> $HOME_NET 3389 (msg:"ET EXPLOIT Microsoft RDP Server targetParams Exploit Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|7f 65 82 01 94|"; distance:24; within:5; content:"|30 19|"; distance:9; within:2; byte_test:1,<,6,3,relative; reference:url,msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; classtype:attempted-admin; sid:2014383; rev:2; metadata:created_at 2012_03_13, updated_at 2012_03_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pasta Downloader - GET Checkin to Fake GIF"; flow:established,to_server; content:"GET"; nocase; http_method; content:".gif?"; content:!"c.gif?"; nocase; http_uri; content:!"__utm.gif?"; http_uri; nocase; http_uri; content:"t="; nocase; http_uri; content:"q="; nocase; http_uri; content:"p="; nocase; http_uri; content:"pn="; nocase; http_uri; reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; reference:url,doc.emergingthreats.net/2009522; classtype:command-and-control; sid:2009522; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malwarealarm.com Fake AV/AntiSpyware Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/madownload.php?&advid="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"Host|3a| download.MalwareAlarm.com"; nocase; http_header; reference:url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003612; classtype:pup-activity; sid:2003612; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Personal Defender 2009 - prinimalka.py"; flow:established,to_server; content:"/prinimalka.py"; http_uri; reference:url,malwarebytes.besttechie.net/2008/11/03/removal-instructions-for-personal-defender-2009/; reference:url,doc.emergingthreats.net/2009405; classtype:trojan-activity; sid:2009405; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Configuration Access"; flow: to_server,established; content:"/oss/remoteconfig.asp"; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000902; classtype:pup-activity; sid:2000902; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Personal Defender 2009 - trash.py"; flow:established,to_server; content:"/trash.py"; http_uri; reference:url,malwarebytes.besttechie.net/2008/11/03/removal-instructions-for-personal-defender-2009/; reference:url,doc.emergingthreats.net/2009406; classtype:trojan-activity; sid:2009406; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Access"; flow: to_server,established; content:"proxyhttp|0b|marketscore|03|com"; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001359; classtype:pup-activity; sid:2001359; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit VBscript download"; flow:established,to_client; content:"Createobject(StrReverse("; nocase; content:"|22|tcejbOmetsySeliF.gnitpircS|22|))"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,doc.emergingthreats.net/2011184; classtype:exploit-kit; sid:2011184; rev:4; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore Spyware Uploading Data"; flow: to_server,established; content:"/scripts/contentidpost.dll"; nocase; http_uri; content:"OSS-Proxy"; nocase; http_header; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003253; classtype:pup-activity; sid:2003253; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Piptea.a Related Trojan Checkin (3)"; flow:established,to_server; content:"/cd/un.php?id="; http_uri; content:"&ver="; http_uri; pcre:"/\/cd\/un\.php.id=[A-F0-9\-]+&ver=/U"; reference:url,doc.emergingthreats.net/2008384; classtype:command-and-control; sid:2008384; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Upgrading"; flow: to_server,established; content:"/oss/upgrchk_2a.asp"; nocase; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001587; classtype:pup-activity; sid:2001587; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pointfree.co.kr Trojan/Spyware Infection Checkin"; flow:established,to_server; content:"log.php?mac="; http_uri; content:"&hdd="; content:"&ver="; http_uri; content:"&ie="; http_uri; content:"&win="; http_uri; reference:url,doc.emergingthreats.net/2008972; classtype:command-and-control; sid:2008972; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Activity (1)"; flow: to_server,established; content:"/oss/dittorules.asp"; nocase; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001588; classtype:pup-activity; sid:2001588; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxy.Win32.Agent.mx CnC Beacon"; flow:established,to_server; content:"q.php"; nocase; http_uri; content:"&m="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&x="; nocase; http_uri; content:"&i="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006405; classtype:command-and-control; sid:2006405; rev:4; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2010_07_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Activity (2)"; flow: to_server,established; content:"/oss/routerrules2.asp"; nocase; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001589; classtype:pup-activity; sid:2001589; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pushdo Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"m="; http_uri; content:"&a="; http_uri; content:"&os="; http_uri; pcre:"/&os=[a-f0-9]{50}/U"; reference:url,doc.emergingthreats.net/2008493; classtype:command-and-control; sid:2008493; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MediaTickets Spyware Install"; flow: to_server,established; content:"/mtrslib2.js"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001481; classtype:pup-activity; sid:2001481; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Qhosts Trojan Check-in"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"UserID="; http_client_body; content:"&wv="; http_client_body; content:"&res="; http_client_body; content:"&lng="; http_client_body; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-100116-5901-99; reference:url,doc.emergingthreats.net/2009517; classtype:trojan-activity; sid:2009517; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Medialoads.com Spyware Config"; flow: to_server,established; content:"/dw/cgi/download.cgi?"; nocase; http_uri; content:"sn="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001503; classtype:pup-activity; sid:2001503; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rcash.co.kr Bootup Checkin via HTTP"; flow:established,to_server; content:"/install/Boot.asp?macaddr="; nocase; http_uri; content:"&partner="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007807; classtype:command-and-control; sid:2007807; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Medialoads.com Spyware Reporting (register.cgi)"; flow: to_server,established; content:"/dw/cgi/register.cgi?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001509; classtype:pup-activity; sid:2001509; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Renos/ssd.com HTTP Checkin"; flow:established,to_server; content:"/dlp.php?"; nocase; http_uri; content:"&m="; nocase; http_uri; content:"&ydf="; nocase; http_uri; content:"&e="; nocase; http_uri; content:"&w=___"; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&apzx="; nocase; http_uri; content:"&apz="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007834; classtype:command-and-control; sid:2007834; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Medialoads.com Spyware Identifying Country of Origin"; flow: to_server,established; content:"/dw/cgi/country.cgi"; nocase; http_uri; content:"User-Agent|3a|"; nocase; http_header; content:"NSISDL"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001507; classtype:pup-activity; sid:2001507; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RhiFrem Trojan Activity - cmd"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?mod=cmd&user="; http_uri; content:"User-Agent|3A|  Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2"; http_header; pcre:"/^GET\x20[^\x0D\x0A]+\x3Fmod\x3Dcmd\x26user\x3D\w+[^\x0D\x0A]*\x20HTTP\x2F1\x2E0\x0D\x0A.*\x0D\x0AHost\x3A\x20\w+/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; reference:url,doc.emergingthreats.net/2008139; classtype:trojan-activity; sid:2008139; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Metarewards Spyware Activity"; flow: to_server,established; content:"Host|3a| www.metareward.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001666; classtype:pup-activity; sid:2001666; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RhiFrem Trojan Activity - log"; flow:to_server,established; content:"POST"; nocase; http_method; content:"?mod=log&user="; fast_pattern; http_uri; content:"User-Agent|3A| Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2"; http_header; pcre:"/^POST\x20[^\x0D\x0A]+\x3Fmod\x3Dlog\x26user\x3D\w+[^\x0D\x0A]*\x20HTTP\x2F1\x2E0\x0D\x0A.*\x0D\x0AHost\x3A\x20\w+.*\x0D\x0A\x0D\x0Acurr\x3D.*\x26next\x3D/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; reference:url,doc.emergingthreats.net/2008140; classtype:trojan-activity; sid:2008140; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Microgaming.com Spyware Installation (dlhelper)"; flow: established,to_server; content:"/dlhelper.cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001641; classtype:pup-activity; sid:2001641; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake AV CnC Checkin cycle_report"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/cycle_report.cgi?type=g"; nocase; http_uri; reference:md5,fa078834dd3b4c6604d12823a6f9f17e; classtype:command-and-control; sid:2011820; rev:3; metadata:created_at 2010_10_15, former_category MALWARE, updated_at 2010_10_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Microgaming.com Spyware Installation (2)"; flow: established,to_server; content:"/DownloadHNew.asp?"; nocase; http_uri; content:"btag="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001643; classtype:pup-activity; sid:2001643; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Comotor.A!dll Reporting 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/cy/dl.php"; nocase; http_uri; content:"id="; http_uri; nocase; reference:md5,5e1c680e70e423dd02e31ab9d689e40b; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FComotor.A!dll&ThreatID=-2147346593; classtype:trojan-activity; sid:2011849; rev:4; metadata:created_at 2010_10_25, updated_at 2010_10_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Microgaming.com Spyware Reporting Installation"; flow: established,to_server; content:"/dlhelper/downloadlogger2.asp?"; nocase; http_uri; content:"time="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001644; classtype:pup-activity; sid:2001644; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Hostile HTTP Header GET structure"; flow:established,to_server; content:"GET"; nocase; http_method; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|"; fast_pattern; content:".php"; nocase; http_uri; content:"|0d 0a|Host|3a 20|"; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|"; distance:0; content:!"|0d 0a|Host|3a| update.nai.com"; distance:0; content:!"|0d 0a|Host|3a 20|toolbarqueries.google."; http_header; content:!".ceipmsn.com|0d 0a|Pragma|3a 20|"; http_header; content:!"Host|3a| stats.mbamupdates.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2011858; rev:12; metadata:created_at 2010_10_27, updated_at 2010_10_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Microgaming.com Spyware Casino App Install"; flow: established,to_server; content:"/viper/thunderluck/00"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001645; classtype:pup-activity; sid:2001645; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Feodo Banking Trojan Account Details Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"AccountSummary"; nocase; fast_pattern; content:"userid|3A|"; nocase; distance:0; content:"password|3A|"; nocase; distance:0; content:"screenid|3A|"; nocase; distance:0; content:"origination|3A|"; nocase; distance:0; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html#more; classtype:trojan-activity; sid:2011862; rev:4; metadata:created_at 2010_10_28, updated_at 2010_10_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mindset Interactive Install (1)"; flow: to_server,established; content:"/mindset5/data"; nocase; http_uri; reference:url,www.mindsetinteractive.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000583; classtype:pup-activity; sid:2000583; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Krap.ar Infection URL Request"; flow:established,to_server; content:"type="; http_uri; nocase; content:"email="; http_uri; nocase; content:"hwinfo="; http_uri; nocase; reference:md5,df29b9866397fd311a5259c5d4bc00dd; classtype:trojan-activity; sid:2012076; rev:2; metadata:created_at 2010_12_18, updated_at 2010_12_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mindset Interactive Install (2)"; flow: to_server,established; content:"/mindset/data"; nocase; http_uri; reference:url,www.mindsetinteractive.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000584; classtype:pup-activity; sid:2000584; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BackDoor-DRV.gen.c Reporting-2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/zok.php?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"url="; nocase; http_uri; content:"sid="; nocase; http_uri; content:"tm="; nocase; http_uri; content:"hlto="; http_uri; nocase; reference:md5,d5ff6df296c068fcc0ddd303984fa6b9; classtype:trojan-activity; sid:2012114; rev:3; metadata:created_at 2010_12_30, former_category MALWARE, updated_at 2010_12_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mirarsearch.com Spyware Posting Data"; flow:established,to_server; content:"/v70match.cgi?"; nocase; http_uri; content:"key1="; nocase; http_uri; content:"&key2="; nocase; http_uri; content:"&match="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003577; classtype:pup-activity; sid:2003577; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Storm/Waledac 3.0 Checkin 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:".htm"; http_uri; content:"Host|3a| "; http_header; content:"Content-Length|3a| "; http_header; content:".htm HTTP/1.1"; pcre:"/Host\x3a [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/"; pcre:"/Content-Length\x3a [1-9]/"; classtype:command-and-control; sid:2012137; rev:5; metadata:created_at 2011_01_05, former_category MALWARE, updated_at 2011_01_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware-Mirar Reporting (BAR)"; flow:to_server,established; content:"download.cgi?BUILDNAME="; nocase; http_uri; content:"&AFFILIATE="; http_uri; content:"&ID="; http_uri; content:"&ERROR=0"; http_uri; content:"User-Agent|3a| BAR"; http_header; reference:url,doc.emergingthreats.net/2009234; classtype:pup-activity; sid:2009234; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy Banker Outbound Communication Attempt"; flow:established,to_server; content:"praquem="; nocase; content:"titulo="; distance:0; nocase; content:"Dir+System32"; nocase; distance:0; reference:md5,58b3c37b61d27cdc0a55321f4c12ef04; classtype:trojan-activity; sid:2012225; rev:4; metadata:created_at 2011_01_24, updated_at 2011_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP My-Stats.com Spyware Checkin"; flow: established,to_server; content:"/ad-partner/SelectConfirm.php?"; nocase; http_uri; content:"dummy="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001747; classtype:pup-activity; sid:2001747; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Banbra Banking Trojan Communication"; flow:established,to_server; content:"para="; nocase; content:"titulo="; nocase; distance:0; content:"mensagem="; nocase; distance:0; reference:md5,7ce03717d6879444d8e45b7cf6470c67; classtype:trojan-activity; sid:2012226; rev:4; metadata:created_at 2011_01_24, updated_at 2011_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sears.com/Kmart.com My SHC Community spyware download"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/CSetup_xp.cab"; http_uri; reference:url,community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx; reference:url,www.benedelman.org/news/010108-1.html; reference:url,doc.emergingthreats.net/bin/view/Main/2007996; classtype:pup-activity; sid:2007996; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon.AZG Checkin"; flow:established,to_server; content:"GET"; http_method; nocase; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; http_header; nocase; content:"eve="; nocase; http_uri; content:"username="; nocase; http_uri; content:"anma="; nocase; http_uri; content:"ver="; nocase; http_uri; reference:url,www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143511&sind=0; reference:url,vil.nai.com/vil/content/v_145056.htm; reference:url,doc.emergingthreats.net/2008515; classtype:command-and-control; sid:2008515; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MySideSearch.com Spyware Install"; flow:established,to_server; content:".php?aff=mysidesearch&act=install"; http_uri; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008915; classtype:pup-activity; sid:2008915; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Unknown Web Backdoor Keep-Alive"; flow:established,to_server; urilen:13; content:"POST"; http_method; nocase; content:"/bbs/info.asp"; http_uri; classtype:trojan-activity; sid:2012250; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyWebSearch Toolbar Receiving Configuration"; flow: to_server,established; content:"/speedbar/mySpeedbarCfg"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000600; classtype:pup-activity; sid:2000600; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan/Win32.CodecPack Reporting"; flow:to_server,established; content:"GET"; nocase; http_method; content:"ADTECH|3b|"; http_uri; content:"loc=100|3b|"; http_uri; content:"target=_blank|3b|"; http_uri; content:"grp|3d 5b|group|5d 3b|"; http_uri; content:"misc="; classtype:trojan-activity; sid:2012285; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyWebSearch Toolbar Receiving Config 2"; flow: to_server,established; content:"/mySpeedbarCfg2.jsp"; nocase; http_uri; content:"MyWebSearch"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003222; classtype:pup-activity; sid:2003222; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32 Troxen Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/report3.ashx?"; http_uri; nocase; content:"m="; nocase; http_uri; content:"mid="; nocase; http_uri; content:"d="; nocase; http_uri; content:"uid="; http_uri; nocase; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32/Troxen!rts; reference:md5,664a5147e6258f10893c3fd375f16ce4; classtype:trojan-activity; sid:2012289; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyWebSearch Toolbar Posting Activity Report"; flow:to_server,established; content:"/jsp/cfg_redir2.jsp?id="; nocase; http_uri; content:"url=http"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003617; classtype:pup-activity; sid:2003617; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy.Win32.Agent.bijs Reporting 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app/count/inst.php?"; http_uri; nocase; content:"ucode="; nocase; http_uri; content:"pcode="; http_uri; nocase; reference:md5,846ac24b003c6d468a833bff58db5f5c; classtype:trojan-activity; sid:2012290; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP New.net Spyware updating"; flow:established,to_server; content:"/download/NewDotNet/"; nocase; http_uri; content:"/upgrade.cab?"; nocase; http_uri; content:"upg="; nocase; http_uri; content:"ec="; nocase; http_uri; reference:url,www.new.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003240; classtype:pup-activity; sid:2003240; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy.Win32.Agent.bijs Reporting 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app/count/boot.php?"; nocase; http_uri; content:"ucode="; nocase; http_uri; content:"pcode="; nocase; http_uri; reference:md5,846ac24b003c6d468a833bff58db5f5c; classtype:trojan-activity; sid:2012288; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Malware Related Numerical .co Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|00|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02co\x00/i"; reference:url,sign.kaffenews.com/?p=104; reference:url,www.isc.sans.org/diary.html?storyid=10165; classtype:bad-unknown; sid:2012144; rev:3; metadata:created_at 2011_01_05, updated_at 2011_01_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA Sunway ForceControl Activex Control Remote Code Execution Vulnerability 2"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"3310FA24-A027-47B3-8C49-1091077317E9"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3310FA24-A027-47B3-8C49-1091077317E9/si"; reference:bugtraq,49747; classtype:attempted-user; sid:2013736; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Probable Scalaxy exploit kit secondary request"; flow:established,to_server; content:"=1.6.0_"; http_uri; pcre:"/^\/[a-z][0-9a-z_+=-]{10,30}\?\w=[0-9.]+\&\w=1.6.0_\d\d$/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014024; rev:4; metadata:created_at 2011_12_13, former_category EXPLOIT_KIT, updated_at 2011_12_13;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Lookup of Known BlackEnergy DDOS Botnet CnC Server greenter.ru"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|greenter|02|ru"; nocase; distance:0; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110116; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20100913; classtype:command-and-control; sid:2012202; rev:2; metadata:created_at 2011_01_18, updated_at 2011_01_18;)
 
-#alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Session Established Flowbit Set"; flow:to_server,established; flowbits:isset,ms.rdp.synack; flowbits:unset,ms.rdp.synack; flowbits:set,ms.rdp.established; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014386; rev:2; metadata:created_at 2012_03_15, former_category DOS, updated_at 2012_03_15;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Lookup of Twitter m28sx Worm"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"gdfgdfgdgdfgdfg|02|in|02|ua"; nocase; distance:0; reference:url,isc.sans.edu/diary.html?storyid=10297; classtype:trojan-activity; sid:2012210; rev:2; metadata:created_at 2011_01_21, updated_at 2011_01_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP New.net Spyware Checkin"; flow:established,to_server; content:"/?version="; nocase; http_uri; content:"discard_tag="; nocase; http_uri; content:"source="; nocase; http_uri; content:"ptr="; nocase; http_uri; content:"br=NewDotNet"; nocase; http_uri; content:"ec="; nocase; http_uri; reference:url,www.new.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003241; classtype:pup-activity; sid:2003241; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Java Exploit Kit Success Check-in Executable Download Likely"; flow:established,to_server; content:".php?"; http_uri; content:"=javajsm"; http_uri; classtype:exploit-kit; sid:2012389; rev:3; metadata:created_at 2011_02_27, former_category EXPLOIT_KIT, updated_at 2011_02_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Oenji.com Install"; flow: to_server,established; content:"/Bundled/OemjiInstall"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001538; classtype:pup-activity; sid:2001538; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tatanga Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?build="; http_uri; content:"&id="; http_uri; content:"&SA=1-0"; http_uri; content:"&SP=1-"; http_uri; reference:url,securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojtatangac.html; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=4b5eb54de32f86819c638878ac2c7985&id=740958; reference:url,www.malware-control.com/statics-pages/06198e9b72e1bb0c256769c5754ed821.php; classtype:command-and-control; sid:2012391; rev:3; metadata:created_at 2011_02_28, former_category MALWARE, updated_at 2011_02_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyspotter.com Access Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:".oemji.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001539; classtype:pup-activity; sid:2001539; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_05_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Vilsel.akd Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app_count/ag4_del_count.php?"; nocase; http_uri; content:"mac="; nocase; http_uri; content:"pid="; nocase; http_uri; reference:md5,2d6cede13913b17bc2ea7c7f70ce5fa8; classtype:trojan-activity; sid:2012439; rev:4; metadata:created_at 2011_03_08, updated_at 2011_03_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OfferOptimizer.com Spyware"; flow: to_server,established; content:"/ctx/keyword_context.php?"; nocase; http_uri; content:"urlContext=http"; nocase; http_uri; reference:url,www.offeroptimizer.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001341; classtype:pup-activity; sid:2001341; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Agent.bqkb Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/updata/"; nocase; http_uri; content:"lg1="; nocase; http_uri; content:"lg2="; nocase; http_uri; content:"lg3="; nocase; http_uri; content:"lg5="; nocase; http_uri; content:"lg6="; nocase; http_uri; content:"lg7="; nocase; http_uri; reference:md5,de85ae919d48325189bead995e8052e7; classtype:trojan-activity; sid:2012440; rev:4; metadata:created_at 2011_03_08, former_category MALWARE, updated_at 2011_03_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OneStepSearch Host Activity"; flow: to_server,established; content:"GET"; nocase; http_method; content:"host|3a| upgrade.onestepsearch.net"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007855; classtype:pup-activity; sid:2007855; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Monkif Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/photo/"; http_uri; content:"6x5x5772=712x5772=716x"; http_uri; classtype:command-and-control; sid:2012505; rev:4; metadata:created_at 2011_03_15, former_category MALWARE, updated_at 2011_03_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OutBlaze.com Spyware Activity"; flow: to_server,established; content:"/scripts/adpopper/webservice.main"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002044; classtype:pup-activity; sid:2002044; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rimecud.B Activity"; flow:to_server,established; content:"POST"; nocase; http_method; content:"&acc=ups"; http_uri; content:"&nick="; http_uri; content:"&botver=Beta&code="; http_uri; content:"User-Agent|3a 20|"; nocase; http_header; content:"|3b 20|es-ES|3b|"; distance:39; http_header; content:"plist|3d 2d 2d 2d|"; depth:9; http_client_body; content:"Passwords"; distance:0; http_client_body; reference:md5,01dd7102b9d36ec8556eed2909b74f52; classtype:trojan-activity; sid:2012517; rev:2; metadata:created_at 2011_03_17, updated_at 2011_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Outerinfo.com Spyware Install"; flow: to_server,established; content:"/ctxad-"; nocase; http_uri; pcre:"/ctxad-\d+\.sig/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2001495; classtype:pup-activity; sid:2001495; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Spy.Win32.Zbot.djrm Checkin"; flow:to_server,established; content:"/index.html?mac="; http_uri; content:"&ver="; http_uri; content:"&os="; http_uri; content:"&dtime="; fast_pattern; http_uri; content:"User-Agent|3a| baidu|0d 0a|"; http_header; reference:md5,b895249cce7d2c27cb9c480feb36560c; reference:md5,f70a5f52d4c0071963602c25b62865cb; classtype:command-and-control; sid:2014399; rev:3; metadata:created_at 2012_03_15, former_category MALWARE, updated_at 2012_03_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EMO/PCPrivacyCleaner Rougue Secuirty App GET Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"action="; nocase; http_uri; content:"addt="; nocase; http_uri; content:"pc|5F|id="; nocase; http_uri; content:"abbr="; nocase; http_uri; reference:url,www.spywaresignatures.com/details/pcprivacycleaner.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2008456; classtype:pup-activity; sid:2008456; rev:5; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Rimecud /qvod/ff.txt Checkin"; flow:established,to_server; content:"/qvod/ff.txt"; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRimecud; reference:md5,f97e1c4aefbd2595fcfeb0f482c47517; reference:md5,f96a29bcf6cba870efd8f7dd9344c39e; reference:md5,fae8675502d909d6b546c111625bcfba; classtype:trojan-activity; sid:2014401; rev:2; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Pacimedia Spyware 1"; flow:to_server,established; content:"/mcp/mcp.cgi"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002083; classtype:pup-activity; sid:2002083; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS-Banker.gen.b Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/curubacom.php?"; http_uri; nocase; content:"op="; http_uri; nocase; reference:md5,e3fdf31ce57b3807352971a62f85c55b; classtype:trojan-activity; sid:2012592; rev:5; metadata:created_at 2011_03_28, updated_at 2011_03_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware PlusDream - GET Config Download/Update"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?kind="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&addresses="; nocase; http_uri; content:"&hdmacid="; nocase; reference:url,doc.emergingthreats.net/2009712; classtype:pup-activity; sid:2009712; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Best Spyware Scanner FaveAV Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/BestSpywareScanner_Setup.exe"; nocase; http_uri; classtype:trojan-activity; sid:2012590; rev:5; metadata:created_at 2011_03_28, updated_at 2011_03_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Popuptraffic.com Bot Reporting"; flow: to_server,established; content:"/scripts/click.php?"; nocase; http_uri; content:"hid="; http_uri; reference:url,popuptraffic.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000577; classtype:policy-violation; sid:2000577; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Clicker.Win32.Agent.qqf Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"|2f|sogou"; http_uri; pcre:"/\x2fsogou(config)?\x2f/Ui"; reference:md5,f468778836fd27a2ccca88c99f6dd3e9; classtype:trojan-activity; sid:2012643; rev:2; metadata:created_at 2011_04_06, updated_at 2011_04_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Privacyprotector.com Fake Anti-Spyware Install"; flow: to_server,established; content:"/privacyprotectorfreesetup.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003547; classtype:pup-activity; sid:2003547; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 897 (msg:"ET DELETED Backdoor PcClient.CAK.Pakes POST on non-http Port"; flow:established,to_server; content:"POST"; nocase; http_method; content:".jsp"; nocase; depth:35; pcre:"/\/\d{8,}\/\d{4,}\/\d{4,}\.jsp/"; reference:url,doc.emergingthreats.net/2009093; classtype:trojan-activity; sid:2009093; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Privacyprotector.com Fake Anti-Spyware Checkin"; flow: to_server,established; content:"/?action="; nocase; http_uri; content:"&type="; nocase; http_uri; content:"&pc_id="; nocase; http_uri; content:"&abbr="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003548; classtype:trojan-activity; sid:2003548; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Weatherbug Activity"; flow: to_server,established; content:"weatherbug.com|0d 0a|"; nocase; http_header; threshold: type limit, track by_src, count 1, seconds 3600; reference:url,doc.emergingthreats.net/bin/view/Main/2001267; classtype:misc-activity; sid:2001267; rev:18; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> any any (msg:"ET ADWARE_PUP Pynix.dll BHO Activity"; flow: established,to_server; content:"ABETTERINTERNET.EXE"; nocase; http_uri; content:"bho=PYNIX.DLL"; nocase; http_uri; reference:url,www.pynix.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001748; classtype:pup-activity; sid:2001748; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Bifrose.Backdoor Checkin Attempt via Facebook"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/omaha/update.php?"; http_uri; content:"User-Agent|3A 20|Facebook Update/"; http_header; content:"winhttp|3b|"; http_header; reference:md5,61661202e320dd91e4f7e4a10616eefc; classtype:trojan-activity; sid:2014404; rev:3; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED rcprograms"; flow: to_server,established; content:"update.rcprograms.com"; nocase; http_header; reference:url,sarc.com/avcenter/venc/data/adware.rcprograms.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000024; classtype:trojan-activity; sid:2000024; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (png)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".png"; nocase; http_uri; content:".png HTTP"; nocase; pcre:"/\.png$/Ui"; reference:url,doc.emergingthreats.net/2010070; classtype:trojan-activity; sid:2010070; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Rdxrp.com Traffic"; flow: to_server,established; content:"/rdxr020304.dat"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001311; classtype:pup-activity; sid:2001311; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (jpeg)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".jpeg"; nocase; http_uri; content:".jpeg HTTP"; nocase; pcre:"/\.jpeg$/i"; reference:url,doc.emergingthreats.net/2010068; classtype:trojan-activity; sid:2010068; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Regnow.com Gamehouse.com Access"; flow: to_server,established; content:"/affiliates/template.jsp?"; nocase; http_uri; content:"AID="; nocase; http_uri; reference:url,www.gamehouse.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001224; classtype:pup-activity; sid:2001224; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (bmp)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".bmp"; nocase; http_uri; content:".bmp HTTP"; nocase; pcre:"/\.bmp$/i"; reference:url,doc.emergingthreats.net/2010069; classtype:trojan-activity; sid:2010069; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Salongas Infection"; flow: to_server,established; content:"/sp.htm?id="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000601; classtype:pup-activity; sid:2000601; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Downloader.Win32.Small Checkin"; flow:to_server,established; content:"GET"; http_method; nocase; content:"|2e|ashx|3f|m|3d|"; http_uri; content:"|2d|"; distance:2; within:1; http_uri; content:"|26|mid|3d|"; http_uri; distance:0; content:"|26|tid|3d|"; http_uri; distance:0; content:"|26|d|3d|"; http_uri; distance:0; content:"|26|uid|3d|"; http_uri; distance:0; content:"|26|t|3d|"; http_uri; distance:0; reference:md5,48432bdd116dccb684c8cef84579b963; classtype:command-and-control; sid:2012839; rev:4; metadata:created_at 2011_05_23, former_category MALWARE, updated_at 2011_05_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Search Relevancy Spyware"; flow: established,to_server; content:"/SearchRelevancy/SearchRelevancy.dll"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.relevancy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001696; classtype:pup-activity; sid:2001696; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi posting form data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"name=\"upload_file\""; http_client_body; content:"URL|3a|"; http_client_body; classtype:trojan-activity; sid:2012871; rev:4; metadata:created_at 2011_05_27, updated_at 2011_05_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 1"; flow: to_server,established; content:"/rd/Clk.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002296; classtype:pup-activity; sid:2002296; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CPL Trojan Downloader Request"; flow:established,to_server; content:".cpl?|20|HTTP/1.1"; nocase; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2012910; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_06_01, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 2"; flow: to_server,established; content:"/rd/feed/TextFeed.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002297; classtype:pup-activity; sid:2002297; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic adClicker Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"web"; http_uri; content:"getinfo"; http_uri; content:".aspx?"; http_uri; content:"ver="; http_uri; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; classtype:command-and-control; sid:2012934; rev:4; metadata:created_at 2011_06_06, former_category MALWARE, updated_at 2011_06_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 3"; flow: to_server,established; content:"/rd/feed/XMLFeed.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002298; classtype:pup-activity; sid:2002298; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WebToolbar.Win32.WhenU.r Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/prod/MEADInst.exe"; http_uri; nocase; reference:md5,27867435a1b6b3f35daf13faac6f77b7; classtype:trojan-activity; sid:2013034; rev:4; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 4"; flow: to_server,established; content:"/rd/feed/JavaScriptFeed.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002299; classtype:pup-activity; sid:2002299; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper.MSIL.Agent.ate Checkin"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/bot.php?"; http_uri; content:"hwid="; http_uri; content:"pcname="; http_uri; reference:md5,4860e53b7e71cd57956e10ef48342b5f; classtype:command-and-control; sid:2013071; rev:4; metadata:created_at 2011_06_21, former_category MALWARE, updated_at 2011_06_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 5"; flow: to_server,established; content:"/rd/feed/JavaScriptFeedSE.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002300; classtype:pup-activity; sid:2002300; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:2100257; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 6"; flow: to_server,established; content:"/rd/SearchResults.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002301; classtype:pup-activity; sid:2002301; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/UFR POST to CnC"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ufr/ufr.php"; http_uri; content:"UFR"; http_client_body; classtype:command-and-control; sid:2013424; rev:3; metadata:created_at 2011_08_18, updated_at 2011_08_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 7"; flow: to_server,established; content:"/rd/jsp/BidRank/index.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002302; classtype:pup-activity; sid:2002302; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cridex.B/Feodo Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/in"; offset:11; depth:3; http_uri; content:".ru"; http_header; pcre:"/\/\w{3}\/\w\d_\w\w\w\/in\/?$/Ui"; pcre:"/Host\x3a\s[a-z]{15,19}\.ru(\x3a8080)?/Hm"; reference:md5,7ed139b53e24e4385c4c59cd2aa0e5f7; reference:url,labs.m86security.com/2012/03/the-cridex-trojan-targets-137-financial-organizations-in-one-go/; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html; reference:url,about-threats.trendmicro.com/Malware.aspx?language=us&name=WORM_CRIDEX.IC; classtype:command-and-control; sid:2014405; rev:10; metadata:created_at 2012_02_29, former_category MALWARE, updated_at 2012_02_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 8"; flow: to_server,established; content:"/SFToolBar.html"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002303; classtype:pup-activity; sid:2002303; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/VB.HV Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/popcode.php?aid="; http_uri; content:"&lc="; http_uri; content:"&domain="; http_uri; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FVB.HV; classtype:command-and-control; sid:2013456; rev:5; metadata:created_at 2011_08_24, former_category MALWARE, updated_at 2011_08_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmeup Spyware Install (d.exe)"; flow: to_server,established; content:"/x30/d.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001484; classtype:pup-activity; sid:2001484; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NgrBot IRC CnC Channel Join"; flow:established,to_server; content:"PASS ngrBot"; content:"NICK"; distance:0; reference:url,stopmalvertising.com/rootkits/analysis-of-ngrbot.html; classtype:command-and-control; sid:2013451; rev:3; metadata:created_at 2011_08_24, former_category MALWARE, updated_at 2011_08_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Install (v3cab)"; flow: to_server,established; content:"/cab/v3cab.cab"; http_uri; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001540; classtype:pup-activity; sid:2001540; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 8888 -> any any (msg:"ET MOBILE_MALWARE iOS Keylogger iKeyMonitor access"; flow:from_server,established; content:"/><title>Keystrokes - iKeyMonitor</title><style "; reference:url,moreinfo.thebigboss.org/moreinfo/depiction.php?file=ikeymonitorDp; classtype:policy-violation; sid:2014406; rev:2; metadata:created_at 2012_03_21, updated_at 2012_03_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Searchmiracle.com Access, Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:".searchmiracle.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.elitebar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001532; classtype:trojan-activity; sid:2001532; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/iGrabber Info Stealer FTP Upload"; flow:established,to_server; content:"iGrabber Logs"; classtype:trojan-activity; sid:2013543; rev:3; metadata:created_at 2011_09_06, updated_at 2011_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Install (install)"; flow: to_server,established; content:"/sideb.exe"; content:"Host|3a| install.searchmiracle.com"; nocase; http_header; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001744; classtype:pup-activity; sid:2001744; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus/Aeausuc P2P Variant Retrieving Peers List"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gameover"; http_uri; pcre:"/gameover(\d+)?\.php/U"; content:" HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|X-ID|3a|"; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013740; rev:9; metadata:created_at 2011_10_05, updated_at 2011_10_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Install - silent.exe"; flow: to_server,established; content:"/silent.exe"; nocase; http_uri; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002091; classtype:pup-activity; sid:2002091; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Einstein CnC Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?id="; http_uri; content:"&ext="; http_uri; pcre:"/\x2F[a-z]{5}\x2Ephp\x3Fid\x3D/U"; reference:url,www.cyberesi.com/2011/10/06/trojan-matryoshka-and-trojan-einstein/; classtype:command-and-control; sid:2013767; rev:3; metadata:created_at 2011_10_12, former_category MALWARE, updated_at 2011_10_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Search Scout Related Spyware (content)"; flow: established,to_server; content:"Host|3a| content.searchscout.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001650; classtype:pup-activity; sid:2001650; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Scar.dvov Searchstar.co.kr related Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/juso_return.php?mode="; http_uri; content:"&pluslook_p"; http_uri; reference:md5,07ed70b6e7775a510d725c9f032c70d8; classtype:command-and-control; sid:2013781; rev:4; metadata:created_at 2011_10_19, former_category MALWARE, updated_at 2011_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Search Scout Related Spyware (results)"; flow: established,to_server; content:"Host|3a| results.searchscout.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001653; classtype:pup-activity; sid:2001653; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sefbov.E Reporting"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CallBack/SomeScripts/mgsGetMGList.php"; nocase; http_uri; reference:md5,f50d954f1fd38c6eb10e7e399caab480; classtype:trojan-activity; sid:2013868; rev:4; metadata:created_at 2011_11_08, updated_at 2011_11_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Seekmo.com Spyware Data Upload"; flow:established,to_server; content:".aspx?"; http_uri; content:"eid="; http_uri; content:"&pkg_ver="; http_uri; content:"&ver="; http_uri; content:"&brand="; http_uri; content:"&mt="; http_uri; content:"&partid="; content:"&altdid="; http_uri; content:"&os="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008356; classtype:pup-activity; sid:2008356; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS.TIBIA Checkin or Data Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/arq.php"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; http_header; classtype:command-and-control; sid:2013948; rev:4; metadata:created_at 2011_11_23, former_category MALWARE, updated_at 2011_11_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Servicepack.kr Fake Patch Software Checkin"; flow:established,to_server; content:".php?kind="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&ver2="; nocase; http_uri; content:"&ver3="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&supportid="; nocase; http_uri; content:"&uniq="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008016; classtype:pup-activity; sid:2008016; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS.TIBIA Checkin or Data Post 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/arq.php"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV2|0d 0a|"; http_header; classtype:command-and-control; sid:2013949; rev:4; metadata:created_at 2011_11_23, former_category MALWARE, updated_at 2011_11_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sexmaniack Install Tracking"; flow: to_server,established; content:"/counted.php?ref="; nocase; http_uri; content:"Host|3a| counter.sexmaniack.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001460; classtype:pup-activity; sid:2001460; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (dwplayer)"; flow:established,to_server; content:"User-Agent|3a| dwplayer"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008489; classtype:policy-violation; sid:2008489; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Informational, tag User_Agent, updated_at 2017_10_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop At Home Select.com Install Attempt"; flow: to_server,established; content:"/mindset/bunsetup.cab"; nocase; http_uri; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000580; classtype:pup-activity; sid:2000580; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE VMProtect Packed Binary Inbound via HTTP - Likely Hostile"; flow:established,from_server; content:"VirtualProtect|00|"; reference:url,doc.emergingthreats.net/2009080; classtype:trojan-activity; sid:2009080; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Shop At Home Select.com Install Download"; flow: from_server,established; content:"|ab 3b d4 97 d4 a7 b4 1d da 6e 6d 0f f4 aa 4f|"; content:"|46 b3 3b 8b 38 cc 2c 2a a4 c3 07 67 67 df 65 41|"; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000581; classtype:pup-activity; sid:2000581; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT ZwProtectVirtualMemory - Undocumented API Which Can be Used for Rootkit Functionality"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"ZwProtectVirtualMemory"; distance:0; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012768; rev:7; metadata:created_at 2011_05_03, former_category MALWARE, updated_at 2011_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop at Home Select Spyware Heartbeat"; flow: established,to_server; content:"/s.dll?MfcISAPICommand=heartbeat&param="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001708; classtype:pup-activity; sid:2001708; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT SetKeyboardState - Can Be Used for Keylogging"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"SetKeyboardState"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012780; rev:6; metadata:created_at 2011_05_03, former_category POLICY, updated_at 2011_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop at Home Select Spyware Install"; flow: established,to_server; content:"/arcadecash/setup"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002037; classtype:pup-activity; sid:2002037; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert http any any -> $HOME_NET any (msg:"ET DELETED Windows executable sent when remote host claims to send image, Win32"; flow: established,from_server; content:"Content-Type|3a| image"; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2001684; classtype:trojan-activity; sid:2001684; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shopnav Spyware Install"; flow: to_server,established; content:"/toolbarv3.cgi?UID="; nocase; http_uri; content:"&version="; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.shopnav.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002000; classtype:pup-activity; sid:2002000; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Windows executable sent when remote host claims to send Javascript"; flow:established,from_server; content:"Content-Type|3a| application/"; content:"javascript|0d 0a|"; within:14; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008367; classtype:trojan-activity; sid:2008367; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SideStep Bar Install"; flow: to_server,established; content:"/servlet/sbinstservlet"; nocase; http_uri; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001016; classtype:pup-activity; sid:2001016; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT ActiveX Control PlayerPT.ocx Access 2"; flow:from_server,established; content:"<object"; nocase; content:"E065E4A-BD9D-4547-8F90-985DC62A5591"; nocase; distance:0; content:"|2e|SetSource("; distance:0; reference:url,retrogod.altervista.org/9sg_linksys_playerpt.htm; classtype:command-and-control; sid:2014417; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_23, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SideStep Bar Reporting Data"; flow: to_server,established; content:"/servlet/sblogservlet"; nocase; http_uri; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001017; classtype:pup-activity; sid:2001017; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT ActiveX Control PlayerPT.ocx Access 1"; flow:from_server,established; content:"<script"; nocase; content:"PLAYERPT.PlayerPTCtrl.1"; nocase; distance:0; content:"|2e|SetSource("; distance:0; pcre:"/(ActiveXObject|CreateObject)\s*\(\s*(\x22|\x27)PLAYERPT\.PlayerPTCtrl\.1/iG"; reference:url,retrogod.altervista.org/9sg_linksys_playerpt.htm; classtype:command-and-control; sid:2014416; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_23, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SideStep Bar Reporting Data (sbstart)"; flow: to_server,established; content:"/servlet/SbStartservlet"; nocase; http_uri; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002821; classtype:pup-activity; sid:2002821; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X Client for RDP ClientSystem Class ActiveX Control InstallClient Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TuxClientSystem.ClientSystem.1"; nocase; distance:0; content:"InstallClient"; nocase; reference:url,www.exploit-db.com/exploits/18624/; classtype:attempted-user; sid:2014423; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Smartpops.com Spyware Install rh.exe"; flow: to_server,established; content:"/install/RH/rh.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001505; classtype:pup-activity; sid:2001505; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ExportSettings Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TuxScripting.TuxSystem.1"; nocase; distance:0; content:"ExportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014421; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Smartpops.com Spyware Install"; flow: to_server,established; content:"/install/SE/sed.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001516; classtype:pup-activity; sid:2001516; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ExportSettings Remote File Overwrite Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"5BD64392-DA66-4852-9715-CFBA98D25296"; nocase; distance:0; content:"ExportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014420; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Smartpops.com Spyware Update"; flow: to_server,established; content:"/data/spv15.dat?v="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001513; classtype:pup-activity; sid:2001513; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ImportSettings Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TuxScripting.TuxSystem.1"; nocase; distance:0; content:"ImportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014419; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Soft-Show.cn Related Fake AV Install"; flow:established,to_server; content:"/setup/setup.asp?id="; nocase; http_uri; content:"&pcid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&taday="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008135; classtype:pup-activity; sid:2008135; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ImportSettings Remote File Overwrite Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"5BD64392-DA66-4852-9715-CFBA98D25296"; nocase; distance:0; content:"ImportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014418; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Soft-Show.cn Related Fake AV Install Ad Pull"; flow:established,to_server; content:"/setup/adClick.asp?Id="; nocase; http_uri; content:"&WebId="; nocase; http_uri; content:"&sDate="; nocase; http_uri; content:"&ver="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008148; classtype:pup-activity; sid:2008148; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32.PowerPointer checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"<packet>"; http_client_body; content:"</packet>"; http_client_body; classtype:command-and-control; sid:2014040; rev:3; metadata:created_at 2011_12_28, former_category MALWARE, updated_at 2011_12_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Softcashier.com Spyware Install Checkin"; flow:established,to_server; content:".php?wmid="; nocase; http_uri; content:"&subid="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&lid="; nocase; http_uri; content:"&hs="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007861; classtype:pup-activity; sid:2007861; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Clicker.Win32.VB.gnf Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/channel/onSale.htm?"; nocase; http_uri; content:"pid="; nocase; http_uri; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanClicker%3AWin32%2FVB.GE; classtype:trojan-activity; sid:2014066; rev:4; metadata:created_at 2012_01_02, updated_at 2012_01_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Softwarereferral.com Adware Checkin"; flow:established,to_server; content:"wmid="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&lid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007696; classtype:pup-activity; sid:2007696; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN Win32.OnlineGames.Bft Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/urlrcv.php?"; nocase; http_uri; content:"mc="; nocase; http_uri; content:"sc="; nocase; http_uri; content:"uuid="; nocase; http_uri; reference:md5,e488fca95cb923a0ecd329642c076e0d; reference:url,www.thespywaredetector.com/spywareinfo.aspx?ID=1874131; classtype:trojan-activity; sid:2014084; rev:5; metadata:created_at 2012_01_03, updated_at 2012_01_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Possible Spambot Pulling IP List to Spam"; flow:established,to_server; content:"/devrandom/access.php"; nocase; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 (compatible)"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002990; classtype:pup-activity; sid:2002990; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus POST Request to CnC - cookie variation"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|20|HTTP/1."; content:"|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|en-us|0d 0a|Cookie|3a 20|cid="; distance:1; within:51; content:"User-Agent|3a 20|Mozilla"; distance:0; content:"Host|3a 20|"; distance:0; content:"Content-Length|3a 20|"; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0d 0a|"; distance:0; content:"|3a| no-cache|0d 0a 0d 0a|"; distance:0; reference:url,zeustracker.abuse.ch/monitor.php?search=209.59.216.103; classtype:command-and-control; sid:2014107; rev:3; metadata:created_at 2012_01_10, former_category MALWARE, updated_at 2012_01_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Possible Spambot getting new exe"; flow:established,to_server; content:"/traff/ppiigg.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002991; classtype:pup-activity; sid:2002991; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf/Troxen/Zema Reporting 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?m="; http_uri; content:"&s="; http_uri; content:"&v="; http_uri; content:"User-Agent|3a| build"; http_header; pcre:"/\.php\?m=[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}&[vs]=/Ui"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014114; rev:4; metadata:created_at 2012_01_12, updated_at 2012_01_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Specificclick.net Spyware Activity"; flow: to_server,established; content:"/adopt.sm?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"&sz="; nocase; http_uri; content:"&redir="; nocase; http_uri; content:"&nmv="; nocase; http_uri; content:"&nrsz="; nocase; http_uri; content:"&r="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003450; classtype:pup-activity; sid:2003450; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf/Troxen/Zema Reporting 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?s="; http_uri; content:"&m="; http_uri; content:"User-Agent|3a| build"; http_header; pcre:"/\.php\?s=\d&m=[A-F0-9]{16}$/Ui"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014115; rev:3; metadata:created_at 2012_01_12, updated_at 2012_01_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Speedera Agent"; flow: to_server,established; content:"/io/downloads"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001320; classtype:trojan-activity; sid:2001320; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye Checkin version 1.3.25 or later 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"data=6Prm67"; depth:11; http_client_body; classtype:command-and-control; sid:2014044; rev:5; metadata:created_at 2011_12_28, former_category MALWARE, updated_at 2011_12_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Speedera Agent (Specific)"; flow: to_server,established; content:"/io/downloads/3/wsem302.dl"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001321; classtype:pup-activity; sid:2001321; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UPDATE Protocol Trojan Communication detected on http ports"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/update?product=windows"; http_uri; content:"X-Status|3A|"; http_header; content:"X-Size|3A|"; http_header; content:"X-Sn|3A|"; http_header; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b|SV1|3b 0d 0a|"; http_header; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014223; rev:4; metadata:created_at 2012_02_14, updated_at 2012_02_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spy-Not.com Spyware Updating"; flow:to_server,established; content:"/updates1/SKVersion.ini"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003377; classtype:pup-activity; sid:2003377; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE UPDATE Protocol Trojan Communication detected on non-http ports"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/update?product=windows"; http_uri; content:"X-Status|3A|"; http_header; content:"X-Size|3A|"; http_header; content:"X-Sn|3A|"; http_header; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b|SV1|3b 0d 0a|"; http_header; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014224; rev:4; metadata:created_at 2012_02_14, updated_at 2012_02_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spy-Not.com Spyware Pulling Fake Sigs"; flow:to_server,established; content:"/updates1/SKSignatures.zip"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003375; classtype:pup-activity; sid:2003375; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Duptwux/Ganelp FTP Username - onthelinux"; flow:established,to_server; content:"USER onthelinux"; classtype:trojan-activity; sid:2014239; rev:3; metadata:created_at 2012_02_18, updated_at 2012_02_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpySherriff Spyware Activity"; flow: to_server,established; content:"/progs_exe/jbsrak/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002984; classtype:pup-activity; sid:2002984; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Java Rhino Exploit Attempt - evilcode.class"; flow:established,to_client; content:"code=|22|evilcode.class|22|"; nocase; fast_pattern:only; reference:cve,2011-3544; classtype:attempted-user; sid:2014429; rev:5; metadata:created_at 2012_03_26, former_category CURRENT_EVENTS, updated_at 2012_03_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Jupitersatellites.biz Spyware Download"; flow: to_server,established; content:"/traff/ppiigg.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002987; classtype:pup-activity; sid:2002987; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SelfStarterInternet.InfoStealer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/login.aspx?ReturnUrl=/card/Pay_query.aspx"; http_uri; content:"VIEWSTATE="; nocase; http_client_body; content:"EVENTVALIDATION="; nocase; distance:0; http_client_body; content:"&txtUser="; nocase; distance:0; http_client_body; content:"&txtPwd="; nocase; distance:0; http_client_body; content:"&btnEnter="; nocase; distance:0; http_client_body; reference:md5,67c748f3ecc0278f1f94596f86edc509; classtype:command-and-control; sid:2014307; rev:4; metadata:created_at 2012_03_05, former_category MALWARE, updated_at 2012_03_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpySheriff Intial Phone Home"; flow:established,to_server; content:"trial.php?rest="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"trial.php"; nocase; content:!"User-Agent|3a| "; http_header; reference:url,vil.nai.com/vil/content/v_135033.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2003251; classtype:pup-activity; sid:2003251; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 4 byte"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02 04|"; distance:1; within:2; byte_test:4,<,0x06,0,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014434; rev:10; metadata:created_at 2012_03_24, updated_at 2012_03_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpyShredder Fake Anti-Spyware Install Download"; flow:established,to_server; content:"&advid="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"?=______"; http_uri; content:"&vs="; nocase; http_uri; content:"&YZYYYYYYYYYYYYYYYYYYYYYYYYYY"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007593; classtype:pup-activity; sid:2007593; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 3 byte"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02 03|"; distance:1; within:2; byte_test:3,<,0x06,0,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014433; rev:10; metadata:created_at 2012_03_24, updated_at 2012_03_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyaxe Spyware DB Update"; flow: to_server,established; content:"/updates/database/dbver.php"; nocase; http_uri; content:"spywareaxe"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002804; classtype:pup-activity; sid:2002804; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Dropper.Wlock Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"hardware_id="; http_client_body; content:"&user_id="; http_client_body; content:"&os_ver="; http_client_body; content:"&os_sp="; http_client_body; content:"&os_arch="; http_client_body; reference:md5,881e21645e5ffe1ffb959835f8fdf71d; classtype:command-and-control; sid:2013768; rev:4; metadata:created_at 2011_10_12, former_category MALWARE, updated_at 2011_10_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyaxe Spyware DB Version Check"; flow: to_server,established; content:"/updates/database/dbver.dat"; nocase; http_uri; content:"spywareaxe"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002805; classtype:pup-activity; sid:2002805; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt"; flags:R; flow:to_server; flowbits:isset,ms.rdp.synack; flowbits:isnotset,ms.rdp.established; flowbits:unset,ms.rdp.synack; reference:cve,2012-0152; classtype:attempted-dos; sid:2014384; rev:8; metadata:created_at 2012_03_13, updated_at 2012_03_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyaxe Spyware Checkin"; flow: to_server,established; content:"/download.php?sid="; nocase; http_uri; content:"spyaxe"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002806; classtype:pup-activity; sid:2002806; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Multiple Levels of Javascript Encoding & Compression Filters in PDF, Possibly Hostile PDF"; flow:established,to_client; content:"PDF-"; depth:300; content:"/Filter"; nocase; distance:0; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; reference:url,www.symantec.com/connect/blogs/journey-center-pdf-stream; reference:url,doc.emergingthreats.net/2011008; classtype:misc-activity; sid:2011008; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Spylog.ru Related Spyware Checkin"; flow:established,to_server; content:"/cnt?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&rn="; nocase; http_uri; content:"&c="; nocase; http_uri; content:"&tl="; nocase; http_uri; content:"&ls="; nocase; http_uri; content:"&ln="; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&j="; nocase; http_uri; content:"&wh="; nocase; http_uri; content:"&px="; nocase; http_uri; content:"&sl="; nocase; http_uri; content:"&r="; nocase; http_uri; content:"&fr="; nocase; http_uri; content:"&pg="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007649; classtype:trojan-activity; sid:2007649; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Karagany/Kazy Obfuscated Payload Download"; flow:established,to_client; content:"Content-Disposition|3a| "; http_header; content:"windows-update-"; fast_pattern; http_header; distance:0; content:".exe"; distance:0; http_header; content:!"|0d 0a 0d 0a|MZ"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FKaragany.I; reference:url,www.virustotal.com/file/6c7ae03b8b660826f0c58bbec4208bf03e704201131b3b5c5709e5837bfdd218/analysis/1334672726/; classtype:trojan-activity; sid:2014230; rev:5; metadata:created_at 2012_02_16, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyspotter.com Install"; flow: to_server,established; content:"/SpySpotterInstall.cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001536; classtype:pup-activity; sid:2001536; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Backdoor.Kbot Config Retrieval"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/getcfg.php"; http_uri; content:"oop="; http_client_body; depth:4; reference:md5,b8ee86e57261fd3fb422a2b20a3c3e09; classtype:trojan-activity; sid:2014291; rev:4; metadata:created_at 2012_02_29, updated_at 2012_02_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyspotter.com Access"; flow: to_server,established; content:"Host|3a| "; http_header; content:"spyspotter.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001537; classtype:pup-activity; sid:2001537; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest InTrust Annotation Objects ActiveX Control Add Access Potential Remote Code Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AnnotationX.AnnList.1"; nocase; distance:0; content:".Add("; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18674/; classtype:attempted-user; sid:2014454; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpywareLabs Application Install"; flow: to_server,established; content:"/DistID/BaseInstalls/V"; nocase; http_uri; content:"User-Agent|3a|"; nocase; http_header; content:"Wise"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001522; classtype:pup-activity; sid:2001522; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TRENDnet TV-IP121WN UltraMJCam ActiveX Control OpenFileDlg Access Potential Remote Stack Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11"; nocase; distance:0; content:".OpenFileDlg"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18675/; classtype:attempted-user; sid:2014455; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware Stormer Reporting Data"; flow: established,to_server; content:"/showme.aspx?keyword="; nocase; http_uri; content:"ecomdata1="; nocase; http_client_body; reference:url,www.spywarestormer.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001570; classtype:pup-activity; sid:2001570; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TRENDnet TV-IP121WN UltraMJCam ActiveX Control OpenFileDlg Access Potential Remote Stack Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"UltraMJCam.UltraMJCam.1"; nocase; distance:0; content:".OpenFileDlg"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18675/; classtype:attempted-user; sid:2014456; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware Stormer/Error Guard Activity"; flow: established,to_server; content:"/sell.cgi?errorguard/1/errorguard"; nocase; http_uri; reference:url,www.spywarestormer.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001571; classtype:pup-activity; sid:2001571; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible UserManager SelectServer method Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT"; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"E5D2CE27-5FA0-11D2-A666-204C4F4F5020"; nocase; distance:0; content:"SelectServer"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E5D2CE27-5FA0-11D2-A666-204C4F4F5020/si"; reference:url,exploit-db.com/exploits/16002/; classtype:web-application-attack; sid:2012218; rev:3; metadata:created_at 2011_01_21, updated_at 2011_01_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Statblaster Receiving New configuration (allfiles)"; flow: to_server,established; content:"/updatestats/all_files"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001523; classtype:policy-violation; sid:2001523; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot Request to CnC 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"Accept|3a| */*|0d 0a|If-None-Match|3a| "; fast_pattern; depth:28; http_header; content:"Cache-Control|3a| no-cache|0d 0a|User-Agent|3a| Mozilla"; distance:0; http_header; content:"Connection|3a| Close|0d 0a 0d 0a|"; distance:0; http_header; classtype:command-and-control; sid:2013348; rev:8; metadata:created_at 2011_08_04, former_category MALWARE, updated_at 2011_08_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Statblaster.MemoryWatcher Download"; flow: to_server,established; content:"/memorywatcher.exe"; http_uri; reference:url,www.memorywatcher.com/eula.aspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001442; classtype:pup-activity; sid:2001442; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert tcp $HOME_NET 1723 -> $EXTERNAL_NET any (msg:"ET POLICY PPTP Requester is not authorized to establish a command channel"; flow:to_client,established,no_stream; content:"|00 01|"; offset:2; depth:4; content:"|00 02|"; offset:8; depth:10; content:"|04|"; offset:12; depth:13; reference:url,tools.ietf.org/html/rfc2637; reference:url,doc.emergingthreats.net/2009387; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2009-June/002705.html; classtype:attempted-admin; sid:2009387; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfSidekick Activity (ipixel)"; flow: established,to_server; content:"/ipixel.htm?cid="; nocase; http_uri; content:"&pck_id="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001994; classtype:pup-activity; sid:2001994; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"GPL MISC return code buffer overflow attempt"; flow:to_client,established,no_stream; content:"200"; isdataat:64,relative; pcre:"/^200\s[^\n]{64}/smi"; reference:bugtraq,4900; reference:cve,2002-0909; classtype:protocol-command-decode; sid:2101792; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfSidekick Activity (rinfo)"; flow: established,to_server; content:"/rinfo.htm?"; nocase; http_uri; content:"host="; nocase; http_uri; content:"action="; nocase; http_uri; content:"client=SSK"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002738; classtype:pup-activity; sid:2002738; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED iframebiz - adv***.php"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/adv"; nocase; http_uri; pcre:"/adv\d+\.php/Ui"; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002707; classtype:trojan-activity; sid:2002707; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfAccuracy.com Spyware Pulling Ads"; flow:to_server,established; content:"/sacc/popup.php"; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99; reference:url,doc.emergingthreats.net/bin/view/Main/2003391; classtype:pup-activity; sid:2003391; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3128:9000 (msg:"ET DELETED Possible Hupigon Connect"; flow:established,from_server; flowbits:set,ET.Hupinit2; dsize:<28; content:"HTTP/1.0 200 "; depth:13; flowbits:noalert; reference:url,doc.emergingthreats.net/2009290; classtype:trojan-activity; sid:2009290; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfAssistant.com Spyware Install"; flow: to_server,established; content:"/distribution/questmod-1.dll"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001510; classtype:pup-activity; sid:2001510; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 3128:9000 -> $HOME_NET any (msg:"ET DELETED Hupigon CnC Client Status"; flow:established,to_server; flowbits:isset,ET.Hupinit2; dsize:<6; content:"|0d 0a|"; reference:url,doc.emergingthreats.net/2009291; classtype:command-and-control; sid:2009291; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfAssistant.com Spyware Reporting"; flow: to_server,established; content:"/sa/?a="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001514; classtype:pup-activity; sid:2001514; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3128:9000 (msg:"ET DELETED Hupigon CnC Server Response"; flow:established,from_server; flowbits:isset,ET.Hupinit2; dsize:3; content:"|0d 0a|"; reference:url,doc.emergingthreats.net/2009292; classtype:command-and-control; sid:2009292; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SysVenFak Fake AV Package Victim Checkin (victim.php)"; flow:established,to_server; content:"/victim.php?"; http_uri; pcre:"/victim\.php\?\d\d\d\d\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007945; classtype:pup-activity; sid:2007945; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patcher/Bankpatch V2 Communication with Controller"; flow:established,to_server; content:"id="; nocase; http_uri; content:"&check="; nocase; http_uri; content:"&version2="; http_uri; nocase; pcre:"/\?id=[A-Za-z]+_[A-Za-z0-9]+&/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FBanker.O; classtype:trojan-activity; sid:2009408; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sytes.net Related Spyware Reporting"; flow:to_server,established; content:"/Reporting/admin/upload.php"; nocase; http_uri; content:"POST"; nocase; http_method; content:"sytes.net"; nocase; http_header; reference:url,www.sophos.com/security/analyses/w32forbotdv.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003533; classtype:pup-activity; sid:2003533; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBKrypt.cmtp Login to Server"; flow:to_server,established; content:"USER|20|lodosxxx"; reference:url,vil.nai.com/vil/content/v_377875.htm; classtype:trojan-activity; sid:2013092; rev:4; metadata:created_at 2011_06_22, updated_at 2011_06_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TargetNetworks.net Spyware Reporting (req)"; flow: to_server,established; content:"/request/req.cgi?gu="; nocase; http_uri; content:"&sid="; nocase; http_uri; content:"&kw="; nocase; http_uri; reference:url,www.targetnetworks.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001997; classtype:pup-activity; sid:2001997; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $SQL_SERVERS $ORACLE_PORTS -> $EXTERNAL_NET any (msg:"GPL SQL Oracle misparsed login response"; flow:to_server,established; content:"description=|28|"; nocase; content:!"connect_data=|28|sid="; nocase; content:!"address=|28|protocol=tcp"; nocase; classtype:suspicious-login; sid:2101675; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TargetNetworks.net Spyware Reporting (tn)"; flow: to_server,established; content:"/data/tn.dat?v="; nocase; http_uri; content:"&sid="; nocase; http_uri; reference:url,www.targetnetworks.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002046; classtype:pup-activity; sid:2002046; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"ET EXPLOIT Arkeia full remote access without password or authentication"; flow:to_server,established; content:"|464F3A20596F75206861766520737563|"; content:"|6520636C69656E7420696E666F726D61|"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP thebestsoft4u.com Spyware Install (1)"; flow: to_server,established; content:"/pa/glx.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001482; classtype:pup-activity; sid:2001482; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MSUpdater post-auth checkin"; flow:established,to_server; content:"/search6"; http_uri; fast_pattern; content:"?h1="; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|Windows NT 5.2)"; http_header; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014214; rev:2; metadata:created_at 2012_02_07, updated_at 2012_02_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP thebestsoft4u.com Spyware Install (2)"; flow: to_server,established; content:"/pa/proxyrnd.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001485; classtype:pup-activity; sid:2001485; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Italian Spam Campaign"; flow:established,to_server; content:"/Dettagli.zip"; http_uri; reference:md5,c64504b68d34b18a370f5e77bd0b0337; classtype:trojan-activity; sid:2014458; rev:3; metadata:created_at 2012_04_03, updated_at 2012_04_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Tibsystems Spyware Install (1)"; flow: to_server,established; content:"/fcgi-bin/iza2.fcgi?m="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001729; classtype:pup-activity; sid:2001729; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer CTableRowCellsCollectionCacheItem.GetNext Memory Use-After-Free Attempt"; flow:established,to_client; content:"document.getElementById|28 27|tableid|27 29|.cloneNode"; nocase; content:"cells.urns"; nocase; distance:0; content:"cells.item"; nocase; distance:0; reference:url,dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:bid,37894; reference:cve,2010-0248; classtype:attempted-user; sid:2014463; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_04, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Tibsystems Spyware Install (2)"; flow: to_server,established; content:"/tb/loader2.ocx"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001734; classtype:pup-activity; sid:2001734; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DwnLdr-JMZ Downloading Binary"; flow:established,to_server; content:"/ngt.exe"; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla|0d 0a|"; http_header; reference:url,sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-JMZ/detailed-analysis.aspx; classtype:trojan-activity; sid:2014464; rev:2; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ToolbarPartner Spyware Spambot Retrieving Target Emails"; flow: established,to_server; content:"/mailz.php?id="; nocase; http_uri; reference:url,toolbarpartner.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001895; classtype:pup-activity; sid:2001895; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DwnLdr-JMZ Downloading Binary 2"; flow:established,to_server; content:"/?path=qx200.exe"; http_uri; reference:url,sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-JMZ/detailed-analysis.aspx; classtype:trojan-activity; sid:2014465; rev:2; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TopMoxie Reporting Data to External Host"; flow: to_server,established; content:"/downloads/record_download.asp"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/downloads\/record_download\.asp/i"; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000588; classtype:pup-activity; sid:2000588; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Class Download By Vulnerable Client"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; content:"|0D 0A 0D 0A CA FE BA BE|"; classtype:trojan-activity; sid:2014475; rev:6; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Toprebates.com Install (1)"; flow: established,to_server; content:"/mailz.php?id="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001646; classtype:pup-activity; sid:2001646; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to Zaletelly CnC Domain zaletellyxx.be"; flow:established,to_server; content:"Host|3a| zaletelly"; http_header; nocase; content:".be|0d 0a|"; http_header; within:9; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32/Gamarue.F; classtype:command-and-control; sid:2014476; rev:2; metadata:created_at 2012_04_05, former_category MALWARE, updated_at 2012_04_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Toprebates.com Install (2)"; flow: established,to_server; content:"/builds/"; nocase; http_uri; content:"AutoTrack_Install.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001647; classtype:pup-activity; sid:2001647; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to Zaletelly CnC Domain atserverxx.info"; flow:established,to_server; content:"Host|3a| atserver"; http_header; nocase; content:".info|0d 0a|"; http_header; within:11; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32/Gamarue.F; classtype:command-and-control; sid:2014477; rev:2; metadata:created_at 2012_04_05, former_category MALWARE, updated_at 2012_04_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Toprebates.com User Confirming Membership"; flow: established,to_server; content:"/cgi/account.plx?pid="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001648; classtype:pup-activity; sid:2001648; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Class Download"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; content:"|0D 0A 0D 0A CA FE BA BE|"; classtype:trojan-activity; sid:2014474; rev:6; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Ezula Installer Download"; flow: from_server,established; content:"|65 5a 75 6c 61 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 00 49|"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001335; classtype:pup-activity; sid:2001335; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Datamaikon Checkin NewAgent"; flow:to_server,established; content:"/index.dat?"; http_uri; content:" NewAgent|0d 0a|Host|3a| "; http_header; pcre:"/\/index.dat\?\d{5,9}$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDatamaikon.gen!A&ThreatID=-2147312276; reference:md5,77d68770fcdc6052bd8d761d14a14f5a; classtype:command-and-control; sid:2014467; rev:4; metadata:created_at 2012_04_04, former_category MALWARE, updated_at 2012_04_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spywaremover Activity"; flow: to_server,established; content:"/spywareremovers.php?"; http_uri; content:"Host|3a| topantispyware.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topantispyware.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001520; classtype:pup-activity; sid:2001520; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft PicturePusher ActiveX Cross Site File Upload Attack"; flow:from_server,established; content:"507813C3-0B26-47AD-A8C0-D483C7A21FA7"; nocase; pcre:"/http\://.*?[\w]{4,}=1/i"; pcre:"/(PostURL|AddSeperator|AddString|Post)/i"; reference:url,milw0rm.com/exploits/6699; reference:url,doc.emergingthreats.net/2008673; classtype:web-application-attack; sid:2008673; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Topconverting Spyware Install"; flow: to_server,established; content:"/activex/weirdontheweb_topc.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002004; classtype:pup-activity; sid:2002004; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - Intel Arch"; flow:established,to_client; content:"|0D 0A 0D 0A CE FA ED FE|"; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014516; rev:4; metadata:created_at 2012_04_06, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Topconverting Spyware Reporting"; flow: to_server,established; content:"/trigger.php?partner="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002040; classtype:pup-activity; sid:2002040; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - PowerPC Arch"; flow:established,to_client; content:"|0D 0A 0D 0A FE ED FA CE|"; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014517; rev:4; metadata:created_at 2012_04_06, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Traffic Syndicate Add/Remove"; flow: to_server,established; content:"/Support/AddRemove.aspx?id="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001313; classtype:pup-activity; sid:2001313; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - Multi Arch w/PowerPC"; flow:established,to_client; content:"|0D 0A 0D 0A CA FE BA BE|"; content:"|FE ED FA CE|"; distance:0; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014515; rev:4; metadata:created_at 2012_04_06, updated_at 2012_04_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Traffic Syndicate Agent Updating (1)"; flow: to_server,established; content:"/TbLinkConfig.asmx"; nocase; http_uri; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001315; classtype:pup-activity; sid:2001315; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Disk Image Download"; flow:established,to_client; content:"|0D 0A 0D 0A|"; content:"<plist version="; distance:0; content:"Apple_partition_map"; distance:0; content:"Apple_HFS"; distance:0; classtype:misc-activity; sid:2014518; rev:5; metadata:created_at 2012_04_06, updated_at 2012_04_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Traffic Syndicate Agent Updating (2)"; flow: to_server,established; content:"/TbInstConfig.asmx"; nocase; http_uri; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001316; classtype:pup-activity; sid:2001316; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Taidoor.Backdoor Command Request CnC Checkin"; flow:established,to_server; content:".php?id="; http_uri; content:"&ext="; fast_pattern; http_uri; pcre:"/\x2F[a-z]{5}\x2Ephp\x3Fid\x3D.+[a-f0-9]{12}&ext\x3D/Ui"; reference:url,www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks; classtype:command-and-control; sid:2014528; rev:2; metadata:created_at 2012_04_06, former_category MALWARE, updated_at 2012_04_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Trafficsector.com Spyware Install"; flow: to_server,established; content:"/install.php?"; nocase; http_uri; content:"afid="; nocase; http_uri; content:"&user_id="; http_uri; content:"trafficsector"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002736; classtype:pup-activity; sid:2002736; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/LockScreen Scareware Geolocation Request"; flow:established,to_server; content:"/loc/gate.php?getpic=getpic"; http_uri; reference:url,www.abuse.ch/?p=3610; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_police_trojan.pdf; classtype:trojan-activity; sid:2014309; rev:3; metadata:created_at 2012_03_05, updated_at 2012_03_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Transponder Spyware Activity"; flow:established,to_server; content:"/sendROIcookie.cfm?refer="; nocase; http_uri; reference:url,www.doxdesk.com/parasite/Transponder.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002320; classtype:pup-activity; sid:2002320; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED osCommerce vulnerable web application extras update.php exists"; flow:to_client,established; content:"Select an SQL file to install"; reference:url,retrogod.altervista.org/oscommerce_22_adv.html; reference:url,doc.emergingthreats.net/2002863; classtype:attempted-recon; sid:2002863; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Travel Update Spyware"; flow:established,to_server; content:"/abt?data="; nocase; http_uri; pcre:"/\/abt\?data=\S{150}/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2003297; classtype:pup-activity; sid:2003297; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Known Fraudulent DigiNotar SSL Certificate for google.com 2"; flow:established,from_server; content:"|0c 76 da 9c 91 0c 4e 2c 9e fe 15 d0 58 93 3c 4c|"; content:"google.com"; within:250; reference:url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx; classtype:misc-activity; sid:2013501; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_08_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware/Spyware Trymedia.com EXE download"; flow:established,to_server; content:"GET"; nocase; http_method; content:".exe?nva="; http_uri; content:"&aff="; http_uri; content:"&token="; http_uri; content:"User-Agent|3a| Macrovision_DM"; nocase; http_header; reference:url,www.browserdefender.com/site/trymedia.com; reference:url,www.threatexpert.com/reports.aspx?find=Adware.Trymedia; reference:url,doc.emergingthreats.net/2009091; classtype:pup-activity; sid:2009091; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Athena Web Registration Remote Command Execution Attempt"; flow: to_server,established; content:"/athenareg.php?pass= |3b|"; nocase; http_uri; reference:cve,CAN-2004-1782; reference:bugtraq,9349; reference:url,doc.emergingthreats.net/2001949; classtype:web-application-attack; sid:2001949; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP /jk/exp.wmf Exploit Code Load Attempt"; flow:to_server,established; content:"/jk/exp.wmf"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002999; classtype:pup-activity; sid:2002999; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Malicious TDS /indigo?"; flow:to_server,established; content:"/indigo?"; http_uri; pcre:"/\/indigo\?\d+/U"; classtype:exploit-kit; sid:2014539; rev:2; metadata:created_at 2012_04_11, updated_at 2012_04_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PopupSh.ocx Access Attempt"; flow:to_server,established; content:"/PopupSh.ocx"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003000; classtype:pup-activity; sid:2003000; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Farfli User Agent Detected"; flow:established,to_server; content:"/rpt"; http_uri; fast_pattern; content:"User-Agent|3a| "; http_header; content:!"User-Agent|3a| Mozilla"; http_header; pcre:"/^User-Agent\x3a [a-z0-9]{92}/Hmi"; reference:url,doc.emergingthreats.net/2007646; classtype:trojan-activity; sid:2007646; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sidelinker.com-Upspider.com Spyware Count"; flow:established,to_server; content:"/Pro/cnt.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; content:"&pid="; nocase; http_uri; pcre:"/\/Pro\/cnt\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d+/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008158; classtype:pup-activity; sid:2008158; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Tivoli Provisioning Manager Express Isig.isigCtl.1 ActiveX RunAndUploadFile Method Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"84B74E82-3475-420E-9949-773B4FB91771"; nocase; distance:0; content:"RunAndUploadFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111680/IBM-Tivoli-Provisioning-Manager-Express-Overflow.html; classtype:attempted-user; sid:2014550; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP V-Clean.com Fake AV Checkin"; flow:established,to_server; content:"/bill_mod/bill_count.php?C_FLAG="; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 5.5|3b| Windows 98)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008180; classtype:pup-activity; sid:2008180; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Tivoli Provisioning Manager Express Isig.isigCtl.1 ActiveX RunAndUploadFile Method Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Isig.isigCtl.1"; nocase; distance:0; content:"RunAndUploadFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111680/IBM-Tivoli-Provisioning-Manager-Express-Overflow.html; classtype:attempted-user; sid:2014551; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP VPP Technologies Spyware"; flow:established,to_server; content:"/DittoIA.jsh?pid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002348; classtype:pup-activity; sid:2002348; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Dell IT Assistant detectIESettingsForITA.ocx ActiveX Control readRegVal Remote Registry Dump Vulnerability"; flow:to_client,established; content:"CLSID"; nocase; content:"6286EF1A-B56E-48EF-90C3-743410657F3C"; nocase; distance:0; content:"readRegVal"; nocase; distance:0; reference:url,exploit-db.com/exploits/17557/; classtype:attempted-user; sid:2014552; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP VPP Technologies Spyware Reporting URL"; flow:established,to_server; content:"/js.vppimage?key="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002350; classtype:pup-activity; sid:2002350; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Dell IT Assistant detectIESettingsForITA.ocx ActiveX Control readRegVal Remote Registry Dump Vulnerability 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"DETECTIESETTINGS.detectIESettingsCtrl.1"; nocase; distance:0; content:"readRegVal"; nocase; distance:0; reference:url,exploit-db.com/exploits/17557/; classtype:attempted-user; sid:2014553; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Virtumonde Spyware siae3123.exe GET"; flow: to_server,established; content:"siae3123.exe"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000306; classtype:trojan-activity; sid:2000306; rev:29; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Krunchy/BZub HTTP Checkin/Update"; flow:established,to_server; content:".php?action="; http_uri; content:"&guid="; http_uri; content:"GET"; nocase; http_method; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007775; classtype:trojan-activity; sid:2007775; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Virtumonde Spyware Information Post"; flow: to_server,established; content:"POST"; nocase; http_method; content:"e_g_StatisticsUploadDelay"; nocase; content:"g_AffiliateID"; nocase; content:"virtumonde.com"; http_header; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000308; classtype:trojan-activity; sid:2000308; rev:24; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Password Stealer Reporting - ?a=%NN&b="; flow:to_server,established; content:"POST"; nocase; http_method; content:"a=%"; http_raw_uri; content:"&b="; http_uri; pcre:"/a=\%[0-9a-fA-F]{2}\&b/Ii"; reference:url,doc.emergingthreats.net/2009082; classtype:trojan-activity; sid:2009082; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Virtumonde Spyware Code Download mmdom.exe"; flow: to_server,established; content:"/mmdom.exe"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001525; classtype:pup-activity; sid:2001525; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE Download With Content Type Specified As Empty"; flow:established,to_client; content:"Content-Type|3A 20 0D 0A|"; content:"|0d 0a 0d 0a|"; distance:0; content:"MZ"; within:2; isdataat:80,relative; content:"This program "; distance:0; content:"PE|00|"; distance:0; reference:md5,d51218653323e48672023806f6ace26b; classtype:trojan-activity; sid:2014567; rev:5; metadata:created_at 2012_04_16, updated_at 2012_04_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Virtumonde Spyware Code Download bkinst.exe"; flow: to_server,established; content:"/bkinst.exe"; nocase; http_uri; content:"virtumonde.com"; http_header; reference:url,www.lurhq.com/iframeads.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001526; classtype:pup-activity; sid:2001526; rev:23; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Edraw Diagram Component 5 ActiveX LicenseName Access Potential buffer overflow DOS"; flow:to_client,established; content:"CLSID"; nocase; content:"6116A7EC-B914-4CCE-B186-66E0EE7067CF"; nocase; distance:0; content:"LicenseName"; nocase; distance:0; reference:url,exploit-db.com/exploits/18461/; classtype:attempted-user; sid:2014585; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vombanetworks.com Spyware Installer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/scripts/get_cookie.php"; nocase; http_uri; content:"vomba="; http_client_body; depth:6; content:"&ff="; content:"&vombashots="; content:"&vombashots_ff="; content:"&hwd="; content:"&ver="; content:"&vinfo=Windows"; reference:url,doc.emergingthreats.net/bin/view/Main/2007870; classtype:pup-activity; sid:2007870; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Edraw Diagram Component 5 ActiveX LicenseName Access Potential buffer overflow DOS 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"EDBoardLib.EDBoard"; nocase; distance:0; content:"LicenseName"; nocase; distance:0; reference:url,exploit-db.com/exploits/18461/; classtype:attempted-user; sid:2014586; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Weatherbug"; flow: to_server,established; content:"WxAlertIsapi"; nocase; http_uri; threshold: type limit, track by_src, count 1, seconds 3600; reference:url,doc.emergingthreats.net/bin/view/Main/2001235; classtype:misc-activity; sid:2001235; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Quest vWorkspace Broker Client ActiveX Control SaveMiniLaunchFile Remote File Creation/Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"D9397163-A2DB-4A4A-B2C9-34E876AF2DFC"; nocase; distance:0; content:"SaveMiniLaunchFile("; nocase; distance:0; reference:url,exploit-db.com/exploits/18704/; classtype:attempted-user; sid:2014587; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Weatherbug Wxbug Capture"; flow: to_server,established; content:"GET"; nocase; http_method; content:"Host|3a|"; nocase; http_header; content:"wxbug.com"; nocase; http_header; threshold: type limit, track by_src, count 1, seconds 3600; reference:url,doc.emergingthreats.net/bin/view/Main/2002364; classtype:misc-activity; sid:2002364; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest vWorkspace Broker Client ActiveX Control SaveMiniLaunchFile Remote File Creation/Overwrite 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"PNLLM.Client.1"; nocase; distance:0; content:"SaveMiniLaunchFile("; nocase; distance:0; reference:url,exploit-db.com/exploits/18704/; classtype:attempted-user; sid:2014588; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Weatherbug Activity"; flow:established,to_server; content:"/WeatherWindow/WeatherWindow"; nocase; http_uri; content:"?rnd="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003420; classtype:trojan-activity; sid:2003420; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Oracle Hyperion Financial Management TList6 ActiveX Control Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"65996200-3B87-11D4-A21F-00E029189826"; nocase; distance:0; content:".SaveData("; nocase; distance:0; reference:url,securityfocus.com/archive/1/520353; classtype:attempted-user; sid:2014593; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Weatherbug Design60 Upload Activity"; flow:established,to_server; content:"/GetDesign60.aspx?Magic="; nocase; http_uri; content:"?ZipCode="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003421; classtype:trojan-activity; sid:2003421; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Oracle Hyperion Financial Management TList6 ActiveX Control Remote Code Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TList.TList.6"; fast_pattern; nocase; distance:0; content:".SaveData("; nocase; distance:0; reference:url,securityfocus.com/archive/1/520353; classtype:attempted-user; sid:2014594; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Weatherbug Command Activity"; flow:established,to_server; content:"/connection/connectionv"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003422; classtype:trojan-activity; sid:2003422; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Winwebsec.B Checkin"; flow:established,to_server; content:"/temp1.jpg"; http_uri; content:"User-Agent|3a 20|HTTP Client|0d 0a|"; http_header; reference:md5,9c9109cea5845272d6abd1b5523c8de7; classtype:command-and-control; sid:2014578; rev:3; metadata:created_at 2012_04_16, former_category MALWARE, updated_at 2012_04_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Weatherbug Vista Gadget Activity"; flow:established,to_server; content:"/Command/VistaGadget_v"; nocase; http_uri; content:"UserId="; nocase; http_uri; content:"&AppVersion="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003534; classtype:trojan-activity; sid:2003534; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of /Subtype"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"/"; distance:0; content:!"Subtype"; within:7; content:"#"; within:19; pcre:"/\x2F(?!Subtype)(S|#53)(u|#75)(b|#62)(t|#74)(y|#79)(p|#70)(e|#65)/"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011528; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_22, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Webbuying.net Spyware Installing"; flow:established,to_server; content:"/inst.php?"; nocase; http_uri; content:"d="; nocase; http_uri; content:"&cl="; nocase; http_uri; content:"&l="; nocase; http_uri; content:"&e="; nocase; http_uri; content:"&v=wbi_v"; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&win="; nocase; http_uri; content:"&un=0"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003442; classtype:pup-activity; sid:2003442; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of Action"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"/"; distance:0; content:!"Action"; within:6; content:"#"; within:16; pcre:"/\x2F(?!Action)(A|#41)(c|#63)(t|#74)(i|#69)(o|#6F)(n|#6E)/"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011529; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Webhancer Agent Activity"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:"webhancer.com"; nocase; http_header; within:32; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001678; classtype:pup-activity; sid:2001678; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of Pages"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"/"; distance:0; content:!"Pages"; within:5; content:"#"; within:13; pcre:"/\x2F(?!Pages)(P|#40)(a|#61)(g|#67)(e|#65)(s|#73)/"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011536; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Websearch.com Outbound Dialer Retrieval"; flow: to_server,established; content:"/1/rdgUS10.exe"; nocase; http_uri; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2001517; classtype:pup-activity; sid:2001517; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible PDF Launch Function Remote Code Execution Attempt with Name Representation Obfuscation"; flow:to_client,established; content:"|0d 0a 0d 0a|PDF-"; content:"/"; distance:0; content:!"Launch"; within:6; content:"#"; within:16; content:".exe"; nocase; distance:0; pcre:"/\x2F(?!Launch)(L|#4C)(a|#61)(u|#75)(n#6E)(c|#63)(h|#68).+\x2F(W|#57)(i|#69)(n|#6E).+\x2Eexe/sm"; reference:url,www.kb.cert.org/vuls/id/570177; reference:url,www.h-online.com/security/news/item/Criminals-attempt-to-exploit-unpatched-hole-in-Adobe-Reader-979286.html; reference:url,www.sudosecure.net/archives/673; reference:url,www.h-online.com/security/news/item/Adobe-issues-official-workaround-for-PDF-vulnerability-971932.html; reference:url,blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/; reference:url,www.m86security.com/labs/i/PDF-Launch-Feature-Used-to-Install-Zeus,trace.1301~.asp; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011329; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Weird on the Web /180 Solutions Checkin"; flow: to_server,established; content:"/notifier/config.ini?v="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002036; classtype:pup-activity; sid:2002036; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unkown exploit kit version check"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x="; http_uri; content:"&u="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; content:"&java"; http_uri; fast_pattern; content:"&pdf="; http_uri; content:"&flash="; content:"&qt="; http_uri; classtype:exploit-kit; sid:2014569; rev:5; metadata:created_at 2012_04_16, former_category EXPLOIT_KIT, updated_at 2012_04_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com WhenUSave Data Retrieval (Searchdb)"; flow: to_server,established; content:"/SearchDB?update="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000919; classtype:pup-activity; sid:2000919; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Potential Malicious PDF (EmbeddedFiles) improper case"; flow:from_server,established; content:"|0d 0a 0d 0a|%PDF"; content:"/EmbeddedFiles"; within:128; nocase; content:!"/EmbeddedFiles"; distance:-14; within:14; reference:url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/; classtype:trojan-activity; sid:2014575; rev:4; metadata:created_at 2012_04_16, updated_at 2012_04_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent Agent Installation"; flow: to_server,established; content:"/Recovery/Checkin.aspx?version"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001307; classtype:pup-activity; sid:2001307; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (hell.php)"; flow:established,to_server; content:"/hell.php"; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014615; rev:3; metadata:created_at 2012_04_18, updated_at 2012_04_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent Agent Checking In"; flow: to_server,established; content:"/CDADeliveries/Checkin.aspx"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001309; classtype:pup-activity; sid:2001309; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee SaaS MyCioScan ShowReport Method Call Remote Command Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"209EBDEE-065C-11D4-A6B8-00C04F0D38B7"; nocase; distance:0; content:"ShowReport"; nocase; distance:0; reference:url,packetstormsecurity.org/files/108767/McAfee-SaaS-MyCioScan-ShowReport-Remote-Command-Execution.html; classtype:attempted-user; sid:2014619; rev:2; metadata:created_at 2012_04_20, updated_at 2012_04_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent Agent Traffic"; flow: to_server,established; content:"/CDAFiles/DP/SysConfig"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001310; classtype:pup-activity; sid:2001310; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee SaaS MyCioScan ShowReport Method Call Remote Command Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MYCIOSCNLib.Scan"; nocase; distance:0; content:"ShowReport"; nocase; distance:0; reference:url,packetstormsecurity.org/files/108767/McAfee-SaaS-MyCioScan-ShowReport-Remote-Command-Execution.html; classtype:attempted-user; sid:2014620; rev:2; metadata:created_at 2012_04_20, updated_at 2012_04_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent Agent"; flow: to_server,established; content:"/CDAFiles/"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001314; classtype:pup-activity; sid:2001314; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Cisco 4200 Wireless Lan Controller Long Authorisation Denial of Service Attempt"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/screens/frameset.html"; fast_pattern; http_uri; nocase; content:"Authorization|3A 20|Basic"; nocase; content:!"|0a|"; distance:2; within:118; isdataat:120,relative; pcre:"/^Authorization\x3A Basic.{120}/Hmi"; reference:url,www.securityfocus.com/bid/35805; reference:url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml; reference:cve,2009-1164; reference:url,doc.emergingthreats.net/2010674; classtype:attempted-dos; sid:2010674; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent New Install"; flow: to_server,established; content:"/NewUser/Checkin.aspx"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001322; classtype:pup-activity; sid:2001322; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32 Jadtre/Wapomi/Nimnul/Viking.AY ICMP ping"; icode:0; itype:8; dsize:36; content:"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"; classtype:trojan-activity; sid:2014595; rev:4; metadata:created_at 2012_04_16, updated_at 2012_04_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent Install"; flow: to_server,established; content:"/updatestats/AI_Euro.exe"; nocase; http_uri; reference:mcafee,122249; reference:url,doc.emergingthreats.net/bin/view/Main/2002008; classtype:pup-activity; sid:2002008; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Es11 Keepalive to CnC"; flow:established,to_server; content:"|89 e7 52 d4 68 64 a7 73 bd 7e 3f 5c f7 99 3a 2e|"; offset:16; depth:16; dsize:48; reference:md5,4a17e9bd99f496c518ddfaaef93384b0; classtype:command-and-control; sid:2014630; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_20, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Windupdates.com Spyware Install"; flow: established,to_server; content:"/cab/CDTInc/ie/"; nocase; http_uri; content:".cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001700; classtype:pup-activity; sid:2001700; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Customer List"; flow:to_server,established; pcre:"/\Wcustomer\slist(s)?\W/ism"; reference:url,doc.emergingthreats.net/2002655; classtype:policy-violation; sid:2002655; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Windupdates.com Spyware Loggin Data"; flow: established,to_server; content:"/logging.php?p="; nocase; http_uri; content:"Host|3a| public.windupdates.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001701; classtype:pup-activity; sid:2001701; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Transaction History"; flow:to_server,established; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/2002654; classtype:policy-violation; sid:2002654; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winfixmaster.com Fake Anti-Spyware Install"; flow: to_server,established; content:"/dispatcher.php?action="; nocase; http_uri; content:"Host|3a| www.winfix"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003543; classtype:pup-activity; sid:2003543; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Credit History"; flow:to_server,established; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/2002653; classtype:policy-violation; sid:2002653; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winferno Registry Fix Spyware Download"; flow: to_server,established; content:"/freeze_rpc6bundle_us/REGISTRYFIXDLL.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003353; classtype:pup-activity; sid:2003353; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Annual Income"; flow:to_server,established; pcre:"/\Wannual\sincome(s)?\W/ism"; reference:url,doc.emergingthreats.net/2002652; classtype:policy-violation; sid:2002652; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winxdefender.com Fake AV Package Post Install Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/checkupdate.php"; nocase; http_uri; content:"User-Agent|3a| Opera"; http_header; content:"Computer ID|3a| "; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008197; classtype:pup-activity; sid:2008197; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Payment History"; flow:to_server,established; pcre:"/\Wpayment\shistory\W/ism"; reference:url,doc.emergingthreats.net/2002651; classtype:policy-violation; sid:2002651; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (1)"; flow: to_server,established; content:"/fa/evil.html"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001461; classtype:pup-activity; sid:2001461; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Account Balance"; flow:to_server,established; pcre:"/\Waccount\sbalance(s)?\W/ism"; reference:url,doc.emergingthreats.net/2002650; classtype:policy-violation; sid:2002650; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs Occuring"; flow: to_server,established; content:"/fa/?d=get"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001462; classtype:pup-activity; sid:2001462; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Appraisal"; flow:to_server,established; pcre:"/\Wappraisal(s)?\W/ism"; reference:url,doc.emergingthreats.net/2002649; classtype:policy-violation; sid:2002649; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (2)"; flow: to_server,established; content:"src=http|3a|//xpire.info/i.exe"; nocase; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2001463; classtype:pup-activity; sid:2001463; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Password"; flow:to_server,established; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; reference:url,doc.emergingthreats.net/2002648; classtype:policy-violation; sid:2002648; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (3)"; flow: to_server,established; content:"/i.exe"; nocase; http_uri; content:"xpire.info"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001464; classtype:pup-activity; sid:2001464; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Credit Card, JCB"; flow:to_server,established; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; reference:url,doc.emergingthreats.net/2002642; classtype:policy-violation; sid:2002642; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (4)"; flow: to_server,established; content:"/dl/adv121.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001466; classtype:pup-activity; sid:2001466; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - AMA CPT Code"; flow:to_server,established; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; reference:url,doc.emergingthreats.net/2002640; classtype:policy-violation; sid:2002640; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (5)"; flow: to_server,established; content:"/dl/adv121/x.chm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001467; classtype:pup-activity; sid:2001467; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - DSM-IV Code"; flow:to_server,established; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2}?)|(v[167][0-9]\.[0-9]{1,2})))/ism"; reference:url,doc.emergingthreats.net/2002639; classtype:policy-violation; sid:2002639; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs CHM Exploit"; flow: to_server,established; content:"/fa/ied_s7m.chm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001468; classtype:pup-activity; sid:2001468; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - ADA Procedure Code"; flow:to_server,established; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; reference:url,doc.emergingthreats.net/2002638; classtype:policy-violation; sid:2002638; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (6)"; flow: to_server,established; content:"/fa/x.chm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001469; classtype:pup-activity; sid:2001469; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - FDA NDC Code"; flow:to_server,established; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; reference:url,doc.emergingthreats.net/2002637; classtype:policy-violation; sid:2002637; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (7)"; flow: to_server,established; content:"/fa/xpl3.htm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001470; classtype:pup-activity; sid:2001470; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - ICD-10 Code"; flow:to_server,established; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; reference:url,doc.emergingthreats.net/2002636; classtype:policy-violation; sid:2002636; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Spyware Exploit"; flow: to_server,established; content:"/2DimensionOfExploitsEnc.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001471; classtype:pup-activity; sid:2001471; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - HCPCS Code"; flow:to_server,established; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; reference:url,doc.emergingthreats.net/2002635; classtype:policy-violation; sid:2002635; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Install Report"; flow: to_server,established; content:"counter.htm"; nocase; pcre:"//user\d+/counter\.htm/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2001541; classtype:pup-activity; sid:2001541; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Date of Birth"; flow:to_server,established; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; reference:url,doc.emergingthreats.net/2002634; classtype:policy-violation; sid:2002634; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Yesadvertising Banking Spyware RETRIEVE"; flow: to_server,established; content:"/img1big.gif"; nocase; http_uri; reference:url,isc.sans.org/presentations/banking_malware.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000336; classtype:trojan-activity; sid:2000336; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Internal Use Only"; flow:to_server,established; pcre:"/\Winternal\suse\sonly\W/ism"; reference:url,doc.emergingthreats.net/2002633; classtype:policy-violation; sid:2002633; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Yesadvertising Banking Spyware INFORMATION SUBMIT"; flow: to_server,established; content:"/cgi-bin/yes.pl"; nocase; http_uri; reference:url,isc.sans.org/presentations/banking_malware.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000337; classtype:trojan-activity; sid:2000337; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Law Enorcement Sensitive"; flow:to_server,established; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; reference:url,doc.emergingthreats.net/2002632; classtype:policy-violation; sid:2002632; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Yourscreen.com Spyware Download"; flow: to_server,established; content:"/data/yourscreen_data.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003354; classtype:pup-activity; sid:2003354; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Protected"; flow:to_server,established; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002631; classtype:policy-violation; sid:2002631; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zenotecnico Adware"; flow: to_server,established; content:"/cl/clientdump"; http_uri; content:"zenotecnico"; nocase; http_header; reference:url,www.zenotecnico.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001947; classtype:pup-activity; sid:2001947; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Proprietary"; flow:to_server,established; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002630; classtype:policy-violation; sid:2002630; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Supergames.aavalue.com Spyware"; flow: established,to_server; content:"/toolbars/msg/msg_serverside.xml"; nocase; http_uri; content:"aavalue.com"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189; reference:url,doc.emergingthreats.net/bin/view/Main/2003525; classtype:pup-activity; sid:2003525; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Sensitive"; flow:to_server,established; pcre:"/(?<!law\senforcement)\Wsensitive\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002629; classtype:policy-violation; sid:2002629; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP adservs.com Spyware"; flow: to_server,established; content:"/binaries/relevance.dat"; http_uri; content:"adservs"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002740; classtype:pup-activity; sid:2002740; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Sealed"; flow:to_server,established; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002628; classtype:policy-violation; sid:2002628; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iframebiz - sploit.anr"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/sploit.anr"; nocase; http_uri; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002708; classtype:pup-activity; sid:2002708; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Top Secret"; flow:to_server,established; pcre:"/(?<!//)\Wtop\ssecret[^\w/a]/ism"; reference:url,doc.emergingthreats.net/2002627; classtype:policy-violation; sid:2002627; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iframebiz - loaderadv***.jar"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/loaderadv"; nocase; http_uri; pcre:"/loaderadv\d+\.jar/Ui"; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002709; classtype:pup-activity; sid:2002709; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Confidential"; flow:to_server,established; pcre:"/(?<!//)\Wconfidential[^\w/]/ism"; reference:url,doc.emergingthreats.net/2002625; classtype:policy-violation; sid:2002625; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iframebiz - /qwertyuiyw12ertyuytre/adv***.php"; flow:established,to_server; content:"/qwertyuiyw12ertyuytre"; nocase; http_uri; reference:url,iframecash.biz; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.QC&VSect=T; reference:url,doc.emergingthreats.net/bin/view/Main/2008681; classtype:pup-activity; sid:2008681; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Restricted"; flow:to_server,established; pcre:"/(?<!//)\Wrestricted[^\w/]/ism"; reference:url,doc.emergingthreats.net/2002624; classtype:policy-violation; sid:2002624; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP K8l.info Spyware Activity"; flow: to_server,established; content:"/media/servlet/view/dynamic/url/zone?"; nocase; http_uri; content:"zid="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&DHWidth="; nocase; http_uri; content:"&DHHeight="; nocase; http_uri; content:"Ref="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003451; classtype:pup-activity; sid:2003451; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Private"; flow:to_server,established; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002623; classtype:policy-violation; sid:2002623; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Suggestion)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"User-Agent|3a| Suggestion|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011229; classtype:pup-activity; sid:2011229; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Non-US Restricted Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002410; classtype:policy-violation; sid:2002410; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP HTML.Psyme.Gen Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/channel/channelCode.htm?"; nocase; http_uri; content:"pid="; nocase; http_uri; reference:md5,de1adb1df396863e7e3967271e7db734; classtype:pup-activity; sid:2011856; rev:3; metadata:created_at 2010_10_26, former_category ADWARE_PUP, updated_at 2010_10_26;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Non-US Confidential Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002411; classtype:policy-violation; sid:2002411; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.0"; flow:established,to_server; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; content:"Host|3a 20|"; content:!"Referer|3a 20|"; http_header; content:".php?"; nocase; http_uri; classtype:pup-activity; sid:2011938; rev:5; metadata:created_at 2010_11_20, former_category ADWARE_PUP, updated_at 2010_11_20;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Non-US Top Secret Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002412; classtype:policy-violation; sid:2002412; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.1"; flow:established,to_server; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; content:"Host|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:".php?"; nocase; http_uri; content:!"Connection|3a| "; http_header; classtype:pup-activity; sid:2011939; rev:7; metadata:created_at 2010_11_20, former_category ADWARE_PUP, updated_at 2010_11_20;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Non-US Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+(?<!TOP\s)SECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002413; classtype:policy-violation; sid:2002413; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Suspicious Russian Content-Language Ru Which May Be Malware Related"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; http_header; fast_pattern:only; classtype:pup-activity; sid:2012228; rev:5; metadata:created_at 2011_01_25, former_category ADWARE_PUP, updated_at 2011_01_25;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Restricted"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002414; classtype:policy-violation; sid:2002414; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Suspicious Chinese Content-Language zh-cn Which May be Malware Related"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; http_header; fast_pattern:only; classtype:pup-activity; sid:2012229; rev:7; metadata:created_at 2011_01_25, former_category ADWARE_PUP, updated_at 2011_01_25;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Confidential Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002415; classtype:policy-violation; sid:2002415; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32-Adware.Hotclip.A Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/filetadak/app_check.php?"; nocase; http_uri; content:"kind="; nocase; http_uri; content:"pid=donkeys"; nocase; http_uri; reference:url,spydig.com/spyware-info/Win32-Adware-Hotclip-A.html; classtype:pup-activity; sid:2014069; rev:4; metadata:created_at 2012_01_02, former_category ADWARE_PUP, updated_at 2012_01_02;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Confidential"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002416; classtype:policy-violation; sid:2002416; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious ad_track.php file Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ad_track.php"; nocase; http_uri; content:"etekey="; nocase; http_uri; content:"track.ete.cn"; nocase; http_header; classtype:pup-activity; sid:2014183; rev:4; metadata:created_at 2012_02_06, former_category ADWARE_PUP, updated_at 2012_02_06;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO COSMIC Top Secret Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002417; classtype:policy-violation; sid:2002417; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Fake Antivirus Download Antivirus_21.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/download/Antivirus_"; http_uri; content:".exe"; http_uri; pcre:"/download\x2FAntivirus_\d+\x2Eexe/Ui"; reference:url,doc.emergingthreats.net/2010050; classtype:trojan-activity; sid:2010050; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Secret Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002418; classtype:policy-violation; sid:2002418; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely TDSS Download (codec.exe)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/codec.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010054; classtype:trojan-activity; sid:2010054; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002419; classtype:policy-violation; sid:2002419; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Fake Antivirus Download AntivirusPlus.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/AntivirusPlus"; http_uri; content:".exe"; http_uri; reference:url,doc.emergingthreats.net/2010062; classtype:trojan-activity; sid:2010062; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002420; classtype:policy-violation; sid:2002420; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Fake AV GET installer.1.exe"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/installer."; http_uri; nocase; content:".exe"; http_uri; nocase; pcre:"/\/installer\.\d+\.exe/Ui"; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010452; classtype:trojan-activity; sid:2010452; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002421; classtype:policy-violation; sid:2002421; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Fake AV GET installer_1.exe"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/installer_"; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/\/installer_\d+\.exe/Ui"; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010453; classtype:trojan-activity; sid:2010453; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.E Keepalive to CnC"; flow:established,to_server; dsize:>30; content:"|90 48 5c d5 ec 70 a3 8b 41 72 28 50 ec f6 d5 2a|"; offset:16; depth:16; reference:md5,fc414168a5b4ca074ea6e03f770659ef; classtype:command-and-control; sid:2013337; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_01, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Fake AV Download (download/install.php)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"download/install.php"; http_uri; pcre:"/\x0d\x0aHost\: [a-z\x2e]+(security|virus|pro|anti|scan|mypc|total|protect|check|guard|defend)/i"; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2009-December/004891.html; reference:url,malwareurl.com; reference:url,www.malwaredomainlist.com; reference:url,doc.emergingthreats.net/2010465; classtype:trojan-activity; sid:2010465; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002422; classtype:policy-violation; sid:2002422; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Fake Antivirus Download Setup_2012.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/Setup_"; nocase; http_uri; content:".exe"; nocase; pcre:"/Setup_20\d+\x2Eexe/Ui"; reference:url,doc.emergingthreats.net/xxxxxxx; classtype:trojan-activity; sid:2010684; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002423; classtype:policy-violation; sid:2002423; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Malware Download Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/images/GR_OLD_CR.EXE"; nocase; http_uri; reference:url,www.prevx.com/filenames/X22210989379038527-X1/GR_OLD_CR.EXE.html; reference:url,doc.emergingthreats.net/2011148; classtype:trojan-activity; sid:2011148; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002424; classtype:policy-violation; sid:2002424; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cutwail Redirection Page 1"; flow:established,from_server; content:"document.location="; depth:200; content:".php?"; within:100; pcre:"/\.php\?[^&]{1,8}=[a-f0-9]{16}[\x22\x27\x3b\x20\x0a\x0d]/"; classtype:bad-unknown; sid:2014378; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Unclassified COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002429; classtype:policy-violation; sid:2002429; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Downloader Possible AV KILLER"; flow:established,to_server; content:"GET"; nocase; http_method; content:"SoftName="; http_uri; nocase; content:"SoftVersion="; http_uri; nocase; content:"UserIP="; http_uri; nocase; content:"Mac="; http_uri; nocase; reference:url,doc.emergingthreats.net/2009487; classtype:trojan-activity; sid:2009487; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002430; classtype:policy-violation; sid:2002430; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AVKiller with Backdoor checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"id="; http_client_body; nocase; content:"&ip_int="; http_client_body; nocase; content:"&os="; http_client_body; nocase; content:"&av="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2009812; classtype:command-and-control; sid:2009812; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002431; classtype:policy-violation; sid:2002431; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Antispywareexpert.com Fake AS Install Checkin"; flow:established,to_server; content:"/?action="; http_uri; content:"&pc_id="; http_uri; content:"&abbr="; http_uri; content:"&a="; http_uri; content:"&l="; http_uri; content:"&addt"; reference:url,doc.emergingthreats.net/2008502; classtype:command-and-control; sid:2008502; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret CNWDI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002434; classtype:policy-violation; sid:2002434; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Antivirus2008 Fake AV Install Report"; flow:established,to_server; content:"?type=scanner&pin="; http_uri; content:"&lnd="; http_uri; reference:url,doc.emergingthreats.net/2008511; classtype:trojan-activity; sid:2008511; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret TK"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002436; classtype:policy-violation; sid:2002436; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Autorun.qvi Related HTTP Get on Off Port"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/get_r.php?fid="; http_uri; content:"&mac="; http_uri; within:15; content:"&version="; http_uri; distance:0; content:"&uuid="; http_uri; distance:0; reference:url,doc.emergingthreats.net/2008755; classtype:trojan-activity; sid:2008755; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US FGI"; flow:to_server,established; content:"Subject|3A|"; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002438; classtype:policy-violation; sid:2002438; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bandook iwebho/BBB-phish trojan leaking user data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Type|3a20|application/x-www-form-urlencoded|0d0a|Host|3a20|"; depth:55; http_header; content:"Content-Length|3a20|"; http_header; content:"VISITED_URL"; depth:100; http_client_body; reference:url,www.secureworks.com/research/threats/bbbphish; reference:url,doc.emergingthreats.net/2003937; classtype:trojan-activity; sid:2003937; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US FOUO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002439; classtype:policy-violation; sid:2002439; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.OPX HTTP Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"TIPO=CLIENTE&NOME="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2007901; classtype:command-and-control; sid:2007901; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002440; classtype:policy-violation; sid:2002440; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.ili HTTP Checkin"; flow:established,to_server; content:"/ctrl/cnt_boot.php?pgv="; http_uri; nocase; reference:url,doc.emergingthreats.net/2007940; classtype:command-and-control; sid:2007940; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002441; classtype:policy-violation; sid:2002441; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Trojan (General) HTTP Checkin"; flow:established,to_server; content:".php?PC="; http_uri; content:"&Data="; http_uri; content:"&Mac="; http_uri; reference:url,doc.emergingthreats.net/2007984; classtype:command-and-control; sid:2007984; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002443; classtype:policy-violation; sid:2002443; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.JU Related HTTP Post-infection Checkin"; flow:established,to_server; content:"/envio.php?"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"tipo="; http_client_body; reference:url,doc.emergingthreats.net/2008267; classtype:command-and-control; sid:2008267; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002444; classtype:policy-violation; sid:2002444; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Agent.zrm/Infostealer.Bancos Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"appdata="; http_uri; nocase; content:"hd="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"computador="; http_uri; nocase; reference:url,doc.emergingthreats.net/2008519; classtype:command-and-control; sid:2008519; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Unclassified PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002446; classtype:policy-violation; sid:2002446; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Generic Banker Trojan Downloader Config to client"; flow:established,to_client; content:"|0d 0a 0d 0a|[Controlinfo]"; nocase; content:"CntInfo="; within:9; nocase; content:"UseSepControl="; within:30; nocase; content:"Names="; within:20; reference:url,doc.emergingthreats.net/2009090; classtype:trojan-activity; sid:2009090; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002447; classtype:policy-violation; sid:2002447; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker/Bancos/Infostealer Possible Rootkit - HTTP HEAD Request"; flow:established,to_server; content:"HEAD"; http_method; nocase; content:".php?action="; http_uri; nocase; content:"&uid="; nocase; http_uri; content:"&locale="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&build="; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/Trojan.Banker/; reference:url,www.anti-spyware-101.com/remove-trojanbanker; reference:url,doc.emergingthreats.net/2009750; classtype:trojan-activity; sid:2009750; rev:6; metadata:created_at 2010_07_30, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002448; classtype:policy-violation; sid:2002448; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patcher/Bankpatch Module Download Request"; flow:established,to_server; content:"/dl/AcroIEHelpe"; nocase; http_uri; content:".dll"; http_uri; nocase; pcre:"/\/dl\/AcroIEHelpe(r)?(\d)?\.dll/U"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-081817-1808-99&tabid=2; reference:url,doc.emergingthreats.net/2009409; classtype:trojan-activity; sid:2009409; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002450; classtype:policy-violation; sid:2002450; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload HTTP Checkin Detected"; flow:established,to_server; content:"php?mac="; nocase; http_uri; content:"&hdd="; nocase; http_uri; content:"++++++++"; nocase; content:"&ver="; nocase; http_uri; content:"&ie="; http_uri; nocase; reference:url,doc.emergingthreats.net/2007864; classtype:command-and-control; sid:2007864; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002451; classtype:policy-violation; sid:2002451; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload HTTP Checkin Detected (quem=)"; flow:established,to_server; content:".php"; nocase; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"quem="; depth:5; http_client_body; content:"praquem="; http_client_body; fast_pattern; offset:5; nocase; reference:url,doc.emergingthreats.net/2008283; classtype:command-and-control; sid:2008283; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US SAMI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002453; classtype:policy-violation; sid:2002453; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BANLOAD Downloader GET Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"mac="; http_uri; content:"sys="; http_uri; content:"yp="; http_uri; content:"rand="; http_uri; nocase; pcre:"/mac=[0-9A-Fa-f]{12}&/Ui"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojbanloe.html; reference:url,doc.emergingthreats.net/2009453; classtype:command-and-control; sid:2009453; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002454; classtype:policy-violation; sid:2002454; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"c=voip&ord="; nocase; http_uri; content:"=&SCRNSZ"; http_uri; content:"&BRSRSZ="; http_uri; content:"&TIMEZONE="; http_uri; reference:url,doc.emergingthreats.net/2010266; classtype:command-and-control; sid:2010266; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002455; classtype:policy-violation; sid:2002455; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Urlzone/Bebloh Communication with Controller"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?type=slg&id="; http_uri; nocase; pcre:"/\?type=slg&id=[0-9A-Z]{18}/U"; reference:url,threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_BEBLOH.KO&VSect=Td; reference:url,doc.emergingthreats.net/2009351; classtype:trojan-activity; sid:2009351; rev:8; metadata:created_at 2010_07_30, former_category TROJAN, malware_family URLZone, tag Banking_Trojan, updated_at 2018_04_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret STOP"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002457; classtype:policy-violation; sid:2002457; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bredavi Configuration Update Response"; flow:established,from_server; content:"|0d 0a 0d 0a 21|new_config|0a|"; nocase; reference:url,doc.emergingthreats.net/2010790; classtype:trojan-activity; sid:2010790; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Private"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002458; classtype:policy-violation; sid:2002458; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bredolab Downloader Communicating With Controller (2)"; flow:established,to_server; content:"action="; nocase; http_uri; content:"&guid="; nocase; http_uri; content:"&rnd="; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&entity="; http_uri; nocase; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader%3aWin32/Bredolab.B; reference:url,doc.emergingthreats.net/2009354; classtype:trojan-activity; sid:2009354; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Restricted"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!//)\Wrestricted[^\w/]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002459; classtype:policy-violation; sid:2002459; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bredolab Check In"; flow:established,to_server; content:"GET"; nocase; http_method; content:"v="; http_uri; content:"&s="; http_uri; content:"&uid="; http_uri; content:"&p="; http_uri; content:"&q="; content:"User-Agent|3a 0d 0a|"; http_header; reference:url,www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/; reference:url,doc.emergingthreats.net/2009360; classtype:trojan-activity; sid:2009360; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Top Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!//)\Wtop\ssecret[^\w/a]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002462; classtype:policy-violation; sid:2002462; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Metafisher/Bzub/Cimuz/Tanspy Reporting User Activity"; flow:established,to_server; content:"ver="; nocase; http_uri; content:"&lg="; nocase; http_uri; content:"&phid="; nocase; http_uri; content:"&r="; http_uri; pcre:"/phid=[A-F0-9]{64}/Ui"; reference:url,doc.emergingthreats.net/2009349; classtype:trojan-activity; sid:2009349; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Sealed"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002463; classtype:policy-violation; sid:2002463; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cinmus.Checkin 1"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?version="; nocase; http_uri; content:"lversion="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"&fid="; nocase; http_uri; content:"&vpc="; nocase; http_uri; content:"&run="; nocase; http_uri; content:"&from="; http_uri; reference:url,doc.emergingthreats.net/2008623; classtype:command-and-control; sid:2008623; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Sensitive"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!law\senforcement)\Wsensitive\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002464; classtype:policy-violation; sid:2002464; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cinmus.Checkin 2"; flow:to_server,established; content:"GET"; http_method; nocase; content:"?fid="; nocase; http_uri; content:"&kid="; nocase; http_uri; content:"&cnt="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"&kw="; nocase; http_uri; content:"&from="; http_uri; reference:url,doc.emergingthreats.net/2008624; classtype:command-and-control; sid:2008624; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Proprietary"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002465; classtype:policy-violation; sid:2002465; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citi-bank.ru Related Trojan Checkin"; flow:established,to_server; content:".php?hid=NT"; nocase; http_uri; content:"&wp="; nocase; http_uri; content:"&sp="; nocase; http_uri; content:"&eep="; nocase; http_uri; content:"&edp="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008153; classtype:command-and-control; sid:2008153; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Protected"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002466; classtype:policy-violation; sid:2002466; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Conficker/MS08-067 Worm Traffic Outbound"; flowbits:isset,ET.ms08067_header; flow:established,to_server; content:"If-None-Match|3A| |22|60794|2D|12b3|2D|e4169440|22|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008739; classtype:trojan-activity; sid:2008739; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Law Enorcement Sensitive"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002467; classtype:policy-violation; sid:2002467; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoreFlooder.Q C&C Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/a?"; nocase; http_uri; content:"wg="; http_client_body; nocase; content:"&cn="; http_client_body; nocase; content:"&i="; http_client_body; nocase; content:"&panic="; http_client_body; nocase; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCOREFLOOD%2EQ; reference:url,doc.emergingthreats.net/2008353; classtype:command-and-control; sid:2008353; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Internal Use Only"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Winternal\suse\sonly\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002468; classtype:policy-violation; sid:2002468; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxy.Corpes.j Infection Report"; flow:established,to_server; content:".php?tma="; http_uri; content:"&mode="; http_uri; pcre:"/mode=\d+D[0-9A-F]{150}/U"; reference:url,doc.emergingthreats.net/2008144; classtype:trojan-activity; sid:2008144; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Date of Birth"; flow:to_server,established; content:"Subject|3A|"; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002469; classtype:policy-violation; sid:2002469; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cosmu Process Dump Report"; flow:established,to_server; content:"] Dumping processes {|0d 0a|"; reference:url,doc.emergingthreats.net/2011234; classtype:trojan-activity; sid:2011234; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP HCPCS Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002470; classtype:policy-violation; sid:2002470; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Crypt.CFI.Gen Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3a| BIE|0d 0a|"; http_header; content:"cname="; http_client_body; reference:url,doc.emergingthreats.net/2009204; classtype:command-and-control; sid:2009204; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP ICD-10 Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002471; classtype:policy-violation; sid:2002471; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DNS Changer HTTP Post Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"x="; http_client_body; content:!"User-Agent|3a| "; http_header; pcre:"/^x=[0-9a-zA-Z]{50}/P"; reference:url,doc.emergingthreats.net/2008263; classtype:command-and-control; sid:2008263; rev:13; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP FDA NDC Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002472; classtype:policy-violation; sid:2002472; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DNSChanger.AT or related Infection Checkin Post"; flow:established,to_server; content:"POST /cgi-bin/generator HTTP/1.0|0d 0a|Content-Length|3a| "; depth:50; content:"|0d 0a 0d 0a|"; within:10; reference:url,doc.emergingthreats.net/2008940; classtype:command-and-control; sid:2008940; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP ADA Procedure Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002473; classtype:policy-violation; sid:2002473; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Daonol C&C Communication"; flow:established,to_server; content:"/x/?0"; http_uri; nocase; content:"|0d 0a|SS|3a|"; nocase; content:"|0d 0a|Xost|3a|"; nocase; pcre:"/\/x\/\?0\w{35}$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaonol; reference:url,blog.fireeye.com/research/2009/10/gumblar-not-gumby.html; reference:url,www.iss.net/threats/gumblar.html; reference:url,blog.scansafe.com/journal/2009/10/15/gumblar-website-botnet-awakes.html; reference:url,doc.emergingthreats.net/2010164; classtype:command-and-control; sid:2010164; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP DSM-IV Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2}?)|(v[167][0-9]\.[0-9]{1,2})))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002474; classtype:policy-violation; sid:2002474; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (Varlok_11000)"; flow:established,to_server; content:"User-Agent|3a| Varlok_"; http_header; nocase; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2003931; classtype:trojan-activity; sid:2003931; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2017_10_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP AMA CPT Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002475; classtype:policy-violation; sid:2002475; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf HTTP Checkin (1)"; flow:established,to_server; content:"/mydown.asp?"; nocase; http_uri; content:"reg="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&tgid="; nocase; http_uri; content:"&address="; nocase; http_uri; content:"&mydo="; nocase; http_uri; content:"&flag="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007838; classtype:command-and-control; sid:2007838; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Credit Card, JCB"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002477; classtype:policy-violation; sid:2002477; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Download via HTTP"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/mdfexcute/"; http_uri; content:"Windows 98)"; http_header; reference:url,doc.emergingthreats.net/2007911; classtype:trojan-activity; sid:2007911; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Password"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002483; classtype:policy-violation; sid:2002483; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Checkin via HTTP (up)"; flow:established,to_server; content:"/up.html?"; nocase; http_uri; content:"set="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&MAC="; http_uri; nocase; reference:url,doc.emergingthreats.net/2007939; classtype:command-and-control; sid:2007939; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Appraisal"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wappraisal(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002484; classtype:policy-violation; sid:2002484; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Checkin via HTTP (6)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?v="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&=w"; http_uri; nocase; reference:url,doc.emergingthreats.net/2008071; classtype:command-and-control; sid:2008071; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Account Balance"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Waccount\sbalance(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002485; classtype:policy-violation; sid:2002485; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Checkin via HTTP (7)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?macros="; nocase; http_uri; content:"&botstatus="; http_uri; nocase; reference:url,doc.emergingthreats.net/2008090; classtype:command-and-control; sid:2008090; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Payment History"; flow:to_server,established; content:"Subject|3A|"; content:"payment history"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002486; classtype:policy-violation; sid:2002486; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Delf followon POST Data PUSH Packet"; flow:established,to_server; content:"tip="; depth:4; nocase; content:"&cli="; nocase; content:"&tipo="; nocase; reference:url,www.threatexpert.com/threats/trojan-downloader-win32-delf.html; reference:url,doc.emergingthreats.net/2009824; classtype:trojan-activity; sid:2009824; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Annual Income"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wannual\sincome(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002487; classtype:policy-violation; sid:2002487; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dialer"; flow: established,to_server; content:"/getnumtemp.asp?nip=0"; http_uri; nocase; reference:url,isc.sans.org/diary.php?storyid=1388; reference:url,doc.emergingthreats.net/2003083; classtype:trojan-activity; sid:2003083; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Credit History"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002488; classtype:policy-violation; sid:2002488; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Dialer.buv Sending Information Home"; flow:established,to_server; content:"/exit.php?if="; http_uri; nocase; content:"&cl="; content:"&id="; content:"&ov="; content:"&site="; content:"&tk="; reference:url,doc.emergingthreats.net/2008430; classtype:trojan-activity; sid:2008430; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Transaction History"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002489; classtype:policy-violation; sid:2002489; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dialer.Win32.E-Group.n Checkin"; flow:to_server,established; content:"login="; nocase; http_uri; content:"&brokerid="; nocase; http_uri; content:"&extlogin="; nocase; http_uri; content:"&autosize="; nocase; http_uri; content:"&icp="; nocase; http_uri; content:"&id_site="; nocase; http_uri; content:"&dl_tracker="; nocase; http_uri; content:"&connection_type="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008490; classtype:command-and-control; sid:2008490; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Customer List"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcustomer\slist(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002490; classtype:policy-violation; sid:2002490; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diazom Trojan User-Agent in Use (cv_v2.0.1)"; flow:established,to_server; content:"User-agent|3a| cv_v"; http_header; reference:url,ww.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-032316-0426-99&tabid=2; reference:url,doc.emergingthreats.net/2003598; classtype:trojan-activity; sid:2003598; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2017_10_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Non-US Restricted"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002495; classtype:policy-violation; sid:2002495; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE dlink router access attempt"; flow:established,to_server; content:"GET /dlink/hwiz.html HTTP/1.0|0d 0a 0d 0a|"; content:!"|0d 0a|Host|3a| "; reference:url,doc.emergingthreats.net/2008945; classtype:trojan-activity; sid:2008945; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Non-US Confidential"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002496; classtype:policy-violation; sid:2002496; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Dluca HTTP Checkin"; flow:established,to_server; content:"?id={"; nocase; http_uri; content:"&srv="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&docid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&cstate="; nocase; http_uri; content:"&state="; nocase; http_uri; content:"&flash="; nocase; http_uri; content:"&pin="; nocase; http_uri; content:"&OSInfo2="; nocase; content:"&cinfo="; nocase; http_uri; content:"&smd="; nocase; http_uri; content:"&rts="; nocase; http_uri; content:"&retryattempt="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007595; classtype:command-and-control; sid:2007595; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Non-US Top Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002497; classtype:policy-violation; sid:2002497; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clicker.BC User Agent Detected (linkrunner)"; flow:established,to_server; content:"User-Agent|3a| linkrunner"; nocase; http_header; reference:url,doc.emergingthreats.net/2003648; classtype:trojan-activity; sid:2003648; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Non-US Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+(?<!TOP\s)SECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002498; classtype:policy-violation; sid:2002498; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Agent.bwr CnC Beacon"; flow:established,to_server; content:"?m="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&hdd="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006377; classtype:command-and-control; sid:2006377; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2010_07_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Restricted"; flow:to_server,established; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002499; classtype:policy-violation; sid:2002499; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.26001 Url Pattern Detected"; flow:established,to_server; content:"install.php?"; nocase; http_uri; content:"wall_id="; nocase; http_uri; content:"&maddr=0"; nocase; http_uri; content:"&action="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006400; classtype:trojan-activity; sid:2006400; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Confidential Atomal"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002500; classtype:policy-violation; sid:2002500; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.26001 Url Pattern Detected (lunch_id)"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"aff_id="; nocase; http_uri; content:"lunch_id="; nocase; http_uri; content:"&maddr=0"; nocase; http_uri; reference:url,doc.emergingthreats.net/2006401; classtype:trojan-activity; sid:2006401; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Confidential"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002501; classtype:policy-violation; sid:2002501; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Downloader or Virut C&C Ack"; flow:established,to_server; content:"uid="; nocase; http_uri; content:"&version="; nocase; http_uri; content:"&actionname="; nocase; http_uri; content:"&action="; nocase; http_uri; content:"&success="; nocase; http_uri; content:"&debug="; nocase; http_uri; content:"&nocache="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007587; classtype:command-and-control; sid:2007587; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO COSMIC Top Secret Atomal"; flow:to_server,established; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002502; classtype:policy-violation; sid:2002502; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.49651 Checkin"; flow:established,to_server; content:"/boot.php/boot.php?"; nocase; http_uri; content:"partner="; nocase; http_uri; content:"&mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007952; classtype:command-and-control; sid:2007952; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Secret Atomal"; flow:to_server,established; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002503; classtype:policy-violation; sid:2002503; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.49651 Install Report"; flow:established,to_server; content:"/install.php?"; nocase; http_uri; content:"partner="; nocase; http_uri; content:"&mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007953; classtype:trojan-activity; sid:2007953; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Secret"; flow:to_server,established; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002504; classtype:policy-violation; sid:2002504; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.49651 Online Report"; flow:established,to_server; content:"/up.html?"; nocase; http_uri; content:"set="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"&mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007954; classtype:trojan-activity; sid:2007954; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002505; classtype:policy-violation; sid:2002505; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cygo Checkin"; flow:established,to_server; content:"/count.php?"; nocase; http_uri; content:"type="; nocase; http_uri; content:"partner="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"ver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007955; classtype:command-and-control; sid:2007955; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002506; classtype:policy-violation; sid:2002506; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.VB.CEJ HTTP Checkin"; flow:established,to_server; content:"/down"; http_uri; content:"/down/?"; http_uri; content:"s="; http_uri; content:"&t="; http_uri; content:"&v="; http_uri; pcre:"/\/down\d+\/down\/\?s=[A-F0-9]+\&t=\d+\/\d+\/20/U"; reference:url,doc.emergingthreats.net/2008087; classtype:command-and-control; sid:2008087; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002507; classtype:policy-violation; sid:2002507; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.Downloader.pgp Checkin"; flow:established,to_server; content:"?id="; http_uri; content:"&e="; http_uri; content:"&err="; http_uri;content:"&c="; http_uri; reference:url,doc.emergingthreats.net/2008492; classtype:trojan-activity; sid:2008492; rev:5; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_05_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential REL TO"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002508; classtype:policy-violation; sid:2002508; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Emo/Downloader.vr Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; content:"v="; http_uri; content:"&rs="; http_uri; content:"&n="; http_uri; content:"&uid="; http_uri; reference:url,doc.emergingthreats.net/2008546; reference:url,www.malwaredomainlist.com/mdl.php?search=emo+&colsearch=All&quantity=50; classtype:trojan-activity; sid:2008546; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret REL TO"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002509; classtype:policy-violation; sid:2002509; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Dropper User-Agent (XXXwww)"; flow:established,to_server; content:"User-Agent|3a| XXXwww"; http_header; classtype:trojan-activity; sid:2014387; rev:1; metadata:created_at 2012_03_16, updated_at 2012_03_16;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Unclassified COMSEC"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002514; classtype:policy-violation; sid:2002514; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Agent.cah Checkin Request"; flow:established,to_server; content:"?v="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&r1="; nocase; http_uri; content:"&tm=201"; nocase; http_uri; content:"&av="; nocase; http_uri; content:"&os=Windows"; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"cht="; http_uri; reference:url,doc.emergingthreats.net/2007644; classtype:command-and-control; sid:2007644; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential COMSEC"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002515; classtype:policy-violation; sid:2002515; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper.Win32.VB.on Keylog/System Info Report via HTTP"; flow:established,to_server; content:"post================================"; content:"=====|0d 0a|Resource Name "; distance:0; content:"|0d 0a|User Name/Value "; distance:0; content:"*************STEAM PASSWORDS**********"; distance:0; content:"Number of procesor|3a|"; distance:0; reference:url,doc.emergingthreats.net; classtype:trojan-activity; sid:2007987; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret COMSEC"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002516; classtype:policy-violation; sid:2002516; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper mdodo.com Related Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Mdodo"; http_header; reference:url,doc.emergingthreats.net/2008195; classtype:trojan-activity; sid:2008195; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret CNWDI"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002519; classtype:policy-violation; sid:2002519; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper 6dzone.com Related Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| 6dzone|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008196; classtype:trojan-activity; sid:2008196; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret TK"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002521; classtype:policy-violation; sid:2002521; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Duntek establishing remote connection"; flow:established,to_server; content:"rfe.php?"; nocase; http_uri; content:"cmp=dun_tekfirst"; nocase; http_uri; content:"guid="; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-102514-0554-99; reference:url,doc.emergingthreats.net/2003537; classtype:trojan-activity; sid:2003537; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US FGI"; flow:to_server,established; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002523; classtype:policy-violation; sid:2002523; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE E-Jihad 3.0 DDoS HTTP Activity OUTBOUND"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Attacker|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:denial-of-service; sid:2007686; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US FOUO"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002524; classtype:policy-violation; sid:2002524; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE E-Jihad 3.0 DDoS HTTP Activity INBOUND"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Attacker|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:denial-of-service; sid:2007687; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential NOFORN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002525; classtype:policy-violation; sid:2002525; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Egspy Install Report via HTTP"; flow:established,to_server; content:"/control.php?pcad="; nocase; http_uri; content:"&tarih="; nocase; http_uri; content:"&saat="; nocase; http_uri; content:"&veri="; http_uri; reference:url,doc.emergingthreats.net/2008136; classtype:trojan-activity; sid:2008136; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret NOFORN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002526; classtype:policy-violation; sid:2002526; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Eleonore Exploit Pack activity"; flow:established,to_server; content:"?spl="; http_uri; content:"&br="; http_uri; content:"&vers="; http_uri; content:"&s="; http_uri; pcre:"/\?spl=\d+&br=[A-Za-z]+&vers=\d\.\d&s=[a-z0-9]+[^&]$/U"; reference:url,www.offensivecomputing.net/?q=node/1419; reference:url,doc.emergingthreats.net/2010248; classtype:trojan-activity; sid:2010248; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential ORCON"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002704; classtype:policy-violation; sid:2002704; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Eleonore Exploit Pack activity variant May 2010"; flow:established,to_server; content:".php?spl="; http_uri; pcre:"/\?spl=MS[0-9]{2}-[0-9]{3}$/U"; reference:url,www.offensivecomputing.net/?q=node/1419; reference:url,doc.emergingthreats.net/2010248; classtype:trojan-activity; sid:2011128; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret ORCON"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002528; classtype:policy-violation; sid:2002528; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FSG Packed Binary via HTTP Inbound"; flow:from_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/2002773; classtype:trojan-activity; sid:2002773; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Unclassified PROPIN"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002530; classtype:policy-violation; sid:2002530; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rogue A/V Win32/FakeXPA GET Request"; flow:to_server,established; content:"?campaign="; http_uri; content:"&country="; http_uri; content:"&counter="; http_uri; content:"&campaign="; http_uri; content:"&landid="; http_uri; reference:url,doc.emergingthreats.net/2009209; classtype:trojan-activity; sid:2009209; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential PROPIN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002531; classtype:policy-violation; sid:2002531; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKE/ROGUE AV HTTP Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"mid="; content:"&wv="; content:"&r="; content:"&tp="; content:"&exe="; fast_pattern; content:"&ls="; content:"&uid="; reference:url,doc.emergingthreats.net/2009514; classtype:trojan-activity; sid:2009514; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret PROPIN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002532; classtype:policy-violation; sid:2002532; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKE/ROGUE AV Encoded data= HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http_header; content:"data=/CjEfcLas0KCj/"; http_client_body; nocase; reference:url,doc.emergingthreats.net/2009553; classtype:trojan-activity; sid:2009553; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential RD"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002534; classtype:policy-violation; sid:2002534; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake/Rogue AV Landing Page Encountered"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"land="; nocase; http_uri; content:"affid="; nocase; http_uri; pcre:"/\.php\?(land=\d+|affid=\d{5})&(land=\d+|affid=\d{5})$/Ui"; reference:url,en.wikipedia.org/wiki/Scareware; reference:url,doc.emergingthreats.net/2010347; classtype:trojan-activity; sid:2010347; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret RD"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002535; classtype:policy-violation; sid:2002535; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Fake-Rean Installer Activity (Malwareurl.com Top 30)"; flow:to_server; content:"|2F|installer|2F|Installer|2E|exe"; nocase; http_uri; pcre:"/[1-3]\x2Finstaller\x2FInstaller\x2Eexe/Ui"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojfakereane.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010221; classtype:trojan-activity; sid:2010221; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US SAMI"; flow:to_server,established; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002537; classtype:policy-violation; sid:2002537; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Feral Checkin via HTTP"; flow:established,to_server; content:"?ucid="; nocase; http_uri; content:"&wmid="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007286; classtype:trojan-activity; sid:2007286; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential SPECAT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002538; classtype:policy-violation; sid:2002538; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Win32.Flystud"; flow:to_server,established; content:"loading.html?fn="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&cid="; nocase; http_uri; content:"&pn="; nocase; http_uri; content:"&clientid="; nocase; http_uri; content:"channel="; nocase; http_uri; content:"&stn="; nocase; http_uri; reference:url,doc.emergingthreats.net/2011086; classtype:trojan-activity; sid:2011086; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret SPECAT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002539; classtype:policy-violation; sid:2002539; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fragus Exploit Kit Landing"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"hello="; nocase; http_uri; pcre:"/\.php\?(id=|pid=|hello=)\d+&(id=|pid=|hello=)\d+&(id=|pid=|hello=)\d+$/Ui"; reference:url,jsunpack.jeek.org/dec/go?report=d60344851322218108076f1ad8d21435de9d5b7c; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2011693; classtype:exploit-kit; sid:2011693; rev:5; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret STOP"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002541; classtype:policy-violation; sid:2002541; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fullspace.cc or Related Checkin (1)"; flow:established,to_server; content:"/config.php?ver="; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&action="; nocase; http_uri; content:"&ras="; nocase; http_uri; content:"&verfull="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008397; classtype:command-and-control; sid:2008397; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Private"; flow:to_server,established; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002542; classtype:policy-violation; sid:2002542; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS.Gamania Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"un="; http_client_body; content:"&pw="; http_client_body; content:"&sn="; http_client_body; content:"&l="; http_client_body; content:"&gd1="; http_client_body; content:"&pn="; http_client_body; reference:url,doc.emergingthreats.net/2008431; classtype:command-and-control; sid:2008431; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Restricted"; flow:to_server,established; pcre:"/(?<!//)\Wrestricted[^\w/]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002543; classtype:policy-violation; sid:2002543; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Gemini/Fake AV Download URL Detected"; flow:established,to_server; content:"/Layouts/Landings/CentralLandings/"; nocase; http_uri; content:"/images/"; nocase; http_uri; pcre:"/\x2FLayouts\x2FLandings\x2FCentralLandings\x2F\d+\x2Fimages\x2F/Ui"; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,doc.emergingthreats.net/2010450; classtype:trojan-activity; sid:2010450; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Confidential"; flow:to_server,established; pcre:"/(?<!//)\Wconfidential[^\w/]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002544; classtype:policy-violation; sid:2002544; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader Infostealer - GET Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| wget 3.0|0d 0a|"; nocase; http_header; content:"aid="; nocase; http_uri; content:"os="; nocase; http_uri; content:"uid="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009539; classtype:command-and-control; sid:2009539; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Top Secret"; flow:to_server,established; pcre:"/(?<!//)\Wtop\ssecret[^\w/a]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002546; classtype:policy-violation; sid:2002546; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Agent.QBY CnC Post"; flow:established,to_server; content:"cike.php?fid="; nocase; http_uri; content: "&cid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&tid="; nocase; http_uri; content:"&sn="; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?uid=4f05faef-6a70-4957-8990-b316d8487f63; reference:url,doc.emergingthreats.net/2010138; classtype:command-and-control; sid:2010138; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Sealed"; flow:to_server,established; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002547; classtype:policy-violation; sid:2002547; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Keylogger Infection Report via POST"; flow:established,to_server; content:"texto=|25 30 44 25 30 41 25 30 44 25 30 41|Computer"; content:"|25 30 44 25 30 41|IP|25 32 45 25 32 45 25 32 45 25 32 45 25 32 45|"; distance:0; reference:url,doc.emergingthreats.net/2008521; classtype:trojan-activity; sid:2008521; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Sensitive"; flow:to_server,established; pcre:"/(?<!law\senforcement)\Wsensitive\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002548; classtype:policy-violation; sid:2002548; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Spambot HTTP Checkin"; flow:established,to_server; content:"os="; http_uri; content:"&user="; http_uri; content:"&status="; http_uri; content:"&uptime="; http_uri; content:"&cmd="; http_uri; reference:url,doc.emergingthreats.net/2008261; classtype:command-and-control; sid:2008261; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Proprietary"; flow:to_server,established; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002549; classtype:policy-violation; sid:2002549; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unnamed Generic.Malware http get"; flow:established,to_server; content:"/ww20/script.php?id="; nocase; http_uri; content:"&config="; nocase; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2003431; classtype:trojan-activity; sid:2003431; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Protected"; flow:to_server,established; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002550; classtype:policy-violation; sid:2002550; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Trojan Checkin (double Content-Type headers)"; flow:to_server,established; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"Content-Type|3a| text/html"; http_header; content:"Content-type|3a| image/gif"; http_header; reference:url,doc.emergingthreats.net/2010282; classtype:command-and-control; sid:2010282; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Law Enorcement Sensitive"; flow:to_server,established; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002551; classtype:policy-violation; sid:2002551; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gimmiv.A.dll Infection"; flow: to_server,established; content:"/test"; http_uri; content:".php"; http_uri; content:"?abc="; http_uri; content:"?def="; http_uri; reference:url,www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin32%2fGimmiv.A; reference:url,doc.emergingthreats.net/2008689; classtype:trojan-activity; sid:2008689; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Internal Use Only"; flow:to_server,established; pcre:"/\Winternal\suse\sonly\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002552; classtype:policy-violation; sid:2002552; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Glacial Dracon C&C Communication"; flow:established,to_server; content:"?id="; nocase; http_uri; content:"&ve="; nocase; http_uri; content:"&h="; nocase; http_uri; content:"&c[]="; nocase; depth:5; http_client_body; content:"&t[]="; nocase; http_client_body; content:"&u[]="; nocase; http_client_body; content:"&d[]="; nocase; http_client_body; content:"&p[]="; nocase; http_client_body; reference:md5,fd3d061ee86987e8f3f245c2dc0ceb46; reference:md5,912692cb4e3f960c9cb4bbc96fa17c9d; reference:url,doc.emergingthreats.net/2010163; classtype:command-and-control; sid:2010163; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Date of Birth"; flow:to_server,established; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002553; classtype:policy-violation; sid:2002553; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Bobax trojan infection"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/reg|3f|u="; http_uri; content:"|26|v="; http_uri; reference:url,www.lurhq.com/bobax.html; reference:url,doc.emergingthreats.net/2001901; classtype:trojan-activity; sid:2001901; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - HCPCS Code"; flow:to_server,established; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002554; classtype:policy-violation; sid:2002554; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX EdrawSoft Office Viewer Component ActiveX FtpUploadFile Stack Buffer Overflow"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"F6FE8878-54D2-4333-B9F0-FC543B1BE1ED"; nocase; distance:0; content:"FtpUploadFile"; nocase; reference:url,packetstormsecurity.org/files/109298/EdrawSoft-Office-Viewer-Component-ActiveX-5.6-Buffer-Overflow.html; classtype:attempted-user; sid:2014390; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - ICD-10 Code"; flow:to_server,established; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002555; classtype:policy-violation; sid:2002555; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX EdrawSoft Office Viewer Component ActiveX FtpUploadFile Format String Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"OfficeViewer.OfficeViewer"; nocase; distance:0; content:"FtpUploadFile"; nocase; reference:url,packetstormsecurity.org/files/109298/EdrawSoft-Office-Viewer-Component-ActiveX-5.6-Buffer-Overflow.html; classtype:attempted-user; sid:2014391; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - FDA NDC Code"; flow:to_server,established; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002556; classtype:policy-violation; sid:2002556; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit kit download payload likely Hiloti Gozi FakeAV etc"; flow:to_server,established; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"/eH"; http_uri; fast_pattern; pcre:"/\/[a-z0-9]+\.[a-z0-9]{2,4}\/eH[a-z0-9]{60,}$/Ui"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FHiloti.gen%21D; reference:url,doc.emergingthreats.net/2011103; classtype:exploit-kit; sid:2011103; rev:10; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - ADA Procedure Code"; flow:to_server,established; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002557; classtype:policy-violation; sid:2002557; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit kit attack activity likely hostile"; flow:to_server,established; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"/oH"; http_uri; fast_pattern; pcre:"/\/[a-z0-9]+\.[a-z0-9]{2,4}\/oH[a-z0-9]{60,}$/Ui"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FHiloti.gen%21D; reference:url,doc.emergingthreats.net/2011104; classtype:exploit-kit; sid:2011104; rev:10; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - DSM-IV Code"; flow:to_server,established; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2}?)|(v[167][0-9]\.[0-9]{1,2})))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002558; classtype:policy-violation; sid:2002558; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hitpop Checkin"; flow:established,to_server; content:"/stat.htm?id="; nocase; http_uri; content:"&agt="; nocase; http_uri; content:"&r=http"; http_uri; nocase; content:"&OS="; nocase; http_uri; content:"&ntime="; nocase; http_uri; content:"&rtime="; nocase; http_uri; reference:url,atlas-public.ec2.arbor.net/docs/Hitpop_DDoS_Malware_Analysis_PUBLIC.pdf; reference:url,doc.emergingthreats.net/2008275; classtype:command-and-control; sid:2008275; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - AMA CPT Code"; flow:to_server,established; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002559; classtype:policy-violation; sid:2002559; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon User Agent Detected (SykO)"; flow:established,to_server; content:"User-Agent|3a| SykO"; http_header; nocase; reference:url,doc.emergingthreats.net/2003649; classtype:trojan-activity; sid:2003649; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Credit Card, JCB"; flow:to_server,established; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002561; classtype:policy-violation; sid:2002561; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon User Agent Detected (IE_7.0)"; flow:established,to_server; content:"User-Agent|3a| IE_7.0"; http_header; nocase; reference:url,doc.emergingthreats.net/2003932; classtype:trojan-activity; sid:2003932; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Password"; flow:to_server,established; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002567; classtype:policy-violation; sid:2002567; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KillAV/Dropper/Mdrop/Hupigon - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".asp?mac="; nocase; http_uri; content:"&xxx="; nocase; http_uri; content:"User-Agent|3a| baidu|0d 0a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2009811; classtype:trojan-activity; sid:2009811; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Appraisal"; flow:to_server,established; pcre:"/\Wappraisal(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002568; classtype:policy-violation; sid:2002568; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Inject.BV Trojan User Agent Detected (faserx)"; flow:established,to_server; content:"User-Agent|3a| faser"; http_header; nocase; reference:url,doc.emergingthreats.net/2003637; classtype:trojan-activity; sid:2003637; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Account Balance"; flow:to_server,established; pcre:"/\Waccount\sbalance(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002569; classtype:policy-violation; sid:2002569; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Insidebar.co.kr Related Infection Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"e=inside&s="; http_client_body; content:"&ver="; http_client_body; content:"&p="; http_client_body; reference:url,doc.emergingthreats.net/2008760; classtype:command-and-control; sid:2008760; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Payment History"; flow:to_server,established; pcre:"/\Wpayment\shistory\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002570; classtype:policy-violation; sid:2002570; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Klom.A Connecting to Controller"; flow:established,to_server; content:"/s_13_0?m="; nocase; http_uri; content:"r="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,www.bitdefender.com/VIRUS-1000126-en--Trojan.Klom.A.html; reference:url,doc.emergingthreats.net/2003538; classtype:trojan-activity; sid:2003538; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Annual Income"; flow:to_server,established; pcre:"/\Wannual\sincome(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002571; classtype:policy-violation; sid:2002571; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Knockbot Proxy Response From Controller"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|file|7c|http"; depth:250; nocase; content:"|7c|"; within:150; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; reference:url,doc.emergingthreats.net/2010787; classtype:trojan-activity; sid:2010787; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Credit History"; flow:to_server,established; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002572; classtype:policy-violation; sid:2002572; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Koblu"; flow:established,to_server; content:"GET"; nocase; http_method; content:"sid="; nocase; http_uri; content:"&sa="; nocase; http_uri; content: "&p="; http_uri; content:"&q=cards&rf="; http_uri; content:"&enc="; http_uri; content:"&enk=&xsc=&xsp=&xsm="; http_uri; reference:url,doc.emergingthreats.net/2010230; classtype:trojan-activity; sid:2010230; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Transaction History"; flow:to_server,established; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002573; classtype:policy-violation; sid:2002573; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Koobface fetch C&C command detected"; flow:established, to_server; content:".php"; nocase; http_uri; content:"f=0&a="; fast_pattern; content:"&v="; content:"&c="; content:"&s="; content:"&l="; content:"&ck="; content:"&c_fb="; content:"&c_ms="; content:"&c_hi="; content:"&c_be="; content:"&c_fr="; content:"&c_yb="; content:"&c_tg="; content:"&c_nl="; content:"&c_fu="; reference:url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf; reference:url,doc.emergingthreats.net/2010153; classtype:command-and-control; sid:2010153; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Customer List"; flow:to_server,established; pcre:"/\Wcustomer\slist(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002574; classtype:policy-violation; sid:2002574; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Korklic.A"; flow:to_server,established; content:"GET"; nocase; http_method; content:"mode=boot&MyValue="; http_uri; content:"&code="; http_uri; pcre:"/MyValue=[a-f0-9]{2}\:[a-f0-9]{2}\:[a-f0-9]{2}\:[a-f0-9]{2}\:/Ui"; reference:url,doc.emergingthreats.net/2009003; classtype:trojan-activity; sid:2009003; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Non-US Restricted"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002575; classtype:policy-violation; sid:2002575; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Lager Trojan Reporting Spam"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/sp/post.php"; nocase; http_uri; content:"data="; depth:400; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003190; classtype:trojan-activity; sid:2003190; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Non-US Confidential"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002576; classtype:policy-violation; sid:2002576; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET 1025:5000 (msg:"ET MALWARE Possible Web-based DDoS-command being issued"; flow: established,from_server; content: "Server|3a| nginx/0."; offset: 17; depth: 19; content: "Content-Type|3a| text/html"; content:"|3a|80|3b|255.255.255.255"; fast_pattern; reference:url,doc.emergingthreats.net/2003296; classtype:trojan-activity; sid:2003296; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Non-US Top Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002577; classtype:policy-violation; sid:2002577; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MBR Trojan (Sinowal/Mebroot/) Phoning Home"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ld/mat"; nocase; http_uri; content:".php"; nocase; http_uri; content:"id="; http_client_body; depth:3; content:"&hit="; http_client_body; reference:url,doc.emergingthreats.net/2007747; classtype:trojan-activity; sid:2007747; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Non-US Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+(?<!TOP\s)SECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002578; classtype:policy-violation; sid:2002578; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mcboo.com/Bundlext.com related Trojan Checkin URL"; flow:established,to_server; content:"/ack.php?version="; http_uri; content:"&uid="; http_uri; content:"&status="; http_uri; reference:url,doc.emergingthreats.net/2008758; classtype:command-and-control; sid:2008758; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Restricted"; flow:to_server,established; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002579; classtype:policy-violation; sid:2002579; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MEREDROP/micr0s0fts.cn Related Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/update.asp"; http_uri; content:"ver="; http_client_body; depth:4; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; http_client_body; reference:url,doc.emergingthreats.net/2008891; classtype:command-and-control; sid:2008891; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Confidential Atomal"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002580; classtype:policy-violation; sid:2002580; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Metajuan trojan checkin"; flow:established,to_server; content:"trafc-2/rfe"; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-030112-0714-99; reference:url,doc.emergingthreats.net/2007811; classtype:command-and-control; sid:2007811; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Confidential"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002581; classtype:policy-violation; sid:2002581; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.MisleadApp Fake Security Product Install"; flow:established,to_server; content:"GET"; nocase; http_method; content:"hash?http"; nocase; http_uri; pcre:"/\/(ucleaner|udefender|ufixer)\.com\/demo\.php\?/Ui"; reference:url,doc.emergingthreats.net/2007566; classtype:trojan-activity; sid:2007566; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO COSMIC Top Secret Atomal"; flow:to_server,established; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002582; classtype:policy-violation; sid:2002582; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Monkif Downloader Checkin"; flow:to_server,established; content:"/cgi/"; http_uri; content:".php?"; nocase; http_uri; content:"x640<x"; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fMonkif.C; reference:url,doc.emergingthreats.net/2009126; classtype:command-and-control; sid:2009126; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Secret Atomal"; flow:to_server,established; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002583; classtype:policy-violation; sid:2002583; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nanspy Bot Checkin"; flow:established,to_server; content:"HEAD"; nocase; http_method; content:"/bbcount.php?action="; http_uri; content:"&uid="; http_uri; content:"&locale="; http_uri; content:"&build="; http_uri; reference:url,doc.emergingthreats.net/2010158; classtype:command-and-control; sid:2010158; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Secret"; flow:to_server,established; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002584; classtype:policy-violation; sid:2002584; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Navipromo related update"; flow:established,to_client; content:"|0d 0a|Server|3a| lighttpd|0d 0a 0d 0a|<HTML><CFG>_SYSTEM_DIR_"; reference:url,doc.emergingthreats.net/2009694; classtype:trojan-activity; sid:2009694; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002585; classtype:policy-violation; sid:2002585; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nine Ball Infection ya.ru Post"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/gate/"; http_uri; content:".php"; http_uri; content:"|0d 0a 0d 0a|"; content:"ya.ru/"; distance:67; within:6; reference:url,www.martinsecurity.net/page/3; reference:url,doc.emergingthreats.net/2011186; classtype:trojan-activity; sid:2011186; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002586; classtype:policy-violation; sid:2002586; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NoBo Downloader Dropper GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| NoBo"; http_header; reference:url,www.spynomore.com/trojan-nobo-v1-3.htm; reference:url,doc.emergingthreats.net/2009443; classtype:trojan-activity; sid:2009443; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002587; classtype:policy-violation; sid:2002587; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Obitel trojan calling home"; flow:established,to_server; content:"/gate.php?hash="; http_uri; content:"/gate.php?hash="; content:" HTTP/1."; distance:8; within:16; reference:url,www.abuse.ch/?p=143; reference:url,doc.emergingthreats.net/2008405; classtype:trojan-activity; sid:2008405; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential REL TO"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002588; classtype:policy-violation; sid:2002588; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Oficla Russian Malware Bundle C&C instruction response with runurl"; flow:established,to_client; content:"|0d 0a 0d 0a|[info]runurl|3a|"; content:"|7c|taskid|3a|"; within:100; content:"|7c|delay|3a|"; within:30; content:"|7c|upd|3a|"; within:20; content:"[/info]"; distance:0; reference:url,malwarelab.org/2009/11/russian-malware-bundle/; reference:url,doc.emergingthreats.net/2010723; classtype:command-and-control; sid:2010723; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret REL TO"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002589; classtype:policy-violation; sid:2002589; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Oficla Russian Malware Bundle C&C instruction response"; flow:established,to_client; content:"|0d 0a 0d 0a|[info]kill|3a|"; content:"|7c|delay|3a|"; within:50; content:"|7c|upd|3a|"; within:20; content:"[/info]"; distance:0; reference:url,malwarelab.org/2009/11/russian-malware-bundle/; reference:url,doc.emergingthreats.net/2010724; classtype:command-and-control; sid:2010724; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Unclassified COMSEC"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002594; classtype:policy-violation; sid:2002594; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Oficla Russian Malware Bundle C&C instruction response (2)"; flow:established,to_client; content:"|0d 0a 0d 0a|[info]delay|3a|"; content:"|7c|upd|3a|"; within:20; content:"[/info]"; distance:0; reference:url,malwarelab.org/2009/11/russian-malware-bundle/; reference:url,doc.emergingthreats.net/2010744; classtype:command-and-control; sid:2010744; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential COMSEC"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002595; classtype:policy-violation; sid:2002595; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE onmuz.com Infection Activity"; flow:established,to_server; content:"pid=patchup_notpid_update^on"; http_uri; content:"/logonmuz"; http_uri; reference:url,doc.emergingthreats.net/2008973; classtype:trojan-activity; sid:2008973; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret COMSEC"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002596; classtype:policy-violation; sid:2002596; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Opachki Link Hijacker Traffic Redirection"; flow:established,to_server; content:"/?do=rphp"; nocase; http_uri; content:"&sub="; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&q="; nocase; http_uri; content:"&orig="; nocase; http_uri; reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2; reference:url,doc.emergingthreats.net/2010224; classtype:trojan-activity; sid:2010224; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret CNWDI"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002599; classtype:policy-violation; sid:2002599; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Prg Trojan HTTP POST v1"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?2="; http_uri; content:"&n="; http_uri; content:"&v="; http_uri; content:"&i="; http_uri; content:"&sp="; http_uri; content:"&lcp="; http_uri; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2007688; classtype:trojan-activity; sid:2007688; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret TK"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002601; classtype:policy-violation; sid:2002601; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?1="; http_uri; content:"&i="; http_uri; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9_]+&i=/Ui"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2007724; classtype:trojan-activity; sid:2007724; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US FGI"; flow:to_server,established; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002603; classtype:policy-violation; sid:2002603; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 82 (msg:"ET MALWARE LD Pinch Checkin (HTTP POST on port 82)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; content:"a="; content:"&b="; content:"&d="; content:"&c="; nocase; reference:url,doc.emergingthreats.net/2008366; classtype:command-and-control; sid:2008366; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US FOUO"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002604; classtype:policy-violation; sid:2002604; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-PWS.Win32.VB.tr Checkin Detected"; flow:established,to_server; content:"POST"; nocase; http_method; content:".asp"; http_uri; content:"id="; content:"&tit="; content:"&comm"; content:"Run|2B|Successfully"; fast_pattern; reference:url,doc.emergingthreats.net/2008506; classtype:command-and-control; sid:2008506; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential NOFORN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002605; classtype:policy-violation; sid:2002605; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Generic PSW Agent server reply"; flow:from_server,established; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"|0d 0a|[Uptade]|0d 0a|Web="; content:"|0d 0a|[Guncellestirme]|0d 0a|Version="; within:100; reference:url,doc.emergingthreats.net/2008662; classtype:trojan-activity; sid:2008662; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret NOFORN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002606; classtype:policy-violation; sid:2002606; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PassSickle Reporting User Activity"; flow:established,to_server; content:".php?id="; nocase; http_uri; content:"&data="; nocase; http_uri; content:"PassSickle"; http_header; nocase; pcre:"/^User-Agent\:[^\n]+PassSickle/Hmi"; reference:url,doc.emergingthreats.net/2002859; classtype:trojan-activity; sid:2002859; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential ORCON"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002608; classtype:policy-violation; sid:2002608; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pasta Downloader - GET Checkin to Fake GIF"; flow:established,to_server; content:"GET"; nocase; http_method; content:".gif?"; content:!"c.gif?"; nocase; http_uri; content:!"__utm.gif?"; http_uri; nocase; http_uri; content:"t="; nocase; http_uri; content:"q="; nocase; http_uri; content:"p="; nocase; http_uri; content:"pn="; nocase; http_uri; reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; reference:url,doc.emergingthreats.net/2009522; classtype:command-and-control; sid:2009522; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret ORCON"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002609; classtype:policy-violation; sid:2002609; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Personal Defender 2009 - prinimalka.py"; flow:established,to_server; content:"/prinimalka.py"; http_uri; reference:url,malwarebytes.besttechie.net/2008/11/03/removal-instructions-for-personal-defender-2009/; reference:url,doc.emergingthreats.net/2009405; classtype:trojan-activity; sid:2009405; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Unclassified PROPIN"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002611; classtype:policy-violation; sid:2002611; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Personal Defender 2009 - trash.py"; flow:established,to_server; content:"/trash.py"; http_uri; reference:url,malwarebytes.besttechie.net/2008/11/03/removal-instructions-for-personal-defender-2009/; reference:url,doc.emergingthreats.net/2009406; classtype:trojan-activity; sid:2009406; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential PROPIN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002612; classtype:policy-violation; sid:2002612; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit VBscript download"; flow:established,to_client; content:"Createobject(StrReverse("; nocase; content:"|22|tcejbOmetsySeliF.gnitpircS|22|))"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,doc.emergingthreats.net/2011184; classtype:exploit-kit; sid:2011184; rev:4; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret PROPIN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002613; classtype:policy-violation; sid:2002613; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Piptea.a Related Trojan Checkin (3)"; flow:established,to_server; content:"/cd/un.php?id="; http_uri; content:"&ver="; http_uri; pcre:"/\/cd\/un\.php.id=[A-F0-9\-]+&ver=/U"; reference:url,doc.emergingthreats.net/2008384; classtype:command-and-control; sid:2008384; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential RD"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002615; classtype:policy-violation; sid:2002615; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pointfree.co.kr Trojan/Spyware Infection Checkin"; flow:established,to_server; content:"log.php?mac="; http_uri; content:"&hdd="; content:"&ver="; http_uri; content:"&ie="; http_uri; content:"&win="; http_uri; reference:url,doc.emergingthreats.net/2008972; classtype:command-and-control; sid:2008972; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret RD"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002616; classtype:policy-violation; sid:2002616; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxy.Win32.Agent.mx CnC Beacon"; flow:established,to_server; content:"q.php"; nocase; http_uri; content:"&m="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&x="; nocase; http_uri; content:"&i="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006405; classtype:command-and-control; sid:2006405; rev:4; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2010_07_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US SAMI"; flow:to_server,established; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002618; classtype:policy-violation; sid:2002618; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pushdo Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"m="; http_uri; content:"&a="; http_uri; content:"&os="; http_uri; pcre:"/&os=[a-f0-9]{50}/U"; reference:url,doc.emergingthreats.net/2008493; classtype:command-and-control; sid:2008493; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential SPECAT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002619; classtype:policy-violation; sid:2002619; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Qhosts Trojan Check-in"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"UserID="; http_client_body; content:"&wv="; http_client_body; content:"&res="; http_client_body; content:"&lng="; http_client_body; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-100116-5901-99; reference:url,doc.emergingthreats.net/2009517; classtype:trojan-activity; sid:2009517; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret SPECAT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002620; classtype:policy-violation; sid:2002620; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rcash.co.kr Bootup Checkin via HTTP"; flow:established,to_server; content:"/install/Boot.asp?macaddr="; nocase; http_uri; content:"&partner="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007807; classtype:command-and-control; sid:2007807; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret STOP"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002622; classtype:policy-violation; sid:2002622; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Renos/ssd.com HTTP Checkin"; flow:established,to_server; content:"/dlp.php?"; nocase; http_uri; content:"&m="; nocase; http_uri; content:"&ydf="; nocase; http_uri; content:"&e="; nocase; http_uri; content:"&w=___"; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&apzx="; nocase; http_uri; content:"&apz="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007834; classtype:command-and-control; sid:2007834; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> [69.63.176.0/20,69.63.176.0/20,204.15.20.0/22] $HTTP_PORTS (msg:"ET DELETED facebook activity"; flow:established,to_server; threshold: type both, track by_dst, count 2, seconds 120; reference:url,compnetworking.about.com/od/traceipaddresses/f/facebook-ip-address.htm; reference:url,doc.emergingthreats.net/2010952; classtype:policy-violation; sid:2010952; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RhiFrem Trojan Activity - cmd"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?mod=cmd&user="; http_uri; content:"User-Agent|3A|  Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2"; http_header; pcre:"/^GET\x20[^\x0D\x0A]+\x3Fmod\x3Dcmd\x26user\x3D\w+[^\x0D\x0A]*\x20HTTP\x2F1\x2E0\x0D\x0A.*\x0D\x0AHost\x3A\x20\w+/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; reference:url,doc.emergingthreats.net/2008139; classtype:trojan-activity; sid:2008139; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic Dropper HTTP Bot grabbing config"; flow: to_server,established; content:".txt"; nocase; http_uri; fast_pattern; content:"Pragma|3a| no-cache"; http_header; content:"User-Agent|3a| "; http_header; pcre:"/User-Agent\x3a \d{6}\x0d\x0a/H"; reference:url,doc.emergingthreats.net/2008664; classtype:trojan-activity; sid:2008664; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RhiFrem Trojan Activity - log"; flow:to_server,established; content:"POST"; nocase; http_method; content:"?mod=log&user="; fast_pattern; http_uri; content:"User-Agent|3A| Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2"; http_header; pcre:"/^POST\x20[^\x0D\x0A]+\x3Fmod\x3Dlog\x26user\x3D\w+[^\x0D\x0A]*\x20HTTP\x2F1\x2E0\x0D\x0A.*\x0D\x0AHost\x3A\x20\w+.*\x0D\x0A\x0D\x0Acurr\x3D.*\x26next\x3D/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; reference:url,doc.emergingthreats.net/2008140; classtype:trojan-activity; sid:2008140; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PeopleOnPage Ping"; flow: to_server,established; content:"Host|3a| srv.peopleonpage.com"; nocase; http_header; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/s\/l\/firstping/i"; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001446; classtype:policy-violation; sid:2001446; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake AV CnC Checkin cycle_report"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/cycle_report.cgi?type=g"; nocase; http_uri; reference:md5,fa078834dd3b4c6604d12823a6f9f17e; classtype:command-and-control; sid:2011820; rev:3; metadata:created_at 2010_10_15, former_category MALWARE, updated_at 2010_10_15;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET HUNTING Suspicious Self Signed SSL Certificate CN of common Possible SSL CnC"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"common1|1b|0"; classtype:command-and-control; sid:2013805; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_10_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Comotor.A!dll Reporting 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/cy/dl.php"; nocase; http_uri; content:"id="; http_uri; nocase; reference:md5,5e1c680e70e423dd02e31ab9d689e40b; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FComotor.A!dll&ThreatID=-2147346593; classtype:trojan-activity; sid:2011849; rev:4; metadata:created_at 2010_10_25, updated_at 2010_10_25;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET HUNTING Suspicious Self Signed SSL Certificate with admin@common Possible SSL CnC"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"admin@common"; classtype:command-and-control; sid:2013806; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_10_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Hostile HTTP Header GET structure"; flow:established,to_server; content:"GET"; nocase; http_method; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|"; fast_pattern; content:".php"; nocase; http_uri; content:"|0d 0a|Host|3a 20|"; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|"; distance:0; content:!"|0d 0a|Host|3a| update.nai.com"; distance:0; content:!"|0d 0a|Host|3a 20|toolbarqueries.google."; http_header; content:!".ceipmsn.com|0d 0a|Pragma|3a 20|"; http_header; content:!"Host|3a| stats.mbamupdates.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2011858; rev:12; metadata:created_at 2010_10_27, updated_at 2010_10_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Cipher_Suite length greater than Client_Hello Length)"; flow:to_server,established; content:"|16 03 00|"; depth:3; content:"|01|"; distance:2; within:1; byte_extract:3,0,SSL.Client_Hello.length,relative; byte_jump:1,34,relative; byte_test:2,>,SSL.Client_Hello.length,0,relative; reference:md5,a01d75158cf4618677f494f9626b1c4c; classtype:trojan-activity; sid:2014635; rev:1; metadata:created_at 2012_04_24, updated_at 2012_04_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Feodo Banking Trojan Account Details Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"AccountSummary"; nocase; fast_pattern; content:"userid|3A|"; nocase; distance:0; content:"password|3A|"; nocase; distance:0; content:"screenid|3A|"; nocase; distance:0; content:"origination|3A|"; nocase; distance:0; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html#more; classtype:trojan-activity; sid:2011862; rev:4; metadata:created_at 2010_10_28, updated_at 2010_10_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maljava Dropper for OS X"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/install_flash_player.py"; nocase; http_uri; reference:url,www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once; classtype:trojan-activity; sid:2014638; rev:4; metadata:created_at 2012_04_25, updated_at 2012_04_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Krap.ar Infection URL Request"; flow:established,to_server; content:"type="; http_uri; nocase; content:"email="; http_uri; nocase; content:"hwinfo="; http_uri; nocase; reference:md5,df29b9866397fd311a5259c5d4bc00dd; classtype:trojan-activity; sid:2012076; rev:2; metadata:created_at 2010_12_18, updated_at 2010_12_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maljava Dropper for Windows"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/install_flash_player.tmp2"; nocase; http_uri; reference:url,www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once; classtype:trojan-activity; sid:2014637; rev:3; metadata:created_at 2012_04_25, updated_at 2012_04_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BackDoor-DRV.gen.c Reporting-2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/zok.php?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"url="; nocase; http_uri; content:"sid="; nocase; http_uri; content:"tm="; nocase; http_uri; content:"hlto="; http_uri; nocase; reference:md5,d5ff6df296c068fcc0ddd303984fa6b9; classtype:trojan-activity; sid:2012114; rev:3; metadata:created_at 2010_12_30, former_category MALWARE, updated_at 2010_12_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito Exploit Kit payload request to images.php?t=N"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:15; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014640; rev:1; metadata:created_at 2012_04_26, former_category EXPLOIT_KIT, updated_at 2012_04_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Storm/Waledac 3.0 Checkin 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:".htm"; http_uri; content:"Host|3a| "; http_header; content:"Content-Length|3a| "; http_header; content:".htm HTTP/1.1"; pcre:"/Host\x3a [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/"; pcre:"/Content-Length\x3a [1-9]/"; classtype:command-and-control; sid:2012137; rev:5; metadata:created_at 2011_01_05, former_category MALWARE, updated_at 2011_01_05;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32.Idicaf/Atraps"; flow:to_server,established; dsize:780; content:"|00 00 00 00 00 00 00 00|"; depth:8; content:"|00 00 00 00|"; distance:4; within:4; content:"|00 9C 00 00 00|"; distance:31; within:5; fast_pattern; content:"|00 00 00|"; distance:1; within:3; content:"|00 00 00|"; distance:1; within:3; content:"|00 00|"; distance:2; within:2; content:"|00|"; distance:172; within:1; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014228; rev:7; metadata:created_at 2012_02_14, updated_at 2012_02_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy Banker Outbound Communication Attempt"; flow:established,to_server; content:"praquem="; nocase; content:"titulo="; distance:0; nocase; content:"Dir+System32"; nocase; distance:0; reference:md5,58b3c37b61d27cdc0a55321f4c12ef04; classtype:trojan-activity; sid:2012225; rev:4; metadata:created_at 2011_01_24, updated_at 2011_01_24;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"pdfxctrlLib.PdfPrinterPreferences"; nocase; distance:0; content:"InitFromRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014651; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Banbra Banking Trojan Communication"; flow:established,to_server; content:"para="; nocase; content:"titulo="; nocase; distance:0; content:"mensagem="; nocase; distance:0; reference:md5,7ce03717d6879444d8e45b7cf6470c67; classtype:trojan-activity; sid:2012226; rev:4; metadata:created_at 2011_01_24, updated_at 2011_01_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"2EE01CFA-139F-431E-BB1D-5E56B4DCEC18"; nocase; distance:0; content:"InitFromRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014650; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon.AZG Checkin"; flow:established,to_server; content:"GET"; http_method; nocase; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; http_header; nocase; content:"eve="; nocase; http_uri; content:"username="; nocase; http_uri; content:"anma="; nocase; http_uri; content:"ver="; nocase; http_uri; reference:url,www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143511&sind=0; reference:url,vil.nai.com/vil/content/v_145056.htm; reference:url,doc.emergingthreats.net/2008515; classtype:command-and-control; sid:2008515; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX StoreInRegistry Method Access Potential Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"2EE01CFA-139F-431E-BB1D-5E56B4DCEC18"; nocase; distance:0; content:"StoreInRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014648; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Unknown Web Backdoor Keep-Alive"; flow:established,to_server; urilen:13; content:"POST"; http_method; nocase; content:"/bbs/info.asp"; http_uri; classtype:trojan-activity; sid:2012250; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX StoreInRegistry Method Access Potential Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"pdfxctrlLib.PdfPrinterPreferences"; nocase; distance:0; content:"StoreInRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014649; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan/Win32.CodecPack Reporting"; flow:to_server,established; content:"GET"; nocase; http_method; content:"ADTECH|3b|"; http_uri; content:"loc=100|3b|"; http_uri; content:"target=_blank|3b|"; http_uri; content:"grp|3d 5b|group|5d 3b|"; http_uri; content:"misc="; classtype:trojan-activity; sid:2012285; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest Explain Plan Display ActiveX Control SaveToFile Insecure Method Access"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"F7014877-6F5A-4019-A3B2-74077F2AE126"; nocase; distance:0; content:".SaveToFile|28|"; nocase; distance:0; reference:url,secunia.com/advisories/48681/; classtype:attempted-user; sid:2014652; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32 Troxen Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/report3.ashx?"; http_uri; nocase; content:"m="; nocase; http_uri; content:"mid="; nocase; http_uri; content:"d="; nocase; http_uri; content:"uid="; http_uri; nocase; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32/Troxen!rts; reference:md5,664a5147e6258f10893c3fd375f16ce4; classtype:trojan-activity; sid:2012289; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest Explain Plan Display ActiveX Control SaveToFile Insecure Method Access 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"QExplain2.ExplainPlanDisplayX"; nocase; distance:0; content:".SaveToFile|28|"; nocase; distance:0; reference:url,secunia.com/advisories/48681/; classtype:attempted-user; sid:2014653; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy.Win32.Agent.bijs Reporting 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app/count/inst.php?"; http_uri; nocase; content:"ucode="; nocase; http_uri; content:"pcode="; http_uri; nocase; reference:md5,846ac24b003c6d468a833bff58db5f5c; classtype:trojan-activity; sid:2012290; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Neosploit Java Exploit Kit request to /? plus hex 32"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; content:" Java/"; http_header; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:exploit-kit; sid:2013975; rev:3; metadata:created_at 2011_12_01, former_category EXPLOIT_KIT, updated_at 2011_12_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy.Win32.Agent.bijs Reporting 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app/count/boot.php?"; nocase; http_uri; content:"ucode="; nocase; http_uri; content:"pcode="; nocase; http_uri; reference:md5,846ac24b003c6d468a833bff58db5f5c; classtype:trojan-activity; sid:2012288; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unkown exploit kit jar download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=MSIE"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".jar"; http_uri; classtype:exploit-kit; sid:2014568; rev:3; metadata:created_at 2012_04_16, former_category EXPLOIT_KIT, updated_at 2012_04_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA Sunway ForceControl Activex Control Remote Code Execution Vulnerability 2"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"3310FA24-A027-47B3-8C49-1091077317E9"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3310FA24-A027-47B3-8C49-1091077317E9/si"; reference:bugtraq,49747; classtype:attempted-user; sid:2013736; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC NICK command"; flow:to_server,established; content:"NICK|20|"; nocase; content:"|0a|"; within:40; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002024; classtype:misc-activity; sid:2002024; rev:19; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Lookup of Known BlackEnergy DDOS Botnet CnC Server greenter.ru"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|greenter|02|ru"; nocase; distance:0; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110116; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20100913; classtype:command-and-control; sid:2012202; rev:2; metadata:created_at 2011_01_18, updated_at 2011_01_18;)
+alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC JOIN command"; flow:to_server,established; content:"JOIN|2023|"; nocase; content:"|0a|"; within:40; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002025; classtype:misc-activity; sid:2002025; rev:19; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Lookup of Twitter m28sx Worm"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"gdfgdfgdgdfgdfg|02|in|02|ua"; nocase; distance:0; reference:url,isc.sans.edu/diary.html?storyid=10297; classtype:trojan-activity; sid:2012210; rev:2; metadata:created_at 2011_01_21, updated_at 2011_01_21;)
+alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT PWDump4 Password dumping exe copied to victim"; flow:to_server,established; content:"|4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 50 00 57 00 44 00 55 00 4D 00 50 00 34 00 2E 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-pwdump4.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008444; classtype:suspicious-filename-detect; sid:2008444; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.Banker.AAD CnC Communication"; flow:established,to_server; content:"filename=|22|C|3A 5C|WINDOWS|5C|system32"; nocase; http_header; content:"Content-Type|3A| C|3A 5C|WINDOWS|5C|system32"; nocase; http_header; reference:md5,8556aec7ff96824e2da9d1b948ed7029; classtype:command-and-control; sid:2012300; rev:3; metadata:created_at 2011_02_07, former_category TROJAN, updated_at 2017_03_22;)
+alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT Pwdump6 Session Established test file created on victim"; flow:to_server,established; content:"|5c 00 74 00 65 00 73 00 74 00 2e 00 70 00 77 00 64|"; reference:url,xinn.org/Snort-pwdump6.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008445; classtype:suspicious-filename-detect; sid:2008445; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Java Exploit Kit Success Check-in Executable Download Likely"; flow:established,to_server; content:".php?"; http_uri; content:"=javajsm"; http_uri; classtype:exploit-kit; sid:2012389; rev:3; metadata:created_at 2011_02_27, former_category EXPLOIT_KIT, updated_at 2011_02_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"ET EXPLOIT VLC web interface buffer overflow attempt"; flow:to_server,established; content:"|2F|requests|2F|status|2E|xml|3F|"; http_uri; nocase; content:"input|3D|smb|3A 2F|"; http_uri; nocase; pcre:"/\x2Frequests\x2Fstatus\x2Exml\x3F[^\x0A\x0D]*input\x3D[^\x0A\x0D\x26\x3B]{1000}/iU"; reference:url,milw0rm.org/exploits/9029; reference:url,doc.emergingthreats.net/2009511; classtype:web-application-attack; sid:2009511; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tatanga Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?build="; http_uri; content:"&id="; http_uri; content:"&SA=1-0"; http_uri; content:"&SP=1-"; http_uri; reference:url,securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojtatangac.html; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=4b5eb54de32f86819c638878ac2c7985&id=740958; reference:url,www.malware-control.com/statics-pages/06198e9b72e1bb0c256769c5754ed821.php; classtype:command-and-control; sid:2012391; rev:3; metadata:created_at 2011_02_28, former_category MALWARE, updated_at 2011_02_28;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt"; flow:established,to_server; content:"/includes/Cache/Lite/Output.php?mosConfig_absolute_path="; nocase; http_uri; pcre:"/=\s*(https|ftps|php|http|ftp)\x3A\x2F/Ui"; reference:url,www.securityfocus.com/bid/29716/info; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/29716.rb; reference:url,doc.emergingthreats.net/2010223; classtype:web-application-attack; sid:2010223; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Vilsel.akd Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app_count/ag4_del_count.php?"; nocase; http_uri; content:"mac="; nocase; http_uri; content:"pid="; nocase; http_uri; reference:md5,2d6cede13913b17bc2ea7c7f70ce5fa8; classtype:trojan-activity; sid:2012439; rev:4; metadata:created_at 2011_03_08, updated_at 2011_03_08;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible VLC Media Player M3U File FTP URL Processing Stack Buffer Overflow Attempt"; flowbits:isset,ET.m3u.download; flow:established,to_client; content:"ftp|3A|//"; nocase; content:"PRAV"; within:10; isdataat:2000,relative; content:!"|0A|"; within:2000; reference:url,securitytracker.com/alerts/2010/Jul/1024172.html; reference:url,doc.emergingthreats.net/2011242; classtype:attempted-user; sid:2011242; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Agent.bqkb Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/updata/"; nocase; http_uri; content:"lg1="; nocase; http_uri; content:"lg2="; nocase; http_uri; content:"lg3="; nocase; http_uri; content:"lg5="; nocase; http_uri; content:"lg6="; nocase; http_uri; content:"lg7="; nocase; http_uri; reference:md5,de85ae919d48325189bead995e8052e7; classtype:trojan-activity; sid:2012440; rev:4; metadata:created_at 2011_03_08, former_category MALWARE, updated_at 2011_03_08;)
+alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC USER command"; flow:to_server,established; content:"USER|20|"; nocase; content:"|203a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002023; classtype:misc-activity; sid:2002023; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Monkif Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/photo/"; http_uri; content:"6x5x5772=712x5772=716x"; http_uri; classtype:command-and-control; sid:2012505; rev:4; metadata:created_at 2011_03_15, former_category MALWARE, updated_at 2011_03_15;)
+alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC PRIVMSG command"; flow:established,to_server; content:"PRIVMSG|20|"; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002026; classtype:misc-activity; sid:2002026; rev:21; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rimecud.B Activity"; flow:to_server,established; content:"POST"; nocase; http_method; content:"&acc=ups"; http_uri; content:"&nick="; http_uri; content:"&botver=Beta&code="; http_uri; content:"User-Agent|3a 20|"; nocase; http_header; content:"|3b 20|es-ES|3b|"; distance:39; http_header; content:"plist|3d 2d 2d 2d|"; depth:9; http_client_body; content:"Passwords"; distance:0; http_client_body; reference:md5,01dd7102b9d36ec8556eed2909b74f52; classtype:trojan-activity; sid:2012517; rev:2; metadata:created_at 2011_03_17, updated_at 2011_03_17;)
+alert tcp any 6666:7000 -> any any (msg:"ET CHAT IRC PING command"; flow:from_server,established; content:"PING|20|"; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002027; classtype:misc-activity; sid:2002027; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Spy.Win32.Zbot.djrm Checkin"; flow:to_server,established; content:"/index.html?mac="; http_uri; content:"&ver="; http_uri; content:"&os="; http_uri; content:"&dtime="; fast_pattern; http_uri; content:"User-Agent|3a| baidu|0d 0a|"; http_header; reference:md5,b895249cce7d2c27cb9c480feb36560c; reference:md5,f70a5f52d4c0071963602c25b62865cb; classtype:command-and-control; sid:2014399; rev:3; metadata:created_at 2012_03_15, former_category MALWARE, updated_at 2012_03_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unkown exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014658; rev:1; metadata:created_at 2012_04_30, former_category EXPLOIT_KIT, updated_at 2012_04_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Rimecud /qvod/ff.txt Checkin"; flow:established,to_server; content:"/qvod/ff.txt"; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRimecud; reference:md5,f97e1c4aefbd2595fcfeb0f482c47517; reference:md5,f96a29bcf6cba870efd8f7dd9344c39e; reference:md5,fae8675502d909d6b546c111625bcfba; classtype:trojan-activity; sid:2014401; rev:2; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Infostealer exe Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/crack."; http_uri; content:".exe"; http_uri; pcre:"/\/crack\.\d+\.exe$/Ui"; classtype:trojan-activity; sid:2010059; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS-Banker.gen.b Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/curubacom.php?"; http_uri; nocase; content:"op="; http_uri; nocase; reference:md5,e3fdf31ce57b3807352971a62f85c55b; classtype:trojan-activity; sid:2012592; rev:5; metadata:created_at 2011_03_28, updated_at 2011_03_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE P2P Zeus or ZeroAccess Request To CnC"; flow:established,to_server; dsize:20; content:"|E5 AA C0 31|"; depth:4; content:"|5B 74 08 4D 9B 39 C1|"; distance:5; within:7; reference:url,www.abuse.ch/?p=3499; reference:url,www.kindsight.net/sites/default/files/Kindsight_Malware_Analysis-ZeroAcess-Botnet-final.pdf; classtype:command-and-control; sid:2013911; rev:9; metadata:created_at 2011_11_11, former_category MALWARE, updated_at 2011_11_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Best Spyware Scanner FaveAV Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/BestSpywareScanner_Setup.exe"; nocase; http_uri; classtype:trojan-activity; sid:2012590; rev:5; metadata:created_at 2011_03_28, updated_at 2011_03_28;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014662; rev:1; metadata:created_at 2012_05_02, former_category DOS, updated_at 2012_05_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/PaPaPaEdge.Adware/Gambling Poker-Edge Checkin"; flow:established,to_server; content:"/xml_action.php?user="; http_uri; content:"&appid="; http_uri; content:"&hwid="; http_uri; content:"&id="; http_uri; content:".poker-edge.com|0d 0a|"; http_header; reference:md5,f9d226bf9807c72432050f7dcb396b06; classtype:pup-activity; sid:2014403; rev:2; metadata:created_at 2012_03_20, former_category ADWARE_PUP, updated_at 2012_03_20;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Negative Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,&,0x80,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014663; rev:1; metadata:created_at 2012_05_02, former_category DOS, updated_at 2012_05_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Clicker.Win32.Agent.qqf Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"|2f|sogou"; http_uri; pcre:"/\x2fsogou(config)?\x2f/Ui"; reference:md5,f468778836fd27a2ccca88c99f6dd3e9; classtype:trojan-activity; sid:2012643; rev:2; metadata:created_at 2011_04_06, updated_at 2011_04_06;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt Negative INT"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_test:1,&,0x80,1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014430; rev:13; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 897 (msg:"ET DELETED Backdoor PcClient.CAK.Pakes POST on non-http Port"; flow:established,to_server; content:"POST"; nocase; http_method; content:".jsp"; nocase; depth:35; pcre:"/\/\d{8,}\/\d{4,}\/\d{4,}\.jsp/"; reference:url,doc.emergingthreats.net/2009093; classtype:trojan-activity; sid:2009093; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Virtual Technician MVT.MVTControl.6300 ActiveX Control GetObject method Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF"; nocase; distance:0; content:".GetObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/18805/; classtype:attempted-user; sid:2014708; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Weatherbug Activity"; flow: to_server,established; content:"weatherbug.com|0d 0a|"; nocase; http_header; threshold: type limit, track by_src, count 1, seconds 3600; reference:url,doc.emergingthreats.net/bin/view/Main/2001267; classtype:misc-activity; sid:2001267; rev:18; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Virtual Technician MVT.MVTControl.6300 ActiveX Control GetObject method Remote Code Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MVT.MVTControl.6300"; nocase; distance:0; content:".GetObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/18805/; classtype:attempted-user; sid:2014709; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Bifrose.Backdoor Checkin Attempt via Facebook"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/omaha/update.php?"; http_uri; content:"User-Agent|3A 20|Facebook Update/"; http_header; content:"winhttp|3b|"; http_header; reference:md5,61661202e320dd91e4f7e4a10616eefc; classtype:trojan-activity; sid:2014404; rev:3; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Samsung NET-i Viewer Active-X SEH Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"FA6E2EA9-D816-4F00-940B-609C9E8847A4"; nocase; distance:0; content:"RequestScreenOptimization"; nocase; distance:0; reference:url,packetstormsecurity.com/files/112363; classtype:attempted-user; sid:2014710; rev:3; metadata:created_at 2012_05_04, former_category ACTIVEX, updated_at 2012_05_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (png)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".png"; nocase; http_uri; content:".png HTTP"; nocase; pcre:"/\.png$/Ui"; reference:url,doc.emergingthreats.net/2010070; classtype:trojan-activity; sid:2010070; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"WebexUCFObject.WebexUCFObject"; nocase; distance:0; content:"NewObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/16604/; classtype:attempted-user; sid:2014713; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (jpeg)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".jpeg"; nocase; http_uri; content:".jpeg HTTP"; nocase; pcre:"/\.jpeg$/i"; reference:url,doc.emergingthreats.net/2010068; classtype:trojan-activity; sid:2010068; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow 2"; flow:to_client,established; content:"CLSID"; nocase; content:"32E26FD9-F435-4A20-A561-35D4B987CFDC"; nocase; distance:0; content:"NewObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/16604/; classtype:attempted-user; sid:2014714; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (bmp)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".bmp"; nocase; http_uri; content:".bmp HTTP"; nocase; pcre:"/\.bmp$/i"; reference:url,doc.emergingthreats.net/2010069; classtype:trojan-activity; sid:2010069; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Simbot.Backdoor Checkin"; flow:established,to_server; content:"/rclgx.php?id="; depth:14; http_uri; reference:md5,a4edc9d31bc0ad763b3424e9306f4d7c; classtype:command-and-control; sid:2014719; rev:2; metadata:created_at 2012_05_08, former_category MALWARE, updated_at 2012_05_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Downloader.Win32.Small Checkin"; flow:to_server,established; content:"GET"; http_method; nocase; content:"|2e|ashx|3f|m|3d|"; http_uri; content:"|2d|"; distance:2; within:1; http_uri; content:"|26|mid|3d|"; http_uri; distance:0; content:"|26|tid|3d|"; http_uri; distance:0; content:"|26|d|3d|"; http_uri; distance:0; content:"|26|uid|3d|"; http_uri; distance:0; content:"|26|t|3d|"; http_uri; distance:0; reference:md5,48432bdd116dccb684c8cef84579b963; classtype:command-and-control; sid:2012839; rev:4; metadata:created_at 2011_05_23, former_category MALWARE, updated_at 2011_05_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader/Agent.dxh.1 Reporting to CnC"; flow:established,to_server; dsize:80<>110; content:"!"; depth:1; content:"|5C 7C 3F 2F|"; within:6; content:".exe|5C 7C 3F 2F|"; distance:0; reference:md5,ded49b8c92d7ab6725649f04f30df8ce; classtype:command-and-control; sid:2014720; rev:2; metadata:created_at 2012_05_08, former_category MALWARE, updated_at 2012_05_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi posting form data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"name=\"upload_file\""; http_client_body; content:"URL|3a|"; http_client_body; classtype:trojan-activity; sid:2012871; rev:4; metadata:created_at 2011_05_27, updated_at 2011_05_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Boatz Checkin"; flow:to_server,established; content:"/clients.php?os="; http_uri; content:"&name="; distance:0; http_uri; content:"&id="; distance:0; http_uri; content:"&loc="; distance:0; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/pastebin-shares-botnet-source-code; classtype:command-and-control; sid:2014721; rev:2; metadata:created_at 2012_05_08, former_category MALWARE, updated_at 2012_05_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CPL Trojan Downloader Request"; flow:established,to_server; content:".cpl?|20|HTTP/1.1"; nocase; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2012910; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_06_01, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspicious lcon http header in response seen with Medfos/Midhos downloader"; flow:to_client,established; content:"|0d 0a|lcon|3a 20|"; http_header; reference:md5,63491dcc8e897bf442599febe48b824d; classtype:trojan-activity; sid:2014723; rev:2; metadata:created_at 2012_05_08, updated_at 2012_05_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic adClicker Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"web"; http_uri; content:"getinfo"; http_uri; content:".aspx?"; http_uri; content:"ver="; http_uri; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; classtype:command-and-control; sid:2012934; rev:4; metadata:created_at 2011_06_06, former_category MALWARE, updated_at 2011_06_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Snap Bot Checkin"; flow:to_server,established; content:"id="; depth:3; http_client_body; content:"&s5_uidx="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&s5="; distance:0; http_client_body; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:command-and-control; sid:2014731; rev:2; metadata:created_at 2012_05_11, former_category MALWARE, updated_at 2012_05_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WebToolbar.Win32.WhenU.r Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/prod/MEADInst.exe"; http_uri; nocase; reference:md5,27867435a1b6b3f35daf13faac6f77b7; classtype:trojan-activity; sid:2013034; rev:4; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Snap Bot Receiving DDoS Command"; flow:to_client,established; content:"|0d 0a 0d 0a|"; content:"|7c|ddos|7c|"; distance:1; within:10; nocase; pcre:"/^\d+\x7cddos\x7c([^\x7c]+\x7c){5}[^\x7c]+$/mi"; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014733; rev:5; metadata:created_at 2012_05_11, updated_at 2012_05_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper.MSIL.Agent.ate Checkin"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/bot.php?"; http_uri; content:"hwid="; http_uri; content:"pcname="; http_uri; reference:md5,4860e53b7e71cd57956e10ef48342b5f; classtype:command-and-control; sid:2013071; rev:4; metadata:created_at 2011_06_21, former_category MALWARE, updated_at 2011_06_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Snap Bot Receiving Download Command"; flow:to_client,established; content:"|0d 0a 0d 0a|"; content:"|7c|dlexec|7c|"; nocase; distance:1; within:12; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; pcre:"/^\d+\x7cdlexec\x7c([^\x7c]+\x7c){3}[^\x7c]+$/mi"; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014732; rev:4; metadata:created_at 2012_05_11, updated_at 2012_05_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:2100257; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Java Exploit request to /24842.jar"; flow:established,to_server; content:"/24842.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014749; rev:1; metadata:created_at 2012_05_14, former_category EXPLOIT_KIT, updated_at 2012_05_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/UFR POST to CnC"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ufr/ufr.php"; http_uri; content:"UFR"; http_client_body; classtype:command-and-control; sid:2013424; rev:3; metadata:created_at 2011_08_18, updated_at 2011_08_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Votwup.Backdoor Checkin"; flow:established,to_server; content:"/ddos?uid="; http_uri; content:"&ver="; http_uri; reference:md5,1325e4e44b5bf2f8dfe550dec016da53; classtype:command-and-control; sid:2014760; rev:2; metadata:created_at 2012_05_17, former_category MALWARE, updated_at 2012_05_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cridex.B/Feodo Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/in"; offset:11; depth:3; http_uri; content:".ru"; http_header; pcre:"/\/\w{3}\/\w\d_\w\w\w\/in\/?$/Ui"; pcre:"/Host\x3a\s[a-z]{15,19}\.ru(\x3a8080)?/Hm"; reference:md5,7ed139b53e24e4385c4c59cd2aa0e5f7; reference:url,labs.m86security.com/2012/03/the-cridex-trojan-targets-137-financial-organizations-in-one-go/; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html; reference:url,about-threats.trendmicro.com/Malware.aspx?language=us&name=WORM_CRIDEX.IC; classtype:command-and-control; sid:2014405; rev:10; metadata:created_at 2012_02_29, former_category MALWARE, updated_at 2012_02_29;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SpyBanker Infection Confirmation Email 2"; flow:established,to_server; content:"From|3A 20 22|Infected|22|"; reference:md5,f091e8ed0e8f4953ff10ce3bd06dbe54; classtype:trojan-activity; sid:2014762; rev:2; metadata:created_at 2012_05_17, updated_at 2012_05_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/VB.HV Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/popcode.php?aid="; http_uri; content:"&lc="; http_uri; content:"&domain="; http_uri; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FVB.HV; classtype:command-and-control; sid:2013456; rev:5; metadata:created_at 2011_08_24, former_category MALWARE, updated_at 2011_08_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Win32/MultiPasswordRecovery.A cs-crash PWS"; flow:to_server,established; content:"X-Mailer|3a| Blat "; content:"Subject|3A 20|Contents of file|3A 20|stdin.txt"; content:"name|3D|"; distance:0; content:".mpf"; within:24; classtype:trojan-activity; sid:2014793; rev:3; metadata:created_at 2012_05_19, updated_at 2012_05_19;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NgrBot IRC CnC Channel Join"; flow:established,to_server; content:"PASS ngrBot"; content:"NICK"; distance:0; reference:url,stopmalvertising.com/rootkits/analysis-of-ngrbot.html; classtype:command-and-control; sid:2013451; rev:3; metadata:created_at 2011_08_24, former_category MALWARE, updated_at 2011_08_24;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"GPL RPC kerberos principal name overflow UDP"; content:"j"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2102578; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET 8888 -> any any (msg:"ET MOBILE_MALWARE iOS Keylogger iKeyMonitor access"; flow:from_server,established; content:"/><title>Keystrokes - iKeyMonitor</title><style "; reference:url,moreinfo.thebigboss.org/moreinfo/depiction.php?file=ikeymonitorDp; classtype:policy-violation; sid:2014406; rev:2; metadata:created_at 2012_03_21, updated_at 2012_03_21;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"GPL RPC kerberos principal name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2102579; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/iGrabber Info Stealer FTP Upload"; flow:established,to_server; content:"iGrabber Logs"; classtype:trojan-activity; sid:2013543; rev:3; metadata:created_at 2011_09_06, updated_at 2011_09_06;)
+#alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; flowbits:unset,smb.trans2; byte_test:2,>,15,34,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103143; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus/Aeausuc P2P Variant Retrieving Peers List"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gameover"; http_uri; pcre:"/gameover(\d+)?\.php/U"; content:" HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|X-ID|3a|"; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013740; rev:9; metadata:created_at 2011_10_05, updated_at 2011_10_05;)
+#alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103144; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Einstein CnC Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?id="; http_uri; content:"&ext="; http_uri; pcre:"/\x2F[a-z]{5}\x2Ephp\x3Fid\x3D/U"; reference:url,www.cyberesi.com/2011/10/06/trojan-matryoshka-and-trojan-einstein/; classtype:command-and-control; sid:2013767; rev:3; metadata:created_at 2011_10_12, former_category MALWARE, updated_at 2011_10_12;)
+#alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; flowbits:unset,smb.trans2; byte_test:2,>,15,34,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103145; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Scar.dvov Searchstar.co.kr related Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/juso_return.php?mode="; http_uri; content:"&pluslook_p"; http_uri; reference:md5,07ed70b6e7775a510d725c9f032c70d8; classtype:command-and-control; sid:2013781; rev:4; metadata:created_at 2011_10_19, former_category MALWARE, updated_at 2011_10_19;)
+#alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103146; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sefbov.E Reporting"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CallBack/SomeScripts/mgsGetMGList.php"; nocase; http_uri; reference:md5,f50d954f1fd38c6eb10e7e399caab480; classtype:trojan-activity; sid:2013868; rev:4; metadata:created_at 2011_11_08, updated_at 2011_11_08;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|07 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103135; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS.TIBIA Checkin or Data Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/arq.php"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; http_header; classtype:command-and-control; sid:2013948; rev:4; metadata:created_at 2011_11_23, former_category MALWARE, updated_at 2011_11_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103136; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS.TIBIA Checkin or Data Post 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/arq.php"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV2|0d 0a|"; http_header; classtype:command-and-control; sid:2013949; rev:4; metadata:created_at 2011_11_23, former_category MALWARE, updated_at 2011_11_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|07 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103137; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole Landing Page applet param window.document"; flow:established,from_server; content:"<applet"; content:"<param"; distance:0; content:"window.document"; distance:0; classtype:bad-unknown; sid:2014414; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103138; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (dwplayer)"; flow:established,to_server; content:"User-Agent|3a| dwplayer"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008489; classtype:policy-violation; sid:2008489; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Informational, tag User_Agent, updated_at 2017_10_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|01 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103139; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE VMProtect Packed Binary Inbound via HTTP - Likely Hostile"; flow:established,from_server; content:"VirtualProtect|00|"; reference:url,doc.emergingthreats.net/2009080; classtype:trojan-activity; sid:2009080; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103140; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NtQueryInformationProcess Possibly Checking for Debugger"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"NtQueryInformationProcess"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012764; rev:5; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|01 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103141; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT GetStartupInfo"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"GetStartupInfo"; distance:0; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012765; rev:7; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Delf Checkin via HTTP (8)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"name="; http_client_body; depth:5; reference:url,doc.emergingthreats.net/2008268; classtype:trojan-activity; sid:2008268; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT ZwProtectVirtualMemory - Undocumented API Which Can be Used for Rootkit Functionality"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"ZwProtectVirtualMemory"; distance:0; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012768; rev:7; metadata:created_at 2011_05_03, former_category MALWARE, updated_at 2011_05_03;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page getElementByID Qwe - May 22nd 2012"; flow:established,to_client; content:"getElementById']('qwe')"; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014800; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_23, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT Checking for Debugger"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"DebuggerPresent"; nocase; distance:0; pcre:"/(Is|CheckRemote)DebuggerPresent/i"; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012763; rev:9; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown java_ara Bin Download"; flow:established,to_server; content:"java_ara&name="; http_uri; content:"/forum/"; http_uri; content:".php?"; http_uri; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014805; rev:2; metadata:created_at 2012_05_24, former_category CURRENT_EVENTS, updated_at 2012_05_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT SetKeyboardState - Can Be Used for Keylogging"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"SetKeyboardState"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012780; rev:6; metadata:created_at 2011_05_03, former_category POLICY, updated_at 2011_05_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Wimmie.A Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/count.php?m=w&n="; http_uri; content:"_"; distance:0; http_uri; content:"@."; distance:0; http_uri; content:"|16 00 00 00|down"; http_client_body; depth:8; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; reference:md5,61474931882dce7b1c67e1f22d26187e; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AVBS%2FWimmie.A; reference:md5,6fd7493e56fdc3b0dd8ecd24aea20da1; classtype:command-and-control; sid:2014804; rev:6; metadata:created_at 2011_11_05, former_category MALWARE, updated_at 2011_11_05;)
 
-#alert http any any -> $HOME_NET any (msg:"ET DELETED Windows executable sent when remote host claims to send image, Win32"; flow: established,from_server; content:"Content-Type|3a| image"; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2001684; classtype:trojan-activity; sid:2001684; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Thetatic.A Client POST Get CMD Checkin"; flow:established,to_server; content:"POST"; http_method; content:"CONTENT-TYPE|3a| application/x-www-form-urlencoded"; fast_pattern; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Win32|3b| WinHttp.WinHttpRequest.5)"; http_header; content:"cstype="; http_client_body; depth:7; content:"&authname="; distance:0; http_client_body; classtype:trojan-activity; sid:2014794; rev:4; metadata:created_at 2012_05_22, updated_at 2012_05_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Windows executable sent when remote host claims to send Javascript"; flow:established,from_server; content:"Content-Type|3a| application/"; content:"javascript|0d 0a|"; within:14; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008367; classtype:trojan-activity; sid:2008367; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DYNAMIC_DNS HTTP Request to a *.dyndns.* domain"; flow:established,to_server; content:".dyndns."; http_header; nocase; pcre:"/\.dyndns\.(?=(biz|info|org|tv))\x0d\x0a/iH"; classtype:bad-unknown; sid:2012927; rev:4; metadata:created_at 2011_06_03, updated_at 2011_06_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT GetComputerName"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"GetComputerName"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012766; rev:5; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain"; flow:established,to_server; content:".dyndns-"; http_header; nocase; pcre:"/\.dyndns-(?=(at-home|at-work|blog|free|home|ip|mail|office|pics|remote|server|web|wiki|work))\.com\x0d\x0a/iH"; classtype:bad-unknown; sid:2012928; rev:7; metadata:created_at 2011_06_03, updated_at 2011_06_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT ActiveX Control PlayerPT.ocx Access 2"; flow:from_server,established; content:"<object"; nocase; content:"E065E4A-BD9D-4547-8F90-985DC62A5591"; nocase; distance:0; content:"|2e|SetSource("; distance:0; reference:url,retrogod.altervista.org/9sg_linksys_playerpt.htm; classtype:command-and-control; sid:2014417; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_23, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CrazyWinnings.com Activity"; flow: established,to_server; content:"/scripts/protect.php?promo=promo"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001733; classtype:trojan-activity; sid:2001733; rev:8; metadata:created_at 2010_07_30, updated_at 2016_09_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT ActiveX Control PlayerPT.ocx Access 1"; flow:from_server,established; content:"<script"; nocase; content:"PLAYERPT.PlayerPTCtrl.1"; nocase; distance:0; content:"|2e|SetSource("; distance:0; pcre:"/(ActiveXObject|CreateObject)\s*\(\s*(\x22|\x27)PLAYERPT\.PlayerPTCtrl\.1/iG"; reference:url,retrogod.altervista.org/9sg_linksys_playerpt.htm; classtype:command-and-control; sid:2014416; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_23, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito Exploit Kit landing page request to images.php?t=4xxxxxxx"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:22; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014641; rev:4; metadata:created_at 2012_04_26, former_category EXPLOIT_KIT, updated_at 2012_04_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X Client for RDP ClientSystem Class ActiveX Control InstallClient Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TuxClientSystem.ClientSystem.1"; nocase; distance:0; content:"InstallClient"; nocase; reference:url,www.exploit-db.com/exploits/18624/; classtype:attempted-user; sid:2014423; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET DELETED Storm Controller Response to Drone via tcp"; flowbits:isset,BE.stormtcp.init; flow:established,from_server; dsize:4; reference:url,doc.emergingthreats.net/bin/view/Main/StormWorm; classtype:trojan-activity; sid:2007641; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ExportSettings Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TuxScripting.TuxSystem.1"; nocase; distance:0; content:"ExportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014421; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Making initial outbound connection"; flowbits:isnotset,BE.stormtcp.init; flow:established,to_server; dsize:4; flowbits:noalert; flowbits:set,BE.stormtcp.init; reference:url,doc.emergingthreats.net/bin/view/Main/StormWorm; classtype:trojan-activity; sid:2007640; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ExportSettings Remote File Overwrite Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"5BD64392-DA66-4852-9715-CFBA98D25296"; nocase; distance:0; content:"ExportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014420; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Sefnit Checkin 3"; flow:established,to_server; content:"?re="; http_uri; content:"&r="; distance:0; http_uri; content:"&u="; distance:0; http_uri; content:"&cid="; distance:0; http_uri; content:"&rc="; distance:0; http_uri; content:"&pa="; distance:0; http_uri; content:"&ref1="; distance:0; http_uri; content:"&ref2="; distance:0; http_uri; classtype:trojan-activity; sid:2014246; rev:3; metadata:created_at 2012_02_21, updated_at 2012_02_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ImportSettings Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TuxScripting.TuxSystem.1"; nocase; distance:0; content:"ImportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014419; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Packed Executable Download"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; isdataat:100,relative; content:"This program "; distance:0; content:"PE|00 00|"; distance:0; content:!"data"; within:400; content:!"text"; within:400; content:!"rsrc"; within:400; classtype:misc-activity; sid:2014819; rev:3; metadata:created_at 2012_05_30, updated_at 2012_05_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ImportSettings Remote File Overwrite Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"5BD64392-DA66-4852-9715-CFBA98D25296"; nocase; distance:0; content:"ImportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014418; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 88 (msg:"ET MALWARE Virus.Win32.Sality.aa Checkin"; flow:established,to_server; content:".txt"; http_uri; pcre:"/\.txt$/U"; content:"User-Agent|3a| Download|0d 0a|"; http_header; reference:md5,1e0e6717f72b66f6fc83f2ef6c00dcb7; classtype:command-and-control; sid:2014826; rev:5; metadata:created_at 2012_04_09, former_category MALWARE, updated_at 2012_04_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Trojan User-Agent (Windows Updates Manager)"; flow:to_server,established; content:"User-Agent|3a| Windows Updates Manager"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003585; classtype:pup-activity; sid:2003585; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound Variant 4"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS_AIR_CARGO_bar-coded-lot-labels-EXAMPLE.zip|22|"; nocase; within:100; classtype:trojan-activity; sid:2012235; rev:3; metadata:created_at 2011_01_27, updated_at 2011_01_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32.PowerPointer checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"<packet>"; http_client_body; content:"</packet>"; http_client_body; classtype:command-and-control; sid:2014040; rev:3; metadata:created_at 2011_12_28, former_category MALWARE, updated_at 2011_12_28;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Inbound bad attachment v.4"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS_AIR_CARGO_bar-coded-lot-labels-EXAMPLE.zip|22| "; nocase; within:100; classtype:trojan-activity; sid:2012442; rev:2; metadata:created_at 2011_03_09, updated_at 2011_03_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Clicker.Win32.VB.gnf Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/channel/onSale.htm?"; nocase; http_uri; content:"pid="; nocase; http_uri; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanClicker%3AWin32%2FVB.GE; classtype:trojan-activity; sid:2014066; rev:4; metadata:created_at 2012_01_02, updated_at 2012_01_02;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS FedEX Spam Inbound"; flow:established,to_server; content:"name=|22|FEDEX"; nocase; content:".zip|22|"; within:47; nocase; pcre:"/name=\x22FEDEX(\s|_|\-)?[a-z0-9\-_\.\s]{0,42}\.zip\x22/i"; classtype:trojan-activity; sid:2014827; rev:2; metadata:created_at 2012_05_30, updated_at 2012_05_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN Win32.OnlineGames.Bft Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/urlrcv.php?"; nocase; http_uri; content:"mc="; nocase; http_uri; content:"sc="; nocase; http_uri; content:"uuid="; nocase; http_uri; reference:md5,e488fca95cb923a0ecd329642c076e0d; reference:url,www.thespywaredetector.com/spywareinfo.aspx?ID=1874131; classtype:trojan-activity; sid:2014084; rev:5; metadata:created_at 2012_01_03, updated_at 2012_01_03;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Post Express Spam Inbound"; flow:established,to_server; content:"name=|22|Post_Express_Label_"; nocase; content:".zip|22|"; within:15; nocase; pcre:"/name=\x22Post_Express_Label_[a-z0-9\-_\.\s]{0,10}\.zip\x22/i"; classtype:trojan-activity; sid:2014829; rev:1; metadata:created_at 2012_05_30, updated_at 2012_05_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus POST Request to CnC - cookie variation"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|20|HTTP/1."; content:"|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|en-us|0d 0a|Cookie|3a 20|cid="; distance:1; within:51; content:"User-Agent|3a 20|Mozilla"; distance:0; content:"Host|3a 20|"; distance:0; content:"Content-Length|3a 20|"; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0d 0a|"; distance:0; content:"|3a| no-cache|0d 0a 0d 0a|"; distance:0; reference:url,zeustracker.abuse.ch/monitor.php?search=209.59.216.103; classtype:command-and-control; sid:2014107; rev:3; metadata:created_at 2012_01_10, former_category MALWARE, updated_at 2012_01_10;)
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; classtype:policy-violation; sid:2102458; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf/Troxen/Zema Reporting 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?m="; http_uri; content:"&s="; http_uri; content:"&v="; http_uri; content:"User-Agent|3a| build"; http_header; pcre:"/\.php\?m=[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}&[vs]=/Ui"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014114; rev:4; metadata:created_at 2012_01_12, updated_at 2012_01_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Feodo/Cridex Traffic Detected"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/zb/v_01_a/in/"; http_uri; classtype:trojan-activity; sid:2014841; rev:2; metadata:created_at 2012_06_01, updated_at 2012_06_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf/Troxen/Zema Reporting 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?s="; http_uri; content:"&m="; http_uri; content:"User-Agent|3a| build"; http_header; pcre:"/\.php\?s=\d&m=[A-F0-9]{16}$/Ui"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014115; rev:3; metadata:created_at 2012_01_12, updated_at 2012_01_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS webshell used In timthumb attacks GIF98a 16129xX with PHP"; flow:to_client,established; file_data; content:"|0d 0a 0d 0a|GIF89a|01 3f|"; content:"<?"; within:720; reference:url,blog.sucuri.net/2012/05/list-of-domains-hosting-webshells-for-timthumb-attacks.html; classtype:web-application-attack; sid:2014848; rev:3; metadata:created_at 2012_06_01, updated_at 2012_06_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye Checkin version 1.3.25 or later 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"data=6Prm67"; depth:11; http_client_body; classtype:command-and-control; sid:2014044; rev:5; metadata:created_at 2011_12_28, former_category MALWARE, updated_at 2011_12_28;)
+#alert http $HOME_NET any -> any any (msg:"ET MALWARE Flamer WuSetupV module traffic 2"; flow:established,to_server; content:"?ac=1"; http_uri; content:"&fd="; http_uri; distance:0; content:"&gb="; http_uri; distance:0; content:"&rt="; http_uri; reference:md5,1f61d280067e2564999cac20e386041c; classtype:trojan-activity; sid:2014850; rev:5; metadata:created_at 2012_06_04, updated_at 2012_06_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UPDATE Protocol Trojan Communication detected on http ports"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/update?product=windows"; http_uri; content:"X-Status|3A|"; http_header; content:"X-Size|3A|"; http_header; content:"X-Sn|3A|"; http_header; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b|SV1|3b 0d 0a|"; http_header; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014223; rev:4; metadata:created_at 2012_02_14, updated_at 2012_02_14;)
+#alert http $HOME_NET any -> any any (msg:"ET MALWARE Flamer WuSetupV module traffic 1"; flow:established,to_server; content:"?mp=1"; http_uri; content:"&jz="; http_uri; distance:0; content:"&fd="; http_uri; distance:0; content:"&am="; http_uri; distance:0; content:"&ef="; http_uri; distance:0; content:"&pr="; http_uri; distance:0; content:"&ec="; http_uri; distance:0; content:"&ov="; http_uri; distance:0; content:"&pl="; http_uri; distance:0; reference:md5,1f61d280067e2564999cac20e386041c; classtype:trojan-activity; sid:2014849; rev:3; metadata:created_at 2012_06_04, updated_at 2012_06_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE UPDATE Protocol Trojan Communication detected on non-http ports"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/update?product=windows"; http_uri; content:"X-Status|3A|"; http_header; content:"X-Size|3A|"; http_header; content:"X-Sn|3A|"; http_header; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b|SV1|3b 0d 0a|"; http_header; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014224; rev:4; metadata:created_at 2012_02_14, updated_at 2012_02_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sakura Exploit Kit Version 1.1 document.write Fake 404 - Landing Page"; flow:established,to_client; content:"document.write(|22|404|22 3B|"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:exploit-kit; sid:2014852; rev:3; metadata:created_at 2012_06_05, former_category EXPLOIT_KIT, updated_at 2012_06_05;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Duptwux/Ganelp FTP Username - onthelinux"; flow:established,to_server; content:"USER onthelinux"; classtype:trojan-activity; sid:2014239; rev:3; metadata:created_at 2012_02_18, updated_at 2012_02_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAvCn-A Checkin 2"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/support/sr"; http_uri; fast_pattern:only; urilen:11; classtype:trojan-activity; sid:2014856; rev:2; metadata:created_at 2012_06_05, updated_at 2012_06_05;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Java Rhino Exploit Attempt - evilcode.class"; flow:established,to_client; content:"code=|22|evilcode.class|22|"; nocase; fast_pattern:only; reference:cve,2011-3544; classtype:attempted-user; sid:2014429; rev:5; metadata:created_at 2012_03_26, former_category CURRENT_EVENTS, updated_at 2012_03_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MP4 Embedded in PDF File - Potential Flash Exploit"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"stream"; distance:0; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; reference:cve,2012-0754; reference:url,blog.9bplus.com/observing-the-enemy-cve-2012-0754-pdf-interac; classtype:bad-unknown; sid:2014865; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_07, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SelfStarterInternet.InfoStealer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/login.aspx?ReturnUrl=/card/Pay_query.aspx"; http_uri; content:"VIEWSTATE="; nocase; http_client_body; content:"EVENTVALIDATION="; nocase; distance:0; http_client_body; content:"&txtUser="; nocase; distance:0; http_client_body; content:"&txtPwd="; nocase; distance:0; http_client_body; content:"&btnEnter="; nocase; distance:0; http_client_body; reference:md5,67c748f3ecc0278f1f94596f86edc509; classtype:command-and-control; sid:2014307; rev:4; metadata:created_at 2012_03_05, former_category MALWARE, updated_at 2012_03_05;)
+alert http any any -> $HOME_NET any (msg:"ET POLICY SN and CN From MS TS Revoked Cert Chain Seen"; flow:established,from_server; content:"|c1 00 8b 3c 3c 88 11 d1 3e f6 63 ec df 40|"; content:"Microsoft Root Authority"; distance:105; within:24; content:"Microsoft Enforced Licensing Intermediate PCA"; distance:0; content:"|61 1a 02 b7 00 02 00 00 00 12|"; distance:0; content:"Microsoft Enforced Licensing Registration Authority CA"; distance:378; within:54; reference:url,blog.crysys.hu/2012/06/the-flame-malware-wusetupv-exe-certificate-chain/; reference:url,rmhrisk.wpengine.com/?p=52; reference:url,msdn.microsoft.com/en-us/library/aa448396.aspx; reference:md5,1f61d280067e2564999cac20e386041c; classtype:bad-unknown; sid:2014870; rev:4; metadata:created_at 2012_06_08, updated_at 2012_06_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 4 byte"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02 04|"; distance:1; within:2; byte_test:4,<,0x06,0,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014434; rev:10; metadata:created_at 2012_03_24, updated_at 2012_03_24;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Self Signed SSL Certificate (Reaserch)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"Security Reaserch WWEB Group|2c| LLC"; classtype:trojan-activity; sid:2014871; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 3 byte"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02 03|"; distance:1; within:2; byte_test:3,<,0x06,0,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014433; rev:10; metadata:created_at 2012_03_24, updated_at 2012_03_24;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Self Signed SSL Certificate (John Doe)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|08|John Doe0"; classtype:trojan-activity; sid:2014872; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 2 byte"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02 02|"; distance:1; within:2; byte_test:2,<,0x06,0,relative,big;  reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014432; rev:9; metadata:created_at 2012_03_24, updated_at 2020_08_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Microsoft user-agent automated process response to automated request"; flow:established,from_server; content:"<p>Your current User-Agent string appears to be from an automated process,"; classtype:trojan-activity; sid:2012692; rev:6; metadata:created_at 2011_04_19, updated_at 2011_04_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Dropper.Wlock Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"hardware_id="; http_client_body; content:"&user_id="; http_client_body; content:"&os_ver="; http_client_body; content:"&os_sp="; http_client_body; content:"&os_arch="; http_client_body; reference:md5,881e21645e5ffe1ffb959835f8fdf71d; classtype:command-and-control; sid:2013768; rev:4; metadata:created_at 2011_10_12, former_category MALWARE, updated_at 2011_10_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE W32/Bakcorox.A ProxyBot CnC Server Connection"; flow:established,to_server; content:"GET favicon.ico HTTP/1.1"; depth:24; content:"Host|3A 20|bcProxyBot.com"; fast_pattern; distance:0; reference:url,contagioexchange.blogspot.co.uk/2012/06/022-crime-win32bakcoroxa-proxy-bot-web.html; classtype:command-and-control; sid:2014887; rev:2; metadata:created_at 2012_06_12, former_category MALWARE, updated_at 2012_06_12;)
 
-#alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt"; flags:R; flow:to_server; flowbits:isset,ms.rdp.synack; flowbits:isnotset,ms.rdp.established; flowbits:unset,ms.rdp.synack; reference:cve,2012-0152; classtype:attempted-dos; sid:2014384; rev:8; metadata:created_at 2012_03_13, updated_at 2012_03_13;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Yahoo IM successful chat join"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 98|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001261; classtype:policy-violation; sid:2001261; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Page redirecting to driveby"; flow:from_server,established; content:"|0d 0a 0d 0a|"; content:"/Home/index.php\" width=1 height=1 scrolling=no></iframe>"; distance:0; classtype:bad-unknown; sid:2014444; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"ET DELETED Yahoo IM successful logon"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 01|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001253; classtype:policy-violation; sid:2001253; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Multiple Levels of Javascript Encoding & Compression Filters in PDF, Possibly Hostile PDF"; flow:established,to_client; content:"PDF-"; depth:300; content:"/Filter"; nocase; distance:0; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; reference:url,www.symantec.com/connect/blogs/journey-center-pdf-stream; reference:url,doc.emergingthreats.net/2011008; classtype:misc-activity; sid:2011008; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL DELETED Yahoo IM successful logon"; flow:from_server,established; content:"YMSG"; nocase; content:"|00 01|"; distance:6; within:2; classtype:policy-violation; sid:2102450; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Karagany/Kazy Obfuscated Payload Download"; flow:established,to_client; content:"Content-Disposition|3a| "; http_header; content:"windows-update-"; fast_pattern; http_header; distance:0; content:".exe"; distance:0; http_header; content:!"|0d 0a 0d 0a|MZ"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FKaragany.I; reference:url,www.virustotal.com/file/6c7ae03b8b660826f0c58bbec4208bf03e704201131b3b5c5709e5837bfdd218/analysis/1334672726/; classtype:trojan-activity; sid:2014230; rev:5; metadata:created_at 2012_02_16, updated_at 2012_02_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT RedKit - Java Exploit Requested - 5 digit jar"; flow:established,to_server; urilen:10; content:".jar"; http_uri; pcre:"/^\/[0-9]{5}\.jar$/U"; classtype:exploit-kit; sid:2014891; rev:1; metadata:created_at 2012_06_14, former_category CURRENT_EVENTS, updated_at 2012_06_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Backdoor.Kbot Config Retrieval"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/getcfg.php"; http_uri; content:"oop="; http_client_body; depth:4; reference:md5,b8ee86e57261fd3fb422a2b20a3c3e09; classtype:trojan-activity; sid:2014291; rev:4; metadata:created_at 2012_02_29, updated_at 2012_02_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition: inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; content:"|0D 0A 0D 0A|PK"; pcre:"/=[0-9a-f]{8}\.jar/H"; classtype:exploit-kit; sid:2014892; rev:2; metadata:created_at 2012_06_14, former_category CURRENT_EVENTS, updated_at 2012_06_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest InTrust Annotation Objects ActiveX Control Add Access Potential Remote Code Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AnnotationX.AnnList.1"; nocase; distance:0; content:".Add("; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18674/; classtype:attempted-user; sid:2014454; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT RedKit - Landing Page Received - applet and code"; flow:established,to_client; content:"<applet"; content:"code="; pcre:"/code=\"[a-z]\.[a-z][\.\"][ c]/"; classtype:exploit-kit; sid:2014895; rev:2; metadata:created_at 2012_06_15, former_category CURRENT_EVENTS, updated_at 2012_06_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TRENDnet TV-IP121WN UltraMJCam ActiveX Control OpenFileDlg Access Potential Remote Stack Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11"; nocase; distance:0; content:".OpenFileDlg"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18675/; classtype:attempted-user; sid:2014455; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Camera Stream Client Possible ActiveX Control SetDirectory Method Access Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"DcsCliCtrl.DCSStrmControl.1"; nocase; distance:0; content:"SetDirectory"; nocase; distance:0; reference:url,secunia.com/advisories/48602/; classtype:attempted-user; sid:2014903; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_15, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TRENDnet TV-IP121WN UltraMJCam ActiveX Control OpenFileDlg Access Potential Remote Stack Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"UltraMJCam.UltraMJCam.1"; nocase; distance:0; content:".OpenFileDlg"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18675/; classtype:attempted-user; sid:2014456; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Camera Stream Client Possible ActiveX Control SetDirectory Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"721700FE-7F0E-49C5-BDED-CA92B7CB1245"; nocase; distance:0; content:"SetDirectory"; nocase; distance:0; reference:url,secunia.com/advisories/48602/; classtype:attempted-user; sid:2014902; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_15, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible UserManager SelectServer method Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT"; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"E5D2CE27-5FA0-11D2-A666-204C4F4F5020"; nocase; distance:0; content:"SelectServer"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E5D2CE27-5FA0-11D2-A666-204C4F4F5020/si"; reference:url,exploit-db.com/exploits/16002/; classtype:web-application-attack; sid:2012218; rev:3; metadata:created_at 2011_01_21, updated_at 2011_01_21;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO .exe File requested over FTP"; flow:established,to_server; dsize:>10; content:"RETR"; depth:4; content:".exe|0d 0a|"; distance:0; pcre:"/^RETR\s+[^\r\n]+?\x2eexe\r?$/m"; classtype:policy-violation; sid:2014906; rev:2; metadata:created_at 2012_06_15, updated_at 2012_06_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot Request to CnC 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"Accept|3a| */*|0d 0a|If-None-Match|3a| "; fast_pattern; depth:28; http_header; content:"Cache-Control|3a| no-cache|0d 0a|User-Agent|3a| Mozilla"; distance:0; http_header; content:"Connection|3a| Close|0d 0a 0d 0a|"; distance:0; http_header; classtype:command-and-control; sid:2013348; rev:8; metadata:created_at 2011_08_04, former_category MALWARE, updated_at 2011_08_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer SameID Use-After-Free"; flow:established,from_server; content:"<DIV id="; nocase; content:"<img id="; nocase; distance:0; content:".innerHTML"; distance:0; pcre:"/<DIV\s*?id[\s\r\n]*?\x3d[\s\r\n]*?(?P<divid>[^>]+).+?<img\s*id=\s*?\x22(?P<imgid>[^\x22]+).+?\<a\s*?href=\x22javascript\x3a(?P<firstfunction>[^\x28]+)\(\).+?\>.*?\<div[^\>]+?id=\x22(?P=imgid)\x22[^>]+?on[A-Za-z]+?\s*?=\s*?\x22(?P<secondfunction>[^\x28]+)\(\)\x3b\s*?\x22.+?function[\s\r\n]*?(?P=firstfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?(?P=divid)\x2einnerHTML\s*?\x3d\s*?(?P=divid)\x2einnerHTML[\s\r\n]*?\x3b.*?\x7d.*?function[\s\r\n]*?(?P=secondfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?\x28\x22(?P=imgid)\x22\x29\x2esrc\s*?\x3d/si"; reference:cve,CVE-2012-1875; classtype:attempted-user; sid:2014911; rev:10; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET 1723 -> $EXTERNAL_NET any (msg:"ET POLICY PPTP Requester is not authorized to establish a command channel"; flow:to_client,established,no_stream; content:"|00 01|"; offset:2; depth:4; content:"|00 02|"; offset:8; depth:10; content:"|04|"; offset:12; depth:13; reference:url,tools.ietf.org/html/rfc2637; reference:url,doc.emergingthreats.net/2009387; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2009-June/002705.html; classtype:attempted-admin; sid:2009387; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus iNotes Upload Module possible ActiveX Control Attachment_Times Method Access Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"0F2AAAE3-7E9E-4b64-AB5D-1CA24C6ACB9C"; nocase; distance:0; content:"Attachment_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49443/; classtype:attempted-user; sid:2014896; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_15, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SEO Exploit Kit - Landing Page"; flow:established,to_client; content:"<div id=\"obj\"></div><div id=\"pdf\"></div><div id=\"hcp\">"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2011812; rev:4; metadata:created_at 2010_10_13, former_category EXPLOIT_KIT, updated_at 2017_04_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NuclearPack - JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; pcre:"/=[.\"]\w{8}\.jar/Hi"; content:"|0D 0A 0D 0A|PK"; fast_pattern; classtype:exploit-kit; sid:2014913; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"GPL MISC return code buffer overflow attempt"; flow:to_client,established,no_stream; content:"200"; isdataat:64,relative; pcre:"/^200\s[^\n]{64}/smi"; reference:bugtraq,4900; reference:cve,2002-0909; classtype:protocol-command-decode; sid:2101792; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Variant 1 Traffic (1)"; dsize:25; content:"|10 a6|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007701; classtype:trojan-activity; sid:2007701; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED iframebiz - adv***.php"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/adv"; nocase; http_uri; pcre:"/adv\d+\.php/Ui"; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002707; classtype:trojan-activity; sid:2002707; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Variant 1 Traffic (2)"; dsize:25; content:"|10 a0|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007702; classtype:trojan-activity; sid:2007702; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3128:9000 (msg:"ET DELETED Possible Hupigon Connect"; flow:established,from_server; flowbits:set,ET.Hupinit2; dsize:<28; content:"HTTP/1.0 200 "; depth:13; flowbits:noalert; reference:url,doc.emergingthreats.net/2009290; classtype:trojan-activity; sid:2009290; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Armitage Exploit Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/bof.php"; http_uri; reference:url,doc.emergingthreats.net/2009032; classtype:trojan-activity; sid:2009032; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 3128:9000 -> $HOME_NET any (msg:"ET DELETED Hupigon CnC Client Status"; flow:established,to_server; flowbits:isset,ET.Hupinit2; dsize:<6; content:"|0d 0a|"; reference:url,doc.emergingthreats.net/2009291; classtype:command-and-control; sid:2009291; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Redkit Java Exploit request to b.class"; flow:established,to_server; urilen:10; content:"/b.class"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014824; rev:3; metadata:created_at 2012_05_30, updated_at 2012_05_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3128:9000 (msg:"ET DELETED Hupigon CnC Server Response"; flow:established,from_server; flowbits:isset,ET.Hupinit2; dsize:3; content:"|0d 0a|"; reference:url,doc.emergingthreats.net/2009292; classtype:command-and-control; sid:2009292; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito Landing Page Requested .php?showtopic=6digit"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.http.driveby.incognito.uri; urilen:25<>45; content:".php?showtopic="; http_uri; pcre:"/\.php\?showtopic=[0-9]{6}$/U"; classtype:exploit-kit; sid:2014922; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_06_20, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patcher/Bankpatch V2 Communication with Controller"; flow:established,to_server; content:"id="; nocase; http_uri; content:"&check="; nocase; http_uri; content:"&version2="; http_uri; nocase; pcre:"/\?id=[A-Za-z]+_[A-Za-z0-9]+&/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FBanker.O; classtype:trojan-activity; sid:2009408; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito Landing Page Received applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.incognito.uri; content:"<applet"; classtype:exploit-kit; sid:2014923; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_06_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBKrypt.cmtp Login to Server"; flow:to_server,established; content:"USER|20|lodosxxx"; reference:url,vil.nai.com/vil/content/v_377875.htm; classtype:trojan-activity; sid:2013092; rev:4; metadata:created_at 2011_06_22, updated_at 2011_06_22;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Unknown Java Malicious Jar /eeltff.jar"; flow:to_server,established; content:"/eeltff.jar"; nocase; http_uri; classtype:trojan-activity; sid:2014927; rev:1; metadata:created_at 2012_06_20, former_category CURRENT_EVENTS, updated_at 2012_06_20;)
 
-#alert tcp $SQL_SERVERS $ORACLE_PORTS -> $EXTERNAL_NET any (msg:"GPL SQL Oracle misparsed login response"; flow:to_server,established; content:"description=|28|"; nocase; content:!"connect_data=|28|sid="; nocase; content:!"address=|28|protocol=tcp"; nocase; classtype:suspicious-login; sid:2101675; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PDF embedded in XDP file (Possibly Malicious)"; flow:established, to_client; content:"<xdp|3a|xdp"; nocase; fast_pattern; content:"<pdf"; nocase; distance:0; pcre:"/\<xdp\x3axdp(\s+[^\>]*)?\>((?!\<\/xdp[^\>]*\>).)*?\<pdf/si"; reference:url,blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp; classtype:misc-attack; sid:2014926; rev:3; metadata:created_at 2012_06_20, updated_at 2012_06_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"ET EXPLOIT Arkeia full remote access without password or authentication"; flow:to_server,established; content:"|464F3A20596F75206861766520737563|"; content:"|6520636C69656E7420696E666F726D61|"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown - Java Request .jar from dl.dropbox.com"; flow:established,to_server; content:"dl.dropbox.com|0D 0A|"; http_header; content:" Java/1"; http_header; content:".jar"; http_uri; classtype:bad-unknown; sid:2014928; rev:1; metadata:created_at 2012_06_21, updated_at 2012_06_21;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MSUpdater post-auth checkin"; flow:established,to_server; content:"/search6"; http_uri; fast_pattern; content:"?h1="; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|Windows NT 5.2)"; http_header; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014214; rev:2; metadata:created_at 2012_02_07, updated_at 2012_02_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Java Url Lib User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"Java/"; nocase; http_header; pcre:"/^User-Agent\:[^\n]+Java\/\d\.\d/Hmi"; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002946; classtype:attempted-recon; sid:2002946; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Italian Spam Campaign"; flow:established,to_server; content:"/Dettagli.zip"; http_uri; reference:md5,c64504b68d34b18a370f5e77bd0b0337; classtype:trojan-activity; sid:2014458; rev:3; metadata:created_at 2012_04_03, updated_at 2012_04_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Ceckno Reporting to Controller"; flow:established,to_server; dsize:<30; content:"\:2|7c|"; depth:10; content:"|7c|"; distance:0; content:"|7c|"; distance:0; pcre:"/^\d+\x3a\d\x7c\d+\x7c[0-9a-z]+\x7c\d/i"; flowbits:set,ET.cekno.initial; reference:url,doc.emergingthreats.net/2008177; classtype:trojan-activity; sid:2008177; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer CTableRowCellsCollectionCacheItem.GetNext Memory Use-After-Free Attempt"; flow:established,to_client; content:"document.getElementById|28 27|tableid|27 29|.cloneNode"; nocase; content:"cells.urns"; nocase; distance:0; content:"cells.item"; nocase; distance:0; reference:url,dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:bid,37894; reference:cve,2010-0248; classtype:attempted-user; sid:2014463; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_04, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Gemini Malware Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?cmd=getFile&counter="; http_uri; pcre:"/\.php\?cmd=getFile&counter=\d/U"; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,doc.emergingthreats.net/2010007; classtype:trojan-activity; sid:2010007; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DwnLdr-JMZ Downloading Binary"; flow:established,to_server; content:"/ngt.exe"; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla|0d 0a|"; http_header; reference:url,sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-JMZ/detailed-analysis.aspx; classtype:trojan-activity; sid:2014464; rev:2; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Goldun Reporting Install"; flow:established,to_server; content:".php?codec="; http_uri; pcre:"/codec=\d+D\d+D\d/U"; reference:url,doc.emergingthreats.net/2007965; classtype:trojan-activity; sid:2007965; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DwnLdr-JMZ Downloading Binary 2"; flow:established,to_server; content:"/?path=qx200.exe"; http_uri; reference:url,sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-JMZ/detailed-analysis.aspx; classtype:trojan-activity; sid:2014465; rev:2; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC channel topic misc bot commands"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"|3a|"; content:"|20|332|20|"; within:50; content:"|2023|"; within:20; content:"|203a|"; pcre:"/(\.aim\w*|ascanall)\s+\w/i"; reference:url,doc.emergingthreats.net/2002386; classtype:trojan-activity; sid:2002386; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Blackhole PDF served from iframe"; flow:established,from_server; content:".pdf|27|/></iframe>"; fast_pattern:only; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:2014470; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in"; flow:established,to_server; content:"POST"; http_method; content:"/MicroinstallServiceReport.php"; http_uri; content:"report="; http_client_body; content:"&pid="; http_client_body; content:"&wv="; http_client_body; pcre:"/report=\d+&pid=\d+&wv=[A-Za-z0-9]/P"; reference:url,doc.emergingthreats.net/2010246; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; classtype:trojan-activity; sid:2010246; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Class Download By Vulnerable Client"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; content:"|0D 0A 0D 0A CA FE BA BE|"; classtype:trojan-activity; sid:2014475; rev:6; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Loader *.jpg?t=0.* in http_uri"; flow:established,to_server; content:".jpg?t=0."; http_uri; pcre:"/\.jpg\?t\x3d\d\.\d/U"; classtype:trojan-activity; sid:2013520; rev:4; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to Zaletelly CnC Domain zaletellyxx.be"; flow:established,to_server; content:"Host|3a| zaletelly"; http_header; nocase; content:".be|0d 0a|"; http_header; within:9; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32/Gamarue.F; classtype:command-and-control; sid:2014476; rev:2; metadata:created_at 2012_04_05, former_category MALWARE, updated_at 2012_04_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoreFlooder C&C Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/index.php"; http_uri; nocase; content:"r="; http_client_body; content:"&i="; http_client_body; content:"&v="; http_client_body; content:"&os="; http_client_body; content:"&panic="; fast_pattern; http_client_body; content:"&input="; http_client_body; reference:url,doc.emergingthreats.net/2009287; classtype:command-and-control; sid:2009287; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to Zaletelly CnC Domain atserverxx.info"; flow:established,to_server; content:"Host|3a| atserver"; http_header; nocase; content:".info|0d 0a|"; http_header; within:11; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32/Gamarue.F; classtype:command-and-control; sid:2014477; rev:2; metadata:created_at 2012_04_05, former_category MALWARE, updated_at 2012_04_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Bicololo.Dropper ne_unik CnC Server Response"; flow:established,to_client; content:"|0d 0a 0d 0a|ne_unik"; classtype:command-and-control; sid:2014933; rev:3; metadata:created_at 2012_06_22, former_category MALWARE, updated_at 2012_06_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Class Download"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; content:"|0D 0A 0D 0A CA FE BA BE|"; classtype:trojan-activity; sid:2014474; rev:6; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT Request to malicious info.php drive-by landing"; flow:established,to_server; content:"/info.php?n="; http_uri; fast_pattern:only; content:!"&"; http_uri; content:!"|0d 0a|Referer|3a|"; pcre:"/\/info.php\?n=\d/U"; classtype:trojan-activity; sid:2013010; rev:3; metadata:created_at 2011_06_10, former_category CURRENT_EVENTS, updated_at 2011_06_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Datamaikon Checkin NewAgent"; flow:to_server,established; content:"/index.dat?"; http_uri; content:" NewAgent|0d 0a|Host|3a| "; http_header; pcre:"/\/index.dat\?\d{5,9}$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDatamaikon.gen!A&ThreatID=-2147312276; reference:md5,77d68770fcdc6052bd8d761d14a14f5a; classtype:command-and-control; sid:2014467; rev:4; metadata:created_at 2012_04_04, former_category MALWARE, updated_at 2012_04_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Java Exploit Attempt Request for .id from octal host"; flow:established,to_server; content:".id|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012628; rev:5; metadata:created_at 2011_04_04, former_category CURRENT_EVENTS, updated_at 2011_04_04;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft PicturePusher ActiveX Cross Site File Upload Attack"; flow:from_server,established; content:"507813C3-0B26-47AD-A8C0-D483C7A21FA7"; nocase; pcre:"/http\://.*?[\w]{4,}=1/i"; pcre:"/(PostURL|AddSeperator|AddString|Post)/i"; reference:url,milw0rm.com/exploits/6699; reference:url,doc.emergingthreats.net/2008673; classtype:web-application-attack; sid:2008673; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FoxxySoftware - Landing Page Received - applet and 0px"; flow:established,to_client; content:"<applet"; content:"'0px'"; within:20; classtype:trojan-activity; sid:2014936; rev:3; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2012_06_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - Intel Arch"; flow:established,to_client; content:"|0D 0A 0D 0A CE FA ED FE|"; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014516; rev:4; metadata:created_at 2012_04_06, updated_at 2012_04_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Autodesk MapGuide Viewer ActiveX LayersViewWidth Method Access Denial of Service"; flow:to_client,established; content:"CLSID"; nocase; content:"62789780-B744-11D0-986B-00609731A21D"; nocase; distance:0; content:"LayersViewWidth"; nocase; distance:0; reference:url,1337day.com/exploits/13938; classtype:attempted-user; sid:2014942; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - PowerPC Arch"; flow:established,to_client; content:"|0D 0A 0D 0A FE ED FA CE|"; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014517; rev:4; metadata:created_at 2012_04_06, updated_at 2012_04_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Autodesk MapGuide Viewer ActiveX LayersViewWidth Method Access Denial of Service 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MGMapControl.MGMap"; nocase; distance:0; content:"LayersViewWidth"; nocase; distance:0; reference:url,1337day.com/exploits/13938; classtype:attempted-user; sid:2014943; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - Multi Arch w/PowerPC"; flow:established,to_client; content:"|0D 0A 0D 0A CA FE BA BE|"; content:"|FE ED FA CE|"; distance:0; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014515; rev:4; metadata:created_at 2012_04_06, updated_at 2012_04_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MALVERTISING Malicious Advertizing URL in.cgi"; flow:to_server,established; content:"/in.cgi?"; http_uri; classtype:bad-unknown; sid:2012883; rev:6; metadata:created_at 2011_05_27, updated_at 2011_05_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Disk Image Download"; flow:established,to_client; content:"|0D 0A 0D 0A|"; content:"<plist version="; distance:0; content:"Apple_partition_map"; distance:0; content:"Apple_HFS"; distance:0; classtype:misc-activity; sid:2014518; rev:5; metadata:created_at 2012_04_06, updated_at 2012_04_06;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Client Checkin"; flow:to_server,established; content:"|00 00 00 18 01 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; classtype:command-and-control; sid:2014955; rev:2; metadata:created_at 2012_06_25, former_category MALWARE, updated_at 2012_06_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Taidoor.Backdoor Command Request CnC Checkin"; flow:established,to_server; content:".php?id="; http_uri; content:"&ext="; fast_pattern; http_uri; pcre:"/\x2F[a-z]{5}\x2Ephp\x3Fid\x3D.+[a-f0-9]{12}&ext\x3D/Ui"; reference:url,www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks; classtype:command-and-control; sid:2014528; rev:2; metadata:created_at 2012_04_06, former_category MALWARE, updated_at 2012_04_06;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Server Checkin"; flow:to_client,established; content:"|00 00 00 01 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00 01 00 01|"; distance:2; within:5; classtype:command-and-control; sid:2014956; rev:1; metadata:created_at 2012_06_26, former_category MALWARE, updated_at 2012_06_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/LockScreen Scareware Geolocation Request"; flow:established,to_server; content:"/loc/gate.php?getpic=getpic"; http_uri; reference:url,www.abuse.ch/?p=3610; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_police_trojan.pdf; classtype:trojan-activity; sid:2014309; rev:3; metadata:created_at 2012_03_05, updated_at 2012_03_05;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Client Idle"; flow:to_server,established; content:"|00 00 00 02 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00|"; distance:3; within:2; content:"|00|"; distance:1; within:1; classtype:trojan-activity; sid:2014957; rev:1; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
 
-#alert http $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED osCommerce vulnerable web application extras update.php exists"; flow:to_client,established; content:"Select an SQL file to install"; reference:url,retrogod.altervista.org/oscommerce_22_adv.html; reference:url,doc.emergingthreats.net/2002863; classtype:attempted-recon; sid:2002863; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Server Idle"; flow:to_client,established; content:"|00 00 00 01 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00 1f 00 1f|"; distance:2; within:5; classtype:trojan-activity; sid:2014958; rev:1; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Known Fraudulent DigiNotar SSL Certificate for google.com 2"; flow:established,from_server; content:"|0c 76 da 9c 91 0c 4e 2c 9e fe 15 d0 58 93 3c 4c|"; content:"google.com"; within:250; reference:url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx; classtype:misc-activity; sid:2013501; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_08_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Base64 - Java Exploit Requested - /1Digit"; flow:established,to_server; urilen:2; content:" Java/1"; http_header; pcre:"/^\/[0-9]$/U"; classtype:trojan-activity; sid:2014959; rev:2; metadata:created_at 2012_06_26, former_category CURRENT_EVENTS, updated_at 2012_06_26;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Known Fraudulent DigiNotar SSL Certificate for google.com"; flow:established,from_server; content:"|0C 76 DA 9C 91 0C 4E 2C 9E FE 15 D0 58 93 3C 4C|"; content:"google.com"; within:250; reference:url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx; classtype:misc-activity; sid:2013500; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Base64 - Landing Page Received - base64encode(GetOs()"; flow:established,to_client; content:"base64encode(GetOs()"; classtype:trojan-activity; sid:2014960; rev:2; metadata:created_at 2012_06_26, former_category CURRENT_EVENTS, updated_at 2012_06_26;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Athena Web Registration Remote Command Execution Attempt"; flow: to_server,established; content:"/athenareg.php?pass= |3b|"; nocase; http_uri; reference:cve,CAN-2004-1782; reference:bugtraq,9349; reference:url,doc.emergingthreats.net/2001949; classtype:web-application-attack; sid:2001949; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Scar CnC Checkin"; flow:established,to_server; content:"/yeni_urunler.php?hdd="; http_uri; reference:md5,b345634df53511c7195d661ac755b320; classtype:command-and-control; sid:2014961; rev:2; metadata:created_at 2012_06_26, former_category MALWARE, updated_at 2012_06_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 6"; flow:established,to_server; content:"/data/ap2.php"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014279; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FoxxySoftware - Landing Page Received - foxxysoftware"; flow:established,to_client; content:"|7C|foxxysoftware|7C|"; classtype:trojan-activity; sid:2014935; rev:4; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2012_06_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing .prototype.q catch with split"; flow:established,from_server; content:".prototype.q}catch("; fast_pattern:only; content:".split("; classtype:trojan-activity; sid:2014537; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible OneDrive (storage.msn .com)"; flow:established,to_client; dsize:>19; content:"|16 03 01|"; depth:3; content:".storage.msn.com"; nocase; distance:0; reference:url,skydrive.live.com; classtype:policy-violation; sid:2014919; rev:3; metadata:created_at 2012_06_19, former_category POLICY, updated_at 2012_06_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Malicious TDS /indigo?"; flow:to_server,established; content:"/indigo?"; http_uri; pcre:"/\/indigo\?\d+/U"; classtype:exploit-kit; sid:2014539; rev:2; metadata:created_at 2012_04_11, updated_at 2012_04_11;)
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible OneDrive (storage.live .com)"; flow:established,to_client; dsize:>20; content:"|16 03 01|"; depth:3; content:".storage.live.com"; nocase; reference:url,skydrive.live.com; classtype:policy-violation; sid:2014920; rev:3; metadata:created_at 2012_06_19, former_category POLICY, updated_at 2012_06_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Farfli User Agent Detected"; flow:established,to_server; content:"/rpt"; http_uri; fast_pattern; content:"User-Agent|3a| "; http_header; content:!"User-Agent|3a| Mozilla"; http_header; pcre:"/^User-Agent\x3a [a-z0-9]{92}/Hmi"; reference:url,doc.emergingthreats.net/2007646; classtype:trojan-activity; sid:2007646; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Unknown - Java Exploit Requested - 13-14Alpha.jar"; flow:established,to_server; urilen:16<>19; content:".jar"; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/^\/[a-z]{13,14}\.jar$/U"; classtype:trojan-activity; sid:2014969; rev:2; metadata:created_at 2012_06_26, former_category CURRENT_EVENTS, updated_at 2012_06_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Dynamic DNS Exploit Pack Payload"; flow:established,to_server;  content:".php"; http_uri; content:"quote="; distance:0; http_uri; content:"tid=";http_uri; content:"fid="; http_uri; flowbits:set,et.exploitkitlanding;  classtype:bad-unknown; sid:2014445; rev:5; metadata:created_at 2012_03_30, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website"; flow:established,to_client; content:"setAttribute|28 22|src|22|, |22|http|3A|//|22| + "; nocase; content:"+ |22|/runforestrun?sid="; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014970; rev:3; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Tivoli Provisioning Manager Express Isig.isigCtl.1 ActiveX RunAndUploadFile Method Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"84B74E82-3475-420E-9949-773B4FB91771"; nocase; distance:0; content:"RunAndUploadFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111680/IBM-Tivoli-Provisioning-Manager-Express-Overflow.html; classtype:attempted-user; sid:2014550; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Googlebot UA POST to /uploadify.php"; flow:established,to_server; content:"POST"; http_method; content:"/uploadify.php"; http_uri; nocase; fast_pattern; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| Googlebot/2.1|3b|"; http_header; reference:url,blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html; classtype:attempted-recon; sid:2014982; rev:2; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Tivoli Provisioning Manager Express Isig.isigCtl.1 ActiveX RunAndUploadFile Method Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Isig.isigCtl.1"; nocase; distance:0; content:"RunAndUploadFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111680/IBM-Tivoli-Provisioning-Manager-Express-Overflow.html; classtype:attempted-user; sid:2014551; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Landing Page Requested - /*.php?*=16HexChar"; flow:established,to_server; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; urilen:23<>60; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,10}=[a-f0-9]{16}$/U"; pcre:"/[0-9]{1,16}[a-f]{1,16}[0-9]{1,16}$/U"; classtype:trojan-activity; sid:2014973; rev:18; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Dell IT Assistant detectIESettingsForITA.ocx ActiveX Control readRegVal Remote Registry Dump Vulnerability"; flow:to_client,established; content:"CLSID"; nocase; content:"6286EF1A-B56E-48EF-90C3-743410657F3C"; nocase; distance:0; content:"readRegVal"; nocase; distance:0; reference:url,exploit-db.com/exploits/17557/; classtype:attempted-user; sid:2014552; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SonciWALL Aventail AuthCredential Format String Exploit 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Aventail.EPInterrogator.10.0.4.018"; nocase; distance:0; content:"AuthCredential"; nocase; distance:0; reference:url,packetstormsecurity.org/files/92931/SonciWALL-Aventail-epi.dll-AuthCredential-Format-String-Exploit.html; classtype:attempted-user; sid:2014991; rev:3; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Dell IT Assistant detectIESettingsForITA.ocx ActiveX Control readRegVal Remote Registry Dump Vulnerability 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"DETECTIESETTINGS.detectIESettingsCtrl.1"; nocase; distance:0; content:"readRegVal"; nocase; distance:0; reference:url,exploit-db.com/exploits/17557/; classtype:attempted-user; sid:2014553; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SonciWALL Aventail AuthCredential Format String Exploit"; flow:to_client,established; content:"CLSID"; nocase; content:"2A1BE1E7-C550-4D67-A553-7F2D3A39233D"; nocase; distance:0; content:"AuthCredential"; nocase; distance:0; reference:url,packetstormsecurity.org/files/92931/SonciWALL-Aventail-epi.dll-AuthCredential-Format-String-Exploit.html; classtype:attempted-user; sid:2014992; rev:3; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Krunchy/BZub HTTP Checkin/Update"; flow:established,to_server; content:".php?action="; http_uri; content:"&guid="; http_uri; content:"GET"; nocase; http_method; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007775; classtype:trojan-activity; sid:2007775; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert icmp any any -> any any (msg:"ET DOS Microsoft Windows 7 ICMPv6 Router Advertisement Flood"; itype:134; icode:0; byte_test:1,&,0x08,2; content:"|03|"; offset:20; depth:1; byte_test:1,&,0x40,2,relative; byte_test:1,&,0x80,2,relative; threshold:type threshold, track by_src, count 10, seconds 1; reference:url,www.samsclass.info/ipv6/proj/proj8x-124-flood-router.htm; classtype:attempted-dos; sid:2014996; rev:3; metadata:created_at 2012_07_02, updated_at 2012_07_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Password Stealer Reporting - ?a=%NN&b="; flow:to_server,established; content:"POST"; nocase; http_method; content:"a=%"; http_raw_uri; content:"&b="; http_uri; pcre:"/a=\%[0-9a-fA-F]{2}\&b/Ii"; reference:url,doc.emergingthreats.net/2009082; classtype:trojan-activity; sid:2009082; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp [184.154.42.194,50.116.22.209,69.64.43.135,69.64.43.137,69.64.43.142,216.17.107.104,216.17.102.194,216.17.106.90,216.17.107.174,64.6.100.124,46.17.98.214] any -> $HOME_NET any (msg:"ET SCAN critical.io Scan"; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,critical.io/; classtype:network-scan; sid:2014893; rev:5; metadata:created_at 2012_06_14, updated_at 2012_06_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE Download With Content Type Specified As Empty"; flow:established,to_client; content:"Content-Type|3A 20 0D 0A|"; content:"|0d 0a 0d 0a|"; distance:0; content:"MZ"; within:2; isdataat:80,relative; content:"This program "; distance:0; content:"PE|00|"; distance:0; reference:md5,d51218653323e48672023806f6ace26b; classtype:trojan-activity; sid:2014567; rev:5; metadata:created_at 2012_04_16, updated_at 2012_04_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Compressed Executable SZDD Compress.exe Format Over HTTP"; flow:established,to_client; content:"|0d 0a 0d 0a|SZDD"; content:"PE|00 00|"; distance:0; reference:url,blog.fireeye.com/research/2012/07/inside-customized-threat.html#more; reference:url,www.cabextract.org.uk/libmspack/doc/szdd_kwaj_format.html; classtype:bad-unknown; sid:2015004; rev:3; metadata:created_at 2012_07_03, updated_at 2012_07_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Edraw Diagram Component 5 ActiveX LicenseName Access Potential buffer overflow DOS"; flow:to_client,established; content:"CLSID"; nocase; content:"6116A7EC-B914-4CCE-B186-66E0EE7067CF"; nocase; distance:0; content:"LicenseName"; nocase; distance:0; reference:url,exploit-db.com/exploits/18461/; classtype:attempted-user; sid:2014585; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET INFO FTP STOR to External Network"; flow:established,to_server; content:"STOR "; depth:5; classtype:misc-activity; sid:2015016; rev:2; metadata:created_at 2012_07_04, updated_at 2012_07_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Edraw Diagram Component 5 ActiveX LicenseName Access Potential buffer overflow DOS 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"EDBoardLib.EDBoard"; nocase; distance:0; content:"LicenseName"; nocase; distance:0; reference:url,exploit-db.com/exploits/18461/; classtype:attempted-user; sid:2014586; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zusy Gettime Checkin"; flow:established,to_server; content:"/gettime.html?"; fast_pattern; http_uri; content:"HTTP/1.0"; http_header; content:"If-None-Match|3A 20|"; http_header; reference:md5,a152772516cef409ddd58f90917a3b44; classtype:command-and-control; sid:2015022; rev:2; metadata:created_at 2012_07_04, former_category MALWARE, updated_at 2012_07_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Quest vWorkspace Broker Client ActiveX Control SaveMiniLaunchFile Remote File Creation/Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"D9397163-A2DB-4A4A-B2C9-34E876AF2DFC"; nocase; distance:0; content:"SaveMiniLaunchFile("; nocase; distance:0; reference:url,exploit-db.com/exploits/18704/; classtype:attempted-user; sid:2014587; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pushbot User-Agent"; flow:to_server,established; content:"User-Agent|3A 20|cvc_v105"; fast_pattern:only; http_header; reference:url,www.cert.pl/news/5587/langswitch_lang/en; classtype:trojan-activity; sid:2015002; rev:6; metadata:created_at 2012_07_03, updated_at 2012_07_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest vWorkspace Broker Client ActiveX Control SaveMiniLaunchFile Remote File Creation/Overwrite 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"PNLLM.Client.1"; nocase; distance:0; content:"SaveMiniLaunchFile("; nocase; distance:0; reference:url,exploit-db.com/exploits/18704/; classtype:attempted-user; sid:2014588; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pushbot server response"; flow:to_client,established; content:"|0d 0a 0d 0a|ZG%|20|!GX"; reference:url,www.cert.pl/news/5587/langswitch_lang/en; classtype:trojan-activity; sid:2015003; rev:4; metadata:created_at 2012_07_03, updated_at 2012_07_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Oracle Hyperion Financial Management TList6 ActiveX Control Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"65996200-3B87-11D4-A21F-00E029189826"; nocase; distance:0; content:".SaveData("; nocase; distance:0; reference:url,securityfocus.com/archive/1/520353; classtype:attempted-user; sid:2014593; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Incognito - Malicious PDF Requested - /getfile.php"; flow:established,to_server; content:"/getfile.php?i="; http_uri; content:"&key="; http_uri; content:!" Java/1"; http_header; classtype:trojan-activity; sid:2015024; rev:1; metadata:created_at 2012_07_04, former_category CURRENT_EVENTS, updated_at 2012_07_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Oracle Hyperion Financial Management TList6 ActiveX Control Remote Code Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TList.TList.6"; fast_pattern; nocase; distance:0; content:".SaveData("; nocase; distance:0; reference:url,securityfocus.com/archive/1/520353; classtype:attempted-user; sid:2014594; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack exploit pack /mix/ Java exploit"; flow:established,to_server; content:"/mix/"; http_uri; depth:5; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015010; rev:3; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2012_07_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Winwebsec.B Checkin"; flow:established,to_server; content:"/temp1.jpg"; http_uri; content:"User-Agent|3a 20|HTTP Client|0d 0a|"; http_header; reference:md5,9c9109cea5845272d6abd1b5523c8de7; classtype:command-and-control; sid:2014578; rev:3; metadata:created_at 2012_04_16, former_category MALWARE, updated_at 2012_04_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Rational ClearQuest Activex Control RegisterSchemaRepoFromFileByDbSet Insecure Method Access"; flow:to_client,established; content:"CLSID"; nocase; content:"88DD90B6-C770-4CFF-B7A4-3AFD16BB8824"; nocase; distance:0; content:"RegisterSchemaRepoFromFileByDbSet"; nocase; distance:0; reference:url,11337day.com/exploits/18917; classtype:attempted-user; sid:2015032; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing Loading... Please Wait"; flow:established,from_server; content:"Please Wait"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; classtype:trojan-activity; sid:2014538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Crystal Reports Viewer Activex Control ServerResourceVersion Insecure Method Access"; flow:to_client,established; content:"CLSID"; nocase; content:"88DD90B6-C770-4CFF-B7A4-3AFD16BB8824"; nocase; distance:0; content:"ServerResourceVersion"; nocase; distance:0; reference:url,1337day.com/exploits/15098; classtype:attempted-user; sid:2015036; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing Loading... Wait Please"; flow:established,from_server; content:"Wait Please"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013972; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Crystal Reports Viewer Activex Control ServerResourceVersion Insecure Method Access 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"CrystalPrintControlLib.CrystalPrintControl"; nocase; distance:0; content:"ServerResourceVersion"; nocase; distance:0; reference:url,1337day.com/exploits/15098; classtype:attempted-user; sid:2015037; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of /Subtype"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"/"; distance:0; content:!"Subtype"; within:7; content:"#"; within:19; pcre:"/\x2F(?!Subtype)(S|#53)(u|#75)(b|#62)(t|#74)(y|#79)(p|#70)(e|#65)/"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011528; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_22, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack - 32Char.php by Java Client"; flow:established,to_server; urilen:52<>130; content:".php?"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z]{1,10}\/[a-z0-9]{32}\.php\?/U"; classtype:exploit-kit; sid:2015042; rev:2; metadata:created_at 2012_07_07, former_category CURRENT_EVENTS, updated_at 2012_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Pdfjsc.XD Related Checkin (microsoft_predator_client header field)"; flow:established,to_server; content:"microsoft_predator_client"; nocase; http_header; reference:url,www.fourteenforty.jp/products/yarai/CVE2011-0609/; reference:url,www.kahusecurity.com/2011/apec-spearphish-2/; reference:md5,3d91d9df315ffeb9bb1c774452b3114b; classtype:pup-activity; sid:2014584; rev:5; metadata:created_at 2012_04_16, former_category ADWARE_PUP, updated_at 2012_04_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Monkif CnC response in fake JPEG"; flow:established,from_server; content:"|0d 0a 0d 0a ff d8 ff e0|"; content:"JFIF|00 01 01|"; distance:2; content:"lppt>++"; fast_pattern; within:50; content:"bm|60|95"; distance:0; content:"|7c|0"; distance:0; reference:url,2009.brucon.org/material/Julia_Wolf_Brucon_final.pdf; reference:url,research.zscaler.com/2010/03/trojan-monkif-is-still-active-and.html; reference:url,blogs.mcafee.com/mcafee-labs/monkif-botnet-hides-commands-in-jpegs; classtype:command-and-control; sid:2012507; rev:5; metadata:created_at 2011_03_15, former_category MALWARE, updated_at 2011_03_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing for Loading prototype catch"; flow:established,from_server; content:">Loading..."; fast_pattern:only; content:").prototype."; content:"}catch("; within:10; classtype:trojan-activity; sid:2014540; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Proxy Connection detected"; flow:established; content:"Proxy-Connection|3a| "; http_header; reference:url,doc.emergingthreats.net/2001449; classtype:attempted-user; sid:2001449; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of Action"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"/"; distance:0; content:!"Action"; within:6; content:"#"; within:16; pcre:"/\x2F(?!Action)(A|#41)(c|#63)(t|#74)(i|#69)(o|#6F)(n|#6E)/"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011529; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Spambot getting new exe url"; flow:established,to_server; content:"404.txt"; nocase; http_uri; content:"404"; content:!"User-Agent|3a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002989; classtype:trojan-activity; sid:2002989; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of Pages"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"/"; distance:0; content:!"Pages"; within:5; content:"#"; within:13; pcre:"/\x2F(?!Pages)(P|#40)(a|#61)(g|#67)(e|#65)(s|#73)/"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011536; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Payload Requested - 32AlphaNum?s=1 Java Request"; flow:established,to_server; urilen:37; content:"?s=1"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z0-9]{32}\?s=1$/Ui"; classtype:trojan-activity; sid:2015055; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible PDF Launch Function Remote Code Execution Attempt with Name Representation Obfuscation"; flow:to_client,established; content:"|0d 0a 0d 0a|PDF-"; content:"/"; distance:0; content:!"Launch"; within:6; content:"#"; within:16; content:".exe"; nocase; distance:0; pcre:"/\x2F(?!Launch)(L|#4C)(a|#61)(u|#75)(n#6E)(c|#63)(h|#68).+\x2F(W|#57)(i|#69)(n|#6E).+\x2Eexe/sm"; reference:url,www.kb.cert.org/vuls/id/570177; reference:url,www.h-online.com/security/news/item/Criminals-attempt-to-exploit-unpatched-hole-in-Adobe-Reader-979286.html; reference:url,www.sudosecure.net/archives/673; reference:url,www.h-online.com/security/news/item/Adobe-issues-official-workaround-for-PDF-vulnerability-971932.html; reference:url,blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/; reference:url,www.m86security.com/labs/i/PDF-Launch-Feature-Used-to-Install-Zeus,trace.1301~.asp; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011329; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Incognito - Java Exploit Requested - /gotit.php by Java Client"; flow:established,to_server; content:"/gotit.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015030; rev:3; metadata:created_at 2012_07_07, former_category CURRENT_EVENTS, updated_at 2012_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unkown exploit kit version check"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x="; http_uri; content:"&u="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; content:"&java"; http_uri; fast_pattern; content:"&pdf="; http_uri; content:"&flash="; content:"&qt="; http_uri; classtype:exploit-kit; sid:2014569; rev:5; metadata:created_at 2012_04_16, former_category EXPLOIT_KIT, updated_at 2012_04_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito - Payload Request - /load.php by Java Client"; flow:established,to_server; content:"/load.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015031; rev:3; metadata:created_at 2012_07_07, updated_at 2012_07_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Potential Malicious PDF (EmbeddedFiles) improper case"; flow:from_server,established; content:"|0d 0a 0d 0a|%PDF"; content:"/EmbeddedFiles"; within:128; nocase; content:!"/EmbeddedFiles"; distance:-14; within:14; reference:url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/; classtype:trojan-activity; sid:2014575; rev:4; metadata:created_at 2012_04_16, updated_at 2012_04_16;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 5250 (msg:"ET DELETED MISC Computer Associates Negative Content-Length Buffer Overflow"; flow:established,to_server; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:bugtraq,16354; reference:cve,2005-3653; reference:url,doc.emergingthreats.net/bin/view/Main/2002791; classtype:web-application-attack; sid:2002791; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/GameVance User-Agent (aw v3)"; flow:established,to_server; content:"User-Agent|3A 20|aw v3"; http_header; classtype:pup-activity; sid:2014606; rev:4; metadata:created_at 2012_04_17, former_category ADWARE_PUP, updated_at 2012_04_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito/RedKit Exploit Kit vulnerable Java payload request to /1digit.html"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; urilen:7; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]\.html$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014750; rev:2; metadata:created_at 2012_05_14, former_category EXPLOIT_KIT, updated_at 2012_05_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (hell.php)"; flow:established,to_server; content:"/hell.php"; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014615; rev:3; metadata:created_at 2012_04_18, updated_at 2012_04_18;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT ttdbserv Solaris overflow"; dsize:>999; flow:to_server,established; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:2100571; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee SaaS MyCioScan ShowReport Method Call Remote Command Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"209EBDEE-065C-11D4-A6B8-00C04F0D38B7"; nocase; distance:0; content:"ShowReport"; nocase; distance:0; reference:url,packetstormsecurity.org/files/108767/McAfee-SaaS-MyCioScan-ShowReport-Remote-Command-Execution.html; classtype:attempted-user; sid:2014619; rev:2; metadata:created_at 2012_04_20, updated_at 2012_04_20;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fmacqvmqafqwmebl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fmacqvmqafqwmebl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015287; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee SaaS MyCioScan ShowReport Method Call Remote Command Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MYCIOSCNLib.Scan"; nocase; distance:0; content:"ShowReport"; nocase; distance:0; reference:url,packetstormsecurity.org/files/108767/McAfee-SaaS-MyCioScan-ShowReport-Remote-Command-Execution.html; classtype:attempted-user; sid:2014620; rev:2; metadata:created_at 2012_04_20, updated_at 2012_04_20;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hrpgglxvqwjesffr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hrpgglxvqwjesffr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015288; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Cisco 4200 Wireless Lan Controller Long Authorisation Denial of Service Attempt"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/screens/frameset.html"; fast_pattern; http_uri; nocase; content:"Authorization|3A 20|Basic"; nocase; content:!"|0a|"; distance:2; within:118; isdataat:120,relative; pcre:"/^Authorization\x3A Basic.{120}/Hmi"; reference:url,www.securityfocus.com/bid/35805; reference:url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml; reference:cve,2009-1164; reference:url,doc.emergingthreats.net/2010674; classtype:attempted-dos; sid:2010674; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rxbkqfydlnzopqrn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rxbkqfydlnzopqrn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015289; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32 Jadtre/Wapomi/Nimnul/Viking.AY ICMP ping"; icode:0; itype:8; dsize:36; content:"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"; classtype:trojan-activity; sid:2014595; rev:4; metadata:created_at 2012_04_16, updated_at 2012_04_16;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tdsorylshsxjeawf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tdsorylshsxjeawf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015290; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Es11 Keepalive to CnC"; flow:established,to_server; content:"|89 e7 52 d4 68 64 a7 73 bd 7e 3f 5c f7 99 3a 2e|"; offset:16; depth:16; dsize:48; reference:md5,4a17e9bd99f496c518ddfaaef93384b0; classtype:command-and-control; sid:2014630; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_20, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain elfxqghdubihhsgd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|elfxqghdubihhsgd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015291; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP W32/GameVance Adware Server Reponse To Client Checkin"; flow:established,to_client; content:"|0d 0a 0d 0a|cfgint="; content:"cid="; within:30; content:"eus="; within:30; content:"esint="; within:30; content:"sc2dcnt="; within:30; content:"domfqcap="; within:30; content:"domtm="; within:30; content:"css="; within:30; classtype:pup-activity; sid:2014605; rev:6; metadata:created_at 2012_04_17, former_category ADWARE_PUP, updated_at 2012_04_17;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gqtcxunxhyujqjkf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gqtcxunxhyujqjkf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015292; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Customer List"; flow:to_server,established; pcre:"/\Wcustomer\slist(s)?\W/ism"; reference:url,doc.emergingthreats.net/2002655; classtype:policy-violation; sid:2002655; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qxggipnnfmnihkic.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qxggipnnfmnihkic|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015293; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Transaction History"; flow:to_server,established; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/2002654; classtype:policy-violation; sid:2002654; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sdxkjaophbtufumx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sdxkjaophbtufumx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015294; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Credit History"; flow:to_server,established; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/2002653; classtype:policy-violation; sid:2002653; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain clkujrjqvexvbmoi.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|clkujrjqvexvbmoi|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015295; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Annual Income"; flow:to_server,established; pcre:"/\Wannual\sincome(s)?\W/ism"; reference:url,doc.emergingthreats.net/2002652; classtype:policy-violation; sid:2002652; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fqyyxagzkrpvxtki.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fqyyxagzkrpvxtki|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015296; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Payment History"; flow:to_server,established; pcre:"/\Wpayment\shistory\W/ism"; reference:url,doc.emergingthreats.net/2002651; classtype:policy-violation; sid:2002651; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain owldagkyzrkhqnjo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|owldagkyzrkhqnjo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015297; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Account Balance"; flow:to_server,established; pcre:"/\Waccount\sbalance(s)?\W/ism"; reference:url,doc.emergingthreats.net/2002650; classtype:policy-violation; sid:2002650; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rccjvgsgffokiwze.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rccjvgsgffokiwze|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015298; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Appraisal"; flow:to_server,established; pcre:"/\Wappraisal(s)?\W/ism"; reference:url,doc.emergingthreats.net/2002649; classtype:policy-violation; sid:2002649; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain blorcdyiipxcwyxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|blorcdyiipxcwyxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015299; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Password"; flow:to_server,established; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; reference:url,doc.emergingthreats.net/2002648; classtype:policy-violation; sid:2002648; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dpewaddpoewiycnj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dpewaddpoewiycnj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015300; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Credit Card, JCB"; flow:to_server,established; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; reference:url,doc.emergingthreats.net/2002642; classtype:policy-violation; sid:2002642; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nwpykqeizraqthry.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nwpykqeizraqthry|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015301; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - AMA CPT Code"; flow:to_server,established; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; reference:url,doc.emergingthreats.net/2002640; classtype:policy-violation; sid:2002640; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pchgijctfprxhnje.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pchgijctfprxhnje|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015302; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - DSM-IV Code"; flow:to_server,established; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2}?)|(v[167][0-9]\.[0-9]{1,2})))/ism"; reference:url,doc.emergingthreats.net/2002639; classtype:policy-violation; sid:2002639; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zisiiogqigzzqqeq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zisiiogqigzzqqeq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015303; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - ADA Procedure Code"; flow:to_server,established; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; reference:url,doc.emergingthreats.net/2002638; classtype:policy-violation; sid:2002638; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cpittmwbqtjrjpql.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cpittmwbqtjrjpql|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015304; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - FDA NDC Code"; flow:to_server,established; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; reference:url,doc.emergingthreats.net/2002637; classtype:policy-violation; sid:2002637; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mvuvchtcxxibeubd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mvuvchtcxxibeubd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015305; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - ICD-10 Code"; flow:to_server,established; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; reference:url,doc.emergingthreats.net/2002636; classtype:policy-violation; sid:2002636; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain oblcasnhxbbocpfj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|oblcasnhxbbocpfj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015306; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - HCPCS Code"; flow:to_server,established; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; reference:url,doc.emergingthreats.net/2002635; classtype:policy-violation; sid:2002635; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xixftoplsduqqorx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xixftoplsduqqorx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015307; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Date of Birth"; flow:to_server,established; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; reference:url,doc.emergingthreats.net/2002634; classtype:policy-violation; sid:2002634; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bpnqmxkpxxgbdnby.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bpnqmxkpxxgbdnby|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015308; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Internal Use Only"; flow:to_server,established; pcre:"/\Winternal\suse\sonly\W/ism"; reference:url,doc.emergingthreats.net/2002633; classtype:policy-violation; sid:2002633; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kvzstpqmeoxtcwko.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kvzstpqmeoxtcwko|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015309; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Law Enorcement Sensitive"; flow:to_server,established; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; reference:url,doc.emergingthreats.net/2002632; classtype:policy-violation; sid:2002632; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nbqypqrjiqxlfvdj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nbqypqrjiqxlfvdj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015310; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Protected"; flow:to_server,established; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002631; classtype:policy-violation; sid:2002631; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain whddmvrxufbkkoew.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|whddmvrxufbkkoew|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015311; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Proprietary"; flow:to_server,established; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002630; classtype:policy-violation; sid:2002630; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ymrhcvphevonympo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ymrhcvphevonympo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015312; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Sensitive"; flow:to_server,established; pcre:"/(?<!law\senforcement)\Wsensitive\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002629; classtype:policy-violation; sid:2002629; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jveqgnmjxkocqifr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jveqgnmjxkocqifr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015313; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Sealed"; flow:to_server,established; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002628; classtype:policy-violation; sid:2002628; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lavvckpordclbduy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lavvckpordclbduy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015314; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Top Secret"; flow:to_server,established; pcre:"/(?<!//)\Wtop\ssecret[^\w/a]/ism"; reference:url,doc.emergingthreats.net/2002627; classtype:policy-violation; sid:2002627; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vhhzcvbegxbjsxke.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vhhzcvbegxbjsxke|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015315; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Confidential"; flow:to_server,established; pcre:"/(?<!//)\Wconfidential[^\w/]/ism"; reference:url,doc.emergingthreats.net/2002625; classtype:policy-violation; sid:2002625; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xmwettbvtbhvrjuo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xmwettbvtbhvrjuo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015316; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Restricted"; flow:to_server,established; pcre:"/(?<!//)\Wrestricted[^\w/]/ism"; reference:url,doc.emergingthreats.net/2002624; classtype:policy-violation; sid:2002624; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iujniiokeyjbmerc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iujniiokeyjbmerc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015317; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Private"; flow:to_server,established; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002623; classtype:policy-violation; sid:2002623; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kzxrowftdocgyghs.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kzxrowftdocgyghs|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015318; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Non-US Restricted Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002410; classtype:policy-violation; sid:2002410; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gacdiuwnhonuulpe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gacdiuwnhonuulpe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015319; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Non-US Confidential Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002411; classtype:policy-violation; sid:2002411; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ifrhgnqeeotnzrmz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ifrhgnqeeotnzrmz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015320; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Non-US Top Secret Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002412; classtype:policy-violation; sid:2002412; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rmdlgyreitjsjkfq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rmdlgyreitjsjkfq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015321; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Non-US Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+(?<!TOP\s)SECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002413; classtype:policy-violation; sid:2002413; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uqspvdwyltgcyhft.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uqspvdwyltgcyhft|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015322; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Restricted"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002414; classtype:policy-violation; sid:2002414; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ezfydrexncoidbus.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ezfydrexncoidbus|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015323; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Confidential Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002415; classtype:policy-violation; sid:2002415; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hfveiooumeyrpchg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hfveiooumeyrpchg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015324; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Confidential"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002416; classtype:policy-violation; sid:2002416; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qlihxnncwioxkdls.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qlihxnncwioxkdls|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015325; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO COSMIC Top Secret Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002417; classtype:policy-violation; sid:2002417; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sqwlonyduvpowdgy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sqwlonyduvpowdgy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015326; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Secret Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002418; classtype:policy-violation; sid:2002418; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dyjvewshptsboygd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dyjvewshptsboygd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015327; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002419; classtype:policy-violation; sid:2002419; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain febcbuyswmishvpl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|febcbuyswmishvpl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015328; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002420; classtype:policy-violation; sid:2002420; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain plmekaayiholtevt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|plmekaayiholtevt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015329; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002421; classtype:policy-violation; sid:2002421; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rpckbgrziwbdrmhr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rpckbgrziwbdrmhr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015330; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.E Keepalive to CnC"; flow:established,to_server; dsize:>30; content:"|90 48 5c d5 ec 70 a3 8b 41 72 28 50 ec f6 d5 2a|"; offset:16; depth:16; reference:md5,fc414168a5b4ca074ea6e03f770659ef; classtype:command-and-control; sid:2013337; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_01, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cyosongjihugkjbg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cyosongjihugkjbg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015331; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002422; classtype:policy-violation; sid:2002422; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eefysywrvkgxuqdf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eefysywrvkgxuqdf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015332; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002423; classtype:policy-violation; sid:2002423; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nkrbvqxzfwicmhwb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nkrbvqxzfwicmhwb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015333; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002424; classtype:policy-violation; sid:2002424; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qphhsudsmeftdaht.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qphhsudsmeftdaht|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015334; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Unclassified COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002429; classtype:policy-violation; sid:2002429; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain axtopsbtntqnfdyk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|axtopsbtntqnfdyk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015335; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002430; classtype:policy-violation; sid:2002430; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ddkudnuklgiwtdyw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ddkudnuklgiwtdyw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015336; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002431; classtype:policy-violation; sid:2002431; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mkwwclogcvgeekws.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mkwwclogcvgeekws|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015337; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret CNWDI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002434; classtype:policy-violation; sid:2002434; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain opldkflyvlkywuec.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|opldkflyvlkywuec|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015338; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret TK"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002436; classtype:policy-violation; sid:2002436; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yvxfekhokspfuwqr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yvxfekhokspfuwqr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015339; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US FGI"; flow:to_server,established; content:"Subject|3A|"; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002438; classtype:policy-violation; sid:2002438; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bdprvpxdejpohqpt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bdprvpxdejpohqpt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015340; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US FOUO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002439; classtype:policy-violation; sid:2002439; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ljbvfrsvcevyfhor.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ljbvfrsvcevyfhor|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015341; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002440; classtype:policy-violation; sid:2002440; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain noqzuukouyfuyrmd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|noqzuukouyfuyrmd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015342; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002441; classtype:policy-violation; sid:2002441; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xvcewyydwsmdgaju.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xvcewyydwsmdgaju|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015343; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002443; classtype:policy-violation; sid:2002443; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zatiscwwtipqlycd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zatiscwwtipqlycd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015344; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002444; classtype:policy-violation; sid:2002444; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jjgshrjdcynohyuk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jjgshrjdcynohyuk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015345; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Unclassified PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002446; classtype:policy-violation; sid:2002446; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mouwwvcwwlilnxub.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mouwwvcwwlilnxub|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015346; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002447; classtype:policy-violation; sid:2002447; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vuhaojpwxgsxuitu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vuhaojpwxgsxuitu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015347; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002448; classtype:policy-violation; sid:2002448; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yayfefhrwawquwcw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yayfefhrwawquwcw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015348; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002450; classtype:policy-violation; sid:2002450; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iiloishkjwvqldlq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iiloishkjwvqldlq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015349; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002451; classtype:policy-violation; sid:2002451; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain knauycqgsdhgbwjo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|knauycqgsdhgbwjo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015350; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US SAMI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002453; classtype:policy-violation; sid:2002453; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uumwyzhctrwdsrdp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uumwyzhctrwdsrdp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015351; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002454; classtype:policy-violation; sid:2002454; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wzbdwenwshfzglwt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wzbdwenwshfzglwt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015352; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002455; classtype:policy-violation; sid:2002455; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hiplksflttfkpsxn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hiplksflttfkpsxn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015353; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret STOP"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002457; classtype:policy-violation; sid:2002457; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jnfrqmekhoevppvw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jnfrqmekhoevppvw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015354; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Private"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002458; classtype:policy-violation; sid:2002458; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ttqtkmthptxvwiku.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ttqtkmthptxvwiku|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015355; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Restricted"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!//)\Wrestricted[^\w/]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002459; classtype:policy-violation; sid:2002459; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vygzhvfiuommkqfj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vygzhvfiuommkqfj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015356; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Top Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!//)\Wtop\ssecret[^\w/a]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002462; classtype:policy-violation; sid:2002462; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fhuidtlqttqxgjvn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fhuidtlqttqxgjvn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015357; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Sealed"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002463; classtype:policy-violation; sid:2002463; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain imjosxuhbcdonrco.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|imjosxuhbcdonrco|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015358; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Sensitive"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!law\senforcement)\Wsensitive\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002464; classtype:policy-violation; sid:2002464; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rtvqcdpbqxgwnrcn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rtvqcdpbqxgwnrcn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015359; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Proprietary"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002465; classtype:policy-violation; sid:2002465; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tykvyflnjhbnqpnr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tykvyflnjhbnqpnr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015360; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Protected"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002466; classtype:policy-violation; sid:2002466; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ehyewyqydfpidbdp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ehyewyqydfpidbdp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015361; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Law Enorcement Sensitive"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002467; classtype:policy-violation; sid:2002467; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gmokuosvnbkshdtd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gmokuosvnbkshdtd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015362; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Internal Use Only"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Winternal\suse\sonly\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002468; classtype:policy-violation; sid:2002468; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qsbourrdxgxgwepy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qsbourrdxgxgwepy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015363; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Date of Birth"; flow:to_server,established; content:"Subject|3A|"; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002469; classtype:policy-violation; sid:2002469; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sxpskxdgoczvcjgp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sxpskxdgoczvcjgp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015364; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP HCPCS Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002470; classtype:policy-violation; sid:2002470; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dhedppigtpbwrmpc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dhedppigtpbwrmpc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015365; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP ICD-10 Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002471; classtype:policy-violation; sid:2002471; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain flthmyjeuhdygshf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|flthmyjeuhdygshf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015366; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP FDA NDC Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002472; classtype:policy-violation; sid:2002472; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain osflhkaowydftniw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|osflhkaowydftniw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015367; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP ADA Procedure Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002473; classtype:policy-violation; sid:2002473; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rxupwhkznihnxzqx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rxupwhkznihnxzqx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015368; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP DSM-IV Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2}?)|(v[167][0-9]\.[0-9]{1,2})))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002474; classtype:policy-violation; sid:2002474; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bgjzhlasdrwwnenj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bgjzhlasdrwwnenj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015369; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP AMA CPT Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002475; classtype:policy-violation; sid:2002475; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain elxegvkalqvkyoxc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|elxegvkalqvkyoxc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015370; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Credit Card, JCB"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002477; classtype:policy-violation; sid:2002477; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nrkhysgoltauclop.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nrkhysgoltauclop|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015371; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Password"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002483; classtype:policy-violation; sid:2002483; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pwyloytoagndnrex.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pwyloytoagndnrex|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015372; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Appraisal"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wappraisal(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002484; classtype:policy-violation; sid:2002484; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zenquqdskekaudbe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zenquqdskekaudbe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015373; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Account Balance"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Waccount\sbalance(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002485; classtype:policy-violation; sid:2002485; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cldcrgtnuwvgnbfd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cldcrgtnuwvgnbfd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015374; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Payment History"; flow:to_server,established; content:"Subject|3A|"; content:"payment history"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002486; classtype:policy-violation; sid:2002486; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mroeqjdaukskbgua.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mroeqjdaukskbgua|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015375; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Annual Income"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wannual\sincome(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002487; classtype:policy-violation; sid:2002487; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain owekhoeuhmdiehrw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|owekhoeuhmdiehrw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015376; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Credit History"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002488; classtype:policy-violation; sid:2002488; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ydrngsmrdiiyvoiy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ydrngsmrdiiyvoiy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015377; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Transaction History"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002489; classtype:policy-violation; sid:2002489; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bkhyiqitpoxewhmt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bkhyiqitpoxewhmt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015378; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Customer List"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcustomer\slist(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002490; classtype:policy-violation; sid:2002490; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain krtbityuhlewigfe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|krtbityuhlewigfe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015379; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Non-US Restricted"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002495; classtype:policy-violation; sid:2002495; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nvjgyermzsmynaeq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nvjgyermzsmynaeq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015380; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Non-US Confidential"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002496; classtype:policy-violation; sid:2002496; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jwkpdxqbemsmclal.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jwkpdxqbemsmclal|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015381; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Non-US Top Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002497; classtype:policy-violation; sid:2002497; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lccwpflcdjrdfjib.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lccwpflcdjrdfjib|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015382; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Non-US Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+(?<!TOP\s)SECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002498; classtype:policy-violation; sid:2002498; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uinyjmxfqinkxbda.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uinyjmxfqinkxbda|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015383; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Restricted"; flow:to_server,established; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002499; classtype:policy-violation; sid:2002499; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xndfbivuonkxfxrq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xndfbivuonkxfxrq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015384; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Confidential Atomal"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002500; classtype:policy-violation; sid:2002500; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hvpmffxpfnlquqxo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hvpmffxpfnlquqxo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015385; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Confidential"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002501; classtype:policy-violation; sid:2002501; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kbgsbqjugdqrgtdw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kbgsbqjugdqrgtdw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015386; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO COSMIC Top Secret Atomal"; flow:to_server,established; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002502; classtype:policy-violation; sid:2002502; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tisubmfvqrgnloxr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tisubmfvqrgnloxr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015387; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Secret Atomal"; flow:to_server,established; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002503; classtype:policy-violation; sid:2002503; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vmibswhnpqhqwyih.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vmibswhnpqhqwyih|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015388; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Secret"; flow:to_server,established; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002504; classtype:policy-violation; sid:2002504; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gvujhzvjxwptrtdg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015389; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002505; classtype:policy-violation; sid:2002505; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iblpdiqdmmsbnuxb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015390; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002506; classtype:policy-violation; sid:2002506; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain shxrsvasoncjnxpn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|shxrsvasoncjnxpn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015391; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002507; classtype:policy-violation; sid:2002507; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ummxjwieppswcnrg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ummxjwieppswcnrg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015392; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential REL TO"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002508; classtype:policy-violation; sid:2002508; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fuyfrockpfclxccd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fuyfrockpfclxccd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015393; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret REL TO"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002509; classtype:policy-violation; sid:2002509; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain haqmuqqukywrcxfa.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|haqmuqqukywrcxfa|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015394; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Unclassified COMSEC"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002514; classtype:policy-violation; sid:2002514; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qhcplcuugevvyham.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qhcplcuugevvyham|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015395; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential COMSEC"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002515; classtype:policy-violation; sid:2002515; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tmrtbcienxrbnsjc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tmrtbcienxrbnsjc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015396; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret COMSEC"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002516; classtype:policy-violation; sid:2002516; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dueebwwdllfburag.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dueebwwdllfburag|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015397; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret CNWDI"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002519; classtype:policy-violation; sid:2002519; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fzsirujgdbvabrjm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fzsirujgdbvabrjm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015398; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret TK"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002521; classtype:policy-violation; sid:2002521; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pghnrmkoeoetfwsm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pghnrmkoeoetfwsm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015399; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US FGI"; flow:to_server,established; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002523; classtype:policy-violation; sid:2002523; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rlvqmipovrqbmvqd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rlvqmipovrqbmvqd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015400; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US FOUO"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002524; classtype:policy-violation; sid:2002524; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ctjbmgjudwisgshv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ctjbmgjudwisgshv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015401; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential NOFORN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002525; classtype:policy-violation; sid:2002525; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eyxejlabqaytqmjx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eyxejlabqaytqmjx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015402; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret NOFORN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002526; classtype:policy-violation; sid:2002526; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ogmjjmqdhlbyabzg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ogmjjmqdhlbyabzg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015403; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential ORCON"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002704; classtype:policy-violation; sid:2002704; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qlbpfyrupyadvjsl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qlbpfyrupyadvjsl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015404; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret ORCON"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002528; classtype:policy-violation; sid:2002528; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain atnwerhvttvbivra.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|atnwerhvttvbivra|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015405; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Unclassified PROPIN"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002530; classtype:policy-violation; sid:2002530; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dydderasilekaegh.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dydderasilekaegh|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015406; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential PROPIN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002531; classtype:policy-violation; sid:2002531; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mfqfrnqllqcrayiw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mfqfrnqllqcrayiw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015407; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret PROPIN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002532; classtype:policy-violation; sid:2002532; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pkglwwwmjxokzzfq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pkglwwwmjxokzzfq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015408; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential RD"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002534; classtype:policy-violation; sid:2002534; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yrrnrgliojezjctg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yrrnrgliojezjctg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015409; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret RD"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002535; classtype:policy-violation; sid:2002535; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bxhzugppnulxghvm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bxhzugppnulxghvm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015410; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US SAMI"; flow:to_server,established; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002537; classtype:policy-violation; sid:2002537; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lfvcngdbzjrzgyby.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lfvcngdbzjrzgyby|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015411; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential SPECAT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002538; classtype:policy-violation; sid:2002538; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nkkijjyioljbfysn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nkkijjyioljbfysn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015412; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret SPECAT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002539; classtype:policy-violation; sid:2002539; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gqortbbbsnksxpmm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gqortbbbsnksxpmm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015457; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret STOP"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002541; classtype:policy-violation; sid:2002541; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xqwkdyjydkggsppd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xqwkdyjydkggsppd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015413; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Private"; flow:to_server,established; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002542; classtype:policy-violation; sid:2002542; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tdndpphrtyniynvz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tdndpphrtyniynvz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015455; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Restricted"; flow:to_server,established; pcre:"/(?<!//)\Wrestricted[^\w/]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002543; classtype:policy-violation; sid:2002543; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain axmvnmubgwlmqfrp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|axmvnmubgwlmqfrp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015414; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Confidential"; flow:to_server,established; pcre:"/(?<!//)\Wconfidential[^\w/]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002544; classtype:policy-violation; sid:2002544; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kwyyhhqtwxupnhyu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kwyyhhqtwxupnhyu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015454; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Top Secret"; flow:to_server,established; pcre:"/(?<!//)\Wtop\ssecret[^\w/a]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002546; classtype:policy-violation; sid:2002546; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hrkusbnevtmyisab.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hrkusbnevtmyisab|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015453; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Sealed"; flow:to_server,established; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002547; classtype:policy-violation; sid:2002547; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xiwlnutkxsqxwjge.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xiwlnutkxsqxwjge|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015452; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Sensitive"; flow:to_server,established; pcre:"/(?<!law\senforcement)\Wsensitive\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002548; classtype:policy-violation; sid:2002548; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain keabgwmpzqhpmlng.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|keabgwmpzqhpmlng|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015415; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Proprietary"; flow:to_server,established; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002549; classtype:policy-violation; sid:2002549; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mjpflkwqskuqbjnk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mjpflkwqskuqbjnk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015416; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Protected"; flow:to_server,established; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002550; classtype:policy-violation; sid:2002550; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain veihxoqukuetxqbn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|veihxoqukuetxqbn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015451; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Law Enorcement Sensitive"; flow:to_server,established; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002551; classtype:policy-violation; sid:2002551; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vqcicnuhtwhxmtjd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vqcicnuhtwhxmtjd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015417; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Internal Use Only"; flow:to_server,established; pcre:"/\Winternal\suse\sonly\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002552; classtype:policy-violation; sid:2002552; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yvqnltydqtpresfu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yvqnltydqtpresfu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015418; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Date of Birth"; flow:to_server,established; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002553; classtype:policy-violation; sid:2002553; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lwtcxuzbdrsnpqfb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lwtcxuzbdrsnpqfb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015450; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - HCPCS Code"; flow:to_server,established; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002554; classtype:policy-violation; sid:2002554; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iefwvulgninlkoxe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iefwvulgninlkoxe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015419; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - ICD-10 Code"; flow:to_server,established; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002555; classtype:policy-violation; sid:2002555; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ljubdldgqwbarplc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ljubdldgqwbarplc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015420; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - FDA NDC Code"; flow:to_server,established; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002556; classtype:policy-violation; sid:2002556; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jrfyaswntteouafv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jrfyaswntteouafv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015449; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - ADA Procedure Code"; flow:to_server,established; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002557; classtype:policy-violation; sid:2002557; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain upgghggmbusopaxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|upgghggmbusopaxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015421; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - DSM-IV Code"; flow:to_server,established; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2}?)|(v[167][0-9]\.[0-9]{1,2})))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002558; classtype:policy-violation; sid:2002558; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wuvjdexaqtmqkvgk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wuvjdexaqtmqkvgk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015422; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - AMA CPT Code"; flow:to_server,established; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002559; classtype:policy-violation; sid:2002559; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hektxucstnbuncix.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hektxucstnbuncix|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015423; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Credit Card, JCB"; flow:to_server,established; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002561; classtype:policy-violation; sid:2002561; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yjsovtnpgbwqcbbd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yjsovtnpgbwqcbbd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015448; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Password"; flow:to_server,established; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002567; classtype:policy-violation; sid:2002567; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wedkgpdcxlrunbmu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wedkgpdcxlrunbmu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015447; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Appraisal"; flow:to_server,established; pcre:"/\Wappraisal(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002568; classtype:policy-violation; sid:2002568; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mxpgggggukxqteoy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mxpgggggukxqteoy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015446; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Account Balance"; flow:to_server,established; pcre:"/\Waccount\sbalance(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002569; classtype:policy-violation; sid:2002569; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ksacasnubklrikdl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ksacasnubklrikdl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015445; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Payment History"; flow:to_server,established; pcre:"/\Wpayment\shistory\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002570; classtype:policy-violation; sid:2002570; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jiyxdlvawkranmin.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jiyxdlvawkranmin|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015424; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Annual Income"; flow:to_server,established; pcre:"/\Wannual\sincome(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002571; classtype:policy-violation; sid:2002571; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tplczomvebjmhsgk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tplczomvebjmhsgk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015425; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Credit History"; flow:to_server,established; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002572; classtype:policy-violation; sid:2002572; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bloxgsfzinxmdspt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bloxgsfzinxmdspt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015444; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Transaction History"; flow:to_server,established; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002573; classtype:policy-violation; sid:2002573; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vuaivypissryzhij.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vuaivypissryzhij|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015426; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Customer List"; flow:to_server,established; pcre:"/\Wcustomer\slist(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002574; classtype:policy-violation; sid:2002574; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gdoqznfilmtulxxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gdoqznfilmtulxxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015427; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Non-US Restricted"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002575; classtype:policy-violation; sid:2002575; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xfymtpavzblzbknq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xfymtpavzblzbknq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015443; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Non-US Confidential"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002576; classtype:policy-violation; sid:2002576; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iiewprjomieydnix.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iiewprjomieydnix|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015428; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Non-US Top Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002577; classtype:policy-violation; sid:2002577; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lsvdxjpwykxxvryd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lsvdxjpwykxxvryd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015441; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Non-US Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+(?<!TOP\s)SECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002578; classtype:policy-violation; sid:2002578; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ropypfmcqjjfdiel.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ropypfmcqjjfdiel|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015429; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Restricted"; flow:to_server,established; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002579; classtype:policy-violation; sid:2002579; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain utfenjxpvwtroioi.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|utfenjxpvwtroioi|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015430; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Confidential Atomal"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002580; classtype:policy-violation; sid:2002580; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ehsmldxnregnruez.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ehsmldxnregnruez|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015440; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Confidential"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002581; classtype:policy-violation; sid:2002581; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain edtmjcvfnfcbweed.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|edtmjcvfnfcbweed|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015431; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO COSMIC Top Secret Atomal"; flow:to_server,established; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002582; classtype:policy-violation; sid:2002582; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hhishrpjdixwtctz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hhishrpjdixwtctz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015432; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Secret Atomal"; flow:to_server,established; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002583; classtype:policy-violation; sid:2002583; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qouubrmdxtgnnjvm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qouubrmdxtgnnjvm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015433; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Secret"; flow:to_server,established; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002584; classtype:policy-violation; sid:2002584; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain stkbtccbckhdkbii.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|stkbtccbckhdkbii|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015434; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002585; classtype:policy-violation; sid:2002585; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ccdifvomwhtynpay.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ccdifvomwhtynpay|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015439; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002586; classtype:policy-violation; sid:2002586; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dcyjurmfwhgvyoio.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dcyjurmfwhgvyoio|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015435; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002587; classtype:policy-violation; sid:2002587; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fhnpjsnknkuvhazm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fhnpjsnknkuvhazm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015436; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential REL TO"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002588; classtype:policy-violation; sid:2002588; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pozrtgdmhvhvdscn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pozrtgdmhvhvdscn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015437; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret REL TO"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002589; classtype:policy-violation; sid:2002589; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rsoxjlibxohdcyov.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rsoxjlibxohdcyov|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015438; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Unclassified COMSEC"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002594; classtype:policy-violation; sid:2002594; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2101274; rev:19; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential COMSEC"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002595; classtype:policy-violation; sid:2002595; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"ZwUnmapViewOfSection"; fast_pattern; nocase; distance:0; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012816; rev:8; metadata:created_at 2011_05_18, former_category MALWARE, updated_at 2011_05_18;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret COMSEC"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002596; classtype:policy-violation; sid:2002596; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ppsvcvrcgkllplyn.ru"; flow:established,to_server; content:"|3a| ppsvcvrcgkllplyn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015462; rev:2; metadata:created_at 2012_07_13, updated_at 2012_07_13;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret CNWDI"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002599; classtype:policy-violation; sid:2002599; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bloxgsfzinxmdspt.ru"; flow:established,to_server; content:"|3a| bloxgsfzinxmdspt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015244; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret TK"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002601; classtype:policy-violation; sid:2002601; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ruhctasjmpqbyvhm.ru"; flow:established,to_server; content:"|3a| ruhctasjmpqbyvhm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015463; rev:3; metadata:created_at 2012_07_13, updated_at 2012_07_13;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US FGI"; flow:to_server,established; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002603; classtype:policy-violation; sid:2002603; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AdminStudio Activex Control LaunchProcess Method Access Arbitrary Code Execution"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"LaunchHelp.HelpLauncher.1"; nocase; distance:0; content:"LaunchProcess"; nocase; distance:0; reference:url,packetstormsecurity.org/files/114564/AdminStudio-LaunchHelp.dll-ActiveX-Arbitrary-Code-Execution.html; classtype:attempted-user; sid:2015464; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US FOUO"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002604; classtype:policy-violation; sid:2002604; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Vundo.dam http Checkin after infection"; flow:established,to_server; content:"install.php?"; nocase; http_uri; content:"afid="; nocase; http_uri; content:"&user_id="; nocase; http_uri; content:"&version="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007572; classtype:trojan-activity; sid:2007572; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential NOFORN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002605; classtype:policy-violation; sid:2002605; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely Infected HTTP POST to PHP with User-Agent of HTTP Client"; flow:established,to_server; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"User-Agent|3a 20|HTTP Client|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2012385; rev:3; metadata:created_at 2011_02_27, updated_at 2011_02_27;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret NOFORN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002606; classtype:policy-violation; sid:2002606; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fmacqvmqafqwmebl.ru"; flow:established,to_server; content:"|3a| fmacqvmqafqwmebl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015087; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential ORCON"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002608; classtype:policy-violation; sid:2002608; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hrpgglxvqwjesffr.ru"; flow:established,to_server; content:"|3a| hrpgglxvqwjesffr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015088; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret ORCON"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002609; classtype:policy-violation; sid:2002609; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rxbkqfydlnzopqrn.ru"; flow:established,to_server; content:"|3a| rxbkqfydlnzopqrn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015089; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Unclassified PROPIN"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002611; classtype:policy-violation; sid:2002611; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tdsorylshsxjeawf.ru"; flow:established,to_server; content:"|3a| tdsorylshsxjeawf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015090; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential PROPIN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002612; classtype:policy-violation; sid:2002612; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain elfxqghdubihhsgd.ru"; flow:established,to_server; content:"|3a| elfxqghdubihhsgd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015091; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret PROPIN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002613; classtype:policy-violation; sid:2002613; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gqtcxunxhyujqjkf.ru"; flow:established,to_server; content:"|3a| gqtcxunxhyujqjkf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015092; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential RD"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002615; classtype:policy-violation; sid:2002615; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sdxkjaophbtufumx.ru"; flow:established,to_server; content:"|3a| sdxkjaophbtufumx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015094; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret RD"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002616; classtype:policy-violation; sid:2002616; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain clkujrjqvexvbmoi.ru"; flow:established,to_server; content:"|3a| clkujrjqvexvbmoi.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015095; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US SAMI"; flow:to_server,established; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002618; classtype:policy-violation; sid:2002618; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fqyyxagzkrpvxtki.ru"; flow:established,to_server; content:"|3a| fqyyxagzkrpvxtki.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015096; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential SPECAT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002619; classtype:policy-violation; sid:2002619; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain owldagkyzrkhqnjo.ru"; flow:established,to_server; content:"|3a| owldagkyzrkhqnjo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015097; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret SPECAT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002620; classtype:policy-violation; sid:2002620; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rccjvgsgffokiwze.ru"; flow:established,to_server; content:"|3a| rccjvgsgffokiwze.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015098; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret STOP"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002622; classtype:policy-violation; sid:2002622; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain blorcdyiipxcwyxv.ru"; flow:established,to_server; content:"|3a| blorcdyiipxcwyxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015099; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> [69.63.176.0/20,69.63.176.0/20,204.15.20.0/22] $HTTP_PORTS (msg:"ET DELETED facebook activity"; flow:established,to_server; threshold: type both, track by_dst, count 2, seconds 120; reference:url,compnetworking.about.com/od/traceipaddresses/f/facebook-ip-address.htm; reference:url,doc.emergingthreats.net/2010952; classtype:policy-violation; sid:2010952; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dpewaddpoewiycnj.ru"; flow:established,to_server; content:"|3a| dpewaddpoewiycnj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015100; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic Dropper HTTP Bot grabbing config"; flow: to_server,established; content:".txt"; nocase; http_uri; fast_pattern; content:"Pragma|3a| no-cache"; http_header; content:"User-Agent|3a| "; http_header; pcre:"/User-Agent\x3a \d{6}\x0d\x0a/H"; reference:url,doc.emergingthreats.net/2008664; classtype:trojan-activity; sid:2008664; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nwpykqeizraqthry.ru"; flow:established,to_server; content:"|3a| nwpykqeizraqthry.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015101; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PeopleOnPage Ping"; flow: to_server,established; content:"Host|3a| srv.peopleonpage.com"; nocase; http_header; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/s\/l\/firstping/i"; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001446; classtype:policy-violation; sid:2001446; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pchgijctfprxhnje.ru"; flow:established,to_server; content:"|3a| pchgijctfprxhnje.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015102; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET HUNTING Suspicious Self Signed SSL Certificate CN of common Possible SSL CnC"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"common1|1b|0"; classtype:command-and-control; sid:2013805; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_10_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zisiiogqigzzqqeq.ru"; flow:established,to_server; content:"|3a| zisiiogqigzzqqeq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015103; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET HUNTING Suspicious Self Signed SSL Certificate with admin@common Possible SSL CnC"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"admin@common"; classtype:command-and-control; sid:2013806; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_10_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cpittmwbqtjrjpql.ru"; flow:established,to_server; content:"|3a| cpittmwbqtjrjpql.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015104; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Cipher_Suite length greater than Client_Hello Length)"; flow:to_server,established; content:"|16 03 00|"; depth:3; content:"|01|"; distance:2; within:1; byte_extract:3,0,SSL.Client_Hello.length,relative; byte_jump:1,34,relative; byte_test:2,>,SSL.Client_Hello.length,0,relative; reference:md5,a01d75158cf4618677f494f9626b1c4c; classtype:trojan-activity; sid:2014635; rev:1; metadata:created_at 2012_04_24, updated_at 2012_04_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mvuvchtcxxibeubd.ru"; flow:established,to_server; content:"|3a| mvuvchtcxxibeubd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015105; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP exploit 4"; flow:established,to_server; content:"/hhcp.php?c="; http_uri; pcre:"/hhcp.php?c=[a-f0-9]{5}$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014284; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain oblcasnhxbbocpfj.ru"; flow:established,to_server; content:"|3a| oblcasnhxbbocpfj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015106; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maljava Dropper for OS X"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/install_flash_player.py"; nocase; http_uri; reference:url,www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once; classtype:trojan-activity; sid:2014638; rev:4; metadata:created_at 2012_04_25, updated_at 2012_04_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xixftoplsduqqorx.ru"; flow:established,to_server; content:"|3a| xixftoplsduqqorx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015107; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maljava Dropper for Windows"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/install_flash_player.tmp2"; nocase; http_uri; reference:url,www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once; classtype:trojan-activity; sid:2014637; rev:3; metadata:created_at 2012_04_25, updated_at 2012_04_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bpnqmxkpxxgbdnby.ru"; flow:established,to_server; content:"|3a| bpnqmxkpxxgbdnby.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015108; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito Exploit Kit payload request to images.php?t=N"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:15; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014640; rev:1; metadata:created_at 2012_04_26, former_category EXPLOIT_KIT, updated_at 2012_04_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kvzstpqmeoxtcwko.ru"; flow:established,to_server; content:"|3a| kvzstpqmeoxtcwko.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015109; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32.Idicaf/Atraps"; flow:to_server,established; dsize:780; content:"|00 00 00 00 00 00 00 00|"; depth:8; content:"|00 00 00 00|"; distance:4; within:4; content:"|00 9C 00 00 00|"; distance:31; within:5; fast_pattern; content:"|00 00 00|"; distance:1; within:3; content:"|00 00 00|"; distance:1; within:3; content:"|00 00|"; distance:2; within:2; content:"|00|"; distance:172; within:1; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014228; rev:7; metadata:created_at 2012_02_14, updated_at 2012_02_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nbqypqrjiqxlfvdj.ru"; flow:established,to_server; content:"|3a| nbqypqrjiqxlfvdj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015110; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Recieved - applet PluginDetect and 10hexchar title"; flow:established,to_client; file_data; content:"PluginDetect"; content:"<applet"; pcre:"/<title>[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2014644; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain whddmvrxufbkkoew.ru"; flow:established,to_server; content:"|3a| whddmvrxufbkkoew.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015111; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"pdfxctrlLib.PdfPrinterPreferences"; nocase; distance:0; content:"InitFromRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014651; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ymrhcvphevonympo.ru"; flow:established,to_server; content:"|3a| ymrhcvphevonympo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015112; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"2EE01CFA-139F-431E-BB1D-5E56B4DCEC18"; nocase; distance:0; content:"InitFromRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014650; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jveqgnmjxkocqifr.ru"; flow:established,to_server; content:"|3a| jveqgnmjxkocqifr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015113; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX StoreInRegistry Method Access Potential Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"2EE01CFA-139F-431E-BB1D-5E56B4DCEC18"; nocase; distance:0; content:"StoreInRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014648; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lavvckpordclbduy.ru"; flow:established,to_server; content:"|3a| lavvckpordclbduy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015114; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX StoreInRegistry Method Access Potential Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"pdfxctrlLib.PdfPrinterPreferences"; nocase; distance:0; content:"StoreInRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014649; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vhhzcvbegxbjsxke.ru"; flow:established,to_server; content:"|3a| vhhzcvbegxbjsxke.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015115; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest Explain Plan Display ActiveX Control SaveToFile Insecure Method Access"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"F7014877-6F5A-4019-A3B2-74077F2AE126"; nocase; distance:0; content:".SaveToFile|28|"; nocase; distance:0; reference:url,secunia.com/advisories/48681/; classtype:attempted-user; sid:2014652; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xmwettbvtbhvrjuo.ru"; flow:established,to_server; content:"|3a| xmwettbvtbhvrjuo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015116; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest Explain Plan Display ActiveX Control SaveToFile Insecure Method Access 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"QExplain2.ExplainPlanDisplayX"; nocase; distance:0; content:".SaveToFile|28|"; nocase; distance:0; reference:url,secunia.com/advisories/48681/; classtype:attempted-user; sid:2014653; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iujniiokeyjbmerc.ru"; flow:established,to_server; content:"|3a| iujniiokeyjbmerc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015117; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Neosploit Java Exploit Kit request to /? plus hex 32"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; content:" Java/"; http_header; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:exploit-kit; sid:2013975; rev:3; metadata:created_at 2011_12_01, former_category EXPLOIT_KIT, updated_at 2011_12_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kzxrowftdocgyghs.ru"; flow:established,to_server; content:"|3a| kzxrowftdocgyghs.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015118; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unkown exploit kit jar download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=MSIE"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".jar"; http_uri; classtype:exploit-kit; sid:2014568; rev:3; metadata:created_at 2012_04_16, former_category EXPLOIT_KIT, updated_at 2012_04_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gacdiuwnhonuulpe.ru"; flow:established,to_server; content:"|3a| gacdiuwnhonuulpe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015119; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC NICK command"; flow:to_server,established; content:"NICK|20|"; nocase; content:"|0a|"; within:40; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002024; classtype:misc-activity; sid:2002024; rev:19; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ifrhgnqeeotnzrmz.ru"; flow:established,to_server; content:"|3a| ifrhgnqeeotnzrmz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015120; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC JOIN command"; flow:to_server,established; content:"JOIN|2023|"; nocase; content:"|0a|"; within:40; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002025; classtype:misc-activity; sid:2002025; rev:19; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rmdlgyreitjsjkfq.ru"; flow:established,to_server; content:"|3a| rmdlgyreitjsjkfq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015121; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT PWDump4 Password dumping exe copied to victim"; flow:to_server,established; content:"|4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 50 00 57 00 44 00 55 00 4D 00 50 00 34 00 2E 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-pwdump4.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008444; classtype:suspicious-filename-detect; sid:2008444; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uqspvdwyltgcyhft.ru"; flow:established,to_server; content:"|3a| uqspvdwyltgcyhft.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015122; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT Pwdump6 Session Established test file created on victim"; flow:to_server,established; content:"|5c 00 74 00 65 00 73 00 74 00 2e 00 70 00 77 00 64|"; reference:url,xinn.org/Snort-pwdump6.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008445; classtype:suspicious-filename-detect; sid:2008445; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ezfydrexncoidbus.ru"; flow:established,to_server; content:"|3a| ezfydrexncoidbus.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015123; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"ET EXPLOIT VLC web interface buffer overflow attempt"; flow:to_server,established; content:"|2F|requests|2F|status|2E|xml|3F|"; http_uri; nocase; content:"input|3D|smb|3A 2F|"; http_uri; nocase; pcre:"/\x2Frequests\x2Fstatus\x2Exml\x3F[^\x0A\x0D]*input\x3D[^\x0A\x0D\x26\x3B]{1000}/iU"; reference:url,milw0rm.org/exploits/9029; reference:url,doc.emergingthreats.net/2009511; classtype:web-application-attack; sid:2009511; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hfveiooumeyrpchg.ru"; flow:established,to_server; content:"|3a| hfveiooumeyrpchg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015124; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt"; flow:established,to_server; content:"/includes/Cache/Lite/Output.php?mosConfig_absolute_path="; nocase; http_uri; pcre:"/=\s*(https|ftps|php|http|ftp)\x3A\x2F/Ui"; reference:url,www.securityfocus.com/bid/29716/info; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/29716.rb; reference:url,doc.emergingthreats.net/2010223; classtype:web-application-attack; sid:2010223; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qlihxnncwioxkdls.ru"; flow:established,to_server; content:"|3a| qlihxnncwioxkdls.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015125; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible VLC Media Player M3U File FTP URL Processing Stack Buffer Overflow Attempt"; flowbits:isset,ET.m3u.download; flow:established,to_client; content:"ftp|3A|//"; nocase; content:"PRAV"; within:10; isdataat:2000,relative; content:!"|0A|"; within:2000; reference:url,securitytracker.com/alerts/2010/Jul/1024172.html; reference:url,doc.emergingthreats.net/2011242; classtype:attempted-user; sid:2011242; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sqwlonyduvpowdgy.ru"; flow:established,to_server; content:"|3a| sqwlonyduvpowdgy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015126; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC USER command"; flow:to_server,established; content:"USER|20|"; nocase; content:"|203a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002023; classtype:misc-activity; sid:2002023; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dyjvewshptsboygd.ru"; flow:established,to_server; content:"|3a| dyjvewshptsboygd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015127; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC PRIVMSG command"; flow:established,to_server; content:"PRIVMSG|20|"; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002026; classtype:misc-activity; sid:2002026; rev:21; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain febcbuyswmishvpl.ru"; flow:established,to_server; content:"|3a| febcbuyswmishvpl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015128; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp any 6666:7000 -> any any (msg:"ET CHAT IRC PING command"; flow:from_server,established; content:"PING|20|"; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002027; classtype:misc-activity; sid:2002027; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain plmekaayiholtevt.ru"; flow:established,to_server; content:"|3a| plmekaayiholtevt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015129; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unkown exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014658; rev:1; metadata:created_at 2012_04_30, former_category EXPLOIT_KIT, updated_at 2012_04_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rpckbgrziwbdrmhr.ru"; flow:established,to_server; content:"|3a| rpckbgrziwbdrmhr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015130; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Excessive JavaScript replace /g - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:"replace|28 2F|"; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; classtype:exploit-kit; sid:2014098; rev:4; metadata:created_at 2012_01_04, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cyosongjihugkjbg.ru"; flow:established,to_server; content:"|3a| cyosongjihugkjbg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015131; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Infostealer exe Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/crack."; http_uri; content:".exe"; http_uri; pcre:"/\/crack\.\d+\.exe$/Ui"; classtype:trojan-activity; sid:2010059; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eefysywrvkgxuqdf.ru"; flow:established,to_server; content:"|3a| eefysywrvkgxuqdf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015132; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE P2P Zeus or ZeroAccess Request To CnC"; flow:established,to_server; dsize:20; content:"|E5 AA C0 31|"; depth:4; content:"|5B 74 08 4D 9B 39 C1|"; distance:5; within:7; reference:url,www.abuse.ch/?p=3499; reference:url,www.kindsight.net/sites/default/files/Kindsight_Malware_Analysis-ZeroAcess-Botnet-final.pdf; classtype:command-and-control; sid:2013911; rev:9; metadata:created_at 2011_11_11, former_category MALWARE, updated_at 2011_11_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nkrbvqxzfwicmhwb.ru"; flow:established,to_server; content:"|3a| nkrbvqxzfwicmhwb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015133; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014662; rev:1; metadata:created_at 2012_05_02, former_category DOS, updated_at 2012_05_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qphhsudsmeftdaht.ru"; flow:established,to_server; content:"|3a| qphhsudsmeftdaht.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015134; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Negative Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,&,0x80,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014663; rev:1; metadata:created_at 2012_05_02, former_category DOS, updated_at 2012_05_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain axtopsbtntqnfdyk.ru"; flow:established,to_server; content:"|3a| axtopsbtntqnfdyk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015135; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt Negative INT"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_test:1,&,0x80,1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014430; rev:13; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ddkudnuklgiwtdyw.ru"; flow:established,to_server; content:"|3a| ddkudnuklgiwtdyw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015136; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing for prototype catch substr"; flow:established,from_server; content:"try{prototype|3b|}catch("; fast_pattern; content:"substr"; distance:0; classtype:trojan-activity; sid:2014661; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mkwwclogcvgeekws.ru"; flow:established,to_server; content:"|3a| mkwwclogcvgeekws.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015137; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Virtual Technician MVT.MVTControl.6300 ActiveX Control GetObject method Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF"; nocase; distance:0; content:".GetObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/18805/; classtype:attempted-user; sid:2014708; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain opldkflyvlkywuec.ru"; flow:established,to_server; content:"|3a| opldkflyvlkywuec.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015138; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Virtual Technician MVT.MVTControl.6300 ActiveX Control GetObject method Remote Code Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MVT.MVTControl.6300"; nocase; distance:0; content:".GetObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/18805/; classtype:attempted-user; sid:2014709; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yvxfekhokspfuwqr.ru"; flow:established,to_server; content:"|3a| yvxfekhokspfuwqr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015139; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Samsung NET-i Viewer Active-X SEH Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"FA6E2EA9-D816-4F00-940B-609C9E8847A4"; nocase; distance:0; content:"RequestScreenOptimization"; nocase; distance:0; reference:url,packetstormsecurity.com/files/112363; classtype:attempted-user; sid:2014710; rev:3; metadata:created_at 2012_05_04, former_category ACTIVEX, updated_at 2012_05_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bdprvpxdejpohqpt.ru"; flow:established,to_server; content:"|3a| bdprvpxdejpohqpt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015140; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"WebexUCFObject.WebexUCFObject"; nocase; distance:0; content:"NewObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/16604/; classtype:attempted-user; sid:2014713; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ljbvfrsvcevyfhor.ru"; flow:established,to_server; content:"|3a| ljbvfrsvcevyfhor.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015141; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow 2"; flow:to_client,established; content:"CLSID"; nocase; content:"32E26FD9-F435-4A20-A561-35D4B987CFDC"; nocase; distance:0; content:"NewObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/16604/; classtype:attempted-user; sid:2014714; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain noqzuukouyfuyrmd.ru"; flow:established,to_server; content:"|3a| noqzuukouyfuyrmd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015142; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Simbot.Backdoor Checkin"; flow:established,to_server; content:"/rclgx.php?id="; depth:14; http_uri; reference:md5,a4edc9d31bc0ad763b3424e9306f4d7c; classtype:command-and-control; sid:2014719; rev:2; metadata:created_at 2012_05_08, former_category MALWARE, updated_at 2012_05_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xvcewyydwsmdgaju.ru"; flow:established,to_server; content:"|3a| xvcewyydwsmdgaju.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015143; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader/Agent.dxh.1 Reporting to CnC"; flow:established,to_server; dsize:80<>110; content:"!"; depth:1; content:"|5C 7C 3F 2F|"; within:6; content:".exe|5C 7C 3F 2F|"; distance:0; reference:md5,ded49b8c92d7ab6725649f04f30df8ce; classtype:command-and-control; sid:2014720; rev:2; metadata:created_at 2012_05_08, former_category MALWARE, updated_at 2012_05_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zatiscwwtipqlycd.ru"; flow:established,to_server; content:"|3a| zatiscwwtipqlycd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015144; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Boatz Checkin"; flow:to_server,established; content:"/clients.php?os="; http_uri; content:"&name="; distance:0; http_uri; content:"&id="; distance:0; http_uri; content:"&loc="; distance:0; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/pastebin-shares-botnet-source-code; classtype:command-and-control; sid:2014721; rev:2; metadata:created_at 2012_05_08, former_category MALWARE, updated_at 2012_05_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jjgshrjdcynohyuk.ru"; flow:established,to_server; content:"|3a| jjgshrjdcynohyuk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015145; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspicious lcon http header in response seen with Medfos/Midhos downloader"; flow:to_client,established; content:"|0d 0a|lcon|3a 20|"; http_header; reference:md5,63491dcc8e897bf442599febe48b824d; classtype:trojan-activity; sid:2014723; rev:2; metadata:created_at 2012_05_08, updated_at 2012_05_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mouwwvcwwlilnxub.ru"; flow:established,to_server; content:"|3a| mouwwvcwwlilnxub.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015146; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Snap Bot Checkin"; flow:to_server,established; content:"id="; depth:3; http_client_body; content:"&s5_uidx="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&s5="; distance:0; http_client_body; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:command-and-control; sid:2014731; rev:2; metadata:created_at 2012_05_11, former_category MALWARE, updated_at 2012_05_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vuhaojpwxgsxuitu.ru"; flow:established,to_server; content:"|3a| vuhaojpwxgsxuitu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015147; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Snap Bot Receiving DDoS Command"; flow:to_client,established; content:"|0d 0a 0d 0a|"; content:"|7c|ddos|7c|"; distance:1; within:10; nocase; pcre:"/^\d+\x7cddos\x7c([^\x7c]+\x7c){5}[^\x7c]+$/mi"; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014733; rev:5; metadata:created_at 2012_05_11, updated_at 2012_05_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yayfefhrwawquwcw.ru"; flow:established,to_server; content:"|3a| yayfefhrwawquwcw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015148; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Snap Bot Receiving Download Command"; flow:to_client,established; content:"|0d 0a 0d 0a|"; content:"|7c|dlexec|7c|"; nocase; distance:1; within:12; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; pcre:"/^\d+\x7cdlexec\x7c([^\x7c]+\x7c){3}[^\x7c]+$/mi"; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014732; rev:4; metadata:created_at 2012_05_11, updated_at 2012_05_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iiloishkjwvqldlq.ru"; flow:established,to_server; content:"|3a| iiloishkjwvqldlq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015149; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious file bitdefender_isecurity.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/programas/bitdefender-internet-security/2011/bitdefender_isecurity.exe"; http_uri; nocase; reference:md5,283ae10839fff3e183193efde3e633eb; classtype:pup-activity; sid:2014735; rev:3; metadata:created_at 2012_05_11, former_category ADWARE_PUP, updated_at 2012_05_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain knauycqgsdhgbwjo.ru"; flow:established,to_server; content:"|3a| knauycqgsdhgbwjo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015150; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Java Exploit request to /24842.jar"; flow:established,to_server; content:"/24842.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014749; rev:1; metadata:created_at 2012_05_14, former_category EXPLOIT_KIT, updated_at 2012_05_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uumwyzhctrwdsrdp.ru"; flow:established,to_server; content:"|3a| uumwyzhctrwdsrdp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015151; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Votwup.Backdoor Checkin"; flow:established,to_server; content:"/ddos?uid="; http_uri; content:"&ver="; http_uri; reference:md5,1325e4e44b5bf2f8dfe550dec016da53; classtype:command-and-control; sid:2014760; rev:2; metadata:created_at 2012_05_17, former_category MALWARE, updated_at 2012_05_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wzbdwenwshfzglwt.ru"; flow:established,to_server; content:"|3a| wzbdwenwshfzglwt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015152; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SpyBanker Infection Confirmation Email 2"; flow:established,to_server; content:"From|3A 20 22|Infected|22|"; reference:md5,f091e8ed0e8f4953ff10ce3bd06dbe54; classtype:trojan-activity; sid:2014762; rev:2; metadata:created_at 2012_05_17, updated_at 2012_05_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hiplksflttfkpsxn.ru"; flow:established,to_server; content:"|3a| hiplksflttfkpsxn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015153; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page JavaScript Split String Obfuscation of CharCode"; flow:established,to_client; content:"|22|h|22|+|22|arCode|22 3B|"; classtype:trojan-activity; sid:2014773; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jnfrqmekhoevppvw.ru"; flow:established,to_server; content:"|3a| jnfrqmekhoevppvw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015154; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Malicious PDF qweqwe="; flow:established,to_client; content:"><qwe qweqwe="; reference:url,jsunpack.jeek.org/dec/go?report=4d25f4f01ff5cdbee35a23fcd9e047b69d917b47; classtype:trojan-activity; sid:2014774; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ttqtkmthptxvwiku.ru"; flow:established,to_server; content:"|3a| ttqtkmthptxvwiku.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015155; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole PDF Payload Request"; flow:established,to_server; content:"/content/"; http_uri; content:".php?f="; http_uri; pcre:"/\x2Fcontent\x2F[a-z0-9]{1,6}\x2Ephp\x3Ff\x3D[0-9]{1,5}$/Ui"; classtype:trojan-activity; sid:2014775; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vygzhvfiuommkqfj.ru"; flow:established,to_server; content:"|3a| vygzhvfiuommkqfj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015156; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole PDF Payload Request With Double Colon"; flow:established,to_server; content:"/content/"; http_uri; content:".php?f="; http_uri; content:"|3A 3A|"; http_uri; pcre:"/\x2Fcontent\x2F[a-z0-9]{1,6}\x2Ephp\x3Ff\x3D[0-9]{1,5}\x3A\x3A[0-9]{1,5}$/Ui"; classtype:trojan-activity; sid:2014776; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fhuidtlqttqxgjvn.ru"; flow:established,to_server; content:"|3a| fhuidtlqttqxgjvn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015157; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Win32/MultiPasswordRecovery.A cs-crash PWS"; flow:to_server,established; content:"X-Mailer|3a| Blat "; content:"Subject|3A 20|Contents of file|3A 20|stdin.txt"; content:"name|3D|"; distance:0; content:".mpf"; within:24; classtype:trojan-activity; sid:2014793; rev:3; metadata:created_at 2012_05_19, updated_at 2012_05_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain imjosxuhbcdonrco.ru"; flow:established,to_server; content:"|3a| imjosxuhbcdonrco.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015158; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"GPL RPC kerberos principal name overflow UDP"; content:"j"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2102578; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rtvqcdpbqxgwnrcn.ru"; flow:established,to_server; content:"|3a| rtvqcdpbqxgwnrcn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015159; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"GPL RPC kerberos principal name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2102579; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tykvyflnjhbnqpnr.ru"; flow:established,to_server; content:"|3a| tykvyflnjhbnqpnr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015160; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; flowbits:unset,smb.trans2; byte_test:2,>,15,34,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103143; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gmokuosvnbkshdtd.ru"; flow:established,to_server; content:"|3a| gmokuosvnbkshdtd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015162; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103144; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qsbourrdxgxgwepy.ru"; flow:established,to_server; content:"|3a| qsbourrdxgxgwepy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015163; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; flowbits:unset,smb.trans2; byte_test:2,>,15,34,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103145; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sxpskxdgoczvcjgp.ru"; flow:established,to_server; content:"|3a| sxpskxdgoczvcjgp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015164; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103146; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dhedppigtpbwrmpc.ru"; flow:established,to_server; content:"|3a| dhedppigtpbwrmpc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015165; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|07 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103135; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain flthmyjeuhdygshf.ru"; flow:established,to_server; content:"|3a| flthmyjeuhdygshf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015166; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103136; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain osflhkaowydftniw.ru"; flow:established,to_server; content:"|3a| osflhkaowydftniw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015167; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|07 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103137; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rxupwhkznihnxzqx.ru"; flow:established,to_server; content:"|3a| rxupwhkznihnxzqx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015168; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103138; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bgjzhlasdrwwnenj.ru"; flow:established,to_server; content:"|3a| bgjzhlasdrwwnenj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015169; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|01 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103139; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain elxegvkalqvkyoxc.ru"; flow:established,to_server; content:"|3a| elxegvkalqvkyoxc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015170; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103140; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nrkhysgoltauclop.ru"; flow:established,to_server; content:"|3a| nrkhysgoltauclop.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015171; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|01 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103141; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pwyloytoagndnrex.ru"; flow:established,to_server; content:"|3a| pwyloytoagndnrex.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015172; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PCMightyMax Agent PCMM.Installer"; flow:to_server; content:"User-Agent|3A 20|PCMM.Installer"; http_header; classtype:pup-activity; sid:2014798; rev:2; metadata:created_at 2012_05_22, former_category ADWARE_PUP, updated_at 2012_05_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zenquqdskekaudbe.ru"; flow:established,to_server; content:"|3a| zenquqdskekaudbe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015173; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Delf Checkin via HTTP (8)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"name="; http_client_body; depth:5; reference:url,doc.emergingthreats.net/2008268; classtype:trojan-activity; sid:2008268; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cldcrgtnuwvgnbfd.ru"; flow:established,to_server; content:"|3a| cldcrgtnuwvgnbfd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015174; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page getElementByID Qwe - May 22nd 2012"; flow:established,to_client; content:"getElementById']('qwe')"; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014800; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_23, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mroeqjdaukskbgua.ru"; flow:established,to_server; content:"|3a| mroeqjdaukskbgua.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015175; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown java_ara Bin Download"; flow:established,to_server; content:"java_ara&name="; http_uri; content:"/forum/"; http_uri; content:".php?"; http_uri; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014805; rev:2; metadata:created_at 2012_05_24, former_category CURRENT_EVENTS, updated_at 2012_05_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain owekhoeuhmdiehrw.ru"; flow:established,to_server; content:"|3a| owekhoeuhmdiehrw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015176; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Wimmie.A Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/count.php?m=w&n="; http_uri; content:"_"; distance:0; http_uri; content:"@."; distance:0; http_uri; content:"|16 00 00 00|down"; http_client_body; depth:8; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; reference:md5,61474931882dce7b1c67e1f22d26187e; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AVBS%2FWimmie.A; reference:md5,6fd7493e56fdc3b0dd8ecd24aea20da1; classtype:command-and-control; sid:2014804; rev:6; metadata:created_at 2011_11_05, former_category MALWARE, updated_at 2011_11_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ydrngsmrdiiyvoiy.ru"; flow:established,to_server; content:"|3a| ydrngsmrdiiyvoiy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015177; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spygalaxy.ws Spyware Checkin"; flow: to_server,established; content:"/install.php?id="; nocase; http_uri; content:"Host|3a| spygalaxy.ws|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001489; classtype:pup-activity; sid:2001489; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bkhyiqitpoxewhmt.ru"; flow:established,to_server; content:"|3a| bkhyiqitpoxewhmt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015178; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Spyware Checkin"; flow: to_server,established; content:"/install.gz"; nocase; http_uri; content:"Host|3a| xpire.info|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001491; classtype:pup-activity; sid:2001491; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain krtbityuhlewigfe.ru"; flow:established,to_server; content:"|3a| krtbityuhlewigfe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015179; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Thetatic.A Client POST Get CMD Checkin"; flow:established,to_server; content:"POST"; http_method; content:"CONTENT-TYPE|3a| application/x-www-form-urlencoded"; fast_pattern; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Win32|3b| WinHttp.WinHttpRequest.5)"; http_header; content:"cstype="; http_client_body; depth:7; content:"&authname="; distance:0; http_client_body; classtype:trojan-activity; sid:2014794; rev:4; metadata:created_at 2012_05_22, updated_at 2012_05_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nvjgyermzsmynaeq.ru"; flow:established,to_server; content:"|3a| nvjgyermzsmynaeq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015180; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious pusk.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/pusk.exe"; nocase; http_uri; reference:md5,eae75c0e34d11e6daef216cfc3fbbb04; classtype:pup-activity; sid:2014810; rev:4; metadata:created_at 2012_05_25, former_category ADWARE_PUP, updated_at 2012_05_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jwkpdxqbemsmclal.ru"; flow:established,to_server; content:"|3a| jwkpdxqbemsmclal.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015181; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DYNAMIC_DNS HTTP Request to a *.dyndns.* domain"; flow:established,to_server; content:".dyndns."; http_header; nocase; pcre:"/\.dyndns\.(?=(biz|info|org|tv))\x0d\x0a/iH"; classtype:bad-unknown; sid:2012927; rev:4; metadata:created_at 2011_06_03, updated_at 2011_06_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uinyjmxfqinkxbda.ru"; flow:established,to_server; content:"|3a| uinyjmxfqinkxbda.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015183; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain"; flow:established,to_server; content:".dyndns-"; http_header; nocase; pcre:"/\.dyndns-(?=(at-home|at-work|blog|free|home|ip|mail|office|pics|remote|server|web|wiki|work))\.com\x0d\x0a/iH"; classtype:bad-unknown; sid:2012928; rev:7; metadata:created_at 2011_06_03, updated_at 2011_06_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xndfbivuonkxfxrq.ru"; flow:established,to_server; content:"|3a| xndfbivuonkxfxrq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015184; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CrazyWinnings.com Activity"; flow: established,to_server; content:"/scripts/protect.php?promo=promo"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001733; classtype:trojan-activity; sid:2001733; rev:8; metadata:created_at 2010_07_30, updated_at 2016_09_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hvpmffxpfnlquqxo.ru"; flow:established,to_server; content:"|3a| hvpmffxpfnlquqxo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015185; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito Exploit Kit landing page request to images.php?t=4xxxxxxx"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:22; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014641; rev:4; metadata:created_at 2012_04_26, former_category EXPLOIT_KIT, updated_at 2012_04_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kbgsbqjugdqrgtdw.ru"; flow:established,to_server; content:"|3a| kbgsbqjugdqrgtdw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015186; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET DELETED Storm Controller Response to Drone via tcp"; flowbits:isset,BE.stormtcp.init; flow:established,from_server; dsize:4; reference:url,doc.emergingthreats.net/bin/view/Main/StormWorm; classtype:trojan-activity; sid:2007641; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tisubmfvqrgnloxr.ru"; flow:established,to_server; content:"|3a| tisubmfvqrgnloxr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015187; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Making initial outbound connection"; flowbits:isnotset,BE.stormtcp.init; flow:established,to_server; dsize:4; flowbits:noalert; flowbits:set,BE.stormtcp.init; reference:url,doc.emergingthreats.net/bin/view/Main/StormWorm; classtype:trojan-activity; sid:2007640; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vmibswhnpqhqwyih.ru"; flow:established,to_server; content:"|3a| vmibswhnpqhqwyih.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015188; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Sefnit Checkin 3"; flow:established,to_server; content:"?re="; http_uri; content:"&r="; distance:0; http_uri; content:"&u="; distance:0; http_uri; content:"&cid="; distance:0; http_uri; content:"&rc="; distance:0; http_uri; content:"&pa="; distance:0; http_uri; content:"&ref1="; distance:0; http_uri; content:"&ref2="; distance:0; http_uri; classtype:trojan-activity; sid:2014246; rev:3; metadata:created_at 2012_02_21, updated_at 2012_02_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru"; flow:established,to_server; content:"|3a| gvujhzvjxwptrtdg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015189; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Packed Executable Download"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; isdataat:100,relative; content:"This program "; distance:0; content:"PE|00 00|"; distance:0; content:!"data"; within:400; content:!"text"; within:400; content:!"rsrc"; within:400; classtype:misc-activity; sid:2014819; rev:3; metadata:created_at 2012_05_30, updated_at 2012_05_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT BMP with invalid bfOffBits"; flow:established,to_client; content:"|0d 0a 0d 0a|BM"; fast_pattern; byte_test:4,>,14,0,relative; content:"|0000000000000000|"; distance:4; within:8; reference:url,www.microsoft.com/technet/security/Bulletin/ms06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; reference:url,doc.emergingthreats.net/bin/view/Main/2002803; classtype:attempted-user; sid:2002803; rev:10; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 88 (msg:"ET MALWARE Virus.Win32.Sality.aa Checkin"; flow:established,to_server; content:".txt"; http_uri; pcre:"/\.txt$/U"; content:"User-Agent|3a| Download|0d 0a|"; http_header; reference:md5,1e0e6717f72b66f6fc83f2ef6c00dcb7; classtype:command-and-control; sid:2014826; rev:5; metadata:created_at 2012_04_09, former_category MALWARE, updated_at 2012_04_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru"; flow:established,to_server; content:"|3a| iblpdiqdmmsbnuxb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015190; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound Variant 4"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS_AIR_CARGO_bar-coded-lot-labels-EXAMPLE.zip|22|"; nocase; within:100; classtype:trojan-activity; sid:2012235; rev:3; metadata:created_at 2011_01_27, updated_at 2011_01_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain shxrsvasoncjnxpn.ru"; flow:established,to_server; content:"|3a| shxrsvasoncjnxpn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015191; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Inbound bad attachment v.4"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS_AIR_CARGO_bar-coded-lot-labels-EXAMPLE.zip|22| "; nocase; within:100; classtype:trojan-activity; sid:2012442; rev:2; metadata:created_at 2011_03_09, updated_at 2011_03_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ummxjwieppswcnrg.ru"; flow:established,to_server; content:"|3a| ummxjwieppswcnrg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015192; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS FedEX Spam Inbound"; flow:established,to_server; content:"name=|22|FEDEX"; nocase; content:".zip|22|"; within:47; nocase; pcre:"/name=\x22FEDEX(\s|_|\-)?[a-z0-9\-_\.\s]{0,42}\.zip\x22/i"; classtype:trojan-activity; sid:2014827; rev:2; metadata:created_at 2012_05_30, updated_at 2012_05_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fuyfrockpfclxccd.ru"; flow:established,to_server; content:"|3a| fuyfrockpfclxccd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015193; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS UPS Spam Inbound"; flow:established,to_server; content:"name=|22|"; nocase; content:"UPS"; nocase; within:11; content:".zip|22|"; within:74; nocase; pcre:"/name=\x22([a-z_]{0,8})?UPS(\s|_|\-)?[a-z0-9\-_\.\s]{0,69}\.zip\x22/i"; classtype:trojan-activity; sid:2014828; rev:2; metadata:created_at 2012_05_30, former_category CURRENT_EVENTS, updated_at 2017_12_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain haqmuqqukywrcxfa.ru"; flow:established,to_server; content:"|3a| haqmuqqukywrcxfa.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015194; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Post Express Spam Inbound"; flow:established,to_server; content:"name=|22|Post_Express_Label_"; nocase; content:".zip|22|"; within:15; nocase; pcre:"/name=\x22Post_Express_Label_[a-z0-9\-_\.\s]{0,10}\.zip\x22/i"; classtype:trojan-activity; sid:2014829; rev:1; metadata:created_at 2012_05_30, updated_at 2012_05_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qhcplcuugevvyham.ru"; flow:established,to_server; content:"|3a| qhcplcuugevvyham.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015195; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; classtype:policy-violation; sid:2102458; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tmrtbcienxrbnsjc.ru"; flow:established,to_server; content:"|3a| tmrtbcienxrbnsjc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015196; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Feodo/Cridex Traffic Detected"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/zb/v_01_a/in/"; http_uri; classtype:trojan-activity; sid:2014841; rev:2; metadata:created_at 2012_06_01, updated_at 2012_06_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dueebwwdllfburag.ru"; flow:established,to_server; content:"|3a| dueebwwdllfburag.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015197; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS webshell used In timthumb attacks GIF98a 16129xX with PHP"; flow:to_client,established; file_data; content:"|0d 0a 0d 0a|GIF89a|01 3f|"; content:"<?"; within:720; reference:url,blog.sucuri.net/2012/05/list-of-domains-hosting-webshells-for-timthumb-attacks.html; classtype:web-application-attack; sid:2014848; rev:3; metadata:created_at 2012_06_01, updated_at 2012_06_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fzsirujgdbvabrjm.ru"; flow:established,to_server; content:"|3a| fzsirujgdbvabrjm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015198; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> any any (msg:"ET MALWARE Flamer WuSetupV module traffic 2"; flow:established,to_server; content:"?ac=1"; http_uri; content:"&fd="; http_uri; distance:0; content:"&gb="; http_uri; distance:0; content:"&rt="; http_uri; reference:md5,1f61d280067e2564999cac20e386041c; classtype:trojan-activity; sid:2014850; rev:5; metadata:created_at 2012_06_04, updated_at 2012_06_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pghnrmkoeoetfwsm.ru"; flow:established,to_server; content:"|3a| pghnrmkoeoetfwsm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015199; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> any any (msg:"ET MALWARE Flamer WuSetupV module traffic 1"; flow:established,to_server; content:"?mp=1"; http_uri; content:"&jz="; http_uri; distance:0; content:"&fd="; http_uri; distance:0; content:"&am="; http_uri; distance:0; content:"&ef="; http_uri; distance:0; content:"&pr="; http_uri; distance:0; content:"&ec="; http_uri; distance:0; content:"&ov="; http_uri; distance:0; content:"&pl="; http_uri; distance:0; reference:md5,1f61d280067e2564999cac20e386041c; classtype:trojan-activity; sid:2014849; rev:3; metadata:created_at 2012_06_04, updated_at 2012_06_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rlvqmipovrqbmvqd.ru"; flow:established,to_server; content:"|3a| rlvqmipovrqbmvqd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015200; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sakura Exploit Kit Version 1.1 document.write Fake 404 - Landing Page"; flow:established,to_client; content:"document.write(|22|404|22 3B|"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:exploit-kit; sid:2014852; rev:3; metadata:created_at 2012_06_05, former_category EXPLOIT_KIT, updated_at 2012_06_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ctjbmgjudwisgshv.ru"; flow:established,to_server; content:"|3a| ctjbmgjudwisgshv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015201; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Incognito/Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; content:"<applet"; depth:500; content:"lxxt>33"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014176; rev:3; metadata:created_at 2012_02_01, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eyxejlabqaytqmjx.ru"; flow:established,to_server; content:"|3a| eyxejlabqaytqmjx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015202; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Incognito/Sakura exploit kit binary download request"; flow:established,to_server; content:"/load.php?showforum="; http_uri; pcre:"/^\/load.php\?showforum=(ato|obe|rhino|lib)$/U"; classtype:exploit-kit; sid:2014177; rev:5; metadata:created_at 2012_02_01, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ogmjjmqdhlbyabzg.ru"; flow:established,to_server; content:"|3a| ogmjjmqdhlbyabzg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015203; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAvCn-A Checkin 2"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/support/sr"; http_uri; fast_pattern:only; urilen:11; classtype:trojan-activity; sid:2014856; rev:2; metadata:created_at 2012_06_05, updated_at 2012_06_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qlbpfyrupyadvjsl.ru"; flow:established,to_server; content:"|3a| qlbpfyrupyadvjsl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015204; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Fraudulent Paypal Mailing Server Response June 04 2012"; flow:from_server,established; content:"<html>|0d 0a|<title>Paypal"; fast_pattern; content:"|3a 20|Loading<"; distance:0; classtype:trojan-activity; sid:2014858; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain atnwerhvttvbivra.ru"; flow:established,to_server; content:"|3a| atnwerhvttvbivra.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015205; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MP4 Embedded in PDF File - Potential Flash Exploit"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"stream"; distance:0; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; reference:cve,2012-0754; reference:url,blog.9bplus.com/observing-the-enemy-cve-2012-0754-pdf-interac; classtype:bad-unknown; sid:2014865; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_07, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dydderasilekaegh.ru"; flow:established,to_server; content:"|3a| dydderasilekaegh.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015206; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http any any -> $HOME_NET any (msg:"ET POLICY SN and CN From MS TS Revoked Cert Chain Seen"; flow:established,from_server; content:"|c1 00 8b 3c 3c 88 11 d1 3e f6 63 ec df 40|"; content:"Microsoft Root Authority"; distance:105; within:24; content:"Microsoft Enforced Licensing Intermediate PCA"; distance:0; content:"|61 1a 02 b7 00 02 00 00 00 12|"; distance:0; content:"Microsoft Enforced Licensing Registration Authority CA"; distance:378; within:54; reference:url,blog.crysys.hu/2012/06/the-flame-malware-wusetupv-exe-certificate-chain/; reference:url,rmhrisk.wpengine.com/?p=52; reference:url,msdn.microsoft.com/en-us/library/aa448396.aspx; reference:md5,1f61d280067e2564999cac20e386041c; classtype:bad-unknown; sid:2014870; rev:4; metadata:created_at 2012_06_08, updated_at 2012_06_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mfqfrnqllqcrayiw.ru"; flow:established,to_server; content:"|3a| mfqfrnqllqcrayiw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015207; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Self Signed SSL Certificate (Reaserch)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"Security Reaserch WWEB Group|2c| LLC"; classtype:trojan-activity; sid:2014871; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pkglwwwmjxokzzfq.ru"; flow:established,to_server; content:"|3a| pkglwwwmjxokzzfq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015208; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Self Signed SSL Certificate (John Doe)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|08|John Doe0"; classtype:trojan-activity; sid:2014872; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yrrnrgliojezjctg.ru"; flow:established,to_server; content:"|3a| yrrnrgliojezjctg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015209; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP overflow Media Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013077; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_06_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bxhzugppnulxghvm.ru"; flow:established,to_server; content:"|3a| bxhzugppnulxghvm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015210; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SutraTDS (enema) used in Blackhole campaigns"; flow:to_server,established; content:"/top2.html"; http_uri; content:"|0d 0a|Host|3a| enema."; http_header; classtype:bad-unknown; sid:2014885; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lfvcngdbzjrzgyby.ru"; flow:established,to_server; content:"|3a| lfvcngdbzjrzgyby.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015211; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Microsoft user-agent automated process response to automated request"; flow:established,from_server; content:"<p>Your current User-Agent string appears to be from an automated process,"; classtype:trojan-activity; sid:2012692; rev:6; metadata:created_at 2011_04_19, updated_at 2011_04_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nkkijjyioljbfysn.ru"; flow:established,to_server; content:"|3a| nkkijjyioljbfysn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015212; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE W32/Bakcorox.A ProxyBot CnC Server Connection"; flow:established,to_server; content:"GET favicon.ico HTTP/1.1"; depth:24; content:"Host|3A 20|bcProxyBot.com"; fast_pattern; distance:0; reference:url,contagioexchange.blogspot.co.uk/2012/06/022-crime-win32bakcoroxa-proxy-bot-web.html; classtype:command-and-control; sid:2014887; rev:2; metadata:created_at 2012_06_12, former_category MALWARE, updated_at 2012_06_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xqwkdyjydkggsppd.ru"; flow:established,to_server; content:"|3a| xqwkdyjydkggsppd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015213; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Yahoo IM successful chat join"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 98|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001261; classtype:policy-violation; sid:2001261; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain axmvnmubgwlmqfrp.ru"; flow:established,to_server; content:"|3a| axmvnmubgwlmqfrp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015214; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"ET DELETED Yahoo IM successful logon"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 01|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001253; classtype:policy-violation; sid:2001253; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain keabgwmpzqhpmlng.ru"; flow:established,to_server; content:"|3a| keabgwmpzqhpmlng.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015215; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL DELETED Yahoo IM successful logon"; flow:from_server,established; content:"YMSG"; nocase; content:"|00 01|"; distance:6; within:2; classtype:policy-violation; sid:2102450; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mjpflkwqskuqbjnk.ru"; flow:established,to_server; content:"|3a| mjpflkwqskuqbjnk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015216; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Zango Toolbar Spyware User Agent (ZangoToolbar )"; flow:to_server,established; content:"ZangoToolbar"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a.+ZangoToolbar.+\r$/Hmi"; reference:url,doc.emergingthreats.net/2003365; classtype:pup-activity; sid:2003365; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vqcicnuhtwhxmtjd.ru"; flow:established,to_server; content:"|3a| vqcicnuhtwhxmtjd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015217; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT RedKit - Java Exploit Requested - 5 digit jar"; flow:established,to_server; urilen:10; content:".jar"; http_uri; pcre:"/^\/[0-9]{5}\.jar$/U"; classtype:exploit-kit; sid:2014891; rev:1; metadata:created_at 2012_06_14, former_category CURRENT_EVENTS, updated_at 2012_06_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yvqnltydqtpresfu.ru"; flow:established,to_server; content:"|3a| yvqnltydqtpresfu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015218; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition: inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; content:"|0D 0A 0D 0A|PK"; pcre:"/=[0-9a-f]{8}\.jar/H"; classtype:exploit-kit; sid:2014892; rev:2; metadata:created_at 2012_06_14, former_category CURRENT_EVENTS, updated_at 2012_06_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iefwvulgninlkoxe.ru"; flow:established,to_server; content:"|3a| iefwvulgninlkoxe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015219; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT RedKit - Landing Page Received - applet and code"; flow:established,to_client; content:"<applet"; content:"code="; pcre:"/code=\"[a-z]\.[a-z][\.\"][ c]/"; classtype:exploit-kit; sid:2014895; rev:2; metadata:created_at 2012_06_15, former_category CURRENT_EVENTS, updated_at 2012_06_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ljubdldgqwbarplc.ru"; flow:established,to_server; content:"|3a| ljubdldgqwbarplc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015220; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Camera Stream Client Possible ActiveX Control SetDirectory Method Access Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"DcsCliCtrl.DCSStrmControl.1"; nocase; distance:0; content:"SetDirectory"; nocase; distance:0; reference:url,secunia.com/advisories/48602/; classtype:attempted-user; sid:2014903; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_15, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain upgghggmbusopaxv.ru"; flow:established,to_server; content:"|3a| upgghggmbusopaxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015221; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Camera Stream Client Possible ActiveX Control SetDirectory Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"721700FE-7F0E-49C5-BDED-CA92B7CB1245"; nocase; distance:0; content:"SetDirectory"; nocase; distance:0; reference:url,secunia.com/advisories/48602/; classtype:attempted-user; sid:2014902; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_15, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wuvjdexaqtmqkvgk.ru"; flow:established,to_server; content:"|3a| wuvjdexaqtmqkvgk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015222; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO .exe File requested over FTP"; flow:established,to_server; dsize:>10; content:"RETR"; depth:4; content:".exe|0d 0a|"; distance:0; pcre:"/^RETR\s+[^\r\n]+?\x2eexe\r?$/m"; classtype:policy-violation; sid:2014906; rev:2; metadata:created_at 2012_06_15, updated_at 2012_06_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hektxucstnbuncix.ru"; flow:established,to_server; content:"|3a| hektxucstnbuncix.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015223; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing - UPS Number Loading.. Jun 15 2012"; flow:established,from_server; content:"|20|Number|3A 20 09|Loading|2E 2E 3C|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014907; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jiyxdlvawkranmin.ru"; flow:established,to_server; content:"|3a| jiyxdlvawkranmin.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015224; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing - Verizon Balance Due Jun 15 2012"; flow:established,from_server; content:"|20|Balance Due|3a| Loading|2c 20|please wait|2e 2e 2e|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014908; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tplczomvebjmhsgk.ru"; flow:established,to_server; content:"|3a| tplczomvebjmhsgk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015225; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 9c 62 d8 66 66 66 66 54|"; classtype:trojan-activity; sid:2014909; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vuaivypissryzhij.ru"; flow:established,to_server; content:"|3a| vuaivypissryzhij.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015226; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer SameID Use-After-Free"; flow:established,from_server; content:"<DIV id="; nocase; content:"<img id="; nocase; distance:0; content:".innerHTML"; distance:0; pcre:"/<DIV\s*?id[\s\r\n]*?\x3d[\s\r\n]*?(?P<divid>[^>]+).+?<img\s*id=\s*?\x22(?P<imgid>[^\x22]+).+?\<a\s*?href=\x22javascript\x3a(?P<firstfunction>[^\x28]+)\(\).+?\>.*?\<div[^\>]+?id=\x22(?P=imgid)\x22[^>]+?on[A-Za-z]+?\s*?=\s*?\x22(?P<secondfunction>[^\x28]+)\(\)\x3b\s*?\x22.+?function[\s\r\n]*?(?P=firstfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?(?P=divid)\x2einnerHTML\s*?\x3d\s*?(?P=divid)\x2einnerHTML[\s\r\n]*?\x3b.*?\x7d.*?function[\s\r\n]*?(?P=secondfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?\x28\x22(?P=imgid)\x22\x29\x2esrc\s*?\x3d/si"; reference:cve,CVE-2012-1875; classtype:attempted-user; sid:2014911; rev:10; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gdoqznfilmtulxxv.ru"; flow:established,to_server; content:"|3a| gdoqznfilmtulxxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015227; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus iNotes Upload Module possible ActiveX Control Attachment_Times Method Access Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"0F2AAAE3-7E9E-4b64-AB5D-1CA24C6ACB9C"; nocase; distance:0; content:"Attachment_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49443/; classtype:attempted-user; sid:2014896; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_15, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iiewprjomieydnix.ru"; flow:established,to_server; content:"|3a| iiewprjomieydnix.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015228; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NuclearPack - JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; pcre:"/=[.\"]\w{8}\.jar/Hi"; content:"|0D 0A 0D 0A|PK"; fast_pattern; classtype:exploit-kit; sid:2014913; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ropypfmcqjjfdiel.ru"; flow:established,to_server; content:"|3a| ropypfmcqjjfdiel.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015229; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Variant 1 Traffic (1)"; dsize:25; content:"|10 a6|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007701; classtype:trojan-activity; sid:2007701; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain utfenjxpvwtroioi.ru"; flow:established,to_server; content:"|3a| utfenjxpvwtroioi.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015230; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Variant 1 Traffic (2)"; dsize:25; content:"|10 a0|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007702; classtype:trojan-activity; sid:2007702; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain edtmjcvfnfcbweed.ru"; flow:established,to_server; content:"|3a| edtmjcvfnfcbweed.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015231; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Armitage Exploit Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/bof.php"; http_uri; reference:url,doc.emergingthreats.net/2009032; classtype:trojan-activity; sid:2009032; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hhishrpjdixwtctz.ru"; flow:established,to_server; content:"|3a| hhishrpjdixwtctz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015232; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Redkit Java Exploit request to b.class"; flow:established,to_server; urilen:10; content:"/b.class"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014824; rev:3; metadata:created_at 2012_05_30, updated_at 2012_05_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qouubrmdxtgnnjvm.ru"; flow:established,to_server; content:"|3a| qouubrmdxtgnnjvm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015233; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito Landing Page Requested .php?showtopic=6digit"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.http.driveby.incognito.uri; urilen:25<>45; content:".php?showtopic="; http_uri; pcre:"/\.php\?showtopic=[0-9]{6}$/U"; classtype:exploit-kit; sid:2014922; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_06_20, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain stkbtccbckhdkbii.ru"; flow:established,to_server; content:"|3a| stkbtccbckhdkbii.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015234; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito Landing Page Received applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.incognito.uri; content:"<applet"; classtype:exploit-kit; sid:2014923; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_06_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dcyjurmfwhgvyoio.ru"; flow:established,to_server; content:"|3a| dcyjurmfwhgvyoio.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015235; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Unknown Java Malicious Jar /eeltff.jar"; flow:to_server,established; content:"/eeltff.jar"; nocase; http_uri; classtype:trojan-activity; sid:2014927; rev:1; metadata:created_at 2012_06_20, former_category CURRENT_EVENTS, updated_at 2012_06_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fhnpjsnknkuvhazm.ru"; flow:established,to_server; content:"|3a| fhnpjsnknkuvhazm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015236; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential Blackhole Exploit Pack Binary Load Request 2"; flow:established,to_server; content:".php?e="; fast_pattern; nocase; http_uri; content:"&f="; nocase; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; http_header; content:"Host|3a|"; http_header; distance:0; pcre:"/\.php\?e=\w+&f=\w+$/U"; flowbits:set,et.exploitkitlanding; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; classtype:bad-unknown; sid:2013550; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_08, deployment Perimeter, former_category TROJAN, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pozrtgdmhvhvdscn.ru"; flow:established,to_server; content:"|3a| pozrtgdmhvhvdscn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015237; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PDF embedded in XDP file (Possibly Malicious)"; flow:established, to_client; content:"<xdp|3a|xdp"; nocase; fast_pattern; content:"<pdf"; nocase; distance:0; pcre:"/\<xdp\x3axdp(\s+[^\>]*)?\>((?!\<\/xdp[^\>]*\>).)*?\<pdf/si"; reference:url,blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp; classtype:misc-attack; sid:2014926; rev:3; metadata:created_at 2012_06_20, updated_at 2012_06_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rsoxjlibxohdcyov.ru"; flow:established,to_server; content:"|3a| rsoxjlibxohdcyov.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015238; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown - Java Request .jar from dl.dropbox.com"; flow:established,to_server; content:"dl.dropbox.com|0D 0A|"; http_header; content:" Java/1"; http_header; content:".jar"; http_uri; classtype:bad-unknown; sid:2014928; rev:1; metadata:created_at 2012_06_21, updated_at 2012_06_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ccdifvomwhtynpay.ru"; flow:established,to_server; content:"|3a| ccdifvomwhtynpay.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015239; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus/Reveton checkin to /images.rar"; flow:established,to_server; content:"/images.rar"; fast_pattern; depth:11; http_uri; content:"User-Agent|3a 20|Internet Explorer"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^Host\x3a (\d+\.){3}\d+$/Dm"; reference:md5,2697e2b81ba1c90fcd32e24715fcf40a; classtype:command-and-control; sid:2014135; rev:3; metadata:created_at 2012_01_19, former_category MALWARE, updated_at 2018_02_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ehsmldxnregnruez.ru"; flow:established,to_server; content:"|3a| ehsmldxnregnruez.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015240; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Rabio Spyware/Adware Initial Registration"; flow:established,to_server; content:"POST"; http_method; nocase; content:"REGISTER|7c|"; depth:9; http_client_body; pcre:"/REGISTER\x7c\d+\x7c\d+\x7c\d+\x7c\d/P"; reference:url,www.spywareguide.com/product_show.php?id=3770; reference:url,www.rabio.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007820; classtype:pup-activity; sid:2007820; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lsvdxjpwykxxvryd.ru"; flow:established,to_server; content:"|3a| lsvdxjpwykxxvryd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015241; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious POST to ROBOTS.TXT"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/robots.txt"; nocase; http_uri; pcre:"/^\s?\+x=[0-9]*\;\ +y=[0-9]/C"; reference:url,doc.emergingthreats.net/bin/view/Main/2002856; classtype:unknown; sid:2002856; rev:9; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain oxkjnvhjnvnegtyb.ru"; flow:established,to_server; content:"|3a| oxkjnvhjnvnegtyb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015242; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Java Url Lib User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"Java/"; nocase; http_header; pcre:"/^User-Agent\:[^\n]+Java\/\d\.\d/Hmi"; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002946; classtype:attempted-recon; sid:2002946; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xfymtpavzblzbknq.ru"; flow:established,to_server; content:"|3a| xfymtpavzblzbknq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015243; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Ceckno Reporting to Controller"; flow:established,to_server; dsize:<30; content:"\:2|7c|"; depth:10; content:"|7c|"; distance:0; content:"|7c|"; distance:0; pcre:"/^\d+\x3a\d\x7c\d+\x7c[0-9a-z]+\x7c\d/i"; flowbits:set,ET.cekno.initial; reference:url,doc.emergingthreats.net/2008177; classtype:trojan-activity; sid:2008177; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ksacasnubklrikdl.ru"; flow:established,to_server; content:"|3a| ksacasnubklrikdl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015245; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Gemini Malware Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?cmd=getFile&counter="; http_uri; pcre:"/\.php\?cmd=getFile&counter=\d/U"; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,doc.emergingthreats.net/2010007; classtype:trojan-activity; sid:2010007; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mxpgggggukxqteoy.ru"; flow:established,to_server; content:"|3a| mxpgggggukxqteoy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015246; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Goldun Reporting Install"; flow:established,to_server; content:".php?codec="; http_uri; pcre:"/codec=\d+D\d+D\d/U"; reference:url,doc.emergingthreats.net/2007965; classtype:trojan-activity; sid:2007965; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wedkgpdcxlrunbmu.ru"; flow:established,to_server; content:"|3a| wedkgpdcxlrunbmu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015247; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC channel topic misc bot commands"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"|3a|"; content:"|20|332|20|"; within:50; content:"|2023|"; within:20; content:"|203a|"; pcre:"/(\.aim\w*|ascanall)\s+\w/i"; reference:url,doc.emergingthreats.net/2002386; classtype:trojan-activity; sid:2002386; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yjsovtnpgbwqcbbd.ru"; flow:established,to_server; content:"|3a| yjsovtnpgbwqcbbd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015248; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in"; flow:established,to_server; content:"POST"; http_method; content:"/MicroinstallServiceReport.php"; http_uri; content:"report="; http_client_body; content:"&pid="; http_client_body; content:"&wv="; http_client_body; pcre:"/report=\d+&pid=\d+&wv=[A-Za-z0-9]/P"; reference:url,doc.emergingthreats.net/2010246; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; classtype:trojan-activity; sid:2010246; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jrfyaswntteouafv.ru"; flow:established,to_server; content:"|3a| jrfyaswntteouafv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015249; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Loader *.jpg?t=0.* in http_uri"; flow:established,to_server; content:".jpg?t=0."; http_uri; pcre:"/\.jpg\?t\x3d\d\.\d/U"; classtype:trojan-activity; sid:2013520; rev:4; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lwtcxuzbdrsnpqfb.ru"; flow:established,to_server; content:"|3a| lwtcxuzbdrsnpqfb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015250; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoreFlooder C&C Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/index.php"; http_uri; nocase; content:"r="; http_client_body; content:"&i="; http_client_body; content:"&v="; http_client_body; content:"&os="; http_client_body; content:"&panic="; fast_pattern; http_client_body; content:"&input="; http_client_body; reference:url,doc.emergingthreats.net/2009287; classtype:command-and-control; sid:2009287; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain veihxoqukuetxqbn.ru"; flow:established,to_server; content:"|3a| veihxoqukuetxqbn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015251; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Bicololo.Dropper ne_unik CnC Server Response"; flow:established,to_client; content:"|0d 0a 0d 0a|ne_unik"; classtype:command-and-control; sid:2014933; rev:3; metadata:created_at 2012_06_22, former_category MALWARE, updated_at 2012_06_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xiwlnutkxsqxwjge.ru"; flow:established,to_server; content:"|3a| xiwlnutkxsqxwjge.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015252; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT Request to malicious info.php drive-by landing"; flow:established,to_server; content:"/info.php?n="; http_uri; fast_pattern:only; content:!"&"; http_uri; content:!"|0d 0a|Referer|3a|"; pcre:"/\/info.php\?n=\d/U"; classtype:trojan-activity; sid:2013010; rev:3; metadata:created_at 2011_06_10, former_category CURRENT_EVENTS, updated_at 2011_06_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hrkusbnevtmyisab.ru"; flow:established,to_server; content:"|3a| hrkusbnevtmyisab.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015253; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Java Exploit Attempt Request for .id from octal host"; flow:established,to_server; content:".id|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012628; rev:5; metadata:created_at 2011_04_04, former_category CURRENT_EVENTS, updated_at 2011_04_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kwyyhhqtwxupnhyu.ru"; flow:established,to_server; content:"|3a| kwyyhhqtwxupnhyu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015254; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FoxxySoftware - Landing Page Received - applet and 0px"; flow:established,to_client; content:"<applet"; content:"'0px'"; within:20; classtype:trojan-activity; sid:2014936; rev:3; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2012_06_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tdndpphrtyniynvz.ru"; flow:established,to_server; content:"|3a| tdndpphrtyniynvz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015255; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Autodesk MapGuide Viewer ActiveX LayersViewWidth Method Access Denial of Service"; flow:to_client,established; content:"CLSID"; nocase; content:"62789780-B744-11D0-986B-00609731A21D"; nocase; distance:0; content:"LayersViewWidth"; nocase; distance:0; reference:url,1337day.com/exploits/13938; classtype:attempted-user; sid:2014942; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wicjgufeimlbmcus.ru"; flow:established,to_server; content:"|3a| wicjgufeimlbmcus.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015256; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Autodesk MapGuide Viewer ActiveX LayersViewWidth Method Access Denial of Service 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MGMapControl.MGMap"; nocase; distance:0; content:"LayersViewWidth"; nocase; distance:0; reference:url,1337day.com/exploits/13938; classtype:attempted-user; sid:2014943; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gqortbbbsnksxpmm.ru"; flow:established,to_server; content:"|3a| gqortbbbsnksxpmm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015257; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MALVERTISING Malicious Advertizing URL in.cgi"; flow:to_server,established; content:"/in.cgi?"; http_uri; classtype:bad-unknown; sid:2012883; rev:6; metadata:created_at 2011_05_27, updated_at 2011_05_27;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE ZeroAccess udp traffic detected"; content:"|9e 98|"; offset:6; depth:2; dsize:20; classtype:trojan-activity; sid:2015474; rev:2; metadata:created_at 2012_07_14, updated_at 2012_07_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Client Checkin"; flow:to_server,established; content:"|00 00 00 18 01 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; classtype:command-and-control; sid:2014955; rev:2; metadata:created_at 2012_06_25, former_category MALWARE, updated_at 2012_06_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED RedKit - Landing Page Received - applet and 5digit jar"; flow:established,to_client; content:"<applet"; fast_pattern; content:".jar"; distance:0; pcre:"/\W[0-9]{5}\.jar/"; classtype:exploit-kit; sid:2014894; rev:4; metadata:created_at 2012_06_15, updated_at 2012_06_15;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Server Checkin"; flow:to_client,established; content:"|00 00 00 01 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00 01 00 01|"; distance:2; within:5; classtype:command-and-control; sid:2014956; rev:1; metadata:created_at 2012_06_26, former_category MALWARE, updated_at 2012_06_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lccwpflcdjrdfjib.ru"; flow:established,to_server; content:"|3a| lccwpflcdjrdfjib.ru|0D 0A|"; http_header; fast_pattern:only; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015182; rev:5; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Client Idle"; flow:to_server,established; content:"|00 00 00 02 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00|"; distance:3; within:2; content:"|00|"; distance:1; within:1; classtype:trojan-activity; sid:2014957; rev:1; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Paymilon-A HTTP POST"; flow:established,to_server; content:"POST http|3a|//"; depth:12; content:"C|3a|\\"; distance:0; nocase; content:".exe|00 00|"; distance:0; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/malpaymilona.html; reference:url,doc.emergingthreats.net/2010918; classtype:trojan-activity; sid:2010918; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Server Idle"; flow:to_client,established; content:"|00 00 00 01 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00 1f 00 1f|"; distance:2; within:5; classtype:trojan-activity; sid:2014958; rev:1; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NuclearPack - Landing Page Received - applet archive=32CharHex"; flow:established,to_client; content:"<applet"; content:"archive=|22|"; pcre:"/^\?[a-f0-9]{32}\" /R"; classtype:exploit-kit; sid:2014915; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Base64 - Java Exploit Requested - /1Digit"; flow:established,to_server; urilen:2; content:" Java/1"; http_header; pcre:"/^\/[0-9]$/U"; classtype:trojan-activity; sid:2014959; rev:2; metadata:created_at 2012_06_26, former_category CURRENT_EVENTS, updated_at 2012_06_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS sgrunt Dialer User Agent (sgrunt)"; flow:to_server,established; content:"sgrunt"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+sgrunt/Hi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347; reference:url,doc.emergingthreats.net/2003385; classtype:trojan-activity; sid:2003385; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Base64 - Landing Page Received - base64encode(GetOs()"; flow:established,to_client; content:"base64encode(GetOs()"; classtype:trojan-activity; sid:2014960; rev:2; metadata:created_at 2012_06_26, former_category CURRENT_EVENTS, updated_at 2012_06_26;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET MALWARE Delfsnif/Buzus.fte Remote Response"; flow:established,from_server; dsize:9; content:"|05 00 00 00|"; depth:4; content:"|cd|"; distance:4; within:1; reference:url,www.threatexpert.com/threats/virtool-win32-delfsnif-gen.html; reference:url,doc.emergingthreats.net/2009079; classtype:trojan-activity; sid:2009079; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Scar CnC Checkin"; flow:established,to_server; content:"/yeni_urunler.php?hdd="; http_uri; reference:md5,b345634df53511c7195d661ac755b320; classtype:command-and-control; sid:2014961; rev:2; metadata:created_at 2012_06_26, former_category MALWARE, updated_at 2012_06_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d Malware Network Compromised Redirect (comments 1)"; flow:established,to_client; file_data; content:"#c3284d#"; distance:0; content:"#/c3284d#"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015051; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FoxxySoftware - Landing Page Received - foxxysoftware"; flow:established,to_client; content:"|7C|foxxysoftware|7C|"; classtype:trojan-activity; sid:2014935; rev:4; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2012_06_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d Malware Network Compromised Redirect (comments 2)"; flow:established,to_client; file_data; content:"<!--c3284d-->"; distance:0; content:"<!--/c3284d-->"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015052; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible OneDrive (storage.msn .com)"; flow:established,to_client; dsize:>19; content:"|16 03 01|"; depth:3; content:".storage.msn.com"; nocase; distance:0; reference:url,skydrive.live.com; classtype:policy-violation; sid:2014919; rev:3; metadata:created_at 2012_06_19, former_category POLICY, updated_at 2012_06_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER XML-RPC for PHP Remote Code Injection"; flow:established,to_server; content:"POST"; nocase; http_method; content:"xmlrpc.php"; http_uri; content:"methodCall"; http_client_body; nocase; pcre:"/>.*?\'\s*?\)\s*?\)*?\s*?\;/PR"; reference:url,www.securityfocus.com/bid/14088/exploit; reference:cve,2005-1921; reference:url,doc.emergingthreats.net/bin/view/Main/2002158; classtype:web-application-attack; sid:2002158; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible OneDrive (storage.live .com)"; flow:established,to_client; dsize:>20; content:"|16 03 01|"; depth:3; content:".storage.live.com"; nocase; reference:url,skydrive.live.com; classtype:policy-violation; sid:2014920; rev:3; metadata:created_at 2012_06_19, former_category POLICY, updated_at 2012_06_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/OnlineGame.DaGame Variant CnC Checkin"; flow:established,to_server; content:"/logexp.php?aid="; http_uri; content:"&pid="; http_uri; content:"&kind="; http_uri; pcre:"/User\x2DAgent\x3A\x20[a-f0-9]{5,14}\x0D\x0A/H"; classtype:command-and-control; sid:2015489; rev:2; metadata:created_at 2012_07_20, former_category MALWARE, updated_at 2012_07_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Unknown - Java Exploit Requested - 13-14Alpha.jar"; flow:established,to_server; urilen:16<>19; content:".jar"; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/^\/[a-z]{13,14}\.jar$/U"; classtype:trojan-activity; sid:2014969; rev:2; metadata:created_at 2012_06_26, former_category CURRENT_EVENTS, updated_at 2012_06_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible beSTORM ActiveX (WinGraphviz.dll) Remote Heap Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"684811FB-0523-420F-9E8F-A5452C65A19C"; nocase; distance:0; content:"ToSvg"; nocase; distance:0; reference:url,exploit-db.com/exploits/19861/; classtype:attempted-user; sid:2015490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website"; flow:established,to_client; content:"setAttribute|28 22|src|22|, |22|http|3A|//|22| + "; nocase; content:"+ |22|/runforestrun?sid="; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014970; rev:3; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible CA BrightStor ARCserve Backup ActiveX AddColumn Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3"; nocase; distance:0; content:"AddColumn"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82950/CA-BrightStor-ARCserve-Backup-AddColumn-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015491; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Googlebot UA POST to /uploadify.php"; flow:established,to_server; content:"POST"; http_method; content:"/uploadify.php"; http_uri; nocase; fast_pattern; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| Googlebot/2.1|3b|"; http_header; reference:url,blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html; classtype:attempted-recon; sid:2014982; rev:2; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible CommuniCrypt Mail SMTP ActiveX AddAttachments Method Access Stack Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"F8D07B72-B4B4-46A0-ACC0-C771D4614B82"; nocase; distance:0; content:"AddAttachments"; nocase; distance:0; reference:url,packetstormsecurity.org/files/89856/CommuniCrypt-Mail-1.16-SMTP-ActiveX-Stack-Buffer-Overflow.html; classtype:attempted-user; sid:2015493; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Landing Page Requested - /*.php?*=16HexChar"; flow:established,to_server; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; urilen:23<>60; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,10}=[a-f0-9]{16}$/U"; pcre:"/[0-9]{1,16}[a-f]{1,16}[0-9]{1,16}$/U"; classtype:trojan-activity; sid:2014973; rev:18; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible CA BrightStor ARCserve Backup ActiveX AddColumn Method Access Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ListCtrl.ocx"; fast_pattern; nocase; distance:0; content:"AddColumn"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82950/CA-BrightStor-ARCserve-Backup-AddColumn-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015492; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SonciWALL Aventail AuthCredential Format String Exploit 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Aventail.EPInterrogator.10.0.4.018"; nocase; distance:0; content:"AuthCredential"; nocase; distance:0; reference:url,packetstormsecurity.org/files/92931/SonciWALL-Aventail-epi.dll-AuthCredential-Format-String-Exploit.html; classtype:attempted-user; sid:2014991; rev:3; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox - ProxyBotCommand - I_AM"; flow:established,to_server; content:"I_AM|0D 0A|"; depth:6; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015510; rev:2; metadata:created_at 2012_07_21, updated_at 2012_07_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SonciWALL Aventail AuthCredential Format String Exploit"; flow:to_client,established; content:"CLSID"; nocase; content:"2A1BE1E7-C550-4D67-A553-7F2D3A39233D"; nocase; distance:0; content:"AuthCredential"; nocase; distance:0; reference:url,packetstormsecurity.org/files/92931/SonciWALL-Aventail-epi.dll-AuthCredential-Format-String-Exploit.html; classtype:attempted-user; sid:2014992; rev:3; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ProxyBox - ProxyBotCommand - FORCE_AUTHENTICATION*"; flow:established,to_client; content:"FORCE_AUTHENTICATION_"; depth:21; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015511; rev:2; metadata:created_at 2012_07_21, updated_at 2012_07_21;)
 
-#alert icmp any any -> any any (msg:"ET DOS Microsoft Windows 7 ICMPv6 Router Advertisement Flood"; itype:134; icode:0; byte_test:1,&,0x08,2; content:"|03|"; offset:20; depth:1; byte_test:1,&,0x40,2,relative; byte_test:1,&,0x80,2,relative; threshold:type threshold, track by_src, count 10, seconds 1; reference:url,www.samsclass.info/ipv6/proj/proj8x-124-flood-router.htm; classtype:attempted-dos; sid:2014996; rev:3; metadata:created_at 2012_07_02, updated_at 2012_07_02;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox -ProxyBotCommand - CHECK_ME"; flow:established,to_server; content:"CHECK_ME|0D 0A|Port|3a| "; depth:16; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015502; rev:2; metadata:created_at 2012_07_21, updated_at 2012_07_21;)
 
-#alert tcp [184.154.42.194,50.116.22.209,69.64.43.135,69.64.43.137,69.64.43.142,216.17.107.104,216.17.102.194,216.17.106.90,216.17.107.174,64.6.100.124,46.17.98.214] any -> $HOME_NET any (msg:"ET SCAN critical.io Scan"; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,critical.io/; classtype:network-scan; sid:2014893; rev:5; metadata:created_at 2012_06_14, updated_at 2012_06_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Oracle AutoVue ActiveX SetMarkupMode Method Access Remote Code Execution"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AutoVueX.ocx"; fast_pattern; nocase; distance:0; content:"SetMarkupMode"; nocase; distance:0; reference:url,packetstormsecurity.org/files/114364/Oracle-AutoVue-ActiveX-SetMarkupMode-Remote-Code-Execution.html; classtype:attempted-user; sid:2015465; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Compressed Executable SZDD Compress.exe Format Over HTTP"; flow:established,to_client; content:"|0d 0a 0d 0a|SZDD"; content:"PE|00 00|"; distance:0; reference:url,blog.fireeye.com/research/2012/07/inside-customized-threat.html#more; reference:url,www.cabextract.org.uk/libmspack/doc/szdd_kwaj_format.html; classtype:bad-unknown; sid:2015004; rev:3; metadata:created_at 2012_07_03, updated_at 2012_07_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SaschArt SasCam Webcam Server ActiveX Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"XHTTP.HTTP"; fast_pattern; nocase; distance:0; content:"Head"; nocase; reference:url,exploit-db.com/exploits/14215/; reference:bugtraq,41343; reference:url,doc.emergingthreats.net/2011208; classtype:attempted-user; sid:2011208; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET INFO FTP STOR to External Network"; flow:established,to_server; content:"STOR "; depth:5; classtype:misc-activity; sid:2015016; rev:2; metadata:created_at 2012_07_04, updated_at 2012_07_04;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; distance:0; nocase; http_uri; content:"INSERT"; nocase; http_uri; distance:0; content:"INTO"; nocase; http_uri; distance:0; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005526; classtype:web-application-attack; sid:2005526; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/OnlineGames User Agent loadMM"; flow:established,to_server; content:"User-Agent|3A| loadMM|0D 0A|"; http_header; reference:md5,60763078b8860fd59a1d8bea2bf8900b; classtype:pup-activity; sid:2015018; rev:2; metadata:created_at 2012_07_04, former_category ADWARE_PUP, updated_at 2012_07_04;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; nocase; distance:0; http_uri; content:"SELECT"; http_uri; nocase; distance:0; content:"FROM"; http_uri; nocase; distance:0; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004492; classtype:web-application-attack; sid:2004492; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zusy Gettime Checkin"; flow:established,to_server; content:"/gettime.html?"; fast_pattern; http_uri; content:"HTTP/1.0"; http_header; content:"If-None-Match|3A 20|"; http_header; reference:md5,a152772516cef409ddd58f90917a3b44; classtype:command-and-control; sid:2015022; rev:2; metadata:created_at 2012_07_04, former_category MALWARE, updated_at 2012_07_04;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit nsswitch.conf Upload"; flow:established,to_server; content:"STOR "; content:"nsswitch.conf|0d 0a|"; distance:0; pcre:"/^\s*?STOR\s+[^\r\n]*?nsswitch\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015514; rev:2; metadata:created_at 2012_07_24, updated_at 2012_07_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pushbot User-Agent"; flow:to_server,established; content:"User-Agent|3A 20|cvc_v105"; fast_pattern:only; http_header; reference:url,www.cert.pl/news/5587/langswitch_lang/en; classtype:trojan-activity; sid:2015002; rev:6; metadata:created_at 2012_07_03, updated_at 2012_07_03;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific config files upload"; flow:established,to_server; content:"STOR "; content:".conf|0d 0a|"; distance:0; fast_pattern; pcre:"/^\s*?STOR\s+[^\r\n]*?\x2f(tgt|trace|rbp(c|p))\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015513; rev:3; metadata:created_at 2012_07_24, updated_at 2012_07_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pushbot server response"; flow:to_client,established; content:"|0d 0a 0d 0a|ZG%|20|!GX"; reference:url,www.cert.pl/news/5587/langswitch_lang/en; classtype:trojan-activity; sid:2015003; rev:4; metadata:created_at 2012_07_03, updated_at 2012_07_03;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific (CHMOD 777)"; flow:established,to_server; content:"SITE CHMOD 777 NONEXISTANT"; depth:26; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015515; rev:2; metadata:created_at 2012_07_24, updated_at 2012_07_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Incognito - Malicious PDF Requested - /getfile.php"; flow:established,to_server; content:"/getfile.php?i="; http_uri; content:"&key="; http_uri; content:!" Java/1"; http_header; classtype:trojan-activity; sid:2015024; rev:1; metadata:created_at 2012_07_04, former_category CURRENT_EVENTS, updated_at 2012_07_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit PluginDetect Rename Saigon"; flow:established,from_server; content:"var Saigon={version|3a 22|"; classtype:exploit-kit; sid:2015516; rev:3; metadata:created_at 2012_07_24, former_category CURRENT_EVENTS, updated_at 2012_07_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack exploit pack /mix/ Java exploit"; flow:established,to_server; content:"/mix/"; http_uri; depth:5; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015010; rev:3; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2012_07_03;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Msnbot Crawl"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"msnbot"; nocase; http_header; distance:0; threshold: type both, track by_src, count 10, seconds 60; reference:url,search.msn.com/msnbot.htm; reference:url,doc.emergingthreats.net/2002831; classtype:attempted-recon; sid:2002831; rev:9; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Rational ClearQuest Activex Control RegisterSchemaRepoFromFileByDbSet Insecure Method Access"; flow:to_client,established; content:"CLSID"; nocase; content:"88DD90B6-C770-4CFF-B7A4-3AFD16BB8824"; nocase; distance:0; content:"RegisterSchemaRepoFromFileByDbSet"; nocase; distance:0; reference:url,11337day.com/exploits/18917; classtype:attempted-user; sid:2015032; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pakes2 - Server Hello"; flow:established,to_client; dsize:11; content:"|01 00 01 ae 84 e3 aa 1f 90|"; offset:2; depth:9; classtype:trojan-activity; sid:2015521; rev:2; metadata:created_at 2012_07_25, updated_at 2012_07_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Crystal Reports Viewer Activex Control ServerResourceVersion Insecure Method Access"; flow:to_client,established; content:"CLSID"; nocase; content:"88DD90B6-C770-4CFF-B7A4-3AFD16BB8824"; nocase; distance:0; content:"ServerResourceVersion"; nocase; distance:0; reference:url,1337day.com/exploits/15098; classtype:attempted-user; sid:2015036; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d Malware Network Compromised Redirect (comments 3)"; flow:established,from_server; file_data; content:"/*c3284d*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2015524; rev:2; metadata:created_at 2012_07_25, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Crystal Reports Viewer Activex Control ServerResourceVersion Insecure Method Access 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"CrystalPrintControlLib.CrystalPrintControl"; nocase; distance:0; content:"ServerResourceVersion"; nocase; distance:0; reference:url,1337day.com/exploits/15098; classtype:attempted-user; sid:2015037; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS JS.Runfore Malware Campaign Request"; flow:established,to_server; content:"/runforestrun?"; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014971; rev:3; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack - 32Char.php by Java Client"; flow:established,to_server; urilen:52<>130; content:".php?"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z]{1,10}\/[a-z0-9]{32}\.php\?/U"; classtype:exploit-kit; sid:2015042; rev:2; metadata:created_at 2012_07_07, former_category CURRENT_EVENTS, updated_at 2012_07_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Generic - ProxyJudge Reverse Proxy Scoring Activity"; flow:established,to_client; file_data; content:"ProxyJudge V"; nocase; classtype:trojan-activity; sid:2015532; rev:2; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Monkif CnC response in fake JPEG"; flow:established,from_server; content:"|0d 0a 0d 0a ff d8 ff e0|"; content:"JFIF|00 01 01|"; distance:2; content:"lppt>++"; fast_pattern; within:50; content:"bm|60|95"; distance:0; content:"|7c|0"; distance:0; reference:url,2009.brucon.org/material/Julia_Wolf_Brucon_final.pdf; reference:url,research.zscaler.com/2010/03/trojan-monkif-is-still-active-and.html; reference:url,blogs.mcafee.com/mcafee-labs/monkif-botnet-hides-commands-in-jpegs; classtype:command-and-control; sid:2012507; rev:5; metadata:created_at 2011_03_15, former_category MALWARE, updated_at 2011_03_15;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:2100272; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.MWGuide keepalive"; flow:established,to_server; content:"/alive.php?aff_id="; http_uri; reference:url,doc.emergingthreats.net/2008840; classtype:pup-activity; sid:2008840; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:2100268; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.MWGuide checkin"; flow:established,to_server; content:"/sidebar_load.php?maddr="; http_uri; content:"ipaddr="; http_uri; content:"aff_id="; http_uri; reference:url,doc.emergingthreats.net/2008839; classtype:pup-activity; sid:2008839; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101420; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Proxy Connection detected"; flow:established; content:"Proxy-Connection|3a| "; http_header; reference:url,doc.emergingthreats.net/2001449; classtype:attempted-user; sid:2001449; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"GPL SNMP community string buffer overflow attempt with evasion"; content:" |04 82 01 00|"; depth:5; offset:7; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:2101422; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Spambot getting new exe url"; flow:established,to_server; content:"404.txt"; nocase; http_uri; content:"404"; content:!"User-Agent|3a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002989; classtype:trojan-activity; sid:2002989; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"GPL SMTP SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; depth:70; reference:arachnids,249; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:2100567; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Payload Requested - 32AlphaNum?s=1 Java Request"; flow:established,to_server; urilen:37; content:"?s=1"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z0-9]{32}\?s=1$/Ui"; classtype:trojan-activity; sid:2015055; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"GPL SMTP OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"filename"; distance:0; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:2100721; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Incognito - Java Exploit Requested - /gotit.php by Java Client"; flow:established,to_server; content:"/gotit.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015030; rev:3; metadata:created_at 2012_07_07, former_category CURRENT_EVENTS, updated_at 2012_07_07;)
+#alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"GPL DELETED sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; reference:arachnids,140; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:2100655; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito - Payload Request - /load.php by Java Client"; flow:established,to_server; content:"/load.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015031; rev:3; metadata:created_at 2012_07_07, updated_at 2012_07_07;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; reference:arachnids,372; classtype:protocol-command-decode; sid:2100631; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Try Prototype Catch June 11 2012"; flow:from_server,established; content:"try{"; content:"=prototype"; within:25; content:"|3b|}catch("; within:15; classtype:bad-unknown; sid:2014888; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn *@"; flow:to_server,established; content:"expn"; nocase; content:"*@"; pcre:"/^expn\s+\*@/smi"; reference:cve,1999-1200; classtype:misc-attack; sid:2101450; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 5250 (msg:"ET DELETED MISC Computer Associates Negative Content-Length Buffer Overflow"; flow:established,to_server; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:bugtraq,16354; reference:cve,2005-3653; reference:url,doc.emergingthreats.net/bin/view/Main/2002791; classtype:web-application-attack; sid:2002791; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; reference:arachnids,371; classtype:protocol-command-decode; sid:2100632; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito/RedKit Exploit Kit vulnerable Java payload request to /1digit.html"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; urilen:7; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]\.html$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014750; rev:2; metadata:created_at 2012_05_14, former_category EXPLOIT_KIT, updated_at 2012_05_14;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; nocase; pcre:"/^expn\s+decode/smi"; reference:arachnids,32; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:2100659; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT ttdbserv Solaris overflow"; dsize:>999; flow:to_server,established; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:2100571; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; fast_pattern; distance:0; nocase; pcre:"/^expn\s+root/smi"; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; classtype:attempted-recon; sid:2100660; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fmacqvmqafqwmebl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fmacqvmqafqwmebl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015287; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; reference:arachnids,373; reference:bugtraq,10248; reference:cve,1999-0096; classtype:attempted-recon; sid:2100672; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hrpgglxvqwjesffr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hrpgglxvqwjesffr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015288; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; classtype:attempted-recon; sid:2101446; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rxbkqfydlnzopqrn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rxbkqfydlnzopqrn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015289; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL EXPLOIT EXPLOIT statdx"; flow:to_server,established; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:2100600; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tdsorylshsxjeawf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tdsorylshsxjeawf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015290; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_adduser database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:2100679; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain elfxqghdubihhsgd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|elfxqghdubihhsgd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015291; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:2100676; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gqtcxunxhyujqjkf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gqtcxunxhyujqjkf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015292; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; reference:bugtraq,1204; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:2100695; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qxggipnnfmnihkic.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qxggipnnfmnihkic|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015293; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL EXPLOIT xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2100687; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sdxkjaophbtufumx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sdxkjaophbtufumx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015294; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"GPL EXPLOIT login buffer non-evasive overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:2103274; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain clkujrjqvexvbmoi.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|clkujrjqvexvbmoi|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015295; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT formmail access"; flow:to_server,established; content:"/formmail"; nocase; http_uri; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-activity; sid:2100884; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fqyyxagzkrpvxtki.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fqyyxagzkrpvxtki|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015296; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"GPL SNMP SNMP community string buffer overflow attempt"; content:"|02 01 00 04 82 01 00|"; offset:4; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:2101409; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain owldagkyzrkhqnjo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|owldagkyzrkhqnjo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015297; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP invalid identification payload attempt"; content:"|05|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2102486; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rccjvgsgffokiwze.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rccjvgsgffokiwze|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015298; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102380; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain blorcdyiipxcwyxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|blorcdyiipxcwyxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015299; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102376; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dpewaddpoewiycnj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dpewaddpoewiycnj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015300; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102379; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nwpykqeizraqthry.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nwpykqeizraqthry|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015301; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102414; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pchgijctfprxhnje.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pchgijctfprxhnje|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015302; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102377; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zisiiogqigzzqqeq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zisiiogqigzzqqeq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015303; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102415; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cpittmwbqtjrjpql.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cpittmwbqtjrjpql|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015304; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:2100319; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mvuvchtcxxibeubd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mvuvchtcxxibeubd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015305; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT tftp command attempt"; flow:to_server,established; content:"tftp%20"; nocase; classtype:web-application-attack; sid:2101340; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain oblcasnhxbbocpfj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|oblcasnhxbbocpfj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015306; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100982; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xixftoplsduqqorx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xixftoplsduqqorx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015307; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT php.cgi access"; flow:to_server,established; content:"/php.cgi"; nocase; http_uri; reference:arachnids,232; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0238; reference:cve,1999-058; reference:nessus,10178; classtype:attempted-recon; sid:2100824; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bpnqmxkpxxgbdnby.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bpnqmxkpxxgbdnby|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015308; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert ip any any -> any any (msg:"GPL EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102464; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kvzstpqmeoxtcwko.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kvzstpqmeoxtcwko|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015309; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102462; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nbqypqrjiqxlfvdj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nbqypqrjiqxlfvdj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015310; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102463; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain whddmvrxufbkkoew.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|whddmvrxufbkkoew|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015311; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED evaluate.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/evaluate.cfm"; nocase; http_uri; reference:bugtraq,550; classtype:attempted-recon; sid:2100915; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ymrhcvphevonympo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ymrhcvphevonympo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015312; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute"; flow:to_client,established; content:"CLSID"; nocase; content:"3356DB7C-58A7-11D4-AA5C-006097314BF8"; nocase; distance:0; content:"installAppMgr"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82969/Symantec-AppStream-LaunchObj-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015537; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_27, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jveqgnmjxkocqifr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jveqgnmjxkocqifr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015313; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible WinZip FileView ActiveX CreateNewFolderFromName Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"A09AE68F-B14D-43ED-B713-BA413F034904"; nocase; distance:0; content:"CreateNewFolderFromName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83024/WinZip-FileView-WZFILEVIEW.FileViewCtrl.61-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_27, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lavvckpordclbduy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lavvckpordclbduy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015314; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"WZFILEVIEW.FileViewCtrl.61"; nocase; distance:0; content:"CreateNewFolderFromName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83024/WinZip-FileView-WZFILEVIEW.FileViewCtrl.61-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_27, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vhhzcvbegxbjsxke.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vhhzcvbegxbjsxke|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015315; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT Tomcat server exploit access"; flow:to_server,established; content:"/contextAdmin/contextAdmin.html"; nocase; http_uri; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:2101111; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xmwettbvtbhvrjuo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xmwettbvtbhvrjuo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015316; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"GPL EXPLOIT x86 Linux mountd overflow"; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:2100315; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iujniiokeyjbmerc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iujniiokeyjbmerc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015317; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; nocase; classtype:web-application-attack; sid:2101061; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kzxrowftdocgyghs.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kzxrowftdocgyghs|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015318; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; nocase; classtype:web-application-attack; sid:2101058; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gacdiuwnhonuulpe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gacdiuwnhonuulpe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015319; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; nocase; classtype:web-application-attack; sid:2101059; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ifrhgnqeeotnzrmz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ifrhgnqeeotnzrmz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015320; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_regread attempt"; flow:to_server,established; content:"xp_regread"; nocase; classtype:web-application-activity; sid:2101069; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rmdlgyreitjsjkfq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rmdlgyreitjsjkfq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015321; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"GPL EXPLOIT AIX pdnsd overflow"; flow:to_server,established; dsize:>1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:2101261; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uqspvdwyltgcyhft.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uqspvdwyltgcyhft|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015322; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"GPL DELETED Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; reference:arachnids,180; reference:bugtraq,908; reference:cve,1999-0744; classtype:attempted-recon; sid:2101132; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ezfydrexncoidbus.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ezfydrexncoidbus|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015323; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL EXPLOIT rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,390; classtype:attempted-user; sid:2100607; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hfveiooumeyrpchg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hfveiooumeyrpchg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015324; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"GPL EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:2100302; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qlihxnncwioxkdls.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qlihxnncwioxkdls|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015325; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"GPL EXPLOIT CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; reference:bugtraq,3517; reference:cve,2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:2101398; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sqwlonyduvpowdgy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sqwlonyduvpowdgy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015326; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"GPL DELETED SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:2100304; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dyjvewshptsboygd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dyjvewshptsboygd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015327; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 81: (msg:"ET MALWARE Turkojan C&C Info Command Response (MINFO)"; flow:established,to_server; dsize:<100; content:"MINFO|7c|"; depth:6; reference:url,doc.emergingthreats.net/2008023; classtype:command-and-control; sid:2008023; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain febcbuyswmishvpl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|febcbuyswmishvpl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015328; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET 81: -> $HOME_NET any (msg:"ET MALWARE Turkojan C&C Info Command (MINFO)"; flow:established,from_server; dsize:5; content:"MINFO"; reference:url,doc.emergingthreats.net/2008022; classtype:command-and-control; sid:2008022; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain plmekaayiholtevt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|plmekaayiholtevt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015329; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; reference:bugtraq,9237; classtype:bad-unknown; sid:2101229; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rpckbgrziwbdrmhr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rpckbgrziwbdrmhr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015330; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; reference:arachnids,318; reference:cve,1999-0082; classtype:bad-unknown; sid:2100336; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cyosongjihugkjbg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cyosongjihugkjbg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015331; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:100,relative; pcre:"/^NLST\s[^\n]{100}/smi"; reference:bugtraq,10184; reference:bugtraq,7909; reference:bugtraq,9675; reference:cve,1999-1544; classtype:attempted-admin; sid:2102374; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eefysywrvkgxuqdf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eefysywrvkgxuqdf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015332; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP PORT bounce attempt"; flow:to_server,established; content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; classtype:misc-attack; sid:2103441; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nkrbvqxzfwicmhwb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nkrbvqxzfwicmhwb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015333; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP REST with numeric argument"; flow:to_server,established; content:"REST"; nocase; pcre:"/REST\s+[0-9]+\n/i"; reference:bugtraq,7825; classtype:attempted-recon; sid:2103460; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qphhsudsmeftdaht.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qphhsudsmeftdaht|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015334; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RETR overflow attempt"; flow:to_server,established; content:"RETR"; nocase; isdataat:100,relative; pcre:"/^RETR\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; reference:cve,2004-0287; reference:cve,2004-0298; classtype:attempted-admin; sid:2102392; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain axtopsbtntqnfdyk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|axtopsbtntqnfdyk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015335; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNFR overflow attempt"; flow:to_server,established; content:"RNFR"; nocase; isdataat:100,relative; pcre:"/^RNFR\s[^\n]{100}/smi"; classtype:attempted-admin; sid:2103077; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ddkudnuklgiwtdyw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ddkudnuklgiwtdyw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015336; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:100,relative; pcre:"/^RNTO\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021; reference:cve,2003-0466; classtype:attempted-admin; sid:2102389; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mkwwclogcvgeekws.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mkwwclogcvgeekws|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015337; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:100,relative; pcre:"/^STAT\s[^\n]{100}/smi"; reference:bugtraq,3507; reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:2101379; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain opldkflyvlkywuec.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|opldkflyvlkywuec|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015338; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STOU overflow attempt"; flow:to_server,established; content:"STOU"; nocase; isdataat:100,relative; pcre:"/^STOU\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2102390; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yvxfekhokspfuwqr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yvxfekhokspfuwqr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015339; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:100,relative; pcre:"/^XMKD\s[^\n]{100}/smi"; reference:bugtraq,7909; reference:cve,2000-0133; reference:cve,2001-1021; classtype:attempted-admin; sid:2102373; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bdprvpxdejpohqpt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bdprvpxdejpohqpt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015340; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP format string attempt"; flow:to_server,established; content:"%"; fast_pattern:only; pcre:"/\s+.*?%.*?%/smi"; classtype:string-detect; sid:2102417; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ljbvfrsvcevyfhor.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ljbvfrsvcevyfhor|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015341; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP format string attempt"; flow:to_server,established; content:"%p"; nocase; reference:nessus,10452; reference:bugtraq,1387; reference:bugtraq,2240; reference:bugtraq,726; reference:cve,2000-0573; reference:cve,1999-0997; classtype:attempted-admin; sid:2101530; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain noqzuukouyfuyrmd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|noqzuukouyfuyrmd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015342; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:2100356; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xvcewyydwsmdgaju.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xvcewyydwsmdgaju|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015343; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL FTP FTP Bad login"; flow:from_server,established; content:"530 "; depth:4; pcre:"/^530\s+(Login|User)/smi"; classtype:bad-unknown; sid:2100491; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zatiscwwtipqlycd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zatiscwwtipqlycd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015344; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP no password"; flow:from_client,established; content:"PASS"; nocase; pcre:"/^PASS\s*\n/smi"; reference:arachnids,322; classtype:unknown; sid:2100489; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jjgshrjdcynohyuk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jjgshrjdcynohyuk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015345; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP MKD / possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:2100554; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mouwwvcwwlilnxub.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mouwwvcwwlilnxub|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015346; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP anonymous ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:" ftp|0D 0A|"; nocase; classtype:misc-activity; sid:2101449; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vuhaojpwxgsxuitu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vuhaojpwxgsxuitu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015347; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; classtype:suspicious-filename-detect; sid:2101445; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yayfefhrwawquwcw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yayfefhrwawquwcw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015348; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 7787 (msg:"GPL GAMES Unreal Tournament secure overflow attempt"; content:"|5C|secure|5C|"; nocase; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:2103080; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iiloishkjwvqldlq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iiloishkjwvqldlq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015349; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED Inbound GNUTella client request"; flags:A+; flow:established; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:2100559; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain knauycqgsdhgbwjo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|knauycqgsdhgbwjo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015350; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:2100557; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uumwyzhctrwdsrdp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uumwyzhctrwdsrdp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015351; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:2101432; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wzbdwenwshfzglwt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wzbdwenwshfzglwt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015352; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; classtype:policy-violation; sid:2100556; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hiplksflttfkpsxn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hiplksflttfkpsxn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015353; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED Outbound GNUTella client request"; flow:established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:2100558; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jnfrqmekhoevppvw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jnfrqmekhoevppvw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015354; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:2100560; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ttqtkmthptxvwiku.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ttqtkmthptxvwiku|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015355; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"GPL POLICY AFS access"; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; fast_pattern:only; reference:nessus,10441; classtype:misc-activity; sid:2101504; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vygzhvfiuommkqfj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vygzhvfiuommkqfj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015356; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY Windows Media download"; flow:from_server,established; content:"Content-Type|3A|"; nocase; http_header; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/Hi"; classtype:policy-violation; sid:2101437; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fhuidtlqttqxgjvn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fhuidtlqttqxgjvn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015357; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"GPL POLICY PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:2100507; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain imjosxuhbcdonrco.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|imjosxuhbcdonrco|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015358; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:2103153; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rtvqcdpbqxgwnrcn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rtvqcdpbqxgwnrcn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015359; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:2100255; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tykvyflnjhbnqpnr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tykvyflnjhbnqpnr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015360; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; classtype:bad-unknown; sid:2100253; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ehyewyqydfpidbdp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ehyewyqydfpidbdp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015361; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:2101435; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gmokuosvnbkshdtd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gmokuosvnbkshdtd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015362; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:2100261; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qsbourrdxgxgwepy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qsbourrdxgxgwepy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015363; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100259; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sxpskxdgoczvcjgp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sxpskxdgoczvcjgp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015364; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response with TTL of 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:2100254; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dhedppigtpbwrmpc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dhedppigtpbwrmpc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015365; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100258; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain flthmyjeuhdygshf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|flthmyjeuhdygshf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015366; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP private access tcp"; flow:to_server,established; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101414; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain osflhkaowydftniw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|osflhkaowydftniw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015367; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access tcp"; flow:to_server,established; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101412; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rxupwhkznihnxzqx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rxupwhkznihnxzqx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015368; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP Location overflow"; content:"Location|3A|"; nocase; isdataat:128,relative; pcre:"/^Location\x3a[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:2101388; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bgjzhlasdrwwnenj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bgjzhlasdrwwnenj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015369; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:2101384; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain elxegvkalqvkyoxc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|elxegvkalqvkyoxc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015370; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"GPL MISC squid WCCP I_SEE_YOU message overflow attempt"; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:2103089; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nrkhysgoltauclop.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nrkhysgoltauclop|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015371; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"GPL MISC rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; reference:bugtraq,3474; reference:cve,2001-0838; classtype:misc-attack; sid:2101323; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pwyloytoagndnrex.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pwyloytoagndnrex|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015372; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; nocase; isdataat:21,relative; pcre:"/^newgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102430; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zenquqdskekaudbe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zenquqdskekaudbe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015373; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; reference:arachnids,388; classtype:attempted-user; sid:2100608; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cldcrgtnuwvgnbfd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cldcrgtnuwvgnbfd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015374; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL DELETED Cassandra Overflow"; dsize:>512; flow:to_server,established; content:"AUTHINFO USER"; depth:16; nocase; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-user; sid:2100291; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mroeqjdaukskbgua.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mroeqjdaukskbgua|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015375; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP XPAT pattern overflow attempt"; flow:to_server,established; content:"PAT"; nocase; isdataat:1024,relative; pcre:"/^X?PAT\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:2102927; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain owekhoeuhmdiehrw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|owekhoeuhmdiehrw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015376; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"GPL MISC Connection Closed MSG from Port 80"; flow:from_server,established; content:"Connection closed by foreign host"; nocase; classtype:unknown; sid:2100488; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ydrngsmrdiiyvoiy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ydrngsmrdiiyvoiy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015377; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:2100270; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bkhyiqitpoxewhmt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bkhyiqitpoxewhmt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015378; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:2101321; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain krtbityuhlewigfe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|krtbityuhlewigfe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015379; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; nocase; pcre:"/^sendsys\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102424; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nvjgyermzsmynaeq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nvjgyermzsmynaeq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015380; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:2100502; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jwkpdxqbemsmclal.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jwkpdxqbemsmclal|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015381; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"GPL MISC ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:2100616; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lccwpflcdjrdfjib.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lccwpflcdjrdfjib|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015382; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP article post without path attempt"; flow:to_server,established; content:"takethis"; nocase; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"; classtype:attempted-admin; sid:2102432; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uinyjmxfqinkxbda.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uinyjmxfqinkxbda|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015383; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; nocase; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102427; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xndfbivuonkxfxrq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xndfbivuonkxfxrq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015384; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; nocase; pcre:"/^ihave\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102428; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hvpmffxpfnlquqxo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hvpmffxpfnlquqxo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015385; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC Nntp rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; nocase; pcre:"/^rmgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102431; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kbgsbqjugdqrgtdw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kbgsbqjugdqrgtdw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015386; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme"; nocase; pcre:"/^sendme\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102429; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tisubmfvqrgnloxr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tisubmfvqrgnloxr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015387; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; nocase; pcre:"/^senduuname\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102425; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vmibswhnpqhqwyih.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vmibswhnpqhqwyih|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015388; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP version overflow attempt"; flow:to_server,established; content:"version"; nocase; pcre:"/^version\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102426; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gvujhzvjxwptrtdg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015389; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,384; classtype:attempted-user; sid:2100602; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iblpdiqdmmsbnuxb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015390; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; reference:arachnids,385; classtype:bad-unknown; sid:2100603; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain shxrsvasoncjnxpn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|shxrsvasoncjnxpn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015391; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,389; classtype:attempted-admin; sid:2100606; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ummxjwieppswcnrg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ummxjwieppswcnrg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015392; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:2100609; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fuyfrockpfclxccd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fuyfrockpfclxccd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015393; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,391; classtype:attempted-admin; sid:2100610; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain haqmuqqukywrcxfa.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|haqmuqqukywrcxfa|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015394; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN HTExploit Method"; flow:established,to_server; dsize:>6; content:"POTATO "; depth:7; reference:url,www.mkit.com.ar/labs/htexploit/download.php; classtype:trojan-activity; sid:2015552; rev:2; metadata:created_at 2012_07_31, updated_at 2012_07_31;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qhcplcuugevvyham.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qhcplcuugevvyham|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015395; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake-AV Conditional Redirect (Blackmuscats)"; flow:established,to_server; content:"/blackmuscats?"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/07/blackmuscats-conditional-redirections-to-faveav.html/; classtype:trojan-activity; sid:2015553; rev:3; metadata:created_at 2012_07_31, former_category CURRENT_EVENTS, updated_at 2012_07_31;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tmrtbcienxrbnsjc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tmrtbcienxrbnsjc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015396; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 2020search Update Engine"; flow: to_server,established; content:"POST"; depth: 4; nocase; content:"srng/reg.php HTTP"; within: 50; content:"|0d0a|Host|3a|"; content:"2020search.com"; within: 40; content:"IpAddr="; nocase; within: 100; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2004-03-04; reference:url,doc.emergingthreats.net/bin/view/Main/2000934; classtype:trojan-activity; sid:2000934; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dueebwwdllfburag.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dueebwwdllfburag|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015397; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SickleBot Reporting User Activity"; flow:established,to_server; content:"GET"; http_method; content:"id="; nocase; http_uri; content:"User-Agent|3a| SickleBot"; http_header; reference:url,doc.emergingthreats.net/2002776; classtype:trojan-activity; sid:2002776; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fzsirujgdbvabrjm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fzsirujgdbvabrjm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015398; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Downloader Generic - GET"; flow:established,to_server; content:"GET"; http_method; content:".php?mode="; nocase; http_uri; content:"&port="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&ltime="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009803; classtype:trojan-activity; sid:2009803; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pghnrmkoeoetfwsm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pghnrmkoeoetfwsm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015399; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tigger.a/Syzor Control Checkin"; flow:established,to_server; content:"/track.cgi"; http_uri; content:"POST"; depth:4; http_method; content:"u="; http_client_body; depth:2; content:"&t="; http_client_body; content:"&v="; http_client_body; content:"&f="; http_client_body; content:"&z="; http_client_body; reference:url,voices.washingtonpost.com/securityfix/2009/02/the_t-i-double-guh-r_trojan_ic.html?wprss=securityfix; reference:url,mnin.blogspot.com/2009/02/why-i-enjoyed-tiggersyzor.html; reference:url,doc.emergingthreats.net/2009096; classtype:command-and-control; sid:2009096; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rlvqmipovrqbmvqd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rlvqmipovrqbmvqd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015400; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tigger.a/Syzor Checkin"; flow:established,to_server; content:"POST"; depth:4; http_method; content:"/track.cgi"; http_uri; content:"u="; http_client_body; depth:2; content:"&t="; http_client_body; content:"&b="; http_client_body; content:"&v="; http_client_body; content:"&f="; http_client_body; reference:url,doc.emergingthreats.net/2009347; classtype:command-and-control; sid:2009347; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ctjbmgjudwisgshv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ctjbmgjudwisgshv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015401; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:2100623; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eyxejlabqaytqmjx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eyxejlabqaytqmjx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015402; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:2100625; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ogmjjmqdhlbyabzg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ogmjjmqdhlbyabzg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015403; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:2100626; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qlbpfyrupyadvjsl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qlbpfyrupyadvjsl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015404; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:2100627; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain atnwerhvttvbivra.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|atnwerhvttvbivra|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015405; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:2100628; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dydderasilekaegh.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dydderasilekaegh|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015406; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:2101228; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mfqfrnqllqcrayiw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mfqfrnqllqcrayiw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015407; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:2100629; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pkglwwwmjxokzzfq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pkglwwwmjxokzzfq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015408; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL SCAN sensepost.exe command shell attempt"; flow:to_server,established; content:"/sensepost.exe"; http_uri; nocase; reference:nessus,11003; classtype:web-application-activity; sid:2100989; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yrrnrgliojezjctg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yrrnrgliojezjctg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015409; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"GPL SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:2100613; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bxhzugppnulxghvm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bxhzugppnulxghvm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015410; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:2100624; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lfvcngdbzjrzgyby.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lfvcngdbzjrzgyby|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015411; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN rusers query UDP"; content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:cve,1999-0626; classtype:attempted-recon; sid:2100612; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nkkijjyioljbfysn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nkkijjyioljbfysn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015412; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00|`|00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:2100617; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gqortbbbsnksxpmm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gqortbbbsnksxpmm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015457; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NetGear router default password login attempt admin/password"; flow:to_server,established; content:"Authorization|3A|"; http_header; nocase; content:"YWRtaW46cGFzc3dvcmQ"; distance:0; http_header; pcre:"/^Authorization\x3a\s*Basic\s+YWRtaW46cGFzc3dvcmQ/Hi"; reference:nessus,11737; classtype:default-login-attempt; sid:2102230; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wicjgufeimlbmcus.ru Pseudo Random Domain";  content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wicjgufeimlbmcus|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015456; rev:2; metadata:created_at 2012_07_12, updated_at 2020_08_20;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:2101133; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xqwkdyjydkggsppd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xqwkdyjydkggsppd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015413; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:2101139; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tdndpphrtyniynvz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tdndpphrtyniynvz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015455; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL SCAN cybercop scan"; flow:to_server,established; content:"/cybercop"; http_uri; nocase; reference:arachnids,374; classtype:web-application-activity; sid:2101099; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain axmvnmubgwlmqfrp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|axmvnmubgwlmqfrp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015414; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GPL SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; reference:arachnids,146; classtype:attempted-recon; sid:2100619; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kwyyhhqtwxupnhyu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kwyyhhqtwxupnhyu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015454; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TSPY_SPCESEND.A Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/log.php"; fast_pattern; http_uri; content:"id="; depth:3; http_client_body; content:"&link="; http_client_body; content:"&password="; http_client_body; content:"&debug="; http_client_body; content:!"User-Agent|3a 20|"; http_header; reference:url,blog.trendmicro.com/malware-uses-sendspace-to-store-stolen-documents/; classtype:command-and-control; sid:2014219; rev:4; metadata:created_at 2012_02_11, former_category MALWARE, updated_at 2012_02_11;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hrkusbnevtmyisab.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hrkusbnevtmyisab|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015453; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Krunchy/BZub HTTP POST Update"; flow:established,to_server; content:"POST"; nocase; http_method; content:"action="; fast_pattern; http_client_body; depth:7; content:"|25 35 46|script"; http_client_body; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007776; classtype:trojan-activity; sid:2007776; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xiwlnutkxsqxwjge.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xiwlnutkxsqxwjge|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015452; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Pandex Trojan Dropper Initial Checkin"; flow:established,to_server; content:"?r="; http_uri; content:"&hdd="; fast_pattern; http_uri; content:"&gen="; http_uri; content:!"User-Agent|3A|"; nocase; http_header; classtype:command-and-control; sid:2013397; rev:3; metadata:created_at 2011_08_10, former_category MALWARE, updated_at 2011_08_10;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain keabgwmpzqhpmlng.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|keabgwmpzqhpmlng|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015415; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Downloader (Win32.Doneltart) Checkin - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?open="; nocase; http_uri; content:"&myid="; fast_pattern; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2009814; classtype:trojan-activity; sid:2009814; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mjpflkwqskuqbjnk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mjpflkwqskuqbjnk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015416; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Agent-TMF Checkin"; flow:to_server,established; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"GET"; http_method; content:".php?gd="; fast_pattern; http_uri; pcre:"/.php\?gd=\d+_\d+_\d+$/U"; classtype:command-and-control; sid:2013701; rev:2; metadata:created_at 2011_09_28, former_category MALWARE, updated_at 2011_09_28;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain veihxoqukuetxqbn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|veihxoqukuetxqbn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015451; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Keylogger checkin"; flow:established; content:"GET"; nocase; http_method; content:"?mail="; http_uri; content:"subject=Keylogger"; http_uri; fast_pattern; content:"&body="; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)"; http_header; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008368; classtype:command-and-control; sid:2008368; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_05_03;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vqcicnuhtwhxmtjd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vqcicnuhtwhxmtjd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015417; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious PHP 302 redirect response with avtor URI and cookie"; flow:established,from_server; content:"302"; http_stat_code; content:".php?avtor="; fast_pattern; content:"Set-Cookie|3a| "; content:"avtor="; within:40; classtype:trojan-activity; sid:2013011; rev:6; metadata:created_at 2011_06_10, former_category CURRENT_EVENTS, updated_at 2011_06_10;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yvqnltydqtpresfu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yvqnltydqtpresfu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015418; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Foxit PDF Reader Title Stack Overflow"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"|2f|Title"; nocase; distance:0; isdataat:540,relative; content:!"|0A|"; within:540; reference:url,www.exploit-db.com/exploits/15532/; classtype:attempted-user; sid:2012064; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_17, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lwtcxuzbdrsnpqfb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lwtcxuzbdrsnpqfb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015450; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Emogen Reporting via HTTP"; flow:established,to_server; content:".asp?"; nocase; http_uri; content:"mac="; fast_pattern; nocase; http_uri; content:"&name="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007986; classtype:trojan-activity; sid:2007986; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iefwvulgninlkoxe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iefwvulgninlkoxe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015419; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE RevProxy ClientHello"; flow:established,to_server; dsize:13; content:"|04 00 00 01 05 00 00 00 00 07 00 01 00|"; reference:md5,7bf026c71d4ca6cdc7b6e543f9a5bb64; classtype:trojan-activity; sid:2014348; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ljubdldgqwbarplc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ljubdldgqwbarplc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015420; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED RevProxy ServerRespone"; flow:established,to_client; dsize:9; content:"|04 00 00 01 01 00 00 00 04|"; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:trojan-activity; sid:2014349; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jrfyaswntteouafv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jrfyaswntteouafv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015449; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED RevProxy ClientPing"; flow:established,to_server; dsize:9; content:"|04 00 00 01 01 00 00 00 05|"; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:trojan-activity; sid:2014350; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain upgghggmbusopaxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|upgghggmbusopaxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015421; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible BarCodeWiz (BARCODEWIZLib.BarCodeWiz) ActiveX Control Buffer Overflow"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BARCODEWIZLib.BarCodeWiz"; nocase; distance:0; content:"Barcode"; nocase; distance:0; reference:url,securityfocus.com/bid/54701; classtype:attempted-user; sid:2015564; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_03, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wuvjdexaqtmqkvgk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wuvjdexaqtmqkvgk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015422; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL ICQ ActiveX Control DownloadAgent Method Access Arbitrary File Download and Execute"; flow:to_client,established; content:"CLSID"; nocase; content:"54BDE6EC-F42F-4500-AC46-905177444300"; nocase; distance:0; content:"DownloadAgent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83020/America-Online-ICQ-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015566; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_03, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hektxucstnbuncix.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hektxucstnbuncix|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015423; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL ICQ ActiveX Control DownloadAgent Method Access Arbitrary File Download and Execute 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ICQPhone.SipxPhoneManager.1"; nocase; distance:0; content:"DownloadAgent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83020/America-Online-ICQ-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015567; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_03, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yjsovtnpgbwqcbbd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yjsovtnpgbwqcbbd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015448; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Trojan File Download - BMP Requested but not received"; flow:established,from_server; flowbits:isset,ET.bmp_seen; flowbits:unset,ET.bmp_seen; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"Content-Type|3a| application|2f|octet-stream"; http_header; content:!"BM"; content:!"|00 00 00 00|"; within:4; reference:url,doc.emergingthreats.net/2009084; classtype:trojan-activity; sid:2009084; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wedkgpdcxlrunbmu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wedkgpdcxlrunbmu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015447; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible BarCodeWiz BarcodeWiz.dll ActiveX Control Barcode Method Remote Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6"; nocase; distance:0; content:"Barcode"; nocase; distance:0; reference:url,securityfocus.com/bid/54701; classtype:attempted-user; sid:2015563; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_03, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mxpgggggukxqteoy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mxpgggggukxqteoy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015446; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP request tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101418; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ksacasnubklrikdl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ksacasnubklrikdl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015445; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments(2)"; flow:established,to_client; content:"Added By FoxxySF"; fast_pattern:only; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015584; rev:4; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jiyxdlvawkranmin.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jiyxdlvawkranmin|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015424; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Hit Counter Access"; flow:to_server,established; content:"/wtf/callback=getip"; fast_pattern:only; http_uri; nocase; content:".php?username="; nocase; http_uri; content:"&website="; nocase; http_uri; content:"foxxysoftware.org"; http_header; nocase; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015585; rev:2; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tplczomvebjmhsgk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tplczomvebjmhsgk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015425; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Executable (Win exe under 128)"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_test:4,<,128,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009033; classtype:policy-violation; sid:2009033; rev:7; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bloxgsfzinxmdspt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bloxgsfzinxmdspt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015444; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Suspicious Executable (PE offset 160)"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_test:4,=,160,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009034; classtype:policy-violation; sid:2009034; rev:7; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vuaivypissryzhij.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vuaivypissryzhij|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015426; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Executable (PE offset 512)"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_test:4,=,512,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009035; classtype:policy-violation; sid:2009035; rev:7; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gdoqznfilmtulxxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gdoqznfilmtulxxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015427; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Java EXE Download"; flowbits:isset,ET.http.javaclient; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013037; rev:7; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xfymtpavzblzbknq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xfymtpavzblzbknq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015443; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013036; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_06_16, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain oxkjnvhjnvnegtyb.ru Pseudo Random Domain";  content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|oxkjnvhjnvnegtyb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015442; rev:2; metadata:created_at 2012_07_12, updated_at 2020_08_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable served from Amazon S3"; flow:established,to_client; content:"|0d 0a|Server|3A| AmazonS3"; content:"|0d 0a 0d 0a|MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/; reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud; classtype:bad-unknown; sid:2013414; rev:10; metadata:created_at 2011_08_17, updated_at 2011_08_17;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iiewprjomieydnix.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iiewprjomieydnix|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015428; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable Download From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; content:"|0d 0a 0d 0a|MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012524; rev:7; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lsvdxjpwykxxvryd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lsvdxjpwykxxvryd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015441; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable Download From Russian Content-Language Website"; flow:established,to_client; content:"|0d 0a|Content-Language|3A| ru"; nocase; content:"|0d 0a 0d 0a|MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012523; rev:8; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ropypfmcqjjfdiel.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ropypfmcqjjfdiel|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015429; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE UPX compressed file download possible malware"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"UPX0"; content:"UPX1"; content:"UPX!"; reference:url,doc.emergingthreats.net/2001046; classtype:misc-activity; sid:2001046; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain utfenjxpvwtroioi.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|utfenjxpvwtroioi|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015430; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MP-FormGrabber Checkin"; flow:established,to_server; content:"/panel/gate.php?host="; nocase; http_uri; content:"&data="; nocase; distance:0; http_uri; reference:url,www.xylibox.com/2012/08/mp-formgrabber.html?spref=tw; classtype:command-and-control; sid:2015587; rev:2; metadata:created_at 2012_08_08, former_category MALWARE, updated_at 2012_08_08;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ehsmldxnregnruez.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ehsmldxnregnruez|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015440; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Windows Executable WriteProcessMemory"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"WriteProcessMemory"; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015588; rev:5; metadata:created_at 2012_08_08, former_category POLICY, updated_at 2012_08_08;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain edtmjcvfnfcbweed.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|edtmjcvfnfcbweed|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015431; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET MALWARE Palevo/BFBot/Mariposa client join attempt"; dsize:7; content:"|61|"; depth:1; flowbits:set,ET.MariposaJoin; reference:url,defintel.com/docs/Mariposa_Analysis.pdf; reference:url,defintel.blogspot.com/2009/09/half-of-fortune-100-companies.html; reference:url,doc.emergingthreats.net/2010100; reference:url,blogs.pcmag.com/securitywatch/2009/09/botnet_reported_loose_in_fortu.php; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2009-093006-0442-99&tabid=2; reference:url,www.symantec.com/connect/blogs/mariposa-butterfly; classtype:trojan-activity; sid:2010100; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hhishrpjdixwtctz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hhishrpjdixwtctz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015432; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FinFisher Malware Connection Handshake"; flow:to_server,established; content:"|5c 00 00 00 a0 02 72 00 0c 00 00 00 40 04 fe 00|"; depth:16; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher; classtype:trojan-activity; sid:2015595; rev:2; metadata:created_at 2012_08_09, updated_at 2012_08_09;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qouubrmdxtgnnjvm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qouubrmdxtgnnjvm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015433; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FinFisher Malware Connection Initialization"; flow:to_server,established; content:"|0c 00 00 00 40 01 73 00|"; depth:8; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher; classtype:trojan-activity; sid:2015594; rev:2; metadata:created_at 2012_08_09, updated_at 2012_08_09;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain stkbtccbckhdkbii.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|stkbtccbckhdkbii|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015434; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"6F255F99-6961-48DC-B17E-6E1BCCBC0EE3"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:url,1337day.com/exploits/17395; classtype:attempted-user; sid:2015606; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ccdifvomwhtynpay.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ccdifvomwhtynpay|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015439; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"HPESPRIT.XMLCacheMgr.1"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:url,1337day.com/exploits/17395; classtype:attempted-user; sid:2015607; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dcyjurmfwhgvyoio.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dcyjurmfwhgvyoio|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015435; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Kazaa Altnet Download Manager ActiveX Control Install Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"DEF37997-D9C9-4A4B-BF3C-88F99EACEEC2"; nocase; distance:0; content:".Install("; nocase; distance:0; reference:url,packetstormsecurity.org/files/83086/Kazaa-Altnet-Download-Manager-ActiveX-Control-Buffer-Overflow.html; classtype:attempted-user; sid:2015608; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fhnpjsnknkuvhazm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fhnpjsnknkuvhazm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015436; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smardf/Boaxxe GET to cc.php3"; flow:established,to_server; content:"/cc.php3"; http_uri; fast_pattern:only; content:"GET"; http_method; content:!"|0d 0a|Accept"; http_header; reference:md5,f856b4c526c3e5cee9d47df59295d2e1; reference:md5,232b4dbed0453e2a952630fb1076248f; classtype:trojan-activity; sid:2015617; rev:2; metadata:created_at 2012_08_11, updated_at 2012_08_11;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pozrtgdmhvhvdscn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pozrtgdmhvhvdscn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015437; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_jump:1,0,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014431; rev:15; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rsoxjlibxohdcyov.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rsoxjlibxohdcyov|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015438; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp !$DNS_SERVERS any -> [85.255.112.0/20,67.210.0.0/20,93.188.160.0/21,77.67.83.0/24,213.109.64.0/20,64.28.176.0/20] 53 (msg:"ET DELETED Ghost Click DNSChanger DNS Request (UDP)"; threshold:type threshold, track by_src, seconds 2, count 2; reference:url,www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf; classtype:trojan-activity; sid:2013906; rev:4; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2101274; rev:19; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RevProxy CnC List Request"; flow:established,to_server; content:"?net=gnutella2&get=1&client=RAZA2.5.0.0"; http_uri; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:command-and-control; sid:2014351; rev:3; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"ZwUnmapViewOfSection"; fast_pattern; nocase; distance:0; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012816; rev:8; metadata:created_at 2011_05_18, former_category MALWARE, updated_at 2011_05_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Helpexpress Spyware User-Agent HXLogOnly"; flow:established,to_server; content:"User-Agent|3A 20|HXLogOnly"; http_header; classtype:trojan-activity; sid:2013545; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_09_06, deployment Perimeter, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ppsvcvrcgkllplyn.ru"; flow:established,to_server; content:"|3a| ppsvcvrcgkllplyn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015462; rev:2; metadata:created_at 2012_07_13, updated_at 2012_07_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Briba Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"loginmid="; http_client_body; content:"nickid="; http_client_body; reference:url,labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/; classtype:command-and-control; sid:2015635; rev:3; metadata:created_at 2012_08_16, former_category MALWARE, updated_at 2012_08_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bloxgsfzinxmdspt.ru"; flow:established,to_server; content:"|3a| bloxgsfzinxmdspt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015244; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible CA eTrust PestPatrol ActiveX Control Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"5E644C49-F8B0-4E9A-A2ED-5F176BB18CE6"; nocase; distance:0; content:".Initialize("; nocase; distance:0; reference:url,exploit-db.com/exploits/16630/; classtype:attempted-user; sid:2015636; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ruhctasjmpqbyvhm.ru"; flow:established,to_server; content:"|3a| ruhctasjmpqbyvhm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015463; rev:3; metadata:created_at 2012_07_13, updated_at 2012_07_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"525A15D0-4938-11D4-94C7-0050DA20189B"; nocase; distance:0; content:"CheckRequirements("; nocase; distance:0; reference:url,exploit-db.com/exploits/16609/; reference:url,kb.cert.org/vuls/id/179281; classtype:attempted-user; sid:2015643; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent|3a| downloader|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; classtype:trojan-activity; sid:2003546; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"SnoopyX.SnoopyCtrl.1"; nocase; distance:0; content:"CheckRequirements("; nocase; distance:0; reference:url,exploit-db.com/exploits/16609/; classtype:attempted-user; sid:2015644; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AdminStudio Activex Control LaunchProcess Method Access Arbitrary Code Execution"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"LaunchHelp.HelpLauncher.1"; nocase; distance:0; content:"LaunchProcess"; nocase; distance:0; reference:url,packetstormsecurity.org/files/114564/AdminStudio-LaunchHelp.dll-ActiveX-Arbitrary-Code-Execution.html; classtype:attempted-user; sid:2015464; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Vaklik.kku Checkin Request"; flow:to_server,established; content:".rar HTTP/1."; pcre:"/\x2f\d+?\x2erar$/U"; flowbits:set,et.trojan.valkik.kku; flowbits:noalert; reference:md5,9688d1d37a7ced200c53ec2b9332a0ad; reference:md5,81d8a235cb5f7345b5796483abe8145f; reference:md5,47a6dd02ee197f82b28cee0ab2b9bd35; classtype:command-and-control; sid:2012960; rev:8; metadata:created_at 2011_06_09, former_category MALWARE, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Vundo.dam http Checkin after infection"; flow:established,to_server; content:"install.php?"; nocase; http_uri; content:"afid="; nocase; http_uri; content:"&user_id="; nocase; http_uri; content:"&version="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007572; classtype:trojan-activity; sid:2007572; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.Kryptik/proscan.co.kr Checkin 2"; flow:established,to_server; content:"User-Agent|3a| test_hInternet"; http_header; reference:md5,bf156b649cb5da6603a5f665a7d8f13b; classtype:trojan-activity; sid:2013822; rev:3; metadata:created_at 2011_11_04, updated_at 2011_11_04;)
 
-#alert  http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL 3"; flow:established,from_server; content:"|3c|applet"; fast_pattern; content:"56|3a|14|3a|14|3a|19|3a|27|3a|50|3a|50|3a|"; within:100; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015005; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fjgtmicxtlxynlpf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fjgtmicxtlxynlpf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015258; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely Infected HTTP POST to PHP with User-Agent of HTTP Client"; flow:established,to_server; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"User-Agent|3a 20|HTTP Client|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2012385; rev:3; metadata:created_at 2011_02_27, updated_at 2011_02_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fjgtmicxtlxynlpf.ru"; flow:established,to_server; content:"|3a| fjgtmicxtlxynlpf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015461; rev:3; metadata:created_at 2012_07_13, updated_at 2012_07_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fmacqvmqafqwmebl.ru"; flow:established,to_server; content:"|3a| fmacqvmqafqwmebl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015087; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bdvkpbuldslsapeb.ru"; flow:established,to_server; content:"|3a| bdvkpbuldslsapeb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015061; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hrpgglxvqwjesffr.ru"; flow:established,to_server; content:"|3a| hrpgglxvqwjesffr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015088; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eilqnjkoytyjuchn.ru"; flow:established,to_server; content:"|3a| eilqnjkoytyjuchn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015062; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rxbkqfydlnzopqrn.ru"; flow:established,to_server; content:"|3a| rxbkqfydlnzopqrn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015089; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain npxsiiwpxqqiihmo.ru"; flow:established,to_server; content:"|3a| npxsiiwpxqqiihmo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015063; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tdsorylshsxjeawf.ru"; flow:established,to_server; content:"|3a| tdsorylshsxjeawf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015090; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qtmyeslmsoxkjbku.ru"; flow:established,to_server; content:"|3a| qtmyeslmsoxkjbku.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015064; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain elfxqghdubihhsgd.ru"; flow:established,to_server; content:"|3a| elfxqghdubihhsgd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015091; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain adbjjkquyyhyqknf.ru"; flow:established,to_server; content:"|3a| adbjjkquyyhyqknf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015065; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gqtcxunxhyujqjkf.ru"; flow:established,to_server; content:"|3a| gqtcxunxhyujqjkf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015092; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ciqmhuwgvfsxdtrw.ru"; flow:established,to_server; content:"|3a| ciqmhuwgvfsxdtrw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015066; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sdxkjaophbtufumx.ru"; flow:established,to_server; content:"|3a| sdxkjaophbtufumx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015094; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mocrafrewsdjztbj.ru"; flow:established,to_server; content:"|3a| mocrafrewsdjztbj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015067; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain clkujrjqvexvbmoi.ru"; flow:established,to_server; content:"|3a| clkujrjqvexvbmoi.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015095; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain otruvbidvikzhlop.ru"; flow:established,to_server; content:"|3a| otruvbidvikzhlop.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015068; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fqyyxagzkrpvxtki.ru"; flow:established,to_server; content:"|3a| fqyyxagzkrpvxtki.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015096; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yafzvancybuwmnno.ru"; flow:established,to_server; content:"|3a| yafzvancybuwmnno.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015069; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain owldagkyzrkhqnjo.ru"; flow:established,to_server; content:"|3a| owldagkyzrkhqnjo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015097; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bhujzorkulhkpwob.ru"; flow:established,to_server; content:"|3a| bhujzorkulhkpwob.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015070; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rccjvgsgffokiwze.ru"; flow:established,to_server; content:"|3a| rccjvgsgffokiwze.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015098; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lohnrnnpvvtxedfl.ru"; flow:established,to_server; content:"|3a| lohnrnnpvvtxedfl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015071; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain blorcdyiipxcwyxv.ru"; flow:established,to_server; content:"|3a| blorcdyiipxcwyxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015099; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ntvrnrdpyoadopbo.ru"; flow:established,to_server; content:"|3a| ntvrnrdpyoadopbo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015072; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dpewaddpoewiycnj.ru"; flow:established,to_server; content:"|3a| dpewaddpoewiycnj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015100; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wakvnkyzkyietkdr.ru"; flow:established,to_server; content:"|3a| wakvnkyzkyietkdr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015073; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nwpykqeizraqthry.ru"; flow:established,to_server; content:"|3a| nwpykqeizraqthry.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015101; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zfyafrjmmajqfvbh.ru"; flow:established,to_server; content:"|3a| zfyafrjmmajqfvbh.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015074; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pchgijctfprxhnje.ru"; flow:established,to_server; content:"|3a| pchgijctfprxhnje.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015102; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jnlkttkruqsdjqlx.ru"; flow:established,to_server; content:"|3a| jnlkttkruqsdjqlx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015075; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zisiiogqigzzqqeq.ru"; flow:established,to_server; content:"|3a| zisiiogqigzzqqeq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015103; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lsbppxhgckolsnap.ru"; flow:established,to_server; content:"|3a| lsbppxhgckolsnap.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015076; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cpittmwbqtjrjpql.ru"; flow:established,to_server; content:"|3a| cpittmwbqtjrjpql.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015104; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vznrahwzgntmfcqk.ru"; flow:established,to_server; content:"|3a| vznrahwzgntmfcqk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015077; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mvuvchtcxxibeubd.ru"; flow:established,to_server; content:"|3a| mvuvchtcxxibeubd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015105; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xeeypppxswpquvrf.ru"; flow:established,to_server; content:"|3a| xeeypppxswpquvrf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015078; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain oblcasnhxbbocpfj.ru"; flow:established,to_server; content:"|3a| oblcasnhxbbocpfj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015106; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain inqgvoeohpcsfxmn.ru"; flow:established,to_server; content:"|3a| inqgvoeohpcsfxmn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015079; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xixftoplsduqqorx.ru"; flow:established,to_server; content:"|3a| xixftoplsduqqorx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015107; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ksgmckchdppqeicu.ru"; flow:established,to_server; content:"|3a| ksgmckchdppqeicu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015080; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bpnqmxkpxxgbdnby.ru"; flow:established,to_server; content:"|3a| bpnqmxkpxxgbdnby.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015108; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uyrorwlibbjeasoq.ru"; flow:established,to_server; content:"|3a| uyrorwlibbjeasoq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015081; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kvzstpqmeoxtcwko.ru"; flow:established,to_server; content:"|3a| kvzstpqmeoxtcwko.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015109; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wejungvnykczyjam.ru"; flow:established,to_server; content:"|3a| wejungvnykczyjam.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015082; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nbqypqrjiqxlfvdj.ru"; flow:established,to_server; content:"|3a| nbqypqrjiqxlfvdj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015110; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gmvdnpqbblixlgxj.ru"; flow:established,to_server; content:"|3a| gmvdnpqbblixlgxj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015083; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain whddmvrxufbkkoew.ru"; flow:established,to_server; content:"|3a| whddmvrxufbkkoew.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015111; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jrkjelzwleadyxsd.ru"; flow:established,to_server; content:"|3a| jrkjelzwleadyxsd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015084; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ymrhcvphevonympo.ru"; flow:established,to_server; content:"|3a| ymrhcvphevonympo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015112; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sywleisrsstsqoic.ru"; flow:established,to_server; content:"|3a| sywleisrsstsqoic.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015085; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jveqgnmjxkocqifr.ru"; flow:established,to_server; content:"|3a| jveqgnmjxkocqifr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015113; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain venrfhmthwpqlqge.ru"; flow:established,to_server; content:"|3a| venrfhmthwpqlqge.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015086; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lavvckpordclbduy.ru"; flow:established,to_server; content:"|3a| lavvckpordclbduy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015114; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ppsvcvrcgkllplyn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ppsvcvrcgkllplyn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015259; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vhhzcvbegxbjsxke.ru"; flow:established,to_server; content:"|3a| vhhzcvbegxbjsxke.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015115; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ruhctasjmpqbyvhm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ruhctasjmpqbyvhm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015260; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xmwettbvtbhvrjuo.ru"; flow:established,to_server; content:"|3a| xmwettbvtbhvrjuo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015116; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bdvkpbuldslsapeb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bdvkpbuldslsapeb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015261; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iujniiokeyjbmerc.ru"; flow:established,to_server; content:"|3a| iujniiokeyjbmerc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015117; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eilqnjkoytyjuchn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eilqnjkoytyjuchn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015262; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kzxrowftdocgyghs.ru"; flow:established,to_server; content:"|3a| kzxrowftdocgyghs.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015118; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain npxsiiwpxqqiihmo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|npxsiiwpxqqiihmo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015263; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gacdiuwnhonuulpe.ru"; flow:established,to_server; content:"|3a| gacdiuwnhonuulpe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015119; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qtmyeslmsoxkjbku.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qtmyeslmsoxkjbku|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015264; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ifrhgnqeeotnzrmz.ru"; flow:established,to_server; content:"|3a| ifrhgnqeeotnzrmz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015120; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain adbjjkquyyhyqknf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|adbjjkquyyhyqknf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015265; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rmdlgyreitjsjkfq.ru"; flow:established,to_server; content:"|3a| rmdlgyreitjsjkfq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015121; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ciqmhuwgvfsxdtrw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ciqmhuwgvfsxdtrw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015266; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uqspvdwyltgcyhft.ru"; flow:established,to_server; content:"|3a| uqspvdwyltgcyhft.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015122; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mocrafrewsdjztbj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mocrafrewsdjztbj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015267; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ezfydrexncoidbus.ru"; flow:established,to_server; content:"|3a| ezfydrexncoidbus.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015123; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain otruvbidvikzhlop.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|otruvbidvikzhlop|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015268; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hfveiooumeyrpchg.ru"; flow:established,to_server; content:"|3a| hfveiooumeyrpchg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015124; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yafzvancybuwmnno.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yafzvancybuwmnno|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015269; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qlihxnncwioxkdls.ru"; flow:established,to_server; content:"|3a| qlihxnncwioxkdls.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015125; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bhujzorkulhkpwob.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bhujzorkulhkpwob|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015270; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sqwlonyduvpowdgy.ru"; flow:established,to_server; content:"|3a| sqwlonyduvpowdgy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015126; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lohnrnnpvvtxedfl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lohnrnnpvvtxedfl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015271; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dyjvewshptsboygd.ru"; flow:established,to_server; content:"|3a| dyjvewshptsboygd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015127; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ntvrnrdpyoadopbo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ntvrnrdpyoadopbo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015272; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain febcbuyswmishvpl.ru"; flow:established,to_server; content:"|3a| febcbuyswmishvpl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015128; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wakvnkyzkyietkdr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wakvnkyzkyietkdr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015273; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain plmekaayiholtevt.ru"; flow:established,to_server; content:"|3a| plmekaayiholtevt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015129; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zfyafrjmmajqfvbh.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zfyafrjmmajqfvbh|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015274; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rpckbgrziwbdrmhr.ru"; flow:established,to_server; content:"|3a| rpckbgrziwbdrmhr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015130; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jnlkttkruqsdjqlx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jnlkttkruqsdjqlx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015275; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cyosongjihugkjbg.ru"; flow:established,to_server; content:"|3a| cyosongjihugkjbg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015131; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lsbppxhgckolsnap.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lsbppxhgckolsnap|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015276; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eefysywrvkgxuqdf.ru"; flow:established,to_server; content:"|3a| eefysywrvkgxuqdf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015132; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vznrahwzgntmfcqk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vznrahwzgntmfcqk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015277; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nkrbvqxzfwicmhwb.ru"; flow:established,to_server; content:"|3a| nkrbvqxzfwicmhwb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015133; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xeeypppxswpquvrf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xeeypppxswpquvrf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015278; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qphhsudsmeftdaht.ru"; flow:established,to_server; content:"|3a| qphhsudsmeftdaht.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015134; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain inqgvoeohpcsfxmn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|inqgvoeohpcsfxmn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015279; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain axtopsbtntqnfdyk.ru"; flow:established,to_server; content:"|3a| axtopsbtntqnfdyk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015135; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ksgmckchdppqeicu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ksgmckchdppqeicu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015280; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ddkudnuklgiwtdyw.ru"; flow:established,to_server; content:"|3a| ddkudnuklgiwtdyw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015136; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uyrorwlibbjeasoq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uyrorwlibbjeasoq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015281; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mkwwclogcvgeekws.ru"; flow:established,to_server; content:"|3a| mkwwclogcvgeekws.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015137; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wejungvnykczyjam.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wejungvnykczyjam|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015282; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain opldkflyvlkywuec.ru"; flow:established,to_server; content:"|3a| opldkflyvlkywuec.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015138; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gmvdnpqbblixlgxj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gmvdnpqbblixlgxj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015283; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yvxfekhokspfuwqr.ru"; flow:established,to_server; content:"|3a| yvxfekhokspfuwqr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015139; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jrkjelzwleadyxsd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jrkjelzwleadyxsd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015284; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bdprvpxdejpohqpt.ru"; flow:established,to_server; content:"|3a| bdprvpxdejpohqpt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015140; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sywleisrsstsqoic.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sywleisrsstsqoic|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015285; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ljbvfrsvcevyfhor.ru"; flow:established,to_server; content:"|3a| ljbvfrsvcevyfhor.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015141; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain venrfhmthwpqlqge.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|venrfhmthwpqlqge|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015286; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain noqzuukouyfuyrmd.ru"; flow:established,to_server; content:"|3a| noqzuukouyfuyrmd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015142; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Anti-virus-pro.com Fake AV Checkin"; flow:established,to_server; content:"/stat.php?machine_id={"; nocase; http_uri; pcre:"/machine_id={[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+}/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007886; classtype:trojan-activity; sid:2007886; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xvcewyydwsmdgaju.ru"; flow:established,to_server; content:"|3a| xvcewyydwsmdgaju.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015143; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"GPL DELETED netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:2100110; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zatiscwwtipqlycd.ru"; flow:established,to_server; content:"|3a| zatiscwwtipqlycd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015144; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:2100286; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jjgshrjdcynohyuk.ru"; flow:established,to_server; content:"|3a| jjgshrjdcynohyuk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015145; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 BSD overflow 2"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; classtype:attempted-admin; sid:2100287; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mouwwvcwwlilnxub.ru"; flow:established,to_server; content:"|3a| mouwwvcwwlilnxub.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015146; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:2100288; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vuhaojpwxgsxuitu.ru"; flow:established,to_server; content:"|3a| vuhaojpwxgsxuitu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015147; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|"; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:2100289; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yayfefhrwawquwcw.ru"; flow:established,to_server; content:"|3a| yayfefhrwawquwcw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015148; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL DELETED qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:2100290; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iiloishkjwvqldlq.ru"; flow:established,to_server; content:"|3a| iiloishkjwvqldlq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015149; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:2100292; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain knauycqgsdhgbwjo.ru"; flow:established,to_server; content:"|3a| knauycqgsdhgbwjo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015150; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET TELNET login failed"; flow:from_server,established; content:"Login failed"; nocase; classtype:bad-unknown; sid:2100492; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uumwyzhctrwdsrdp.ru"; flow:established,to_server; content:"|3a| uumwyzhctrwdsrdp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015151; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2100569; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wzbdwenwshfzglwt.ru"; flow:established,to_server; content:"|3a| wzbdwenwshfzglwt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015152; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap sadmind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:2100585; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hiplksflttfkpsxn.ru"; flow:established,to_server; content:"|3a| hiplksflttfkpsxn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015153; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:2100589; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jnfrqmekhoevppvw.ru"; flow:established,to_server; content:"|3a| jnfrqmekhoevppvw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015154; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2100590; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ttqtkmthptxvwiku.ru"; flow:established,to_server; content:"|3a| ttqtkmthptxvwiku.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015155; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:2100591; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vygzhvfiuommkqfj.ru"; flow:established,to_server; content:"|3a| vygzhvfiuommkqfj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015156; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2100593; rev:19; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fhuidtlqttqxgjvn.ru"; flow:established,to_server; content:"|3a| fhuidtlqttqxgjvn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015157; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2100595; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain imjosxuhbcdonrco.ru"; flow:established,to_server; content:"|3a| imjosxuhbcdonrco.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015158; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,428; classtype:rpc-portmap-decode; sid:2100598; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rtvqcdpbqxgwnrcn.ru"; flow:established,to_server; content:"|3a| rtvqcdpbqxgwnrcn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015159; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL RPC rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; classtype:bad-unknown; sid:2100601; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tykvyflnjhbnqpnr.ru"; flow:established,to_server; content:"|3a| tykvyflnjhbnqpnr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015160; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"GPL RPC rlogin login failure"; flow:from_server,established; content:"login incorrect"; reference:arachnids,393; classtype:unsuccessful-user; sid:2100605; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gmokuosvnbkshdtd.ru"; flow:established,to_server; content:"|3a| gmokuosvnbkshdtd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015162; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"GPL RPC rlogin login failure"; flow:from_server,established; content:"|01|rlogind|3A| Permission denied."; reference:arachnids,392; classtype:unsuccessful-user; sid:2100611; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qsbourrdxgxgwepy.ru"; flow:established,to_server; content:"|3a| qsbourrdxgxgwepy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015163; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; reference:arachnids,356; classtype:shellcode-detect; sid:2100638; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sxpskxdgoczvcjgp.ru"; flow:established,to_server; content:"|3a| sxpskxdgoczvcjgp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015164; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; reference:arachnids,357; classtype:shellcode-detect; sid:2100639; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dhedppigtpbwrmpc.ru"; flow:established,to_server; content:"|3a| dhedppigtpbwrmpc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015165; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; reference:arachnids,352; classtype:shellcode-detect; sid:2100641; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain flthmyjeuhdygshf.ru"; flow:established,to_server; content:"|3a| flthmyjeuhdygshf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015166; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; reference:arachnids,358; classtype:shellcode-detect; sid:2100642; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain osflhkaowydftniw.ru"; flow:established,to_server; content:"|3a| osflhkaowydftniw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015167; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; reference:arachnids,359; classtype:shellcode-detect; sid:2100643; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rxupwhkznihnxzqx.ru"; flow:established,to_server; content:"|3a| rxupwhkznihnxzqx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015168; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; reference:arachnids,345; classtype:shellcode-detect; sid:2100644; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bgjzhlasdrwwnenj.ru"; flow:established,to_server; content:"|3a| bgjzhlasdrwwnenj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015169; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; reference:arachnids,353; classtype:shellcode-detect; sid:2100645; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain elxegvkalqvkyoxc.ru"; flow:established,to_server; content:"|3a| elxegvkalqvkyoxc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015170; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; reference:arachnids,355; classtype:shellcode-detect; sid:2100646; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nrkhysgoltauclop.ru"; flow:established,to_server; content:"|3a| nrkhysgoltauclop.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015171; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; reference:arachnids,282; classtype:system-call-detect; sid:2100647; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pwyloytoagndnrex.ru"; flow:established,to_server; content:"|3a| pwyloytoagndnrex.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015172; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; reference:arachnids,284; classtype:system-call-detect; sid:2100649; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zenquqdskekaudbe.ru"; flow:established,to_server; content:"|3a| zenquqdskekaudbe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015173; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; reference:arachnids,436; classtype:system-call-detect; sid:2100650; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cldcrgtnuwvgnbfd.ru"; flow:established,to_server; content:"|3a| cldcrgtnuwvgnbfd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015174; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; reference:arachnids,343; classtype:shellcode-detect; sid:2100652; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mroeqjdaukskbgua.ru"; flow:established,to_server; content:"|3a| mroeqjdaukskbgua.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015175; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit seen with O1/O2.class /form"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/search|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:exploit-kit; sid:2015646; rev:4; metadata:created_at 2012_08_17, former_category EXPLOIT_KIT, updated_at 2012_08_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain owekhoeuhmdiehrw.ru"; flow:established,to_server; content:"|3a| owekhoeuhmdiehrw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015176; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit seen with O1/O2.class /search"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/form|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:exploit-kit; sid:2015647; rev:4; metadata:created_at 2012_08_17, former_category EXPLOIT_KIT, updated_at 2012_08_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ydrngsmrdiiyvoiy.ru"; flow:established,to_server; content:"|3a| ydrngsmrdiiyvoiy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015177; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android.Ggtracker Ggtrack.org Checkin"; flow:established,to_server; content:"device_id="; nocase; http_uri; content:"adv_sub="; nocase; http_uri; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062208-5013-99&tabid=2; classtype:trojan-activity; sid:2013219; rev:3; metadata:created_at 2011_07_06, updated_at 2011_07_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bkhyiqitpoxewhmt.ru"; flow:established,to_server; content:"|3a| bkhyiqitpoxewhmt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015178; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED General Downloader URL - Post Infection"; flow:established,to_server; content:"/count.jsp?id="; http_uri; content:"&mac=0"; http_uri; content:"te="; http_uri; reference:url,doc.emergingthreats.net/2008728; classtype:trojan-activity; sid:2008728; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain krtbityuhlewigfe.ru"; flow:established,to_server; content:"|3a| krtbityuhlewigfe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015179; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Borlander Adware Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?t="; nocase; http_uri; content:"&i="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&n="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008736; classtype:bad-unknown; sid:2008736; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nvjgyermzsmynaeq.ru"; flow:established,to_server; content:"|3a| nvjgyermzsmynaeq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015180; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rogue.Win32/Winwebsec Install"; flow:to_server,established; content:"/api/stats/install/?affid="; content:"&ver=30"; http_uri; content:"&group="; http_uri; reference:md5,5310a7d855a14c93b12a36869cd252ec; classtype:trojan-activity; sid:2015653; rev:4; metadata:created_at 2012_02_24, updated_at 2012_02_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jwkpdxqbemsmclal.ru"; flow:established,to_server; content:"|3a| jwkpdxqbemsmclal.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015181; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible URL List or Clickfraud URLs Delivered To Client"; flow:established,from_server; content:"|0d 0a 0d 0a|http|3a|//"; content:"|7C|http|3a|//"; distance:0; content:"|0D 0A|http|3a|//"; distance:0; content:"|7C|http|3a|//"; distance:0; classtype:trojan-activity; sid:2014149; rev:4; metadata:created_at 2012_01_24, updated_at 2012_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uinyjmxfqinkxbda.ru"; flow:established,to_server; content:"|3a| uinyjmxfqinkxbda.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015183; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Landing Page Requested - /Home/index.php"; flow:established,to_server; content:"/Home/index.php"; http_uri; depth:15; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; classtype:trojan-activity; sid:2014975; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xndfbivuonkxfxrq.ru"; flow:established,to_server; content:"|3a| xndfbivuonkxfxrq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015184; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Received - catch and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.blackhole.uri; content:"}catch("; classtype:trojan-activity; sid:2014976; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hvpmffxpfnlquqxo.ru"; flow:established,to_server; content:"|3a| hvpmffxpfnlquqxo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015185; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Recieved - applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.blackhole.uri; content:"<applet"; classtype:trojan-activity; sid:2014977; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kbgsbqjugdqrgtdw.ru"; flow:established,to_server; content:"|3a| kbgsbqjugdqrgtdw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015186; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Landing Page Requested - /*.php?*=8HexChar"; flow:established,to_server; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; urilen:15<>52; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,10}=[a-f0-9]{8}$/U"; pcre:"/[0-9]{1,8}[a-f]{1,8}[0-9]{1,8}$/U"; classtype:trojan-activity; sid:2014974; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tisubmfvqrgnloxr.ru"; flow:established,to_server; content:"|3a| tisubmfvqrgnloxr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015187; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Malicious Redirect n.php h=*&s=*"; flow:to_server,established; content:"/n.php?h="; fast_pattern:only; http_uri; content:"&s="; http_uri; content:".rr.nu|0d 0a|"; http_header; pcre:"/\/n\.php\?h=\w*?&s=\w{1,5}$/Ui"; reference:url,0xicf.wordpress.com/category/security-updates/; reference:url,urlquery.net/report.php?id=111302; classtype:attempted-user; sid:2015669; rev:10; metadata:created_at 2012_08_23, former_category WEB_CLIENT, updated_at 2012_08_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vmibswhnpqhqwyih.ru"; flow:established,to_server; content:"|3a| vmibswhnpqhqwyih.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015188; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015667; rev:2; metadata:created_at 2012_08_29, former_category CURRENT_EVENTS, updated_at 2012_08_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru"; flow:established,to_server; content:"|3a| gvujhzvjxwptrtdg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015189; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; content:"/1."; offset:75; depth:3; http_uri; content:"|2e|"; distance:1; within:1; http_uri; content:"|2e|"; distance:1; within:1; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//U"; classtype:attempted-user; sid:2015666; rev:4; metadata:created_at 2012_08_29, former_category CURRENT_EVENTS, updated_at 2012_08_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT BMP with invalid bfOffBits"; flow:established,to_client; content:"|0d 0a 0d 0a|BM"; fast_pattern; byte_test:4,>,14,0,relative; content:"|0000000000000000|"; distance:4; within:8; reference:url,www.microsoft.com/technet/security/Bulletin/ms06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; reference:url,doc.emergingthreats.net/bin/view/Main/2002803; classtype:attempted-user; sid:2002803; rev:10; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st.QQ Checkin"; flow:to_server,established; content:"QQ|3a|124971919"; depth:12; content:"|00 00|"; distance:2; within:2; content:"|00 00 78 9C|"; distance:2; within:4; reference:md5,899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014109; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_10, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru"; flow:established,to_server; content:"|3a| iblpdiqdmmsbnuxb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015190; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st.QQ Checkin 2"; flow:to_server,established; content:"QQ|3a|"; depth:3; content:"|00 00|"; distance:11; within:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,12,little; reference:md5,899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014110; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_10, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain shxrsvasoncjnxpn.ru"; flow:established,to_server; content:"|3a| shxrsvasoncjnxpn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015191; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st Checkin (6 Byte keyword)"; flow:to_server,established; content:"|00 00|"; offset:8; depth:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,6,little; pcre:"/^[a-z0-9]{6}..\x00\x00/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; classtype:trojan-activity; sid:2015627; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_15, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ummxjwieppswcnrg.ru"; flow:established,to_server; content:"|3a| ummxjwieppswcnrg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015192; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st Checkin (7 Byte keyword)"; flow:to_server,established; content:"|00 00|"; offset:9; depth:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,7,little; pcre:"/^[a-z0-9]{7}..\x00\x00/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; classtype:trojan-activity; sid:2015628; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_15, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fuyfrockpfclxccd.ru"; flow:established,to_server; content:"|3a| fuyfrockpfclxccd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015193; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DOCHTML C&C http directive in HTML comments"; flow:established,from_server; content:"|3c|!-- DOCHTMLhttp|3a|//"; reference:url,blog.accuvantlabs.com/blog/dgrif/anatomy-targeted-attack; classtype:command-and-control; sid:2015616; rev:3; metadata:created_at 2012_08_11, former_category MALWARE, updated_at 2012_08_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain haqmuqqukywrcxfa.ru"; flow:established,to_server; content:"|3a| haqmuqqukywrcxfa.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015194; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PCFlashbang.com Spyware Checkin (PCFlashBangA)"; flow:to_server,established; content:"User-Agent|3a| PCFlashBang"; http_header; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453113169; reference:url,doc.emergingthreats.net/2009540; classtype:command-and-control; sid:2009540; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qhcplcuugevvyham.ru"; flow:established,to_server; content:"|3a| qhcplcuugevvyham.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015195; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 1342 (msg:"ET EXPLOIT_KIT Unknown Exploit Kit redirect"; flow:established,to_server; urilen:35; content:"GET"; http_method; content:"/t/"; depth:3; http_uri; pcre:"/^\/t\/[a-f0-9]{32}/Ui"; content:"|0d 0a|Host|3a| "; http_header; content:"|3a|1342|0d 0a|"; http_header; fast_pattern:only; classtype:exploit-kit; sid:2015672; rev:5; metadata:created_at 2012_08_30, former_category EXPLOIT_KIT, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tmrtbcienxrbnsjc.ru"; flow:established,to_server; content:"|3a| tmrtbcienxrbnsjc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015196; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shady RAT Get File Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"gf|3a|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013653; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dueebwwdllfburag.ru"; flow:established,to_server; content:"|3a| dueebwwdllfburag.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015197; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shady RAT Put File Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"pf|3a|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013654; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fzsirujgdbvabrjm.ru"; flow:established,to_server; content:"|3a| fzsirujgdbvabrjm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015198; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shady RAT Retrieve and Execute Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"http|3a|{"; content:"}.exe"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013655; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pghnrmkoeoetfwsm.ru"; flow:established,to_server; content:"|3a| pghnrmkoeoetfwsm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015199; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shady RAT Relay Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"taxi|3a|"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013656; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rlvqmipovrqbmvqd.ru"; flow:established,to_server; content:"|3a| rlvqmipovrqbmvqd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015200; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shady RAT Send Status Result"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"slp|3a|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013657; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ctjbmgjudwisgshv.ru"; flow:established,to_server; content:"|3a| ctjbmgjudwisgshv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015201; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability"; flow:established; content:"|21 00 21 03|"; pcre:"/[0-9a-zA-Z]{10}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; reference:url,doc.emergingthreats.net/bin/view/Main/2007933; classtype:misc-attack; sid:2007933; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eyxejlabqaytqmjx.ru"; flow:established,to_server; content:"|3a| eyxejlabqaytqmjx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015202; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL DELETED AIM AddGame attempt"; flow:to_client,established; content:"aim|3A|AddGame?"; nocase; reference:bugtraq,3769; reference:cve,2002-0005; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:2101393; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ogmjjmqdhlbyabzg.ru"; flow:established,to_server; content:"|3a| ogmjjmqdhlbyabzg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015203; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL DELETED AIM AddExternalApp attempt"; flow:to_client,established; content:"aim|3A|AddExternalApp?"; nocase; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:2101752; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qlbpfyrupyadvjsl.ru"; flow:established,to_server; content:"|3a| qlbpfyrupyadvjsl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015204; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"GPL CHAT Yahoo IM conference request"; flow:to_server,established; content:"<R"; depth:2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism"; classtype:policy-violation; sid:2102460; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain atnwerhvttvbivra.ru"; flow:established,to_server; content:"|3a| atnwerhvttvbivra.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015205; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|"; depth:2; offset:10; classtype:policy-violation; sid:2102452; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dydderasilekaegh.ru"; flow:established,to_server; content:"|3a| dydderasilekaegh.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015206; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; classtype:policy-violation; sid:2102459; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mfqfrnqllqcrayiw.ru"; flow:established,to_server; content:"|3a| mfqfrnqllqcrayiw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015207; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; classtype:policy-violation; sid:2102455; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pkglwwwmjxokzzfq.ru"; flow:established,to_server; content:"|3a| pkglwwwmjxokzzfq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015208; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET 5100 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference watch"; flow:from_server,established; content:"|0D 00 05 00|"; depth:4; classtype:policy-violation; sid:2102461; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yrrnrgliojezjctg.ru"; flow:established,to_server; content:"|3a| yrrnrgliojezjctg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015209; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo Messenger File Transfer Receive Request"; flow:established; content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10; classtype:policy-violation; sid:2102456; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bxhzugppnulxghvm.ru"; flow:established,to_server; content:"|3a| bxhzugppnulxghvm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015210; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM voicechat"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; classtype:policy-violation; sid:2102451; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lfvcngdbzjrzgyby.ru"; flow:established,to_server; content:"|3a| lfvcngdbzjrzgyby.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015211; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference logon success"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; classtype:policy-violation; sid:2102454; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nkkijjyioljbfysn.ru"; flow:established,to_server; content:"|3a| nkkijjyioljbfysn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015212; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference invitation"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; classtype:policy-violation; sid:2102453; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xqwkdyjydkggsppd.ru"; flow:established,to_server; content:"|3a| xqwkdyjydkggsppd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015213; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Trojan-Spy.Win32.Bancos Download"; flow: established,from_server; content:"[AspackDie!]"; content:"|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 ac 5f 3138 d0|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.bancos.b.html; reference:url,doc.emergingthreats.net/2001726; classtype:trojan-activity; sid:2001726; rev:10; metadata:created_at 2010_07_30, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain axmvnmubgwlmqfrp.ru"; flow:established,to_server; content:"|3a| axmvnmubgwlmqfrp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015214; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED AV-Killer.Win32 User Agent Detected (p4r4z1t3v3.one14.J)"; flow:established,to_server; content:"User-Agent|3a| p4r4z1t3v3"; nocase; reference:url,doc.emergingthreats.net/2003638; classtype:trojan-activity; sid:2003638; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain keabgwmpzqhpmlng.ru"; flow:established,to_server; content:"|3a| keabgwmpzqhpmlng.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015215; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED Win32.SMTP-Mailer SMTP Outbound"; flow:to_server,established; content:"Subject|3a 20 3a 20|ZOMBIE"; nocase; content:"X-Library|3a| Indy 9.00.10"; nocase; distance:0; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.SMTP-Mailer&threatid=48095; reference:url,www.hauri.net/virus/virusinfo_read.php?code=TRW3000774&start=1; reference:url,doc.emergingthreats.net/2003041; classtype:trojan-activity; sid:2003041; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mjpflkwqskuqbjnk.ru"; flow:established,to_server; content:"|3a| mjpflkwqskuqbjnk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015216; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED HTTP RBOT Challenge/Response Authentication"; flow: to_server,established; content:"Host|3A 20|"; nocase; content:"|3A 20|Negotiate|20|YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFB"; nocase; reference:url,isc.sans.org/diary.php?date=2005-06-03; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring; reference:url,doc.emergingthreats.net/2001985; classtype:trojan-activity; sid:2001985; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vqcicnuhtwhxmtjd.ru"; flow:established,to_server; content:"|3a| vqcicnuhtwhxmtjd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015217; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Malicious file BaiduPlayer1.0.21.25.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/BaiduPlayer/BaiduPlayer1.0.21.25.exe"; nocase; http_uri; content:"dl.client.baidu.com"; http_header; nocase; classtype:trojan-activity; sid:2014181; rev:5; metadata:created_at 2012_02_06, updated_at 2012_02_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yvqnltydqtpresfu.ru"; flow:established,to_server; content:"|3a| yvqnltydqtpresfu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015218; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Parite.B GET"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"|0d0a|User-Agent|3a| gomtour|0d0a|"; within:200; reference:url,www.pandasecurity.com/homeusers/security-info/18181/information/Parite.B; reference:url,www.pctools.com/mrc/infections/id/Virus.Parite.B/; reference:url,www.threatexpert.com/threats/w32-parite-b.html; reference:url,doc.emergingthreats.net/2009454; classtype:trojan-activity; sid:2009454; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family Parite, signature_severity Major, updated_at 2017_07_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iefwvulgninlkoxe.ru"; flow:established,to_server; content:"|3a| iefwvulgninlkoxe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015219; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hotword Trojan in Transit"; flow: established,from_server; content:"|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001959; classtype:trojan-activity; sid:2001959; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ljubdldgqwbarplc.ru"; flow:established,to_server; content:"|3a| ljubdldgqwbarplc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015220; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hotword Trojan inbound via http"; flow: established,from_server; content:"|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001960; classtype:trojan-activity; sid:2001960; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain upgghggmbusopaxv.ru"; flow:established,to_server; content:"|3a| upgghggmbusopaxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015221; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible File Upload CHJO"; flow: to_server,established; content:"STOR __"; content:"-CHJO.DRV"; nocase; within: 100; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001961; classtype:trojan-activity; sid:2001961; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wuvjdexaqtmqkvgk.ru"; flow:established,to_server; content:"|3a| wuvjdexaqtmqkvgk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015222; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible File Upload CFXP"; flow: to_server,established; content:"STOR __"; content:"-CFXP.DRV"; nocase; within: 100; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001962; classtype:trojan-activity; sid:2001962; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hektxucstnbuncix.ru"; flow:established,to_server; content:"|3a| hektxucstnbuncix.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015223; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Request pspv.exe"; flow: to_server,established; content:"SIZE pspv.exe"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001963; classtype:trojan-activity; sid:2001963; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jiyxdlvawkranmin.ru"; flow:established,to_server; content:"|3a| jiyxdlvawkranmin.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015224; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Request .tea"; flow: to_server,established; content:"LIST "; content:".tea"; nocase; within: 50; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001964; classtype:trojan-activity; sid:2001964; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tplczomvebjmhsgk.ru"; flow:established,to_server; content:"|3a| tplczomvebjmhsgk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015225; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED Greeting card gif.exe email incoming SMTP"; flow: established,to_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001919; classtype:trojan-activity; sid:2001919; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vuaivypissryzhij.ru"; flow:established,to_server; content:"|3a| vuaivypissryzhij.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015226; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET 110:220 -> $HOME_NET any (msg:"ET DELETED Greeting card gif.exe email incoming POP3/IMAP"; flow: established,from_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001920; classtype:trojan-activity; sid:2001920; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gdoqznfilmtulxxv.ru"; flow:established,to_server; content:"|3a| gdoqznfilmtulxxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015227; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Status Check ___"; flow: to_server,established; content:"|53 49 5a 45 20 5f 5f 5f 0d 0a|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001966; classtype:trojan-activity; sid:2001966; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iiewprjomieydnix.ru"; flow:established,to_server; content:"|3a| iiewprjomieydnix.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015228; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE Shikata Ga Nai polymorphic payload"; dsize: >26; content: "|d9 74 24 f4|"; pcre: "/[\x29\x2b\x31\x33]\xc9/sm"; pcre: "/[\xd9-\xdb\xdd].{1,11}\xd9\x74\x24\xf4.{0,10}[\x58\x5a\x5b\x5d-\x5f]/sm"; pcre: "/([\x29\x2b\x31\x33\xb8\xba\xbb\xbe\xbf\xd9-\xdb\xdd][^\x00\xff][^\x00\xff][^\x00][^\x00\xff][^\x00][^\x00\xff][^\x00\xff][^\x00][^\x00][^\x00][^\x00\xff][^\x00\xff][^\x00\xff][^\x00][^\x00][\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0e\x10\x12\x13\x15\x17\xfc][\x03\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0a\x0c\x0e-\x13\x15\x17\xfc][\x03\x83]..[^\x1d\xe2][^\x0a\xf5])|([\x29\x2b\x31\x33\xb8\xba\xbb\xbd-\xbf\xd9-\xdb\xdd][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][\x24\xb1\xd9-\xdb\xdd][^\x00][\x58\x5a\x5b\x5d-\x5f\xb8\xba\xbb\xbd-\xbf\xd9][^\x00][^\x00][^\x00][^\x00][\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0e\x12\x17\xfc][\x03\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0a\x0e\x12\x13\x17\xfc][\x03\x83]..[^\xe2][^\xf5])/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003118; classtype:shellcode-detect; sid:2003118; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ropypfmcqjjfdiel.ru"; flow:established,to_server; content:"|3a| ropypfmcqjjfdiel.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015229; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Downloader Outbound HTTP connection - Downloading Code"; flow:established,to_server; content:"User-Agent|3A| PE-"; reference:url,doc.emergingthreats.net/2002695; classtype:trojan-activity; sid:2002695; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain utfenjxpvwtroioi.ru"; flow:established,to_server; content:"|3a| utfenjxpvwtroioi.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015230; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Status Upload ___"; flow: to_server,established; content:"|53 54 4f 52 20 5f 5f 5f 0d 0a|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001965; classtype:trojan-activity; sid:2001965; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain edtmjcvfnfcbweed.ru"; flow:established,to_server; content:"|3a| edtmjcvfnfcbweed.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015231; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> any 139 (msg:"ET DELETED BugBear@MM virus in Network share"; flow: established; content:"|24 48 fb bb ff e6 63 02 3a 20 41 70 61 63 68 65|"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; reference:url,doc.emergingthreats.net/2001765; classtype:misc-activity; sid:2001765; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hhishrpjdixwtctz.ru"; flow:established,to_server; content:"|3a| hhishrpjdixwtctz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015232; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Greeting card gif.exe email incoming HTTP"; flow: established,from_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001921; classtype:trojan-activity; sid:2001921; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qouubrmdxtgnnjvm.ru"; flow:established,to_server; content:"|3a| qouubrmdxtgnnjvm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015233; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 8998 (msg:"ET DELETED Sobig.E-F Trojan Site Download Request"; dsize: 8; content:"|5c bf 01 29 ca 62 eb f1|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html; reference:url,doc.emergingthreats.net/2001547; classtype:trojan-activity; sid:2001547; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain stkbtccbckhdkbii.ru"; flow:established,to_server; content:"|3a| stkbtccbckhdkbii.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015234; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE CLET polymorphic payload"; dsize: >40; content: "|74 07 eb|"; content: "|e8|"; distance: 1; within: 1; pcre: "/\xeb.[\x58-\x5b]\x31[\xc0\xc9\xd2\xdb][\xb0-\xb3].\x8b.[\x05\x2d\x35\x81\xc1]/sm"; pcre: "/[\x40-\x43\xfd\xff][\x40-\x43\xff][\x40-\x43\x80\xff][\x40-\x43\xe9-\xeb\xff\x80\x2c][\x40-\x43\x48-\x4b\xe9-\xeb\x01\x2c\x80][\x48-\x4c\xe9-\xeb\x02\x2c][\x03\x48-\x4b][\x48-\x4b]\x74\x07\xeb.\xe8.\xff\xff\xff/smR"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003117; classtype:shellcode-detect; sid:2003117; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dcyjurmfwhgvyoio.ru"; flow:established,to_server; content:"|3a| dcyjurmfwhgvyoio.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015235; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE ADMutate polymorphic payload"; dsize: >45; content: "|e8|"; content: "|ff ff ff|"; distance: 1; within: 3; pcre: "/\xeb[\x26-\x7a].{0,20}(\x5e|\x58\x96|\x58\x89\xc6|\x8b\x34\x24\x83\xec\x04).{0,20}(((\xbb....|\x68....\x5b).{0,20}(\x31\xc9|\x31\xc0\x91))|((\x31\xc9|\x31\xc0\x91).{0,20}(\xbb....|\x68....\x5b))).{0,20}(\xb1.|\x6a.\x58\x89\xc1|\x6a.\x66\x59).{0,20}(\x31\x1e|\x93\x31\x06\x93|\x8b\x06\x09\xd8\x21\x1e\xf7\x16\x21\x06).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}\xe2[\xa0-\xf9].{0,20}\xeb[\x06-\x20].{0,20}\xe8[\x7f-\xff]\xff\xff\xff/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003119; classtype:shellcode-detect; sid:2003119; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fhnpjsnknkuvhazm.ru"; flow:established,to_server; content:"|3a| fhnpjsnknkuvhazm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015236; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit Payload Download Request - Sep 04 2012"; flow:established,to_server; content:" Java/"; http_header; fast_pattern:only; urilen:>24; content:!".jar"; nocase; http_uri; content:"!.class"; nocase; http_uri; pcre:"/\/[A-Z]{20,}\?[A-Z]=\d$/Ui"; classtype:exploit-kit; sid:2015676; rev:3; metadata:created_at 2012_09_05, former_category EXPLOIT_KIT, updated_at 2012_09_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pozrtgdmhvhvdscn.ru"; flow:established,to_server; content:"|3a| pozrtgdmhvhvdscn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015237; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED E2give Related Downloading IeBHOs.dll"; flow: to_server,established; content:"/downloads/IeBHOs.dll"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001415; classtype:trojan-activity; sid:2001415; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rsoxjlibxohdcyov.ru"; flow:established,to_server; content:"|3a| rsoxjlibxohdcyov.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015238; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; content:"applet"; content:"myyu?44"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015679; rev:2; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2012_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ccdifvomwhtynpay.ru"; flow:established,to_server; content:"|3a| ccdifvomwhtynpay.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015239; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit with fast-flux like behavior static initial landing - Sep 05 2012"; flow:established,to_server; content:"/PJeHubmUD"; http_uri; classtype:exploit-kit; sid:2015682; rev:2; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2012_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ehsmldxnregnruez.ru"; flow:established,to_server; content:"|3a| ehsmldxnregnruez.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015240; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit with fast-flux like behavior hostile java archive - Sep 05 2012"; flow:established,to_server; content:"pqvjdujfllkwl.jar"; http_uri; classtype:exploit-kit; sid:2015683; rev:2; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2012_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lsvdxjpwykxxvryd.ru"; flow:established,to_server; content:"|3a| lsvdxjpwykxxvryd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015241; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow"; flow:to_client,established; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; nocase; content:"String("; nocase; distance:0; pcre:"/^\s*?[0-9]{4}/R"; pcre:"/(SetBgColor|SetMovieName|SetTarget|SetMatrix|SetHREF)/Ri"; reference:bugtraq,27769; reference:cve,CVE-2008-0778; reference:url,www.milw0rm.com/exploits/5110; reference:url,doc.emergingthreats.net/2007878; classtype:web-application-attack; sid:2007878; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain oxkjnvhjnvnegtyb.ru"; flow:established,to_server; content:"|3a| oxkjnvhjnvnegtyb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015242; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Remote PHP Code Execution (php.pjpg)"; flow:established,to_server; content:"POST"; http_method; content:".php.pjpg"; fast_pattern:only; http_uri; nocase; reference:url,exploitsdownload.com/search/Arbitrary%20File%20Upload/27; classtype:web-application-attack; sid:2015688; rev:3; metadata:created_at 2012_09_08, updated_at 2012_09_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xfymtpavzblzbknq.ru"; flow:established,to_server; content:"|3a| xfymtpavzblzbknq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015243; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SpyEyeV1.3.48 Data Post to CnC - lol.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/lol.php"; http_uri; content:"data="; depth:5; http_client_body; reference:url,blogs.mcafee.com/mcafee-labs/latest-spyeye-botnet-active-and-cheaper; classtype:command-and-control; sid:2014669; rev:4; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ksacasnubklrikdl.ru"; flow:established,to_server; content:"|3a| ksacasnubklrikdl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015245; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Gbod.dv Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:"Opera/"; http_header; content:"Presto/"; http_header; fast_pattern; content:!"Accept|3a| "; http_header; content:"a="; http_client_body; content:"&b="; http_client_body; content:"&c="; http_client_body; classtype:command-and-control; sid:2013154; rev:5; metadata:created_at 2011_07_01, former_category MALWARE, updated_at 2011_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mxpgggggukxqteoy.ru"; flow:established,to_server; content:"|3a| mxpgggggukxqteoy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015246; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SpyEye Post_Express_Label infection check-in"; flow:established,to_server; content:"/inst.php?id="; http_uri; content:"&lang="; http_uri; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012283; rev:4; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wedkgpdcxlrunbmu.ru"; flow:established,to_server; content:"|3a| wedkgpdcxlrunbmu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015247; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SpyEye Post_Express_Label infection activity multi-stage download confirmed success"; flow:established,to_server; content:"/load.php?file="; http_uri; content:"&luck="; http_uri; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012282; rev:4; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yjsovtnpgbwqcbbd.ru"; flow:established,to_server; content:"|3a| yjsovtnpgbwqcbbd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015248; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t"; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100674; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jrfyaswntteouafv.ru"; flow:established,to_server; content:"|3a| jrfyaswntteouafv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015249; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100675; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lwtcxuzbdrsnpqfb.ru"; flow:established,to_server; content:"|3a| lwtcxuzbdrsnpqfb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015250; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL sp_password password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:2100677; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain veihxoqukuetxqbn.ru"; flow:established,to_server; content:"|3a| veihxoqukuetxqbn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015251; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; nocase; classtype:attempted-user; sid:2100678; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xiwlnutkxsqxwjge.ru"; flow:established,to_server; content:"|3a| xiwlnutkxsqxwjge.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015252; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"GPL SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; offset:83; reference:bugtraq,4797; reference:cve,2000-1209; classtype:attempted-user; sid:2100680; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hrkusbnevtmyisab.ru"; flow:established,to_server; content:"|3a| hrkusbnevtmyisab.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015253; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100682; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kwyyhhqtwxupnhyu.ru"; flow:established,to_server; content:"|3a| kwyyhhqtwxupnhyu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015254; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_password - password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:2100683; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tdndpphrtyniynvz.ru"; flow:established,to_server; content:"|3a| tdndpphrtyniynvz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015255; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|"; nocase; classtype:attempted-user; sid:2100684; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wicjgufeimlbmcus.ru"; flow:established,to_server; content:"|3a| wicjgufeimlbmcus.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015256; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_adduser - database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; nocase; classtype:attempted-user; sid:2100685; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gqortbbbsnksxpmm.ru"; flow:established,to_server; content:"|3a| gqortbbbsnksxpmm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015257; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL NETBIOS xp_reg* - registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:2100686; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE ZeroAccess udp traffic detected"; content:"|9e 98|"; offset:6; depth:2; dsize:20; classtype:trojan-activity; sid:2015474; rev:2; metadata:created_at 2012_07_14, updated_at 2012_07_14;)
+alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2100688; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED RedKit - Landing Page Received - applet and 5digit jar"; flow:established,to_client; content:"<applet"; fast_pattern; content:".jar"; distance:0; pcre:"/\W[0-9]{5}\.jar/"; classtype:exploit-kit; sid:2014894; rev:4; metadata:created_at 2012_06_15, updated_at 2012_06_15;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL NETBIOS xp_reg* registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; depth:32; offset:32; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:2100689; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lccwpflcdjrdfjib.ru"; flow:established,to_server; content:"|3a| lccwpflcdjrdfjib.ru|0D 0A|"; http_header; fast_pattern:only; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015182; rev:5; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; offset:32; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100690; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Paymilon-A HTTP POST"; flow:established,to_server; content:"POST http|3a|//"; depth:12; content:"C|3a|\\"; distance:0; nocase; content:".exe|00 00|"; distance:0; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/malpaymilona.html; reference:url,doc.emergingthreats.net/2010918; classtype:trojan-activity; sid:2010918; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; classtype:shellcode-detect; sid:2100692; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NuclearPack - Landing Page Received - applet archive=32CharHex"; flow:established,to_client; content:"<applet"; content:"archive=|22|"; pcre:"/^\?[a-f0-9]{32}\" /R"; classtype:exploit-kit; sid:2014915; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL MSSQL shellcode attempt 2"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:shellcode-detect; sid:2100693; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS sgrunt Dialer User Agent (sgrunt)"; flow:to_server,established; content:"sgrunt"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+sgrunt/Hi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347; reference:url,doc.emergingthreats.net/2003385; classtype:trojan-activity; sid:2003385; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:attempted-user; sid:2100694; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET MALWARE Delfsnif/Buzus.fte Remote Response"; flow:established,from_server; dsize:9; content:"|05 00 00 00|"; depth:4; content:"|cd|"; distance:4; within:1; reference:url,www.threatexpert.com/threats/virtool-win32-delfsnif-gen.html; reference:url,doc.emergingthreats.net/2009079; classtype:trojan-activity; sid:2009079; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; offset:32; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100696; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d Malware Network Compromised Redirect (comments 1)"; flow:established,to_client; file_data; content:"#c3284d#"; distance:0; content:"#/c3284d#"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015051; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; offset:32; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100697; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d Malware Network Compromised Redirect (comments 2)"; flow:established,to_client; file_data; content:"<!--c3284d-->"; distance:0; content:"<!--/c3284d-->"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015052; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; offset:32; nocase; reference:bugtraq,2042; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100698; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER XML-RPC for PHP Remote Code Injection"; flow:established,to_server; content:"POST"; nocase; http_method; content:"xmlrpc.php"; http_uri; content:"methodCall"; http_client_body; nocase; pcre:"/>.*?\'\s*?\)\s*?\)*?\s*?\;/PR"; reference:url,www.securityfocus.com/bid/14088/exploit; reference:cve,2005-1921; reference:url,doc.emergingthreats.net/bin/view/Main/2002158; classtype:web-application-attack; sid:2002158; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100699; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/OnlineGame.DaGame Variant CnC Checkin"; flow:established,to_server; content:"/logexp.php?aid="; http_uri; content:"&pid="; http_uri; content:"&kind="; http_uri; pcre:"/User\x2DAgent\x3A\x20[a-f0-9]{5,14}\x0D\x0A/H"; classtype:command-and-control; sid:2015489; rev:2; metadata:created_at 2012_07_20, former_category MALWARE, updated_at 2012_07_20;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; offset:32; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100700; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible beSTORM ActiveX (WinGraphviz.dll) Remote Heap Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"684811FB-0523-420F-9E8F-A5452C65A19C"; nocase; distance:0; content:"ToSvg"; nocase; distance:0; reference:url,exploit-db.com/exploits/19861/; classtype:attempted-user; sid:2015490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100701; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible CA BrightStor ARCserve Backup ActiveX AddColumn Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3"; nocase; distance:0; content:"AddColumn"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82950/CA-BrightStor-ARCserve-Backup-AddColumn-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015491; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; offset:32; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100702; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible CommuniCrypt Mail SMTP ActiveX AddAttachments Method Access Stack Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"F8D07B72-B4B4-46A0-ACC0-C771D4614B82"; nocase; distance:0; content:"AddAttachments"; nocase; distance:0; reference:url,packetstormsecurity.org/files/89856/CommuniCrypt-Mail-1.16-SMTP-ActiveX-Stack-Buffer-Overflow.html; classtype:attempted-user; sid:2015493; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; offset:32; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100703; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible CA BrightStor ARCserve Backup ActiveX AddColumn Method Access Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ListCtrl.ocx"; fast_pattern; nocase; distance:0; content:"AddColumn"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82950/CA-BrightStor-ARCserve-Backup-AddColumn-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015492; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; nocase; reference:bugtraq,1204; reference:cve,2001-0542; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:2100704; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox - ProxyBotCommand - I_AM"; flow:established,to_server; content:"I_AM|0D 0A|"; depth:6; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015510; rev:2; metadata:created_at 2012_07_21, updated_at 2012_07_21;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100705; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ProxyBox - ProxyBotCommand - FORCE_AUTHENTICATION*"; flow:established,to_client; content:"FORCE_AUTHENTICATION_"; depth:21; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015511; rev:2; metadata:created_at 2012_07_21, updated_at 2012_07_21;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100706; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox -ProxyBotCommand - CHECK_ME"; flow:established,to_server; content:"CHECK_ME|0D 0A|Port|3a| "; depth:16; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015502; rev:2; metadata:created_at 2012_07_21, updated_at 2012_07_21;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100707; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Oracle AutoVue ActiveX SetMarkupMode Method Access Remote Code Execution"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AutoVueX.ocx"; fast_pattern; nocase; distance:0; content:"SetMarkupMode"; nocase; distance:0; reference:url,packetstormsecurity.org/files/114364/Oracle-AutoVue-ActiveX-SetMarkupMode-Remote-Code-Execution.html; classtype:attempted-user; sid:2015465; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; offset:32; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100708; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SaschArt SasCam Webcam Server ActiveX Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"XHTTP.HTTP"; fast_pattern; nocase; distance:0; content:"Head"; nocase; reference:url,exploit-db.com/exploits/14215/; reference:bugtraq,41343; reference:url,doc.emergingthreats.net/2011208; classtype:attempted-user; sid:2011208; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET TELNET access"; flow:from_server,established; content:"|FF FD|"; rawbytes; content:"|FF FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,1999-0619; reference:nessus,10280; classtype:not-suspicious; sid:2100716; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; distance:0; nocase; http_uri; content:"INSERT"; nocase; http_uri; distance:0; content:"INTO"; nocase; http_uri; distance:0; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005526; classtype:web-application-attack; sid:2005526; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert udp any any -> any 69 (msg:"GPL TFTP GET shadow"; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; classtype:successful-admin; sid:2101442; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; nocase; distance:0; http_uri; content:"SELECT"; http_uri; nocase; distance:0; content:"FROM"; http_uri; nocase; distance:0; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004492; classtype:web-application-attack; sid:2004492; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert udp any any -> any 69 (msg:"GPL TFTP GET passwd"; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; classtype:successful-admin; sid:2101443; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit nsswitch.conf Upload"; flow:established,to_server; content:"STOR "; content:"nsswitch.conf|0d 0a|"; distance:0; pcre:"/^\s*?STOR\s+[^\r\n]*?nsswitch\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015514; rev:2; metadata:created_at 2012_07_24, updated_at 2012_07_24;)
+alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login unicode attempt"; flow:from_server,established; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2103273; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific config files upload"; flow:established,to_server; content:"STOR "; content:".conf|0d 0a|"; distance:0; fast_pattern; pcre:"/^\s*?STOR\s+[^\r\n]*?\x2f(tgt|trace|rbp(c|p))\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015513; rev:3; metadata:created_at 2012_07_24, updated_at 2012_07_24;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3198 (msg:"GPL WORM mydoom.a backdoor upload/execute attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; classtype:trojan-activity; sid:2103272; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific (CHMOD 777)"; flow:established,to_server; content:"SITE CHMOD 777 NONEXISTANT"; depth:26; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015515; rev:2; metadata:created_at 2012_07_24, updated_at 2012_07_24;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103183; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit PluginDetect Rename Saigon"; flow:established,from_server; content:"var Saigon={version|3a 22|"; classtype:exploit-kit; sid:2015516; rev:3; metadata:created_at 2012_07_24, former_category CURRENT_EVENTS, updated_at 2012_07_24;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP unsubscribe overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sUNSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103076; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Msnbot Crawl"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"msnbot"; nocase; http_header; distance:0; threshold: type both, track by_src, count 10, seconds 60; reference:url,search.msn.com/msnbot.htm; reference:url,doc.emergingthreats.net/2002831; classtype:attempted-recon; sid:2002831; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP unsubscribe literal overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; pcre:"/\sUNSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103075; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pakes2 - Server Hello"; flow:established,to_client; dsize:11; content:"|01 00 01 ae 84 e3 aa 1f 90|"; offset:2; depth:9; classtype:trojan-activity; sid:2015521; rev:2; metadata:created_at 2012_07_25, updated_at 2012_07_25;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP subscribe overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103074; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d Malware Network Compromised Redirect (comments 3)"; flow:established,from_server; file_data; content:"/*c3284d*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2015524; rev:2; metadata:created_at 2012_07_25, updated_at 2012_07_25;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP subscribe literal overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; pcre:"/\sSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103073; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS JS.Runfore Malware Campaign Request"; flow:established,to_server; content:"/runforestrun?"; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014971; rev:3; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP status overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; isdataat:100,relative; pcre:"/\sSTATUS\s[^\n]{100}/smi"; reference:bugtraq,11775; reference:bugtraq,13727; reference:cve,2005-1256; classtype:misc-attack; sid:2103072; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Generic - ProxyJudge Reverse Proxy Scoring Activity"; flow:established,to_client; file_data; content:"ProxyJudge V"; nocase; classtype:trojan-activity; sid:2015532; rev:2; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP status literal overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; pcre:"/\sSTATUS\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103071; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:2100272; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP fetch literal overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; pcre:"/\sFETCH\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103069; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:2100268; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP examine overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; isdataat:100,relative; pcre:"/\sEXAMINE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103068; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP request udp";  reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101417; rev:11; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP examine literal overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; pcre:"/\sEXAMINE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103067; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101420; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP append overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; isdataat:100,relative; pcre:"/\sAPPEND\s[^\n]{256}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103066; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap udp";  reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101419; rev:10; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+#alert tcp $HOME_NET 1020 -> $EXTERNAL_NET any (msg:"GPL DELETED Vampire 1.2 connection confirmation"; flow:from_server,established; flowbits:isset,backdoor.vampire_12.connect; content:"Vampire v1.2 Server On-Line....."; depth:32; classtype:misc-activity; sid:2103064; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp any any -> 255.255.255.255 161 (msg:"GPL SNMP Broadcast request";  reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101415; rev:10; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 (msg:"GPL DELETED Vampire 1.2 connection request"; flow:to_server,established; content:"Hello..."; depth:8; flowbits:set,backdoor.vampire_12.connect; flowbits:noalert; classtype:misc-activity; sid:2103063; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp any any -> 255.255.255.255 162 (msg:"GPL SNMP broadcast trap";  reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101416; rev:10; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS NetScreen SA 5000 delhomepage.cgi access"; flow:to_server,established; content:"/delhomepage.cgi"; http_uri; reference:bugtraq,9791; classtype:web-application-activity; sid:2103062; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"GPL SNMP community string buffer overflow attempt with evasion"; content:" |04 82 01 00|"; depth:5; offset:7; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:2101422; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"GPL DELETED distccd command execution attempt"; flow:to_server,established; content:"DIST00000001"; depth:12; nocase; reference:url,distcc.samba.org/security.html; classtype:misc-activity; sid:2103061; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"GPL SMTP SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; depth:70; reference:arachnids,249; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:2100567; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"GPL DELETED TLSv1 Client_Hello via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2103059; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"GPL SMTP OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"filename"; distance:0; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:2100721; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP copy literal overflow attempt"; flow:established,to_server; content:"COPY"; nocase; pcre:"/\sCOPY\s[^\n]*?\{/smi"; byte_test:5,>,1024,0,string,dec,relative; reference:bugtraq,1110; classtype:misc-attack; sid:2103058; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"GPL DELETED sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; reference:arachnids,140; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:2100655; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; isdataat:4,relative; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103021; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; reference:arachnids,372; classtype:protocol-command-decode; sid:2100631; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP delete literal overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; pcre:"/\sDELETE\s[^\n]*?\{/smi"; byte_test:5,>,100,0,string,dec,relative; reference:bugtraq,11675; classtype:misc-attack; sid:2103008; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn *@"; flow:to_server,established; content:"expn"; nocase; content:"*@"; pcre:"/^expn\s+\*@/smi"; reference:cve,1999-1200; classtype:misc-attack; sid:2101450; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP delete overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; isdataat:100,relative; pcre:"/\sDELETE\s[^\n]{100}/smi"; reference:bugtraq,11675; classtype:misc-attack; sid:2103007; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; reference:arachnids,371; classtype:protocol-command-decode; sid:2100632; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; within:1; distance:4; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102999; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; nocase; pcre:"/^expn\s+decode/smi"; reference:arachnids,32; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:2100659; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102998; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; fast_pattern; distance:0; nocase; pcre:"/^expn\s+root/smi"; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; classtype:attempted-recon; sid:2100660; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102997; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; reference:arachnids,373; reference:bugtraq,10248; reference:cve,1999-0096; classtype:attempted-recon; sid:2100672; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102996; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; classtype:attempted-recon; sid:2101446; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102995; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL EXPLOIT EXPLOIT statdx"; flow:to_server,established; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:2100600; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102994; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_adduser database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:2100679; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102993; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:2100676; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102992; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; reference:bugtraq,1204; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:2100695; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102991; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL EXPLOIT xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2100687; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102964; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"GPL EXPLOIT login buffer non-evasive overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:2103274; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102965; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT formmail access"; flow:to_server,established; content:"/formmail"; nocase; http_uri; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-activity; sid:2100884; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102966; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"GPL SNMP SNMP community string buffer overflow attempt"; content:"|02 01 00 04 82 01 00|"; offset:4; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:2101409; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102967; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP invalid identification payload attempt"; content:"|05|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2102486; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2102384; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102380; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2102401; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102376; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102960; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102379; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102956; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102414; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102961; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102377; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102957; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102415; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102988; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:2100319; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102984; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT tftp command attempt"; flow:to_server,established; content:"tftp%20"; nocase; classtype:web-application-attack; sid:2101340; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102989; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100982; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102985; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT php.cgi access"; flow:to_server,established; content:"/php.cgi"; nocase; http_uri; reference:arachnids,232; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0238; reference:cve,1999-058; reference:nessus,10178; classtype:attempted-recon; sid:2100824; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login literal format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2102665; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ip any any -> any any (msg:"GPL EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102464; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101324; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102462; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101326; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102463; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101327; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED evaluate.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/evaluate.cfm"; nocase; http_uri; reference:bugtraq,550; classtype:attempted-recon; sid:2100915; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"GPL WEB_SERVER Compaq Insight directory traversal"; flow:to_server,established; content:"../../../"; reference:arachnids,244; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:2101199; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute"; flow:to_client,established; content:"CLSID"; nocase; content:"3356DB7C-58A7-11D4-AA5C-006097314BF8"; nocase; distance:0; content:"installAppMgr"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82969/Symantec-AppStream-LaunchObj-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015537; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_27, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102982; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible WinZip FileView ActiveX CreateNewFolderFromName Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"A09AE68F-B14D-43ED-B713-BA413F034904"; nocase; distance:0; content:"CreateNewFolderFromName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83024/WinZip-FileView-WZFILEVIEW.FileViewCtrl.61-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_27, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102983; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"WZFILEVIEW.FileViewCtrl.61"; nocase; distance:0; content:"CreateNewFolderFromName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83024/WinZip-FileView-WZFILEVIEW.FileViewCtrl.61-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_27, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2102978; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT Tomcat server exploit access"; flow:to_server,established; content:"/contextAdmin/contextAdmin.html"; nocase; http_uri; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:2101111; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2102979; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"GPL EXPLOIT x86 Linux mountd overflow"; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:2100315; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102974; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; nocase; classtype:web-application-attack; sid:2101061; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102975; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; nocase; classtype:web-application-attack; sid:2101058; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2102496; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; nocase; classtype:web-application-attack; sid:2101059; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102491; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_regread attempt"; flow:to_server,established; content:"xp_regread"; nocase; classtype:web-application-activity; sid:2101069; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2102385; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT ttdbserv solaris overflow"; dsize:>999; flow:to_server,established; content:"|C0 22|?|FC A2 02| |09 C0|,|7F FF E2 22|?|F4|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:2100570; rev:11; metadata:created_at 2010_09_23, former_category EXPLOIT, updated_at 2017_06_29;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102954; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"GPL EXPLOIT AIX pdnsd overflow"; flow:to_server,established; dsize:>1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:2101261; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102955; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"GPL DELETED Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; reference:arachnids,180; reference:bugtraq,908; reference:cve,1999-0744; classtype:attempted-recon; sid:2101132; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102968; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL EXPLOIT rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,390; classtype:attempted-user; sid:2100607; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102969; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"GPL EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:2100302; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102970; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"GPL EXPLOIT CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; reference:bugtraq,3517; reference:cve,2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:2101398; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102971; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"GPL DELETED SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:2100304; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2102402; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 81: (msg:"ET MALWARE Turkojan C&C Info Command Response (MINFO)"; flow:established,to_server; dsize:<100; content:"MINFO|7c|"; depth:6; reference:url,doc.emergingthreats.net/2008023; classtype:command-and-control; sid:2008023; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102962; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET 81: -> $HOME_NET any (msg:"ET MALWARE Turkojan C&C Info Command (MINFO)"; flow:established,from_server; dsize:5; content:"MINFO"; reference:url,doc.emergingthreats.net/2008022; classtype:command-and-control; sid:2008022; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102958; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; reference:bugtraq,9237; classtype:bad-unknown; sid:2101229; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102963; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; reference:arachnids,318; reference:cve,1999-0082; classtype:bad-unknown; sid:2100336; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102959; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:100,relative; pcre:"/^NLST\s[^\n]{100}/smi"; reference:bugtraq,10184; reference:bugtraq,7909; reference:bugtraq,9675; reference:cve,1999-1544; classtype:attempted-admin; sid:2102374; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2102951; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP PORT bounce attempt"; flow:to_server,established; content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; classtype:misc-attack; sid:2103441; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102990; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP REST with numeric argument"; flow:to_server,established; content:"REST"; nocase; pcre:"/REST\s+[0-9]+\n/i"; reference:bugtraq,7825; classtype:attempted-recon; sid:2103460; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102986; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RETR overflow attempt"; flow:to_server,established; content:"RETR"; nocase; isdataat:100,relative; pcre:"/^RETR\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; reference:cve,2004-0287; reference:cve,2004-0298; classtype:attempted-admin; sid:2102392; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102987; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNFR overflow attempt"; flow:to_server,established; content:"RNFR"; nocase; isdataat:100,relative; pcre:"/^RNFR\s[^\n]{100}/smi"; classtype:attempted-admin; sid:2103077; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:2100574; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:100,relative; pcre:"/^RNTO\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021; reference:cve,2003-0466; classtype:attempted-admin; sid:2102389; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /bin/ls command attempt"; flow:to_server,established; content:"/bin/ls"; http_uri; nocase; classtype:web-application-attack; sid:2101369; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:100,relative; pcre:"/^STAT\s[^\n]{100}/smi"; reference:bugtraq,3507; reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:2101379; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /bin/ls| command attempt"; flow:to_server,established; content:"/bin/ls|7C|"; http_uri; nocase; classtype:web-application-attack; sid:2101368; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STOU overflow attempt"; flow:to_server,established; content:"STOU"; nocase; isdataat:100,relative; pcre:"/^STOU\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2102390; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /bin/ps command attempt"; flow:to_server,established; content:"/bin/ps"; http_uri; nocase; classtype:web-application-attack; sid:2101328; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:100,relative; pcre:"/^XMKD\s[^\n]{100}/smi"; reference:bugtraq,7909; reference:cve,2000-0133; reference:cve,2001-1021; classtype:attempted-admin; sid:2102373; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /etc/inetd.conf access"; flow:to_server,established; content:"/etc/inetd.conf"; http_uri; nocase; classtype:web-application-activity; sid:2101370; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP format string attempt"; flow:to_server,established; content:"%"; fast_pattern:only; pcre:"/\s+.*?%.*?%/smi"; classtype:string-detect; sid:2102417; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /etc/motd access"; flow:to_server,established; content:"/etc/motd"; http_uri; nocase; classtype:web-application-activity; sid:2101371; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP format string attempt"; flow:to_server,established; content:"%p"; nocase; reference:nessus,10452; reference:bugtraq,1387; reference:bugtraq,2240; reference:bugtraq,726; reference:cve,2000-0573; reference:cve,1999-0997; classtype:attempted-admin; sid:2101530; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; http_uri; nocase; classtype:web-application-activity; sid:2101372; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:2100356; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; http_uri; nocase; classtype:web-application-attack; sid:2101332; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL FTP FTP Bad login"; flow:from_server,established; content:"530 "; depth:4; pcre:"/^530\s+(Login|User)/smi"; classtype:bad-unknown; sid:2100491; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /usr/bin/perl execution attempt"; flow:to_server,established; content:"/usr/bin/perl"; http_uri; nocase; classtype:web-application-attack; sid:2101355; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP no password"; flow:from_client,established; content:"PASS"; nocase; pcre:"/^PASS\s*\n/smi"; reference:arachnids,322; classtype:unknown; sid:2100489; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER bin/python access attempt"; flow:to_server,established; content:"bin/python"; http_uri; nocase; classtype:web-application-attack; sid:2101349; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP MKD / possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:2100554; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100920; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP anonymous ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:" ftp|0D 0A|"; nocase; classtype:misc-activity; sid:2101449; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource password attempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100919; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; classtype:suspicious-filename-detect; sid:2101445; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100909; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 7787 (msg:"GPL GAMES Unreal Tournament secure overflow attempt"; content:"|5C|secure|5C|"; nocase; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:2103080; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100923; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED Inbound GNUTella client request"; flags:A+; flow:established; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:2100559; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /_vti_bin/ access"; flow:to_server,established; content:"/_vti_bin/"; http_uri; nocase; reference:nessus,11032; classtype:web-application-activity; sid:2101288; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:2100557; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER _vti_rpc access"; flow:to_server,established; content:"/_vti_rpc"; http_uri; nocase; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:2100937; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:2101432; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER ISAPI .printer access"; flow:to_server,established; content:".printer"; http_uri; nocase; reference:arachnids,533; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx; classtype:web-application-activity; sid:2100971; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; classtype:policy-violation; sid:2100556; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER SAM Attempt"; flow:to_server,established; content:"sam._"; http_uri; nocase; reference:url,www.ciac.org/ciac/bulletins/h-45.shtml; classtype:web-application-attack; sid:2100988; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED Outbound GNUTella client request"; flow:established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:2100558; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; http_uri; classtype:web-application-attack; sid:2101002; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:2100560; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER .htpasswd access"; flow:to_server,established; content:".htpasswd"; nocase; classtype:web-application-attack; sid:2101071; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"GPL POLICY AFS access"; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; fast_pattern:only; reference:nessus,10441; classtype:misc-activity; sid:2101504; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER apache directory disclosure attempt"; flow:to_server,established; content:"////////"; depth:200; reference:bugtraq,2503; classtype:attempted-dos; sid:2101156; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY Windows Media download"; flow:from_server,established; content:"Content-Type|3A|"; nocase; http_header; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/Hi"; classtype:policy-violation; sid:2101437; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER apache source.asp file access"; flow:to_server,established; content:"/site/eg/source.asp"; http_uri; nocase; reference:bugtraq,1457; reference:cve,2000-0628; reference:nessus,10480; classtype:attempted-recon; sid:2101110; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"GPL POLICY PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:2100507; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER ls%20-l"; flow:to_server,established; content:"ls%20-l"; nocase; classtype:attempted-recon; sid:2101118; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:2103153; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SPECIFIC_APPS oracle web arbitrary command execution attempt"; flow:to_server,established; content:"/ows-bin/"; nocase; http_uri; content:"?&"; http_uri; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-attack; sid:2101193; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:2100255; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; nocase; classtype:web-application-attack; sid:2101060; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; classtype:bad-unknown; sid:2100253; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL TO_CHAR buffer overflow attempt"; flow:to_server,established; content:"TO_CHAR"; nocase; pcre:"/TO_CHAR\s*\(\s*SYSTIMESTAMP\s*,\s*(\x27[^\x27]{256}|\x22[^\x22]{256})/smi"; classtype:attempted-user; sid:2102699; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:2101435; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL create file buffer overflow attempt"; flow:to_server,established; content:"create"; nocase; content:"file "; nocase; isdataat:512; pcre:"/CREATE\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2102698; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:2100261; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL ctxsys.driddlr.subindexpopulate buffer overflow attempt"; flow:to_server,established; content:"ctxsys.driddlr.subindexpopulate"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\d+\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102680; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100259; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_grouped_column"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102768; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response with TTL of 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:2100254; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED login format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2102664; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100258; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP Overflow Attempt"; flow:to_server,established; content:"|E8 C0 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:2100293; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP private access tcp"; flow:to_server,established; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101414; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED auth literal overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0005; classtype:misc-attack; sid:2101930; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access tcp"; flow:to_server,established; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101412; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET POLICY DNS Update From External net"; byte_test:1,!&,128,2; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,!&,16,2; byte_test:1,&,8,2; reference:url,doc.emergingthreats.net/2009702; classtype:policy-violation; sid:2009702; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP Location overflow"; content:"Location|3A|"; nocase; isdataat:128,relative; pcre:"/^Location\x3a[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:2101388; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.md2.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.sdo_code_size"; nocase; isdataat:512,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2102683; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:2101384; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.md2.validate_geom buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.validate_geom"; nocase; isdataat:500,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{128,}\x27|\x22[^\x22]{128,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,})|\(\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,}))/si"; classtype:attempted-user; sid:2102682; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"GPL MISC squid WCCP I_SEE_YOU message overflow attempt"; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:2103089; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.sdo_admin.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.sdo_admin.sdo_code_size"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102681; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"GPL MISC rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; reference:bugtraq,3474; reference:cve,2001-0838; classtype:misc-attack; sid:2101323; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL numtoyminterval buffer overflow attempt"; flow:to_server,established; content:"numtoyminterval"; nocase; pcre:"/numtoyminterval\s*\(\s*\d+\s*,\s*(\x27[^\x27]{32}|\x22[^\x22]{32})/smi"; classtype:attempted-user; sid:2102700; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; nocase; isdataat:21,relative; pcre:"/^newgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102430; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL service_name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|service_name="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck52.html; classtype:attempted-user; sid:2102649; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; reference:arachnids,388; classtype:attempted-user; sid:2100608; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aq_import_internal.aq_table_defn_update"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*qt_name[\r\n\s]*=>[\r\n\s]*\2|qt_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102695; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL DELETED Cassandra Overflow"; dsize:>512; flow:to_server,established; content:"AUTHINFO USER"; depth:16; nocase; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-user; sid:2100291; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_get_nrp"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102694; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP XPAT pattern overflow attempt"; flow:to_server,established; content:"PAT"; nocase; isdataat:1024,relative; pcre:"/^X?PAT\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:2102927; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_no_queue"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102693; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"GPL MISC Connection Closed MSG from Port 80"; flow:from_server,established; content:"Connection closed by foreign host"; nocase; classtype:unknown; sid:2100488; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm_sys.verify_queue_types"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102692; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:2100270; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_internal_sys.parallel_push_recovery"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*destination[\r\n\s]*=>[\r\n\s]*\2|destination\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102691; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:2101321; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_repcat.enable_propagation_to_dblink"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*dblink[\r\n\s]*=>[\r\n\s]*\2|dblink\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102690; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; nocase; pcre:"/^sendsys\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102424; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.disable_receiver_trace"; nocase; isdataat:1024; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102689; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:2100502; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.enable_receiver_trace"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102688; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"GPL MISC ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:2100616; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.validate buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.validate"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102687; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP article post without path attempt"; flow:to_server,established; content:"takethis"; nocase; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"; classtype:attempted-admin; sid:2102432; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.differences"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102686; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; nocase; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102427; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.rectify"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102633; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; nocase; pcre:"/^ihave\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102428; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat.alter_mview_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102617; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC Nntp rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; nocase; pcre:"/^rmgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102431; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.grant_surrogate_repcat"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102615; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme"; nocase; pcre:"/^sendme\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102429; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.revoke_surrogate_repcat"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102612; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; nocase; pcre:"/^senduuname\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102425; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102858; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP version overflow attempt"; flow:to_server,established; content:"version"; nocase; pcre:"/^version\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102426; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102861; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,384; classtype:attempted-user; sid:2100602; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102862; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; reference:arachnids,385; classtype:bad-unknown; sid:2100603; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102863; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,389; classtype:attempted-admin; sid:2100606; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102864; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:2100609; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102865; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,391; classtype:attempted-admin; sid:2100610; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102866; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN HTExploit Method"; flow:established,to_server; dsize:>6; content:"POTATO "; depth:7; reference:url,www.mkit.com.ar/labs/htexploit/download.php; classtype:trojan-activity; sid:2015552; rev:2; metadata:created_at 2012_07_31, updated_at 2012_07_31;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102867; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake-AV Conditional Redirect (Blackmuscats)"; flow:established,to_server; content:"/blackmuscats?"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/07/blackmuscats-conditional-redirections-to-faveav.html/; classtype:trojan-activity; sid:2015553; rev:3; metadata:created_at 2012_07_31, former_category CURRENT_EVENTS, updated_at 2012_07_31;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102868; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gooochi Related Spyware Ad pull"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?z="; nocase; http_uri; content:"|26|ch="; nocase; fast_pattern; http_uri; content:"|26|dim="; nocase; http_uri; content:"|26|abr="; nocase; http_uri; content:!"Referer|3a| "; nocase; http_header; reference:url,www.threatexpert.com/reports.aspx?find=ads.gooochi.biz; reference:url,doc.emergingthreats.net/bin/view/Main/2008375; classtype:pup-activity; sid:2008375; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102875; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Possible Spambot Checking in to Spam"; flow:established,to_server; content:"/devrandom/"; nocase; http_uri; fast_pattern; content:!"User-Agent|3a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002988; classtype:pup-activity; sid:2002988; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102869; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 2020search Update Engine"; flow: to_server,established; content:"POST"; depth: 4; nocase; content:"srng/reg.php HTTP"; within: 50; content:"|0d0a|Host|3a|"; content:"2020search.com"; within: 40; content:"IpAddr="; nocase; within: 100; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2004-03-04; reference:url,doc.emergingthreats.net/bin/view/Main/2000934; classtype:trojan-activity; sid:2000934; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102870; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SickleBot Reporting User Activity"; flow:established,to_server; content:"GET"; http_method; content:"id="; nocase; http_uri; content:"User-Agent|3a| SickleBot"; http_header; reference:url,doc.emergingthreats.net/2002776; classtype:trojan-activity; sid:2002776; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102871; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Downloader Generic - GET"; flow:established,to_server; content:"GET"; http_method; content:".php?mode="; nocase; http_uri; content:"&port="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&ltime="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009803; classtype:trojan-activity; sid:2009803; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102872; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tigger.a/Syzor Control Checkin"; flow:established,to_server; content:"/track.cgi"; http_uri; content:"POST"; depth:4; http_method; content:"u="; http_client_body; depth:2; content:"&t="; http_client_body; content:"&v="; http_client_body; content:"&f="; http_client_body; content:"&z="; http_client_body; reference:url,voices.washingtonpost.com/securityfix/2009/02/the_t-i-double-guh-r_trojan_ic.html?wprss=securityfix; reference:url,mnin.blogspot.com/2009/02/why-i-enjoyed-tiggersyzor.html; reference:url,doc.emergingthreats.net/2009096; classtype:command-and-control; sid:2009096; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102874; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tigger.a/Syzor Checkin"; flow:established,to_server; content:"POST"; depth:4; http_method; content:"/track.cgi"; http_uri; content:"u="; http_client_body; depth:2; content:"&t="; http_client_body; content:"&b="; http_client_body; content:"&v="; http_client_body; content:"&f="; http_client_body; reference:url,doc.emergingthreats.net/2009347; classtype:command-and-control; sid:2009347; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102876; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:2100623; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102878; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:2100625; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.cancel_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102879; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:2100626; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102880; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:2100627; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_priority_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102881; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:2100628; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102882; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:2101228; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102883; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:2100629; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102884; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL SCAN sensepost.exe command shell attempt"; flow:to_server,established; content:"/sensepost.exe"; http_uri; nocase; reference:nessus,11003; classtype:web-application-activity; sid:2100989; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_priority_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102885; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"GPL SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:2100613; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102886; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:2100624; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102887; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN rusers query UDP"; content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:cve,1999-0626; classtype:attempted-recon; sid:2100612; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102894; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00|`|00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:2100617; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102888; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NetGear router default password login attempt admin/password"; flow:to_server,established; content:"Authorization|3A|"; http_header; nocase; content:"YWRtaW46cGFzc3dvcmQ"; distance:0; http_header; pcre:"/^Authorization\x3a\s*Basic\s+YWRtaW46cGFzc3dvcmQ/Hi"; reference:nessus,11737; classtype:default-login-attempt; sid:2102230; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102889; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:2101133; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102890; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:2101139; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102891; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL SCAN cybercop scan"; flow:to_server,established; content:"/cybercop"; http_uri; nocase; reference:arachnids,374; classtype:web-application-activity; sid:2101099; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102897; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GPL SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; reference:arachnids,146; classtype:attempted-recon; sid:2100619; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102896; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TSPY_SPCESEND.A Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/log.php"; fast_pattern; http_uri; content:"id="; depth:3; http_client_body; content:"&link="; http_client_body; content:"&password="; http_client_body; content:"&debug="; http_client_body; content:!"User-Agent|3a 20|"; http_header; reference:url,blog.trendmicro.com/malware-uses-sendspace-to-store-stolen-documents/; classtype:command-and-control; sid:2014219; rev:4; metadata:created_at 2012_02_11, former_category MALWARE, updated_at 2012_02_11;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102898; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Krunchy/BZub HTTP POST Update"; flow:established,to_server; content:"POST"; nocase; http_method; content:"action="; fast_pattern; http_client_body; depth:7; content:"|25 35 46|script"; http_client_body; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007776; classtype:trojan-activity; sid:2007776; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102899; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Pandex Trojan Dropper Initial Checkin"; flow:established,to_server; content:"?r="; http_uri; content:"&hdd="; fast_pattern; http_uri; content:"&gen="; http_uri; content:!"User-Agent|3A|"; nocase; http_header; classtype:command-and-control; sid:2013397; rev:3; metadata:created_at 2011_08_10, former_category MALWARE, updated_at 2011_08_10;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.purge_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102900; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Guard-Center.com Fake AntiVirus Post-Install Checkin"; flow:established,to_server; content:".php?"; http_uri; content:"&advid="; fast_pattern; http_uri; content:"&u="; http_uri; content:"&p="; http_uri; content:"HTTP/1."; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007744; classtype:pup-activity; sid:2007744; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.register_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.register_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102901; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Downloader (Win32.Doneltart) Checkin - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?open="; nocase; http_uri; content:"&myid="; fast_pattern; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2009814; classtype:trojan-activity; sid:2009814; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.abort_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102813; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Agent-TMF Checkin"; flow:to_server,established; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"GET"; http_method; content:".php?gd="; fast_pattern; http_uri; pcre:"/.php\?gd=\d+_\d+_\d+$/U"; classtype:command-and-control; sid:2013701; rev:2; metadata:created_at 2011_09_28, former_category MALWARE, updated_at 2011_09_28;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.add_object_to_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102814; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 360safe.com related Fake Security Product Update (KillerSet)"; flow:established,to_server; content:"/?KillerSet="; fast_pattern; nocase; http_uri; content:"GET"; nocase; http_method; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008149; classtype:pup-activity; sid:2008149; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.begin_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102815; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Keylogger checkin"; flow:established; content:"GET"; nocase; http_method; content:"?mail="; http_uri; content:"subject=Keylogger"; http_uri; fast_pattern; content:"&body="; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)"; http_header; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008368; classtype:command-and-control; sid:2008368; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.drop_object_from_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102816; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware Installer Config 2"; flow:to_server,established; content:"config.aspx"; http_uri; nocase; fast_pattern; content:"?ver="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003217; classtype:pup-activity; sid:2003217; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.ensure_not_published"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck96.html; classtype:attempted-user; sid:2102643; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious PHP 302 redirect response with avtor URI and cookie"; flow:established,from_server; content:"302"; http_stat_code; content:".php?avtor="; fast_pattern; content:"Set-Cookie|3a| "; content:"avtor="; within:40; classtype:trojan-activity; sid:2013011; rev:6; metadata:created_at 2011_06_10, former_category CURRENT_EVENTS, updated_at 2011_06_10;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.set_local_flavor"; nocase; fast_pattern:only; pcre:"/(\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102824; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Foxit PDF Reader Title Stack Overflow"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"|2f|Title"; nocase; distance:0; isdataat:540,relative; content:!"|0A|"; within:540; reference:url,www.exploit-db.com/exploits/15532/; classtype:attempted-user; sid:2012064; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_17, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102825; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Emogen Reporting via HTTP"; flow:established,to_server; content:".asp?"; nocase; http_uri; content:"mac="; fast_pattern; nocase; http_uri; content:"&name="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007986; classtype:trojan-activity; sid:2007986; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_for_local_flavor"; nocase; fast_pattern:only; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102826; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PDF Using CCITTFax Filter"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/CCITTFaxDecode"; distance:0; reference:url,nakedsecurity.sophos.com/2012/04/05/ccittfax-pdf-malware/; reference:url,blog.fireeye.com/research/2012/07/analysis-of-a-different-pdf-malware.html#more; classtype:bad-unknown; sid:2015561; rev:2; metadata:created_at 2012_08_02, former_category INFO, updated_at 2017_06_01;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_column_group_to_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102817; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE RevProxy ClientHello"; flow:established,to_server; dsize:13; content:"|04 00 00 01 05 00 00 00 00 07 00 01 00|"; reference:md5,7bf026c71d4ca6cdc7b6e543f9a5bb64; classtype:trojan-activity; sid:2014348; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_columns_to_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102818; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED RevProxy ServerRespone"; flow:established,to_client; dsize:9; content:"|04 00 00 01 01 00 00 00 04|"; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:trojan-activity; sid:2014349; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_column_group_from_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102819; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED RevProxy ClientPing"; flow:established,to_server; dsize:9; content:"|04 00 00 01 01 00 00 00 05|"; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:trojan-activity; sid:2014350; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_columns_from_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102820; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible BarCodeWiz (BARCODEWIZLib.BarCodeWiz) ActiveX Control Buffer Overflow"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BARCODEWIZLib.BarCodeWiz"; nocase; distance:0; content:"Barcode"; nocase; distance:0; reference:url,securityfocus.com/bid/54701; classtype:attempted-user; sid:2015564; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_03, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.obsolete_flavor_definition"; nocase; isdataat:1075,relative; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102821; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL ICQ ActiveX Control DownloadAgent Method Access Arbitrary File Download and Execute"; flow:to_client,established; content:"CLSID"; nocase; content:"54BDE6EC-F42F-4500-AC46-905177444300"; nocase; distance:0; content:"DownloadAgent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83020/America-Online-ICQ-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015566; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_03, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.publish_flavor_definition"; nocase; isdataat:1075,relative; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102822; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL ICQ ActiveX Control DownloadAgent Method Access Arbitrary File Download and Execute 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ICQPhone.SipxPhoneManager.1"; nocase; distance:0; content:"DownloadAgent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83020/America-Online-ICQ-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015567; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_03, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.purge_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102823; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Trojan File Download - BMP Requested but not received"; flow:established,from_server; flowbits:isset,ET.bmp_seen; flowbits:unset,ET.bmp_seen; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"Content-Type|3a| application|2f|octet-stream"; http_header; content:!"BM"; content:!"|00 00 00 00|"; within:4; reference:url,doc.emergingthreats.net/2009084; classtype:trojan-activity; sid:2009084; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.alter_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102827; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Admoke/Adload.AFB!tr.dldr Checkin"; flow: to_server,established; content:"/keyword.html"; http_uri; content:"User-Agent|3a| bdwinrun"; nocase; http_header; reference:md5,6085f2ff15282611fd82f9429d82912b; classtype:pup-activity; sid:2008742; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102828; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible BarCodeWiz BarcodeWiz.dll ActiveX Control Barcode Method Remote Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6"; nocase; distance:0; content:"Barcode"; nocase; distance:0; reference:url,securityfocus.com/bid/54701; classtype:attempted-user; sid:2015563; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_03, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102829; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP request tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101418; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102831; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments(2)"; flow:established,to_client; content:"Added By FoxxySF"; fast_pattern:only; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015584; rev:4; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.do_deferred_repcat_admin"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102832; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Hit Counter Access"; flow:to_server,established; content:"/wtf/callback=getip"; fast_pattern:only; http_uri; nocase; content:".php?username="; nocase; http_uri; content:"&website="; nocase; http_uri; content:"foxxysoftware.org"; http_header; nocase; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015585; rev:2; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.drop_master_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102833; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Executable (Win exe under 128)"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_test:4,<,128,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009033; classtype:policy-violation; sid:2009033; rev:7; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.generate_replication_package"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102834; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Suspicious Executable (PE offset 160)"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_test:4,=,160,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009034; classtype:policy-violation; sid:2009034; rev:7; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.purge_master_log"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102835; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Executable (PE offset 512)"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_test:4,=,512,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009035; classtype:policy-violation; sid:2009035; rev:7; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.relocate_masterdef"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102836; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http any any -> $HOME_NET any (msg:"ET ADWARE_PUP Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type|3a| image"; http_header; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2001683; classtype:pup-activity; sid:2001683; rev:17; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.rename_shadow_column_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102837; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Java EXE Download"; flowbits:isset,ET.http.javaclient; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013037; rev:7; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.resume_master_activity"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102838; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013036; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_06_16, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.suspend_master_activity"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102839; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable served from Amazon S3"; flow:established,to_client; content:"|0d 0a|Server|3A| AmazonS3"; content:"|0d 0a 0d 0a|MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/; reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud; classtype:bad-unknown; sid:2013414; rev:10; metadata:created_at 2011_08_17, updated_at 2011_08_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_rq.add_column buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_rq.add_column"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*SCHEMA_NAME[\r\n\s]*=>[\r\n\s]*\2|SCHEMA_NAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102685; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable Download From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; content:"|0d 0a 0d 0a|MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012524; rev:7; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.alter_snapshot_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102902; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable Download From Russian Content-Language Website"; flow:established,to_client; content:"|0d 0a|Content-Language|3A| ru"; nocase; content:"|0d 0a 0d 0a|MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012523; rev:8; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102903; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE UPX compressed file download possible malware"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"UPX0"; content:"UPX1"; content:"UPX!"; reference:url,doc.emergingthreats.net/2001046; classtype:misc-activity; sid:2001046; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102904; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP UPX encrypted file download possible malware"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|00|code|00|"; content:"|00 C0|text|00|"; reference:url,doc.emergingthreats.net/2001047; classtype:pup-activity; sid:2001047; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repschema"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102905; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MP-FormGrabber Checkin"; flow:established,to_server; content:"/panel/gate.php?host="; nocase; http_uri; content:"&data="; nocase; distance:0; http_uri; reference:url,www.xylibox.com/2012/08/mp-formgrabber.html?spref=tw; classtype:command-and-control; sid:2015587; rev:2; metadata:created_at 2012_08_08, former_category MALWARE, updated_at 2012_08_08;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102906; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Windows Executable WriteProcessMemory"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"WriteProcessMemory"; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015588; rev:5; metadata:created_at 2012_08_08, former_category POLICY, updated_at 2012_08_08;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102907; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Palevo (OUTBOUND)"; dsize:21; content:"|18|"; depth:1; content:"|80 00 00|"; reference:md5,119ee859144111dbc5419f4d5fd9b6b1; reference:md5,095d76e0bc48361b40d717b238f11501; reference:md5,5f1296995c7ccba13c0c0655baf03a3a; classtype:trojan-activity; sid:2013236; rev:2; metadata:created_at 2011_07_09, former_category TROJAN, updated_at 2018_06_26;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repschema"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102908; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET MALWARE Palevo/BFBot/Mariposa client join attempt"; dsize:7; content:"|61|"; depth:1; flowbits:set,ET.MariposaJoin; reference:url,defintel.com/docs/Mariposa_Analysis.pdf; reference:url,defintel.blogspot.com/2009/09/half-of-fortune-100-companies.html; reference:url,doc.emergingthreats.net/2010100; reference:url,blogs.pcmag.com/securitywatch/2009/09/botnet_reported_loose_in_fortu.php; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2009-093006-0442-99&tabid=2; reference:url,www.symantec.com/connect/blogs/mariposa-butterfly; classtype:trojan-activity; sid:2010100; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.generate_snapshot_support"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102909; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FinFisher Malware Connection Handshake"; flow:to_server,established; content:"|5c 00 00 00 a0 02 72 00 0c 00 00 00 40 04 fe 00|"; depth:16; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher; classtype:trojan-activity; sid:2015595; rev:2; metadata:created_at 2012_08_09, updated_at 2012_08_09;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102910; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FinFisher Malware Connection Initialization"; flow:to_server,established; content:"|0c 00 00 00 40 01 73 00|"; depth:8; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher; classtype:trojan-activity; sid:2015594; rev:2; metadata:created_at 2012_08_09, updated_at 2012_08_09;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repschema"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102911; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Applet Code Rafa.Rafa 6th July 2012"; flow:established,to_client; content:"<applet/code=|22|Rafa.Rafa|22|"; classtype:exploit-kit; sid:2015043; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102912; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"6F255F99-6961-48DC-B17E-6E1BCCBC0EE3"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:url,1337day.com/exploits/17395; classtype:attempted-user; sid:2015606; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.repcat_import_check"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102913; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"HPESPRIT.XMLCacheMgr.1"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:url,1337day.com/exploits/17395; classtype:attempted-user; sid:2015607; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.set_local_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102914; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Kazaa Altnet Download Manager ActiveX Control Install Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"DEF37997-D9C9-4A4B-BF3C-88F99EACEEC2"; nocase; distance:0; content:".Install("; nocase; distance:0; reference:url,packetstormsecurity.org/files/83086/Kazaa-Altnet-Download-Manager-ActiveX-Control-Buffer-Overflow.html; classtype:attempted-user; sid:2015608; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.switch_snapshot_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102915; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smardf/Boaxxe GET to cc.php3"; flow:established,to_server; content:"/cc.php3"; http_uri; fast_pattern:only; content:"GET"; http_method; content:!"|0d 0a|Accept"; http_header; reference:md5,f856b4c526c3e5cee9d47df59295d2e1; reference:md5,232b4dbed0453e2a952630fb1076248f; classtype:trojan-activity; sid:2015617; rev:2; metadata:created_at 2012_08_11, updated_at 2012_08_11;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.unregister_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102916; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_jump:1,0,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014431; rev:15; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.validate_for_local_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102918; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED GhostNet Trojan Reporting"; flow:established,to_server; content:"/microsoft/v2/update/upgrade.aspx?hostname="; http_uri; content:"&ostype="; http_uri; content:"&macaddr="; http_uri; content:"&ipaddr="; http_uri; content:"&owner="; http_uri; threshold: type limit, track by_src, count 1, seconds 300; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; reference:url,doc.emergingthreats.net/2009202; classtype:trojan-activity; sid:2009202; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2021_06_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.alter_snapshot_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102840; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp !$DNS_SERVERS any -> [85.255.112.0/20,67.210.0.0/20,93.188.160.0/21,77.67.83.0/24,213.109.64.0/20,64.28.176.0/20] 53 (msg:"ET DELETED Ghost Click DNSChanger DNS Request (UDP)"; threshold:type threshold, track by_src, seconds 2, count 2; reference:url,www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf; classtype:trojan-activity; sid:2013906; rev:4; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102841; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RevProxy CnC List Request"; flow:established,to_server; content:"?net=gnutella2&get=1&client=RAZA2.5.0.0"; http_uri; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:command-and-control; sid:2014351; rev:3; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102842; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Helpexpress Spyware User-Agent HXLogOnly"; flow:established,to_server; content:"User-Agent|3A 20|HXLogOnly"; http_header; classtype:trojan-activity; sid:2013545; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_09_06, deployment Perimeter, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102843; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Briba Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"loginmid="; http_client_body; content:"nickid="; http_client_body; reference:url,labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/; classtype:command-and-control; sid:2015635; rev:3; metadata:created_at 2012_08_16, former_category MALWARE, updated_at 2012_08_16;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102844; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible CA eTrust PestPatrol ActiveX Control Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"5E644C49-F8B0-4E9A-A2ED-5F176BB18CE6"; nocase; distance:0; content:".Initialize("; nocase; distance:0; reference:url,exploit-db.com/exploits/16630/; classtype:attempted-user; sid:2015636; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102845; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"525A15D0-4938-11D4-94C7-0050DA20189B"; nocase; distance:0; content:"CheckRequirements("; nocase; distance:0; reference:url,exploit-db.com/exploits/16609/; reference:url,kb.cert.org/vuls/id/179281; classtype:attempted-user; sid:2015643; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.repcat_import_check"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102846; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"SnoopyX.SnoopyCtrl.1"; nocase; distance:0; content:"CheckRequirements("; nocase; distance:0; reference:url,exploit-db.com/exploits/16609/; classtype:attempted-user; sid:2015644; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.switch_snapshot_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102917; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Vaklik.kku Checkin Request"; flow:to_server,established; content:".rar HTTP/1."; pcre:"/\x2f\d+?\x2erar$/U"; flowbits:set,et.trojan.valkik.kku; flowbits:noalert; reference:md5,9688d1d37a7ced200c53ec2b9332a0ad; reference:md5,81d8a235cb5f7345b5796483abe8145f; reference:md5,47a6dd02ee197f82b28cee0ab2b9bd35; classtype:command-and-control; sid:2012960; rev:8; metadata:created_at 2011_06_09, former_category MALWARE, updated_at 2011_06_09;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102847; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.Kryptik/proscan.co.kr Checkin 2"; flow:established,to_server; content:"User-Agent|3a| test_hInternet"; http_header; reference:md5,bf156b649cb5da6603a5f665a7d8f13b; classtype:trojan-activity; sid:2013822; rev:3; metadata:created_at 2011_11_04, updated_at 2011_11_04;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_untrusted.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102919; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fjgtmicxtlxynlpf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fjgtmicxtlxynlpf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015258; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.drop_an_object"; nocase; fast_pattern:only; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102849; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fjgtmicxtlxynlpf.ru"; flow:established,to_server; content:"|3a| fjgtmicxtlxynlpf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015461; rev:3; metadata:created_at 2012_07_13, updated_at 2012_07_13;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl.is_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.is_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*CANON_GNAME[\r\n\s]*=>[\r\n\s]*\2|CANON_GNAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102696; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bdvkpbuldslsapeb.ru"; flow:established,to_server; content:"|3a| bdvkpbuldslsapeb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015061; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl4.drop_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102848; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eilqnjkoytyjuchn.ru"; flow:established,to_server; content:"|3a| eilqnjkoytyjuchn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015062; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_system.ksdwrt buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_system.ksdwrt"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*tst[\r\n\s]*=>[\r\n\s]*\2|tst\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*\d+\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102679; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain npxsiiwpxqqiihmo.ru"; flow:established,to_server; content:"|3a| npxsiiwpxqqiihmo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015063; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.ltutil.pushdeferredtxns buffer overflow attempt"; flow:to_server,established; content:"sys.ltutil.pushdeferredtxns"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*repgrpname[\r\n\s]*=>[\r\n\s]*\2|repgrpname\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2102684; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qtmyeslmsoxkjbku.ru"; flow:established,to_server; content:"|3a| qtmyeslmsoxkjbku.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015064; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"sysdbms_repcat_rgt.check_ddl_text"; nocase; isdataat:1024,relative; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102608; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain adbjjkquyyhyqknf.ru"; flow:established,to_server; content:"|3a| adbjjkquyyhyqknf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015065; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL time_zone buffer overflow attempt"; flow:to_server,established; content:"TIME_ZONE"; nocase; isdataat:1000,relative; pcre:"/TIME_ZONE\s*=\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_time_zone.txt; classtype:attempted-user; sid:2102614; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ciqmhuwgvfsxdtrw.ru"; flow:established,to_server; content:"|3a| ciqmhuwgvfsxdtrw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015066; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_cmdshell program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; offset:32; nocase; classtype:attempted-user; sid:2100681; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mocrafrewsdjztbj.ru"; flow:established,to_server; content:"|3a| mocrafrewsdjztbj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015067; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; nocase; classtype:attempted-user; sid:2100673; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain otruvbidvikzhlop.ru"; flow:established,to_server; content:"|3a| otruvbidvikzhlop.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015068; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2102923; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yafzvancybuwmnno.ru"; flow:established,to_server; content:"|3a| yafzvancybuwmnno.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015069; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2102924; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bhujzorkulhkpwob.ru"; flow:established,to_server; content:"|3a| bhujzorkulhkpwob.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015070; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap admind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:2100575; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lohnrnnpvvtxedfl.ru"; flow:established,to_server; content:"|3a| lohnrnnpvvtxedfl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015071; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap amountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:2100576; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ntvrnrdpyoadopbo.ru"; flow:established,to_server; content:"|3a| ntvrnrdpyoadopbo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015072; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap bootparam request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:2100577; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wakvnkyzkyietkdr.ru"; flow:established,to_server; content:"|3a| wakvnkyzkyietkdr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015073; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cmsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:2100578; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zfyafrjmmajqfvbh.ru"; flow:established,to_server; content:"|3a| zfyafrjmmajqfvbh.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015074; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap listing UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,428; classtype:rpc-portmap-decode; sid:2101280; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jnlkttkruqsdjqlx.ru"; flow:established,to_server; content:"|3a| jnlkttkruqsdjqlx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015075; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap mountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:2100579; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lsbppxhgckolsnap.ru"; flow:established,to_server; content:"|3a| lsbppxhgckolsnap.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015076; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nisd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:2100580; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vznrahwzgntmfcqk.ru"; flow:established,to_server; content:"|3a| vznrahwzgntmfcqk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015077; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap pcnfsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:2100581; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xeeypppxswpquvrf.ru"; flow:established,to_server; content:"|3a| xeeypppxswpquvrf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015078; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rexd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:2100582; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain inqgvoeohpcsfxmn.ru"; flow:established,to_server; content:"|3a| inqgvoeohpcsfxmn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015079; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rstatd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:2100583; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ksgmckchdppqeicu.ru"; flow:established,to_server; content:"|3a| ksgmckchdppqeicu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015080; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rusers request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:2100584; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uyrorwlibbjeasoq.ru"; flow:established,to_server; content:"|3a| uyrorwlibbjeasoq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015081; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap selection_svc request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:2100586; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wejungvnykczyjam.ru"; flow:established,to_server; content:"|3a| wejungvnykczyjam.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015082; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2101279; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gmvdnpqbblixlgxj.ru"; flow:established,to_server; content:"|3a| gmvdnpqbblixlgxj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015083; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap status request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2100587; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jrkjelzwleadyxsd.ru"; flow:established,to_server; content:"|3a| jrkjelzwleadyxsd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015084; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2100588; rev:18; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sywleisrsstsqoic.ru"; flow:established,to_server; content:"|3a| sywleisrsstsqoic.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015085; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP Get"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:2101444; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain venrfhmthwpqlqge.ru"; flow:established,to_server; content:"|3a| venrfhmthwpqlqge.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015086; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert udp any any -> any 69 (msg:"GPL TFTP GET Admin.dll"; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:2101289; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ppsvcvrcgkllplyn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ppsvcvrcgkllplyn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015259; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert udp any any -> any 69 (msg:"GPL TFTP GET nc.exe"; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:2101441; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ruhctasjmpqbyvhm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ruhctasjmpqbyvhm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015260; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE HTTP 401 Unauthorized"; flow:from_server,established; content:"401"; http_stat_code; threshold: type both, count 1, seconds 300, track by_dst; reference:url,doc.emergingthreats.net/2009345; classtype:attempted-recon; sid:2009345; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bdvkpbuldslsapeb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bdvkpbuldslsapeb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015261; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack"; flow:from_server,established; content:"401"; http_stat_code; threshold:type both, track by_dst, count 30, seconds 60; reference:url,doc.emergingthreats.net/2009346; classtype:attempted-recon; sid:2009346; rev:9; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eilqnjkoytyjuchn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eilqnjkoytyjuchn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015262; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible Ipconfig Information Detected in HTTP Response"; flow:from_server,established; file_data; content:"Windows IP Configuration"; content:"Ethernet adapter Local Area Connection"; distance:8; within:40; reference:url,en.wikipedia.org/wiki/Ipconfig; reference:url,doc.emergingthreats.net/2009675; classtype:successful-recon-limited; sid:2009675; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain npxsiiwpxqqiihmo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|npxsiiwpxqqiihmo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015263; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003145; classtype:web-application-attack; sid:2003145; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qtmyeslmsoxkjbku.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qtmyeslmsoxkjbku|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015264; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003146; classtype:web-application-attack; sid:2003146; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain adbjjkquyyhyqknf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|adbjjkquyyhyqknf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015265; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds (linewrap)"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003148; classtype:web-application-attack; sid:2003148; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ciqmhuwgvfsxdtrw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ciqmhuwgvfsxdtrw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015266; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost (linewrap)"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003147; classtype:web-application-attack; sid:2003147; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mocrafrewsdjztbj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mocrafrewsdjztbj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015267; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Boitho.com Distributed Crawler in use - User-Agent (boitho.com-dc)"; flow:to_server,established; content:"boitho.com"; http_user_agent; nocase; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2003653; classtype:trojan-activity; sid:2003653; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain otruvbidvikzhlop.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|otruvbidvikzhlop|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015268; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Gteko User-Agent Detected - Dell Remote Access"; flow:established,to_server; content:"Windows 98"; http_user_agent; content:"GtekClient"; fast_pattern; http_user_agent; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2008037; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yafzvancybuwmnno.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yafzvancybuwmnno|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015269; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Eurobarre.us Setup User-Agent"; flow:established,to_server; content:"eurobarre "; http_user_agent; nocase; depth:10; reference:url,doc.emergingthreats.net/2008336; classtype:policy-violation; sid:2008336; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bhujzorkulhkpwob.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bhujzorkulhkpwob|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015270; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - document.createElement applet"; flow:established,to_client; file_data; content:"document.createElement"; nocase; content:"applet"; nocase; fast_pattern; within:10; classtype:misc-activity; sid:2015707; rev:2; metadata:created_at 2012_09_18, updated_at 2012_09_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lohnrnnpvvtxedfl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lohnrnnpvvtxedfl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015271; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102860; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ntvrnrdpyoadopbo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ntvrnrdpyoadopbo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015272; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102892; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wakvnkyzkyietkdr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wakvnkyzkyietkdr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015273; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO DoSWF Flash Encryption Banner"; flow:to_client,established; file_data; content:"FWS"; within:3; content:"DoSWF"; distance:0; classtype:attempted-user; sid:2015704; rev:6; metadata:created_at 2012_09_18, former_category CURRENT_EVENTS, updated_at 2012_09_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zfyafrjmmajqfvbh.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zfyafrjmmajqfvbh|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015274; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dapato Checkin 8"; flow:established,to_server; content:"GET"; http_method; nocase; content:"?uid={"; http_uri; content:"}&user="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"Mozilla/4.1"; http_user_agent; depth:11; reference:md5,de7c781205d31f58a04d5acd13ff977d; classtype:command-and-control; sid:2015713; rev:3; metadata:created_at 2012_09_18, former_category MALWARE, updated_at 2012_09_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jnlkttkruqsdjqlx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jnlkttkruqsdjqlx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015275; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Skype Easybits Extras Manager - Exploit"; flow:established,from_server; content:"gygte"; nocase; content:"gygte"; nocase; distance:0; reference:url,www.m86security.com/labs/traceitem.asp?article=1347; reference:url,doc.emergingthreats.net/2011680; classtype:trojan-activity; sid:2011680; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lsbppxhgckolsnap.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lsbppxhgckolsnap|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015276; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; file_data; content:"|5C|x0b|5C|x0b|5C|x0b|5C|x0b"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013268; rev:4; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vznrahwzgntmfcqk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vznrahwzgntmfcqk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015277; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Loader EXE Payload Request"; flow:established,to_server; urilen:34; content:"/?"; depth:2; http_uri; pcre:"/^\/\?[a-f0-9]{32}$/U"; content:!"User-Agent|3a| "; http_header; content:" HTTP/1.1|0d 0a|Host|3a| "; classtype:trojan-activity; sid:2014058; rev:3; metadata:created_at 2011_12_31, updated_at 2011_12_31;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xeeypppxswpquvrf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xeeypppxswpquvrf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015278; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Web Bot Controller Accessed"; flow:to_server,established; content:"/stata/index.php?tr=ok"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003025; classtype:trojan-activity; sid:2003025; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain inqgvoeohpcsfxmn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|inqgvoeohpcsfxmn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015279; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL EXPLOIT WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:2103199; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ksgmckchdppqeicu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ksgmckchdppqeicu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015280; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Message Send Info Capture"; flow: to_server,established; content:"crumb="; nocase; content:"Subject="; nocase; reference:url,doc.emergingthreats.net/2000045; classtype:policy-violation; sid:2000045; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uyrorwlibbjeasoq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uyrorwlibbjeasoq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015281; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Unknown - Payload Download - 9Alpha1Digit.exe"; flow:established,to_client; content:"attachment"; http_header; content:".exe"; http_header; fast_pattern:only; pcre:"/[a-z]{9}[0-9]\.exe/H"; file_data; content:"MZ"; depth:2; classtype:trojan-activity; sid:2014968; rev:8; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wejungvnykczyjam.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wejungvnykczyjam|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015282; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Adware.AdzgaloreBiz/AdRotator!IK Install/Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?inst_result="; http_uri; content:"&hwid="; http_uri; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)|0d 0a|"; http_header; pcre:"/\.php\?inst_result=.+&hwid=/Ui"; reference:url,doc.emergingthreats.net/2009305; reference:md5,1ca433d3f5538fda49c5defb59232f9d; classtype:trojan-activity; sid:2009305; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gmvdnpqbblixlgxj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gmvdnpqbblixlgxj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015283; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Thetatic.A Checkin"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 5.1|3B| rv|3a|1.9.1) Gecko/20090624 Firefox/3.5|0D 0A|Accept|3a| */*|0D 0A|Host|3a| "; http_header; depth:110; fast_pattern:72,20; classtype:trojan-activity; sid:2014796; rev:5; metadata:created_at 2012_05_22, updated_at 2012_05_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jrkjelzwleadyxsd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jrkjelzwleadyxsd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015284; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; distance:3; within:1; byte_extract:3,0,Certs.len,relative; content:"|55 04 0a 0c 0C|The Internet"; distance:3; within:Certs.len; content:"|55 04 03 0c 03|web"; distance:0; classtype:exploit-kit; sid:2015718; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_09_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sywleisrsstsqoic.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sywleisrsstsqoic|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015285; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT MSN IM Poll via HTTP"; flow: established,to_server; content:"/gateway/gateway.dll?Action=poll&SessionID="; http_uri; nocase; threshold: type limit, track by_src, count 10, seconds 3600; reference:url,doc.emergingthreats.net/2001682; classtype:policy-violation; sid:2001682; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain venrfhmthwpqlqge.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|venrfhmthwpqlqge|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015286; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HeapLib JS Library"; flow:established,to_client; file_data; content:"heapLib.ie|28|"; nocase; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:bad-unknown; sid:2014972; rev:3; metadata:created_at 2012_06_27, updated_at 2012_06_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Anti-virus-pro.com Fake AV Checkin"; flow:established,to_server; content:"/stat.php?machine_id={"; nocase; http_uri; pcre:"/machine_id={[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+}/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007886; classtype:trojan-activity; sid:2007886; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER sumthin scan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/sumthin"; nocase; http_uri; reference:url,www.webmasterworld.com/forum11/2100.htm; reference:url,doc.emergingthreats.net/2002667; classtype:attempted-recon; sid:2002667; rev:38; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"GPL DELETED netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:2100110; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT HttpAddRequestHeader - Can Be Used For HTTP CnC"; flow:established,to_client; file_data; content:"MZ"; distance:0; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"HttpAddRequestHeader"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:command-and-control; sid:2012767; rev:11; metadata:created_at 2011_05_03, former_category MALWARE, updated_at 2011_05_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:2100286; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query to Unknown CnC DGA Domain adbullion.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|09|adbullion|03|com|00|"; nocase; distance:4; within:15; fast_pattern; classtype:command-and-control; sid:2015729; rev:2; metadata:created_at 2012_09_22, updated_at 2012_09_22;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 BSD overflow 2"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; classtype:attempted-admin; sid:2100287; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole2 - Landing Page Received - classid"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:"<param"; distance:0; content:"value="; distance:0; pcre:"/^.{1,5}[a-f0-9]{100}/R"; classtype:trojan-activity; sid:2015732; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_22, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:2100288; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE UpackbyDwing binary in HTTP (2) Possibly Hostile"; flow:from_server,established; content:"PE|00 00|"; content:"Upack|00 00|"; within:255; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2008947; classtype:trojan-activity; sid:2008947; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|"; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:2100289; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE UpackbyDwing binary in HTTP Download Possibly Hostile"; flow:from_server,established; content:"UpackByDwing|40|"; content:"PE|00 00|"; within:20; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2008946; classtype:trojan-activity; sid:2008946; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL DELETED qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:2100290; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Trojan Checkin by MAC chkmac.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/chkmac.php?mac="; nocase; http_uri; classtype:command-and-control; sid:2006403; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:2100292; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL add_grouped_column ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22 ]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102600; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET TELNET login failed"; flow:from_server,established; content:"Login failed"; nocase; classtype:bad-unknown; sid:2100492; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_master_repgroup ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck87.html; classtype:attempted-user; sid:2102602; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2100569; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL create_mview_repgroup ordered fname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){4}\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102604; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap sadmind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:2100585; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL comment_on_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102607; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:2100589; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL cancel_statistics ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102610; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2100590; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL grant_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102616; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:2100591; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL alter_mview_propagation ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102618; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2100593; rev:19; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL unregister_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102625; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2100595; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL repcat_import_check ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/\((\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))|\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102628; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,428; classtype:rpc-portmap-decode; sid:2100598; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL register_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102630; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL RPC rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; classtype:bad-unknown; sid:2100601; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL refresh_mview_repgroup ordered gowner buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,(\s*(true|false)\s*,\s*){3}((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102632; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"GPL RPC rlogin login failure"; flow:from_server,established; content:"login incorrect"; reference:arachnids,393; classtype:unsuccessful-user; sid:2100605; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL rectifier_diff ordered sname1 buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102634; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"GPL RPC rlogin login failure"; flow:from_server,established; content:"|01|rlogind|3A| Permission denied."; reference:arachnids,392; classtype:unsuccessful-user; sid:2100611; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL snapshot.end_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102636; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; reference:arachnids,356; classtype:shellcode-detect; sid:2100638; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102638; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; reference:arachnids,357; classtype:shellcode-detect; sid:2100639; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_mview_repgroup ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102640; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; reference:arachnids,352; classtype:shellcode-detect; sid:2100641; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_site_instantiate ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"drop_site_instantiation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck629.html; classtype:attempted-user; sid:2102642; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; reference:arachnids,358; classtype:shellcode-detect; sid:2100642; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL from_tz buffer overflow attempt"; flow:to_server,established; content:"FROM_TZ"; nocase; pcre:"/\(\s*TIMESTAMP\s*(\s*(\x27[^\x27]+'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.nextgenss.com/advisories/ora_from_tz.txt; classtype:attempted-user; sid:2102644; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; reference:arachnids,359; classtype:shellcode-detect; sid:2100643; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL instantiate_offline ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_offline"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck630.html; classtype:attempted-user; sid:2102646; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; reference:arachnids,345; classtype:shellcode-detect; sid:2100644; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL instantiate_online ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_online"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck631.html; classtype:attempted-user; sid:2102648; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; reference:arachnids,353; classtype:shellcode-detect; sid:2100645; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL og.begin_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102653; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; reference:arachnids,355; classtype:shellcode-detect; sid:2100646; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability"; flow:established; content:"|61 00 09 00 08 00 07 00 21 03|"; pcre:"/[0-9a-zA-Z]{10}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; reference:url,doc.emergingthreats.net/bin/view/Main/2007934; classtype:misc-attack; sid:2007934; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; reference:arachnids,282; classtype:system-call-detect; sid:2100647; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Cisco-MARS/JBoss Remote Command Execution"; flowbits:isset,cmars.jboss; flow:to_server,established; content:"action=invokeOp"; nocase; content:"jboss.script"; nocase; content:"Runtime|2e|getRuntime|25|28|25|29|2e|exec|25|28"; nocase; reference:bugtraq,19071; reference:url,doc.emergingthreats.net/bin/view/Main/2003065; classtype:attempted-admin; sid:2003065; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; reference:arachnids,284; classtype:system-call-detect; sid:2100649; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura exploit kit exploit download request /sarah.php"; flow:established,to_server; content:"/sarah.php?s="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015733; rev:3; metadata:created_at 2012_09_25, former_category EXPLOIT_KIT, updated_at 2012_09_25;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; reference:arachnids,436; classtype:system-call-detect; sid:2100650; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> any any (msg:"ET POLICY Internet Explorer 6 in use - Significant Security Risk"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b|"; http_user_agent; depth:34; threshold: type limit, track by_src, seconds 180, count 1; classtype:policy-violation; sid:2010706; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 stealth NOOP"; content:"|EB 02 EB 02 EB 02|"; reference:arachnids,291; classtype:shellcode-detect; sid:2100651; rev:9; metadata:created_at 2010_09_23, former_category SHELLCODE, updated_at 2017_09_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Adware Istbar Search Hijacker and Downloader"; flow:established,to_client; content:"200"; http_stat_code; content:"OK"; nocase; http_stat_msg; content:"Content-Type|3a| qvod_update"; nocase; content:"|5b|AGENTLIST|5d 0d 0a|ip0="; nocase; content:"|0d 0a|port0="; nocase; within:25; content:"|0d 0a 0d 0a|ip1="; nocase; content:"|0d 0a|port1="; nocase; within:25; reference:url,www.pctools.com/mrc/infections/id/Trojan.ISTbar/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan.ISTbar; reference:url,doc.emergingthreats.net/2009597; classtype:trojan-activity; sid:2009597; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; reference:arachnids,343; classtype:shellcode-detect; sid:2100652; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; distance:3; within:1; byte_extract:3,0,Certs.len,relative; content:"|55 04 06 13 02|SE"; distance:3; within:Certs.len; content:"|55 04 08 13 01 20|"; distance:0; content:"|55 04 07 13 01 20|"; distance:0; content:"|55 04 0a 13 01 20|"; distance:0; content:"|55 04 0b 13 01 20|"; distance:0; content:"|55 04 03 13 01 20|"; distance:0; fast_pattern; classtype:exploit-kit; sid:2015742; rev:1; metadata:attack_target Client_Endpoint, created_at 2012_09_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit seen with O1/O2.class /form"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/search|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:exploit-kit; sid:2015646; rev:4; metadata:created_at 2012_08_17, former_category EXPLOIT_KIT, updated_at 2012_08_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Fynloski.A/DarkRat Checkin Outbound"; flow:to_server,established; dsize:<16; content:"KEEPALIVE"; depth:9; pcre:"/^KEEPALIVE\x7c?\d/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; reference:url,www.eff.org/deeplinks/2012/08/syrian-malware-post; reference:md5,a2f58a4215441276706f18519dae9102; classtype:command-and-control; sid:2013090; rev:10; metadata:created_at 2010_11_22, former_category MALWARE, updated_at 2010_11_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit seen with O1/O2.class /search"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/form|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:exploit-kit; sid:2015647; rev:4; metadata:created_at 2012_08_17, former_category EXPLOIT_KIT, updated_at 2012_08_17;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; content:!"|0a|"; within:300; isdataat:300; pcre:"/^RCPT TO\x3a\s[^\n]{300}/ism"; reference:bugtraq,2283; reference:bugtraq,9696; reference:cve,2001-0260; classtype:attempted-admin; sid:2100654; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android.Ggtracker Ggtrack.org Checkin"; flow:established,to_server; content:"device_id="; nocase; http_uri; content:"adv_sub="; nocase; http_uri; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062208-5013-99&tabid=2; classtype:trojan-activity; sid:2013219; rev:3; metadata:created_at 2011_07_06, updated_at 2011_07_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CVSTrac filediff Arbitrary Remote Code Execution"; flow: to_server,established; content:"filediff|3f|f="; nocase; http_uri; pcre:"/\/filediff\?((&?v\d?=[\d.]+?)+?&f\x3d|f\x3d.+?(&v\d?=[\d.]+?)+?).+?\x3b.+?\x3b/Ui"; reference:bugtraq,10878; reference:cve,2004-1456; reference:url,doc.emergingthreats.net/bin/view/Main/2002697; classtype:web-application-attack; sid:2002697; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED General Downloader URL - Post Infection"; flow:established,to_server; content:"/count.jsp?id="; http_uri; content:"&mac=0"; http_uri; content:"te="; http_uri; reference:url,doc.emergingthreats.net/2008728; classtype:trojan-activity; sid:2008728; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.VB.brg C&C Kill Command Send"; flow:established,from_server; dsize:<35; content:"kill-"; offset:0; depth:5; pcre:"/kill\-\d+.\d+.\d+.\d+\:\d+%\d/"; reference:url,doc.emergingthreats.net/2007980; classtype:command-and-control; sid:2007980; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Borlander Adware Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?t="; nocase; http_uri; content:"&i="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&n="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008736; classtype:bad-unknown; sid:2008736; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bredolab Downloader Response Binaries from Controller"; flow:established,from_server; content:"|0d 0a|Entity-Info|3a|"; nocase; content:"|0d 0a|Magic-Number|3a|"; nocase; pcre:"/\x0d\x0aEntity-Info\x3a\s+\d+\x3a\d/"; pcre:"/\x0d\x0aMagic-Number\x3a\s+\d+\|\d/"; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader%3aWin32/Bredolab.B; reference:url,doc.emergingthreats.net/2009388; classtype:trojan-activity; sid:2009388; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rogue.Win32/Winwebsec Install"; flow:to_server,established; content:"/api/stats/install/?affid="; content:"&ver=30"; http_uri; content:"&group="; http_uri; reference:md5,5310a7d855a14c93b12a36869cd252ec; classtype:trojan-activity; sid:2015653; rev:4; metadata:created_at 2012_02_24, updated_at 2012_02_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Agent.cav Url Pattern Detected (ping)"; flow:established,to_server; content:"/ping/"; nocase; http_uri; pcre:"/\/ping\/[0-9a-fA-F]{64}\/[0-9a-fA-F]+\/[0-9a-fA-F]/Ui"; reference:url,doc.emergingthreats.net/2007284; classtype:trojan-activity; sid:2007284; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible URL List or Clickfraud URLs Delivered To Client"; flow:established,from_server; content:"|0d 0a 0d 0a|http|3a|//"; content:"|7C|http|3a|//"; distance:0; content:"|0D 0A|http|3a|//"; distance:0; content:"|7C|http|3a|//"; distance:0; classtype:trojan-activity; sid:2014149; rev:4; metadata:created_at 2012_01_24, updated_at 2012_01_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HotLan.C Spambot Trojan Activity"; flow:to_server,established; content:"GET"; http_method; content:"|3F|mod|3D|"; fast_pattern:only; http_uri; content:"&id="; http_uri; content:"&up="; http_uri; content:"&mid="; http_uri; pcre:"/\x3Fmod\x3D\w*?\x26id\x3D[^\x26\s]+?\x5F\w+?\x26up\x3D[^\x26]+?\x26mid\x3D[^\x26\s]/Ui"; reference:url,doc.emergingthreats.net/2008473; classtype:trojan-activity; sid:2008473; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Landing Page Requested - /Home/index.php"; flow:established,to_server; content:"/Home/index.php"; http_uri; depth:15; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; classtype:trojan-activity; sid:2014975; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Lydra.hj HTTP Checkin"; flow:established,to_server; content:"/NewsFolder/News00"; http_uri; content:".ASP?id="; http_uri; pcre:"/\/NewsFolder\/News00\d\d\.ASP\?id=/U"; pcre:"/Host\: \d+\.\d+\.\d+\.\d/"; reference:url,doc.emergingthreats.net/2008130; classtype:command-and-control; sid:2008130; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Received - catch and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.blackhole.uri; content:"}catch("; classtype:trojan-activity; sid:2014976; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Mitglieder Proxy Bot Checking In"; flow:established,to_server; content:"/scr5.php"; nocase; http_uri; pcre:"/\/scr5\.php\?p=\d+&id=\d/Ui"; reference:url,isc.sans.org/diary.php?storyid=722; reference:url,doc.emergingthreats.net/2002387; classtype:trojan-activity; sid:2002387; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Recieved - applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.blackhole.uri; content:"<applet"; classtype:trojan-activity; sid:2014977; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED QQPass Related User-Agent Infection Checkin (App4)"; flow:to_server,established; content:"User-Agent|3a| App"; http_header; content:!"Host|3a| liveupdate.symantecliveupdate.com|0d 0a|"; http_header; pcre:"/^User-Agent\: App\d/Hmi"; reference:url,doc.emergingthreats.net/2007569; classtype:trojan-activity; sid:2007569; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Landing Page Requested - /*.php?*=8HexChar"; flow:established,to_server; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; urilen:15<>52; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,10}=[a-f0-9]{8}$/U"; pcre:"/[0-9]{1,8}[a-f]{1,8}[0-9]{1,8}$/U"; classtype:trojan-activity; sid:2014974; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Small.zon checkin"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?n="; http_uri; content:"&id="; http_uri; content:"&t="; http_uri; content:"&i="; http_uri; pcre:"/\?n=\d+&id=.+&t=.+&i=\d/Ui"; reference:url,doc.emergingthreats.net/2009300; classtype:command-and-control; sid:2009300; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Admin bhadmin.php access Outbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015659; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Small.qh/xSock Checkin URL Detected"; flow:established,to_server; content:"port="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&sm="; nocase; http_uri; pcre:"/port=\d/Ui"; pcre:"/id=[a-f0-9-]+&/Ui"; reference:url,doc.emergingthreats.net/2007610; classtype:command-and-control; sid:2007610; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Malicious Redirect n.php h=*&s=*"; flow:to_server,established; content:"/n.php?h="; fast_pattern:only; http_uri; content:"&s="; http_uri; content:".rr.nu|0d 0a|"; http_header; pcre:"/\/n\.php\?h=\w*?&s=\w{1,5}$/Ui"; reference:url,0xicf.wordpress.com/category/security-updates/; reference:url,urlquery.net/report.php?id=111302; classtype:attempted-user; sid:2015669; rev:10; metadata:created_at 2012_08_23, former_category WEB_CLIENT, updated_at 2012_08_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zlob Updating via HTTP (v2)"; flow:established,to_server; content:".php?Code="; nocase; http_uri; content:"&V="; nocase; http_uri; content:"&ID="; nocase; http_uri; pcre:"/Code=\d/Ui"; pcre:"/ID=.{40}&.{6}/Ui"; reference:url,doc.emergingthreats.net/2007620; classtype:trojan-activity; sid:2007620; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED - Blackhole Admin Login Outbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015660; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; content:"/awstats.pl?"; nocase; http_uri; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system)/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; reference:url,doc.emergingthreats.net/2001686; classtype:web-application-attack; sid:2001686; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED - Blackhole Admin Login Inbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015662; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CutePHP CuteNews directory traversal vulnerability - show_news"; flow:to_server,established; content:"/show_news.php"; nocase; http_uri; content:"template="; nocase; http_uri; pcre:"/template=[./]/Ui"; reference:bugtraq,15295; reference:url,doc.emergingthreats.net/2002668; classtype:misc-activity; sid:2002668; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015667; rev:2; metadata:created_at 2012_08_29, former_category CURRENT_EVENTS, updated_at 2012_08_29;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CutePHP CuteNews directory traversal vulnerability - show_archives"; flow:to_server,established; content:"/show_archives.php"; nocase; http_uri; content:"template="; nocase; http_uri; pcre:"/template=[./]/Ui"; reference:bugtraq,15295; reference:url,doc.emergingthreats.net/2003152; classtype:misc-activity; sid:2003152; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; content:"/1."; offset:75; depth:3; http_uri; content:"|2e|"; distance:1; within:1; http_uri; content:"|2e|"; distance:1; within:1; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//U"; classtype:attempted-user; sid:2015666; rev:4; metadata:created_at 2012_08_29, former_category CURRENT_EVENTS, updated_at 2012_08_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Phoenix Java Exploit Attempt Request for .class from octal host"; flow:established,to_server; content:".class|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012609; rev:6; metadata:created_at 2011_03_31, former_category CURRENT_EVENTS, updated_at 2011_03_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st.QQ Checkin"; flow:to_server,established; content:"QQ|3a|124971919"; depth:12; content:"|00 00|"; distance:2; within:2; content:"|00 00 78 9C|"; distance:2; within:4; reference:md5,899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014109; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_10, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s+\x22-W\s+\d/smi"; reference:bugtraq,8875; reference:cve,2003-0853; reference:cve,2003-0854; classtype:misc-attack; sid:2102272; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st.QQ Checkin 2"; flow:to_server,established; content:"QQ|3a|"; depth:3; content:"|00 00|"; distance:11; within:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,12,little; reference:md5,899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014110; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_10, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)"; flow:established,to_client; file_data; flowbits:isset,ET.http.binary; content:"CheckRemoteDebuggerPresent"; classtype:misc-activity; sid:2015745; rev:2; metadata:created_at 2012_09_28, updated_at 2012_09_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st Checkin (6 Byte keyword)"; flow:to_server,established; content:"|00 00|"; offset:8; depth:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,6,little; pcre:"/^[a-z0-9]{6}..\x00\x00/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; classtype:trojan-activity; sid:2015627; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_15, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gator Checkin"; flow: to_server,established; content:"/gbsf/"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000595; classtype:policy-violation; sid:2000595; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st Checkin (7 Byte keyword)"; flow:to_server,established; content:"|00 00|"; offset:9; depth:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,7,little; pcre:"/^[a-z0-9]{7}..\x00\x00/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; classtype:trojan-activity; sid:2015628; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_15, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Try Prototype Catch May 14 2012"; flow:from_server,established; content:"try{"; content:"=prototype|3b|}catch("; within:30; classtype:trojan-activity; sid:2014747; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DOCHTML C&C http directive in HTML comments"; flow:established,from_server; content:"|3c|!-- DOCHTMLhttp|3a|//"; reference:url,blog.accuvantlabs.com/blog/dgrif/anatomy-targeted-attack; classtype:command-and-control; sid:2015616; rev:3; metadata:created_at 2012_08_11, former_category MALWARE, updated_at 2012_08_11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)"; content:"|0d 0a|User-Agent|3A| friendly-scanner"; threshold: type limit, track by_src, count 5, seconds 120; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011716; classtype:attempted-recon; sid:2011716; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PCFlashbang.com Spyware Checkin (PCFlashBangA)"; flow:to_server,established; content:"User-Agent|3a| PCFlashBang"; http_header; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453113169; reference:url,doc.emergingthreats.net/2009540; classtype:command-and-control; sid:2009540; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:attempted-user; sid:2015664; rev:3; metadata:created_at 2012_08_29, updated_at 2012_08_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 1342 (msg:"ET EXPLOIT_KIT Unknown Exploit Kit redirect"; flow:established,to_server; urilen:35; content:"GET"; http_method; content:"/t/"; depth:3; http_uri; pcre:"/^\/t\/[a-f0-9]{32}/Ui"; content:"|0d 0a|Host|3a| "; http_header; content:"|3a|1342|0d 0a|"; http_header; fast_pattern:only; classtype:exploit-kit; sid:2015672; rev:5; metadata:created_at 2012_08_30, former_category EXPLOIT_KIT, updated_at 2012_08_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|00 00 07|"; depth:16; content:"|02|eu|00|"; fast_pattern:only; pcre:"/\x00\x07[a-z]{7}\x02eu\x00/"; threshold: type both, count 5, seconds 120, track by_src; classtype:command-and-control; sid:2014371; rev:6; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shady RAT Get File Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"gf|3a|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013653; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DELETED Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt"; content:"REGISTER"; depth:8; nocase; isdataat:400,relative; pcre:"/REGISTER.{400}/smi"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19915; reference:cve,2010-0569; reference:url,doc.emergingthreats.net/2010818; classtype:attempted-dos; sid:2010818; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shady RAT Put File Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"pf|3a|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013654; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole OBE Java Exploit request to /content/obe.jar"; flow:established,to_server; content:"/content/obe.jar"; http_uri; reference:cve,CVE-2010-0840; reference:cve,CVE-2010-0842; classtype:trojan-activity; sid:2014160; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shady RAT Retrieve and Execute Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"http|3a|{"; content:"}.exe"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013655; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Blackhole Java Exploit request to spn.jar"; flow:established,to_server; content:"/spn.jar"; http_uri; nocase; classtype:trojan-activity; sid:2015001; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shady RAT Relay Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"taxi|3a|"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013656; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to Half.jar"; flow:established,to_server; content:"/Half.jar"; http_uri; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014918; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shady RAT Send Status Result"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"slp|3a|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013657; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Set.jar"; flow:established,to_server; content:"/Set.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014746; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability"; flow:established; content:"|21 00 21 03|"; pcre:"/[0-9a-zA-Z]{10}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; reference:url,doc.emergingthreats.net/bin/view/Main/2007933; classtype:misc-attack; sid:2007933; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Cal.jar"; flow:established,to_server; content:"/Cal.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014724; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_09, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL DELETED AIM AddGame attempt"; flow:to_client,established; content:"aim|3A|AddGame?"; nocase; reference:bugtraq,3769; reference:cve,2002-0005; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:2101393; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Edu.jar"; flow:established,to_server; content:"/Edu.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014642; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_26, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL DELETED AIM AddExternalApp attempt"; flow:to_client,established; content:"aim|3A|AddExternalApp?"; nocase; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:2101752; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Klot.jar"; flow:established,to_server; content:"/Klot.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014536; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_10, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"GPL CHAT Yahoo IM conference request"; flow:to_server,established; content:"<R"; depth:2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism"; classtype:policy-violation; sid:2102460; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /content/viewer.jar"; flow:established,to_server; content:"/content/viewer.jar"; http_uri; classtype:trojan-activity; sid:2014299; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_02, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|"; depth:2; offset:10; classtype:policy-violation; sid:2102452; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /content/jav2.jar"; flow:established,to_server; content:"/content/jav2.jar"; http_uri; classtype:trojan-activity; sid:2014278; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; classtype:policy-violation; sid:2102459; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request similar to /content/jav.jar"; flow:established,to_server; content:"/content/jav"; http_uri; content:".jar"; http_uri; pcre:"/\/content\/jav\d?\.jar$/U"; classtype:trojan-activity; sid:2014245; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_20, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; classtype:policy-violation; sid:2102455; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /content/rin.jar"; flow:established,to_server; content:"/content/rin.jar"; http_uri; classtype:trojan-activity; sid:2014196; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET 5100 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference watch"; flow:from_server,established; content:"|0D 00 05 00|"; depth:4; classtype:policy-violation; sid:2102461; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Rhino Java Exploit request to /content/rino.jar"; flow:established,to_server; content:"/content/rino.jar"; http_uri; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014159; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo Messenger File Transfer Receive Request"; flow:established; content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10; classtype:policy-violation; sid:2102456; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Rhino Java Exploit request to /content/v1.jar"; flow:established,to_server; content:"/content/v1.jar"; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014050; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_30, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM voicechat"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; classtype:policy-violation; sid:2102451; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows "; content:"Copyright |28|c|29| 20"; distance:0; content:"Microsoft Corp"; distance:0; reference:nessus,11633; classtype:successful-admin; sid:2102123; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference logon success"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; classtype:policy-violation; sid:2102454; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download - SET"; flow:from_server,established; file_data; content:"|7B 5C 72 74 66 31|"; within:6; flowbits:set,ET.http.rtf.download; flowbits:noalert; reference:cve,2012-0183; classtype:attempted-user; sid:2015790; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_10_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference invitation"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; classtype:policy-violation; sid:2102453; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BegOpEK - TDS - icon.php"; flow:established,to_server; content:"/icon.php"; urilen:9; classtype:exploit-kit; sid:2015789; rev:2; metadata:created_at 2012_10_10, updated_at 2012_10_10;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Trojan-Spy.Win32.Bancos Download"; flow: established,from_server; content:"[AspackDie!]"; content:"|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 ac 5f 3138 d0|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.bancos.b.html; reference:url,doc.emergingthreats.net/2001726; classtype:trojan-activity; sid:2001726; rev:10; metadata:created_at 2010_07_30, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - TDS"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:attempted-user; sid:2015692; rev:3; metadata:created_at 2012_09_11, updated_at 2012_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED AV-Killer.Win32 User Agent Detected (p4r4z1t3v3.one14.J)"; flow:established,to_server; content:"User-Agent|3a| p4r4z1t3v3"; nocase; reference:url,doc.emergingthreats.net/2003638; classtype:trojan-activity; sid:2003638; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> 209.139.208.0/23 $HTTP_PORTS (msg:"ET EXPLOIT_KIT Scalaxy Secondary Landing Page 10/11/12"; flow:to_server,established; content:"/q"; http_uri; depth:2; pcre:"/^\/q[a-zA-Z0-9+-]{3,14}\/[a-zA-Z0-9+-]{3,16}\?[a-z]{1,6}=[a-zA-Z0-9+-\._]{7,18}$/U"; classtype:exploit-kit; sid:2015792; rev:2; metadata:created_at 2012_10_12, updated_at 2012_10_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED Win32.SMTP-Mailer SMTP Outbound"; flow:to_server,established; content:"Subject|3a 20 3a 20|ZOMBIE"; nocase; content:"X-Library|3a| Indy 9.00.10"; nocase; distance:0; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.SMTP-Mailer&threatid=48095; reference:url,www.hauri.net/virus/virusinfo_read.php?code=TRW3000774&start=1; reference:url,doc.emergingthreats.net/2003041; classtype:trojan-activity; sid:2003041; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> 209.139.208.0/23 any (msg:"ET EXPLOIT Scalaxy Java Exploit 10/11/12"; flow:to_server,established; content:"/m"; http_uri; depth:2; pcre:"/^\/m[a-zA-Z0-9-_]{3,14}\/[a-zA-Z0-9-_]{3,17}$/U"; classtype:trojan-activity; sid:2015793; rev:2; metadata:created_at 2012_10_12, former_category CURRENT_EVENTS, updated_at 2012_10_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED HTTP RBOT Challenge/Response Authentication"; flow: to_server,established; content:"Host|3A 20|"; nocase; content:"|3A 20|Negotiate|20|YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFB"; nocase; reference:url,isc.sans.org/diary.php?date=2005-06-03; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring; reference:url,doc.emergingthreats.net/2001985; classtype:trojan-activity; sid:2001985; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert ip $HOME_NET any -> [184.82.162.163/32,184.22.103.202/32,158.255.211.28/32] any (msg:"ET DELETED Possible XDocCrypt/Dorifel CnC IP"; threshold:type limit, track by_src, count 1, seconds 600; reference:url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus; classtype:command-and-control; sid:2015630; rev:5; metadata:created_at 2012_08_16, updated_at 2012_08_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Malicious file BaiduPlayer1.0.21.25.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/BaiduPlayer/BaiduPlayer1.0.21.25.exe"; nocase; http_uri; content:"dl.client.baidu.com"; http_header; nocase; classtype:trojan-activity; sid:2014181; rev:5; metadata:created_at 2012_02_06, updated_at 2012_02_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ProxyBox - HTTP CnC - proxy_info.php"; flow:established,to_server; content:"/proxy_info.php"; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015509; rev:3; metadata:created_at 2012_07_21, updated_at 2012_07_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Parite.B GET"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"|0d0a|User-Agent|3a| gomtour|0d0a|"; within:200; reference:url,www.pandasecurity.com/homeusers/security-info/18181/information/Parite.B; reference:url,www.pctools.com/mrc/infections/id/Virus.Parite.B/; reference:url,www.threatexpert.com/threats/w32-parite-b.html; reference:url,doc.emergingthreats.net/2009454; classtype:trojan-activity; sid:2009454; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family Parite, signature_severity Major, updated_at 2017_07_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mini-Flame v 4.x C2 HTTP request"; flow:established,to_server; content:"/cgi-bin/feed.cgi"; http_uri; fast_pattern:only; pcre:"/(?:web(?:\.(?:velocitycache\.com|autoflash\.info)|update\.(?:dyndns\.info|hopto\.org)|app\.serveftp\.com)|flash(?:center\.info|rider\.org)|cache\.dyndns\.info)\r?$/Hmi"; reference:url,www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_friends; classtype:command-and-control; sid:2015805; rev:2; metadata:created_at 2012_10_16, former_category MALWARE, updated_at 2012_10_16;)
 
-#alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hotword Trojan in Transit"; flow: established,from_server; content:"|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001959; classtype:trojan-activity; sid:2001959; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mini-Flame v 5.x C2 HTTP request"; flow:established,to_server; content:"/cgi-bin/counter.cgi"; http_uri; fast_pattern:only; pcre:"/(?:(?:nvidia(?:s(?:tream|oft)|drivers)|(?:rendercode|videosyn)c|flashupdates|syncstream)\.info|194\.192\.14\.125|202\.75\.58\.179)\r?$/Hmi"; reference:url,www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_friends; classtype:command-and-control; sid:2015806; rev:2; metadata:created_at 2012_10_16, former_category MALWARE, updated_at 2012_10_16;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hotword Trojan inbound via http"; flow: established,from_server; content:"|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001960; classtype:trojan-activity; sid:2001960; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Uncompressed) Exploit Specific"; flow:from_server,established; flowbits:isset,OLE.CompoundFile; file_data; content:"FWS"; content:"kern"; distance:0; flowbits:set,Ole.Flash.kernpresent; flowbits:noalert; classtype:trojan-activity; sid:2015809; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_10_17, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible File Upload CHJO"; flow: to_server,established; content:"STOR __"; content:"-CHJO.DRV"; nocase; within: 100; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001961; classtype:trojan-activity; sid:2001961; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Uncompressed) Exploit Specific"; flow:from_server,established; flowbits:isset,Ole.Flash.kernpresent; file_data; content:"heapSpray"; classtype:trojan-activity; sid:2015810; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_10_17, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible File Upload CFXP"; flow: to_server,established; content:"STOR __"; content:"-CFXP.DRV"; nocase; within: 100; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001962; classtype:trojan-activity; sid:2001962; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole2 - Client reporting targeted software versions"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; content:"="; distance:0; http_uri; content:"&"; http_uri; distance:64; within:1; content:"="; http_uri; distance:0; content:"&"; http_uri; distance:20; within:1; pcre:"/\.php\?[a-z]+=[a-f0-9]{64}&[^\?]+=[a-f0-9]{20}&/U"; classtype:attempted-user; sid:2015716; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Request pspv.exe"; flow: to_server,established; content:"SIZE pspv.exe"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001963; classtype:trojan-activity; sid:2001963; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yoyo-DDoS Bot HTTP Flood Attack Outbound"; flow:established,to_server; content:"|0d 0a|Accept-Encoding|3A| g|7b|ip|2C| deflate|0d 0a|"; http_header; content:"|0d 0a|Connection|3A| Keep|2D|Alivf|0d 0a|"; http_header; threshold:type limit, count 5, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:denial-of-service; sid:2011403; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Request .tea"; flow: to_server,established; content:"LIST "; content:".tea"; nocase; within: 50; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001964; classtype:trojan-activity; sid:2001964; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 10/17/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern; distance:0; content:"Mac.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015812; rev:3; metadata:created_at 2012_10_18, updated_at 2012_10_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED Greeting card gif.exe email incoming SMTP"; flow: established,to_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001919; classtype:trojan-activity; sid:2001919; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downadup/Conficker A Worm reporting"; flow:to_server,established; content:"/search?q="; http_uri; content:"&aq="; http_uri; pcre:"/\/search\?q\=\d+&aq=\d/mi"; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009114; classtype:trojan-activity; sid:2009114; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 110:220 -> $HOME_NET any (msg:"ET DELETED Greeting card gif.exe email incoming POP3/IMAP"; flow: established,from_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001920; classtype:trojan-activity; sid:2001920; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GeckaSeka User-Agent"; flow:established,to_server; content:"GeckaSeka"; http_user_agent; classtype:trojan-activity; sid:2015824; rev:6; metadata:created_at 2012_10_19, updated_at 2012_10_19;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Status Check ___"; flow: to_server,established; content:"|53 49 5a 45 20 5f 5f 5f 0d 0a|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001966; classtype:trojan-activity; sid:2001966; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Googlebot Crawl"; flow:established,to_server; content:"googlebot"; nocase; http_user_agent; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.google.com/webmasters/bot.html; reference:url,doc.emergingthreats.net/2002829; classtype:attempted-recon; sid:2002829; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE Shikata Ga Nai polymorphic payload"; dsize: >26; content: "|d9 74 24 f4|"; pcre: "/[\x29\x2b\x31\x33]\xc9/sm"; pcre: "/[\xd9-\xdb\xdd].{1,11}\xd9\x74\x24\xf4.{0,10}[\x58\x5a\x5b\x5d-\x5f]/sm"; pcre: "/([\x29\x2b\x31\x33\xb8\xba\xbb\xbe\xbf\xd9-\xdb\xdd][^\x00\xff][^\x00\xff][^\x00][^\x00\xff][^\x00][^\x00\xff][^\x00\xff][^\x00][^\x00][^\x00][^\x00\xff][^\x00\xff][^\x00\xff][^\x00][^\x00][\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0e\x10\x12\x13\x15\x17\xfc][\x03\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0a\x0c\x0e-\x13\x15\x17\xfc][\x03\x83]..[^\x1d\xe2][^\x0a\xf5])|([\x29\x2b\x31\x33\xb8\xba\xbb\xbd-\xbf\xd9-\xdb\xdd][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][\x24\xb1\xd9-\xdb\xdd][^\x00][\x58\x5a\x5b\x5d-\x5f\xb8\xba\xbb\xbd-\xbf\xd9][^\x00][^\x00][^\x00][^\x00][\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0e\x12\x17\xfc][\x03\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0a\x0e\x12\x13\x17\xfc][\x03\x83]..[^\xe2][^\xf5])/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003118; classtype:shellcode-detect; sid:2003118; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Tilde in URI after file, potential source disclosure vulnerability"; flow:established,from_server; pcre:"/^HTTP\x2f1\.[01] 200/"; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009954; classtype:web-application-attack; sid:2009954; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Downloader Outbound HTTP connection - Downloading Code"; flow:established,to_server; content:"User-Agent|3A| PE-"; reference:url,doc.emergingthreats.net/2002695; classtype:trojan-activity; sid:2002695; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File Magic Bytes Flowbit Set"; flow:to_client,established; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; within:8; content:!".msi"; flowbits:set,OLE.CompoundFile; flowbits:noalert; classtype:protocol-command-decode; sid:2012520; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Status Upload ___"; flow: to_server,established; content:"|53 54 4f 52 20 5f 5f 5f 0d 0a|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001965; classtype:trojan-activity; sid:2001965; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JavaScript Obfuscation JSXX Script"; flow:established,to_client; file_data; content:"Encrypt "; content:"JSXX"; fast_pattern; distance:0; content:"VIP"; within:100; reference:cve,2012-0003; reference:url,eromang.zataz.com/2012/10/22/gong-da-gondad-exploit-pack-evolutions/; classtype:attempted-user; sid:2014155; rev:5; metadata:created_at 2012_01_28, updated_at 2012_01_28;)
 
-#alert tcp $HOME_NET any -> any 139 (msg:"ET DELETED BugBear@MM virus in Network share"; flow: established; content:"|24 48 fb bb ff e6 63 02 3a 20 41 70 61 63 68 65|"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; reference:url,doc.emergingthreats.net/2001765; classtype:misc-activity; sid:2001765; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access Video Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/video/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015834; rev:7; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Greeting card gif.exe email incoming HTTP"; flow: established,from_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001921; classtype:trojan-activity; sid:2001921; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel API Access Iframer Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/iframer/"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015827; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 8998 (msg:"ET DELETED Sobig.E-F Trojan Site Download Request"; dsize: 8; content:"|5c bf 01 29 ca 62 eb f1|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html; reference:url,doc.emergingthreats.net/2001547; classtype:trojan-activity; sid:2001547; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access IFramer Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/iframer/"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015828; rev:7; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE CLET polymorphic payload"; dsize: >40; content: "|74 07 eb|"; content: "|e8|"; distance: 1; within: 1; pcre: "/\xeb.[\x58-\x5b]\x31[\xc0\xc9\xd2\xdb][\xb0-\xb3].\x8b.[\x05\x2d\x35\x81\xc1]/sm"; pcre: "/[\x40-\x43\xfd\xff][\x40-\x43\xff][\x40-\x43\x80\xff][\x40-\x43\xe9-\xeb\xff\x80\x2c][\x40-\x43\x48-\x4b\xe9-\xeb\x01\x2c\x80][\x48-\x4c\xe9-\xeb\x02\x2c][\x03\x48-\x4b][\x48-\x4b]\x74\x07\xeb.\xe8.\xff\xff\xff/smR"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003117; classtype:shellcode-detect; sid:2003117; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel API Access VNC Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/vnc/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015829; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE ADMutate polymorphic payload"; dsize: >45; content: "|e8|"; content: "|ff ff ff|"; distance: 1; within: 3; pcre: "/\xeb[\x26-\x7a].{0,20}(\x5e|\x58\x96|\x58\x89\xc6|\x8b\x34\x24\x83\xec\x04).{0,20}(((\xbb....|\x68....\x5b).{0,20}(\x31\xc9|\x31\xc0\x91))|((\x31\xc9|\x31\xc0\x91).{0,20}(\xbb....|\x68....\x5b))).{0,20}(\xb1.|\x6a.\x58\x89\xc1|\x6a.\x66\x59).{0,20}(\x31\x1e|\x93\x31\x06\x93|\x8b\x06\x09\xd8\x21\x1e\xf7\x16\x21\x06).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}\xe2[\xa0-\xf9].{0,20}\xeb[\x06-\x20].{0,20}\xe8[\x7f-\xff]\xff\xff\xff/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003119; classtype:shellcode-detect; sid:2003119; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access VNC Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/vnc/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015830; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent|3a| unknown"; http_header; content:!".real.com|0d 0a|"; http_header; content:!".rhapsody.com|0D 0A|"; http_header; reference:url,doc.emergingthreats.net/2007567; classtype:trojan-activity; sid:2007567; rev:10; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_09_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel API Access Bot Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/bots/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015831; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (Zlob Related) (UA00000)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible"; http_header; content:"|3b| UA"; fast_pattern; http_header; pcre:"/User-Agent\:[^\n]+\; UA\d\d\d\d\d\;/H"; reference:url,doc.emergingthreats.net/2008083; classtype:trojan-activity; sid:2008083; rev:13; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access Bot Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/bots/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015832; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit Payload Download Request - Sep 04 2012"; flow:established,to_server; content:" Java/"; http_header; fast_pattern:only; urilen:>24; content:!".jar"; nocase; http_uri; content:"!.class"; nocase; http_uri; pcre:"/\/[A-Z]{20,}\?[A-Z]=\d$/Ui"; classtype:exploit-kit; sid:2015676; rev:3; metadata:created_at 2012_09_05, former_category EXPLOIT_KIT, updated_at 2012_09_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Citadel API Access Video Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/video/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015833; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Baigoo User Agent"; flow:established,to_server; content:"User-Agent|3A 20|BaiGoo Agent"; http_header; classtype:pup-activity; sid:2013405; rev:3; metadata:created_at 2011_08_11, former_category ADWARE_PUP, updated_at 2011_08_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus/Citadel Control Panel Access (Outbound)"; flow:established,to_server; content:".php?m=login"; fast_pattern:only; http_uri; nocase; content:"user="; depth:5; http_client_body; nocase; content:"pass="; http_client_body; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015825; rev:8; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED E2give Related Downloading IeBHOs.dll"; flow: to_server,established; content:"/downloads/IeBHOs.dll"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001415; classtype:trojan-activity; sid:2001415; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zeus/Citadel Control Panel Access (Inbound)"; flow:established,to_server; content:".php?m=login"; http_uri; fast_pattern:only; nocase; content:"user="; depth:5; http_client_body; nocase; content:"pass="; http_client_body; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015826; rev:8; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; content:"applet"; content:"myyu?44"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015679; rev:2; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2012_09_06;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|00 c8 b9 67 4e 25 75 e9 92|"; content:"|55 04 06 13 02 4e 4c|"; distance:0; content:"|55 04 07 0c 01 20|"; distance:0; content:"|55 04 03 0c 01 20|"; distance:0; classtype:exploit-kit; sid:2015837; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit with fast-flux like behavior static initial landing - Sep 05 2012"; flow:established,to_server; content:"/PJeHubmUD"; http_uri; classtype:exploit-kit; sid:2015682; rev:2; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2012_09_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/Applet.jar"; http_uri; fast_pattern:only; pcre:"/^\/Applet\.jar$/U"; classtype:exploit-kit; sid:2015841; rev:3; metadata:created_at 2012_10_25, former_category EXPLOIT_KIT, updated_at 2012_10_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit with fast-flux like behavior hostile java archive - Sep 05 2012"; flow:established,to_server; content:"pqvjdujfllkwl.jar"; http_uri; classtype:exploit-kit; sid:2015683; rev:2; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2012_09_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/beacon/"; http_uri; fast_pattern:only; pcre:"/\/beacon\/[a-f0-9]{8}\.htm$/U"; classtype:exploit-kit; sid:2015840; rev:3; metadata:created_at 2012_10_25, former_category EXPLOIT_KIT, updated_at 2012_10_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Split String Obfuscation of Eval 3"; flow:established,to_client; content:"ev|22|+|22|a"; pcre:"/(\x3D|\x5B\x22])ev\x22\x2B\x22a/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015014; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert udp $HOME_NET 5355 -> any any (msg:"ET INFO LLNMR query response to wpad"; content:"|80 00 00 01 00 01|"; offset:2; depth:6; content:"|04|wpad|00 00 01 00 01 04|wpad|00 00 01 00 01|"; distance:0; isdataat:7,relative; classtype:misc-activity; sid:2015842; rev:2; metadata:created_at 2012_10_25, updated_at 2012_10_25;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow"; flow:to_client,established; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; nocase; content:"String("; nocase; distance:0; pcre:"/^\s*?[0-9]{4}/R"; pcre:"/(SetBgColor|SetMovieName|SetTarget|SetMatrix|SetHREF)/Ri"; reference:bugtraq,27769; reference:cve,CVE-2008-0778; reference:url,www.milw0rm.com/exploits/5110; reference:url,doc.emergingthreats.net/2007878; classtype:web-application-attack; sid:2007878; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic Java Exploit Obfuscated With Allatori"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"Allatori"; nocase; fast_pattern:only; classtype:exploit-kit; sid:2014036; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_22, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Remote PHP Code Execution (php.pjpg)"; flow:established,to_server; content:"POST"; http_method; content:".php.pjpg"; fast_pattern:only; http_uri; nocase; reference:url,exploitsdownload.com/search/Arbitrary%20File%20Upload/27; classtype:web-application-attack; sid:2015688; rev:3; metadata:created_at 2012_09_08, updated_at 2012_09_08;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"_CONF"; nocase; http_uri; pcre:"/_CONF\[.*\]=(data|https?|ftps?|php)\:\//Ui"; reference:url,securitydot.net/xpl/exploits/vulnerabilities/articles/1122/exploit.html; reference:url,doc.emergingthreats.net/2002996; classtype:web-application-attack; sid:2002996; rev:9; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SpyEyeV1.3.48 Data Post to CnC - lol.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/lol.php"; http_uri; content:"data="; depth:5; http_client_body; reference:url,blogs.mcafee.com/mcafee-labs/latest-spyeye-botnet-active-and-cheaper; classtype:command-and-control; sid:2014669; rev:4; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus POST Request to CnC - URL agnostic"; flow:established,to_server; content:"POST"; nocase; http_method; content:" HTTP/1."; content:"|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a| Mozilla"; distance:1; within:34; fast_pattern; content:"|0D 0A|"; distance:0; content:"Content-Length|3a| "; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0D 0A|"; distance:0; content:"|3a| no-cache"; distance:0; content:"|0D 0A 0D 0A|"; distance:0; content:!"Content-Type|3a| "; http_header; content:!"NetflixId="; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2013976; rev:10; metadata:created_at 2011_12_01, former_category MALWARE, updated_at 2011_12_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Gbod.dv Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:"Opera/"; http_header; content:"Presto/"; http_header; fast_pattern; content:!"Accept|3a| "; http_header; content:"a="; http_client_body; content:"&b="; http_client_body; content:"&c="; http_client_body; classtype:command-and-control; sid:2013154; rev:5; metadata:created_at 2011_07_01, former_category MALWARE, updated_at 2011_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Metasploit CVE-2012-1723 Path (Seen in Unknown EK) 10/29/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"cve1723/"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:exploit-kit; sid:2015849; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_10_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category EXPLOIT_KIT, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SpyEye Post_Express_Label infection check-in"; flow:established,to_server; content:"/inst.php?id="; http_uri; content:"&lang="; http_uri; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012283; rev:4; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible SQLMAP Scan"; flow:established,to_server; content:" AND "; http_uri; content:"AND ("; http_uri; pcre:"/\x20AND\x20[0-9]{6}\x3D[0-9]{4}/U"; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/; classtype:attempted-recon; sid:2012755; rev:4; metadata:created_at 2011_04_29, updated_at 2011_04_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SpyEye Post_Express_Label infection activity multi-stage download confirmed success"; flow:established,to_server; content:"/load.php?file="; http_uri; content:"&luck="; http_uri; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012282; rev:4; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Metasploit CVE-2012-1723 Attacker.class (Seen in Unknown EK) 11/01/12"; flow:to_client,established; file_data; content:"<applet"; content:"Attacker.class"; distance:0; classtype:exploit-kit; sid:2015859; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_11_02, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sidelinker.com-Upspider.com Spyware Checkin"; flow:established,to_server; content:"/Pro/pro.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; pcre:"/\/Pro\/pro\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008157; classtype:pup-activity; sid:2008157; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/R 3"; within:200; pcre:"/^[\r\n\s]+((?!>>).)+?\/Length[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))/Rs"; classtype:trojan-activity; sid:2015867; rev:2; metadata:created_at 2012_11_07, updated_at 2012_11_07;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t"; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100674; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.ADDNEW (DarKDdoser) CnC 1"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|ddoser|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:command-and-control; sid:2015868; rev:2; metadata:created_at 2012_11_07, former_category MALWARE, updated_at 2012_11_07;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100675; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.ADDNEW (DarKDdoser) CnC 2"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|Zombie|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:command-and-control; sid:2015869; rev:2; metadata:created_at 2012_11_07, former_category MALWARE, updated_at 2012_11_07;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL sp_password password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:2100677; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.ADDNEW (DarKDdoser) CnC 3"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|Stable|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:command-and-control; sid:2015870; rev:2; metadata:created_at 2012_11_07, former_category MALWARE, updated_at 2012_11_07;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; nocase; classtype:attempted-user; sid:2100678; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/Length"; within:200; pcre:"/^[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))((?!>>).)+\/R\s+3[\r\n\s>]/Rs"; classtype:trojan-activity; sid:2015866; rev:4; metadata:created_at 2012_11_06, updated_at 2012_11_06;)
 
-alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"GPL SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; offset:83; reference:bugtraq,4797; reference:cve,2000-1209; classtype:attempted-user; sid:2100680; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET EXPLOIT_KIT Self-Signed SSL Cert Used in Conjunction with Neosploit"; flow:from_server,established; content:"|16 03 01|"; content:"|00 be d3 cf b1 fe a1 55 bf|"; distance:0; content:"webmaster@localhost"; distance:0; content:"|30 81 89 02 81 81 00 ac 12 38 fc 5c bf 7c 8c 18 e7 db 09 dc|"; distance:0; classtype:exploit-kit; sid:2015865; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_11_06, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100682; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Sakura Java applet with obfuscated URL Sep 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"nzzv@55"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015735; rev:3; metadata:created_at 2012_09_25, updated_at 2012_09_25;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_password - password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:2100683; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Alms backdoor checkin"; content:"/getnewv.php?keyword=google&id="; http_uri; nocase; fast_pattern; content:"Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| en-US)"; http_user_agent; flow:to_server,established; classtype:command-and-control; sid:2012803; rev:5; metadata:created_at 2011_05_11, former_category MALWARE, updated_at 2011_05_11;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|"; nocase; classtype:attempted-user; sid:2100684; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for Payload"; flow:established,to_server; content:".php?"; http_uri; content:"|3a|"; http_uri; fast_pattern; content:"|3a|"; distance:2; within:1; http_uri; content:"|3a|"; distance:2; within:1; http_uri; pcre:"/\.php\?[a-z]+=(([1-2][a-z]|3[0-9])\x3a){3,}([1-2][a-z]|3[0-9])&/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015872; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_08, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_adduser - database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; nocase; classtype:attempted-user; sid:2100685; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern:only; content:"Anony"; pcre:"/^(mous)?\.class/R"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015876; rev:3; metadata:created_at 2012_11_10, updated_at 2012_11_10;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL NETBIOS xp_reg* - registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:2100686; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Landing Page NOP String"; flow:established,to_client; file_data; content:" == -1 {|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0"; distance:0; reference:url,ondailybasis.com/blog/?p=1610; classtype:exploit-kit; sid:2015881; rev:3; metadata:created_at 2012_11_14, former_category EXPLOIT_KIT, updated_at 2012_11_14;)
 
-alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2100688; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Landing Page parseInt Javascript Replace"; flow:established,to_client; file_data; content:" = parseInt("; distance:0; content:".replace(|2F 5C 2E 7C 5C 5F 2F|g, ''))|3B|"; within:30; reference:url,ondailybasis.com/blog/?p=1610; classtype:exploit-kit; sid:2015882; rev:2; metadata:created_at 2012_11_14, former_category EXPLOIT_KIT, updated_at 2012_11_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL NETBIOS xp_reg* registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; depth:32; offset:32; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:2100689; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritXPack Landing Page"; flow:established,to_client; file_data; content:"<applet"; content:"a.Test"; fast_pattern; classtype:exploit-kit; sid:2015884; rev:2; metadata:created_at 2012_11_14, former_category EXPLOIT_KIT, updated_at 2012_11_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; offset:32; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100690; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CirtXPack - No Java URI - /a.Test"; flow:established,to_server; urilen:7; content:"/a.Test"; classtype:exploit-kit; sid:2015886; rev:2; metadata:created_at 2012_11_14, updated_at 2012_11_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; classtype:shellcode-detect; sid:2100692; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Downloader Checkin Url Detected"; flow:established,to_server; content:"??IP|3a|"; depth:100; content:"??IP|3a|"; distance:0; content:"????|3a|"; distance:0; pcre:"/IP\:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/U"; reference:url,doc.emergingthreats.net/2008766; classtype:trojan-activity; sid:2008766; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL MSSQL shellcode attempt 2"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:shellcode-detect; sid:2100693; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mac Flashback Checkin 3"; flow:to_server,established; content:"GET"; http_method; content:"/search?q="; http_uri; content:"&ua="; http_uri; distance: 0; content:"==&al="; http_uri; distance: 0; content:"&cv="; http_uri; distance:0; classtype:command-and-control; sid:2014599; rev:5; metadata:created_at 2012_04_17, former_category MALWARE, updated_at 2012_04_17;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:attempted-user; sid:2100694; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Image Viewer CP Gold Image2PDF Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"E589DA78-AD4C-4FC5-B6B9-9E47B110679E"; nocase; content:"|2e|Image2PDF"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*E589DA78-AD4C-4FC5-B6B9-9E47B110679E\s*}?\s*(.*)(\s|>)/si"; reference:url,www.exploit-db.com/exploits/15658/; classtype:attempted-user; sid:2012102; rev:4; metadata:created_at 2010_12_27, updated_at 2010_12_27;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; offset:32; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100696; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Advanced File Vault Activex Heap Spray Attempt"; flow:established,to_client; file_data; content:"|2e|GetWebStoreURL"; content:"clsid"; nocase; content:"25982EAA-87CC-4747-BE09-9913CF7DD2F1"; nocase; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*25982EAA-87CC-4747-BE09-9913CF7DD2F1\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14580/; classtype:attempted-user; sid:2012147; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; offset:32; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100697; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX dBpowerAMP Audio Player 2 FileExists Method ActiveX Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"BECB8EE1-6BBB-4A85-8DFD-099B7A60903A"; nocase; distance:0; content:"|2e|Enque"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*BECB8EE1-6BBB-4A85-8DFD-099B7A60903A\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14586/; classtype:attempted-user; sid:2012148; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; offset:32; nocase; reference:bugtraq,2042; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100698; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX FathFTP 1.8 EnumFiles Method ActiveX Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; distance:0; content:"|2e|EnumFiles"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*62A989CE-D39A-11D5-86F0-B9C370762176\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14552/; classtype:attempted-user; sid:2012133; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100699; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole Landing to 8 chr folder plus index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:20<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U"; classtype:bad-unknown; sid:2014521; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; offset:32; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100700; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK - Landing Page - FlashExploit"; flow:established,to_client; file_data; content:"FlashExploit()"; classtype:exploit-kit; sid:2015890; rev:3; metadata:created_at 2012_11_16, former_category EXPLOIT_KIT, updated_at 2012_11_16;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100701; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown FakeAV - /get/*.crp"; flow:established,to_server; content:"/get/"; http_uri; content:".crp"; http_uri; fast_pattern; classtype:trojan-activity; sid:2015894; rev:2; metadata:created_at 2012_11_20, updated_at 2012_11_20;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; offset:32; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100702; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - D.K - Title"; flow:established,to_client; file_data; content:"<title>"; content:" - D.K "; fast_pattern; distance:0; content:"</title>"; distance:0; classtype:bad-unknown; sid:2015917; rev:2; metadata:created_at 2012_11_21, updated_at 2012_11_21;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; offset:32; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100703; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header"; flow:established,to_client; file_data; content:"<span>Uname<br>User<br>Php<br>Hdd<br>Cwd</span>"; classtype:attempted-user; sid:2015918; rev:2; metadata:created_at 2012_11_21, updated_at 2012_11_21;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; nocase; reference:bugtraq,1204; reference:cve,2001-0542; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:2100704; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header w/colons"; flow:established,to_client; file_data; content:"<span>Uname|3a|<br>User|3a|<br>Php|3a|<br>Hdd|3a|<br>Cwd|3a|</span>"; classtype:attempted-user; sid:2015919; rev:3; metadata:created_at 2012_11_21, updated_at 2012_11_21;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100705; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Spam Campaign JPG CnC Link"; flow:established,to_client; file_data; content:"he1l0|3A|hxxp|3A|//"; distance:0; content:".jpg"; distance:0; reference:url,blog.fireeye.com/research/2012/11/more-phish.html; classtype:command-and-control; sid:2015921; rev:2; metadata:created_at 2012_11_21, former_category PHISHING, updated_at 2012_11_21;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100706; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument Uninitialized Memory Corruption CVE-2012-1889"; flow:to_client,established; file_data; content:"f6d90f11-9c73-11d3-b32e-00c04f990bb4"; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f6d90f11-9c73-11d3-b32e-00c04f990bb4/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2014938; rev:13; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100707; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument.4-6.0 Uninitialized Memory Corruption CVE-2012-1889"; flow:to_client,established; file_data; content:"88d96"; nocase; content:"-f192-11d4-a65f-0040963251e5"; distance:3; within:28; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*88d96(9c(0|1)|9e(5|6)|a0(5|6))-f192-11d4-a65f-0040963251e5/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2015555; rev:18; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; offset:32; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100708; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.FreeThreadedDOMDocument Uninitialized Memory Corruption Attempt"; flow:to_client,established; content:"f6d90f12-9c73-11d3-b32e-00c04f990bb4"; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f6d90f12-9c73-11d3-b32e-00c04f990bb4/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,2012-1889; classtype:attempted-user; sid:2015557; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_07_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET TELNET access"; flow:from_server,established; content:"|FF FD|"; rawbytes; content:"|FF FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,1999-0619; reference:nessus,10280; classtype:not-suspicious; sid:2100716; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole try eval prototype string splitting evasion Jul 24 2012"; flow:established,from_server; file_data; content:"try{eval(|22|p"; fast_pattern; content:"|3b|}catch("; within:30; classtype:trojan-activity; sid:2015525; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_25, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:2101390; rev:6; metadata:created_at 2010_09_23, former_category SHELLCODE, updated_at 2017_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Unknown - self-kill"; flow:established,to_client; file_data; content:"<a href=|22|?x=selfremove|22|>[Self-Kill]</a>"; classtype:web-application-activity; sid:2015925; rev:2; metadata:created_at 2012_11_24, updated_at 2012_11_24;)
 
-alert udp any any -> any 69 (msg:"GPL TFTP GET shadow"; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; classtype:successful-admin; sid:2101442; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent - Possible Trojan Downloader (cv_v5.0.0)"; flow:established,to_server; content:"cv_v"; depth:4; http_user_agent; nocase; reference:url,doc.emergingthreats.net/2007926; classtype:trojan-activity; sid:2007926; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2016_07_01;)
 
-alert udp any any -> any 69 (msg:"GPL TFTP GET passwd"; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; classtype:successful-admin; sid:2101443; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit Vulnerable Java Payload Request URI (1)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/33.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015930; rev:2; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2012_11_27;)
 
-alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login unicode attempt"; flow:from_server,established; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2103273; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit vulnerable Java Payload Request to URI (2)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/41.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015931; rev:2; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2012_11_27;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3198 (msg:"GPL WORM mydoom.a backdoor upload/execute attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; classtype:trojan-activity; sid:2103272; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET EXPLOIT_KIT Nuclear Exploit Kit HTTP Off-port Landing Page Request"; flow:established,to_server; urilen:35; content:"/t/"; depth:3; http_uri; pcre:"/\/t\/[a-f0-9]{32}$/U"; classtype:exploit-kit; sid:2015936; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_27, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103183; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Crimeboss - Java Exploit - Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"amor.class"; distance:0; classtype:exploit-kit; sid:2015943; rev:3; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP unsubscribe overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sUNSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103076; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Stats Access"; flow:established,to_server; content:".php?action=stats_access"; http_uri; classtype:exploit-kit; sid:2015944; rev:2; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP unsubscribe literal overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; pcre:"/\sUNSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103075; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Stats Java On"; flow:established,to_server; content:".php?action=stats_javaon"; http_uri; classtype:exploit-kit; sid:2015945; rev:2; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP subscribe overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103074; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Propack Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"propack/"; distance:0; classtype:exploit-kit; sid:2015949; rev:2; metadata:created_at 2012_11_28, updated_at 2012_11_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP subscribe literal overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; pcre:"/\sSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103073; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Nginx Server with no version string - Often Hostile Traffic"; flow:established,from_server; content:"|0d 0a|Server|3a| nginx|0d 0a|"; nocase; threshold:type limit, seconds 60, count 3, track by_src; reference:url,doc.emergingthreats.net/2008064; classtype:bad-unknown; sid:2008064; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP status overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; isdataat:100,relative; pcre:"/\sSTATUS\s[^\n]{100}/smi"; reference:bugtraq,11775; reference:bugtraq,13727; reference:cve,2005-1256; classtype:misc-attack; sid:2103072; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PDF /FlateDecode and PDF version 1.0"; flow:established,from_server; file_data; content:"%PDF-1.0"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:trojan-activity; sid:2015954; rev:2; metadata:created_at 2012_11_29, updated_at 2012_11_29;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP status literal overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; pcre:"/\sSTATUS\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103071; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT PDF /FlateDecode and PDF version 1.1 (seen in pamdql EK)"; flow:established,from_server; file_data; content:"%PDF-1.1"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:exploit-kit; sid:2015955; rev:2; metadata:created_at 2012_11_29, former_category CURRENT_EVENTS, updated_at 2012_11_29;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP fetch literal overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; pcre:"/\sFETCH\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103069; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Serenity Exploit Kit Landing Page HTML Header"; flow:established,to_client; file_data; content:"<head><title>Loading... Please wait<|2F|title><meta name=|22|robots|22| content=|22|noindex|22|><|2F|head>"; distance:0; classtype:exploit-kit; sid:2015956; rev:2; metadata:created_at 2012_11_29, former_category EXPLOIT_KIT, updated_at 2012_11_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP examine overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; isdataat:100,relative; pcre:"/\sEXAMINE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103068; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING PHISH Generic - Bank and Routing"; flow:established,to_server; content:"POST"; http_method; content:"bank"; http_client_body; nocase; content:"routing"; http_client_body; nocase; classtype:bad-unknown; sid:2015963; rev:3; metadata:created_at 2012_11_29, former_category INFO, updated_at 2012_11_29;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP examine literal overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; pcre:"/\sEXAMINE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103067; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DNS Query for Suspicious .com.ru Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|ru|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011407; rev:3; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2010_09_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP append overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; isdataat:100,relative; pcre:"/\sAPPEND\s[^\n]{256}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103066; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DNS Query for Suspicious .com.cn Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|cn|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011408; rev:3; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2010_09_28;)
 
-#alert tcp $HOME_NET 1020 -> $EXTERNAL_NET any (msg:"GPL DELETED Vampire 1.2 connection confirmation"; flow:from_server,established; flowbits:isset,backdoor.vampire_12.connect; content:"Vampire v1.2 Server On-Line....."; depth:32; classtype:misc-activity; sid:2103064; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DNS Query for Suspicious .co.kr Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|kr|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011411; rev:3; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2010_09_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 (msg:"GPL DELETED Vampire 1.2 connection request"; flow:to_server,established; content:"Hello..."; depth:8; flowbits:set,backdoor.vampire_12.connect; flowbits:noalert; classtype:misc-activity; sid:2103063; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus CnC Checkin POST to Config.php"; flow:established,to_server; content:"POST"; nocase; http_method; urilen:11; content:"/config.php"; http_uri; fast_pattern; content:"Accept|3A| */*"; http_header; content:"Content-Type|3A| application/x-www-form-urlencoded"; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B|"; http_header; reference:url,blog.fireeye.com/research/2012/04/zeus-takeover-leaves-undead-remains.html#more; classtype:command-and-control; sid:2014460; rev:5; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS NetScreen SA 5000 delhomepage.cgi access"; flow:to_server,established; content:"/delhomepage.cgi"; http_uri; reference:bugtraq,9791; classtype:web-application-activity; sid:2103062; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Zuponcic EK Payload Request"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"|29 20|Java/1"; http_header; content:"/"; http_uri; content:"i=2ZI"; fast_pattern; http_client_body; depth:5; classtype:exploit-kit; sid:2015970; rev:11; metadata:created_at 2012_11_30, updated_at 2012_11_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"GPL DELETED distccd command execution attempt"; flow:to_server,established; content:"DIST00000001"; depth:12; nocase; reference:url,distcc.samba.org/security.html; classtype:misc-activity; sid:2103061; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Zuponcic EK Java Exploit Jar"; flow:established,from_server; file_data; content:"PK"; within:2; content:"FlashPlayer.class"; distance:0; content:".SF"; content:".RSA"; classtype:exploit-kit; sid:2015971; rev:9; metadata:created_at 2012_11_30, updated_at 2012_11_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"GPL DELETED TLSv1 Client_Hello via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2103059; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PHISH Gateway POST to gateway-p"; flow:established,to_server; content:"POST"; http_method; content:"/gateway-p"; http_uri; classtype:bad-unknown; sid:2015973; rev:2; metadata:created_at 2012_11_30, updated_at 2012_11_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP copy literal overflow attempt"; flow:established,to_server; content:"COPY"; nocase; pcre:"/\sCOPY\s[^\n]*?\{/smi"; byte_test:5,>,1024,0,string,dec,relative; reference:bugtraq,1110; classtype:misc-attack; sid:2103058; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritXPack - Landing Page"; flow:established,from_server; file_data; content:"|7C|pdfver|7C|"; content:"|7C|applet|7C|"; classtype:exploit-kit; sid:2015979; rev:1; metadata:created_at 2012_12_04, former_category EXPLOIT_KIT, updated_at 2012_12_04;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; isdataat:4,relative; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103021; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Corpsespyware.net Blind Data Upload"; flow:to_server,established; content:"/images/data.php?"; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002774; classtype:trojan-activity; sid:2002774; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP delete literal overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; pcre:"/\sDELETE\s[^\n]*?\{/smi"; byte_test:5,>,100,0,string,dec,relative; reference:bugtraq,11675; classtype:misc-attack; sid:2103008; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL MySQL Remote FAST Account Password Cracking"; flow:to_server,established; content:"|11|"; offset:3; depth:4; threshold:type both,track by_src,count 100,seconds 1; reference:url,www.securityfocus.com/archive/1/524927/30/0/threaded; classtype:protocol-command-decode; sid:2015986; rev:5; metadata:created_at 2012_12_05, updated_at 2012_12_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP delete overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; isdataat:100,relative; pcre:"/\sDELETE\s[^\n]{100}/smi"; reference:bugtraq,11675; classtype:misc-attack; sid:2103007; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Stats Load Fail"; flow:established,to_server; content:"?action=stats_loadfail"; http_uri; classtype:exploit-kit; sid:2015988; rev:2; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; within:1; distance:4; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102999; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit - Potential Java Exploit Requested - 3 digit jar"; flow:established,to_server; urilen:6<>9; content:".jar"; http_uri; pcre:"/^\/[0-9]{3}\.jar$/U"; classtype:exploit-kit; sid:2015989; rev:2; metadata:created_at 2012_12_06, former_category EXPLOIT_KIT, updated_at 2012_12_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102998; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET INFO MySQL Database Query Version OS compile"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"select |40 40|version_compile_os"; nocase; pcre:"/SELECT @@version_compile_os\s*?\x3b/i"; classtype:misc-activity; sid:2015994; rev:2; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102997; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET 3389 -> any any (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn/Ack Outbound Flowbit Set"; flow:from_server; flags:SA; flowbits:isnotset,ms.rdp.synack; flowbits:set,ms.rdp.synack; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014385; rev:5; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102996; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Google Chrome Update/Install"; flow:established,to_server; content:"/chrome/google_chrome_"; http_uri; content:".exe"; http_uri; distance:0; pcre:"/\/chrome\/google_chrome_(update|installer)\.exe$/U"; reference:url,www.barracudanetworks.com/blogs/labsblog?bid=3108; reference:url,www.bluecoat.com/security-blog/2012-12-05/blackhole-kit-doesnt-chrome; classtype:trojan-activity; sid:2015997; rev:3; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102995; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Techique DUMP INTO executable)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"SELECT data FROM"; nocase; distance:0; content:"INTO DUMPFILE"; nocase; distance:0; content:"c|3a|/windows/system32/"; nocase; fast_pattern; content:".exe"; nocase; distance:0; pcre:"/SELECT data FROM [^\x20]+?\x20INTO DUMPFILE [\x27\x22]c\x3a\/windows\/system32\/[a-z0-9_-]+?\.exe[\x27\x22]/i"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015995; rev:4; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102994; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED probable malicious Glazunov Javascript injection"; flow:established,from_server; content:"|22|,|22|"; content:"|22|)|3b|</script></body>"; distance:64; within:83; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014753; rev:5; metadata:created_at 2012_05_17, updated_at 2012_05_17;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102993; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 1"; flow:established,to_client; content:"|0d 0a 0d 0a|PK"; content:"|2f|Gondvv.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015655; rev:5; metadata:created_at 2012_08_29, updated_at 2012_08_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102992; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 2"; flow:established,to_client; content:"|0d 0a 0d 0a|PK"; content:"|2f|Gondzz.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015656; rev:4; metadata:created_at 2012_08_29, updated_at 2012_08_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102991; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Quarian HTTP Proxy Header"; flow:established,to_server; content:"Content_length|3A 20|"; http_header; content:"Proxy-Connetion|3A 20|"; http_header; reference:url,vrt-blog.snort.org/2012/12/quarian.html; classtype:trojan-activity; sid:2015999; rev:2; metadata:created_at 2012_12_08, updated_at 2012_12_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102964; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs)"; flow:established,to_client; file_data; content:"%PDF-1."; within:7; pcre:"/^[0-4][^0-9]/R"; content:"/XFA"; distance:0; fast_pattern; pcre:"/^[\r\n\s]*[\d\x5b]/R"; classtype:exploit-kit; sid:2016001; rev:5; metadata:created_at 2012_12_08, former_category CURRENT_EVENTS, updated_at 2012_12_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102965; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fake AV base64 affid initial Landing or owned Check-In, asset owned if /callback/ in URI"; flow:established,to_server; content:"/?"; http_uri; content:"=YWZmaWQ9"; http_uri; classtype:trojan-activity; sid:2015649; rev:3; metadata:created_at 2012_08_22, updated_at 2012_08_22;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102966; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Embedded Open Type Font file .eot seeing at Cool Exploit Kit"; flow:established,to_client; file_data; content:"|02 00 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40 00|D|00|e|00|x|00|t|00|e|00|r|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:exploit-kit; sid:2016018; rev:2; metadata:created_at 2012_12_12, former_category CURRENT_EVENTS, updated_at 2012_12_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102967; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MALVERTISING FlashPost - Redirection IFRAME"; flow:established,to_client; file_data; content:"{|22|iframe|22 3a|true,|22|url|22|"; within:20; classtype:bad-unknown; sid:2016022; rev:2; metadata:created_at 2012_12_13, former_category CURRENT_EVENTS, updated_at 2012_12_13;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2102384; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit -Java Atomic Exploit Downloaded"; flow:established,to_client; file_data; content:"PK"; within:2; content:"msf|2f|x|2f|"; distance:0; classtype:bad-unknown; sid:2016028; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_12_13, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2102401; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NVIDIA Install Application ActiveX Control AddPackages Unicode Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"A9C8F210-55EB-4849-8807-EC49C5389A79"; nocase; distance:0; content:".AddPackages"; nocase; distance:0; reference:url,packetstormsecurity.org/files/118648/NVIDIA-Install-Application-2.1002.85.551-Buffer-Overflow.html; classtype:attempted-user; sid:2016041; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_14, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102960; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Downloader Checkin Pattern Used by Several Trojans"; flow:established,to_server; content:".php?"; http_uri; content:"uid="; http_uri; content:"&gid="; http_uri; content:"&cid="; http_uri; content:"&rid="; http_uri; content:"&sid="; http_uri; reference:url,doc.emergingthreats.net/2008143; classtype:trojan-activity; sid:2008143; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102956; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.boCheMan-A/Dexter"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/gateway.php"; http_uri; content:"page="; depth:5; http_client_body; content:"&unm="; fast_pattern:only; http_client_body; content:"&cnm="; http_client_body; content:"&query="; http_client_body; reference:md5,ccc99c9f07e7be0f408ef3a68a9da298; classtype:trojan-activity; sid:2016019; rev:5; metadata:created_at 2012_10_06, updated_at 2012_10_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102961; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Prinimalka Get Task CnC Beacon"; flow:established,to_server; content:"/command?user_id="; fast_pattern; http_uri; content:"&version_id="; http_uri; content:"&crc="; http_uri; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:command-and-control; sid:2016047; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102957; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Prinimalka Configuration Update Request"; flow:established,to_server; content:"/options?user_id="; http_uri; content:"&version_id="; http_uri; content:"&crc="; http_uri; content:"&uptime="; http_uri; content:"&port="; http_uri; content:"&ip="; http_uri; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:trojan-activity; sid:2016048; rev:2; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102988; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Prinimalka Prinimalka.py Script In CnC Beacon"; flow:established,to_server; content:"/prinimalka.py/"; http_uri; fast_pattern:only; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:command-and-control; sid:2016049; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102984; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any ->  $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - Payload Download Received"; flow:established,to_client; content:".exe.crypted"; http_header; fast_pattern; content:"attachment"; http_header; classtype:exploit-kit; sid:2016053; rev:2; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102989; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - flsh.html"; flow:established,to_server; urilen:>80; content:"/flsh.html"; http_uri; classtype:exploit-kit; sid:2016056; rev:2; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102985; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Daws/Sanny CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/write.php"; http_uri; fast_pattern; content:"Accept-Language|3A| ko-kr"; http_header; content:"db="; http_client_body; depth:3; content:"&ch="; distance:0; http_client_body; content:"&name="; distance:0; http_client_body; content:"&email="; http_client_body; distance:0; content:"&pw="; http_client_body; distance:0; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; classtype:command-and-control; sid:2016051; rev:5; metadata:created_at 2012_12_18, former_category MALWARE, updated_at 2022_05_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login literal format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2102665; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - Server Response - Application Error"; flow:established,to_client; content:"X-Powered-By|3a| Application Error...."; http_header; classtype:exploit-kit; sid:2016054; rev:3; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101324; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Chapro.A Malicious Apache Module CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"c="; http_client_body; depth:2; content:"&version="; http_client_body; distance:0; content:"&uname="; fast_pattern; http_client_body; distance:0; reference:url,blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a; classtype:command-and-control; sid:2016062; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101326; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Kazy/Kryptor/Cycbot Trojan Checkin 3"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?pr="; fast_pattern; http_uri; content:!"Accept|3a|"; http_header; pcre:"/\.(jpg|png|gif|cgi)\?pr=/U"; classtype:trojan-activity; sid:2013866; rev:6; metadata:created_at 2011_11_08, updated_at 2011_11_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101327; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SofosFO 20 Dec 12 - .jar file request"; flow:established,to_server; urilen:>44; content:".jar"; offset:38; http_uri; content:"Java/1."; http_user_agent; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.jar$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016071; rev:4; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"GPL WEB_SERVER Compaq Insight directory traversal"; flow:to_server,established; content:"../../../"; reference:arachnids,244; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:2101199; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SofosFO 20 Dec 12 - .pdf file request"; flow:established,to_server; urilen:>44; content:".pdf"; offset:38; http_uri; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.pdf$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016072; rev:3; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102982; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible HP ALM XGO.ocx ActiveX Control SetShapeNodeType method Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"C3B92104-B5A7-11D0-A37F-00A0248F0AF1"; nocase; distance:0; content:".SetShapeNodeType("; nocase; distance:0; reference:url,packetstormsecurity.org/files/116848/HP-ALM-Remote-Code-Execution.html; classtype:attempted-user; sid:2016084; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_21, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102983; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Cyme ChartFX client server ActiveX Control ShowPropertiesDialog arbitrary code execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"E9DF30CA-4B30-4235-BF0C-7150F646606C"; nocase; distance:0; content:"ShowPropertiesDialog"; nocase; distance:0; reference:url,packetstormsecurity.org/files/117137/Cyme-ChartFX-Client-Server-Array-Indexing.html; classtype:attempted-user; sid:2016085; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_21, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2102978; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Medialoads.com Spyware Reporting (download.cgi)"; flow: to_server,established; content:"/dw/cgi/download.cgi?"; nocase; http_uri; content:"sn="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001508; classtype:trojan-activity; sid:2001508; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2102979; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Drupal Mass Injection Campaign Inbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016098; rev:2; metadata:created_at 2012_12_28, former_category CURRENT_EVENTS, updated_at 2012_12_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102974; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Drupal Mass Injection Campaign Outbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016099; rev:2; metadata:created_at 2012_12_28, former_category CURRENT_EVENTS, updated_at 2012_12_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102975; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Page"; flow:established,from_server; file_data; content:"<applet"; content:"site.A.class"; within:300; classtype:exploit-kit; sid:2016106; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2102496; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Download antivirus-installer.exe"; flow:to_server,established; content:"/antivirus-install.exe"; http_uri; classtype:trojan-activity; sid:2016110; rev:3; metadata:created_at 2012_12_29, updated_at 2012_12_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102491; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Advantech Studio ISSymbol ActiveX Control Multiple Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"3c9dff6f-5cb0-422e-9978-d6405d10718f"; nocase; distance:0; content:"InternationalSeparator"; nocase; distance:0; reference:url,securityfocus.com/bid/47596; classtype:attempted-user; sid:2016118; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2102385; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.FakeFlashPlayer Clientregister.php CnC Beacon"; flow:established,to_server; content:"/clientregister.php?type="; http_uri; content:"&uniqid="; http_uri; content:"&winver="; http_uri; content:"&compusername="; http_uri; content:"&compnetname="; http_uri; classtype:command-and-control; sid:2016124; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102954; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.FakeFlashPlayer Bitensiteler CnC Beacon"; flow:established,to_server; content:".php?type="; http_uri; content:"&uniqid="; http_uri; content:"&langid="; http_uri; content:"&ver="; http_uri; content:"bitensiteler="; http_uri; classtype:command-and-control; sid:2016126; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102955; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.FakeFlashPlayer Kelimeid CnC Beacon"; flow:established,to_server; content:".php?type="; http_uri; content:"&kelimeid"; http_uri; content:"&gecenzaman="; http_uri; content:"&gezilensayfa="; http_uri; content:"&delcookies="; http_uri; classtype:command-and-control; sid:2016127; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102968; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; classtype:exploit-kit; sid:2016128; rev:2; metadata:created_at 2012_12_29, former_category CURRENT_EVENTS, updated_at 2012_12_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102969; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Escaped Unicode Char in Location CVE-2012-4792 EIP (Exploit Specific replace)"; flow:established,from_server; file_data; content:"jj2Ejj6Cjj6Fjj63jj61jj74jj69jj6Fjj6Ejj20jj3Djj20jj75jj6Ejj65jj73jj63jj61jj70jj65jj28jj22jj25jj75"; nocase; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016133; rev:3; metadata:created_at 2012_12_30, former_category CURRENT_EVENTS, updated_at 2012_12_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102970; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Escaped Unicode Char in Location CVE-2012-4792 EIP % Hex Encode"; flow:established,from_server; file_data; content:"%2e%6c%6f%63%61%74%69%6f%6e%20%3d%20%75%6e%65%73%63%61%70%65%28%22%25%75"; nocase; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016134; rev:3; metadata:created_at 2012_12_30, former_category CURRENT_EVENTS, updated_at 2012_12_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102971; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PTUNNEL OUTBOUND"; itype:8; icode:0; content:"|D5 20 08 80|"; depth:4; reference:url,github.com/madeye/ptunnel; reference:url,cs.uit.no/~daniels/PingTunnel/#protocol; classtype:protocol-command-decode; sid:2016145; rev:2; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2102402; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PTUNNEL INBOUND"; itype:0; icode:0; content:"|D5 20 08 80|"; depth:4; reference:url,github.com/madeye/ptunnel; reference:url,cs.uit.no/~daniels/PingTunnel/#protocol; classtype:protocol-command-decode; sid:2016146; rev:3; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102962; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion Load method Stack-based Unicode Buffer Overload SEH"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"EEA36793-F574-4CC1-8690-60E3511CFEAA"; nocase; distance:0; content:".Load"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119022/Sony-PC-Companion-2.1-Load-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016160; rev:3; metadata:created_at 2013_01_05, updated_at 2013_01_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102958; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion CheckCompatibility method Stack-based Unicode Buffer Overload"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"A70D160E-E925-4207-803B-A0D702BEDF46"; nocase; distance:0; content:".CheckCompatibility"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119023/Sony-PC-Companion-2.1-CheckCompatibility-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016161; rev:3; metadata:created_at 2013_01_05, updated_at 2013_01_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102963; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion Admin_RemoveDirectory Stack-based Unicode Buffer Overload SEH"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"BBB7AA7C-DCE4-4F85-AED3-72FE3BCA4141"; nocase; distance:0; content:".Admin_RemoveDirectory"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119024/Sony-PC-Companion-2.1-Admin_RemoveDirectory-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016162; rev:3; metadata:created_at 2013_01_05, updated_at 2013_01_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102959; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Microsoft - 199.2.137.0/24"; content:"|00 01 00 01|"; content:"|00 04 c7 02 89|"; distance:4; within:5; classtype:trojan-activity; sid:2016102; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2102951; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Microsoft - 207.46.90.0/24"; content:"|00 01 00 01|"; content:"|00 04 cf 2e 5a|"; distance:4; within:5; classtype:trojan-activity; sid:2016103; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102990; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:"/cb.php?action="; http_uri; classtype:exploit-kit; sid:2016169; rev:3; metadata:created_at 2013_01_08, updated_at 2013_01_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102986; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - JSP RAT"; flow:established,to_client; file_data; content:"<table id=\"filetable\" class=\"filelist\" cellspacing=\"1px\" cellpadding=\"0px\">"; classtype:attempted-user; sid:2016151; rev:3; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102987; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - JSP File Admin"; flow:established,to_client; file_data; content:"<h2>(L)aunch external program</h2>"; classtype:attempted-user; sid:2016152; rev:4; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:2100574; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; pcre:"/\/[0-9]{3}\.jar/"; pcre:"/\/[0-9]{3}\.pdf/"; classtype:exploit-kit; sid:2016174; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /bin/ls command attempt"; flow:to_server,established; content:"/bin/ls"; http_uri; nocase; classtype:web-application-attack; sid:2101369; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 1"; content:"|30|"; depth:1; byte_test:1,!&,0x80,0,relative,big; content:"|02|"; distance:1; within:1; byte_test:1,!&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016178; rev:2; metadata:created_at 2013_01_09, updated_at 2013_01_09;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /bin/ls| command attempt"; flow:to_server,established; content:"/bin/ls|7C|"; http_uri; nocase; classtype:web-application-attack; sid:2101368; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 2"; content:"|30|"; depth:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|02|"; distance:-129; within:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; distance:-129; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016179; rev:2; metadata:created_at 2013_01_09, updated_at 2013_01_09;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /bin/ps command attempt"; flow:to_server,established; content:"/bin/ps"; http_uri; nocase; classtype:web-application-attack; sid:2101328; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 4"; content:"|30|"; depth:1; byte_test:1,!&,0x80,0,relative,big; content:"|02|"; distance:1; within:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; distance:-129; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016181; rev:2; metadata:created_at 2013_01_09, updated_at 2013_01_09;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /etc/inetd.conf access"; flow:to_server,established; content:"/etc/inetd.conf"; http_uri; nocase; classtype:web-application-activity; sid:2101370; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT probable malicious Glazunov Javascript injection"; flow:established,from_server; file_data; content:"(|22|"; distance:0; content:"|22|))|3b|"; distance:52; within:106; content:")|3b|</script></body>"; within:200; fast_pattern; pcre:"/\(\x22[0-9\x3a\x3b\x3c\x3d\x3e\x3fa-k]{50,100}\x22\).{0,200}\)\x3b<\/script><\/body>/s"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015977; rev:7; metadata:created_at 2012_12_04, updated_at 2012_12_04;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /etc/motd access"; flow:to_server,established; content:"/etc/motd"; http_uri; nocase; classtype:web-application-activity; sid:2101371; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|000"; content:"height=|22|000"; classtype:exploit-kit; sid:2016190; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; http_uri; nocase; classtype:web-application-activity; sid:2101372; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK - Landing Page Received"; flow:established,to_client; file_data; content:"<div id=|22|heap_allign|22|></div>"; classtype:exploit-kit; sid:2016191; rev:6; metadata:created_at 2013_01_12, former_category EXPLOIT_KIT, updated_at 2013_01_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; http_uri; nocase; classtype:web-application-attack; sid:2101332; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Honeywell Tema Remote Installer ActiveX DownloadFromURL method Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"E01DF79C-BE0C-4999-9B13-B5F7B2306E9B"; nocase; distance:0; content:".DownloadFromURL"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119427/Honeywell-Tema-Remote-Installer-ActiveX-Remote-Code-Execution.html; classtype:attempted-user; sid:2016197; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /usr/bin/perl execution attempt"; flow:to_server,established; content:"/usr/bin/perl"; http_uri; nocase; classtype:web-application-attack; sid:2101355; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/?affid="; depth:8; http_uri; content:"&promo_type="; http_uri; content:"&promo_opt="; http_uri; pcre:"/^\/\?affid=\d+&promo_type=\d+&promo_opt=\d+$/U"; reference:md5,527e115876d0892c9a0ddfc96e852a16; classtype:trojan-activity; sid:2016075; rev:3; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER bin/python access attempt"; flow:to_server,established; content:"bin/python"; http_uri; nocase; classtype:web-application-attack; sid:2101349; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DELETED DNS Reply Sinkhole - zeus.redheberg.com - 95.130.14.32"; content:"|00 01 00 01|"; content:"|00 04 5f 82 0e 20|"; distance:4; within:6; classtype:trojan-activity; sid:2016105; rev:3; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100920; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit CVE-2013-0422 Landing Page"; flow:established,from_server; file_data; content:"<title>Loading, Please Wait...</title>"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{8}\.jar/"; classtype:attempted-user; sid:2016227; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_17, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource password attempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100919; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability"; flow:to_client,established; file_data; content:"45E66957-2932-432A-A156-31503DF0A681"; nocase; distance:0; content:".LaunchTriPane("; nocase; distance:0; reference:url,packetstormsecurity.com/files/117293/KeyHelp-ActiveX-LaunchTriPane-Remote-Code-Execution.html; classtype:attempted-user; sid:2016236; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100909; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Samsung Kies ActiveX PrepareSync method Buffer overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"EA8A3985-F9DF-4652-A255-E4E7772AFCA8"; nocase; distance:0; content:".PrepareSync"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119423/Samsung-Kies-2.5.0.12114_1-Buffer-Overflow.html; classtype:attempted-user; sid:2016237; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100923; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible JKDDOS download b.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/b.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012466; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /_vti_bin/ access"; flow:to_server,established; content:"/_vti_bin/"; http_uri; nocase; reference:nessus,11032; classtype:web-application-activity; sid:2101288; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"KeyHelp.KeyScript"; nocase; distance:0; content:".LaunchTriPane("; nocase; distance:0; reference:url,packetstormsecurity.com/files/117293/KeyHelp-ActiveX-LaunchTriPane-Remote-Code-Execution.html; classtype:attempted-user; sid:2016235; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER _vti_rpc access"; flow:to_server,established; content:"/_vti_rpc"; http_uri; nocase; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:2100937; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED pamdql/Sweet Orange delivering hostile XOR trojan payload from robots.php"; flow:established,to_server; content:"/robots.php?"; http_uri; classtype:exploit-kit; sid:2016092; rev:3; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER ISAPI .printer access"; flow:to_server,established; content:".printer"; http_uri; nocase; reference:arachnids,533; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx; classtype:web-application-activity; sid:2100971; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Symlink_Sa"; flow:established,to_client; file_data; content:"<title>Symlink_Sa"; classtype:bad-unknown; sid:2016244; rev:2; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER SAM Attempt"; flow:to_server,established; content:"sam._"; http_uri; nocase; reference:url,www.ciac.org/ciac/bulletins/h-45.shtml; classtype:web-application-attack; sid:2100988; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT StyX Landing Page"; flow:established,from_server; file_data; content:"|22|pdfx.ht|5C|x6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016247; rev:6; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; http_uri; classtype:web-application-attack; sid:2101002; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header"; flow:established,to_client; file_data; content:"<b>Software|3a|"; content:"<b>uname -a|3a|"; content:"<b>uid="; classtype:bad-unknown; sid:2016245; rev:3; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER .htpasswd access"; flow:to_server,established; content:".htpasswd"; nocase; classtype:web-application-attack; sid:2101071; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Red Dot Exploit Kit Binary Payload Request"; flow:established,to_server; content:"/load.php?guid="; http_uri; content:"&thread="; http_uri; content:"&exploit="; http_uri; content:"&version="; http_uri; content:"&rnd="; http_uri; reference:url,malware.dontneedcoffee.com/; classtype:exploit-kit; sid:2016255; rev:2; metadata:created_at 2013_01_24, former_category EXPLOIT_KIT, updated_at 2013_01_24;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER apache directory disclosure attempt"; flow:to_server,established; content:"////////"; depth:200; reference:bugtraq,2503; classtype:attempted-dos; sid:2101156; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 1"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/start.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016257; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER apache source.asp file access"; flow:to_server,established; content:"/site/eg/source.asp"; http_uri; nocase; reference:bugtraq,1457; reference:cve,2000-0628; reference:nessus,10480; classtype:attempted-recon; sid:2101110; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 2"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/setup.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016258; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER ls%20-l"; flow:to_server,established; content:"ls%20-l"; nocase; classtype:attempted-recon; sid:2101118; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 3"; flow:to_server,established; content:"GET"; http_method; urilen:11; content:"/search.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016259; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SPECIFIC_APPS oracle web arbitrary command execution attempt"; flow:to_server,established; content:"/ows-bin/"; nocase; http_uri; content:"?&"; http_uri; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-attack; sid:2101193; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 4"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/main.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016260; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; nocase; classtype:web-application-attack; sid:2101060; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 5"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/login.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016261; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL TO_CHAR buffer overflow attempt"; flow:to_server,established; content:"TO_CHAR"; nocase; pcre:"/TO_CHAR\s*\(\s*SYSTIMESTAMP\s*,\s*(\x27[^\x27]{256}|\x22[^\x22]{256})/smi"; classtype:attempted-user; sid:2102699; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 6"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/main.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016262; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL create file buffer overflow attempt"; flow:to_server,established; content:"create"; nocase; content:"file "; nocase; isdataat:512; pcre:"/CREATE\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2102698; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 7"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/welcome.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016263; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL ctxsys.driddlr.subindexpopulate buffer overflow attempt"; flow:to_server,established; content:"ctxsys.driddlr.subindexpopulate"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\d+\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102680; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 8"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/file.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016264; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_grouped_column"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102768; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 10"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/home.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016266; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Admin bhadmin.php access Inbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015661; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 11"; flow:to_server,established; content:"GET"; http_method; urilen:11; content:"/online.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016267; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED login format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2102664; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 12"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/install.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016268; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP Overflow Attempt"; flow:to_server,established; content:"|E8 C0 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:2100293; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"Confuser.class"; classtype:exploit-kit; sid:2016277; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_25, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED auth literal overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0005; classtype:misc-attack; sid:2101930; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"ConfusingClassLoader.class"; classtype:exploit-kit; sid:2016276; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_25, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET POLICY DNS Update From External net"; byte_test:1,!&,128,2; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,!&,16,2; byte_test:1,&,8,2; reference:url,doc.emergingthreats.net/2009702; classtype:policy-violation; sid:2009702; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Aloaha PDF Crypter activex SaveToFile method arbitrary file overwrite"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"B1E7505E-BBFD-42BF-98C9-602205A1504C"; nocase; distance:0; content:".SaveToFile"; nocase; distance:0; reference:url,exploit-db.com/exploits/24319/; classtype:attempted-user; sid:2016286; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_25, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.md2.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.sdo_code_size"; nocase; isdataat:512,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2102683; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RevProxy - ClickFraud - MIDUIDEND"; flow:established,to_server; dsize:46; content:"MID"; depth:3; content:"UID"; distance:32; within:3; content:"END"; distance:5; within:3; classtype:trojan-activity; sid:2016293; rev:2; metadata:created_at 2013_01_26, updated_at 2013_01_26;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.md2.validate_geom buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.validate_geom"; nocase; isdataat:500,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{128,}\x27|\x22[^\x22]{128,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,})|\(\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,}))/si"; classtype:attempted-user; sid:2102682; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fun Web Products Adware Agent Traffic"; flow: to_server,established; content:"FunWebProducts|3b|"; nocase; http_header; threshold: type limit, track by_src, count 2, seconds 360; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001034; classtype:policy-violation; sid:2001034; rev:23; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.sdo_admin.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.sdo_admin.sdo_code_size"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102681; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT JDB Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"Adobe Flash must be updated to view this"; content:"/lib/adobe.php?id="; distance:0; fast_pattern; pcre:"/^[a-f0-9]{32}/R"; classtype:exploit-kit; sid:2016307; rev:6; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2013_01_30;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL numtoyminterval buffer overflow attempt"; flow:to_server,established; content:"numtoyminterval"; nocase; pcre:"/numtoyminterval\s*\(\s*\d+\s*,\s*(\x27[^\x27]{32}|\x22[^\x22]{32})/smi"; classtype:attempted-user; sid:2102700; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 3"; content:"Portable SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Portable SDK for UPnP devices(\/?\s*$|\/1\.([0-5]\..|8\.0.|(6\.[0-9]|6\.1[0-7])))/m"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959; classtype:successful-recon-limited; sid:2016304; rev:2; metadata:created_at 2013_01_30, updated_at 2013_01_30;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL service_name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|service_name="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck52.html; classtype:attempted-user; sid:2102649; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 2"; content:"Intel SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Intel SDK for UPnP devices/mi"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959; classtype:successful-recon-limited; sid:2016303; rev:4; metadata:created_at 2013_01_30, updated_at 2013_01_30;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aq_import_internal.aq_table_defn_update"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*qt_name[\r\n\s]*=>[\r\n\s]*\2|qt_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102695; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Linux/SSHDoor.A User Login CnC Beacon"; flow:established,to_server; content:"sid="; http_uri; content:"|3A|"; http_uri; content:"&uname="; http_uri; reference:url,blog.eset.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords; classtype:command-and-control; sid:2016315; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_01_30, deployment Perimeter, signature_severity Major, tag c2, updated_at 2013_01_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_get_nrp"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102694; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5963 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*uuid\x3a[^\r\n\x3a]{181}/Ri"; reference:cve,CVE-2012-5963; classtype:attempted-dos; sid:2016323; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_no_queue"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102693; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 20192 (msg:"ET DELETED Ranky or variant backdoor communication ping"; dsize:<6; reference:url,www.sophos.com/virusinfo/analyses/trojranckcx.html; reference:url,www.iss.net/threats/W32.Trojan.Ranky.FV.html; classtype:trojan-activity; sid:2002728; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm_sys.verify_queue_types"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102692; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura/RedKit obfuscated URL"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!<\/applet>).)+?\/.{1,12}\/.{1,12}\x3a.{1,12}p.{1,12}t.{1,12}t.{1,12}h/Rs"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015858; rev:3; metadata:created_at 2012_11_01, former_category EXPLOIT_KIT, updated_at 2012_11_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_internal_sys.parallel_push_recovery"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*destination[\r\n\s]*=>[\r\n\s]*\2|destination\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102691; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Landing Applet With Getmyfile.exe Payload"; flow:established,to_client; file_data; content:"<applet"; distance:0; content:"value="; distance:0; content:"/getmyfile.exe?o="; distance:0; nocase; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:exploit-kit; sid:2016353; rev:2; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2013_02_05;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_repcat.enable_propagation_to_dblink"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*dblink[\r\n\s]*=>[\r\n\s]*\2|dblink\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102690; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> 212.26.42.47 9090 (msg:"ET DELETED Possible ProFTPD Backdoor Initiate Attempt"; flow:to_server; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url,sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; classtype:trojan-activity; sid:2011992; rev:3; metadata:created_at 2010_12_02, updated_at 2010_12_02;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.disable_receiver_trace"; nocase; isdataat:1024; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102689; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Variant"; flow:established,to_server; content:"GET"; http_method; content:"/search/"; http_uri; content:".php?i="; http_uri; distance:0; content:"1.0|0d 0a|User-Agent|3a| unknown|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2016345; rev:5; metadata:created_at 2013_02_05, former_category MOBILE_MALWARE, updated_at 2013_02_05;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.enable_receiver_trace"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102688; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritXPack - Landing Page - Received"; flow:established,to_client; file_data; content:"js.pd.js"; content:"|7C|applet|7C|"; classtype:exploit-kit; sid:2016356; rev:2; metadata:created_at 2013_02_07, former_category EXPLOIT_KIT, updated_at 2013_02_07;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.validate buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.validate"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102687; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack - URI - jpfoff.php"; flow:established,to_server; content:"/jpfoff.php?token="; http_uri; classtype:exploit-kit; sid:2016357; rev:2; metadata:created_at 2013_02_07, former_category EXPLOIT_KIT, updated_at 2013_02_07;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.differences"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102686; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - ClassID"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; classtype:misc-activity; sid:2016360; rev:2; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.rectify"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102633; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - ClassID"; flow:established,to_client; file_data; content:"CAFEEFAC-00"; content:"-FFFF-ABCDEFFEDCBA"; distance:7; within:18; classtype:misc-activity; sid:2016361; rev:2; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat.alter_mview_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102617; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS CVE-2013-0230 Miniupnpd SoapAction MethodName Buffer Overflow"; flow:to_server,established; content:"POST "; depth:5; content:"|0d 0a|SOAPAction|3a|"; nocase; distance:0; pcre:"/^[^\r\n]+#[^\x22\r\n]{2049}/R"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0230; classtype:attempted-dos; sid:2016364; rev:1; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.grant_surrogate_repcat"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102615; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Miniupnpd M-SEARCH Buffer Overflow CVE-2013-0229"; content:"M-SEARCH"; depth:8; isdataat:1492,relative; content:!"|0d 0a|"; distance:1490; within:2; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0229; classtype:attempted-dos; sid:2016363; rev:2; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.revoke_surrogate_repcat"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102612; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_MM EK - Landing Page"; flow:established,to_client; file_data; content:"<applet "; content:"new PDFObject"; classtype:exploit-kit; sid:2016373; rev:2; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102858; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Payload Download"; flow:established,to_client; file_data; content:"PK"; within:2; content:"stealth.exe"; within:60; classtype:exploit-kit; sid:2016377; rev:2; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102861; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Ecava IntegraXor save method Remote ActiveX Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"520F4CFD-61C6-4EED-8004-C26D514D3D19"; nocase; distance:0; content:".save"; nocase; distance:0; reference:url,1337day.org/exploit/15398; classtype:attempted-user; sid:2016382; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_02_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102862; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"value"; distance:0; pcre:"/^(\s*=\s*|[\x22\x27]\s*,\s*)[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:exploit-kit; sid:2016393; rev:3; metadata:created_at 2013_02_09, former_category EXPLOIT_KIT, updated_at 2013_02_09;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102863; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File With Flash"; flow:to_client,established; content:"CONTROL ShockwaveFlash.ShockwaveFlash"; flowbits:isset,OLE.CompoundFile; flowbits:set,OLE.WithFlash; classtype:protocol-command-decode; sid:2016395; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_02_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102864; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Exploit Specific Uncompressed Flash CVE-2013-0634"; flow:established,to_client; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016396; rev:5; metadata:created_at 2013_02_09, former_category CURRENT_EVENTS, updated_at 2013_02_09;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102865; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Exploit Specific Uncompressed Flash Inside of OLE CVE-2013-0634"; flow:established,to_client; flowbits:isset,OLE.WithFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016397; rev:4; metadata:created_at 2013_02_09, former_category CURRENT_EVENTS, updated_at 2013_02_09;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102866; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android/DNightmare - Task Killer Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/pagead/afma_load_ads.js"; nocase; http_uri; fast_pattern; content:"pagead2.googlesyndication.com"; http_header; reference:md5,745513a53af2befe3dc00d0341d80ca6; classtype:trojan-activity; sid:2016386; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102867; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android/DNightmare -Task Killer Checkin 3"; flow:established,to_server; content:"GET"; http_method; content:"/m/gne/suggest?q="; nocase; http_uri; fast_pattern; content:"SID=DQAAAKQAAAAHga"; http_cookie; reference:md5,745513a53af2befe3dc00d0341d80ca6; classtype:trojan-activity; sid:2016387; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102868; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Office File With Embedded Executable"; flow:established,to_client; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012684; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_04_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102875; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible g01pack Jar download"; flow:established,from_server; flowbits:isset,ET.g01pack.Java.Image; file_data; content:"PK"; depth:2; content:".class"; fast_pattern:only; classtype:exploit-kit; sid:2016321; rev:3; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102869; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android/DNightmare - Task Killer Checkin 1"; flow:established,to_server; content:"GET"; http_method; content:"/pagead/ads?rsp="; nocase; http_uri; fast_pattern; content:"msid=com.droiddream.advancedtaskkiller1"; nocase; http_uri; classtype:trojan-activity; sid:2016385; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102870; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; flowbits:isset,HTTP.UncompressedFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0634; classtype:trojan-activity; sid:2016400; rev:3; metadata:created_at 2013_02_12, former_category CURRENT_EVENTS, updated_at 2013_02_12;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102871; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; flowbits:isset,OLE.WithFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0364; classtype:trojan-activity; sid:2016401; rev:3; metadata:created_at 2013_02_12, former_category CURRENT_EVENTS, updated_at 2013_02_12;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102872; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK Payload - obfuscated binary base 0"; flow:established,to_client; file_data; content:"|af 9e b6 98 09 fc ee d0|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016403; rev:2; metadata:created_at 2013_02_12, former_category EXPLOIT_KIT, updated_at 2013_02_12;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102874; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO MPEG Download Over HTTP (1)"; flow:established,to_client; file_data; content:"|00 00 01 ba|"; depth:4; flowbits:set,ET.mpeg.HTTP; flowbits:noalert; classtype:not-suspicious; sid:2016404; rev:3; metadata:created_at 2013_02_12, updated_at 2013_02_12;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102876; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"SunJCE.class"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016407; rev:3; metadata:created_at 2013_02_13, updated_at 2013_02_13;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102878; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - sinkhole.cert.pl 148.81.111.111"; content:"|00 01 00 01|"; content:"|00 04 94 51 6f 6f|"; distance:4; within:6; classtype:trojan-activity; sid:2016413; rev:4; metadata:created_at 2013_02_15, updated_at 2013_02_15;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.cancel_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102879; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Skype VOIP Reporting Install"; flow: to_server,established; content:"/ui/"; nocase; http_uri; content:"/installed"; http_uri; nocase; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2001596; classtype:policy-violation; sid:2001596; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102880; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Featured-Results.com Agent Reporting Data"; flow: to_server,established; content:"action=any"; nocase; http_uri; content:"country="; nocase; http_uri; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/.*perl\/fr\.pl/i"; reference:url,www.featured-results.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001293; classtype:trojan-activity; sid:2001293; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_priority_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102881; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Georgia Tech (2)"; content:"|00 01 00 01|"; content:"|00 04 32 3e 0c 67|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016423; rev:6; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102882; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Georgia Tech (1)"; content:"|00 01 00 01|"; content:"|00 04 c6 3d e3 06|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016422; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102883; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 1and1 Internet AG"; content:"|00 01 00 01|"; content:"|00 04 52 a5 19 d2|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016421; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102884; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - German Company"; content:"|00 01 00 01|"; content:"|00 04 52 a5 19 a7|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016420; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_priority_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102885; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Zinkhole.org"; content:"|00 01 00 01|"; content:"|00 04 b0 1f 3e 4c|"; distance:4; within:6; classtype:trojan-activity; sid:2016419; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102886; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Dr. Web"; content:"|00 01 00 01|"; content:"|00 04 5b e9 f4 6a|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016418; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102887; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK landing applet plus class Feb 18 2013"; flow:established,to_client; file_data; content:"<applet"; content:"code=|22|hw|22|"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016426; rev:3; metadata:created_at 2013_02_19, former_category EXPLOIT_KIT, updated_at 2013_02_19;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102894; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET DELETED NPRC Malicious POST Request Possible DOJ or DOT Malware"; flow:to_server; content:"POST"; nocase; http_method; content:"POST|2C|"; fast_pattern; nocase; depth:100; content:"ACCEPT|3A|"; nocase; within:300; reference:url,www.websense.com/securitylabs/alerts/alert.php?AlertID=835; reference:url,doc.emergingthreats.net/2007748; classtype:trojan-activity; sid:2007748; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102888; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.Likseput.B Checkin 2"; flow:from_server,established; file_data; content:"|3c 21 2d 2d 0d 0a 3c|img border="; nocase; content:"|2f 23|KX8|2E|"; distance:5; within:64; fast_pattern; pcre:"/^\x3c\x21\x2d\x2d\x0d\x0a\x3cimg\x20border=\d+\x20src=\x22\S+\x2f\x23KX8\x2e/mi"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fLikseput.B; classtype:command-and-control; sid:2016428; rev:7; metadata:created_at 2011_03_08, former_category MALWARE, updated_at 2011_03_08;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102889; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-TABLE Checkin Response - Embedded CnC APT1 Related"; flow:established,from_server; flowbits:isset,ET.webc2; file_data; content:"<!---<table<b"; reference:url,www.mandiant.com/apt1; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; classtype:targeted-activity; sid:2016438; rev:2; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102890; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SEASALT Client Checkin"; flow:established,to_server; dsize:7; content:"fxftest"; depth:7; reference:md5,5e0df5b28a349d46ac8cc7d9e5e61a96; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016441; rev:2; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102891; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SEASALT Server Response"; flow:established,from_server; dsize:7; content:"fxftest"; depth:7; reference:md5,5e0df5b28a349d46ac8cc7d9e5e61a96; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016442; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102897; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE STARSYPOUND Client Checkin"; flow:established,to_server; content:"*(SY)# "; depth:7; reference:md5,8442ae37b91f279a9f06de4c60b286a3; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016443; rev:2; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102896; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-ADSPACE Server Response"; flow:established,from_server; file_data; content:"<!---HEADER ADSPACE style=|22|"; content:"|5c|text $-->"; distance:0; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016448; rev:2; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102898; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-AUSOV Checkin Response - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"|3c|!-- DOCHTMLAuthor"; pcre:"/^\d+\s*-->/R"; reference:url,www.mandiant.com/apt1; reference:md5,0cf9e999c574ec89595263446978dc9f; reference:md5,0cf9e999c574ec89595263446978dc9f; classtype:targeted-activity; sid:2016449; rev:3; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102899; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE STARSYPOUND Client Checkin"; flow:established,from_server; content:"*(SY)# "; depth:7; reference:md5,8442ae37b91f279a9f06de4c60b286a3; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016444; rev:3; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.purge_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102900; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible WEBC2-GREENCAT Response - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"<!--|0d 0a|<img border="; pcre:"/^[0-4]\s*src=\x22[^\x22]+\x22\swidth=\d+\sheight=\d+>\r\n-->/R"; reference:url,www.mandiant.com/apt1; reference:md5,b5e9ce72771217680efaeecfafe3da3f; classtype:targeted-activity; sid:2016455; rev:3; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.register_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.register_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102901; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-KT3 Intial Connection Beacon APT1 Related"; flow:established,to_server; dsize:<11; content:"*!Kt3+v|7c|"; depth:8; flowbits:set,ET.WEBC2KT3; reference:url,www.mandiant.com/apt1; reference:md5,ec3a2197ca6b63ee1454d99a6ae145ab; classtype:targeted-activity; sid:2016456; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.abort_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102813; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-KT3 Intial Connection Beacon Server Response APT1 Related"; flow:established,from_server; dsize:<11; content:"*!Kt3+v|7c|"; depth:8; flowbits:isset,ET.WEBC2KT3; reference:url,www.mandiant.com/apt1; reference:md5,ec3a2197ca6b63ee1454d99a6ae145ab; classtype:targeted-activity; sid:2016457; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.add_object_to_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102814; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-UGX Embedded CnC Response APT1"; flow:established,from_server; flowbits:isset,ET.webc2ugx; file_data; content:"<!-- dW"; within:20; reference:md5,ae45648a8fc01b71214482d35cf8da54; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016472; rev:2; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.begin_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102815; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Gimemo Ransomware Checkin"; flow:established,to_client; file_data; content:"/gate.php?computername="; nocase; classtype:command-and-control; sid:2016496; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2013_02_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.drop_object_from_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102816; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT StyX Landing Page (2)"; flow:established,from_server; file_data; content:"|22|pdf|5c|78.ht|5c|6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016497; rev:7; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.ensure_not_published"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck96.html; classtype:attempted-user; sid:2102643; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Nicepack EK Landing (Anti-VM)"; flow:established,to_client; file_data; content:"if(document.body.onclick!=null)"; content:"if(document.styleSheets.length!=0)"; classtype:exploit-kit; sid:2016500; rev:8; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.set_local_flavor"; nocase; fast_pattern:only; pcre:"/(\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102824; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - zecmd - Form"; flow:established,to_client; file_data; content:"<FORM METHOD=|22|GET|22| NAME=|22|comments|22| ACTION=|22 22|>"; classtype:attempted-user; sid:2016501; rev:2; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102825; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java Serialized Data via vulnerable client"; flow:established,from_server; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"|ac ed|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016502; rev:2; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_for_local_flavor"; nocase; fast_pattern:only; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102826; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java Serialized Data"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|ac ed|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016503; rev:2; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_column_group_to_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102817; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO file possibly containing Serialized Data file"; flow:to_client,established; file_data; content:"PK"; within:2; content:".serPK"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2016505; rev:2; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_columns_to_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102818; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible g01pack Landing Page"; flow:established,to_client; file_data; content:"<applet"; nocase; content:"archive"; nocase; distance:0; pcre:"/^[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])((?!(?P=q)).)+?\.(gif|jpe?g|p(ng|sd))(?P=q)/Rsi"; classtype:exploit-kit; sid:2016333; rev:4; metadata:created_at 2013_02_01, former_category EXPLOIT_KIT, updated_at 2013_02_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_column_group_from_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102819; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Corpsespyware.net BlackListed Malicious Domain - google.vc"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"google.vc"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002765; classtype:trojan-activity; sid:2002765; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_columns_from_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102820; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Serialized Java Applet (Used by some EKs in the Wild)"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"object"; distance:0; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*[\x22\x27][^\x22\x27]+\.ser[\x22\x27]/Ri"; classtype:exploit-kit; sid:2016494; rev:5; metadata:created_at 2013_02_25, former_category INFO, updated_at 2013_02_25;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.obsolete_flavor_definition"; nocase; isdataat:1075,relative; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102821; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Stabuniq Observed C&C POST Target /rss.php"; flow:to_server,established; content:"POST"; http_method; content:"/rss.php"; http_uri; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2; reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html; classtype:trojan-activity; sid:2016131; rev:3; metadata:created_at 2012_12_29, updated_at 2012_12_29;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.publish_flavor_definition"; nocase; isdataat:1075,relative; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102822; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Stabuniq CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/rssnews.php"; http_uri; content:!"User-Agent|3A|"; http_header; content:"id="; http_client_body; depth:3; content:"&varname="; distance:0; http_client_body; content:"&comp="; distance:0; http_client_body; content:"&src="; distance:0; http_client_body; reference:url,contagiodump.blogspot.co.uk/2012/12/dec-2012-trojanstabuniq-samples.html; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; classtype:command-and-control; sid:2016096; rev:4; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.purge_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102823; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download"; flowbits:isset,min.gethttp; flow:established,to_client; file_data; content:"MZ"; within:2; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:2016538; rev:3; metadata:created_at 2013_03_06, updated_at 2013_03_06;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.alter_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102827; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Ponik.Downloader Randomware Download"; flow:established,to_server; urilen:>60; content:"-.php"; fast_pattern; http_uri; content:"User-Agent|3A| Mozilla/5.0 (Windows NT  6.1|3B| WOW64) AppletWebKit/537.11 (KHTML, like Gecko)  Chrome/23.0.1271.97 Safari/537.11|0D 0A|"; http_header; pcre:"/\x2F[a-z\x2D]{60,120}.+\x2D\x2Ephp$/U"; reference:url,www.symantec.com/connect/blogs/fake-adobe-flash-update-installs-ransomware-performs-click-fraud; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-110915-5758-99; classtype:trojan-activity; sid:2016548; rev:3; metadata:created_at 2013_03_07, updated_at 2013_03_07;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102828; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:".php?action=jv&h="; http_uri; classtype:exploit-kit; sid:2016558; rev:4; metadata:created_at 2013_03_09, updated_at 2013_03_09;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102829; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Database List"; flow:established,to_client; file_data; content:"<h1>Databases List</h1>"; classtype:bad-unknown; sid:2016574; rev:2; metadata:created_at 2013_03_14, updated_at 2013_03_14;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102831; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Romanian Webshell"; flow:established,to_client; file_data; content:"Incarca fisier|3a|"; content:"Exeuta comada|3a|"; classtype:bad-unknown; sid:2016577; rev:4; metadata:created_at 2013_03_14, updated_at 2013_03_14;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.do_deferred_repcat_admin"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102832; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT_NGO_wuaclt PDF file"; flow:from_server,established; file_data; content:"%PDF-"; within:5; content:"|3C 21 2D 2D 0D 0A 63 57 4B 51 6D 5A 6C 61 56 56 56 56 56 56 56 56 56 56 56 56 56 63 77 53 64 63 6A 4B 7A 38 35 6D 37 4A 56 6D 37 4A 46 78 6B 5A 6D 5A 6D 52 44 63 5A 58 41 73 6D 5A 6D 5A 7A 42 4A 31 79 73 2F 4F 0D 0A|"; within:200; reference:url,labs.alienvault.com/labs/index.php/2013/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists/; classtype:targeted-activity; sid:2016579; rev:2; metadata:created_at 2013_03_15, former_category MALWARE, updated_at 2013_03_15;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.drop_master_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102833; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redkit Landing Page URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"u33&299"; within:200; content:"u3v7"; within:50; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016587; rev:6; metadata:created_at 2013_03_15, former_category EXPLOIT_KIT, updated_at 2013_03_15;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.generate_replication_package"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102834; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:2101239; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.purge_master_log"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102835; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:2101271; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.relocate_masterdef"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102836; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,17; classtype:rpc-portmap-decode; sid:2101265; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.rename_shadow_column_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102837; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,23; classtype:rpc-portmap-decode; sid:2101269; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.resume_master_activity"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102838; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,14; classtype:rpc-portmap-decode; sid:2101275; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.suspend_master_activity"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102839; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; reference:bugtraq,9794; classtype:attempted-admin; sid:2102409; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_rq.add_column buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_rq.add_column"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*SCHEMA_NAME[\r\n\s]*=>[\r\n\s]*\2|SCHEMA_NAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102685; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,18; classtype:rpc-portmap-decode; sid:2101262; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.alter_snapshot_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102902; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,10; classtype:rpc-portmap-decode; sid:2101270; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102903; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,25; classtype:rpc-portmap-decode; sid:2101273; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102904; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,22; classtype:rpc-portmap-decode; sid:2101268; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repschema"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102905; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_repcat.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102726; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102906; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,19; classtype:rpc-portmap-decode; sid:2101263; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102907; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s+[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2102666; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repschema"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102908; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,21; classtype:rpc-portmap-decode; sid:2101267; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.generate_snapshot_support"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102909; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,20; classtype:rpc-portmap-decode; sid:2101272; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102910; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2101276; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repschema"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102911; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:2101264; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102912; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2102950; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.repcat_import_check"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102913; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RevProxy Java  Settings"; flow:established,to_client; file_data; content:"USE_USERAGENT="; content:"DELAY_BETWEEN_SYNCS="; content:"CONNECTION_TIMEOUT="; classtype:trojan-activity; sid:2016592; rev:3; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.set_local_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102914; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 9"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/default.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016265; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.switch_snapshot_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102915; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 13"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/index.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016281; rev:4; metadata:created_at 2013_01_25, updated_at 2013_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.unregister_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102916; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ACTIVEX Norton antivirus sysmspam.dll load attempt"; flow:to_client,established; content:"clsid|3A|"; nocase; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; nocase; reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-admin; sid:2102485; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.validate_for_local_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102918; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible RedDotv2 applet with 32hex value Landing Page"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!<\/applet>).)+[\r\n\s]value[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])[a-f0-9]{32}(?P=q1)/Rsi"; classtype:exploit-kit; sid:2016643; rev:5; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.alter_snapshot_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102840; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 1"; flow:from_server,established; flowbits:isset,ETPRO.RTF; file_data; content:"|5c|object"; distance:0; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"4BF0D1BD8B85D111B16A00C0F0283628"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; reference:cve,2012-0158; classtype:attempted-user; sid:2025082; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2017_11_29;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102841; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 2"; flow:from_server,established; flowbits:isset,ETPRO.RTF; file_data; content:"|5c|object"; distance:0; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"E0F56B9944805046ADEB0B013914E99C"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; reference:cve,2012-0158; classtype:attempted-user; sid:2025083; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2017_11_29;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102842; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 3"; flow:from_server,established; flowbits:isset,ETPRO.RTF; content:"|5c|object"; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"5FDC81917DE08A41ACA68EEA1ECB8E9E"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; reference:cve,2012-0158; classtype:attempted-user; sid:2025084; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2017_11_29;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102843; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Acrobat Web Capture [8-9].0"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Acrobat Web Capture "; pcre:"/^[8-9]\.0/R"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016646; rev:3; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102844; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Python PDF Library"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"Python PDF Library - http|3a|//pybrary.net/pyPdf/"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016648; rev:3; metadata:created_at 2013_03_22, updated_at 2022_05_03;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102845; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Asprox Spam Module CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"Content-Disposition|3A| form-data|3B| name=|22|sid|22|"; http_client_body; content:"Content-Disposition|3A| form-data|3B| name=|22|up|22|"; http_client_body; distance:0; content:"Content-Disposition|3A| form-data|3B| name=|22|ping|22|"; fast_pattern:32,11; http_client_body; distance:0; content:"Content-Disposition|3A| form-data|3B| name=|22|guid|22|"; distance:0; http_client_body; reference:url,www.welivesecurity.com/2013/03/08/sinkholing-trojan-downloader-zortob-b-reveals-fast-growing-malware-threat/; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2016561; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_12, deployment Perimeter, signature_severity Major, tag c2, updated_at 2013_03_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.repcat_import_check"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102846; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator pdfeTeX-1.21a"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"pdfeTeX-1.21a"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016651; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.switch_snapshot_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102917; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Adobe Acrobat 9.2.0"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Adobe Acrobat 9.2.0"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016652; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102847; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Adobe PDF Library 9.0"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Adobe PDF Library 9.0"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016653; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_untrusted.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102919; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [CrowdStrike] ANCHOR PANDA - Adobe Gh0st Beacon"; flow:established, to_server; content: "Adobe"; depth:5; content:"|e0 00 00 00 78 9c|"; distance: 4; within:15; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016656; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Major, tag PCRAT, tag Gh0st, tag RAT, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.drop_an_object"; nocase; fast_pattern:only; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102849; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [CrowdStrike] ANCHOR PANDA Torn RAT Beacon Message Header Local"; flow:established, to_server; dsize:16; content:"|00 00 00 11 c8 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; flowbits:set,ET.Torn.toread_header; flowbits: noalert; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016659; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_03_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl.is_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.is_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*CANON_GNAME[\r\n\s]*=>[\r\n\s]*\2|CANON_GNAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102696; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [CrowdStrike] ANCHOR PANDA Torn RAT Beacon Message"; dsize: 200; flow: to_server,established; flowbits:isset,ET.Torn.toread_header; content:"|40 7e 7e 7e|"; offset:196; depth:4; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016660; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_03_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl4.drop_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102848; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SofosFO - possible second stage landing page"; flow:established,to_server; urilen:>40; content:".js"; offset:38; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([tZFBeDauxR]+q){3}[tZFBeDauxR]+(_[tZFBeDauxR]+)?|O7dd)k(([tZFBeDauxR]+q){3}[tZFBeDauxR]+|O7dd)\//U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016073; rev:7; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_system.ksdwrt buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_system.ksdwrt"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*tst[\r\n\s]*=>[\r\n\s]*\2|tst\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*\d+\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102679; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hosts"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|tracker"; fast_pattern; distance:0; threshold: type both, count 3, seconds 10, track by_src; classtype:policy-violation; sid:2016662; rev:3; metadata:created_at 2013_03_26, updated_at 2013_03_26;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.ltutil.pushdeferredtxns buffer overflow attempt"; flow:to_server,established; content:"sys.ltutil.pushdeferredtxns"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*repgrpname[\r\n\s]*=>[\r\n\s]*\2|repgrpname\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2102684; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (ORA-)"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"ORA-"; distance:0; classtype:bad-unknown; sid:2016676; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"sysdbms_repcat_rgt.check_ddl_text"; nocase; isdataat:1024,relative; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102608; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (ORA-)"; flow:from_server,established; content:"500"; http_stat_code; file_data; content:"ORA-"; distance:0; classtype:bad-unknown; sid:2016677; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL time_zone buffer overflow attempt"; flow:to_server,established; content:"TIME_ZONE"; nocase; isdataat:1000,relative; pcre:"/TIME_ZONE\s*=\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_time_zone.txt; classtype:attempted-user; sid:2102614; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HTTP_SERVERS any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Simple - Title"; flow:established,to_client; file_data; content:"- Simple Shell</title>"; classtype:bad-unknown; sid:2016679; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2102650; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - JSPCMD - Form"; flow:established,to_client; file_data; content:"<FORM METHOD=\"GET\" NAME=\"comments\" ACTION=\"\">"; classtype:bad-unknown; sid:2016684; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_cmdshell program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; offset:32; nocase; classtype:attempted-user; sid:2100681; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Delfinject Check-in"; flow:established,to_server; content: "|44 4d 7f 49 51 48 50 62 7d 74 61 77 4e 55 32 2f|"; depth:16; dsize:<65; reference:md5,90f8b934c541966aede75094cfef27ed; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=VirTool%3AWin32%2FDelfInject; classtype:trojan-activity; sid:2016685; rev:2; metadata:created_at 2013_03_28, updated_at 2013_03_28;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; nocase; classtype:attempted-user; sid:2100673; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED thebestsoft4u.com Spyware Install (3)"; flow: to_server,established; content:"/pr.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001486; classtype:trojan-activity; sid:2001486; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2102923; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Auth Prompt"; flow:established,to_client; file_data; content:"bG9nb25fc3VibWl0"; classtype:bad-unknown; sid:2016689; rev:2; metadata:created_at 2013_04_02, updated_at 2013_04_02;)
 
-alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2102924; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Sakura exploit kit landing page obfuscated applet tag Mar 28 2013"; flow:established,from_server; file_data; content:"<apABCplet"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016704; rev:3; metadata:created_at 2013_04_02, former_category EXPLOIT_KIT, updated_at 2013_04_02;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap admind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:2100575; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely EgyPack Exploit kit landing page (EGYPACK_CRYPT)"; flow:established,from_server; content:"EGYPACK_CRYPT"; pcre:"/EGYPACK_CRYPT\d/"; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:exploit-kit; sid:2013175; rev:4; metadata:created_at 2011_07_04, former_category EXPLOIT_KIT, updated_at 2011_07_04;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap amountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:2100576; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-8 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c|5C|0c"; nocase; distance:0; classtype:bad-unknown; sid:2016714; rev:2; metadata:created_at 2013_04_04, updated_at 2013_04_04;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap bootparam request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:2100577; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Potential Fiesta Flash Exploit"; flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:60; within:7; http_uri; pcre:"/\/\?[0-9a-f]{60,66}\x3b(?:1(?:0[0-3]|1\d)|90)\d{1,3}\x3b\d{1,3}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016726; rev:6; metadata:created_at 2013_04_05, former_category EXPLOIT_KIT, updated_at 2013_04_05;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cmsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:2100578; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Empty HTTP Content Type Server Response - Potential CnC Server"; flow:established,to_client; content:"Content-Type|3A 20 0D 0A|"; http_header; classtype:command-and-control; sid:2016712; rev:3; metadata:created_at 2013_04_04, updated_at 2013_04_04;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap listing UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,428; classtype:rpc-portmap-decode; sid:2101280; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic Backdoor Retrieve Instructions/Configs - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?aid="; fast_pattern; nocase; http_uri; content:"&pid="; http_uri; content:"&kind="; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2009826; classtype:trojan-activity; sid:2009826; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap mountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:2100579; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008110; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nisd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:2100580; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008108; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap pcnfsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:2100581; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET DELETED Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound"; flow:established; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008103; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rexd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:2100582; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET DELETED Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound"; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008107; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rstatd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:2100583; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedDotv2 Jar March 18 2013"; flow:established,to_server; content:"/sexy.jar"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2016594; rev:7; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rusers request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:2100584; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -2 Mar 13 2013"; flow:established,from_server; file_data; content:"0156,0142,0156,0142,073,0171"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016636; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_21, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap selection_svc request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:2100586; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -4 Mar 22 2013"; flow:established,from_server; file_data; content:"0154,0140,0154,0140,071,0167"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016661; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2101279; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -5 Mar 26 2013"; flow:established,from_server; file_data; content:"0153,0137,0153,0137,070,0166"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016678; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap status request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2100587; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -7 Mar 30 2013"; flow:established,from_server; file_data; content:"0151,0135,0151,0135,066,0164"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016686; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_01, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2100588; rev:18; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal Mar 6 2013"; flow:established,from_server; file_data; content:"0160,0144,0160,0144,075,0173"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016544; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_07, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"GPL MALWARE BackOrifice access"; content:"|CE|c|D1 D2 16 E7 13 CF|9|A5 A5 86|"; reference:arachnids,399; classtype:misc-activity; sid:2100116; rev:6; metadata:created_at 2010_09_23, former_category TROJAN, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RedKit applet + obfuscated URL Apr 7 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"8ss&299"; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016734; rev:2; metadata:created_at 2013_04_09, former_category EXPLOIT_KIT, updated_at 2013_04_09;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP Get"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:2101444; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GonDadEK Kit Jar"; flow:to_client,established; file_data; content:"ckwm"; pcre:"/^(ckwm)*?(Exp|cc)\.class/R"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016737; rev:11; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
 
-alert udp any any -> any 69 (msg:"GPL TFTP GET Admin.dll"; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:2101289; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/NSISDL.Downloader CnC Server Response"; flow:established,to_client; file_data; content:"[install 1]"; within:11; content:"Ins="; within:40; classtype:command-and-control; sid:2016746; rev:2; metadata:created_at 2013_04_09, former_category MALWARE, updated_at 2013_04_09;)
 
-alert udp any any -> any 69 (msg:"GPL TFTP GET nc.exe"; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:2101441; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Siscos CnC Checkin"; flow:established,to_server; content:".php?getcmd="; fast_pattern:only; http_uri; content:"&uid="; http_uri; content:"User-Agent|3a| "; http_header; content:"|3b| MSlE 6.0|3b|"; distance:23; within:11; http_header; classtype:command-and-control; sid:2013384; rev:3; metadata:created_at 2011_08_09, former_category MALWARE, updated_at 2011_08_09;)
 
-#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE HTTP 401 Unauthorized"; flow:from_server,established; content:"401"; http_stat_code; threshold: type both, count 1, seconds 300, track by_dst; reference:url,doc.emergingthreats.net/2009345; classtype:attempted-recon; sid:2009345; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lizamoon Related Compromised site served to local client"; flow:established,from_server; content:"</title><script src=http|3a|//"; nocase; content:"/ur.php></script>"; within:100; classtype:attempted-user; sid:2012624; rev:5; metadata:created_at 2011_04_02, updated_at 2011_04_02;)
 
-#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack"; flow:from_server,established; content:"401"; http_stat_code; threshold:type both, track by_dst, count 30, seconds 60; reference:url,doc.emergingthreats.net/2009346; classtype:attempted-recon; sid:2009346; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:arachnids,449; classtype:attempted-recon; sid:2100467; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible Ipconfig Information Detected in HTTP Response"; flow:from_server,established; file_data; content:"Windows IP Configuration"; content:"Ethernet adapter Local Area Connection"; distance:8; within:40; reference:url,en.wikipedia.org/wiki/Ipconfig; reference:url,doc.emergingthreats.net/2009675; classtype:successful-recon-limited; sid:2009675; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible XDocCrypt/Dorifel Checkin"; flow:established,to_server; content:"GET"; http_method; content:"&pin="; http_uri; content:"&crc="; http_uri; content:"&uniq="; http_uri; reference:url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus; classtype:trojan-activity; sid:2015631; rev:6; metadata:created_at 2012_08_16, updated_at 2012_08_16;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003145; classtype:web-application-attack; sid:2003145; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Nymaim Checkin"; flow:to_server,established; content:"POST"; http_method; content:"/nymain/"; http_uri; fast_pattern:only; content:"/index.php"; http_uri; content:"filename="; http_client_body; content:"&data="; http_client_body; reference:md5,b904ce55532582a6ea516399d8e4b410; classtype:trojan-activity; sid:2016752; rev:3; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003146; classtype:web-application-attack; sid:2003146; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (1)"; flow:established,to_server; urilen:>40; content:".js"; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([e7uxMhp1Kt]+Q){3}[e7uxMhp1Kt]+(_[e7uxMhp1Kt]+)?|a2\.\.)Z(([e7uxMhp1Kt]+Q){3}[e7uxMhp1Kt]+|a2\.\.)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015889; rev:9; metadata:created_at 2012_11_16, updated_at 2012_11_16;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds (linewrap)"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003148; classtype:web-application-attack; sid:2003148; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - PHPShell - Comment"; flow:established,to_client; file_data; content:"<!-- PHPShell "; classtype:attempted-user; sid:2016760; rev:2; metadata:created_at 2013_04_16, updated_at 2013_04_16;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost (linewrap)"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003147; classtype:web-application-attack; sid:2003147; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SofosFO - Landing Page"; flow:established,to_client; file_data; content:"BillyBonnyGetDepolo"; classtype:trojan-activity; sid:2016241; rev:4; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY MOBILE Apple device leaking UDID from SpringBoard"; flow:established,to_server; content:" CFNetwork/"; http_user_agent; content:" Darwin/"; http_user_agent; content:"UDID"; nocase; http_client_body; pcre:"/[0-9a-f]{40}[^0-9a-f]/P"; reference:url,www.innerfence.com/howto/find-iphone-unique-device-identifier-udid; reference:url,support.apple.com/kb/HT4061; classtype:attempted-recon; sid:2013289; rev:6; metadata:created_at 2011_07_19, former_category POLICY, updated_at 2017_07_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (2)"; flow:established,to_server; urilen:>25; content:"/highlands.js"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016046; rev:6; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PCDoc.co.kr Fake AV User-Agent (PCDoc11)"; flow:established,to_server; content:"PCDoc"; http_user_agent; depth:5; reference:url,doc.emergingthreats.net/bin/view/Main/2007786; classtype:pup-activity; sid:2007786; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible landing page 10/01/12"; flow:established,to_server; urilen:51; content:"/4ff"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015750; rev:4; metadata:created_at 2012_10_01, updated_at 2012_10_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PCDoc.co.kr Fake AV User-Agent (mypcdoctor)"; flow:established,to_server; content:"mypcdoc"; http_user_agent; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2007804; classtype:pup-activity; sid:2007804; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible landing page 10/01/12 (2)"; flow:established,to_server; urilen:51; content:"/504"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015751; rev:4; metadata:created_at 2012_10_01, updated_at 2012_10_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SysVenFak Fake AV Package User-Agent (gh2008)"; flow:established,to_server; content:"gh20"; http_user_agent; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2007944; classtype:pup-activity; sid:2007944; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SofosFO obfuscator string 19 Dec 12 - possible landing"; flow:from_server,established; file_data; content:"cRxmlqC14I8yhr92sovp"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016070; rev:5; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Boitho.com Distributed Crawler in use - User-Agent (boitho.com-dc)"; flow:to_server,established; content:"boitho.com"; http_user_agent; nocase; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2003653; classtype:trojan-activity; sid:2003653; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PDF - Acrobat Enumeration - var PDFObject"; flow:established,to_client; file_data; content:"var PDFObject="; classtype:misc-activity; sid:2016766; rev:2; metadata:created_at 2013_04_18, updated_at 2013_04_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Gteko User-Agent Detected - Dell Remote Access"; flow:established,to_server; content:"Windows 98"; http_user_agent; content:"GtekClient"; fast_pattern; http_user_agent; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2008037; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - SCR in PKZip Compressed Data Download"; flow:established,to_client; file_data; content:"PK"; within:2; content:".scr"; fast_pattern:only; nocase; classtype:bad-unknown; sid:2016767; rev:3; metadata:created_at 2013_04_18, updated_at 2013_04_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Eurobarre.us Setup User-Agent"; flow:established,to_server; content:"eurobarre "; http_user_agent; nocase; depth:10; reference:url,doc.emergingthreats.net/2008336; classtype:policy-violation; sid:2008336; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Windows EXE with alternate byte XOR 51 - possible SofosFO/NeoSploit download"; flow:established,to_client; content:"|0d 0a|Mi"; isdataat:76,relative; content:"|54 5b 69 40 20 43 72 5c 67 41 61 5e 20 50 61 5d 6e 5c 74 13 62 56 20 41 75 5d 20 5a 6e 13 44 7c 53 13 6d 5c 64 56|"; distance:0; classtype:trojan-activity; sid:2015752; rev:3; metadata:created_at 2012_10_01, updated_at 2012_10_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - document.createElement applet"; flow:established,to_client; file_data; content:"document.createElement"; nocase; content:"applet"; nocase; fast_pattern; within:10; classtype:misc-activity; sid:2015707; rev:2; metadata:created_at 2012_09_18, updated_at 2012_09_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura obfuscated javascript Apr 21 2013"; flow:established,from_server; file_data; content:"OD&|3a|x9T6"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016781; rev:2; metadata:created_at 2013_04_23, updated_at 2013_04_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:"<param"; distance:0; content:"value="; distance:0; pcre:"/^.{1,5}[a-f0-9]{100}/R"; classtype:trojan-activity; sid:2015710; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_09_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pony Downloader check-in response STATUS-IMPORT-OK"; flow:established,from_server; file_data; content:"STATUS-IMPORT-OK"; within:16; classtype:trojan-activity; sid:2014563; rev:3; metadata:created_at 2012_04_13, updated_at 2012_04_13;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102860; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bancos User-Agent Detected vb wininet"; flow:established,to_server; content:"vb wininet"; nocase; http_user_agent; reference:url,doc.emergingthreats.net/2004114; classtype:trojan-activity; sid:2004114; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102892; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bredolab Infection - Windows Key"; flow:established,to_server; content:"?s=Windows"; nocase; http_uri; content:"&p="; nocase; http_uri; pcre:"/\&p=[0-9A-Za-z]{5}\-[0-9A-Za-z]{5}\-/U"; reference:url,doc.emergingthreats.net/2010072; classtype:trojan-activity; sid:2010072; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO DoSWF Flash Encryption Banner"; flow:to_client,established; file_data; content:"FWS"; within:3; content:"DoSWF"; distance:0; classtype:attempted-user; sid:2015704; rev:6; metadata:created_at 2012_09_18, former_category CURRENT_EVENTS, updated_at 2012_09_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta - Payload - flashplayer11"; flow:established,to_client; content:"flashplayer11_"; http_header; file_data; content:"MZ"; within:2; classtype:exploit-kit; sid:2016784; rev:3; metadata:created_at 2013_04_26, former_category EXPLOIT_KIT, updated_at 2013_04_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dapato Checkin 8"; flow:established,to_server; content:"GET"; http_method; nocase; content:"?uid={"; http_uri; content:"}&user="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"Mozilla/4.1"; http_user_agent; depth:11; reference:md5,de7c781205d31f58a04d5acd13ff977d; classtype:command-and-control; sid:2015713; rev:3; metadata:created_at 2012_09_18, former_category MALWARE, updated_at 2012_09_18;)
+#alert  http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redkit encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|fb 67 1f 49|"; within:4; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016113; rev:3; metadata:created_at 2012_12_29, former_category EXPLOIT_KIT, updated_at 2012_12_29;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Skype Easybits Extras Manager - Exploit"; flow:established,from_server; content:"gygte"; nocase; content:"gygte"; nocase; distance:0; reference:url,www.m86security.com/labs/traceitem.asp?article=1347; reference:url,doc.emergingthreats.net/2011680; classtype:trojan-activity; sid:2011680; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass"; flow:established,to_client; file_data; content:"<jnlp "; nocase; content:"__applet_ssv_validated"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2016797; rev:2; metadata:created_at 2013_04_28, updated_at 2013_04_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; file_data; content:"|5C|x0b|5C|x0b|5C|x0b|5C|x0b"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013268; rev:4; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet with obfuscated URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; content:"103sdj115sdj115sdj111sdj57sdj46sdj46sdj"; fast_pattern; within:250; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016585; rev:7; metadata:created_at 2013_03_15, former_category CURRENT_EVENTS, updated_at 2013_03_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Loader EXE Payload Request"; flow:established,to_server; urilen:34; content:"/?"; depth:2; http_uri; pcre:"/^\/\?[a-f0-9]{32}$/U"; content:!"User-Agent|3a| "; http_header; content:" HTTP/1.1|0d 0a|Host|3a| "; classtype:trojan-activity; sid:2014058; rev:3; metadata:created_at 2011_12_31, updated_at 2011_12_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50a"; http_uri; depth:4; pcre:"/^\/50a[a-f0-9]{21}\/(((\d+,)+\d+)|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015847; rev:5; metadata:created_at 2012_10_27, former_category CURRENT_EVENTS, updated_at 2012_10_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Web Bot Controller Accessed"; flow:to_server,established; content:"/stata/index.php?tr=ok"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003025; classtype:trojan-activity; sid:2003025; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Sweet Orange Java obfuscated binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|22 2a|"; within:2; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016112; rev:3; metadata:created_at 2012_12_29, updated_at 2012_12_29;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL EXPLOIT WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:2103199; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Java payload request (1)"; flow:established,to_server; content:"Java/1"; http_user_agent; content:"openparadise1"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016111; rev:4; metadata:created_at 2012_12_29, former_category CURRENT_EVENTS, updated_at 2012_12_29;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Message Send Info Capture"; flow: to_server,established; content:"crumb="; nocase; content:"Subject="; nocase; reference:url,doc.emergingthreats.net/2000045; classtype:policy-violation; sid:2000045; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Sweet Orange Java obfuscated binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|3d 3b|"; within:2; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016143; rev:3; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Unknown - Payload Download - 9Alpha1Digit.exe"; flow:established,to_client; content:"attachment"; http_header; content:".exe"; http_header; fast_pattern:only; pcre:"/[a-z]{9}[0-9]\.exe/H"; file_data; content:"MZ"; depth:2; classtype:trojan-activity; sid:2014968; rev:8; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Java obfuscated binary (3)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|20 3b|"; within:2; content:"|3d 24 00 00|"; within:512; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016655; rev:5; metadata:created_at 2013_03_22, former_category CURRENT_EVENTS, updated_at 2013_03_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Adware.AdzgaloreBiz/AdRotator!IK Install/Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?inst_result="; http_uri; content:"&hwid="; http_uri; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)|0d 0a|"; http_header; pcre:"/\.php\?inst_result=.+&hwid=/Ui"; reference:url,doc.emergingthreats.net/2009305; reference:md5,1ca433d3f5538fda49c5defb59232f9d; classtype:trojan-activity; sid:2009305; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT pamdql/Sweet Orange delivering exploit kit payload"; flow:established,to_server; content:"/command/"; http_uri; urilen:15; pcre:"/^\/command\/[a-zA-Z]{6}$/U"; classtype:exploit-kit; sid:2016093; rev:4; metadata:created_at 2012_12_28, former_category EXPLOIT_KIT, updated_at 2012_12_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Thetatic.A Checkin"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 5.1|3B| rv|3a|1.9.1) Gecko/20090624 Firefox/3.5|0D 0A|Accept|3a| */*|0D 0A|Host|3a| "; http_header; depth:110; fast_pattern:72,20; classtype:trojan-activity; sid:2014796; rev:5; metadata:created_at 2012_05_22, updated_at 2012_05_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ehyewyqydfpidbdp.ru"; flow:established,to_server; content:"|3a| ehyewyqydfpidbdp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015161; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zenosearch Malware Checkin HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"uid="; http_client_body; depth:4; content:"&ref="; http_client_body; content:"&clid="; http_client_body; content:"&commode="; http_client_body; content:"&cmd="; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008757; classtype:pup-activity; sid:2008757; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for file containing Java payload URIs (1)"; flow:established,to_server; content:".php?asd=12gqw"; http_uri; content:"|29 20|Java/"; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015843; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_26, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; distance:3; within:1; byte_extract:3,0,Certs.len,relative; content:"|55 04 0a 0c 0C|The Internet"; distance:3; within:Certs.len; content:"|55 04 03 0c 03|web"; distance:0; classtype:exploit-kit; sid:2015718; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_09_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Oct 19 2012"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"&|23|48|3b|&|23|98|3b|&|23|48|3b|&|23|57|3b|&|23|48|3b|&|23|57|3b|&|23|48|3b|&|23|52|3b|&|23|49|3b|&|23|102|3b|"; within:300; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015823; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT MSN IM Poll via HTTP"; flow: established,to_server; content:"/gateway/gateway.dll?Action=poll&SessionID="; http_uri; nocase; threshold: type limit, track by_src, count 10, seconds 3600; reference:url,doc.emergingthreats.net/2001682; classtype:policy-violation; sid:2001682; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole file containing obfuscated Java payload URIs"; flow:established,from_server; file_data; content:"0b0909041f3131"; within:14; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015844; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_26, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HeapLib JS Library"; flow:established,to_client; file_data; content:"heapLib.ie|28|"; nocase; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:bad-unknown; sid:2014972; rev:3; metadata:created_at 2012_06_27, updated_at 2012_06_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole alt URL request Sep 05 2012 bv6rcs3v1ithi.php?w="; flow:established,to_server; content:"/bv6rcs3v1ithi.php?w="; http_uri; reference:url,urlquery.net/report.php?id=158608; classtype:attempted-user; sid:2015684; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER sumthin scan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/sumthin"; nocase; http_uri; reference:url,www.webmasterworld.com/forum11/2100.htm; reference:url,doc.emergingthreats.net/2002667; classtype:attempted-recon; sid:2002667; rev:38; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole repetitive applet/code tag"; flow:established,from_server; file_data; content:"applet/code="; content:"/archive="; distance:0; content:".jar"; distance:0; pcre:"/applet\/code=[\x22\x27](?P<val1>[a-zA-Z0-9]+)[a-z]\.(?P=val1)[a-z][\x22\x27][^\x3e]+\.jar[\x22\x27]/"; classtype:trojan-activity; sid:2015697; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_12, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casalemedia Spyware Reporting URL Visited 3"; flow: to_server,established; content:"/sd?s="; nocase; http_uri; pcre:"/\/sd\?s=\d+&f=\d&C=\d/Ui"; reference:url,doc.emergingthreats.net/2009880; classtype:pup-activity; sid:2009880; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL 23 Aug 2012"; flow:established,from_server; content:"applet"; content:"0xb|3a|0x9|3a|0x9|3a|0x4|3a|0x1f|3a|0x31|3a|0x31|3a|"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015652; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_23, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT HttpAddRequestHeader - Can Be Used For HTTP CnC"; flow:established,to_client; file_data; content:"MZ"; distance:0; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"HttpAddRequestHeader"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:command-and-control; sid:2012767; rev:11; metadata:created_at 2011_05_03, former_category MALWARE, updated_at 2011_05_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Javascript 23 Aug 2012 split join split applet"; flow:established,from_server; content:"|3c|script"; content:"split(|22|"; within:40; content:".join(|22 22|).split(|22 22 29 3b|"; within:50; classtype:trojan-activity; sid:2015651; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_23, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query to Unknown CnC DGA Domain adbullion.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|09|adbullion|03|com|00|"; nocase; distance:4; within:15; fast_pattern; classtype:command-and-control; sid:2015729; rev:2; metadata:created_at 2012_09_22, updated_at 2012_09_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page ChildNodes.Length - August 13th 2012"; flow:established,to_client; content:"=0|3B|i<document.body.childNodes.length|3B|i++{"; classtype:trojan-activity; sid:2015621; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_13, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole2 - Landing Page Received - classid"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:"<param"; distance:0; content:"value="; distance:0; pcre:"/^.{1,5}[a-f0-9]{100}/R"; classtype:trojan-activity; sid:2015732; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_22, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page JavaScript Replace - 13th August 2012"; flow:established,to_client; file_data; content:"=document.body.childNodes["; content:"].innerHTML.replace(/"; distance:1; within:21; content:"/g,|22 22|)|3B|"; within:30; classtype:trojan-activity; sid:2015620; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_13, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE UpackbyDwing binary in HTTP (2) Possibly Hostile"; flow:from_server,established; content:"PE|00 00|"; content:"Upack|00 00|"; within:255; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2008947; classtype:trojan-activity; sid:2008947; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Specific JavaScript Replace hwehes - 8th August 2012"; flow:established,to_client; content:".replace(/hwehes/g"; classtype:trojan-activity; sid:2015592; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_09, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE UpackbyDwing binary in HTTP Download Possibly Hostile"; flow:from_server,established; content:"UpackByDwing|40|"; content:"PE|00 00|"; within:20; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2008946; classtype:trojan-activity; sid:2008946; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Potential Blackhole Zeus Drop - 8th August 2012"; flow:established,to_client; content:"P|00|r|00|o|00|d|00|u|00|c|00|t|00|N|00|a|00|m|00|e"; content:"n|00|o|00|n|00|a|00|m|00|e"; fast_pattern; within:15; classtype:trojan-activity; sid:2015591; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_09, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Trojan Checkin by MAC chkmac.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/chkmac.php?mac="; nocase; http_uri; classtype:command-and-control; sid:2006403; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Intial Structure - 8th August 2012"; flow:established,to_client; content:"|0d 0a 0d 0a 3C|html|3E 3C|body|3E 3C|script|3E|"; content:"=function|28 29 7B|"; fast_pattern; distance:1; within:12; classtype:trojan-activity; sid:2015590; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_09, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL add_grouped_column ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22 ]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102600; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Redirection Page You Will Be Forwarded - 7th August 2012"; flow:established,to_client; content:"<h1><b>Please wait a moment. You will be forwarded...<|2F|h1><|2F|b>"; classtype:trojan-activity; sid:2015582; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_master_repgroup ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck87.html; classtype:attempted-user; sid:2102602; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Replace JavaScript Large Obfuscated Blob - August 3rd 2012"; flow:established,to_client; file_data; content:"=|22|"; isdataat:300,relative; content:"|22|"; within:300; content:"|22|.replace(/"; distance:0; content:"/g.|22 22 29 3B|"; fast_pattern; within:30; classtype:trojan-activity; sid:2015580; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL create_mview_repgroup ordered fname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){4}\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102604; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Applet Structure"; flow:established,to_client; file_data; content:"<|2F|script><applet/archive="; fast_pattern; content:".jar"; within:20; content:"code=|22|"; distance:0; content:"|22|><param/name=|22|"; distance:9; within:15; content:"<|2F|applet><|2F|body><|2F|html>"; distance:0; pcre:"/code\x3D\x22[a-z]{4}\x2E[a-z]{4}\x22/i"; classtype:trojan-activity; sid:2015520; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_24, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL comment_on_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102607; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Split String Obfuscated Math Floor - July 19th 2012"; flow:established,to_client; file_data; content:"=Math|3B|"; content:"[|22|f"; distance:0; content:"|22|+|22|"; within:15; content:"r|22|]"; within:12; classtype:trojan-activity; sid:2015519; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_24, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL cancel_statistics ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102610; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Eval Split String Obfuscation In Brackets"; flow:established,to_client; file_data; content:"[|22|e"; fast_pattern; content:"|22|+|22|"; within:11; content:"l|22|]"; within:11; pcre:"/\x7B\x22e(v|x22\x2B\x22)(v|x22\x2B\x22|a)(a|v|x22\x2B\x22)[^\x5D]*?l\x22\x5D/"; classtype:trojan-activity; sid:2015477; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL grant_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102616; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole Landing Page /upinv.html"; flow:established,to_server; content:"/upinv.html"; http_uri; classtype:trojan-activity; sid:2015476; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL alter_mview_propagation ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102618; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Request For Blackhole Landing Page Go.php"; flow:established,to_server; content:"/go.php?d="; http_uri; pcre:"/\x2Fgo\x2Ephp\x3Dd\x3D[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2015049; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_12, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL unregister_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102625; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:".php?"; distance:0; pcre:"/^[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/R"; classtype:attempted-user; sid:2015701; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL repcat_import_check ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/\((\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))|\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102628; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2.0 PDF GET request"; flow:established,to_server; content:".php?"; http_uri; content:"00020002"; http_uri; fast_pattern:only; pcre:"/\.php\?\w{2,9}\=(0[0-9a-b]|3[0-9]){5}\&\w{3,9}\=(3[0-9a-f]|4[0-9a-f])\&\w{3,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{3,9}\=(0[0-9a-b]{1,8})00020002$/U"; reference:url,fortknoxnetworks.blogspot.com/2012/11/deeper-into-blackhole-urls-and-dialects.html; classtype:attempted-user; sid:2015864; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL register_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102630; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - tcp"; flow:established,to_server; content:"|12 06 41 46 50 33 2e 31|"; pcre:"/[a-zA-Z0-9]{5}/i"; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0759; reference:url,doc.emergingthreats.net/bin/view/Main/2007877; classtype:successful-dos; sid:2007877; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL refresh_mview_repgroup ordered gowner buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,(\s*(true|false)\s*,\s*){3}((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102632; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow"; content:"|44 53 52 65 71 75 65 73 74|"; pcre:"/[0-9a-zA-Z]{50}/R"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL rectifier_diff ordered sname1 buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102634; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"ET EXPLOIT Siemens Gigaset SE361 WLAN Data Flood Denial of Service Vulnerability"; flow:to_server; content:"|90 90 90 90 90|"; depth:5; content:"|90 90 90 90 90|"; distance:0; content:"|90 90 90 90 90|"; distance:0; pcre:"/\x90{200}/"; reference:cve,CVE-2009-3322; reference:bugtraq,36366; reference:url,www.milw0rm.com/exploits/9646; reference:url,doc.emergingthreats.net/2009976; classtype:denial-of-service; sid:2009976; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL snapshot.end_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102636; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET EXPLOIT MySQL Stack based buffer overrun Exploit Specific"; flow:to_server,established; content:"grant"; nocase; content:"file"; nocase; distance:0; content:"on"; distance:0; nocase; pcre:"/^\s+A{500}/R"; reference:url,seclists.org/fulldisclosure/2012/Dec/4; classtype:attempted-user; sid:2015975; rev:5; metadata:created_at 2012_12_04, updated_at 2012_12_04;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102638; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp any any -> $HOME_NET 27901 (msg:"ET GAMES Alien Arena 7.30 Remote Code Execution Attempt"; content:"print|0A 5C|"; isdataat:257,relative; pcre:"/\x5C[^\x5C\x00]{257}/"; reference:url,www.packetstormsecurity.org/0910-advisories/alienarena-exec.txt; reference:url,doc.emergingthreats.net/2010156; classtype:misc-attack; sid:2010156; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_mview_repgroup ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102640; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:50,relative; pcre:"/^USER\s[^\n]{50}/smi"; reference:bugtraq,11256; reference:bugtraq,789; reference:cve,1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:2101866; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_site_instantiate ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"drop_site_instantiation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck629.html; classtype:attempted-user; sid:2102642; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Apache mod_deflate DoS via many multiple byte Range values"; flow:established,to_server; content:"Range|3a|"; nocase; content:"bytes="; nocase; distance:0; isdataat:10,relative; content:","; within:11; isdataat:10,relative; content:","; within:11; isdataat:10,relative; content:","; within:11; isdataat:70,relative; content:!"|0d 0a|"; within:12; pcre:"/Range\x3a\s?bytes=[-0-9,\x20]{100}/iH"; reference:url,seclists.org/fulldisclosure/2011/Aug/175; classtype:attempted-dos; sid:2013473; rev:5; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL from_tz buffer overflow attempt"; flow:to_server,established; content:"FROM_TZ"; nocase; pcre:"/\(\s*TIMESTAMP\s*(\s*(\x27[^\x27]+'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.nextgenss.com/advisories/ora_from_tz.txt; classtype:attempted-user; sid:2102644; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; isdataat:255,relative; content:!"|0a|"; within:255; pcre:"/^EXPN[^\n]{255}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2102259; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL instantiate_offline ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_offline"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck630.html; classtype:attempted-user; sid:2102646; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Opachki Link Hijacker HTTP Header Injection"; flow:established,to_server; content:".php?l="; fast_pattern; nocase; http_uri; content:"&u="; nocase; http_uri; content:"Accept-Encoding|3a|"; http_header; nocase; content:"Referer|3a| "; http_header; nocase; pcre:"/^Accept-Encoding\x3a\s+([a-z])\1{3}/Hmi"; reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2; reference:url,doc.emergingthreats.net/2010283; classtype:trojan-activity; sid:2010283; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL instantiate_online ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_online"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck631.html; classtype:attempted-user; sid:2102648; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion"; flow:established,to_server; content:"GET"; http_method; pcre:"/(listen.php|download.php)/Ui"; content:"?src="; nocase; http_uri; pcre:"/(\.\.\/){1}/"; reference:url,www.exploit-db.com/exploits/6669/; reference:url,doc.emergingthreats.net/2008651; classtype:web-application-attack; sid:2008651; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL og.begin_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102653; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Rovnix Downloading Config File From CnC"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/config.php?"; http_uri; content:"user="; http_uri; content:"version="; http_uri; content:"&server="; http_uri; content:"&crc="; http_uri; pcre:"/user=[a-f0-9]{32}&/Ui"; reference:url,blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution; classtype:command-and-control; sid:2014276; rev:4; metadata:created_at 2012_02_24, former_category MALWARE, updated_at 2012_02_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability"; flow:established; content:"|61 00 09 00 08 00 07 00 21 03|"; pcre:"/[0-9a-zA-Z]{10}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; reference:url,doc.emergingthreats.net/bin/view/Main/2007934; classtype:misc-attack; sid:2007934; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit js_property_spray sprayHeap"; flow:established,from_server; file_data; content:"sprayHeap"; nocase; pcre:"/^[\r\n\s]*?\x28[^\x29]*?shellcode/Ri"; reference:url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation; classtype:attempted-user; sid:2016519; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_03_05, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Cisco-MARS/JBoss Remote Command Execution"; flowbits:isset,cmars.jboss; flow:to_server,established; content:"action=invokeOp"; nocase; content:"jboss.script"; nocase; content:"Runtime|2e|getRuntime|25|28|25|29|2e|exec|25|28"; nocase; reference:bugtraq,19071; reference:url,doc.emergingthreats.net/bin/view/Main/2003065; classtype:attempted-admin; sid:2003065; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit mstime_malloc no-spray"; flow:established,from_server; file_data; content:"mstime_malloc"; nocase; pcre:"/^[\r\n\s]*?\x28[^\x29]*?shellcode/Ri"; reference:url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation; classtype:attempted-user; sid:2016824; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_05_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura exploit kit exploit download request /sarah.php"; flow:established,to_server; content:"/sarah.php?s="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015733; rev:3; metadata:created_at 2012_09_25, former_category EXPLOIT_KIT, updated_at 2012_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible CollectGarbage in base64 1"; flow:established,from_server; file_data; content:"Q29sbGVjdEdhcmJhZ2U"; classtype:misc-activity; sid:2016825; rev:3; metadata:created_at 2013_05_07, former_category INFO, updated_at 2013_05_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 2"; flow:established,to_server; urilen:5; content:"/mix/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015549; rev:5; metadata:created_at 2012_07_31, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible CollectGarbage in base64 2"; flow:established,from_server; file_data; content:"NvbGxlY3RHYXJiYWdlK"; classtype:misc-activity; sid:2016826; rev:3; metadata:created_at 2013_05_07, former_category INFO, updated_at 2013_05_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 3"; flow:established,to_server; urilen:7; content:"/login/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015558; rev:4; metadata:created_at 2012_08_02, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible CollectGarbage in base64 3"; flow:established,from_server; file_data; content:"Db2xsZWN0R2FyYmFnZS"; classtype:misc-activity; sid:2016827; rev:3; metadata:created_at 2013_05_07, former_category INFO, updated_at 2013_05_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 4"; flow:established,to_server; urilen:10; content:"/comments/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015696; rev:4; metadata:created_at 2012_09_11, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Injection - var j=0"; flow:established,to_client; file_data; content:"00|3a|00|3a|00|3b| path=/|22 3b|var j=0|3b| while(j"; classtype:trojan-activity; sid:2016830; rev:2; metadata:created_at 2013_05_07, former_category CURRENT_EVENTS, updated_at 2013_05_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 6"; flow:established,to_server; urilen:6; content:"/news/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015705; rev:4; metadata:created_at 2012_09_18, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2013-2423 IVKM PoC Seen in Unknown EK"; flow:to_client,established; content:"Union1.class"; content:"Union2.class"; fast_pattern; content:"SystemClass.class"; content:"PoC.class"; flowbits:isset,ET.http.javaclient; reference:url,weblog.ikvm.net/CommentView.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0; classtype:exploit-kit; sid:2016831; rev:3; metadata:created_at 2013_05_07, updated_at 2013_05_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 5"; flow:established,to_server; urilen:6; content:"/view/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015706; rev:4; metadata:created_at 2012_09_18, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan POST"; flow:established,to_server; content:"POST"; http_method; content:"Content-Length|3a| 0|0d 0a|"; http_header; content:"/a/"; http_uri; fast_pattern; content:"PHPSESSID="; http_cookie; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016834; rev:2; metadata:created_at 2013_05_08, updated_at 2013_05_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 7"; flow:established,to_server; urilen:7; content:"/feeds/"; http_uri; content:".dyndns"; http_header; classtype:exploit-kit; sid:2015731; rev:3; metadata:created_at 2012_09_22, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura obfuscated javascript May 10 2013"; flow:established,from_server; file_data; content:"qV7/|3b|pF"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016852; rev:3; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole2 - URI Structure"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/U"; classtype:attempted-user; sid:2015700; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Embedded Android Dalvik Executable File With Fake Windows Executable Header - Possible AV Bypass Attempt"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program"; distance:0; content:"dex|0A|"; distance:0; reference:url,research.zscaler.com/2013/03/guess-who-am-i-pe-or-apk.html; classtype:trojan-activity; sid:2016854; rev:3; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING - Redirect To Blackhole - Push JavaScript"; flow:established,to_client; file_data; content:".push( 'h' )\;"; content:".push( 't' )\;"; within:20; classtype:trojan-activity; sid:2015740; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Embedded ZIP/APK File With Fake Windows Executable Header - Possible AV Bypass Attempt"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program"; distance:0; content:"PK|03|"; distance:0; content:"classes."; distance:0; reference:url,research.zscaler.com/2013/03/guess-who-am-i-pe-or-apk.html; classtype:trojan-activity; sid:2016855; rev:2; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
 
-#alert http $HOME_NET any -> any any (msg:"ET POLICY Internet Explorer 6 in use - Significant Security Risk"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b|"; http_user_agent; depth:34; threshold: type limit, track by_src, seconds 180, count 1; classtype:policy-violation; sid:2010706; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Android Dalvik Executable File Download"; flow:established,to_client; file_data; content:"dex|0A|"; within:4; reference:url,source.android.com/tech/dalvik/dex-format.html; classtype:policy-violation; sid:2016856; rev:2; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Adware Istbar Search Hijacker and Downloader"; flow:established,to_client; content:"200"; http_stat_code; content:"OK"; nocase; http_stat_msg; content:"Content-Type|3a| qvod_update"; nocase; content:"|5b|AGENTLIST|5d 0d 0a|ip0="; nocase; content:"|0d 0a|port0="; nocase; within:25; content:"|0d 0a 0d 0a|ip1="; nocase; content:"|0d 0a|port1="; nocase; within:25; reference:url,www.pctools.com/mrc/infections/id/Trojan.ISTbar/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan.ISTbar; reference:url,doc.emergingthreats.net/2009597; classtype:trojan-activity; sid:2009597; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Tornado Pack Binary Request"; flow:established,to_server; content:"GET"; http_method; content:"?o="; http_uri; content:"&t="; http_uri; content:"&i="; http_uri; content:"&e="; http_uri; reference:url,dxp2532.blogspot.com/2009/05/tornado-exploit-pack.html; classtype:trojan-activity; sid:2009389; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; distance:3; within:1; byte_extract:3,0,Certs.len,relative; content:"|55 04 06 13 02|SE"; distance:3; within:Certs.len; content:"|55 04 08 13 01 20|"; distance:0; content:"|55 04 07 13 01 20|"; distance:0; content:"|55 04 0a 13 01 20|"; distance:0; content:"|55 04 0b 13 01 20|"; distance:0; content:"|55 04 03 13 01 20|"; distance:0; fast_pattern; classtype:exploit-kit; sid:2015742; rev:1; metadata:attack_target Client_Endpoint, created_at 2012_09_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zbot/Zeus C&C Access"; flow:to_server,established; content:"in.php?m=home"; http_uri; reference:url,doc.emergingthreats.net/2009175; classtype:trojan-activity; sid:2009175; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Fynloski.A/DarkRat Checkin Outbound"; flow:to_server,established; dsize:<16; content:"KEEPALIVE"; depth:9; pcre:"/^KEEPALIVE\x7c?\d/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; reference:url,www.eff.org/deeplinks/2012/08/syrian-malware-post; reference:md5,a2f58a4215441276706f18519dae9102; classtype:command-and-control; sid:2013090; rev:10; metadata:created_at 2010_11_22, former_category MALWARE, updated_at 2010_11_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Requesting Payload"; flow:established,to_server; content:".php?ex="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:exploit-kit; sid:2016896; rev:4; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Thespyguard.com Spyware Update Check"; flow:established,to_server; content:"/soft/update/check_update.php"; nocase; http_uri; content:"Host|3a| www.kliksoftware.com"; nocase; http_header; fast_pattern; reference:url,www.kliksoftware.com; reference:url,www.thespyguard.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003202; classtype:pup-activity; sid:2003202; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Spy.Win32.Agent.byhm User-Agent (EMSCBVDFRT)"; flow:to_server,established; content:"EMSCBVDFRT"; http_user_agent; depth:10; classtype:trojan-activity; sid:2016907; rev:5; metadata:created_at 2012_03_02, updated_at 2022_05_03;)
 
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; content:!"|0a|"; within:300; isdataat:300; pcre:"/^RCPT TO\x3a\s[^\n]{300}/ism"; reference:bugtraq,2283; reference:bugtraq,9696; reference:cve,2001-0260; classtype:attempted-admin; sid:2100654; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.FresctSpy.A User-Agent (MBVDFRESCT)"; flow:to_server,established; content:"MBVDFRESCT"; nocase; depth:10; http_user_agent; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FAgent.CZ; classtype:trojan-activity; sid:2016908; rev:5; metadata:created_at 2011_09_09, updated_at 2011_09_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advertisementserver.com Spyware Checkin"; flow:to_server,established; content:"monitor.php"; nocase; http_uri; content:"?UID="; nocase; http_uri; pcre:"/UID=\d/Ui"; content:"User-Agent|3a| Microsoft URL Control"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007602; classtype:pup-activity; sid:2007602; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TrojanSpy.KeyLogger Hangover Campaign User-Agent(wininetget/0.1)"; flow:established,to_server; content:"wininetget/"; nocase; depth:11; http_user_agent; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016889; rev:5; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CVSTrac filediff Arbitrary Remote Code Execution"; flow: to_server,established; content:"filediff|3f|f="; nocase; http_uri; pcre:"/\/filediff\?((&?v\d?=[\d.]+?)+?&f\x3d|f\x3d.+?(&v\d?=[\d.]+?)+?).+?\x3b.+?\x3b/Ui"; reference:bugtraq,10878; reference:cve,2004-1456; reference:url,doc.emergingthreats.net/bin/view/Main/2002697; classtype:web-application-attack; sid:2002697; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Java Class"; flow:to_client,established; file_data; content:"Gond"; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2015575; rev:11; metadata:created_at 2012_08_04, former_category EXPLOIT_KIT, updated_at 2012_08_04;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.VB.brg C&C Kill Command Send"; flow:established,from_server; dsize:<35; content:"kill-"; offset:0; depth:5; pcre:"/kill\-\d+.\d+.\d+.\d+\:\d+%\d/"; reference:url,doc.emergingthreats.net/2007980; classtype:command-and-control; sid:2007980; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Landing Page 1 May 24 2013"; flow:to_client,established; file_data; content:"AppletObject.code"; nocase; content:"Gond"; nocase; distance:0; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016925; rev:2; metadata:created_at 2013_05_25, updated_at 2013_05_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bredolab Downloader Response Binaries from Controller"; flow:established,from_server; content:"|0d 0a|Entity-Info|3a|"; nocase; content:"|0d 0a|Magic-Number|3a|"; nocase; pcre:"/\x0d\x0aEntity-Info\x3a\s+\d+\x3a\d/"; pcre:"/\x0d\x0aMagic-Number\x3a\s+\d+\|\d/"; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader%3aWin32/Bredolab.B; reference:url,doc.emergingthreats.net/2009388; classtype:trojan-activity; sid:2009388; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura - Landing Page - Received"; flow:established,to_client; file_data; content:"value"; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27]((?P<hex>%[A-Fa-f0-9]{2})|(?P<ascii>[a-zA-Z0-9]))((?P=hex){10}|(?P=ascii){10})/R"; content:"var PluginDetect"; distance:0; classtype:exploit-kit; sid:2016791; rev:6; metadata:created_at 2013_04_27, updated_at 2013_04_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Agent.cav Url Pattern Detected (ping)"; flow:established,to_server; content:"/ping/"; nocase; http_uri; pcre:"/\/ping\/[0-9a-fA-F]{64}\/[0-9a-fA-F]+\/[0-9a-fA-F]/Ui"; reference:url,doc.emergingthreats.net/2007284; classtype:trojan-activity; sid:2007284; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura - Java Exploit Recievied"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"javax/crypto/spec/SecretKeySpec"; distance:0; classtype:exploit-kit; sid:2016785; rev:3; metadata:created_at 2013_04_26, updated_at 2013_04_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HotLan.C Spambot Trojan Activity"; flow:to_server,established; content:"GET"; http_method; content:"|3F|mod|3D|"; fast_pattern:only; http_uri; content:"&id="; http_uri; content:"&up="; http_uri; content:"&mid="; http_uri; pcre:"/\x3Fmod\x3D\w*?\x26id\x3D[^\x26\s]+?\x5F\w+?\x26up\x3D[^\x26]+?\x26mid\x3D[^\x26\s]/Ui"; reference:url,doc.emergingthreats.net/2008473; classtype:trojan-activity; sid:2008473; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL Injection List Priveleges Attempt"; flow:established,to_server; content:"SELECT"; http_uri; nocase; content:"PRIV"; http_uri; nocase; distance:0; pcre:"/\bSELECT.*?\bPRIV/Ui"; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016937; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_05_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Lydra.hj HTTP Checkin"; flow:established,to_server; content:"/NewsFolder/News00"; http_uri; content:".ASP?id="; http_uri; pcre:"/\/NewsFolder\/News00\d\d\.ASP\?id=/U"; pcre:"/Host\: \d+\.\d+\.\d+\.\d/"; reference:url,doc.emergingthreats.net/2008130; classtype:command-and-control; sid:2008130; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura - Landing Page - Received May 29 2013"; flow:established,to_client; file_data; content:"<div id"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27][^\x22\x27]+?[\x22\x27][^>]*?>((?P<hex>%[A-Fa-f0-9]{2})|(?P<ascii>[a-zA-Z0-9]))((?P=hex){9,20}|(?P=ascii){9,20})%3C/R"; content:"{version:|22|0.8.0|22|"; distance:0; nocase; classtype:exploit-kit; sid:2016942; rev:6; metadata:created_at 2013_05_29, updated_at 2013_05_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Mitglieder Proxy Bot Checking In"; flow:established,to_server; content:"/scr5.php"; nocase; http_uri; pcre:"/\/scr5\.php\?p=\d+&id=\d/Ui"; reference:url,isc.sans.org/diary.php?storyid=722; reference:url,doc.emergingthreats.net/2002387; classtype:trojan-activity; sid:2002387; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Neosploit Exploit Pack Activity Observed"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| "; nocase; pcre:"/\.(php|asp|py|exe|htm|html)\/[joewxy](U[0-9a-f]{8})?H[0-9a-f]{8}V[0-9a-f]{8}\d{3}R[0-9a-f]{8}\d{3}T[0-9a-f]{8,}/U"; reference:url,blog.fireeye.com/research/2010/01/pdf-obfuscation.html; reference:url,blog.fireeye.com/research/2010/06/neosploit_notes.html; reference:url,dxp2532.blogspot.com/2007/12/neosploit-exploit-toolkit.html; classtype:attempted-user; sid:2011583; rev:4; metadata:created_at 2010_10_02, former_category CURRENT_EVENTS, updated_at 2010_10_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED QQPass Related User-Agent Infection Checkin (App4)"; flow:to_server,established; content:"User-Agent|3a| App"; http_header; content:!"Host|3a| liveupdate.symantecliveupdate.com|0d 0a|"; http_header; pcre:"/^User-Agent\: App\d/Hmi"; reference:url,doc.emergingthreats.net/2007569; classtype:trojan-activity; sid:2007569; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 2"; flow:to_server,established; pcre:"/^\d+?.\x00\x00\x00/"; byte_extract:4,-4,d_size,relative,little; byte_test:4,>,d_size,0,relative,little; content:"|78 9c|"; distance:4; within:2; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2016962; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_01, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Small.zon checkin"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?n="; http_uri; content:"&id="; http_uri; content:"&t="; http_uri; content:"&i="; http_uri; pcre:"/\?n=\d+&id=.+&t=.+&i=\d/Ui"; reference:url,doc.emergingthreats.net/2009300; classtype:command-and-control; sid:2009300; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Jar Request (3)"; flow:established,to_server; content:"/j17.php?i="; http_uri; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; classtype:exploit-kit; sid:2016365; rev:5; metadata:created_at 2013_02_07, former_category CURRENT_EVENTS, updated_at 2013_02_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Small.qh/xSock Checkin URL Detected"; flow:established,to_server; content:"port="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&sm="; nocase; http_uri; pcre:"/port=\d/Ui"; pcre:"/id=[a-f0-9-]+&/Ui"; reference:url,doc.emergingthreats.net/2007610; classtype:command-and-control; sid:2007610; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura obfuscated javascript Jun 1 2013"; flow:established,from_server; file_data; content:"a5chZev!"; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016966; rev:7; metadata:created_at 2013_06_04, updated_at 2013_06_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zlob Updating via HTTP (v2)"; flow:established,to_server; content:".php?Code="; nocase; http_uri; content:"&V="; nocase; http_uri; content:"&ID="; nocase; http_uri; pcre:"/Code=\d/Ui"; pcre:"/ID=.{40}&.{6}/Ui"; reference:url,doc.emergingthreats.net/2007620; classtype:trojan-activity; sid:2007620; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET GAMES PunkBuster Server webkey Buffer Overflow"; flow:established,to_server; content:"/pbsvweb"; http_uri; nocase; content:"webkey="; nocase; isdataat:500,relative; content:!"|0A|"; within:500; content:!"&"; within:500; reference:url,aluigi.altervista.org/adv/pbwebbof-adv.txt; reference:url,doc.emergingthreats.net/2002947; classtype:attempted-admin; sid:2002947; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; content:"/awstats.pl?"; nocase; http_uri; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system)/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; reference:url,doc.emergingthreats.net/2001686; classtype:web-application-attack; sid:2001686; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DELETED Possible Open SIP Relay scanner Fake Eyebeam User-Agent Detected"; content:"User-Agent|3A| eyeBeam release"; nocase; reference:url,honeynet.org.au/?q=open_sip_relay_scanner; classtype:attempted-recon; sid:2012183; rev:3; metadata:created_at 2011_01_15, updated_at 2011_01_15;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CutePHP CuteNews directory traversal vulnerability - show_news"; flow:to_server,established; content:"/show_news.php"; nocase; http_uri; content:"template="; nocase; http_uri; pcre:"/template=[./]/Ui"; reference:bugtraq,15295; reference:url,doc.emergingthreats.net/2002668; classtype:misc-activity; sid:2002668; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor Login"; flow:to_server,established; content:"|c4 4c 87 3f 11 1e c4 1a|"; depth:8; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016986; rev:2; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CutePHP CuteNews directory traversal vulnerability - show_archives"; flow:to_server,established; content:"/show_archives.php"; nocase; http_uri; content:"template="; nocase; http_uri; pcre:"/template=[./]/Ui"; reference:bugtraq,15295; reference:url,doc.emergingthreats.net/2003152; classtype:misc-activity; sid:2003152; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor SysInfo Response header"; flow:to_server,established; content:"|ac 09 7b 09 4b 2a 92 bd ac 00|"; depth:10; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016987; rev:2; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Phoenix Java Exploit Attempt Request for .class from octal host"; flow:established,to_server; content:".class|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012609; rev:6; metadata:created_at 2011_03_31, former_category CURRENT_EVENTS, updated_at 2011_03_31;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor File Manager Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff 37 b3 2a b3 25 ff 76 ac 00|"; depth:14; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016988; rev:3; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s+\x22-W\s+\d/smi"; reference:bugtraq,8875; reference:cve,2003-0853; reference:cve,2003-0854; classtype:misc-attack; sid:2102272; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor File Download Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff 0c bd 55 2a 04 bd b3 6c ac 00|"; depth:15; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016989; rev:2; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)"; flow:established,to_client; file_data; flowbits:isset,ET.http.binary; content:"CheckRemoteDebuggerPresent"; classtype:misc-activity; sid:2015745; rev:2; metadata:created_at 2012_09_28, updated_at 2012_09_28;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor File Upload Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff cf 50 04 bd b3 6c ac 00|"; depth:13; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016990; rev:2; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gator Checkin"; flow: to_server,established; content:"/gbsf/"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000595; classtype:policy-violation; sid:2000595; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT pamdql Exploit Kit 09/25/12 Sending Jar"; flow:established,from_server; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}$/C"; content:"/x-java-archive|0d 0a|"; fast_pattern:only; http_header; file_data; content:"PK"; within:2; classtype:exploit-kit; sid:2015724; rev:10; metadata:created_at 2012_09_21, former_category EXPLOIT_KIT, updated_at 2012_09_21;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Try Prototype Catch May 14 2012"; flow:from_server,established; content:"try{"; content:"=prototype|3b|}catch("; within:30; classtype:trojan-activity; sid:2014747; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT pamdql obfuscated javascript --- padding"; flow:established,from_server; file_data; content:"d---o---c---u---m---"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015738; rev:3; metadata:created_at 2012_09_26, former_category CURRENT_EVENTS, updated_at 2012_09_26;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)"; content:"|0d 0a|User-Agent|3A| friendly-scanner"; threshold: type limit, track by_src, count 5, seconds 120; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011716; classtype:attempted-recon; sid:2011716; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert  http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql applet with obfuscated URL"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"103hj115hj115hj111hj57hj46hj46hj"; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015739; rev:6; metadata:created_at 2012_09_26, updated_at 2012_09_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:attempted-user; sid:2015664; rev:3; metadata:created_at 2012_08_29, updated_at 2012_08_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql obfuscated javascript _222_ padding"; flow:established,from_server; file_data; content:"d_222_o_222_c_222_u_222_"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015785; rev:4; metadata:created_at 2012_10_09, updated_at 2012_10_09;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|00 00 07|"; depth:16; content:"|02|eu|00|"; fast_pattern:only; pcre:"/\x00\x07[a-z]{7}\x02eu\x00/"; threshold: type both, count 5, seconds 120, track by_src; classtype:command-and-control; sid:2014371; rev:6; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql obfuscated javascript -_-- padding"; flow:established,from_server; file_data; content:"d-_--o-_--c-_--u-_--"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015801; rev:4; metadata:created_at 2012_10_16, updated_at 2012_10_16;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DELETED Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt"; content:"REGISTER"; depth:8; nocase; isdataat:400,relative; pcre:"/REGISTER.{400}/smi"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19915; reference:cve,2010-0569; reference:url,doc.emergingthreats.net/2010818; classtype:attempted-dos; sid:2010818; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql obfuscated javascript __-_ padding"; flow:established,from_server; file_data; content:"d__-_o__-_c__-_u__-_m__-_e__-_n__-_t"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015845; rev:4; metadata:created_at 2012_10_26, updated_at 2012_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole OBE Java Exploit request to /content/obe.jar"; flow:established,to_server; content:"/content/obe.jar"; http_uri; reference:cve,CVE-2010-0840; reference:cve,CVE-2010-0842; classtype:trojan-activity; sid:2014160; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Srv.SSA-KeyLogger Checkin Traffic"; flow:to_server,established; content:"Srv.SSA-KeyLogger"; http_uri; reference:url,doc.emergingthreats.net/2002175; classtype:command-and-control; sid:2002175; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit Java Exploit request to /Set1.jar 6th July 2012"; flow:established,to_server; content:"/Set1.jar"; http_uri; classtype:exploit-kit; sid:2015046; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert ip $HOME_NET any -> [50.57.148.87,166.78.144.80] any (msg:"ET MALWARE Connection to Georgia Tech Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016994; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Blackhole Java Exploit request to spn.jar"; flow:established,to_server; content:"/spn.jar"; http_uri; nocase; classtype:trojan-activity; sid:2015001; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert ip $HOME_NET any -> 176.31.62.76 any (msg:"ET MALWARE Connection to Zinkhole Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016996; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to Half.jar"; flow:established,to_server; content:"/Half.jar"; http_uri; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014918; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert ip $HOME_NET any -> 212.227.20.19 any (msg:"ET MALWARE Connection to 1&1 Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016995; rev:3; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Set.jar"; flow:established,to_server; content:"/Set.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014746; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert ip $HOME_NET any -> 91.233.244.106 any (msg:"ET MALWARE Connection to Dr Web Sinkhole IP(Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016997; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Cal.jar"; flow:established,to_server; content:"/Cal.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014724; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_09, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert ip $HOME_NET any -> 193.166.255.171 any (msg:"ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016998; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Edu.jar"; flow:established,to_server; content:"/Edu.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014642; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_26, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert ip $HOME_NET any -> 148.81.111.111 any (msg:"ET MALWARE Connection to a cert.pl Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2017001; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Klot.jar"; flow:established,to_server; content:"/Klot.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014536; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_10, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxy.Win32.Fackemo.g/Katusha/FakeAlert Checkin"; flow:to_server,established; content:"POST"; http_method; content:"magic="; http_uri; content:"&id="; http_uri; content:"&cache="; http_uri; content:"&tm="; http_uri; content:"&ox="; http_uri; content:!"Mozilla"; http_user_agent; reference:md5,29457bd7a95e11bfd0e614a6e237a344; reference:md5,173a060ed791e620c2ec84d7b360ed60; reference:url,www.bugbopper.com/NameLookup.asp?Name=Packed_Win32_TDSS_o; classtype:command-and-control; sid:2008523; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit JAR from //Home/"; flow:established,to_server; content:"GET //Home/"; depth:11; fast_pattern; content:".jar"; http_uri; nocase; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:exploit-kit; sid:2014457; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access"; flow:established,to_client; file_data; content:"ScriptBridge.ScriptBridge"; content:"|00|h|00|t|00|t|00|p|00 3a 00 2f 00 2f 00|"; content:"|2f 00|v|00|w|00|.|00|p|00|h|00|p|00|?|00|i|00|="; distance:0; fast_pattern; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017006; rev:5; metadata:created_at 2013_06_12, updated_at 2013_06_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /content/viewer.jar"; flow:established,to_server; content:"/content/viewer.jar"; http_uri; classtype:trojan-activity; sid:2014299; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_02, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY JBOSS/JMX port 80 access from outside"; flow:established,to_server; content:"GET"; http_method; content:"/jmx-console"; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 60; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010377; classtype:web-application-attack; sid:2010377; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /content/jav2.jar"; flow:established,to_server; content:"/content/jav2.jar"; http_uri; classtype:trojan-activity; sid:2014278; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Open Web Analytics mw_plugin.php IP Parameter Remote File inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/mw_plugin.php?"; nocase; http_uri; content:"IP="; nocase; http_uri; pcre:"/IP=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/11903/; classtype:web-application-attack; sid:2011881; rev:5; metadata:created_at 2010_10_29, updated_at 2010_10_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request similar to /content/jav.jar"; flow:established,to_server; content:"/content/jav"; http_uri; content:".jar"; http_uri; pcre:"/\/content\/jav\d?\.jar$/U"; classtype:trojan-activity; sid:2014245; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_20, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103043; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /content/rin.jar"; flow:established,to_server; content:"/content/rin.jar"; http_uri; classtype:trojan-activity; sid:2014196; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"ET DOS FreeBSD NFS RPC Kernel Panic"; flow:to_server,established; content:"|00 01 86 a5|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 00 00 00 00 00|"; offset:0; depth:6; reference:cve,2006-0900; reference:bugtraq,19017; reference:url,doc.emergingthreats.net/bin/view/Main/2002853; classtype:attempted-dos; sid:2002853; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Rhino Java Exploit request to /content/rino.jar"; flow:established,to_server; content:"/content/rino.jar"; http_uri; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014159; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Softspydelete.com Fake Anti-Spyware Checkin"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"a1="; nocase; http_uri; content:"&a2="; nocase; http_uri; content:"&a3="; nocase; http_uri; content:"Windows"; nocase; http_uri; content:"&a4=Build"; nocase; http_uri; content:"&a5="; nocase; http_uri; content:"&table="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007842; classtype:trojan-activity; sid:2007842; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Rhino Java Exploit request to /content/v1.jar"; flow:established,to_server; content:"/content/v1.jar"; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014050; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_30, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zhelatin Variant Checkin"; flow:established,to_server; content:"/adload.php?a1="; nocase; http_uri; content:"a3="; nocase; http_uri; content:"&a4="; nocase; http_uri; content:"&a5="; nocase; http_uri; content:!"User-Agent|3a|"; http_header; content:"Host|3a|"; http_header; reference:url,doc.emergingthreats.net/2003408; classtype:trojan-activity; sid:2003408; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"chcyih.class"; classtype:trojan-activity; sid:2015486; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TrojanSpy.KeyLogger Hangover Campaign User-Agent(file)"; flow:established,to_server; content:"User-Agent|3a| file|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016890; rev:3; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
 
-alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows "; content:"Copyright |28|c|29| 20"; distance:0; content:"Microsoft Corp"; distance:0; reference:nessus,11633; classtype:successful-admin; sid:2102123; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Karagany encrypted binary (3)"; flow:established,to_client; file_data; content:"|f2 fd 90 00 bc a7 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016970; rev:4; metadata:created_at 2013_06_05, former_category EXPLOIT_KIT, updated_at 2013_06_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download - SET"; flow:from_server,established; file_data; content:"|7B 5C 72 74 66 31|"; within:6; flowbits:set,ET.http.rtf.download; flowbits:noalert; reference:cve,2012-0183; classtype:attempted-user; sid:2015790; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_10_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Net User Command Response"; flow:established; content:"User accounts for |5C 5C|"; fast_pattern; content:"-------------------------------------------------------------------------------"; distance:0; classtype:successful-user; sid:2017025; rev:3; metadata:created_at 2013_06_18, updated_at 2013_06_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BegOpEK - TDS - icon.php"; flow:established,to_server; content:"/icon.php"; urilen:9; classtype:exploit-kit; sid:2015789; rev:2; metadata:created_at 2012_10_10, updated_at 2012_10_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Webserver Backdoor Domain (google-analytcs)"; flow:established,to_server; content:"google-analytcs.com|0d 0a|"; nocase; http_header; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:2017027; rev:2; metadata:created_at 2013_06_18, updated_at 2013_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - TDS"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:attempted-user; sid:2015692; rev:3; metadata:created_at 2012_09_11, updated_at 2012_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT MALVERTISING Unknown_InIFRAME - RedTDS URI Structure"; flow:established,to_server; content:"/red"; depth:7; http_uri; content:".php"; distance:2; within:6; http_uri; pcre:"/^\/[0-9]{1,2}\/red[0-9]{1,4}\.php[0-9]{0,1}$/Ui"; classtype:exploit-kit; sid:2017028; rev:2; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
 
-#alert http $HOME_NET any -> 209.139.208.0/23 $HTTP_PORTS (msg:"ET EXPLOIT_KIT Scalaxy Secondary Landing Page 10/11/12"; flow:to_server,established; content:"/q"; http_uri; depth:2; pcre:"/^\/q[a-zA-Z0-9+-]{3,14}\/[a-zA-Z0-9+-]{3,16}\?[a-z]{1,6}=[a-zA-Z0-9+-\._]{7,18}$/U"; classtype:exploit-kit; sid:2015792; rev:2; metadata:created_at 2012_10_12, updated_at 2012_10_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_InIFRAME - URI Structure"; flow:established,to_server; content:"/iniframe/"; depth:10; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/"; distance:1; within:5; http_uri; content:"/"; distance:32; within:1; http_uri; classtype:exploit-kit; sid:2017029; rev:5; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
 
-#alert http $HOME_NET any -> 209.139.208.0/23 any (msg:"ET EXPLOIT Scalaxy Java Exploit 10/11/12"; flow:to_server,established; content:"/m"; http_uri; depth:2; pcre:"/^\/m[a-zA-Z0-9-_]{3,14}\/[a-zA-Z0-9-_]{3,17}$/U"; classtype:trojan-activity; sid:2015793; rev:2; metadata:created_at 2012_10_12, former_category CURRENT_EVENTS, updated_at 2012_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_InIFRAME - Redirect to /iniframe/ URI"; flow:established,to_client; content:"302"; http_stat_code; content:"/iniframe/"; http_header; classtype:exploit-kit; sid:2017030; rev:2; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
 
-#alert ip $HOME_NET any -> [184.82.162.163/32,184.22.103.202/32,158.255.211.28/32] any (msg:"ET DELETED Possible XDocCrypt/Dorifel CnC IP"; threshold:type limit, track by_src, count 1, seconds 600; reference:url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus; classtype:command-and-control; sid:2015630; rev:5; metadata:created_at 2012_08_16, updated_at 2012_08_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT MALVERTISING Flash - URI - /loading?vkn="; flow:established,to_server; content:"/loading?vkn="; http_uri; classtype:trojan-activity; sid:2017032; rev:2; metadata:created_at 2013_06_19, former_category CURRENT_EVENTS, updated_at 2013_06_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ProxyBox - HTTP CnC - proxy_info.php"; flow:established,to_server; content:"/proxy_info.php"; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015509; rev:3; metadata:created_at 2012_07_21, updated_at 2012_07_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NailedPack EK Landing June 18 2013"; flow:established,to_client; file_data; content:"report_and_get_exploits(_0x"; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:exploit-kit; sid:2017034; rev:2; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET DELETED Blackhole 2 Landing Page (5)"; flow:to_server,established; content:"/forum/links/column.php"; http_uri; nocase; content:".ru:8080|0d 0a|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015802; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Landing URI Struct"; flow:established,to_server; content:".php?"; http_uri; content:"v=1."; http_uri; fast_pattern; content:"."; http_uri; distance:1; within:1; pcre:"/\.php\?(b=[a-fA-F0-9]{6}&)?v=1\.(?:(?:4\.[0-2]\.[0-3]|5\.0\.[0-2]|6.0\.[0-4])\d?|[7-8]\.0\.\d{1,2})$/U"; classtype:exploit-kit; sid:2017040; rev:2; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2013_06_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mini-Flame v 4.x C2 HTTP request"; flow:established,to_server; content:"/cgi-bin/feed.cgi"; http_uri; fast_pattern:only; pcre:"/(?:web(?:\.(?:velocitycache\.com|autoflash\.info)|update\.(?:dyndns\.info|hopto\.org)|app\.serveftp\.com)|flash(?:center\.info|rider\.org)|cache\.dyndns\.info)\r?$/Hmi"; reference:url,www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_friends; classtype:command-and-control; sid:2015805; rev:2; metadata:created_at 2012_10_16, former_category MALWARE, updated_at 2012_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving UDP DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-udp "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017051; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mini-Flame v 5.x C2 HTTP request"; flow:established,to_server; content:"/cgi-bin/counter.cgi"; http_uri; fast_pattern:only; pcre:"/(?:(?:nvidia(?:s(?:tream|oft)|drivers)|(?:rendercode|videosyn)c|flashupdates|syncstream)\.info|194\.192\.14\.125|202\.75\.58\.179)\r?$/Hmi"; reference:url,www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_friends; classtype:command-and-control; sid:2015806; rev:2; metadata:created_at 2012_10_16, former_category MALWARE, updated_at 2012_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving IP2 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-ip2 "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017050; rev:4; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole 2 PDF Exploit"; flow:established,from_server; file_data; content:"/Index[5 1 7 1 9 4 23 4 50 3]"; flowbits:isset,ET.pdf.in.http; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015804; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving IP DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-ip "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017049; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Uncompressed) Exploit Specific"; flow:from_server,established; flowbits:isset,OLE.CompoundFile; file_data; content:"FWS"; content:"kern"; distance:0; flowbits:set,Ole.Flash.kernpresent; flowbits:noalert; classtype:trojan-activity; sid:2015809; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_10_17, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving POST2 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-post2 http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017048; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Uncompressed) Exploit Specific"; flow:from_server,established; flowbits:isset,Ole.Flash.kernpresent; file_data; content:"heapSpray"; classtype:trojan-activity; sid:2015810; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_10_17, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving POST1 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-post1 http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017047; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole2 - Client reporting targeted software versions"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; content:"="; distance:0; http_uri; content:"&"; http_uri; distance:64; within:1; content:"="; http_uri; distance:0; content:"&"; http_uri; distance:20; within:1; pcre:"/\.php\?[a-z]+=[a-f0-9]{64}&[^\?]+=[a-f0-9]{20}&/U"; classtype:attempted-user; sid:2015716; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving GET DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-get http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017046; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yoyo-DDoS Bot HTTP Flood Attack Outbound"; flow:established,to_server; content:"|0d 0a|Accept-Encoding|3A| g|7b|ip|2C| deflate|0d 0a|"; http_header; content:"|0d 0a|Connection|3A| Keep|2D|Alivf|0d 0a|"; http_header; threshold:type limit, count 5, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:denial-of-service; sid:2011403; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot Download and Execute Scheduled file command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Download and Execute Scheduled [File|3a|"; classtype:trojan-activity; sid:2017057; rev:1; metadata:created_at 2013_06_25, updated_at 2013_06_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 10/17/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern; distance:0; content:"Mac.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015812; rev:3; metadata:created_at 2012_10_18, updated_at 2012_10_18;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot CnC2"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:" |3a|[AryaN]|3a| "; within:30; content: "download"; nocase; classtype:command-and-control; sid:2017056; rev:1; metadata:created_at 2013_06_25, former_category MALWARE, updated_at 2013_06_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downadup/Conficker A Worm reporting"; flow:to_server,established; content:"/search?q="; http_uri; content:"&aq="; http_uri; pcre:"/\/search\?q\=\d+&aq=\d/mi"; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009114; classtype:trojan-activity; sid:2009114; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64"; flow:established,to_client; file_data; content:"X19hcHBsZXRfc3N2X3ZhbGlkYXRl"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2016796; rev:5; metadata:created_at 2013_04_28, updated_at 2013_04_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole2 Non-Vulnerable Client Fed Fake Flash Executable"; flow: established,to_server; content:"/adobe/update_flash_player.exe"; http_uri; reference:url,research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html; classtype:trojan-activity; sid:2015817; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 2"; flow:established,to_client; file_data; content:"9fYXBwbGV0X3Nzdl92YWxpZGF0"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2016817; rev:4; metadata:created_at 2013_05_04, updated_at 2013_05_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GeckaSeka User-Agent"; flow:established,to_server; content:"GeckaSeka"; http_user_agent; classtype:trojan-activity; sid:2015824; rev:6; metadata:created_at 2012_10_19, updated_at 2012_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 3"; flow:established,to_client; file_data; content:"fX2FwcGxldF9zc3ZfdmFsaWRhdGVk"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2016818; rev:4; metadata:created_at 2013_05_04, updated_at 2013_05_04;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Googlebot Crawl"; flow:established,to_server; content:"googlebot"; nocase; http_user_agent; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.google.com/webmasters/bot.html; reference:url,doc.emergingthreats.net/2002829; classtype:attempted-recon; sid:2002829; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Dotka Chef EK exploit/payload URI request"; flow:to_server,established; content:"?f="; http_uri; content:"&k="; http_uri; pcre:"/&k=\d{16}(&|$)/U"; content:"Java/1"; http_user_agent; classtype:exploit-kit; sid:2017020; rev:10; metadata:created_at 2013_06_15, updated_at 2013_06_15;)
 
-#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Tilde in URI after file, potential source disclosure vulnerability"; flow:established,from_server; pcre:"/^HTTP\x2f1\.[01] 200/"; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009954; classtype:web-application-attack; sid:2009954; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt"; flow:established,to_server; content:"/zport/dmd/Devices/devices/localhost/manage_doUserCommand"; nocase; http_uri; content:"commandId="; http_uri; nocase; distance:0; pcre:"/commandId\x3D[a-z]/Ui"; reference:url,www.securityfocus.com/bid/37843; reference:url,doc.emergingthreats.net/2010762; classtype:web-application-attack; sid:2010762; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File Magic Bytes Flowbit Set"; flow:to_client,established; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; within:8; content:!".msi"; flowbits:set,OLE.CompoundFile; flowbits:noalert; classtype:protocol-command-decode; sid:2012520; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot CnC1"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:"|20 3a 03|10OK|3a 03 20|"; within:30; classtype:command-and-control; sid:2017055; rev:1; metadata:created_at 2013_06_25, former_category MALWARE, updated_at 2013_06_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JavaScript Obfuscation JSXX Script"; flow:established,to_client; file_data; content:"Encrypt "; content:"JSXX"; fast_pattern; distance:0; content:"VIP"; within:100; reference:cve,2012-0003; reference:url,eromang.zataz.com/2012/10/22/gong-da-gondad-exploit-pack-evolutions/; classtype:attempted-user; sid:2014155; rev:5; metadata:created_at 2012_01_28, updated_at 2012_01_28;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot Flood command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Flood|3a| Started [Type|3a|"; classtype:trojan-activity; sid:2017058; rev:1; metadata:created_at 2013_06_25, updated_at 2013_06_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access Video Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/video/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015834; rev:7; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot Botkill command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Botkill|3a| Cycled once"; classtype:trojan-activity; sid:2017059; rev:1; metadata:created_at 2013_06_25, updated_at 2013_06_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel API Access Iframer Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/iframer/"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015827; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Keylogger Crack by bahman"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&message=|2b|keylogger|2b|Crack|2b|By|2b 25 32 31 25 32 31 25 32 31|...bahman"; nocase; http_client_body; reference:url,doc.emergingthreats.net/2008369; classtype:trojan-activity; sid:2008369; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access IFramer Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/iframer/"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015828; rev:7; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query for Sykipot C&C www.prettylikeher.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|prettylikeher|03|com"; fast_pattern; distance:0; nocase; reference:cve,CVE-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:trojan-activity; sid:2014005; rev:3; metadata:created_at 2011_12_09, updated_at 2011_12_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel API Access VNC Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/vnc/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015829; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|74 3d c0 19|"; within:4; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016733; rev:4; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access VNC Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/vnc/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015830; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - GOD Hacker"; flow:established,to_client; file_data; content:"GOD Hacker"; classtype:trojan-activity; sid:2017083; rev:2; metadata:created_at 2013_07_02, updated_at 2013_07_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel API Access Bot Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/bots/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015831; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - Auth Prompt"; flow:established,to_client; file_data; content:"name=|22|haz|22| value=|22|pasa|22|>"; classtype:trojan-activity; sid:2017087; rev:3; metadata:created_at 2013_07_02, updated_at 2013_07_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access Bot Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/bots/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015832; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Pouya - Pouya_Server Shell"; flow:established,to_client; file_data; content:"Pouya_Server Shell"; classtype:trojan-activity; sid:2017089; rev:2; metadata:created_at 2013_07_02, updated_at 2013_07_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Citadel API Access Video Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/video/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015833; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - GODSpy title"; flow:established,to_client; file_data; content:"GODSpy</title>"; classtype:trojan-activity; sid:2017084; rev:3; metadata:created_at 2013_07_02, updated_at 2013_07_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown base64-style Java-based Exploit Kit using github as initial director"; flow:established,to_server; content:"%3D HTTP/1."; fast_pattern:only; content:"/?"; http_uri; isdataat:45,relative; pcre:"/\/\?[a-z0-9]{5,}=[a-zA-Z0-9\x25]{40,}\x253D$/I"; classtype:exploit-kit; sid:2015699; rev:3; metadata:created_at 2012_09_12, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Exploit Kit Hostile Jar pipe.class"; flow:established,from_server; file_data; content:"PK"; within:2; content:"|00|pipe.class"; fast_pattern; content:"|00|inc.class"; content:"|00|fdp.class"; classtype:exploit-kit; sid:2017095; rev:2; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2013_07_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus/Citadel Control Panel Access (Outbound)"; flow:established,to_server; content:".php?m=login"; fast_pattern:only; http_uri; nocase; content:"user="; depth:5; http_client_body; nocase; content:"pass="; http_client_body; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015825; rev:8; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Lucky7 EK Landing Encoded Plugin-Detect"; flow:established,from_server; file_data; content:"JTc1JTY3JTY5JTZlJTQ0JTY1JTc0JTY1JTYzJTc0JTJlJTY3JTY1JTc0JTU2JTY1JTcyJTcz"; classtype:exploit-kit; sid:2017098; rev:2; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2013_07_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zeus/Citadel Control Panel Access (Inbound)"; flow:established,to_server; content:".php?m=login"; http_uri; fast_pattern:only; nocase; content:"user="; depth:5; http_client_body; nocase; content:"pass="; http_client_body; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015826; rev:8; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
+alert udp any any -> $HOME_NET [623,664] (msg:"ET EXPLOIT IPMI Cipher 0 Authentication mode set"; content:"|07 06 10 00 00 00 00 00 00 00 00|"; offset:3; depth:11; content:"|00 00|"; distance:2; within:2; content:"|00 00 00 08 00 00 00 00 01 00 00 08 00 00 00 00 02 00 00 08 00 00 00 00|"; distance:6; within:24; reference:url,www.intel.com/content/dam/www/public/us/en/documents/product-briefs/second-gen-interface-spec-v2.pdf; reference:url,community.rapid7.com/community/metasploit/blog/2013/06/23/a-penetration-testers-guide-to-ipmi; classtype:attempted-admin; sid:2017094; rev:3; metadata:created_at 2013_07_04, updated_at 2013_07_04;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|00 c8 b9 67 4e 25 75 e9 92|"; content:"|55 04 06 13 02 4e 4c|"; distance:0; content:"|55 04 07 0c 01 20|"; distance:0; content:"|55 04 03 0c 01 20|"; distance:0; classtype:exploit-kit; sid:2015837; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet with obfuscated URL April 01 2013"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!(?i:<\/applet>)).)+?[\r\n\s]value[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?(\d{2,3})?(?P<sep>([^a-zA-Z0-9]{1,100}|[a-zA-Z0-9]{1,100}))\d{2,3}((?P=sep)\d{2,3}){20}/Rs"; classtype:exploit-kit; sid:2016705; rev:19; metadata:created_at 2013_04_01, former_category EXPLOIT_KIT, updated_at 2013_04_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/Applet.jar"; http_uri; fast_pattern:only; pcre:"/^\/Applet\.jar$/U"; classtype:exploit-kit; sid:2015841; rev:3; metadata:created_at 2012_10_25, former_category EXPLOIT_KIT, updated_at 2012_10_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool Exploit Kit Plugin-Detect July 08 2013"; flow:established,from_server; file_data; content:"cGRwZD17dmVyc2lvbjoiMC4"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017117; rev:2; metadata:created_at 2013_07_09, former_category EXPLOIT_KIT, updated_at 2013_07_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/beacon/"; http_uri; fast_pattern:only; pcre:"/\/beacon\/[a-f0-9]{8}\.htm$/U"; classtype:exploit-kit; sid:2015840; rev:3; metadata:created_at 2012_10_25, former_category EXPLOIT_KIT, updated_at 2012_10_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sibhost Zip as Applet Archive July 08 2013"; flow:established,from_server; file_data; content:"getVersion("; content:"<applet"; fast_pattern; distance:0; nocase; pcre:"/^((?!(?i:<\/applet>)).)+?[\r\n\s]archive[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\.zip[\x22\x27]/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017118; rev:2; metadata:created_at 2013_07_09, updated_at 2013_07_09;)
 
-alert udp $HOME_NET 5355 -> any any (msg:"ET INFO LLNMR query response to wpad"; content:"|80 00 00 01 00 01|"; offset:2; depth:6; content:"|04|wpad|00 00 01 00 01 04|wpad|00 00 01 00 01|"; distance:0; isdataat:7,relative; classtype:misc-activity; sid:2015842; rev:2; metadata:created_at 2012_10_25, updated_at 2012_10_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Redirection - Wordpress Injection"; flow:established,to_client; file_data; content:"15,15,155,152,44,54"; classtype:trojan-activity; sid:2017124; rev:2; metadata:affected_product Any, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_07_09, deployment Perimeter, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, tag Wordpress, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic Java Exploit Obfuscated With Allatori"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"Allatori"; nocase; fast_pattern:only; classtype:exploit-kit; sid:2014036; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_22, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gator/Clarian Spyware Posting Data"; flow: to_server,established; content:"/gs_med"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2003575; classtype:trojan-activity; sid:2003575; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"_CONF"; nocase; http_uri; pcre:"/_CONF\[.*\]=(data|https?|ftps?|php)\:\//Ui"; reference:url,securitydot.net/xpl/exploits/vulnerabilities/articles/1122/exploit.html; reference:url,doc.emergingthreats.net/2002996; classtype:web-application-attack; sid:2002996; rev:9; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JJEncode Encoded Script"; flow:established,from_server; file_data; content:"$$$$|3a|(![]+|22 22|)["; pcre:"/^(?P<global_var>((?!(\]\,__\$\x3a\+\+)).)+)]\,__\$\x3a\+\+(?P=global_var)/R"; classtype:bad-unknown; sid:2017127; rev:2; metadata:created_at 2013_07_11, updated_at 2013_07_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"NewClass1.class"; classtype:trojan-activity; sid:2015488; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer Use-After-Free CVE-2013-3163"; flow:established,from_server; file_data; content:"<bdo"; nocase; pcre:"/^[\r\n\s\+\>]((?!<\/bdo>).)*?<fieldset[\r\n\s\+\>]((?!<\/fieldset>).)*?<\/bdo>/Rsi"; reference:cve,2013-3163; classtype:attempted-user; sid:2017133; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_07_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus POST Request to CnC - URL agnostic"; flow:established,to_server; content:"POST"; nocase; http_method; content:" HTTP/1."; content:"|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a| Mozilla"; distance:1; within:34; fast_pattern; content:"|0D 0A|"; distance:0; content:"Content-Length|3a| "; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0D 0A|"; distance:0; content:"|3a| no-cache"; distance:0; content:"|0D 0A 0D 0A|"; distance:0; content:!"Content-Type|3a| "; http_header; content:!"NetflixId="; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2013976; rev:10; metadata:created_at 2011_12_01, former_category MALWARE, updated_at 2011_12_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3163"; flow:established,from_server; file_data; content:".contentEditable"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?true/Ri"; content:"var"; pcre:"/^[\r\n\s\+]+?(?P<var>[^\r\n\s\+\x3d]+)[\r\n\s\+]*?=[\r\n\s\+]*?[^\)]+\.createElement\(.+?\.body.appendChild\([\r\n\s]*?[\x22\x27]?(?P=var)[\x22\x27]?[\r\n\s]*?\).+\b(?P=var)\.innerHTML[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])(?P=q)/Rsi"; content:"CollectGarbage("; fast_pattern; nocase; distance:0; content:"eval("; distance:0; nocase; reference:cve,2013-3163; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017129; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_07_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Metasploit CVE-2012-1723 Path (Seen in Unknown EK) 10/29/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"cve1723/"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:exploit-kit; sid:2015849; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_10_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category EXPLOIT_KIT, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cryptmen FakAV page Title"; flow:established,from_server; file_data; content:"<title>Viruses were found on your computer</title>"; classtype:trojan-activity; sid:2017137; rev:2; metadata:created_at 2013_07_13, updated_at 2013_07_13;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible SQLMAP Scan"; flow:established,to_server; content:" AND "; http_uri; content:"AND ("; http_uri; pcre:"/\x20AND\x20[0-9]{6}\x3D[0-9]{4}/U"; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/; classtype:attempted-recon; sid:2012755; rev:4; metadata:created_at 2011_04_29, updated_at 2011_04_29;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Arachni Web Scan"; flow:established,to_server; content:"/Arachni-"; http_uri; threshold: type limit, track by_src, seconds 60, count 1; reference:url,www.arachni-scanner.com/; classtype:attempted-recon; sid:2017142; rev:2; metadata:created_at 2013_07_13, updated_at 2013_07_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Metasploit CVE-2012-1723 Attacker.class (Seen in Unknown EK) 11/01/12"; flow:to_client,established; file_data; content:"<applet"; content:"Attacker.class"; distance:0; classtype:exploit-kit; sid:2015859; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_11_02, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC USER Likely bot with 0 0 colon checkin"; flow:to_server,established; content:"USER|20|"; nocase; content:" 0 0 |3a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; classtype:misc-activity; sid:2025066; rev:1; metadata:created_at 2013_07_13, former_category CHAT, updated_at 2017_11_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/R 3"; within:200; pcre:"/^[\r\n\s]+((?!>>).)+?\/Length[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))/Rs"; classtype:trojan-activity; sid:2015867; rev:2; metadata:created_at 2012_11_07, updated_at 2012_11_07;)
+alert tcp any any -> any !6666:7000 (msg:"ET CHAT IRC USER Off-port Likely bot with 0 0 colon checkin"; flow:to_server,established; content:"USER|20|"; nocase; content:" 0 0 |3a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; classtype:misc-activity; sid:2025067; rev:1; metadata:created_at 2013_07_13, former_category CHAT, updated_at 2017_11_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.ADDNEW (DarKDdoser) CnC 1"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|ddoser|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:command-and-control; sid:2015868; rev:2; metadata:created_at 2012_11_07, former_category MALWARE, updated_at 2012_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTP Request Smuggling Attempt - Double Content-Length Headers"; flow:established,to_server; content:"Content-Length|3A|"; http_header; content:"Content-Length|3A|"; http_header; within:100; reference:url,www.owasp.org/index.php/HTTP_Request_Smuggling; classtype:web-application-attack; sid:2017146; rev:3; metadata:created_at 2013_07_13, updated_at 2013_07_13;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.ADDNEW (DarKDdoser) CnC 2"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|Zombie|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:command-and-control; sid:2015869; rev:2; metadata:created_at 2012_11_07, former_category MALWARE, updated_at 2012_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTP Request Smuggling Attempt - Two Transfer-Encoding Values Specified"; flow:established,to_server; content:"Transfer-Encoding"; http_header; content:"Transfer-Encoding"; http_header; within:100; reference:url,www.owasp.org/index.php/HTTP_Request_Smuggling; classtype:web-application-attack; sid:2017147; rev:2; metadata:created_at 2013_07_13, updated_at 2013_07_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.ADDNEW (DarKDdoser) CnC 3"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|Stable|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:command-and-control; sid:2015870; rev:2; metadata:created_at 2012_11_07, former_category MALWARE, updated_at 2012_11_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY Redirection - phpBB Injection"; flow:established,to_server; content:".js?"; http_uri; content:"&"; distance:6; within:1; http_uri; pcre:"/\/[0-9]{6}\.js\?[0-9]{6}&[0-9a-f]{16}$/Ui"; classtype:trojan-activity; sid:2017149; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/Length"; within:200; pcre:"/^[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))((?!>>).)+\/R\s+3[\r\n\s>]/Rs"; classtype:trojan-activity; sid:2015866; rev:4; metadata:created_at 2012_11_06, updated_at 2012_11_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious Redirect June 18 2013"; flow:established,to_client; file_data; content:",53,154,170,170,164,76,63,63,"; classtype:trojan-activity; sid:2017035; rev:3; metadata:created_at 2013_06_19, former_category CURRENT_EVENTS, updated_at 2013_06_19;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET EXPLOIT_KIT Self-Signed SSL Cert Used in Conjunction with Neosploit"; flow:from_server,established; content:"|16 03 01|"; content:"|00 be d3 cf b1 fe a1 55 bf|"; distance:0; content:"webmaster@localhost"; distance:0; content:"|30 81 89 02 81 81 00 ac 12 38 fc 5c bf 7c 8c 18 e7 db 09 dc|"; distance:0; classtype:exploit-kit; sid:2015865; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_11_06, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS trac q variable open redirect"; flow:to_server,established; content:"/search?q"; nocase; http_uri; pcre:"/search\?q=(ht|f)tp?\:\//iU"; reference:cve,CVE-2008-2951; reference:url,doc.emergingthreats.net/2008648; classtype:web-application-attack; sid:2008648; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Sakura Java applet with obfuscated URL Sep 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"nzzv@55"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015735; rev:3; metadata:created_at 2012_09_25, updated_at 2012_09_25;)
+#alert http any any -> $HOME_NET 3128 (msg:"ET DOS Squid-3.3.5 DoS"; flow:established,to_server; content:"Host|3a| "; http_header; pcre:"/^Host\x3a[^\x3a\r\n]+?\x3a[^\r\n]{6}/Hmi"; classtype:attempted-dos; sid:2017154; rev:2; metadata:created_at 2013_07_17, updated_at 2013_07_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Alms backdoor checkin"; content:"/getnewv.php?keyword=google&id="; http_uri; nocase; fast_pattern; content:"Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| en-US)"; http_user_agent; flow:to_server,established; classtype:command-and-control; sid:2012803; rev:5; metadata:created_at 2011_05_11, former_category MALWARE, updated_at 2011_05_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|58 23 3a d4|"; within:4; classtype:exploit-kit; sid:2016945; rev:8; metadata:created_at 2013_05_30, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for file containing Java payload URIs (3)"; flow:established,to_server; content:".php?asvvab=125qwafdsg"; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015871; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE E-Jihad 3.0 HTTP Activity 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/tlog.php?logn="; http_uri; pcre:"/\/tlog\.php\?logn=[^\s]+&pss=[^\s]/U"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007683; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED TDS Sutra Exploit Kit Redirect Received"; flow:established,from_server; content:"302"; http_stat_code; content:"=_"; http_header; content:"_|3b| domain="; http_header; distance:1; within:10; pcre:"/^[a-z]{5}\d=\x5f\d\x5f/C"; classtype:exploit-kit; sid:2014220; rev:7; metadata:created_at 2012_02_11, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE E-Jihad 3.0 HTTP Activity 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ntarg.php?"; http_uri; pcre:"/ntarg\.php\?[^\s]*(notdoing|howme|uname)=/U"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007684; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for Payload"; flow:established,to_server; content:".php?"; http_uri; content:"|3a|"; http_uri; fast_pattern; content:"|3a|"; distance:2; within:1; http_uri; content:"|3a|"; distance:2; within:1; http_uri; pcre:"/\.php\?[a-z]+=(([1-2][a-z]|3[0-9])\x3a){3,}([1-2][a-z]|3[0-9])&/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015872; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_08, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE E-Jihad 3.0 HTTP Activity 3"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/tnewu.php?nlogin="; http_uri; pcre:"/\/tnewu\.php\?nlogin=[^\s]+&npss=[^\s]+&invitedby=[^\s]/U"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007685; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern:only; content:"Anony"; pcre:"/^(mous)?\.class/R"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015876; rev:3; metadata:created_at 2012_11_10, updated_at 2012_11_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE - Trojan.Proxy.PPAgent.t (updatea)"; flow:to_server,established; content:"/updatea.php?p="; nocase; http_uri; pcre:"/updatea\.php\?p=\d/Ui"; flowbits:set,BT.ppagent.updatea; flowbits:noalert; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003115; classtype:trojan-activity; sid:2003115; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Landing Page NOP String"; flow:established,to_client; file_data; content:" == -1 {|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0"; distance:0; reference:url,ondailybasis.com/blog/?p=1610; classtype:exploit-kit; sid:2015881; rev:3; metadata:created_at 2012_11_14, former_category EXPLOIT_KIT, updated_at 2012_11_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT JS Browser Based Ransomware"; flow:established,from_server; file_data; content:"YOUR BROWSER HAS BEEN LOCKED.|5c|n|5c|nALL PC DATA WILL BE DETAINED"; reference:url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/; reference:url,www.f-secure.com/weblog/archives/00002577.html; classtype:trojan-activity; sid:2017165; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_07_19, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Ransomware, updated_at 2013_07_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Landing Page parseInt Javascript Replace"; flow:established,to_client; file_data; content:" = parseInt("; distance:0; content:".replace(|2F 5C 2E 7C 5C 5F 2F|g, ''))|3B|"; within:30; reference:url,ondailybasis.com/blog/?p=1610; classtype:exploit-kit; sid:2015882; rev:2; metadata:created_at 2012_11_14, former_category EXPLOIT_KIT, updated_at 2012_11_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP GET invalid method case"; flow:established,to_server; content:"get "; depth:4; nocase; content:!"GET "; depth:4; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011031; classtype:bad-unknown; sid:2011031; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritXPack Landing Page"; flow:established,to_client; file_data; content:"<applet"; content:"a.Test"; fast_pattern; classtype:exploit-kit; sid:2015884; rev:2; metadata:created_at 2012_11_14, former_category EXPLOIT_KIT, updated_at 2012_11_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP POST invalid method case"; flow:established,to_server; content:"post "; depth:5; nocase; content:!"POST "; depth:5; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011032; classtype:bad-unknown; sid:2011032; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CirtXPack - No Java URI - /a.Test"; flow:established,to_server; urilen:7; content:"/a.Test"; classtype:exploit-kit; sid:2015886; rev:2; metadata:created_at 2012_11_14, updated_at 2012_11_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP HEAD invalid method case"; flow:established,to_server; content:"head "; depth:5; nocase; content:!"HEAD "; depth:5; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011033; classtype:bad-unknown; sid:2011033; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Downloader Checkin Url Detected"; flow:established,to_server; content:"??IP|3a|"; depth:100; content:"??IP|3a|"; distance:0; content:"????|3a|"; distance:0; pcre:"/IP\:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/U"; reference:url,doc.emergingthreats.net/2008766; classtype:trojan-activity; sid:2008766; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Topic EK Requesting Jar"; flow:established,to_server; content:".php?exp="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; content:"Java/1."; http_user_agent; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:exploit-kit; sid:2016107; rev:6; metadata:created_at 2012_12_28, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mac Flashback Checkin 3"; flow:to_server,established; content:"GET"; http_method; content:"/search?q="; http_uri; content:"&ua="; http_uri; distance: 0; content:"==&al="; http_uri; distance: 0; content:"&cv="; http_uri; distance:0; classtype:command-and-control; sid:2014599; rev:5; metadata:created_at 2012_04_17, former_category MALWARE, updated_at 2012_04_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Class Request (2)"; flow:established,to_server; content:"/Runs.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016250; rev:8; metadata:created_at 2013_01_22, former_category EXPLOIT_KIT, updated_at 2013_01_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Image Viewer CP Gold Image2PDF Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"E589DA78-AD4C-4FC5-B6B9-9E47B110679E"; nocase; content:"|2e|Image2PDF"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*E589DA78-AD4C-4FC5-B6B9-9E47B110679E\s*}?\s*(.*)(\s|>)/si"; reference:url,www.exploit-db.com/exploits/15658/; classtype:attempted-user; sid:2012102; rev:4; metadata:created_at 2010_12_27, updated_at 2010_12_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to DtDNS Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:(?:b(?:bsindex|0ne)|chatnook|gotgeeks|3d-game|4irc)\.com|s(?:(?:cieron|uroot)\.com|lyip\.(?:com|net))|d(?:arktech\.org|eaftone\.com|tdns\.net)|e(?:towns\.(?:net|org)|ffers\.com)|flnet\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016584; rev:4; metadata:created_at 2013_03_15, former_category HUNTING, updated_at 2013_03_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Advanced File Vault Activex Heap Spray Attempt"; flow:established,to_client; file_data; content:"|2e|GetWebStoreURL"; content:"clsid"; nocase; content:"25982EAA-87CC-4747-BE09-9913CF7DD2F1"; nocase; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*25982EAA-87CC-4747-BE09-9913CF7DD2F1\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14580/; classtype:attempted-user; sid:2012147; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to cd.am Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; content:"cd.am"; http_header; nocase; pcre:"/^Host\x3a\x20[^\r\n]+\.cd\.am(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016595; rev:6; metadata:created_at 2013_03_20, former_category HUNTING, updated_at 2013_03_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX dBpowerAMP Audio Player 2 FileExists Method ActiveX Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"BECB8EE1-6BBB-4A85-8DFD-099B7A60903A"; nocase; distance:0; content:"|2e|Enque"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*BECB8EE1-6BBB-4A85-8DFD-099B7A60903A\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14586/; classtype:attempted-user; sid:2012148; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Watering Hole applet name AppletLow.jar"; flow:established,to_server; content:"/AppletLow.jar"; http_uri; content:"Java/1."; http_user_agent; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:exploit-kit; sid:2016640; rev:4; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX FathFTP 1.8 EnumFiles Method ActiveX Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; distance:0; content:"|2e|EnumFiles"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*62A989CE-D39A-11D5-86F0-B9C370762176\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14552/; classtype:attempted-user; sid:2012133; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/wmck.jpg"; nocase; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016735; rev:5; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole Landing to 8 chr folder plus index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:20<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U"; classtype:bad-unknown; sid:2014521; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/ckwm.jpg"; nocase; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016736; rev:5; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK - Landing Page - FlashExploit"; flow:established,to_client; file_data; content:"FlashExploit()"; classtype:exploit-kit; sid:2015890; rev:3; metadata:created_at 2012_11_16, former_category EXPLOIT_KIT, updated_at 2012_11_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Requsting Payload"; flow:established,to_server; content:"/FlashPlayer.cpl"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016828; rev:5; metadata:created_at 2013_05_07, updated_at 2013_05_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown FakeAV - /get/*.crp"; flow:established,to_server; content:"/get/"; http_uri; content:".crp"; http_uri; fast_pattern; classtype:trojan-activity; sid:2015894; rev:2; metadata:created_at 2012_11_20, updated_at 2012_11_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT HellSpawn EK Requesting Jar"; flow:established,to_server; content:"/j21.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016832; rev:7; metadata:created_at 2013_05_07, updated_at 2013_05_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - D.K - Title"; flow:established,to_client; file_data; content:"<title>"; content:" - D.K "; fast_pattern; distance:0; content:"</title>"; distance:0; classtype:bad-unknown; sid:2015917; rev:2; metadata:created_at 2012_11_21, updated_at 2012_11_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible HellSpawn EK Java Artifact May 24 2013"; flow:to_server,established; content:"/PoC.class"; http_uri; nocase; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016930; rev:4; metadata:created_at 2013_05_25, updated_at 2013_05_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header"; flow:established,to_client; file_data; content:"<span>Uname<br>User<br>Php<br>Hdd<br>Cwd</span>"; classtype:attempted-user; sid:2015918; rev:2; metadata:created_at 2012_11_21, updated_at 2012_11_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Jar 1 June 12 2013"; flow:established,to_server; content:"/6u27.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017016; rev:7; metadata:created_at 2013_06_13, updated_at 2013_06_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header w/colons"; flow:established,to_client; file_data; content:"<span>Uname|3a|<br>User|3a|<br>Php|3a|<br>Hdd|3a|<br>Cwd|3a|</span>"; classtype:attempted-user; sid:2015919; rev:3; metadata:created_at 2012_11_21, updated_at 2012_11_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Jar 2 June 12 2013"; flow:established,to_server; content:"/6u41.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017017; rev:6; metadata:created_at 2013_06_13, updated_at 2013_06_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Spam Campaign JPG CnC Link"; flow:established,to_client; file_data; content:"he1l0|3A|hxxp|3A|//"; distance:0; content:".jpg"; distance:0; reference:url,blog.fireeye.com/research/2012/11/more-phish.html; classtype:command-and-control; sid:2015921; rev:2; metadata:created_at 2012_11_21, former_category PHISHING, updated_at 2012_11_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Jar 3 June 12 2013"; flow:established,to_server; content:"/7u17.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017018; rev:6; metadata:created_at 2013_06_13, updated_at 2013_06_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument Uninitialized Memory Corruption CVE-2012-1889"; flow:to_client,established; file_data; content:"f6d90f11-9c73-11d3-b32e-00c04f990bb4"; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f6d90f11-9c73-11d3-b32e-00c04f990bb4/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2014938; rev:13; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Exploit Kit Hostile Jar cm2.jar"; flow:established,to_server; content:"/cm2.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017097; rev:4; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2013_07_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument.4-6.0 Uninitialized Memory Corruption CVE-2012-1889"; flow:to_client,established; file_data; content:"88d96"; nocase; content:"-f192-11d4-a65f-0040963251e5"; distance:3; within:28; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*88d96(9c(0|1)|9e(5|6)|a0(5|6))-f192-11d4-a65f-0040963251e5/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2015555; rev:18; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Sakura Jar Download SET"; flow:established,to_server; content:".php"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; flowbits:set,ET.Sakura.php.Java; flowbits:noalert; classtype:trojan-activity; sid:2016720; rev:5; metadata:created_at 2013_04_04, updated_at 2013_04_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.FreeThreadedDOMDocument Uninitialized Memory Corruption Attempt"; flow:to_client,established; content:"f6d90f12-9c73-11d3-b32e-00c04f990bb4"; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f6d90f12-9c73-11d3-b32e-00c04f990bb4/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,2012-1889; classtype:attempted-user; sid:2015557; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_07_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT DRIVEBY Rawin - Java Exploit -dubspace.jar"; flow:established,to_server; content:"/dubspace.jar"; http_uri; classtype:trojan-activity; sid:2017178; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole try eval prototype string splitting evasion Jul 24 2012"; flow:established,from_server; file_data; content:"try{eval(|22|p"; fast_pattern; content:"|3b|}catch("; within:30; classtype:trojan-activity; sid:2015525; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_25, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible CritXPack - Landing Page - jnlp_embedded"; flow:established,to_client; file_data; content:"jnlp_embedded|3a 22|PD94b"; classtype:exploit-kit; sid:2017182; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_24, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Unknown - self-kill"; flow:established,to_client; file_data; content:"<a href=|22|?x=selfremove|22|>[Self-Kill]</a>"; classtype:web-application-activity; sid:2015925; rev:2; metadata:created_at 2012_11_24, updated_at 2012_11_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing 07/22/13"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"applet"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017168; rev:4; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2013_07_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent - Possible Trojan Downloader (cv_v5.0.0)"; flow:established,to_server; content:"cv_v"; depth:4; http_user_agent; nocase; reference:url,doc.emergingthreats.net/2007926; classtype:trojan-activity; sid:2007926; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 1"; flow:established,to_client; file_data; content:"<!--0c0896-->"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017184; rev:2; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2013_07_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit Vulnerable Java Payload Request URI (1)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/33.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015930; rev:2; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2012_11_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 2"; flow:established,to_client; file_data; content:"#0c0896#"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017185; rev:2; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2013_07_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit vulnerable Java Payload Request to URI (2)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/41.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015931; rev:2; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2012_11_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 3"; flow:established,to_client; file_data; content:"/*0c0896*/"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017186; rev:2; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2013_07_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2 Landing Page (7)"; flow:to_server,established; content:"/news/enter/2012-1"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/news\/enter\/2012-1[0-2]-([0-2][0-9]|3[0-1])\.php/U"; classtype:trojan-activity; sid:2015932; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 1"; flow:established,to_client; file_data; content:"<!--0c0896-->"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017187; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET EXPLOIT_KIT Nuclear Exploit Kit HTTP Off-port Landing Page Request"; flow:established,to_server; urilen:35; content:"/t/"; depth:3; http_uri; pcre:"/\/t\/[a-f0-9]{32}$/U"; classtype:exploit-kit; sid:2015936; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_27, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 2"; flow:established,to_client; file_data; content:"#0c0896#"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017188; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Crimeboss - Java Exploit - Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"amor.class"; distance:0; classtype:exploit-kit; sid:2015943; rev:3; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 3"; flow:established,to_client; file_data; content:"/*0c0896*/"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017189; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Stats Access"; flow:established,to_server; content:".php?action=stats_access"; http_uri; classtype:exploit-kit; sid:2015944; rev:2; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - Payload Download Requested"; flow:established,to_server; content:"/getmyfile.exe"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016052; rev:4; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Stats Java On"; flow:established,to_server; content:".php?action=stats_javaon"; http_uri; classtype:exploit-kit; sid:2015945; rev:2; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Class Request (1)"; flow:established,to_server; content:"/Gobon.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016249; rev:8; metadata:created_at 2013_01_22, former_category EXPLOIT_KIT, updated_at 2013_01_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BegOp Exploit Kit Payload"; flow:established,from_server; content:"Content-Type|3a| image/"; http_header; fast_pattern:only; file_data; content:"M"; within:1; content:!"Z"; within:1; content:"Z"; distance:1; within:1; classtype:exploit-kit; sid:2015783; rev:5; metadata:created_at 2012_10_06, former_category EXPLOIT_KIT, updated_at 2017_09_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Java Exploit - jaxws.jar"; flow:established,to_server; content:"/jaxws.jar"; http_uri; content:"Java/"; http_user_agent; classtype:exploit-kit; sid:2016374; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Propack Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"propack/"; distance:0; classtype:exploit-kit; sid:2015949; rev:2; metadata:created_at 2012_11_28, updated_at 2012_11_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Java Exploit - jre.jar"; flow:established,to_server; content:"/jre.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016375; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Nginx Server with no version string - Often Hostile Traffic"; flow:established,from_server; content:"|0d 0a|Server|3a| nginx|0d 0a|"; nocase; threshold:type limit, seconds 60, count 3, track by_src; reference:url,doc.emergingthreats.net/2008064; classtype:bad-unknown; sid:2008064; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM EK - Java Exploit - fbyte.jar"; flow:established,to_server; content:"/fbyte.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016378; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PDF /FlateDecode and PDF version 1.0"; flow:established,from_server; file_data; content:"%PDF-1.0"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:trojan-activity; sid:2015954; rev:2; metadata:created_at 2012_11_29, updated_at 2012_11_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - jhan.jar"; flow:established,to_server; content:"/jhan.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016514; rev:4; metadata:created_at 2013_03_04, updated_at 2013_03_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT PDF /FlateDecode and PDF version 1.1 (seen in pamdql EK)"; flow:established,from_server; file_data; content:"%PDF-1.1"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:exploit-kit; sid:2015955; rev:2; metadata:created_at 2012_11_29, former_category CURRENT_EVENTS, updated_at 2012_11_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CrimeBoss - Java Exploit - m11.jar"; flow:established,to_server; content:"/m11.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016597; rev:5; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Serenity Exploit Kit Landing Page HTML Header"; flow:established,to_client; file_data; content:"<head><title>Loading... Please wait<|2F|title><meta name=|22|robots|22| content=|22|noindex|22|><|2F|head>"; distance:0; classtype:exploit-kit; sid:2015956; rev:2; metadata:created_at 2012_11_29, former_category EXPLOIT_KIT, updated_at 2012_11_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - jmx.jar"; flow:established,to_server; content:"/jmx.jar"; http_uri; content:"Java/1."; http_user_agent; content:!"hermesjms.com"; http_header; classtype:exploit-kit; sid:2016598; rev:5; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING PHISH Generic - Bank and Routing"; flow:established,to_server; content:"POST"; http_method; content:"bank"; http_client_body; nocase; content:"routing"; http_client_body; nocase; classtype:bad-unknown; sid:2015963; rev:3; metadata:created_at 2012_11_29, former_category INFO, updated_at 2012_11_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Java Exploit - cee.jar"; flow:established,to_server; content:"/cee.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016859; rev:4; metadata:created_at 2013_05_17, updated_at 2013_05_17;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DNS Query for Suspicious .com.ru Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|ru|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011407; rev:3; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2010_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JNLP embedded file"; flow:established,to_client; file_data; content:"jnlp"; content:"PD94bWwgdmVyc2lvbj0"; distance:0; classtype:bad-unknown; sid:2017197; rev:3; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DNS Query for Suspicious .com.cn Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|cn|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011408; rev:3; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2010_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sakura Jar Download"; flow:established,to_client; content:"Content-Type|3a| application/x-java-archive|0d 0a|"; http_header; content:"Sun, 28 Jul 2002 "; fast_pattern; classtype:exploit-kit; sid:2017200; rev:5; metadata:created_at 2013_07_26, former_category EXPLOIT_KIT, updated_at 2013_07_26;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DNS Query for Suspicious .co.kr Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|kr|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011411; rev:3; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2010_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 (Reversed)"; flow:established,to_client; file_data; content:"lRXYklGbhZ3X2N3cfRXZsBHch91X"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017201; rev:6; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus CnC Checkin POST to Config.php"; flow:established,to_server; content:"POST"; nocase; http_method; urilen:11; content:"/config.php"; http_uri; fast_pattern; content:"Accept|3A| */*"; http_header; content:"Content-Type|3A| application/x-www-form-urlencoded"; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B|"; http_header; reference:url,blog.fireeye.com/research/2012/04/zeus-takeover-leaves-undead-remains.html#more; classtype:command-and-control; sid:2014460; rev:5; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass (Reversed)"; flow:established,to_client; file_data; content:"detadilav_vss_telppa__"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017202; rev:3; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Zuponcic EK Payload Request"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"|29 20|Java/1"; http_header; content:"/"; http_uri; content:"i=2ZI"; fast_pattern; http_client_body; depth:5; classtype:exploit-kit; sid:2015970; rev:11; metadata:created_at 2012_11_30, updated_at 2012_11_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 2 (Reversed)"; flow:established,to_client; file_data; content:"0FGZpxWY29ldzN3X0VGbwBXYf9"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017203; rev:5; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Zuponcic EK Java Exploit Jar"; flow:established,from_server; file_data; content:"PK"; within:2; content:"FlashPlayer.class"; distance:0; content:".SF"; content:".RSA"; classtype:exploit-kit; sid:2015971; rev:9; metadata:created_at 2012_11_30, updated_at 2012_11_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 3 (Reversed)"; flow:established,to_client; file_data; content:"kVGdhRWasFmdfZ3cz9FdlxGcwF2Xf"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017204; rev:5; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PHISH Gateway POST to gateway-p"; flow:established,to_server; content:"POST"; http_method; content:"/gateway-p"; http_uri; classtype:bad-unknown; sid:2015973; rev:2; metadata:created_at 2012_11_30, updated_at 2012_11_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response Hex (Inbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[a-f0-9]{2})(?P<sep>[^0-9a-f])(?P<f>[a-f0-9]{2})(?P=sep)[a-f0-9]{2}(?P=sep)(?P<n>(?!(?P=f))[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017195; rev:3; metadata:created_at 2013_07_25, former_category CURRENT_EVENTS, updated_at 2013_07_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (4)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"hw.class"; content:"test.class"; classtype:trojan-activity; sid:2015759; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER c0896 Hacked Site Response Hex (Outbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[a-f0-9]{2})(?P<sep>[^0-9a-f])(?P<f>[a-f0-9]{2})(?P=sep)[a-f0-9]{2}(?P=sep)(?P<n>(?!(?P=f))[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017193; rev:3; metadata:created_at 2013_07_25, former_category CURRENT_EVENTS, updated_at 2013_07_25;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritXPack - Landing Page"; flow:established,from_server; file_data; content:"|7C|pdfver|7C|"; content:"|7C|applet|7C|"; classtype:exploit-kit; sid:2015979; rev:1; metadata:created_at 2012_12_04, former_category EXPLOIT_KIT, updated_at 2012_12_04;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response Octal (Outbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[0-7]{1,3})(?P<sep>[^0-9a-f])(?P<f>[0-7]{1,3})(?P=sep)[0-7]{1,3}(?P=sep)(?P<n>(?!(?P=f))[0-7]{1,3})(?P=sep)([0-7]{1,3}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[0-7]{1,3})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017192; rev:3; metadata:created_at 2013_07_25, updated_at 2013_07_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Corpsespyware.net Blind Data Upload"; flow:to_server,established; content:"/images/data.php?"; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002774; classtype:trojan-activity; sid:2002774; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response Octal (Inbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[0-7]{1,3})(?P<sep>[^0-9a-f])(?P<f>[0-7]{1,3})(?P=sep)[0-7]{1,3}(?P=sep)(?P<n>(?!(?P=f))[0-7]{1,3})(?P=sep)([0-7]{1,3}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[0-7]{1,3})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017194; rev:3; metadata:created_at 2013_07_25, former_category CURRENT_EVENTS, updated_at 2013_07_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING PHISH Bank - York - Creds Phished"; flow:established,to_server; content:"POST"; http_method; content:"/secured/private/login.php"; http_uri; classtype:social-engineering; sid:2015983; rev:2; metadata:created_at 2012_12_05, former_category CURRENT_EVENTS, updated_at 2017_06_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Neutrino Exploit Kit XOR decodeURIComponent"; flow:established,to_client; file_data; content:"xor(decodeURIComponent("; distance:0; classtype:exploit-kit; sid:2017071; rev:3; metadata:created_at 2013_06_27, former_category EXPLOIT_KIT, updated_at 2013_06_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL MySQL Remote FAST Account Password Cracking"; flow:to_server,established; content:"|11|"; offset:3; depth:4; threshold:type both,track by_src,count 100,seconds 1; reference:url,www.securityfocus.com/archive/1/524927/30/0/threaded; classtype:protocol-command-decode; sid:2015986; rev:5; metadata:created_at 2012_12_05, updated_at 2012_12_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdSave"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014737; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Stats Load Fail"; flow:established,to_server; content:"?action=stats_loadfail"; http_uri; classtype:exploit-kit; sid:2015988; rev:2; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GonDadEK Plugin Detect March 11 2013"; flow:to_client,established; file_data; content:"this.gondad = arrVersion"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016560; rev:10; metadata:created_at 2013_03_12, updated_at 2013_03_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit - Potential Java Exploit Requested - 3 digit jar"; flow:established,to_server; urilen:6<>9; content:".jar"; http_uri; pcre:"/^\/[0-9]{3}\.jar$/U"; classtype:exploit-kit; sid:2015989; rev:2; metadata:created_at 2012_12_06, former_category EXPLOIT_KIT, updated_at 2012_12_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdExport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014739; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET INFO MySQL Database Query Version OS compile"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"select |40 40|version_compile_os"; nocase; pcre:"/SELECT @@version_compile_os\s*?\x3b/i"; classtype:misc-activity; sid:2015994; rev:2; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdSave"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014738; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET 3389 -> any any (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn/Ack Outbound Flowbit Set"; flow:from_server; flags:SA; flowbits:isnotset,ms.rdp.synack; flowbits:set,ms.rdp.synack; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014385; rev:5; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdExport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014740; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Google Chrome Update/Install"; flow:established,to_server; content:"/chrome/google_chrome_"; http_uri; content:".exe"; http_uri; distance:0; pcre:"/\/chrome\/google_chrome_(update|installer)\.exe$/U"; reference:url,www.barracudanetworks.com/blogs/labsblog?bid=3108; reference:url,www.bluecoat.com/security-blog/2012-12-05/blackhole-kit-doesnt-chrome; classtype:trojan-activity; sid:2015997; rev:3; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdImport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014741; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Techique DUMP INTO executable)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"SELECT data FROM"; nocase; distance:0; content:"INTO DUMPFILE"; nocase; distance:0; content:"c|3a|/windows/system32/"; nocase; fast_pattern; content:".exe"; nocase; distance:0; pcre:"/SELECT data FROM [^\x20]+?\x20INTO DUMPFILE [\x27\x22]c\x3a\/windows\/system32\/[a-z0-9_-]+?\.exe[\x27\x22]/i"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015995; rev:4; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdImport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014742; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED probable malicious Glazunov Javascript injection"; flow:established,from_server; content:"|22|,|22|"; content:"|22|)|3b|</script></body>"; distance:64; within:83; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014753; rev:5; metadata:created_at 2012_05_17, updated_at 2012_05_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdOpen"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014743; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 1"; flow:established,to_client; content:"|0d 0a 0d 0a|PK"; content:"|2f|Gondvv.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015655; rev:5; metadata:created_at 2012_08_29, updated_at 2012_08_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdOpen"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014744; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 2"; flow:established,to_client; content:"|0d 0a 0d 0a|PK"; content:"|2f|Gondzz.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015656; rev:4; metadata:created_at 2012_08_29, updated_at 2012_08_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Chilkat Software FTP2 ActiveX Component GetFile Access Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"302124C4-30A0-484A-9C7A-B51D5BA5306B"; nocase; distance:0; content:".GetFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/97160/Chilkat-Software-FTP2-ActiveX-Code-Execution.html; classtype:attempted-user; sid:2014763; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Quarian HTTP Proxy Header"; flow:established,to_server; content:"Content_length|3A 20|"; http_header; content:"Proxy-Connetion|3A 20|"; http_header; reference:url,vrt-blog.snort.org/2012/12/quarian.html; classtype:trojan-activity; sid:2015999; rev:2; metadata:created_at 2012_12_08, updated_at 2012_12_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control ConnectDDNS Method Access Code Execution Vulnerability 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"17A7F731-C9EC-461C-B813-2F42A1BB58EB"; nocase; distance:0; content:"ConnectDDNS"; nocase; distance:0; reference:url,secunia.com/advisories/48965/; classtype:attempted-user; sid:2014877; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs)"; flow:established,to_client; file_data; content:"%PDF-1."; within:7; pcre:"/^[0-4][^0-9]/R"; content:"/XFA"; distance:0; fast_pattern; pcre:"/^[\r\n\s]*[\d\x5b]/R"; classtype:exploit-kit; sid:2016001; rev:5; metadata:created_at 2012_12_08, former_category CURRENT_EVENTS, updated_at 2012_12_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Chilkat Software FTP2 ActiveX Component GetFile Access Remote Code Execution 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"ChilkatFtp2.ChilkatFtp2.1"; nocase; distance:0; content:".GetFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/97160/Chilkat-Software-FTP2-ActiveX-Code-Execution.html; classtype:attempted-user; sid:2014764; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fake AV base64 affid initial Landing or owned Check-In, asset owned if /callback/ in URI"; flow:established,to_server; content:"/?"; http_uri; content:"=YWZmaWQ9"; http_uri; classtype:trojan-activity; sid:2015649; rev:3; metadata:created_at 2012_08_22, updated_at 2012_08_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control ConnectDDNS Method Access Code Execution Vulnerability"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"EEDBA32E-5C2D-48f1-A58E-0AAB0BC230E3"; nocase; distance:0; content:"ConnectDDNS"; nocase; distance:0; reference:url,secunia.com/advisories/48965/; classtype:attempted-user; sid:2014876; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Embedded Open Type Font file .eot seeing at Cool Exploit Kit"; flow:established,to_client; file_data; content:"|02 00 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40 00|D|00|e|00|x|00|t|00|e|00|r|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:exploit-kit; sid:2016018; rev:2; metadata:created_at 2012_12_12, former_category CURRENT_EVENTS, updated_at 2012_12_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denail of Service Attack"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"8F085BC0-363D-4219-95BA-DC8A5E06D295"; nocase; distance:0; content:"BlogThisLink"; nocase; distance:0; reference:url,1337day.com/exploits/17583; classtype:attempted-user; sid:2014765; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MALVERTISING FlashPost - Redirection IFRAME"; flow:established,to_client; file_data; content:"{|22|iframe|22 3a|true,|22|url|22|"; within:20; classtype:bad-unknown; sid:2016022; rev:2; metadata:created_at 2012_12_13, former_category CURRENT_EVENTS, updated_at 2012_12_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control BackupToAvi Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"208650B1-3CA1-4406-926D-45F2DBB9C299"; nocase; distance:0; content:"BackupToAvi"; nocase; distance:0; reference:url,secunia.com/advisories/48966/; classtype:attempted-user; sid:2014875; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit -Java Atomic Exploit Downloaded"; flow:established,to_client; file_data; content:"PK"; within:2; content:"msf|2f|x|2f|"; distance:0; classtype:bad-unknown; sid:2016028; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_12_13, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control BackupToAvi Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A"; nocase; distance:0; content:"BackupToAvi"; nocase; distance:0; reference:url,secunia.com/advisories/48966/; classtype:attempted-user; sid:2014874; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NVIDIA Install Application ActiveX Control AddPackages Unicode Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"A9C8F210-55EB-4849-8807-EC49C5389A79"; nocase; distance:0; content:".AddPackages"; nocase; distance:0; reference:url,packetstormsecurity.org/files/118648/NVIDIA-Install-Application-2.1002.85.551-Buffer-Overflow.html; classtype:attempted-user; sid:2016041; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_14, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denail of Service Attack 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"WindowsLiveWriterApplicationLib.WindowsLiveWriterApplication"; nocase; distance:0; content:"BlogThisLink"; nocase; distance:0; reference:url,1337day.com/exploits/17583; classtype:attempted-user; sid:2014766; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Downloader Checkin Pattern Used by Several Trojans"; flow:established,to_server; content:".php?"; http_uri; content:"uid="; http_uri; content:"&gid="; http_uri; content:"&cid="; http_uri; content:"&rid="; http_uri; content:"&sid="; http_uri; reference:url,doc.emergingthreats.net/2008143; classtype:trojan-activity; sid:2008143; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SonicWALL SSL-VPN End-Point Interrogator/Installer ActiveX Control Install3rdPartyComponent Method Buffer Overflow"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"Aventail.EPInstaller"; nocase; distance:0; content:"Install3rdPartyComponent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/95286/SonicWALL-SSL-VPN-End-Point-Interrogator-Installer-ActiveX-Control.html; classtype:attempted-user; sid:2014835; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2 Landing Page (3)"; flow:to_server,established; content:"/ngen/controlling/"; fast_pattern:only; http_uri; content:".php"; http_uri; classtype:trojan-activity; sid:2015797; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible LEADTOOLS ActiveX Raster Twain AppName Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"LTRASTERTWAINLib_U.LEADRasterTwain_U"; nocase; distance:0; content:".AppName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/93252/LEADTOOLS-ActiveX-Raster-Twain-16.5-Buffer-Overflow.html; classtype:attempted-user; sid:2014834; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.boCheMan-A/Dexter"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/gateway.php"; http_uri; content:"page="; depth:5; http_client_body; content:"&unm="; fast_pattern:only; http_client_body; content:"&cnm="; http_client_body; content:"&query="; http_client_body; reference:md5,ccc99c9f07e7be0f408ef3a68a9da298; classtype:trojan-activity; sid:2016019; rev:5; metadata:created_at 2012_10_06, updated_at 2012_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SkinCrafter ActiveX Control InitLicenKeys Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"B9D38E99-5F6E-4C51-8CFD-507804387AE9"; nocase; distance:0; content:"InitLicenKeys"; nocase; distance:0; reference:url,exploit-db.com/exploits/18892/; classtype:attempted-user; sid:2014806; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_25, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Prinimalka Get Task CnC Beacon"; flow:established,to_server; content:"/command?user_id="; fast_pattern; http_uri; content:"&version_id="; http_uri; content:"&crc="; http_uri; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:command-and-control; sid:2016047; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible LEADTOOLS ActiveX Raster Twain AppName Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"00165752-B1BA-11CE-ABC6-F5B2E79D9E3F"; nocase; distance:0; content:".AppName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/93252/LEADTOOLS-ActiveX-Raster-Twain-16.5-Buffer-Overflow.html; classtype:attempted-user; sid:2014833; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Prinimalka Configuration Update Request"; flow:established,to_server; content:"/options?user_id="; http_uri; content:"&version_id="; http_uri; content:"&crc="; http_uri; content:"&uptime="; http_uri; content:"&port="; http_uri; content:"&ip="; http_uri; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:trojan-activity; sid:2016048; rev:2; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Wireless Manager Sony VAIO ConnectToNetwork Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"92E7DDED-BBFE-4DDF-B717-074E3B602D1B"; nocase; distance:0; content:"ConnectToNetwork"; nocase; distance:0; reference:url,packetstormsecurity.org/files/113131/Wireless-Manager-Sony-VAIO-4.0.0.0-Buffer-Overflows.html; classtype:attempted-user; sid:2014832; rev:4; metadata:created_at 2012_06_01, updated_at 2012_06_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Prinimalka Prinimalka.py Script In CnC Beacon"; flow:established,to_server; content:"/prinimalka.py/"; http_uri; fast_pattern:only; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:command-and-control; sid:2016049; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Wireless Manager Sony VAIO SetTmpProfileOption Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"92E7DDED-BBFE-4DDF-B717-074E3B602D1B"; nocase; distance:0; content:"SetTmpProfileOption"; nocase; distance:0; reference:url,packetstormsecurity.org/files/113131/Wireless-Manager-Sony-VAIO-4.0.0.0-Buffer-Overflows.html; classtype:attempted-user; sid:2014831; rev:3; metadata:created_at 2012_06_01, updated_at 2012_06_01;)
 
-#alert http $EXTERNAL_NET any ->  $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - Payload Download Received"; flow:established,to_client; content:".exe.crypted"; http_header; fast_pattern; content:"attachment"; http_header; classtype:exploit-kit; sid:2016053; rev:2; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SkinCrafter ActiveX Control InitLicenKeys Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"SKINCRAFTERLib.SCSkin3"; nocase; distance:0; content:"InitLicenKeys"; nocase; distance:0; reference:url,exploit-db.com/exploits/18892/; classtype:attempted-user; sid:2014807; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_25, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - flsh.html"; flow:established,to_server; urilen:>80; content:"/flsh.html"; http_uri; classtype:exploit-kit; sid:2016056; rev:2; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Import_Times Method Access buffer overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"05D96F71-87C6-11d3-9BE4-00902742D6E0"; nocase; distance:0; content:"Import_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49285/; classtype:attempted-user; sid:2014809; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_25, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Daws/Sanny CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/write.php"; http_uri; fast_pattern; content:"Accept-Language|3A| ko-kr"; http_header; content:"db="; http_client_body; depth:3; content:"&ch="; distance:0; http_client_body; content:"&name="; distance:0; http_client_body; content:"&email="; http_client_body; distance:0; content:"&pw="; http_client_body; distance:0; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; classtype:command-and-control; sid:2016051; rev:5; metadata:created_at 2012_12_18, former_category MALWARE, updated_at 2012_12_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Attachment_Times Method Access buffer overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"05D96F71-87C6-11d3-9BE4-00902742D6E0"; nocase; distance:0; content:"Attachment_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49285/; classtype:attempted-user; sid:2014808; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_25, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - Server Response - Application Error"; flow:established,to_client; content:"X-Powered-By|3a| Application Error...."; http_header; classtype:exploit-kit; sid:2016054; rev:3; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Wscript Shell Run Attempt - Likely Hostile"; flow:established,to_server; content:"WScript.Shell"; nocase; content:".Run"; nocase; within:100; pcre:"/[\r\n\s]+(?P<var1>([a-z]([a-z0-9_])*|_+([a-z0-9])([a-z0-9_])*))[\r\n\s]*\x3d[\r\n\s]*CreateObject\(\s*[\x22\x27]Wscript\.Shell[\x27\x22]\s*\).+?(?P=var1)\.run/si"; classtype:attempted-user; sid:2017205; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Chapro.A Malicious Apache Module CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"c="; http_client_body; depth:2; content:"&version="; http_client_body; distance:0; content:"&uname="; fast_pattern; http_client_body; distance:0; reference:url,blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a; classtype:command-and-control; sid:2016062; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 1"; flow:established,from_server; file_data; content:"|22|e|22|+|22|val|22|"; classtype:trojan-activity; sid:2017206; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Kazy/Kryptor/Cycbot Trojan Checkin 3"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?pr="; fast_pattern; http_uri; content:!"Accept|3a|"; http_header; pcre:"/\.(jpg|png|gif|cgi)\?pr=/U"; classtype:trojan-activity; sid:2013866; rev:6; metadata:created_at 2011_11_08, updated_at 2011_11_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 2"; flow:established,from_server; file_data; content:"|22|ev|22|+|22|al|22|"; classtype:trojan-activity; sid:2017207; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SofosFO 20 Dec 12 - .jar file request"; flow:established,to_server; urilen:>44; content:".jar"; offset:38; http_uri; content:"Java/1."; http_user_agent; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.jar$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016071; rev:4; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 3"; flow:established,from_server; file_data; content:"|22|e|22|+|22|v|22|+|22|al|22|"; classtype:trojan-activity; sid:2017208; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SofosFO 20 Dec 12 - .pdf file request"; flow:established,to_server; urilen:>44; content:".pdf"; offset:38; http_uri; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.pdf$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016072; rev:3; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 4"; flow:established,from_server; file_data; content:"|22|e|22|+|22|v|22|+|22|a|22|+|22|l|22|"; classtype:trojan-activity; sid:2017209; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible HP ALM XGO.ocx ActiveX Control SetShapeNodeType method Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"C3B92104-B5A7-11D0-A37F-00A0248F0AF1"; nocase; distance:0; content:".SetShapeNodeType("; nocase; distance:0; reference:url,packetstormsecurity.org/files/116848/HP-ALM-Remote-Code-Execution.html; classtype:attempted-user; sid:2016084; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_21, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 5"; flow:established,from_server; file_data; content:"|22|ev|22|+|22|a|22|+|22|l|22|"; classtype:trojan-activity; sid:2017210; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Cyme ChartFX client server ActiveX Control ShowPropertiesDialog arbitrary code execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"E9DF30CA-4B30-4235-BF0C-7150F646606C"; nocase; distance:0; content:"ShowPropertiesDialog"; nocase; distance:0; reference:url,packetstormsecurity.org/files/117137/Cyme-ChartFX-Client-Server-Array-Indexing.html; classtype:attempted-user; sid:2016085; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_21, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 6"; flow:established,from_server; file_data; content:"|22|e|22|+|22|va|22|+|22|l|22|"; classtype:trojan-activity; sid:2017211; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Skill.gk User-Agent"; flow:established,to_server; content:"|3b 20 3b 20|"; http_user_agent; content:"MSIE"; http_user_agent;  classtype:trojan-activity; sid:2016074; rev:4; metadata:created_at 2012_12_21, updated_at 2020_08_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 1"; flow:established,from_server; file_data; content:"|27|e|27|+|27|val|27|"; classtype:trojan-activity; sid:2017212; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Medialoads.com Spyware Reporting (download.cgi)"; flow: to_server,established; content:"/dw/cgi/download.cgi?"; nocase; http_uri; content:"sn="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001508; classtype:trojan-activity; sid:2001508; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 2"; flow:established,from_server; file_data; content:"|27|ev|27|+|27|al|27|"; classtype:trojan-activity; sid:2017213; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Drupal Mass Injection Campaign Inbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016098; rev:2; metadata:created_at 2012_12_28, former_category CURRENT_EVENTS, updated_at 2012_12_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 3"; flow:established,from_server; file_data; content:"|27|eva|27|+|27|l|27|"; classtype:trojan-activity; sid:2017214; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Drupal Mass Injection Campaign Outbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016099; rev:2; metadata:created_at 2012_12_28, former_category CURRENT_EVENTS, updated_at 2012_12_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 4"; flow:established,from_server; file_data; content:"|27|e|27|+|27|v|27|+|27|al|27|"; classtype:trojan-activity; sid:2017215; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Page"; flow:established,from_server; file_data; content:"<applet"; content:"site.A.class"; within:300; classtype:exploit-kit; sid:2016106; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 5"; flow:established,from_server; file_data; content:"|27|e|27|+|27|v|27|+|27|a|27|+|27|l|27|"; classtype:trojan-activity; sid:2017216; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Download antivirus-installer.exe"; flow:to_server,established; content:"/antivirus-install.exe"; http_uri; classtype:trojan-activity; sid:2016110; rev:3; metadata:created_at 2012_12_29, updated_at 2012_12_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 7"; flow:established,from_server; file_data; content:"|27|e|27|+|27|va|27|+|27|l|27|"; classtype:trojan-activity; sid:2017218; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Advantech Studio ISSymbol ActiveX Control Multiple Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"3c9dff6f-5cb0-422e-9978-d6405d10718f"; nocase; distance:0; content:"InternationalSeparator"; nocase; distance:0; reference:url,securityfocus.com/bid/47596; classtype:attempted-user; sid:2016118; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 6"; flow:established,from_server; file_data; content:"|27|ev|27|+|27|a|27|+|27|l|27|"; classtype:trojan-activity; sid:2017217; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.FakeFlashPlayer Clientregister.php CnC Beacon"; flow:established,to_server; content:"/clientregister.php?type="; http_uri; content:"&uniqid="; http_uri; content:"&winver="; http_uri; content:"&compusername="; http_uri; content:"&compnetname="; http_uri; classtype:command-and-control; sid:2016124; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 7"; flow:established,from_server; file_data; content:"|22|eva|22|+|22|l|22|"; classtype:trojan-activity; sid:2017219; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.FakeFlashPlayer Bitensiteler CnC Beacon"; flow:established,to_server; content:".php?type="; http_uri; content:"&uniqid="; http_uri; content:"&langid="; http_uri; content:"&ver="; http_uri; content:"bitensiteler="; http_uri; classtype:command-and-control; sid:2016126; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 1"; flow:established,from_server; file_data; content:"|27|s|27|+|27|plit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017220; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.FakeFlashPlayer Kelimeid CnC Beacon"; flow:established,to_server; content:".php?type="; http_uri; content:"&kelimeid"; http_uri; content:"&gecenzaman="; http_uri; content:"&gezilensayfa="; http_uri; content:"&delcookies="; http_uri; classtype:command-and-control; sid:2016127; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 2"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|lit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017221; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; classtype:exploit-kit; sid:2016128; rev:2; metadata:created_at 2012_12_29, former_category CURRENT_EVENTS, updated_at 2012_12_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 3"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|lit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017222; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Escaped Unicode Char in Location CVE-2012-4792 EIP (Exploit Specific replace)"; flow:established,from_server; file_data; content:"jj2Ejj6Cjj6Fjj63jj61jj74jj69jj6Fjj6Ejj20jj3Djj20jj75jj6Ejj65jj73jj63jj61jj70jj65jj28jj22jj25jj75"; nocase; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016133; rev:3; metadata:created_at 2012_12_30, former_category CURRENT_EVENTS, updated_at 2012_12_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 4"; flow:established,from_server; file_data; content:"|27|spl|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017223; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Escaped Unicode Char in Location CVE-2012-4792 EIP % Hex Encode"; flow:established,from_server; file_data; content:"%2e%6c%6f%63%61%74%69%6f%6e%20%3d%20%75%6e%65%73%63%61%70%65%28%22%25%75"; nocase; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016134; rev:3; metadata:created_at 2012_12_30, former_category CURRENT_EVENTS, updated_at 2012_12_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 5"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|l|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017224; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PTUNNEL OUTBOUND"; itype:8; icode:0; content:"|D5 20 08 80|"; depth:4; reference:url,github.com/madeye/ptunnel; reference:url,cs.uit.no/~daniels/PingTunnel/#protocol; classtype:protocol-command-decode; sid:2016145; rev:2; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 6"; flow:established,from_server; file_data; content:"|27|s|27|+|27|pl|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017225; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PTUNNEL INBOUND"; itype:0; icode:0; content:"|D5 20 08 80|"; depth:4; reference:url,github.com/madeye/ptunnel; reference:url,cs.uit.no/~daniels/PingTunnel/#protocol; classtype:protocol-command-decode; sid:2016146; rev:3; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 7"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|l|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017226; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion Load method Stack-based Unicode Buffer Overload SEH"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"EEA36793-F574-4CC1-8690-60E3511CFEAA"; nocase; distance:0; content:".Load"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119022/Sony-PC-Companion-2.1-Load-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016160; rev:3; metadata:created_at 2013_01_05, updated_at 2013_01_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 8"; flow:established,from_server; file_data; content:"|27|spli|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017227; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion CheckCompatibility method Stack-based Unicode Buffer Overload"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"A70D160E-E925-4207-803B-A0D702BEDF46"; nocase; distance:0; content:".CheckCompatibility"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119023/Sony-PC-Companion-2.1-CheckCompatibility-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016161; rev:3; metadata:created_at 2013_01_05, updated_at 2013_01_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 9"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|l|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017228; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion Admin_RemoveDirectory Stack-based Unicode Buffer Overload SEH"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"BBB7AA7C-DCE4-4F85-AED3-72FE3BCA4141"; nocase; distance:0; content:".Admin_RemoveDirectory"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119024/Sony-PC-Companion-2.1-Admin_RemoveDirectory-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016162; rev:3; metadata:created_at 2013_01_05, updated_at 2013_01_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 10"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|li|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017229; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Microsoft - 199.2.137.0/24"; content:"|00 01 00 01|"; content:"|00 04 c7 02 89|"; distance:4; within:5; classtype:trojan-activity; sid:2016102; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 11"; flow:established,from_server; file_data; content:"|27|spl|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017230; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Microsoft - 207.46.90.0/24"; content:"|00 01 00 01|"; content:"|00 04 cf 2e 5a|"; distance:4; within:5; classtype:trojan-activity; sid:2016103; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 12"; flow:established,from_server; file_data; content:"|27|s|27|+|27|pli|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017231; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:"/cb.php?action="; http_uri; classtype:exploit-kit; sid:2016169; rev:3; metadata:created_at 2013_01_08, updated_at 2013_01_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 13"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|l|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017232; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - JSP RAT"; flow:established,to_client; file_data; content:"<table id=\"filetable\" class=\"filelist\" cellspacing=\"1px\" cellpadding=\"0px\">"; classtype:attempted-user; sid:2016151; rev:3; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 1"; flow:established,from_server; file_data; content:"|22|s|22|+|22|plit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017233; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - JSP File Admin"; flow:established,to_client; file_data; content:"<h2>(L)aunch external program</h2>"; classtype:attempted-user; sid:2016152; rev:4; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 2"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|lit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017234; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; pcre:"/\/[0-9]{3}\.jar/"; pcre:"/\/[0-9]{3}\.pdf/"; classtype:exploit-kit; sid:2016174; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 3"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|lit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017235; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 1"; content:"|30|"; depth:1; byte_test:1,!&,0x80,0,relative,big; content:"|02|"; distance:1; within:1; byte_test:1,!&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016178; rev:2; metadata:created_at 2013_01_09, updated_at 2013_01_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 4"; flow:established,from_server; file_data; content:"|22|spl|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017236; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 2"; content:"|30|"; depth:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|02|"; distance:-129; within:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; distance:-129; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016179; rev:2; metadata:created_at 2013_01_09, updated_at 2013_01_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 5"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|l|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017237; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 3"; content:"|30|"; depth:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|02|"; distance:-129; within:1; byte_test:1,!&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016180; rev:2; metadata:created_at 2013_01_09, former_category SNMP, updated_at 2017_08_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 6"; flow:established,from_server; file_data; content:"|22|s|22|+|22|pl|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017238; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 4"; content:"|30|"; depth:1; byte_test:1,!&,0x80,0,relative,big; content:"|02|"; distance:1; within:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; distance:-129; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016181; rev:2; metadata:created_at 2013_01_09, updated_at 2013_01_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 7"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|l|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017239; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT probable malicious Glazunov Javascript injection"; flow:established,from_server; file_data; content:"(|22|"; distance:0; content:"|22|))|3b|"; distance:52; within:106; content:")|3b|</script></body>"; within:200; fast_pattern; pcre:"/\(\x22[0-9\x3a\x3b\x3c\x3d\x3e\x3fa-k]{50,100}\x22\).{0,200}\)\x3b<\/script><\/body>/s"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015977; rev:7; metadata:created_at 2012_12_04, updated_at 2012_12_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 8"; flow:established,from_server; file_data; content:"|22|spli|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017240; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|000"; content:"height=|22|000"; classtype:exploit-kit; sid:2016190; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 9"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|l|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017241; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK - Landing Page Received"; flow:established,to_client; file_data; content:"<div id=|22|heap_allign|22|></div>"; classtype:exploit-kit; sid:2016191; rev:6; metadata:created_at 2013_01_12, former_category EXPLOIT_KIT, updated_at 2013_01_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 10"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|li|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017242; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Unknown - Please wait..."; flow:established,to_client; file_data; content:"<title>Please wait...</title>"; nocase; content:"<div id="; content:"></div><div id="; distance:5; within:16; classtype:exploit-kit; sid:2016192; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 11"; flow:established,from_server; file_data; content:"|22|spl|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017243; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Honeywell Tema Remote Installer ActiveX DownloadFromURL method Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"E01DF79C-BE0C-4999-9B13-B5F7B2306E9B"; nocase; distance:0; content:".DownloadFromURL"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119427/Honeywell-Tema-Remote-Installer-ActiveX-Remote-Code-Execution.html; classtype:attempted-user; sid:2016197; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 12"; flow:established,from_server; file_data; content:"|22|s|22|+|22|pli|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017244; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/?affid="; depth:8; http_uri; content:"&promo_type="; http_uri; content:"&promo_opt="; http_uri; pcre:"/^\/\?affid=\d+&promo_type=\d+&promo_opt=\d+$/U"; reference:md5,527e115876d0892c9a0ddfc96e852a16; classtype:trojan-activity; sid:2016075; rev:3; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 13"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|l|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017245; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DELETED DNS Reply Sinkhole - zeus.redheberg.com - 95.130.14.32"; content:"|00 01 00 01|"; content:"|00 04 5f 82 0e 20|"; distance:4; within:6; classtype:trojan-activity; sid:2016105; rev:3; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 4"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; flowbits:isset,ET.JS.Obfus.Func; classtype:trojan-activity; sid:2017246; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit CVE-2013-0422 Landing Page"; flow:established,from_server; file_data; content:"<title>Loading, Please Wait...</title>"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{8}\.jar/"; classtype:attempted-user; sid:2016227; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_17, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 4"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; flowbits:isset,ET.JS.Obfus.Func; classtype:trojan-activity; sid:2017247; rev:2; metadata:created_at 2013_07_30, former_category CURRENT_EVENTS, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability"; flow:to_client,established; file_data; content:"45E66957-2932-432A-A156-31503DF0A681"; nocase; distance:0; content:".LaunchTriPane("; nocase; distance:0; reference:url,packetstormsecurity.com/files/117293/KeyHelp-ActiveX-LaunchTriPane-Remote-Code-Execution.html; classtype:attempted-user; sid:2016236; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT PluginDetect plus Java version check"; flow:established,from_server; file_data; content:"PluginDetect"; pcre:"/if.{1,10}[<>]=?\s*(?P<quot>[\x22\x27])1(?P<sep>[^0-9a-zA-Z])7((?P=sep)\d+)?(?P=quot).{1,10}[<>]=?\s*(?P=quot)1(?P=sep)7((?P=sep)\d+)?(?P=quot)/s"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017248; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Samsung Kies ActiveX PrepareSync method Buffer overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"EA8A3985-F9DF-4652-A255-E4E7772AFCA8"; nocase; distance:0; content:".PrepareSync"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119423/Samsung-Kies-2.5.0.12114_1-Buffer-Overflow.html; classtype:attempted-user; sid:2016237; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded Applet (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|61|25|70|25|70|25|6c|25|65|25|74"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017249; rev:2; metadata:created_at 2013_07_30, updated_at 2016_10_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible JKDDOS download b.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/b.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012466; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded jnlp_embedded (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|6a|25|6e|25|6c|25|70|25|5f|25|65|25|6d|25|62|25|65|25|64|25|64|25|65|25|64"; flowbits:set,et.exploitkitlanding; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009172; classtype:exploit-kit; sid:2017250; rev:2; metadata:created_at 2013_07_30, cve CVE_1234_CVE_341, former_category EXPLOIT_KIT, updated_at 2020_08_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"KeyHelp.KeyScript"; nocase; distance:0; content:".LaunchTriPane("; nocase; distance:0; reference:url,packetstormsecurity.com/files/117293/KeyHelp-ActiveX-LaunchTriPane-Remote-Code-Execution.html; classtype:attempted-user; sid:2016235; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|61|25|70|25|70|25|6c|25|65|25|74|25|5f|25|73|25|73|25|76|25|5f|25|76|25|61|25|6c|25|69|25|64|25|61|25|74|25|65|25|64"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017251; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED pamdql/Sweet Orange delivering hostile XOR trojan payload from robots.php"; flow:established,to_server; content:"/robots.php?"; http_uri; classtype:exploit-kit; sid:2016092; rev:3; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded/base64 1 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|58|25|31|25|39|25|68|25|63|25|48|25|42|25|73|25|5a|25|58|25|52|25|66|25|63|25|33|25|4e|25|32|25|58|25|33|25|5a|25|68|25|62|25|47|25|6c|25|6b|25|59|25|58|25|52|25|6c"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017252; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Jan 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"Dyy"; within:300; content:"Ojj"; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016242; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded/base64 2 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|39|25|66|25|59|25|58|25|42|25|77|25|62|25|47|25|56|25|30|25|58|25|33|25|4e|25|7a|25|64|25|6c|25|39|25|32|25|59|25|57|25|78|25|70|25|5a|25|47|25|46|25|30"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017253; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Symlink_Sa"; flow:established,to_client; file_data; content:"<title>Symlink_Sa"; classtype:bad-unknown; sid:2016244; rev:2; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded/base64 3 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|66|25|58|25|32|25|46|25|77|25|63|25|47|25|78|25|6c|25|64|25|46|25|39|25|7a|25|63|25|33|25|5a|25|66|25|64|25|6d|25|46|25|73|25|61|25|57|25|52|25|68|25|64|25|47|25|56|25|6b"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017254; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT StyX Landing Page"; flow:established,from_server; file_data; content:"|22|pdfx.ht|5C|x6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016247; rev:6; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32/Mutopy.A Checkin"; flow:to_server,established; content:"/protocol.php?p="; fast_pattern:only; http_uri; content:"&d="; http_uri; pcre:"/&d=.{44}$/U"; reference:md5,2a0344bac492c65400eb944ac79ac3c3; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FMutopy.A&ThreatID=-2147312217; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/header-spoofing-hides-malware-communication/; classtype:command-and-control; sid:2016963; rev:5; metadata:created_at 2012_04_13, former_category MALWARE, updated_at 2012_04_13;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header"; flow:established,to_client; file_data; content:"<b>Software|3a|"; content:"<b>uname -a|3a|"; content:"<b>uid="; classtype:bad-unknown; sid:2016245; rev:3; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf/Styx EK - fnts.html"; flow:established,to_server; content:"/fnts.html"; http_uri; classtype:exploit-kit; sid:2016129; rev:4; metadata:created_at 2012_12_29, former_category EXPLOIT_KIT, updated_at 2012_12_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Red Dot Exploit Kit Binary Payload Request"; flow:established,to_server; content:"/load.php?guid="; http_uri; content:"&thread="; http_uri; content:"&exploit="; http_uri; content:"&version="; http_uri; content:"&rnd="; http_uri; reference:url,malware.dontneedcoffee.com/; classtype:exploit-kit; sid:2016255; rev:2; metadata:created_at 2013_01_24, former_category EXPLOIT_KIT, updated_at 2013_01_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT /Styx EK - /jlnp.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jlnp.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:exploit-kit; sid:2017100; rev:4; metadata:created_at 2013_07_05, updated_at 2013_07_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 1"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/start.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016257; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT /Styx EK - /jovf.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jovf.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:exploit-kit; sid:2017101; rev:3; metadata:created_at 2013_07_05, updated_at 2013_07_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 2"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/setup.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016258; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT /Styx EK - /jorg.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jorg.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:exploit-kit; sid:2017102; rev:3; metadata:created_at 2013_07_05, updated_at 2013_07_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 3"; flow:to_server,established; content:"GET"; http_method; urilen:11; content:"/search.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016259; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Landing Applet With Payload Aug 02 2013"; flow:established,to_client; file_data; content:"<applet"; content:" value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]http\x3a\/\/[^\/]+?\/\?[A-Za-z0-9]+=[A-Za-z0-9%]{60,}[\x22\x27]/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:exploit-kit; sid:2017270; rev:7; metadata:created_at 2013_08_03, former_category EXPLOIT_KIT, updated_at 2013_08_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 4"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/main.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016260; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Plugin-Detect with global % replace on unescaped string (Sakura)"; flow:established,to_client; file_data; content:"PluginDetect.getVersion"; fast_pattern; content:"unescape("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\x22\x27]\.replace\([\r\n\s]*?(?P<q1>[\x22\x27]?)\/.+?\/g[\r\n\s]*?,[\r\n\s]*?(?P<q2>[\x22\x27]?)%(?P=q2)[\r\n\s]*?\)/R"; classtype:exploit-kit; sid:2017271; rev:3; metadata:created_at 2013_08_03, updated_at 2013_08_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 5"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/login.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016261; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/StealRat.SpamBot CnC Server Configuration File Response"; flowbits:isset,et.stealrat.config; flow:established,to_client; file_data; content:"<repo"; distance:0; content:"<dudp>"; within:50; content:"<|2F|dudp>"; within:100; content:"<pudp>"; within:50; content:"<|2F|pudp>"; within:100; content:"<tbd>"; within:50; content:"<dom>"; within:50; content:"<|2F|dom>"; within:100; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf; classtype:command-and-control; sid:2017275; rev:2; metadata:created_at 2013_08_05, former_category MALWARE, updated_at 2013_08_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 6"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/main.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016262; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx iframe with obfuscated Java version check Jul 04 2013"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<h"; within:6; pcre:"/(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{12,16}(?P=space)[0-9a-z]{2}(?P=space)(?P<w>[0-9a-z]{2})(?P<i>[0-9a-z]{2})(?P<n>[0-9a-z]{2})[0-9a-z]{4}(?P=w)[0-9a-z]{10}(?P=i)(?P=n)[0-9a-z]{28}(?P=i)[0-9a-z]{2}(?P=n)[0-9a-z]{6}(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017114; rev:5; metadata:created_at 2013_07_05, updated_at 2013_07_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 7"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/welcome.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016263; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Microsoft Script Encoder Encoded File"; flow:established,from_server; file_data; content:"#@~^"; within:4; classtype:trojan-activity; sid:2017282; rev:3; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 8"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/file.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016264; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible CritX/SafePack/FlashPack Jar Download"; flow:established,from_server; content:"filename=j"; http_header; content:".jar"; distance:23; within:4; http_header; pcre:"/filename=j[a-f0-9]{23}\.jar/H"; classtype:exploit-kit; sid:2017296; rev:5; metadata:created_at 2013_08_08, former_category CURRENT_EVENTS, updated_at 2013_08_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 10"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/home.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016266; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin -TDS - POST w/Java Version"; flow:established,to_server; content:"POST"; http_method; content:"&v="; http_client_body; depth:3; pcre:"/^&v=(null|(\d+\.)+?\d+)\x3b\d+\x3b\x3b\d{3,5}x\d{3,5}\x3b/P"; classtype:trojan-activity; sid:2017300; rev:2; metadata:created_at 2013_08_08, updated_at 2013_08_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 11"; flow:to_server,established; content:"GET"; http_method; urilen:11; content:"/online.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016267; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Trojan Dropper purporting to be missing application - findloader"; flow:established,to_server; content:"/findloader"; http_uri; pcre:"/findloader[^\x2f\.\?]*?\.php\?[a-z]=[^&]+$/U"; classtype:trojan-activity; sid:2017302; rev:2; metadata:created_at 2013_08_08, updated_at 2013_08_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 12"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/install.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016268; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 0f2490 Hacked Site Response (Inbound)"; flow:established,from_server; file_data; content:"</script>"; content:"#/0f2490#"; fast_pattern; distance:0; classtype:trojan-activity; sid:2017306; rev:5; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"Confuser.class"; classtype:exploit-kit; sid:2016277; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_25, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS 0f2490 Hacked Site Response (Outbound)"; flow:established,from_server; file_data; content:"</script>"; content:"#/0f2490#"; fast_pattern; distance:0; classtype:trojan-activity; sid:2017307; rev:5; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"ConfusingClassLoader.class"; classtype:exploit-kit; sid:2016276; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_25, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible FortDisco Wordpress Brute-force Site list download 10+ wp-login.php"; flow:established,to_client; file_data; content:"/wp-login.php|0d 0a|"; nocase; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; reference:url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/; reference:md5,722a1809bd4fd75743083f3577e1e6a4; classtype:trojan-activity; sid:2017310; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_08_12, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Aloaha PDF Crypter activex SaveToFile method arbitrary file overwrite"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"B1E7505E-BBFD-42BF-98C9-602205A1504C"; nocase; distance:0; content:".SaveToFile"; nocase; distance:0; reference:url,exploit-db.com/exploits/24319/; classtype:attempted-user; sid:2016286; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_25, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.Win32.Agent.bay Covert Channel (VERSONEX and Mr.Black)"; content:"VERSONEX|3a|"; depth:64; fast_pattern; content:"Mr.Black"; within:50; classtype:trojan-activity; sid:2017315; rev:2; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RevProxy - ClickFraud - MIDUIDEND"; flow:established,to_server; dsize:46; content:"MID"; depth:3; content:"UID"; distance:32; within:3; content:"END"; distance:5; within:3; classtype:trojan-activity; sid:2016293; rev:2; metadata:created_at 2013_01_26, updated_at 2013_01_26;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE python shell spawn attempt"; flow:established,to_client; content:"pty|2e|spawn|2822|/bin/sh|2229|"; depth:64; classtype:trojan-activity; sid:2017317; rev:2; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fun Web Products Adware Agent Traffic"; flow: to_server,established; content:"FunWebProducts|3b|"; nocase; http_header; threshold: type limit, track by_src, count 2, seconds 360; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001034; classtype:policy-violation; sid:2001034; rev:23; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET 8300 (msg:"ET WEB_SERVER Novell GroupWise Messenger Accept Language Buffer Overflow"; flow:established,to_server; content:"Accept-Language"; nocase; pcre:"/^Accept-Language\:[^\n]*?[^,\;\n]{17}/mi"; reference:cve,2006-0992; reference:bugtraq,17503; reference:url,doc.emergingthreats.net/2002865; classtype:attempted-user; sid:2002865; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT JDB Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"Adobe Flash must be updated to view this"; content:"/lib/adobe.php?id="; distance:0; fast_pattern; pcre:"/^[a-f0-9]{32}/R"; classtype:exploit-kit; sid:2016307; rev:6; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2013_01_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole EK Non-standard base64 Key"; flow:established,from_server; file_data; content:"keyStr = |22|"; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017164; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 3"; content:"Portable SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Portable SDK for UPnP devices(\/?\s*$|\/1\.([0-5]\..|8\.0.|(6\.[0-9]|6\.1[0-7])))/m"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959; classtype:successful-recon-limited; sid:2016304; rev:2; metadata:created_at 2013_01_30, updated_at 2013_01_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sinowal/Mebroot/Torpig Client POST"; flow:to_server,established; content:"POST"; depth:4; http_method; content:"|0d 0a|Connection|3a| close|0d 0a 0d 0a a9 3a d4 31 4b 84|"; fast_pattern; reference:url,doc.emergingthreats.net/2008520; classtype:trojan-activity; sid:2008520; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 2"; content:"Intel SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Intel SDK for UPnP devices/mi"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959; classtype:successful-recon-limited; sid:2016303; rev:4; metadata:created_at 2013_01_30, updated_at 2013_01_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Sinowal/Torpig Phoning Home"; flow:established,to_server; content:"GET"; http_method; content:"/ld/"; http_uri; content:".php"; http_uri; content:"id="; http_uri; content:"&n="; http_uri; content:"&try="; http_uri; reference:url,doc.emergingthreats.net/2008580; classtype:trojan-activity; sid:2008580; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Linux/SSHDoor.A User Login CnC Beacon"; flow:established,to_server; content:"sid="; http_uri; content:"|3A|"; http_uri; content:"&uname="; http_uri; reference:url,blog.eset.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords; classtype:command-and-control; sid:2016315; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_01_30, deployment Perimeter, signature_severity Major, tag c2, updated_at 2013_01_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Kuluoz.B CnC"; flow:from_server,established; file_data; content:"c=run&u=/get/"; content:".exe"; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2015902; rev:7; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5963 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*uuid\x3a[^\r\n\x3a]{181}/Ri"; reference:cve,CVE-2012-5963; classtype:attempted-dos; sid:2016323; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Kuluoz.B CnC 2"; flow:from_server,established; file_data; content:"c=idl"; within:5; isdataat:!1,relative; reference:md5,a88ba0c2b30afba357ebb38df9898f9e; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2015903; rev:5; metadata:created_at 2012_09_25, former_category MALWARE, updated_at 2012_09_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?id Download Secondary Request"; flow:established,to_server; content:".php?id"; http_uri; pcre:"/^[^?#]+?\.php\?id[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014189; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS IRC - NICK and 3 Letter Country Code"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*[\[\|\{][A-Z]{3}[\]\|\}]/R"; classtype:bad-unknown; sid:2017319; rev:6; metadata:created_at 2013_08_13, former_category HUNTING, updated_at 2013_08_13;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 20192 (msg:"ET DELETED Ranky or variant backdoor communication ping"; dsize:<6; reference:url,www.sophos.com/virusinfo/analyses/trojranckcx.html; reference:url,www.iss.net/threats/W32.Trojan.Ranky.FV.html; classtype:trojan-activity; sid:2002728; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS IRC - NICK and Win"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*win/Ri"; classtype:bad-unknown; sid:2017322; rev:4; metadata:created_at 2013_08_13, former_category MALWARE, updated_at 2013_08_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura/RedKit obfuscated URL"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!<\/applet>).)+?\/.{1,12}\/.{1,12}\x3a.{1,12}p.{1,12}t.{1,12}t.{1,12}h/Rs"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015858; rev:3; metadata:created_at 2012_11_01, former_category EXPLOIT_KIT, updated_at 2012_11_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS IRC - NICK and -PC"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*-PC/Ri"; classtype:bad-unknown; sid:2017323; rev:4; metadata:created_at 2013_08_13, former_category MALWARE, updated_at 2013_08_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Landing Applet With Getmyfile.exe Payload"; flow:established,to_client; file_data; content:"<applet"; distance:0; content:"value="; distance:0; content:"/getmyfile.exe?o="; distance:0; nocase; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:exploit-kit; sid:2016353; rev:2; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2013_02_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK setSecurityManager hex August 14 2013"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"73657453656375726974794d616e6167657228"; nocase; reference:url,piratebrowser.com; classtype:exploit-kit; sid:2017328; rev:2; metadata:created_at 2013_08_15, former_category CURRENT_EVENTS, updated_at 2013_08_15;)
 
-#alert tcp $HOME_NET any -> 212.26.42.47 9090 (msg:"ET DELETED Possible ProFTPD Backdoor Initiate Attempt"; flow:to_server; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url,sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; classtype:trojan-activity; sid:2011992; rev:3; metadata:created_at 2010_12_02, updated_at 2010_12_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sibhost Zip as Applet Archive July 08 2013"; flow:established,from_server; file_data; content:"jquery.js"; content:"archive"; fast_pattern; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\.zip[\x22\x27]/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017166; rev:4; metadata:created_at 2013_07_23, updated_at 2013_07_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Variant"; flow:established,to_server; content:"GET"; http_method; content:"/search/"; http_uri; content:".php?i="; http_uri; distance:0; content:"1.0|0d 0a|User-Agent|3a| unknown|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2016345; rev:5; metadata:created_at 2013_02_05, former_category MOBILE_MALWARE, updated_at 2013_02_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQLi - SELECT and sysobject"; flow:established,to_server; content:"SELECT"; nocase; content:"sysobjects"; distance:0; nocase; classtype:attempted-admin; sid:2017330; rev:2; metadata:created_at 2013_08_15, updated_at 2013_08_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritXPack - Landing Page - Received"; flow:established,to_client; file_data; content:"js.pd.js"; content:"|7C|applet|7C|"; classtype:exploit-kit; sid:2016356; rev:2; metadata:created_at 2013_02_07, former_category EXPLOIT_KIT, updated_at 2013_02_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx EK - /jvvn.html"; flow:established,to_server; content:"/jvvn.html"; http_uri; classtype:exploit-kit; sid:2017333; rev:3; metadata:created_at 2013_08_15, former_category CURRENT_EVENTS, updated_at 2013_08_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack - URI - jpfoff.php"; flow:established,to_server; content:"/jpfoff.php?token="; http_uri; classtype:exploit-kit; sid:2016357; rev:2; metadata:created_at 2013_02_07, former_category EXPLOIT_KIT, updated_at 2013_02_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Reassigned Eval Function 1"; flow:established,from_server; file_data; content:"=(eval)|3b|"; classtype:bad-unknown; sid:2017334; rev:3; metadata:created_at 2013_08_15, former_category INFO, updated_at 2013_08_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - ClassID"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; classtype:misc-activity; sid:2016360; rev:2; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Reassigned Eval Function 2"; flow:established,from_server; file_data; content:"=[|22|eval|22|]|3b|"; classtype:bad-unknown; sid:2017335; rev:3; metadata:created_at 2013_08_15, former_category INFO, updated_at 2013_08_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - ClassID"; flow:established,to_client; file_data; content:"CAFEEFAC-00"; content:"-FFFF-ABCDEFFEDCBA"; distance:7; within:18; classtype:misc-activity; sid:2016361; rev:2; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Reassigned Eval Function 3"; flow:established,from_server; file_data; content:"=[|27|eval|27|]|3b|"; classtype:bad-unknown; sid:2017336; rev:3; metadata:created_at 2013_08_15, former_category INFO, updated_at 2013_08_15;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS CVE-2013-0230 Miniupnpd SoapAction MethodName Buffer Overflow"; flow:to_server,established; content:"POST "; depth:5; content:"|0d 0a|SOAPAction|3a|"; nocase; distance:0; pcre:"/^[^\r\n]+#[^\x22\r\n]{2049}/R"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0230; classtype:attempted-dos; sid:2016364; rev:1; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - net add PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"net"; within:200; content:"/add"; within:100; classtype:trojan-activity; sid:2017285; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
 
-alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Miniupnpd M-SEARCH Buffer Overflow CVE-2013-0229"; content:"M-SEARCH"; depth:8; isdataat:1492,relative; content:!"|0d 0a|"; distance:1490; within:2; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0229; classtype:attempted-dos; sid:2016363; rev:2; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - netsh - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"netsh"; within:50; classtype:trojan-activity; sid:2017286; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_MM EK - Landing Page"; flow:established,to_client; file_data; content:"<applet "; content:"new PDFObject"; classtype:exploit-kit; sid:2016373; rev:2; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - ipconfig - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"ipconfig"; within:100; classtype:trojan-activity; sid:2017287; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Payload Download"; flow:established,to_client; file_data; content:"PK"; within:2; content:"stealth.exe"; within:60; classtype:exploit-kit; sid:2016377; rev:2; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot -  reg - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"reg "; within:50; content:"HKEY_"; within:20; classtype:trojan-activity; sid:2017288; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Ecava IntegraXor save method Remote ActiveX Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"520F4CFD-61C6-4EED-8004-C26D514D3D19"; nocase; distance:0; content:".save"; nocase; distance:0; reference:url,1337day.org/exploit/15398; classtype:attempted-user; sid:2016382; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_02_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - The command completed successfully - PRIVMSG Response"; flow:established,from_client; content:"PRIVMSG "; content:"The command completed successfully."; distance:0; classtype:trojan-activity; sid:2017289; rev:4; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Adobe Flash Zero Day LadyBoyle Infection Campaign"; flow:established,to_client; file_data; content:"FWS"; distance:0; content:"LadyBoyle"; distance:0; reference:md5,3de314089db35af9baaeefc598f09b23; reference:md5,2568615875525003688839cb8950aeae; reference:url,blog.fireeye.com/research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html; reference:url,www.adobe.com/go/apsb13-04; reference:cve,2013-0633; reference:cve,2013-0633; classtype:trojan-activity; sid:2016391; rev:2; metadata:created_at 2013_02_08, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - net command output"; flow:established,from_client; content:"PRIVMSG "; fast_pattern; content:"-------------------------------------------------------------------------------"; distance:0; classtype:trojan-activity; sid:2017291; rev:5; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"value"; distance:0; pcre:"/^(\s*=\s*|[\x22\x27]\s*,\s*)[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:exploit-kit; sid:2016393; rev:3; metadata:created_at 2013_02_09, former_category EXPLOIT_KIT, updated_at 2013_02_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - ipconfig command output"; flow:established,from_client; content:"PRIVMSG "; content:"Windows IP"; within:200; classtype:trojan-activity; sid:2017292; rev:4; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File With Flash"; flow:to_client,established; content:"CONTROL ShockwaveFlash.ShockwaveFlash"; flowbits:isset,OLE.CompoundFile; flowbits:set,OLE.WithFlash; classtype:protocol-command-decode; sid:2016395; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_02_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - net localgroup - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"net localgroup"; within:200; classtype:trojan-activity; sid:2017284; rev:4; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Exploit Specific Uncompressed Flash CVE-2013-0634"; flow:established,to_client; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016396; rev:5; metadata:created_at 2013_02_09, former_category CURRENT_EVENTS, updated_at 2013_02_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - Directory Listing *nix"; flow:established,from_client; content:"PRIVMSG "; fast_pattern; content:"-rw-r--r--"; within:300; classtype:trojan-activity; sid:2017303; rev:5; metadata:created_at 2013_08_08, updated_at 2013_08_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Exploit Specific Uncompressed Flash Inside of OLE CVE-2013-0634"; flow:established,to_client; flowbits:isset,OLE.WithFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016397; rev:4; metadata:created_at 2013_02_09, former_category CURRENT_EVENTS, updated_at 2013_02_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - Directory Listing"; flow:established,from_client; content:"PRIVMSG "; content:"  <DIR>"; within:200; classtype:trojan-activity; sid:2017290; rev:3; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android/DNightmare - Task Killer Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/pagead/afma_load_ads.js"; nocase; http_uri; fast_pattern; content:"pagead2.googlesyndication.com"; http_header; reference:md5,745513a53af2befe3dc00d0341d80ca6; classtype:trojan-activity; sid:2016386; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - net user - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"net user"; within:200; classtype:trojan-activity; sid:2017283; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android/DNightmare -Task Killer Checkin 3"; flow:established,to_server; content:"GET"; http_method; content:"/m/gne/suggest?q="; nocase; http_uri; fast_pattern; content:"SID=DQAAAKQAAAAHga"; http_cookie; reference:md5,745513a53af2befe3dc00d0341d80ca6; classtype:trojan-activity; sid:2016387; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Optix Pro Trojan/Keylogger Reporting Installation via Email"; flow:established,to_server; content:"Optix Pro v"; content:"Installed Trojan Port|3a|"; distance:0; reference:url,en.wikipedia.org/wiki/Optix_Pro; classtype:trojan-activity; sid:2008212; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Office File With Embedded Executable"; flow:established,to_client; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012684; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_04_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkComet-RAT server join acknowledgement"; flow:to_server,established; dsize:12; content:"|39 34 41 35 41 44 30 41 45 46 36 39|"; flowbits:isset,ET.DarkCometJoin; reference:url,www.darkcomet-rat.com; reference:url,anubis.iseclab.org/?action=result&task_id=1a7326f61fef1ecb4ed4fbf3de3f3b8cb&format=txt; classtype:trojan-activity; sid:2013284; rev:3; metadata:created_at 2011_07_18, updated_at 2011_07_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible g01pack Jar download"; flow:established,from_server; flowbits:isset,ET.g01pack.Java.Image; file_data; content:"PK"; depth:2; content:".class"; fast_pattern:only; classtype:exploit-kit; sid:2016321; rev:3; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkComet-RAT Client Keepalive"; flow:to_server,established; dsize:12; content:"|39 34 41 35 41 44 30 41 45 46 36 39|"; flowbits:isset,ET.DarkCometJoin; reference:url,www.darkcomet-rat.com; classtype:trojan-activity; sid:2013285; rev:2; metadata:created_at 2011_07_18, updated_at 2011_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android/DNightmare - Task Killer Checkin 1"; flow:established,to_server; content:"GET"; http_method; content:"/pagead/ads?rsp="; nocase; http_uri; fast_pattern; content:"msid=com.droiddream.advancedtaskkiller1"; nocase; http_uri; classtype:trojan-activity; sid:2016385; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY exe download via HTTP - Informational"; flow:established,to_server; content:".exe"; http_uri; nocase; content:"GET"; http_method; nocase; pcre:"/\.exe\b/Ui"; reference:url,doc.emergingthreats.net/2003595; classtype:policy-violation; sid:2003595; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; flowbits:isset,HTTP.UncompressedFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0634; classtype:trojan-activity; sid:2016400; rev:3; metadata:created_at 2013_02_12, former_category CURRENT_EVENTS, updated_at 2013_02_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER SQLi - SELECT and Schema Columns"; flow:established,to_server; content:"SELECT"; nocase; content:"information_schema.columns"; distance:0; nocase; classtype:attempted-user; sid:2017337; rev:2; metadata:created_at 2013_08_19, updated_at 2013_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; flowbits:isset,OLE.WithFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0364; classtype:trojan-activity; sid:2016401; rev:3; metadata:created_at 2013_02_12, former_category CURRENT_EVENTS, updated_at 2013_02_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 u9090 NOP SLED"; file_data; flow:established,to_client; content:"|5c|u9090|5c|"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2017345; rev:4; metadata:created_at 2013_08_19, updated_at 2013_08_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK Payload - obfuscated binary base 0"; flow:established,to_client; file_data; content:"|af 9e b6 98 09 fc ee d0|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016403; rev:2; metadata:created_at 2013_02_12, former_category EXPLOIT_KIT, updated_at 2013_02_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.APT.9002 CnC Traffic"; flow:to_server,established; dsize:24; content:"|0c 00 00 00 08 00 00 00 19 ff ff ff ff 00 00 00 00 11 00 00|"; offset:4; depth:20; reference:md5,81687637b7bf2b90258a5006683e781c; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/08/the-sunshop-campaign-continues.html; classtype:targeted-activity; sid:2016398; rev:8; metadata:created_at 2012_06_28, former_category MALWARE, updated_at 2012_06_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO MPEG Download Over HTTP (1)"; flow:established,to_client; file_data; content:"|00 00 01 ba|"; depth:4; flowbits:set,ET.mpeg.HTTP; flowbits:noalert; classtype:not-suspicious; sid:2016404; rev:3; metadata:created_at 2013_02_12, updated_at 2013_02_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Iframe For IP Address Site"; flow:established,to_client; file_data; content:"iframe src=|22|http|3A|//"; nocase; distance:0; pcre:"/^\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}[^\r\n]*\x3C\x2Fiframe\x3E/Ri"; classtype:bad-unknown; sid:2017342; rev:3; metadata:created_at 2013_08_19, updated_at 2013_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"SunJCE.class"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016407; rev:3; metadata:created_at 2013_02_13, updated_at 2013_02_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible g01pack Exploit Pack Malicious JAR File Request"; flow:established,to_server; content:".jar"; http_uri; fast_pattern; content:"User-Agent|3a|"; nocase; http_header; content:"Java/"; within:200; http_header; pcre:"/\/[0-9a-f]{32}\.jar$/U"; reference:url,blog.tllod.com/2010/11/03/statistics-dont-lie-or-do-they/; reference:url,community.websense.com/blogs/securitylabs/archive/2011/04/19/Mass-Injections-Leading-to-g01pack-Exploit-Kit.aspx; classtype:exploit-kit; sid:2012807; rev:4; metadata:created_at 2011_05_15, updated_at 2011_05_15;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - sinkhole.cert.pl 148.81.111.111"; content:"|00 01 00 01|"; content:"|00 04 94 51 6f 6f|"; distance:4; within:6; classtype:trojan-activity; sid:2016413; rev:4; metadata:created_at 2013_02_15, updated_at 2013_02_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit/Other - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; nocase; content:"value"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?[a-f0-9]{100}/R"; classtype:attempted-user; sid:2015668; rev:6; metadata:created_at 2012_08_29, former_category CURRENT_EVENTS, updated_at 2012_08_29;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Skype VOIP Reporting Install"; flow: to_server,established; content:"/ui/"; nocase; http_uri; content:"/installed"; http_uri; nocase; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2001596; classtype:policy-violation; sid:2001596; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPCIOUS Non-standard base64 charset used for encoding"; flow:established,from_server; file_data; content:" & 15) << 4)"; fast_pattern; content:"(|22|"; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2017364; rev:7; metadata:created_at 2013_08_21, updated_at 2013_08_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Featured-Results.com Agent Reporting Data"; flow: to_server,established; content:"action=any"; nocase; http_uri; content:"country="; nocase; http_uri; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/.*perl\/fr\.pl/i"; reference:url,www.featured-results.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001293; classtype:trojan-activity; sid:2001293; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User Agent (iexplorer)"; flow:to_server,established; content:"User-Agent|3a 20|iexplorer|0d 0a|"; http_header; classtype:trojan-activity; sid:2016140; rev:5; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Georgia Tech (2)"; content:"|00 01 00 01|"; content:"|00 04 32 3e 0c 67|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016423; rev:6; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.admin@388 Keepalive to CnC"; flow:established,to_server; content:"|b0 f6 8f d3 1c 2b 0e 50 7e 16 85 de 0c ae 6e 67|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017350; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Georgia Tech (1)"; content:"|00 01 00 01|"; content:"|00 04 c6 3d e3 06|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016422; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.th3bug Keepalive to CnC"; flow:established,to_server; content:"|35 d1 50 14 94 b2 24 ac 9b 00 2e f1 99 a0 82 4d|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017351; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 1and1 Internet AG"; content:"|00 01 00 01|"; content:"|00 04 52 a5 19 d2|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016421; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.keaidestone Keepalive to CnC"; flow:established,to_server; content:"|82 ca 6f eb 66 ed 9e 86 dc 95 29 f0 68 a2 5d b8|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017352; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - German Company"; content:"|00 01 00 01|"; content:"|00 04 52 a5 19 a7|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016420; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.suzuki Keepalive to CnC"; flow:established,to_server; content:"|d4 77 eb ff b6 94 cc d1 25 b6 30 12 23 d7 2e 24|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017353; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Zinkhole.org"; content:"|00 01 00 01|"; content:"|00 04 b0 1f 3e 4c|"; distance:4; within:6; classtype:trojan-activity; sid:2016419; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.happyyongzi Keepalive to CnC"; flow:established,to_server; content:"|ad 4a 6c bb a7 9c 30 3e 44 bc cf a5 db 77 3c 62|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017354; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Dr. Web"; content:"|00 01 00 01|"; content:"|00 04 5b e9 f4 6a|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016418; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.key@123 Keepalive to CnC"; flow:established,to_server; content:"|ef 80 7b ec 93 e6 92 06 17 12 27 be e3 e2 e1 19|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017355; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK landing applet plus class Feb 18 2013"; flow:established,to_client; file_data; content:"<applet"; content:"code=|22|hw|22|"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016426; rev:3; metadata:created_at 2013_02_19, former_category EXPLOIT_KIT, updated_at 2013_02_19;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.gwx@123 Keepalive to CnC"; flow:established,to_server; content:"|6c 6e d3 08 a6 26 34 c7 bf c6 d3 d9 df 04 25 97|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017356; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET DELETED NPRC Malicious POST Request Possible DOJ or DOT Malware"; flow:to_server; content:"POST"; nocase; http_method; content:"POST|2C|"; fast_pattern; nocase; depth:100; content:"ACCEPT|3A|"; nocase; within:300; reference:url,www.websense.com/securitylabs/alerts/alert.php?AlertID=835; reference:url,doc.emergingthreats.net/2007748; classtype:trojan-activity; sid:2007748; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.wwwst@Admin Keepalive to CnC"; flow:established,to_server; content:"|b4 7d 56 44 f3 23 e2 a2 1d 74 18 b6 bc 72 66 2a|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017357; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.Likseput.B Checkin 2"; flow:from_server,established; file_data; content:"|3c 21 2d 2d 0d 0a 3c|img border="; nocase; content:"|2f 23|KX8|2E|"; distance:5; within:64; fast_pattern; pcre:"/^\x3c\x21\x2d\x2d\x0d\x0a\x3cimg\x20border=\d+\x20src=\x22\S+\x2f\x23KX8\x2e/mi"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fLikseput.B; classtype:command-and-control; sid:2016428; rev:7; metadata:created_at 2011_03_08, former_category MALWARE, updated_at 2011_03_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.xiaoxiaohuli Keepalive to CnC"; flow:established,to_server; content:"|4e c3 69 55 10 ad 3f 34 31 cc d1 73 30 ae 16 64|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017358; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-TABLE Checkin Response - Embedded CnC APT1 Related"; flow:established,from_server; flowbits:isset,ET.webc2; file_data; content:"<!---<table<b"; reference:url,www.mandiant.com/apt1; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; classtype:targeted-activity; sid:2016438; rev:2; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.smallfish Keepalive to CnC"; flow:established,to_server; content:"|19 07 1b 24 3b 7a 9d e7 77 1e 84 f6 0f 60 3e 27|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017359; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SEASALT Client Checkin"; flow:established,to_server; dsize:7; content:"fxftest"; depth:7; reference:md5,5e0df5b28a349d46ac8cc7d9e5e61a96; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016441; rev:2; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.XGstone Keepalive to CnC"; flow:established,to_server; content:"|ed d2 c6 f2 b9 ca 1e df 5c ba b7 0c 59 8e 9c 49|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017360; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SEASALT Server Response"; flow:established,from_server; dsize:7; content:"fxftest"; depth:7; reference:md5,5e0df5b28a349d46ac8cc7d9e5e61a96; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016442; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PoisonIvy.fishplay Keepalive to CnC"; flow:established,to_server; content:"|77 1b 13 19 a2 d1 8d a1 b5 05 8f fa 3f aa c0 8a|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017361; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE STARSYPOUND Client Checkin"; flow:established,to_server; content:"*(SY)# "; depth:7; reference:md5,8442ae37b91f279a9f06de4c60b286a3; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016443; rev:2; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH"; http_method; content:"/"; http_uri; urilen:1; content:" HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2102091; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-ADSPACE Server Response"; flow:established,from_server; file_data; content:"<!---HEADER ADSPACE style=|22|"; content:"|5c|text $-->"; distance:0; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016448; rev:2; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mashigoom/Tranwos/RevProxy ClickFraud - hello"; flow:established,to_server; threshold:type both,track by_src,seconds 60,count 1; dsize:<150; content:"hello/"; depth:6; content:"/"; within:3; distance:2; content:"/"; pcre:"/^hello\/[0-9]\.[0-9]\/[0-9]{3}/"; classtype:trojan-activity; sid:2016292; rev:6; metadata:created_at 2013_01_26, updated_at 2013_01_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-AUSOV Checkin Response - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"|3c|!-- DOCHTMLAuthor"; pcre:"/^\d+\s*-->/R"; reference:url,www.mandiant.com/apt1; reference:md5,0cf9e999c574ec89595263446978dc9f; reference:md5,0cf9e999c574ec89595263446978dc9f; classtype:targeted-activity; sid:2016449; rev:3; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AutoIT C&C Check-In 2013-08-23 URL"; flow:established,to_server; content:"GET"; http_method; content:"/panel/panel.bin"; http_uri; reference:url,malwr.com/analysis/MWM3NDA2NTdhM2U4NGE0NjgwY2IzN2Y3ZDk4ZTcyMmM/; classtype:trojan-activity; sid:2017370; rev:2; metadata:created_at 2013_08_23, updated_at 2013_08_23;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE STARSYPOUND Client Checkin"; flow:established,from_server; content:"*(SY)# "; depth:7; reference:md5,8442ae37b91f279a9f06de4c60b286a3; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016444; rev:3; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Browseraid.com Agent Updating"; flow: to_server,established; content:"/perl/uptodate.pl"; nocase; http_uri; content:"uptodate.browseraid.com"; nocase; http_header; reference:url,www.browseraid.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001304; classtype:trojan-activity; sid:2001304; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible WEBC2-GREENCAT Response - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"<!--|0d 0a|<img border="; pcre:"/^[0-4]\s*src=\x22[^\x22]+\x22\swidth=\d+\sheight=\d+>\r\n-->/R"; reference:url,www.mandiant.com/apt1; reference:md5,b5e9ce72771217680efaeecfafe3da3f; classtype:targeted-activity; sid:2016455; rev:3; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CookieBomb Generic JavaScript Format"; flow:from_server,established; file_data; content:"/*/"; fast_pattern; pcre:"/^[a-f0-9]{6}\*\//R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017373; rev:6; metadata:created_at 2013_08_26, former_category CURRENT_EVENTS, updated_at 2013_08_26;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-KT3 Intial Connection Beacon APT1 Related"; flow:established,to_server; dsize:<11; content:"*!Kt3+v|7c|"; depth:8; flowbits:set,ET.WEBC2KT3; reference:url,www.mandiant.com/apt1; reference:md5,ec3a2197ca6b63ee1454d99a6ae145ab; classtype:targeted-activity; sid:2016456; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CookieBomb Generic PHP Format"; flow:from_server,established; file_data; content:"echo "; fast_pattern; content:"#/"; distance:0; pcre:"/^[a-f0-9]{6}#/R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017374; rev:6; metadata:created_at 2013_08_26, former_category CURRENT_EVENTS, updated_at 2013_08_26;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-KT3 Intial Connection Beacon Server Response APT1 Related"; flow:established,from_server; dsize:<11; content:"*!Kt3+v|7c|"; depth:8; flowbits:isset,ET.WEBC2KT3; reference:url,www.mandiant.com/apt1; reference:md5,ec3a2197ca6b63ee1454d99a6ae145ab; classtype:targeted-activity; sid:2016457; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CookieBomb Generic HTML Format"; flow:from_server,established; file_data; content:"<!--/"; fast_pattern; pcre:"/^[a-f0-9]{6}\-\-\>/R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017375; rev:6; metadata:created_at 2013_08_26, former_category CURRENT_EVENTS, updated_at 2013_08_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-UGX Embedded CnC Response APT1"; flow:established,from_server; flowbits:isset,ET.webc2ugx; file_data; content:"<!-- dW"; within:20; reference:md5,ae45648a8fc01b71214482d35cf8da54; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016472; rev:2; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool get command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgwKH08DHh4bVURA"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017378; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Gimemo Ransomware Checkin"; flow:established,to_client; file_data; content:"/gate.php?computername="; nocase; classtype:command-and-control; sid:2016496; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2013_02_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool long command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgcABQhLAh4fH1FA"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017379; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT StyX Landing Page (2)"; flow:established,from_server; file_data; content:"|22|pdf|5c|78.ht|5c|6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016497; rev:7; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool smart command received key=okokokjjk"; flow:established,from_server; file_data; content:"QhgCCh0fSgIfGxtV"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017380; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Nicepack EK Landing (Anti-VM)"; flow:established,to_client; file_data; content:"if(document.body.onclick!=null)"; content:"if(document.styleSheets.length!=0)"; classtype:exploit-kit; sid:2016500; rev:8; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool post1 command received key=okokokjjk"; flow:established,from_server; file_data; content:"QhsAGBtaSgIfGxtV"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017381; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - zecmd - Form"; flow:established,to_client; file_data; content:"<FORM METHOD=|22|GET|22| NAME=|22|comments|22| ACTION=|22 22|>"; classtype:attempted-user; sid:2016501; rev:2; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool post2 command received key=okokokjjk"; flow:established,from_server; file_data; content:"QhsAGBtZSgIfGxtV"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017382; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java Serialized Data via vulnerable client"; flow:established,from_server; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"|ac ed|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016502; rev:2; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool byte command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgkWHwpL"; within:8; pcre:"/^[A-Za-z0-9\/\+]+={0,2}$/R"; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017383; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java Serialized Data"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|ac ed|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016503; rev:2; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool byte command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgIMBh9L"; within:8; pcre:"/^[A-Za-z0-9\/\+]+={0,2}$/R"; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017384; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO file possibly containing Serialized Data file"; flow:to_client,established; file_data; content:"PK"; within:2; content:".serPK"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2016505; rev:2; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Aug 27 2013"; flow:established,from_server; file_data; content:"base_decode("; nocase; fast_pattern:only; content:"decodeHex("; nocase; content:"<applet"; nocase; classtype:exploit-kit; sid:2017387; rev:5; metadata:created_at 2013_08_28, former_category CURRENT_EVENTS, updated_at 2013_08_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible g01pack Landing Page"; flow:established,to_client; file_data; content:"<applet"; nocase; content:"archive"; nocase; distance:0; pcre:"/^[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])((?!(?P=q)).)+?\.(gif|jpe?g|p(ng|sd))(?P=q)/Rsi"; classtype:exploit-kit; sid:2016333; rev:4; metadata:created_at 2013_02_01, former_category EXPLOIT_KIT, updated_at 2013_02_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Sweet Orange Payload Download Aug 28 2013"; flow:established,to_server; content:"=java.util.Random@"; http_uri; fast_pattern:only; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017388; rev:3; metadata:created_at 2013_08_28, former_category CURRENT_EVENTS, updated_at 2013_08_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Corpsespyware.net BlackListed Malicious Domain - google.vc"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"google.vc"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002765; classtype:trojan-activity; sid:2002765; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - ASPyder - File Browser - Interface"; flow:established,to_client; file_data; content:"document.myform.txtpath.value"; classtype:trojan-activity; sid:2017390; rev:3; metadata:created_at 2013_08_28, updated_at 2013_08_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Serialized Java Applet (Used by some EKs in the Wild)"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"object"; distance:0; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*[\x22\x27][^\x22\x27]+\.ser[\x22\x27]/Ri"; classtype:exploit-kit; sid:2016494; rev:5; metadata:created_at 2013_02_25, former_category INFO, updated_at 2013_02_25;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - ASPyder - Auth Prompt"; flow:established,to_client; file_data; content:"<INPUT type=password name=code >"; classtype:trojan-activity; sid:2017391; rev:2; metadata:created_at 2013_08_28, updated_at 2013_08_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vaccine-program.co.kr Related Spyware Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/version/controllerVersion"; fast_pattern; nocase; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007995; classtype:pup-activity; sid:2007995; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - ASPyder - File Upload - Response"; flow:established,to_client; file_data; content:"<title>ASPYDrvsInfo</title>"; classtype:trojan-activity; sid:2017394; rev:2; metadata:created_at 2013_08_28, updated_at 2013_08_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Stabuniq Observed C&C POST Target /rss.php"; flow:to_server,established; content:"POST"; http_method; content:"/rss.php"; http_uri; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2; reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html; classtype:trojan-activity; sid:2016131; rev:3; metadata:created_at 2012_12_29, updated_at 2012_12_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Bot Nick in IRC ([country|so version|CPU])"; flow:established,to_server; content:"NICK {"; content:"x86"; within:12; content:"}"; distance:0; pcre:"/NICK {[a-z]{2,3}\x2D.+?x86[a-z]}[a-z]/i"; flowbits:set,ET.IRC.BOT.CntSOCPU; classtype:trojan-activity; sid:2017395; rev:3; metadata:created_at 2013_08_28, updated_at 2013_08_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Stabuniq CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/rssnews.php"; http_uri; content:!"User-Agent|3A|"; http_header; content:"id="; http_client_body; depth:3; content:"&varname="; distance:0; http_client_body; content:"&comp="; distance:0; http_client_body; content:"&src="; distance:0; http_client_body; reference:url,contagiodump.blogspot.co.uk/2012/12/dec-2012-trojanstabuniq-samples.html; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; classtype:command-and-control; sid:2016096; rev:4; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Apple CoreText Exploit Specific string"; flow:established,from_server; file_data; content:"|D8 B3 D9 85 D9 8E D9 80 D9 8E D9 91 D9 88 D9 8F D9 88 D9 8F D8 AD D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 D8 A7 D9 85 D8 A7 D8 B1 D8 AA D9 8A D8 AE 20 CC B7 CC B4 CC 90 D8 AE|"; reference:url,techcrunch.com/2013/08/29/bug-in-apples-coretext-allows-specific-string-of-characters-to-crash-ios-6-os-x-10-8-apps/; classtype:bad-unknown; sid:2017397; rev:2; metadata:created_at 2013_08_30, updated_at 2013_08_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download"; flowbits:isset,min.gethttp; flow:established,to_client; file_data; content:"MZ"; within:2; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:2016538; rev:3; metadata:created_at 2013_03_06, updated_at 2013_03_06;)
+alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Connection Request"; dsize:35; content:"|e4 21|"; depth:2; threshold: type limit, count 1, seconds 300, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009967; classtype:policy-violation; sid:2009967; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Ponik.Downloader Randomware Download"; flow:established,to_server; urilen:>60; content:"-.php"; fast_pattern; http_uri; content:"User-Agent|3A| Mozilla/5.0 (Windows NT  6.1|3B| WOW64) AppletWebKit/537.11 (KHTML, like Gecko)  Chrome/23.0.1271.97 Safari/537.11|0D 0A|"; http_header; pcre:"/\x2F[a-z\x2D]{60,120}.+\x2D\x2Ephp$/U"; reference:url,www.symantec.com/connect/blogs/fake-adobe-flash-update-installs-ransomware-performs-click-fraud; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-110915-5758-99; classtype:trojan-activity; sid:2016548; rev:3; metadata:created_at 2013_03_07, updated_at 2013_03_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet July 08 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?(?P<dot>[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<p>(?!(?P=dot))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<h>(?!((?P=p)|(?P=dot)))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P=p).+?value[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?(?P=dot)([^a-f0-9]{2}){1,20}(?P<e>[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<x>(?!(?P=e))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P=e)(([^a-f0-9]{2}){1,20})?[\x22\x27]/Rs"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017115; rev:8; metadata:created_at 2013_07_09, former_category EXPLOIT_KIT, updated_at 2013_07_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:".php?action=jv&h="; http_uri; classtype:exploit-kit; sid:2016558; rev:4; metadata:created_at 2013_03_09, updated_at 2013_03_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Njw0rm CnC Beacon"; flow:established,to_server; content:"lv0njxq80"; depth:9; content:"njxq80"; distance:0; reference:url,www.fireeye.com/blog/technical/malware-research/2013/08/njw0rm-brother-from-the-same-mother.html; reference:md5,4c60493b14c666c56db163203e819272; reference:md5,b0e1d20accd9a2ed29cdacb803e4a89d; classtype:command-and-control; sid:2017404; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_08_31, deployment Perimeter, former_category WORM, signature_severity Major, tag c2, updated_at 2013_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"h"; depth:1; http_client_body; content:"="; within:12; http_client_body; content:"&p"; distance:24; within:2; http_client_body; pcre:"/^h[a-z0-9]{0,10}\x3d[a-f0-9]{24}&p[a-z0-9]{0,10}\x3d[a-z0-9]{1,11}&i/P"; classtype:exploit-kit; sid:2016562; rev:7; metadata:created_at 2013_03_12, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura Landing with Applet Aug 30 2013"; flow:established,from_server; file_data; content:".getVersion"; nocase; content:"|22|PGFwcGxld"; fast_pattern; content:"|22|PGFwcGxld"; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017407; rev:2; metadata:created_at 2013_09_03, updated_at 2013_09_03;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Database List"; flow:established,to_client; file_data; content:"<h1>Databases List</h1>"; classtype:bad-unknown; sid:2016574; rev:2; metadata:created_at 2013_03_14, updated_at 2013_03_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Winsoftware.com Spyware Activity"; flow: to_server,established; content:"/?proto="; nocase; http_uri; content:"&rc="; nocase; http_uri; content:"&abbr="; nocase; http_uri; content:"platform="; nocase; http_uri; content:"&os_version="; nocase; http_uri; content:"&appid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003471; classtype:trojan-activity; sid:2003471; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Romanian Webshell"; flow:established,to_client; file_data; content:"Incarca fisier|3a|"; content:"Exeuta comada|3a|"; classtype:bad-unknown; sid:2016577; rev:4; metadata:created_at 2013_03_14, updated_at 2013_03_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Weird on the Web /180 Solutions Update"; flow: to_server,established; content:"/notifier/updates"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002041; classtype:trojan-activity; sid:2002041; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT_NGO_wuaclt PDF file"; flow:from_server,established; file_data; content:"%PDF-"; within:5; content:"|3C 21 2D 2D 0D 0A 63 57 4B 51 6D 5A 6C 61 56 56 56 56 56 56 56 56 56 56 56 56 56 63 77 53 64 63 6A 4B 7A 38 35 6D 37 4A 56 6D 37 4A 46 78 6B 5A 6D 5A 6D 52 44 63 5A 58 41 73 6D 5A 6D 5A 7A 42 4A 31 79 73 2F 4F 0D 0A|"; within:200; reference:url,labs.alienvault.com/labs/index.php/2013/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists/; classtype:targeted-activity; sid:2016579; rev:2; metadata:created_at 2013_03_15, former_category MALWARE, updated_at 2013_03_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Browseraid.com Agent Reporting Data"; flow: to_server,established; content:"/perl/ads.pl"; nocase; http_uri; reference:url,www.browseraid.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001266; classtype:trojan-activity; sid:2001266; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redkit Landing Page URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"u33&299"; within:200; content:"u3v7"; within:50; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016587; rev:6; metadata:created_at 2013_03_15, former_category EXPLOIT_KIT, updated_at 2013_03_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Browseraid.com User-Agent (Browser Adv)"; flow: to_server,established; content:"Browser Adv"; http_header; fast_pattern:only; reference:url,www.browseraid.com; reference:url,doc.emergingthreats.net/2001295; classtype:trojan-activity; sid:2001295; rev:24; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:2101239; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Keep-Alive (OUTBOUND)"; flow:to_server,established; content:"P[endof]"; dsize:8; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017418; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:2101271; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Checkin"; flow:to_server,established; content:"lv"; depth:2; content:"[endof]"; isdataat:!2,relative; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017419; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,17; classtype:rpc-portmap-decode; sid:2101265; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (File Manager)"; flow:from_server,established; content:"FM|7c 27 7c 27 7c|"; depth:7; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017420; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,23; classtype:rpc-portmap-decode; sid:2101269; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command Response (File Manager)"; flow:to_server,established; content:"rn|7c 27 7c 27 7c|"; depth:7; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017421; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,14; classtype:rpc-portmap-decode; sid:2101275; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Remote Desktop)"; flow:from_server,established; content:"sc~|7c 27 7c 27 7c|"; depth:8; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017422; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; reference:bugtraq,9794; classtype:attempted-admin; sid:2102409; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command Response (Remote Desktop)"; flow:to_server,established; content:"scPK|7c 27 7c 27 7c|"; depth:9; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017423; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,18; classtype:rpc-portmap-decode; sid:2101262; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Remote Cam)"; flow:from_server,established; content:"CAM|7c 27 7c 27 7c|"; depth:8; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017424; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,10; classtype:rpc-portmap-decode; sid:2101270; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Remote Shell)"; flow:from_server,established; content:"rs|7c 27 7c 27 7c|"; depth:8; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017426; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,25; classtype:rpc-portmap-decode; sid:2101273; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command Response (Process listing)"; flow:to_server,established; content:"proc|7c 27 7c 27 7c|"; depth:9; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017427; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,22; classtype:rpc-portmap-decode; sid:2101268; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Kill Process)"; flow:from_server,established; content:"k|7c 27 7c 27 7c|"; depth:6; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017428; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_repcat.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102726; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible BHEK Landing URI Format"; flow:to_server,established; urilen:>41; content:".php"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{32}\/[a-z]+?\-[a-z]+?\.php/U"; classtype:exploit-kit; sid:2017376; rev:7; metadata:created_at 2013_08_27, former_category EXPLOIT_KIT, updated_at 2013_08_27;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,19; classtype:rpc-portmap-decode; sid:2101263; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Bleeding EK Variant Landing JAR Sep 06 2013"; flow:established,to_server; content:"Java/1."; fast_pattern:only; http_user_agent; content:".php?e="; nocase; http_uri; pcre:"/\.php\?e=\d+(&|$)/Ui"; classtype:exploit-kit; sid:2017435; rev:4; metadata:created_at 2013_09_07, former_category CURRENT_EVENTS, updated_at 2013_09_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s+[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2102666; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit Landing Page"; flow:established,from_server; file_data; content:"|22|0x|22 3b|"; content:"="; distance:0; pcre:"/^[\r\n\s]*?[\x22\x27][a-f0-9]{2}(?P<sep>[^a-f0-9]{1,10})(?P<a>[a-f0-9]{2})(?P=sep)(?P<p>[a-f0-9]{2})(?P=sep)(?P=p)(?P=sep)(?P<l>[a-f0-9]{2})(?P=sep)(?P<e>[a-f0-9]{2})[^\x22\x27]+?(?P=sep)(?P=p)(?P=sep)(?P=a)(?P=sep)[a-f0-9]{2}(?P=sep)(?P=a)(?P=sep)[^\x22\x27]+?(?P=sep)(?P=a)(?P=sep)(?P=l)(?P=sep)[a-f0-9]{2}(?P=sep)(?P=e)/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017451; rev:6; metadata:created_at 2013_09_11, updated_at 2013_09_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,21; classtype:rpc-portmap-decode; sid:2101267; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole hex and wordlist initial landing and exploit path"; flow:established,to_server; urilen:>70; content:".php"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{5,}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2017452; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_11, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,20; classtype:rpc-portmap-decode; sid:2101272; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT X20 EK Landing July 22 2013"; flow:established,from_server; file_data; content:"&7&.y|22|></param></applet></table></body></html>"; nocase; classtype:exploit-kit; sid:2017167; rev:4; metadata:created_at 2013_07_23, updated_at 2013_07_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2101276; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SNET EK Encoded VBS 1"; flow:established,from_server; file_data; content:"BDbGVhckludGVybmV0Q2FjaGUo"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017470; rev:2; metadata:created_at 2013_09_17, updated_at 2013_09_17;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:2101264; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SNET EK Encoded VBS 2"; flow:established,from_server; file_data; content:"IENsZWFySW50ZXJuZXRDYWNoZS"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017471; rev:2; metadata:created_at 2013_09_17, updated_at 2013_09_17;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2102950; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SNET EK Encoded VBS 3"; flow:established,from_server; file_data; content:"Q2xlYXJJbnRlcm5ldENhY2hlK"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017472; rev:2; metadata:created_at 2013_09_17, updated_at 2013_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RevProxy Java  Settings"; flow:established,to_client; file_data; content:"USE_USERAGENT="; content:"DELAY_BETWEEN_SYNCS="; content:"CONNECTION_TIMEOUT="; classtype:trojan-activity; sid:2016592; rev:3; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible SNET EK VBS Download"; flow:to_server,established; content:"/cod/"; http_uri; fast_pattern; content:".vbs"; http_uri; distance:0; pcre:"/\/cod\/[^\x2f]+\.vbs$/U"; classtype:exploit-kit; sid:2017469; rev:5; metadata:created_at 2013_09_17, former_category CURRENT_EVENTS, updated_at 2013_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 9"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/default.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016265; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Embedded Open Type Font file .eot"; flow:established,to_client; file_data; content:"|02 00 02  00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40  00|a|00|b|00|c|00|d|00|e|00|f|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:exploit-kit; sid:2016065; rev:4; metadata:created_at 2012_12_20, former_category EXPLOIT_KIT, updated_at 2012_12_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 13"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/index.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016281; rev:4; metadata:created_at 2013_01_25, updated_at 2013_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Styx - TDS - Redirect To Landing Page"; flow:established,to_client; file_data; content:"<body onLoad="; content:"Redirect..."; fast_pattern; classtype:exploit-kit; sid:2017482; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ACTIVEX Norton antivirus sysmspam.dll load attempt"; flow:to_client,established; content:"clsid|3A|"; nocase; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; nocase; reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-admin; sid:2102485; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) - Landing Page - Java ClassID and 32HexChar.jar"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:".jar"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:exploit-kit; sid:2015901; rev:3; metadata:created_at 2012_11_20, former_category EXPLOIT_KIT, updated_at 2012_11_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible RedDotv2 applet with 32hex value Landing Page"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!<\/applet>).)+[\r\n\s]value[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])[a-f0-9]{32}(?P=q1)/Rsi"; classtype:exploit-kit; sid:2016643; rev:5; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess Outbound udp traffic detected"; content:"|28 94 8d ab c9 c0 d1 99|"; offset:4; depth:8; dsize:16; threshold: type both, track by_src, count 10, seconds 600; classtype:trojan-activity; sid:2015482; rev:8; metadata:created_at 2012_07_17, updated_at 2012_07_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 1"; flow:from_server,established; flowbits:isset,ETPRO.RTF; file_data; content:"|5c|object"; distance:0; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"4BF0D1BD8B85D111B16A00C0F0283628"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; reference:cve,2012-0158; classtype:attempted-user; sid:2025082; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2017_11_29;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Unknown Malware CnC response with exe file"; flow:from_server,established; dsize:>0; byte_jump:2,1,little,post_offset -4; isdataat:!2,relative; content:"!This program cannot be run in DOS mode."; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:command-and-control; sid:2017414; rev:3; metadata:created_at 2013_09_04, updated_at 2013_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 2"; flow:from_server,established; flowbits:isset,ETPRO.RTF; file_data; content:"|5c|object"; distance:0; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"E0F56B9944805046ADEB0B013914E99C"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; reference:cve,2012-0158; classtype:attempted-user; sid:2025083; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2017_11_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"function Suck("; fast_pattern:only; classtype:exploit-kit; sid:2017484; rev:3; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 3"; flow:from_server,established; flowbits:isset,ETPRO.RTF; content:"|5c|object"; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"5FDC81917DE08A41ACA68EEA1ECB8E9E"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; reference:cve,2012-0158; classtype:attempted-user; sid:2025084; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2017_11_29;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"function align_esp("; fast_pattern:only; classtype:exploit-kit; sid:2017485; rev:1; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Acrobat Web Capture [8-9].0"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Acrobat Web Capture "; pcre:"/^[8-9]\.0/R"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016646; rev:3; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"CollectGarbage"; nocase; fast_pattern:only; content:"eval(|27|unescape|27|)"; nocase; content:"|27|%u|27|"; classtype:exploit-kit; sid:2017486; rev:2; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Python PDF Library"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"Python PDF Library - http|3a|//pybrary.net/pyPdf/"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016648; rev:3; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible JavaFX Click To Run Bypass 1"; flow:established,to_client; file_data; content:"cHJlbG9hZGVyLWNsYXNz"; reference:url,seclists.org/bugtraq/2013/Jul/41; classtype:attempted-user; sid:2017494; rev:2; metadata:created_at 2013_09_20, updated_at 2013_09_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Asprox Spam Module CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"Content-Disposition|3A| form-data|3B| name=|22|sid|22|"; http_client_body; content:"Content-Disposition|3A| form-data|3B| name=|22|up|22|"; http_client_body; distance:0; content:"Content-Disposition|3A| form-data|3B| name=|22|ping|22|"; fast_pattern:32,11; http_client_body; distance:0; content:"Content-Disposition|3A| form-data|3B| name=|22|guid|22|"; distance:0; http_client_body; reference:url,www.welivesecurity.com/2013/03/08/sinkholing-trojan-downloader-zortob-b-reveals-fast-growing-malware-threat/; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2016561; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_12, deployment Perimeter, signature_severity Major, tag c2, updated_at 2013_03_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible JavaFX Click To Run Bypass 2"; flow:established,to_client; file_data; content:"wcmVsb2FkZXItY2xhc3"; reference:url,seclists.org/bugtraq/2013/Jul/41; classtype:attempted-user; sid:2017495; rev:3; metadata:created_at 2013_09_20, updated_at 2013_09_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator pdfeTeX-1.21a"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"pdfeTeX-1.21a"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016651; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible JavaFX Click To Run Bypass 3"; flow:established,to_client; file_data; content:"ByZWxvYWRlci1jbGFzc"; reference:url,seclists.org/bugtraq/2013/Jul/41; classtype:attempted-user; sid:2017496; rev:3; metadata:created_at 2013_09_20, updated_at 2013_09_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Adobe Acrobat 9.2.0"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Adobe Acrobat 9.2.0"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016652; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK - Java Exploit - bona.jar"; flow:established,to_server; content:"/bona.jar"; http_uri; classtype:exploit-kit; sid:2017497; rev:2; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Adobe PDF Library 9.0"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Adobe PDF Library 9.0"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016653; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"(|22|ms-help|3a|//|22|)|3b|"; nocase; content:"(|22|ms-help|3a|//|22|)|3b|"; distance:0; content:"(|22|ms-help|3a 22|)|3b|"; nocase; content:"(|22|ms-help|3a 22|)|3b|"; nocase; distance:0; classtype:exploit-kit; sid:2017488; rev:3; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Postal Reciept EXE in Zip"; flow:from_server,established; file_data; content:"PK"; within:2; content:"Postal-Receipt.exe"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016654; rev:2; metadata:created_at 2013_03_22, former_category CURRENT_EVENTS, updated_at 2019_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Probably Evil Long Unicode string only string and unescape 1"; flow:established,from_server; file_data; content:"unescape"; content:"|22|%u"; content:!"|22|"; within:120; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017499; rev:2; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [CrowdStrike] ANCHOR PANDA - Adobe Gh0st Beacon"; flow:established, to_server; content: "Adobe"; depth:5; content:"|e0 00 00 00 78 9c|"; distance: 4; within:15; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016656; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Major, tag PCRAT, tag Gh0st, tag RAT, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Probably Evil Long Unicode string only string and unescape 2"; flow:established,from_server; file_data; content:"unescape"; content:"|27|%u"; nocase; content:!"|27|"; within:120; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017500; rev:2; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [CrowdStrike] ANCHOR PANDA Torn RAT Beacon Message Header Local"; flow:established, to_server; dsize:16; content:"|00 00 00 11 c8 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; flowbits:set,ET.Torn.toread_header; flowbits: noalert; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016659; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_03_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Probably Evil Long Unicode string only string and unescape 3"; flow:established,from_server; file_data; content:"unescape"; content:"|22 5f|u"; nocase; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017501; rev:2; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [CrowdStrike] ANCHOR PANDA Torn RAT Beacon Message"; dsize: 200; flow: to_server,established; flowbits:isset,ET.Torn.toread_header; content:"|40 7e 7e 7e|"; offset:196; depth:4; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016660; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_03_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Probably Evil Long Unicode string only string and unescape 3"; flow:established,from_server; file_data; content:"unescape"; content:"|27 5f|u"; nocase; content:!"|27|"; within:100; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017502; rev:2; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SofosFO - possible second stage landing page"; flow:established,to_server; urilen:>40; content:".js"; offset:38; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([tZFBeDauxR]+q){3}[tZFBeDauxR]+(_[tZFBeDauxR]+)?|O7dd)k(([tZFBeDauxR]+q){3}[tZFBeDauxR]+|O7dd)\//U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016073; rev:7; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Used in various watering hole attacks"; flow:established,from_server; file_data; content:"ConVertData"; pcre:"/^[^a-z0-9]/Ri"; content:"checka"; pcre:"/^[^a-z0-9]/Ri"; content:"checkb"; pcre:"/^[^a-z0-9]/Ri"; classtype:exploit-kit; sid:2017503; rev:2; metadata:created_at 2013_09_21, former_category CURRENT_EVENTS, updated_at 2013_09_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Karagany encrypted binary (1)"; flow:established,to_client; file_data; content:"|81 f2 90 00 cf a8 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016663; rev:2; metadata:created_at 2013_03_26, former_category EXPLOIT_KIT, updated_at 2019_09_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Sakura - Java Exploit Recieved - Atomic"; flow:established,to_client; file_data; content:"PK"; within:2; content:"Main-Class|3a| atomic.Atomic"; classtype:trojan-activity; sid:2017506; rev:2; metadata:created_at 2013_09_24, former_category CURRENT_EVENTS, updated_at 2013_09_24;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hosts"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|tracker"; fast_pattern; distance:0; threshold: type both, count 3, seconds 10, track by_src; classtype:policy-violation; sid:2016662; rev:3; metadata:created_at 2013_03_26, updated_at 2013_03_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Cushion Redirection"; flow:established,to_server; content:".php?message="; http_uri; fast_pattern:only; pcre:"/\/(?:app|info)\.php\?message=[A-Za-z0-9\+\/]+={0,2}$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:2017507; rev:2; metadata:created_at 2013_09_24, former_category CURRENT_EVENTS, updated_at 2013_09_24;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (ORA-)"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"ORA-"; distance:0; classtype:bad-unknown; sid:2016676; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Styx J7u21 click2play bypass"; flow:established,to_server; content:"/jplay.html"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017508; rev:2; metadata:created_at 2013_09_24, updated_at 2013_09_24;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (ORA-)"; flow:from_server,established; content:"500"; http_stat_code; file_data; content:"ORA-"; distance:0; classtype:bad-unknown; sid:2016677; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible J7u21 click2play bypass"; flow:established,to_client; file_data; content:"<jfx|3a|"; nocase; content:"preloader-class"; nocase; content:"<jnlp"; nocase; classtype:attempted-user; sid:2017509; rev:2; metadata:created_at 2013_09_24, updated_at 2013_09_24;)
 
-alert http $HTTP_SERVERS any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Simple - Title"; flow:established,to_client; file_data; content:"- Simple Shell</title>"; classtype:bad-unknown; sid:2016679; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Encrypted Binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|25 3e fc 75 7b|"; within:5; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016380; rev:4; metadata:created_at 2013_02_08, former_category EXPLOIT_KIT, updated_at 2013_02_08;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - JSPCMD - Form"; flow:established,to_client; file_data; content:"<FORM METHOD=\"GET\" NAME=\"comments\" ACTION=\"\">"; classtype:bad-unknown; sid:2016684; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT W32/Caphaw DriveBy Campaign Ping.html"; flow:established,to_server; content:"/ping.html?id="; http_uri; content:"&js="; http_uri; content:"&key="; http_uri; content:!"/utils/"; http_uri; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; reference:url,blog.damballa.com/archives/2147; classtype:trojan-activity; sid:2017513; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Delfinject Check-in"; flow:established,to_server; content: "|44 4d 7f 49 51 48 50 62 7d 74 61 77 4e 55 32 2f|"; depth:16; dsize:<65; reference:md5,90f8b934c541966aede75094cfef27ed; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=VirTool%3AWin32%2FDelfInject; classtype:trojan-activity; sid:2016685; rev:2; metadata:created_at 2013_03_28, updated_at 2013_03_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Sep 10 2013"; flow:established,from_server; file_data; content:".getVersion("; nocase; content:!"PluginDetect"; nocase; distance:-24; within:12; pcre:"/^[\r\n\s]*?(?P<q>[\x22\x27])Java(?P=q)/Ri"; content:!"<applet"; nocase; content:"var"; pcre:"/^[^=]+?=[^\x22\x27\x3b]*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?<[^\x22\x27]*?a[^\x22\x27]*?p[^\x22\x27]*?p[^\x22\x27]*?l[^\x22\x27]*?e[^\x22\x27]*?t[^\x22\x27](?:(?!(?P=q)).)+?<[^\x22\x27]*?p[^\x22\x27]*?a[^\x22\x27]*?r[^\x22\x27]*?a[^\x22\x27]*?m/Rs"; classtype:trojan-activity; sid:2017450; rev:3; metadata:created_at 2013_09_11, updated_at 2013_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED thebestsoft4u.com Spyware Install (3)"; flow: to_server,established; content:"/pr.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001486; classtype:trojan-activity; sid:2001486; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Leverage.A Checkin"; flow:established,to_server; content:"|00 00|"; offset:0; depth:2; content:"|00 00 00 01|"; distance:2; within:4; content:"RAM|0a 7c|"; pcre:"/^\d+\w+\/\d+\w+ free \(\d+% used\)/R"; classtype:command-and-control; sid:2017525; rev:2; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2013_09_25;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Auth Prompt"; flow:established,to_client; file_data; content:"bG9nb25fc3VibWl0"; classtype:bad-unknown; sid:2016689; rev:2; metadata:created_at 2013_04_02, updated_at 2013_04_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command response"; flow:established,from_server; file_data; content:"send|3c 7c 3e|"; within:7; pcre:"/^[A-Z]\x3a\x5f/R"; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017523; rev:5; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2013_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Sakura exploit kit landing page obfuscated applet tag Mar 28 2013"; flow:established,from_server; file_data; content:"<apABCplet"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016704; rev:3; metadata:created_at 2013_04_02, former_category EXPLOIT_KIT, updated_at 2013_04_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Hiloti/Mufanom CnC Response"; flow:established,from_server; flowbits:isset,ET.Hiloti; file_data; content:"<!-- vbe -->"; distance:0; classtype:command-and-control; sid:2017526; rev:3; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2013_09_25;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely EgyPack Exploit kit landing page (EGYPACK_CRYPT)"; flow:established,from_server; content:"EGYPACK_CRYPT"; pcre:"/EGYPACK_CRYPT\d/"; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:exploit-kit; sid:2013175; rev:4; metadata:created_at 2011_07_04, former_category EXPLOIT_KIT, updated_at 2011_07_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT Windows Media Player directory traversal via Content-Disposition attempt"; flow:from_server,established; file_data; content:"Content-Disposition|3A|"; nocase; pcre:"/filename=[^\x3b\x3a\r\n]*(\x2e\x2e|\x25\x32\x65)/smi"; reference:bugtraq,7517; reference:cve,2003-0228; reference:url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx; classtype:attempted-user; sid:2103192; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-8 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c|5C|0c"; nocase; distance:0; classtype:bad-unknown; sid:2016714; rev:2; metadata:created_at 2013_04_04, updated_at 2013_04_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT LightsOut EK Payload Download"; flow:to_server,established; content:".php?dwl="; http_uri; fast_pattern:only; nocase; pcre:"/\.php\?dwl=[a-z]+$/U"; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017529; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-16 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c0c"; nocase; distance:0; classtype:bad-unknown; sid:2016715; rev:2; metadata:created_at 2013_04_04, former_category SHELLCODE, updated_at 2017_09_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK info3i.html"; flow:to_server,established; content:"/info3i.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017530; rev:2; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/q.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:23; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016563; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK info3i.php"; flow:to_server,established; content:"/info3i.php"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017531; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:40; content:"/ff.php"; http_uri; offset:33; pcre:"/^\/[0-9a-f]{32}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016722; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK inden2i.html"; flow:to_server,established; content:"/inden2i.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017532; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:24; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016724; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK leks.html"; flow:to_server,established; content:"/leks.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017534; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Potential Fiesta Flash Exploit"; flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:60; within:7; http_uri; pcre:"/\/\?[0-9a-f]{60,66}\x3b(?:1(?:0[0-3]|1\d)|90)\d{1,3}\x3b\d{1,3}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016726; rev:6; metadata:created_at 2013_04_05, former_category EXPLOIT_KIT, updated_at 2013_04_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK negc.html"; flow:to_server,established; content:"/negc.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017535; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Empty HTTP Content Type Server Response - Potential CnC Server"; flow:established,to_client; content:"Content-Type|3A 20 0D 0A|"; http_header; classtype:command-and-control; sid:2016712; rev:3; metadata:created_at 2013_04_04, updated_at 2013_04_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK negq.html"; flow:to_server,established; content:"/negq.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017536; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic Backdoor Retrieve Instructions/Configs - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?aid="; fast_pattern; nocase; http_uri; content:"&pid="; http_uri; content:"&kind="; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2009826; classtype:trojan-activity; sid:2009826; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK leks.jar"; flow:to_server,established; content:"/leks.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017537; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008110; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK start.jar"; flow:to_server,established; content:"/start.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017538; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert tcp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008108; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK stoq.jar"; flow:to_server,established; content:"/stoq.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017539; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET DELETED Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound"; flow:established; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008103; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK erno_rfq.html"; flow:to_server,established; content:"/erno_rfq.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017540; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert udp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET DELETED Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound"; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008107; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK inden2i.php"; flow:to_server,established; content:"/inden2i.php"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017541; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedDotv2 Jar March 18 2013"; flow:established,to_server; content:"/sexy.jar"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2016594; rev:7; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK gami.html"; flow:to_server,established; content:"/gami.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017542; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -2 Mar 13 2013"; flow:established,from_server; file_data; content:"0156,0142,0156,0142,073,0171"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016636; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_21, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK gami.jar"; flow:to_server,established; content:"/gami.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017543; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -4 Mar 22 2013"; flow:established,from_server; file_data; content:"0154,0140,0154,0140,071,0167"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016661; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|HTML)/Ri"; content:"onlosecapture"; nocase; fast_pattern; pcre:"/^(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?(?!function)(?P<func>[^\r\n\s]+)\b.+?function[\r\n\s]+(?P=func)[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{((?!function).)*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(\x22\x22|\x27\x27))?((?!function).)*?document\.write\([\r\n\s]*?(\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\)/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017480; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -5 Mar 26 2013"; flow:established,from_server; file_data; content:"0153,0137,0153,0137,070,0166"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016678; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|HTML)/Ri"; content:"onlosecapture"; fast_pattern; nocase; pcre:"/^(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?function[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{.*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(\x22\x22|\x27\x27))?.*?document\.write\([\r\n\s]*?(\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\)/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017478; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -7 Mar 30 2013"; flow:established,from_server; file_data; content:"0151,0135,0151,0135,066,0164"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016686; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_01, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Obfuscated http 2 digit sep in applet (Seen in HiMan EK)"; flow:established,from_server; file_data; content:"<applet"; content:"value"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]h(?P<sep>\d{2})t(?P=sep)t(?P=sep)p(?P=sep)\x3a/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017551; rev:2; metadata:created_at 2013_10_02, updated_at 2013_10_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal Mar 6 2013"; flow:established,from_server; file_data; content:"0160,0144,0160,0144,075,0173"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016544; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_07, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible CritX/SafePack/FlashPack EXE Download"; flow:established,from_server; content:"filename=e"; http_header; content:".exe"; distance:23; within:4; http_header; pcre:"/filename=e[a-f0-9]{23}\.exe/H"; classtype:exploit-kit; sid:2017297; rev:6; metadata:created_at 2013_08_08, former_category CURRENT_EVENTS, updated_at 2013_08_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RedKit applet + obfuscated URL Apr 7 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"8ss&299"; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016734; rev:2; metadata:created_at 2013_04_09, former_category EXPLOIT_KIT, updated_at 2013_04_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT HiMan EK Reporting Host/Exploit Info"; flow:established,to_server; content:".php?ex="; http_uri; content:"&os="; http_uri; content:"&name="; http_uri; content:"&ver="; http_uri; classtype:exploit-kit; sid:2017553; rev:3; metadata:created_at 2013_10_03, former_category CURRENT_EVENTS, updated_at 2013_10_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GonDadEK Kit Jar"; flow:to_client,established; file_data; content:"ckwm"; pcre:"/^(ckwm)*?(Exp|cc)\.class/R"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016737; rev:11; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK sort.html"; flow:to_server,established; content:"/sort.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017533; rev:5; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/NSISDL.Downloader CnC Server Response"; flow:established,to_client; file_data; content:"[install 1]"; within:11; content:"Ins="; within:40; classtype:command-and-control; sid:2016746; rev:2; metadata:created_at 2013_04_09, former_category MALWARE, updated_at 2013_04_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:" DropPayload("; fast_pattern:only; classtype:exploit-kit; sid:2017483; rev:4; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Siscos CnC Checkin"; flow:established,to_server; content:".php?getcmd="; fast_pattern:only; http_uri; content:"&uid="; http_uri; content:"User-Agent|3a| "; http_header; content:"|3b| MSlE 6.0|3b|"; distance:23; within:11; http_header; classtype:command-and-control; sid:2013384; rev:3; metadata:created_at 2011_08_09, former_category MALWARE, updated_at 2011_08_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE SSH Connection on 443 - Mevade Banner"; flow:to_server,established; content:"SSH-2.0-PuTTY_Local|3a|_Feb__5_2013_18|3a|26|3a|54"; depth:41; classtype:trojan-activity; sid:2017559; rev:2; metadata:created_at 2013_10_05, updated_at 2013_10_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lizamoon Related Compromised site served to local client"; flow:established,from_server; content:"</title><script src=http|3a|//"; nocase; content:"/ur.php></script>"; within:100; classtype:attempted-user; sid:2012624; rev:5; metadata:created_at 2011_04_02, updated_at 2011_04_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Oct 4 2013"; flow:established,from_server; file_data; content:"Embassy  Tokyo, Japan"; fast_pattern; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017562; rev:6; metadata:created_at 2013_10_05, former_category EXPLOIT_KIT, updated_at 2013_10_05;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:arachnids,449; classtype:attempted-recon; sid:2100467; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java CVE-2013-2465 Based on PoC"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"$MyColorModel.class"; content:"$MyColorSpace.class"; reference:cve,2013-2465; reference:url,seclists.org/fulldisclosure/2013/Aug/134; reference:url,malwageddon.blogspot.com/2013/10/unknown-ek-i-wanna-be-billionaire-so.html; classtype:exploit-kit; sid:2017563; rev:3; metadata:created_at 2013_10_08, updated_at 2013_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible XDocCrypt/Dorifel Checkin"; flow:established,to_server; content:"GET"; http_method; content:"&pin="; http_uri; content:"&crc="; http_uri; content:"&uniq="; http_uri; reference:url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus; classtype:trojan-activity; sid:2015631; rev:6; metadata:created_at 2012_08_16, updated_at 2012_08_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"name=|22|kurban|22|"; distance:0; nocase; content:".exe"; nocase; reference:cve,2013-2465; reference:url,malwageddon.blogspot.com/2013/10/unknown-ek-i-wanna-be-billionaire-so.html; reference:url,seclists.org/fulldisclosure/2013/Aug/134; classtype:attempted-user; sid:2017564; rev:3; metadata:created_at 2013_10_08, former_category CURRENT_EVENTS, updated_at 2013_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Nymaim Checkin"; flow:to_server,established; content:"POST"; http_method; content:"/nymain/"; http_uri; fast_pattern:only; content:"/index.php"; http_uri; content:"filename="; http_client_body; content:"&data="; http_client_body; reference:md5,b904ce55532582a6ea516399d8e4b410; classtype:trojan-activity; sid:2016752; rev:3; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx EK jply.html"; flow:established,to_server; content:"/jply.html"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2017576; rev:2; metadata:created_at 2013_10_10, former_category CURRENT_EVENTS, updated_at 2013_10_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fake Mozilla UA Outbound (Mozilla/0.xx)"; flow:established,to_server; content:"Mozilla/0."; http_user_agent; depth:10; reference:url,doc.emergingthreats.net/2010905; classtype:pup-activity; sid:2010905; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fake MS Security Update EK (Payload Download)"; flow:established,to_server; content:"/winddl32.exe"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017578; rev:2; metadata:created_at 2013_10_11, former_category CURRENT_EVENTS, updated_at 2013_10_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2 Landing Page (9)"; flow:to_server,established; content:"/closest/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/^\/closest\/(([a-z]{1,16}[-_]){1,4}[a-z]{1,16}|[a-z0-9]{20,}+)\.php/U"; classtype:trojan-activity; sid:2016755; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Possible Secondary Indicator of Java Exploit (Artifact Observed mostly in EKs/a few mis-configured apps)"; flow:established,to_server; content:"/javax.xml.datatype.DatatypeFactory"; http_uri; content:"Java/1."; http_header; classtype:exploit-kit; sid:2017579; rev:2; metadata:created_at 2013_10_11, former_category EXPLOIT_KIT, updated_at 2013_10_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (1)"; flow:established,to_server; urilen:>40; content:".js"; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([e7uxMhp1Kt]+Q){3}[e7uxMhp1Kt]+(_[e7uxMhp1Kt]+)?|a2\.\.)Z(([e7uxMhp1Kt]+Q){3}[e7uxMhp1Kt]+|a2\.\.)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015889; rev:9; metadata:created_at 2012_11_16, updated_at 2012_11_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DotkaChef Payload October 09"; flow:to_server,established; content:"sm_main.mp3"; http_uri; fast_pattern; content:"Java/1."; http_header; classtype:trojan-activity; sid:2017580; rev:2; metadata:created_at 2013_10_11, updated_at 2013_10_11;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - PHPShell - Comment"; flow:established,to_client; file_data; content:"<!-- PHPShell "; classtype:attempted-user; sid:2016760; rev:2; metadata:created_at 2013_04_16, updated_at 2013_04_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Aug 30 2013"; flow:established,from_server; file_data; content:"var pp100"; fast_pattern; content:"document.write("; distance:0; pcre:"/^[\r\n\s]*?[\x22\x27]<(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?a(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?p(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?p(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?l(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?e(?:[\x27\x22]\s*?\+\s*?[\x27\x22])?t/Ri"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017405; rev:6; metadata:created_at 2013_09_03, former_category EXPLOIT_KIT, updated_at 2013_09_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SofosFO - Landing Page"; flow:established,to_client; file_data; content:"BillyBonnyGetDepolo"; classtype:trojan-activity; sid:2016241; rev:4; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
+#alert ip $HOME_NET any -> [195.22.26.231,195.22.26.232] any (msg:"ET MALWARE Connection to AnubisNetworks Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016993; rev:3; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (2)"; flow:established,to_server; urilen:>25; content:"/highlands.js"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016046; rev:6; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS D-LINK Router Backdoor via Specific UA"; flow:to_server,established; content:"xmlset_roodkcableoj28840ybtide"; http_user_agent; reference:url,www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/; classtype:attempted-admin; sid:2017590; rev:3; metadata:created_at 2013_10_14, updated_at 2013_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO exploit kit jar download"; flow:established,to_server; content:"GET"; http_method; content:"files.php?"; http_uri; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015006; rev:6; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Initial Payload Internet Connectivity Check"; flow:established,to_server; content:"/ep/cl.php"; http_uri; fast_pattern:only; pcre:"/^\/ep\/cl\.php$/U"; reference:url,malwageddon.blogspot.fi/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:exploit-kit; sid:2017589; rev:3; metadata:created_at 2013_10_14, former_category CURRENT_EVENTS, updated_at 2013_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO exploit kit version check"; flow:established,to_server; content:"GET"; http_method; content:"&u="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; content:"&java"; http_uri; fast_pattern:only; content:"&pdf="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015007; rev:9; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Related EK Landing Oct 14 2013"; flow:established,from_server; content:"(2)!=7"; fast_pattern:only; content:"(7)==0"; content:"(6)==1"; content:"javafx_version"; content:"jnlp_href"; content:".getVersion("; pcre:"/^[\r\n\s]*?[\x22\x27]Java[\x22\x27]/R"; content:"document.write("; pcre:"/^[\r\n\s]*?[\x22\x27]<applet/R"; content:"document.write("; pcre:"/^[\r\n\s]*?[\x22\x27]<applet/R"; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2017591; rev:2; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2013_10_15;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern:only; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015009; rev:3; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Unknown Malvertising Related EK Redirect Oct 14 2013"; flow:established,to_server; content:".php?tnzppl="; fast_pattern; content:"&endovenafsl="; distance:0; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/mi"; reference:url,malwageddon.blogspot.fi/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:exploit-kit; sid:2017592; rev:1; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2013_10_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible landing page 10/01/12"; flow:established,to_server; urilen:51; content:"/4ff"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015750; rev:4; metadata:created_at 2012_10_01, updated_at 2012_10_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NfLog Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/Nfile.asp"; fast_pattern:only; http_uri; content:"Content-Length|3a| 7|0d 0a|"; http_header; content:"GetFile"; depth:7; http_client_body; reference:url,contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html; classtype:command-and-control; sid:2014229; rev:3; metadata:created_at 2012_02_16, former_category MALWARE, updated_at 2012_02_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible landing page 10/01/12 (2)"; flow:established,to_server; urilen:51; content:"/504"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015751; rev:4; metadata:created_at 2012_10_01, updated_at 2012_10_01;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PHP WebShell Embedded In GIF (OUTBOUND)"; flow:established,to_client; file_data; content:"GIF89"; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017604; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SofosFO obfuscator string 19 Dec 12 - possible landing"; flow:from_server,established; file_data; content:"cRxmlqC14I8yhr92sovp"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016070; rev:5; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PHP WebShell Embedded In JPG (OUTBOUND)"; flow:established,to_client; file_data; content:"JFIF|00|"; distance:6; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017605; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PDF - Acrobat Enumeration - var PDFObject"; flow:established,to_client; file_data; content:"var PDFObject="; classtype:misc-activity; sid:2016766; rev:2; metadata:created_at 2013_04_18, updated_at 2013_04_18;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PHP WebShell Embedded In PNG (OUTBOUND)"; flow:established,to_client; file_data; content:"PNG|0D 0A 1A 0A|"; distance:1; within:7; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017606; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - SCR in PKZip Compressed Data Download"; flow:established,to_client; file_data; content:"PK"; within:2; content:".scr"; fast_pattern:only; nocase; classtype:bad-unknown; sid:2016767; rev:3; metadata:created_at 2013_04_18, updated_at 2013_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShell Embedded In GIF (INBOUND)"; flow:established,from_server; file_data; content:"GIF89"; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017607; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Windows EXE with alternate byte XOR 51 - possible SofosFO/NeoSploit download"; flow:established,to_client; content:"|0d 0a|Mi"; isdataat:76,relative; content:"|54 5b 69 40 20 43 72 5c 67 41 61 5e 20 50 61 5d 6e 5c 74 13 62 56 20 41 75 5d 20 5a 6e 13 44 7c 53 13 6d 5c 64 56|"; distance:0; classtype:trojan-activity; sid:2015752; rev:3; metadata:created_at 2012_10_01, updated_at 2012_10_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShell Embedded In JPG (INBOUND)"; flow:established,from_server; file_data; content:"JFIF|00|"; distance:6; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017608; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data April 12 2013"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/c"; http_uri; depth:2; pcre:"/^\/c[a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; content:"p"; depth:1; http_client_body; pcre:"/^p[a-z0-9]{0,20}\x3d[a-z0-9]{1,20}&i[a-z0-9]{0,20}\x3d%[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016753; rev:10; metadata:created_at 2013_04_13, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED vBulletin Administrator Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/install/upgrade.php"; http_uri; content:"username"; http_client_body; content:"password"; http_client_body; distance:0; content:"confirmpassword"; http_client_body; distance:0; reference:url,blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html; classtype:web-application-attack; sid:2017610; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Reversed Applet Observed in Sakura/Blackhole Landing"; flow:established,from_server; file_data; content:"eulav "; nocase; fast_pattern:only; content:"eman "; nocase; content:"marap<"; nocase; within:500; content:"telppa"; within:500; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016729; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET DELETED Kelihos p2p traffic detected via byte_test CnC Response"; flow:established,from_server; flowbits:isset,ET.Kelihos-P2P; byte_extract:2,2,kelihos.p2p; byte_test:2,=,kelihos.p2p,6; byte_test:2,=,kelihos.p2p,10; byte_test:2,=,kelihos.p2p,14; byte_test:2,=,kelihos.p2p,18; byte_test:2,=,kelihos.p2p,22; byte_test:2,!=,kelihos.p2p,0; byte_test:2,!=,kelihos.p2p,4; byte_test:2,!=,kelihos.p2p,8; byte_test:2,!=,kelihos.p2p,25; classtype:command-and-control; sid:2017614; rev:2; metadata:created_at 2013_10_18, updated_at 2013_10_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura obfuscated javascript Apr 21 2013"; flow:established,from_server; file_data; content:"OD&|3a|x9T6"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016781; rev:2; metadata:created_at 2013_04_23, updated_at 2013_04_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET DELETED Kelihos p2p traffic detected via byte_test - SET"; flow:established,to_server; dsize:100<>2000; pcre:"/^[^OGHPDTCMLUVRBAS]/"; content:!"HTTP/1."; byte_extract:2,2,kelihos.p2p; byte_test:2,=,kelihos.p2p,6; byte_test:2,=,kelihos.p2p,10; byte_test:2,=,kelihos.p2p,14; byte_test:2,=,kelihos.p2p,18; byte_test:2,=,kelihos.p2p,22; byte_test:2,!=,kelihos.p2p,0; byte_test:2,!=,kelihos.p2p,4; byte_test:2,!=,kelihos.p2p,8; byte_test:2,!=,kelihos.p2p,25; flowbits:set,ET.Kelihos-P2P; flowbits:noalert; classtype:trojan-activity; sid:2017612; rev:5; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (8)"; flow:established,to_server; content:"/getqq.jpg"; http_uri; nocase; fast_pattern:only; pcre:"/getqq\.jpg$/U"; classtype:exploit-kit; sid:2016782; rev:15; metadata:created_at 2013_04_23, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT Possible Cutwail Redirect to Magnitude EK"; flow:established,to_server; urilen:15; content:"/messag_id.html"; http_uri; fast_pattern:only; reference:url,www.secureworks.com/resources/blog/research/cutwail-spam-swapping-blackhole-for-magnitude-exploit-kit/; classtype:exploit-kit; sid:2017621; rev:3; metadata:created_at 2013_10_21, former_category CURRENT_EVENTS, updated_at 2013_10_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pony Downloader check-in response STATUS-IMPORT-OK"; flow:established,from_server; file_data; content:"STATUS-IMPORT-OK"; within:16; classtype:trojan-activity; sid:2014563; rev:3; metadata:created_at 2012_04_13, updated_at 2012_04_13;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tenda Router Backdoor 1"; content:"w302r_mfg|00|"; depth:10; reference:url,www.devttys0.com/2013/10/from-china-with-love/; classtype:attempted-admin; sid:2017623; rev:3; metadata:created_at 2013_10_21, updated_at 2013_10_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fake DHL Kuluoz.B URI"; flow:established,to_server; content:".php?get"; http_uri; fast_pattern:only; pcre:"/\.php\?get[^=]*=\d_\d{5,}$/U"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016779; rev:4; metadata:created_at 2013_04_23, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tenda Router Backdoor 2"; content:"rlink_mfg|00|"; depth:10; reference:url,www.devttys0.com/2013/10/from-china-with-love/; classtype:attempted-admin; sid:2017624; rev:3; metadata:created_at 2013_10_21, updated_at 2013_10_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bancos User-Agent Detected vb wininet"; flow:established,to_server; content:"vb wininet"; nocase; http_user_agent; reference:url,doc.emergingthreats.net/2004114; classtype:trojan-activity; sid:2004114; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS 81a338 Hacked Site Response (Outbound)"; flow:established,from_server; file_data; content:"<!--81a338-->"; fast_pattern:only; classtype:trojan-activity; sid:2017625; rev:6; metadata:created_at 2013_10_22, updated_at 2013_10_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bredolab Infection - Windows Key"; flow:established,to_server; content:"?s=Windows"; nocase; http_uri; content:"&p="; nocase; http_uri; pcre:"/\&p=[0-9A-Za-z]{5}\-[0-9A-Za-z]{5}\-/U"; reference:url,doc.emergingthreats.net/2010072; classtype:trojan-activity; sid:2010072; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS 81a338 Hacked Site Response (Inbound)"; flow:established,from_server; file_data; content:"<!--81a338-->"; fast_pattern:only; classtype:trojan-activity; sid:2017626; rev:7; metadata:created_at 2013_10_22, updated_at 2013_10_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta - Payload - flashplayer11"; flow:established,to_client; content:"flashplayer11_"; http_header; file_data; content:"MZ"; within:2; classtype:exploit-kit; sid:2016784; rev:3; metadata:created_at 2013_04_26, former_category EXPLOIT_KIT, updated_at 2013_04_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE Possible Sakura Jar Download Oct 22 2013"; flow:to_server,established; content:!".jar"; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; content:".pl|3a|"; http_header; pcre:"/^\/[a-z]+([_-][a-z]+)*\.[a-z]{1,3}$/U"; pcre:"/^Host\x3a\x20[a-z0-9]+\.[a-z0-9]+\.[a-z0-9]+\.pl\x3a\d{2,5}\r$/Hm"; classtype:trojan-activity; sid:2017628; rev:4; metadata:created_at 2013_10_23, former_category CURRENT_EVENTS, updated_at 2013_10_23;)
 
-#alert  http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redkit encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|fb 67 1f 49|"; within:4; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016113; rev:3; metadata:created_at 2012_12_29, former_category EXPLOIT_KIT, updated_at 2012_12_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack Oct 23 2013"; flow:to_server,established; content:".php?cashe="; http_uri; fast_pattern:only; content:"Java/1."; http_user_agent; pcre:"/\.php\?cashe=\d+$/U"; classtype:trojan-activity; sid:2017629; rev:4; metadata:created_at 2013_10_23, updated_at 2013_10_23;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole MapYandex.class malicious jar"; flow:established,from_server; content:"|0d 0a|Content-Type|3a 20|application/java-archive|0d 0a|"; content:"MapYandex.class"; fast_pattern:only; content:"PK"; classtype:bad-unknown; sid:2013554; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible CoolEK Variant Payload Download Sep 16 2013"; flow:to_server,established; content:"Java/1."; http_user_agent; content:"&e="; http_uri; content:!"osk188.com"; http_header; pcre:"/=\d+&e=\d+$/U"; classtype:exploit-kit; sid:2017473; rev:6; metadata:created_at 2013_09_17, former_category EXPLOIT_KIT, updated_at 2013_09_17;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:"<applet code=|27|buildService.MapYandex.class|27|"; content:".jar"; content:"</applet>"; classtype:bad-unknown; sid:2013553; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netgear WNDR4700 Auth Bypass"; flow:to_server,established; content:"/BRS_03B_haveBackupFile_fileRestore.html"; http_uri; nocase; reference:url,securityevaluators.com/content/case-studies/routers/netgear_wndr4700.jsp; classtype:attempted-admin; sid:2017631; rev:2; metadata:created_at 2013_10_25, updated_at 2013_10_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole client=done Cookie Set"; flow:established,from_server; content:"client=done|3b|"; content:"client=done|3b|"; http_cookie; depth:12; classtype:bad-unknown; sid:2014412; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netgear WNDR3700 Auth Bypass"; flow:to_server,established; content:"/BRS_02_genieHelp.html"; http_uri; nocase; reference:url,shadow-file.blogspot.ro/2013/10/complete-persistent-compromise-of.html; classtype:attempted-admin; sid:2017632; rev:2; metadata:created_at 2013_10_25, updated_at 2013_10_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole client=done Cookie Present"; flow:established,to_server; content:"client=done"; http_header; content:"client=done"; http_cookie; depth:11; classtype:bad-unknown; sid:2014413; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Glazunov EK Downloading Jar"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".zip"; http_uri; pcre:"/\/\d+\/\d\.zip$/U"; classtype:exploit-kit; sid:2017011; rev:7; metadata:created_at 2013_06_13, updated_at 2013_06_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole hostile PDF v1"; flow:established,from_server; file_data; content:"|25 50 44 46 2d 31 2e 36|"; content:"|4b 69 64 73 5b 32 38 20 30 20 52 5d 3e 3e|"; distance:0; content:"javascript"; nocase; distance:0; classtype:trojan-activity; sid:2013991; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Landing Page Oct 25 2013"; flow:established,from_server; file_data; content:"fromCharCode"; content:"+0+0+3-1-1"; fast_pattern; within:100; content:"substr"; content:"(3-1)"; within:100; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017635; rev:4; metadata:created_at 2013_10_25, updated_at 2013_10_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole hostile PDF v2"; flow:established,from_server; file_data; content:"|25 50 44 46 2d 31 2e 36|"; content:"|20 2f 4b 69 64 73 20 5b 31 20 30 20 52 5d 20 2f 54 79 70 65 2f 50 61 67 65 73 3e 3e|"; distance:0; content:"javascript"; nocase; distance:0; classtype:trojan-activity; sid:2013992; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated fromCharCode"; flow:established,from_server; file_data; content:"|22|f"; nocase; content:!"romCharcode"; nocase; within:11; pcre:"/^(?:\x22\s*?\+\s*?\x22)?r(?:\x22\s*?\+\s*?\x22)?o(?:\x22\s*?\+\s*?\x22)?m(?:\x22\s*?\+\s*?\x22)?C(?:\x22\s*?\+\s*?\x22)?h(?:\x22\s*?\+\s*?\x22)?a(?:\x22\s*?\+\s*?\x22)?r(?:\x22\s*?\+\s*?\x22)?c(?:\x22\s*?\+\s*?\x22)?o(?:\x22\s*?\+\s*?\x22)?d(?:\x22\s*?\+\s*?\x22)?e/Ri"; classtype:bad-unknown; sid:2017565; rev:4; metadata:created_at 2013_10_08, updated_at 2013_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 5"; flow:established,to_server; content:"/adp"; http_uri; content:".php?f="; http_uri; pcre:"/\/adp\d\.php\?=[0-9a-z]{2,6}/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014195; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated fromCharCode"; flow:established,from_server; file_data; content:"|27|f"; nocase; content:!"romCharcode"; nocase; within:11; pcre:"/^(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?o(?:\x27\s*?\+\s*?\x27)?m(?:\x27\s*?\+\s*?\x27)?C(?:\x27\s*?\+\s*?\x27)?h(?:\x27\s*?\+\s*?\x27)?a(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?c(?:\x27\s*?\+\s*?\x27)?o(?:\x27\s*?\+\s*?\x27)?d(?:\x27\s*?\+\s*?\x27)?e/Ri"; classtype:bad-unknown; sid:2017566; rev:5; metadata:created_at 2013_10_08, updated_at 2013_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Applet with Obfuscated URL 2"; flow:established,from_server; file_data; content:"<applet"; content:"Mlgg"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014281; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SibHost Jar Request"; flow:established,to_server; content:".jar?m="; http_uri; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; pcre:"/\.jar\?m=[1-2]$/U"; classtype:trojan-activity; sid:2015951; rev:17; metadata:created_at 2012_11_28, updated_at 2012_11_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass"; flow:established,to_client; file_data; content:"<jnlp "; nocase; content:"__applet_ssv_validated"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2016797; rev:2; metadata:created_at 2013_04_28, updated_at 2013_04_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible SibHost PDF Request"; flow:established,to_server; content:".pdf?p=1&s="; http_uri; fast_pattern:only; pcre:"/\.pdf\?p=1&s=[1-2]$/U"; classtype:trojan-activity; sid:2016035; rev:3; metadata:created_at 2012_12_14, updated_at 2012_12_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet with obfuscated URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; content:"103sdj115sdj115sdj111sdj57sdj46sdj46sdj"; fast_pattern; within:250; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016585; rev:7; metadata:created_at 2013_03_15, former_category CURRENT_EVENTS, updated_at 2013_03_15;)
+#alert http any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Alpha Networks ADSL2/2+ router remote administration password disclosure"; flow:to_server,established; content:"/APIS/returnJSON.htm"; http_uri; reference:url,packetstorm.foofus.com/1208-exploits/asl26555_pass_disclosure.txt; classtype:attempted-admin; sid:2017638; rev:2; metadata:created_at 2013_10_28, updated_at 2013_10_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50a"; http_uri; depth:4; pcre:"/^\/50a[a-f0-9]{21}\/(((\d+,)+\d+)|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015847; rev:5; metadata:created_at 2012_10_27, former_category CURRENT_EVENTS, updated_at 2012_10_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Host Domain .bit"; flow:established,to_server; content:".bit|0D 0A|"; fast_pattern:only; http_header; pcre:"/^Host\x3a [^\r\n]+?\.bit\r\n$/Hmi"; reference:url,www.normanshark.com/blog/necurs-cc-domains-non-censorable/; classtype:bad-unknown; sid:2017644; rev:2; metadata:created_at 2013_10_30, updated_at 2013_10_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Sweet Orange Java obfuscated binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|22 2a|"; within:2; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016112; rev:3; metadata:created_at 2012_12_29, updated_at 2012_12_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.NfLog Checkin (TTip)"; flow:to_server,established; content:"/NfStart.asp?ClientId="; http_uri; nocase; reference:url,contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html; classtype:command-and-control; sid:2014266; rev:4; metadata:created_at 2012_02_21, former_category MALWARE, updated_at 2012_02_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Java payload request (1)"; flow:established,to_server; content:"Java/1"; http_user_agent; content:"openparadise1"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016111; rev:4; metadata:created_at 2012_12_29, former_category CURRENT_EVENTS, updated_at 2012_12_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SofosFO/Grandsoft Plugin-Detect"; flow:established,to_client; file_data; content:"go2Page(|27|/|27|+PluginDetect.getVersion(|22|AdobeReader|22|)+|27|.pdf|27|)|3b|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017650; rev:2; metadata:created_at 2013_10_31, updated_at 2013_10_31;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Sweet Orange Java obfuscated binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|3d 3b|"; within:2; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016143; rev:3; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Malicious Cookie Set By Flash Malvertising"; flow:established,to_server; content:"|0d 0a|Cookie|3a 20|asg325we234=1|0d 0a|"; reference:md5,cce9dcad030c4cba605a8ee65572136a; classtype:trojan-activity; sid:2017660; rev:2; metadata:created_at 2013_11_04, former_category CURRENT_EVENTS, updated_at 2013_11_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Java obfuscated binary (3)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|20 3b|"; within:2; content:"|3d 24 00 00|"; within:512; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016655; rev:5; metadata:created_at 2013_03_22, former_category CURRENT_EVENTS, updated_at 2013_03_22;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Fredcot campaign php5-cgi initial exploit"; flow:to_server,established; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"Mobile/10A5355d"; http_user_agent; content:"<?php"; depth:5; http_client_body; content:"fredcot"; http_client_body; fast_pattern; reference:cve,2012-1823; reference:url,eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/; classtype:web-application-attack; sid:2017663; rev:2; metadata:created_at 2013_11_05, former_category CURRENT_EVENTS, updated_at 2013_11_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT pamdql/Sweet Orange delivering exploit kit payload"; flow:established,to_server; content:"/command/"; http_uri; urilen:15; pcre:"/^\/command\/[a-zA-Z]{6}$/U"; classtype:exploit-kit; sid:2016093; rev:4; metadata:created_at 2012_12_28, former_category EXPLOIT_KIT, updated_at 2012_12_28;)
+#alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fredcot campaign IRC CnC"; flow:to_server,established; content:"JOIN #1111 ddosit"; reference:md5,e69bbd29f2822c1846d569ace710c9d5; reference:url,permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/20243; classtype:command-and-control; sid:2017665; rev:3; metadata:created_at 2013_11_05, former_category CURRENT_EVENTS, updated_at 2013_11_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ehyewyqydfpidbdp.ru"; flow:established,to_server; content:"|3a| ehyewyqydfpidbdp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015161; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET 21 (msg:"ET MALWARE Fredcot campaign payload download"; flow:to_server,established; content:"PASS fredcot123|0d 0a|"; reference:md5,e69bbd29f2822c1846d569ace710c9d5; reference:url,permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/20243; classtype:trojan-activity; sid:2017664; rev:5; metadata:created_at 2013_11_05, former_category CURRENT_EVENTS, updated_at 2013_11_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for file containing Java payload URIs (2)"; flow:established,to_server; content:"php?fbebf=nt34t4"; http_uri; content:"|29 20|Java/"; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015863; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Napolar Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:"v="; depth:2; http_client_body; content:"&u="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; content:"&s={"; distance:0; http_client_body; content:"}&w="; fast_pattern; distance:0; http_client_body; content:"&b="; distance:0; http_client_body; pcre:"/&s=\{[A-Z0-9]{8}-([A-Z0-9]{4}-){3}[A-Z0-9]{12}\}&w=(\d{1,2}\.){2}\d{1,2}&b=(32|64)$/Pi"; reference:url,blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/; reference:url,www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/; reference:md5,2c344add2ee6201f4e2cdf604548408b; classtype:trojan-activity; sid:2017527; rev:3; metadata:created_at 2013_09_27, updated_at 2013_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for file containing Java payload URIs (1)"; flow:established,to_server; content:".php?asd=12gqw"; http_uri; content:"|29 20|Java/"; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015843; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_26, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Backdoor.Adwind Download"; flow:established,from_server; file_data; content:"plugins/AdwindServer.class"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99&tabid=3; classtype:attempted-user; sid:2017668; rev:4; metadata:created_at 2013_11_06, updated_at 2013_11_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Oct 19 2012"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"&|23|48|3b|&|23|98|3b|&|23|48|3b|&|23|57|3b|&|23|48|3b|&|23|57|3b|&|23|48|3b|&|23|52|3b|&|23|49|3b|&|23|102|3b|"; within:300; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015823; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Zip File"; flow:established,from_server; file_data; content:"PK|03 04|"; within:4; flowbits:set,et.http.PK; flowbits:noalert; classtype:misc-activity; sid:2017669; rev:5; metadata:created_at 2013_11_06, updated_at 2013_11_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit encoded PluginDetect Jan 15 2013"; flow:established,to_client; file_data; content:"80|3A|!08|3A|!!7|3A|!03|3A|!05|3A|!!0|3A|68|3A|!0!|3A|!!6|3A|!0!|3A|99|3A|!!6"; classtype:exploit-kit; sid:2016213; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_16, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Word DOCX with Many ActiveX Objects and Media"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"word/activeX/activeX40.xml"; nocase; content:"word/media/"; nocase; reference:url,blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2; classtype:trojan-activity; sid:2017670; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole file containing obfuscated Java payload URIs"; flow:established,from_server; file_data; content:"0b0909041f3131"; within:14; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015844; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_26, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx iframe with obfuscated Java version check Jul 04 2013"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<div"; within:8; pcre:"/(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{10,20}(?P=space)[0-9a-z]{2}(?P=space)(?P<w>[0-9a-z]{2})(?P<i>[0-9a-z]{2})(?P<n>[0-9a-z]{2})[0-9a-z]{4}(?P=w)[0-9a-z]{10}(?P=i)(?P=n)[0-9a-z]{28}(?P=i)[0-9a-z]{2}(?P=n)[0-9a-z]{6}(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017295; rev:6; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole alt URL request Sep 05 2012 bv6rcs3v1ithi.php?w="; flow:established,to_server; content:"/bv6rcs3v1ithi.php?w="; http_uri; reference:url,urlquery.net/report.php?id=158608; classtype:attempted-user; sid:2015684; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx iframe with obfuscated CVE-2013-2551"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<div"; within:8; pcre:"/(?P<a>[0-9a-z]{2})(?P<s>(?!(?P=a))[0-9a-z]{2})[0-9a-z]{2}(?P=s)[0-9a-z]{2}(?P<y>[0-9a-z]{2})[0-9a-z]{4}(?P<dot>[0-9a-z]{2})(?P=a)(?P<r>[0-9a-z]{2})(?P=r)(?P=a)(?P=y)(?P=dot)/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017693; rev:2; metadata:created_at 2013_11_07, updated_at 2013_11_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole repetitive applet/code tag"; flow:established,from_server; file_data; content:"applet/code="; content:"/archive="; distance:0; content:".jar"; distance:0; pcre:"/applet\/code=[\x22\x27](?P<val1>[a-zA-Z0-9]+)[a-z]\.(?P=val1)[a-z][\x22\x27][^\x3e]+\.jar[\x22\x27]/"; classtype:trojan-activity; sid:2015697; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_12, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT FaceBook IM & Web Driven Facebook Trojan Download"; flow:established,to_server; content:"/dlimage4.php"; http_uri; content:".best.lt.ua|0d 0a|"; http_header; pcre:"/Host\x3a\x20[a-z]{6}\.best.lt\.ua\r$/Hm"; reference:url,pastebin.com/raw.php?i=tdATTg7L; classtype:trojan-activity; sid:2017696; rev:5; metadata:created_at 2013_11_08, former_category CURRENT_EVENTS, updated_at 2013_11_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL 23 Aug 2012"; flow:established,from_server; content:"applet"; content:"0xb|3a|0x9|3a|0x9|3a|0x4|3a|0x1f|3a|0x31|3a|0x31|3a|"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015652; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_23, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:attempted-user; sid:2015663; rev:4; metadata:created_at 2012_08_29, updated_at 2012_08_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Javascript 23 Aug 2012 split join split applet"; flow:established,from_server; content:"|3c|script"; content:"split(|22|"; within:40; content:".join(|22 22|).split(|22 22 29 3b|"; within:50; classtype:trojan-activity; sid:2015651; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_23, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Daemonize Trojan Proxy Initial Checkin"; flow:established,to_server; content:"/command.php?IP="; http_uri; content:"&P1="; http_uri; content:"&P2="; http_uri; content:"&ID="; http_uri; content:"&SP="; http_uri; content:"&CT="; http_uri; content:"&L1="; http_uri; content:"&L2="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanProxy%3AWin32%2FDaemonize.A&ThreatID=-2147464655; classtype:trojan-activity; sid:2013541; rev:3; metadata:created_at 2011_09_06, updated_at 2011_09_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing - Aug 21 2012"; flow:established,from_server; content:"|3c|html>|3c|body>|3c|applet "; fast_pattern; content:"code="; within:100; content:">|3c|param"; distance:0; content:">|3c|script>"; distance:0; content:".split("; within:100; content:").join("; within:100; classtype:exploit-kit; sid:2015648; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_21, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET DELETED Wordpress possible Malicious DNS-Requests - wordpress.com.*"; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013356; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page ChildNodes.Length - August 13th 2012"; flow:established,to_client; content:"=0|3B|i<document.body.childNodes.length|3B|i++{"; classtype:trojan-activity; sid:2015621; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_13, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/basicstats.php?"; nocase; http_uri; content:"AjaxHandler="; nocase; http_uri; pcre:"/AjaxHandler\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,46771; reference:url,xforce.iss.net/xforce/xfdb/65942; reference:url,packetstorm.linuxsecurity.com/1103-exploits/Interleave5.5.0.2-xss.txt; classtype:web-application-attack; sid:2012582; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page JavaScript Replace - 13th August 2012"; flow:established,to_client; file_data; content:"=document.body.childNodes["; content:"].innerHTML.replace(/"; distance:1; within:21; content:"/g,|22 22|)|3B|"; within:30; classtype:trojan-activity; sid:2015620; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_13, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED mySeatXT SQL Injection Attempt autocomplete.php field DELETE"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012578; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Specific JavaScript Replace hwehes - 8th August 2012"; flow:established,to_client; content:".replace(/hwehes/g"; classtype:trojan-activity; sid:2015592; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_09, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED mySeatXT SQL Injection Attempt autocomplete.php field UNION SELECT"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012576; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Potential Blackhole Zeus Drop - 8th August 2012"; flow:established,to_client; content:"P|00|r|00|o|00|d|00|u|00|c|00|t|00|N|00|a|00|m|00|e"; content:"n|00|o|00|n|00|a|00|m|00|e"; fast_pattern; within:15; classtype:trojan-activity; sid:2015591; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_09, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005371; classtype:web-application-attack; sid:2005371; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Intial Structure - 8th August 2012"; flow:established,to_client; content:"|0d 0a 0d 0a 3C|html|3E 3C|body|3E 3C|script|3E|"; content:"=function|28 29 7B|"; fast_pattern; distance:1; within:12; classtype:trojan-activity; sid:2015590; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_09, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass ASCII"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005370; classtype:web-application-attack; sid:2005370; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Redirection Page You Will Be Forwarded - 7th August 2012"; flow:established,to_client; content:"<h1><b>Please wait a moment. You will be forwarded...<|2F|h1><|2F|b>"; classtype:trojan-activity; sid:2015582; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass DELETE"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005369; classtype:web-application-attack; sid:2005369; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Replace JavaScript Large Obfuscated Blob - August 3rd 2012"; flow:established,to_client; file_data; content:"=|22|"; isdataat:300,relative; content:"|22|"; within:300; content:"|22|.replace(/"; distance:0; content:"/g.|22 22 29 3B|"; fast_pattern; within:30; classtype:trojan-activity; sid:2015580; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass INSERT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005368; classtype:web-application-attack; sid:2005368; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; file_data; content:"|3c|script>try{"; fast_pattern; content:"Math."; within:15; content:"}catch("; within:20; content:"eval"; within:17; classtype:exploit-kit; sid:2015579; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UNION SELECT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005367; classtype:web-application-attack; sid:2005367; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Applet Structure"; flow:established,to_client; file_data; content:"<|2F|script><applet/archive="; fast_pattern; content:".jar"; within:20; content:"code=|22|"; distance:0; content:"|22|><param/name=|22|"; distance:9; within:15; content:"<|2F|applet><|2F|body><|2F|html>"; distance:0; pcre:"/code\x3D\x22[a-z]{4}\x2E[a-z]{4}\x22/i"; classtype:trojan-activity; sid:2015520; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_24, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass SELECT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005366; classtype:web-application-attack; sid:2005366; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Split String Obfuscated Math Floor - July 19th 2012"; flow:established,to_client; file_data; content:"=Math|3B|"; content:"[|22|f"; distance:0; content:"|22|+|22|"; within:15; content:"r|22|]"; within:12; classtype:trojan-activity; sid:2015519; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_24, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004151; classtype:web-application-attack; sid:2004151; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Eval Split String Obfuscation In Brackets"; flow:established,to_client; file_data; content:"[|22|e"; fast_pattern; content:"|22|+|22|"; within:11; content:"l|22|]"; within:11; pcre:"/\x7B\x22e(v|x22\x2B\x22)(v|x22\x2B\x22|a)(a|v|x22\x2B\x22)[^\x5D]*?l\x22\x5D/"; classtype:trojan-activity; sid:2015477; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php ASCII"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004150; classtype:web-application-attack; sid:2004150; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole Landing Page /upinv.html"; flow:established,to_server; content:"/upinv.html"; http_uri; classtype:trojan-activity; sid:2015476; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php DELETE"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004149; classtype:web-application-attack; sid:2004149; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Request For Blackhole Landing Page Go.php"; flow:established,to_server; content:"/go.php?d="; http_uri; pcre:"/\x2Fgo\x2Ephp\x3Dd\x3D[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2015049; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_12, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php INSERT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004148; classtype:web-application-attack; sid:2004148; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Redirect.php Port 8080 Request"; flow:established,to_server; content:"/redirect.php?d="; fast_pattern:only; http_uri; content:"|3A|8080|0D 0A|"; http_header; pcre:"/\x2Fredirect\x2Ephp\x3Fd\x3D[0-9a-f]{8}$/U"; classtype:exploit-kit; sid:2015047; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php SELECT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004146; classtype:web-application-attack; sid:2004146; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Obfuscated Applet Value 6th July 2012"; flow:established,to_client; content:"<applet"; content:"value=|22|&#"; isdataat:50,relative; distance:0; content:"|3B|&#"; distance:4; within:3; content:"|3B|&#"; distance:4; within:3; content:"|3B|&#"; distance:4; within:3; pcre:"/value\x3D\x22\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23/"; classtype:exploit-kit; sid:2015044; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Magnitude Landing Nov 11 2013"; flow:established,from_server; file_data; content:".fromCharCode("; nocase; pcre:"/^[^\)]+\][\r\n\s]*?\^[\r\n\s]*?\d+?[\r\n\s]*?\)/R"; content:"eval("; nocase; content:".split("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27](?P<sp>[^\x22\x27]+)[\x22\x27].+?eval\([^\)\(]+?\([\x22\x27]\d{2,3}(?P=sp)\d{2,3}(?P=sp)/Rsi"; classtype:exploit-kit; sid:2017698; rev:2; metadata:created_at 2013_11_09, former_category CURRENT_EVENTS, updated_at 2013_11_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:".php?"; distance:0; pcre:"/^[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/R"; classtype:attempted-user; sid:2015701; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Websearch.com Cab Download"; flow: to_server,established; content:"/Dnl/T_"; nocase; http_uri; pcre:"/\/\S+\.cab/Ui"; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2003242; classtype:trojan-activity; sid:2003242; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - TDS Redirection To Exploit Kit - /head/head1.html"; flow:established,to_server; content:"/head/head1.html"; http_uri; classtype:exploit-kit; sid:2016025; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED AskSearch Toolbar Spyware User-Agent (AskTBar)"; flow:to_server,established; content:"|3b| AskTb"; http_header; pcre:"/User-Agent\x3a[^\n]+AskTB/iH"; reference:url,doc.emergingthreats.net/2003494; classtype:policy-violation; sid:2003494; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2.0 PDF GET request"; flow:established,to_server; content:".php?"; http_uri; content:"00020002"; http_uri; fast_pattern:only; pcre:"/\.php\?\w{2,9}\=(0[0-9a-b]|3[0-9]){5}\&\w{3,9}\=(3[0-9a-f]|4[0-9a-f])\&\w{3,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{3,9}\=(0[0-9a-b]{1,8})00020002$/U"; reference:url,fortknoxnetworks.blogspot.com/2012/11/deeper-into-blackhole-urls-and-dialects.html; classtype:attempted-user; sid:2015864; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Findwhat.com Spyware (sendtracker)"; flow: to_server,established; content:"/bin/findwhat.dll?sendtracker&"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003580; classtype:trojan-activity; sid:2003580; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit JavaScript colon string splitting"; flow:established,from_server; content:"<html><body><pre style=|22|visibility|3a|hidden|3b 22|"; pcre:"/(-?\d+\x3a-?\d+\x3a){100}/"; classtype:exploit-kit; sid:2014194; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Nulprot Checkin Response"; flow:established,from_server; content:"200"; http_stat_code; content:"Encryption|3a| on|0d 0a|Content-Length|3a| "; http_header; depth:32; reference:url,doc.emergingthreats.net/2007669; classtype:trojan-activity; sid:2007669; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - tcp"; flow:established,to_server; content:"|12 06 41 46 50 33 2e 31|"; pcre:"/[a-zA-Z0-9]{5}/i"; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0759; reference:url,doc.emergingthreats.net/bin/view/Main/2007877; classtype:successful-dos; sid:2007877; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Delf HTTP Post Checkin (1)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"Content-type|3a| image/gif"; http_header; content:"x|da|"; http_client_body; depth:2; content:"|0d 0a|Content-type|3a| image/gif|0d 0a 0d 0a|x|da|"; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007867; classtype:trojan-activity; sid:2007867; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow"; content:"|44 53 52 65 71 75 65 73 74|"; pcre:"/[0-9a-zA-Z]{50}/R"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Emo/Downloader.uxk checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; content:"v="; http_uri; content:"&id="; http_uri; content:"&rs="; http_uri; fast_pattern; content:"&cc="; http_uri; reference:url,doc.emergingthreats.net/2008452; classtype:trojan-activity; sid:2008452; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"ET EXPLOIT Siemens Gigaset SE361 WLAN Data Flood Denial of Service Vulnerability"; flow:to_server; content:"|90 90 90 90 90|"; depth:5; content:"|90 90 90 90 90|"; distance:0; content:"|90 90 90 90 90|"; distance:0; pcre:"/\x90{200}/"; reference:cve,CVE-2009-3322; reference:bugtraq,36366; reference:url,www.milw0rm.com/exploits/9646; reference:url,doc.emergingthreats.net/2009976; classtype:denial-of-service; sid:2009976; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET 6345:6349 -> $EXTERNAL_NET 6345:6349 (msg:"ET DELETED UDP traffic - Likely Limewire"; threshold: type threshold,track by_src,count 40, seconds 300; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001841; classtype:policy-violation; sid:2001841; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET EXPLOIT MySQL Stack based buffer overrun Exploit Specific"; flow:to_server,established; content:"grant"; nocase; content:"file"; nocase; distance:0; content:"on"; distance:0; nocase; pcre:"/^\s+A{500}/R"; reference:url,seclists.org/fulldisclosure/2012/Dec/4; classtype:attempted-user; sid:2015975; rev:5; metadata:created_at 2012_12_04, updated_at 2012_12_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Saturn Proxy Checkin Response"; flow:established,from_server; flowbits:isset,ET.saturn.checkin; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"Encryption|3a| on|0d 0a|"; depth:16; reference:url,doc.emergingthreats.net/2007752; classtype:command-and-control; sid:2007752; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert udp any any -> $HOME_NET 27901 (msg:"ET GAMES Alien Arena 7.30 Remote Code Execution Attempt"; content:"print|0A 5C|"; isdataat:257,relative; pcre:"/\x5C[^\x5C\x00]{257}/"; reference:url,www.packetstormsecurity.org/0910-advisories/alienarena-exec.txt; reference:url,doc.emergingthreats.net/2010156; classtype:misc-attack; sid:2010156; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal Jun 26 2013"; flow:established,from_server; file_data; content:"mCharCode"; pcre:"/(?P<p>[0-7]{3})(?P<d>[0-7]{3})(?P=p)(?P=d)([0-7]{3}){10}(?P<q>[0-7]{3})[0-7]{3}(?P<dot>[0-7]{3})[0-7]{3}(?P=dot)[0-7]{3}(?P=q)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017072; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:50,relative; pcre:"/^USER\s[^\n]{50}/smi"; reference:bugtraq,11256; reference:bugtraq,789; reference:cve,1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:2101866; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal Apr 18 2013"; flow:established,from_server; file_data; content:"telppa"; pcre:"/(?P<p>[0-7]{2,4})(?P<sep>[^0-7])(?P<d>(?!(?P=p))[0-7]{2,4})(?P=sep)(?P=p)(?P=sep)(?P=d)(?P=sep)([0-7]{2,4}(?P=sep)){10}(?P<q>[0-7]{2,4})(?P=sep)[0-7]{2,4}(?P=sep)(?P<dot>[0-7]{2,4})(?P=sep)[0-7]{2,4}(?P=sep)(?P=dot)(?P=sep)[0-7]{2,4}(?P=sep)(?P=q)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016776; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Apache mod_deflate DoS via many multiple byte Range values"; flow:established,to_server; content:"Range|3a|"; nocase; content:"bytes="; nocase; distance:0; isdataat:10,relative; content:","; within:11; isdataat:10,relative; content:","; within:11; isdataat:10,relative; content:","; within:11; isdataat:70,relative; content:!"|0d 0a|"; within:12; pcre:"/Range\x3a\s?bytes=[-0-9,\x20]{100}/iH"; reference:url,seclists.org/fulldisclosure/2011/Aug/175; classtype:attempted-dos; sid:2013473; rev:5; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 1"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:".requiredClaims"; nocase; content:".remove("; nocase; content:".add("; nocase; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017704; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; isdataat:255,relative; content:!"|0a|"; within:255; pcre:"/^EXPN[^\n]{255}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2102259; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 2"; flow:established,from_server; file_data; content:"InformationCardSigninHelper"; nocase; content:".requiredClaims"; nocase; content:".remove("; nocase; content:".add("; nocase; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017705; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Opachki Link Hijacker HTTP Header Injection"; flow:established,to_server; content:".php?l="; fast_pattern; nocase; http_uri; content:"&u="; nocase; http_uri; content:"Accept-Encoding|3a|"; http_header; nocase; content:"Referer|3a| "; http_header; nocase; pcre:"/^Accept-Encoding\x3a\s+([a-z])\1{3}/Hmi"; reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2; reference:url,doc.emergingthreats.net/2010283; classtype:trojan-activity; sid:2010283; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 3"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"|5c|u"; content:"|5c|u"; distance:4; within:4; content:"|5c|u"; distance:4; within:4; pcre:"/^\{?[a-fA-F0-9]{4}\}?(\x5cu\{?[a-fA-F0-9]{4}\}?){20}/Rs"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017708; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion"; flow:established,to_server; content:"GET"; http_method; pcre:"/(listen.php|download.php)/Ui"; content:"?src="; nocase; http_uri; pcre:"/(\.\.\/){1}/"; reference:url,www.exploit-db.com/exploits/6669/; reference:url,doc.emergingthreats.net/2008651; classtype:web-application-attack; sid:2008651; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 4"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"|25|u"; content:"|25|u"; distance:4; within:4; content:"|25|u"; distance:4; within:4; pcre:"/^\{?[a-fA-F0-9]{4}\}?(\x25u\{?[a-fA-F0-9]{4}\}?){20}/Rs"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017709; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Rovnix Downloading Config File From CnC"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/config.php?"; http_uri; content:"user="; http_uri; content:"version="; http_uri; content:"&server="; http_uri; content:"&crc="; http_uri; pcre:"/user=[a-f0-9]{32}&/Ui"; reference:url,blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution; classtype:command-and-control; sid:2014276; rev:4; metadata:created_at 2012_02_24, former_category MALWARE, updated_at 2012_02_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Fake Codec Download"; flow:established,to_server; content:"/Setup.exe?tid="; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017711; rev:2; metadata:created_at 2013_11_14, former_category CURRENT_EVENTS, updated_at 2013_11_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED - Possible BlackHole request with decryption Base"; flow:established,to_server; content:"&jopa="; nocase; http_uri; fast_pattern:only; pcre:"/&jopa=\d+$/U"; classtype:trojan-activity; sid:2016813; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Taidoor Checkin"; flow:to_server,established; content:".jsp?"; fast_pattern:only; http_uri; pcre:"/^\/(?:p(?:a(?:rs|g)e|rocess)|(?:securit|quer)y|(?:defaul|abou)t|index|login|user)\.jsp\?[a-z]{2}\x3d[a-z0-9]{9}[A-F0-9]{9}$/Ui"; content:"User-Agent|3a| "; depth:12; http_header; content:!"Referer"; http_header; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017415; rev:4; metadata:created_at 2013_09_04, updated_at 2013_09_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware Command Client Checkin"; flow: to_server,established; content:"/client.php?str="; nocase; http_uri; content:"Indy Library)"; nocase; http_user_agent; reference:url,www.nuker.com/container/details/adware_command.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003446; classtype:pup-activity; sid:2003446; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS  [25,587] (msg:"ET EXPLOIT Microsoft Outlook/Crypto API X.509 oid id-pe-authorityInfoAccessSyntax design bug allow blind HTTP requests attempt"; flow:to_server,established; content:"multipart/signed|3B|"; nocase; content:"application/pkcs7-signature|3B|"; nocase; distance:0; content:"|0A|QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB|0D|"; distance:0; reference:cve,2013-3870; reference:url,www.microsoft.com/technet/security/bulletin/MS13-068.mspx; reference:url,blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex; classtype:attempted-admin; sid:2017712; rev:10; metadata:created_at 2013_11_14, updated_at 2013_11_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit js_property_spray sprayHeap"; flow:established,from_server; file_data; content:"sprayHeap"; nocase; pcre:"/^[\r\n\s]*?\x28[^\x29]*?shellcode/Ri"; reference:url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation; classtype:attempted-user; sid:2016519; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_03_05, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Athena Bot Nick in IRC"; flow:established,to_server; content:"NICK "; content:"|5b|"; distance:1; within:1; pcre:"/^[A-Z]{3}\|[UA]\|[DL]\|W([78]|_XP|VIS)\|x(86|64)\|/R"; reference:url,arbornetworks.com/asert/2013/11/athena-a-ddos-malware-odyssey/; reference:md5,859c2fec50ba1212dca9f00aa4a64ec4; classtype:trojan-activity; sid:2017716; rev:3; metadata:created_at 2013_11_15, updated_at 2013_11_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit mstime_malloc no-spray"; flow:established,from_server; file_data; content:"mstime_malloc"; nocase; pcre:"/^[\r\n\s]*?\x28[^\x29]*?shellcode/Ri"; reference:url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation; classtype:attempted-user; sid:2016824; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_05_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.BlackRev Polling for DoS targets"; flow:established,to_server; content:"/gate.php?cmd=urls"; http_uri; fast_pattern:only; pcre:"/\/gate\.php\?cmd=urls$/U"; content:!"Referer|3a 20|"; http_header; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016900; rev:5; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible CollectGarbage in base64 1"; flow:established,from_server; file_data; content:"Q29sbGVjdEdhcmJhZ2U"; classtype:misc-activity; sid:2016825; rev:3; metadata:created_at 2013_05_07, former_category INFO, updated_at 2013_05_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.BlackRev Download Executable"; flow:established,to_server; content:"/gate.php?cmd=getexe"; http_uri; fast_pattern:only; pcre:"/\/gate\.php\?cmd=getexe$/U"; content:!"Referer|3a 20|"; http_header; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016901; rev:5; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible CollectGarbage in base64 2"; flow:established,from_server; file_data; content:"NvbGxlY3RHYXJiYWdlK"; classtype:misc-activity; sid:2016826; rev:3; metadata:created_at 2013_05_07, former_category INFO, updated_at 2013_05_07;)
+alert icmp any any -> any any (msg:"ET MALWARE PWS Win32/Lmir.BMQ checkin"; dsize:19; content:"This|27|s|20|Ping|20|Packet|21|"; reference:md5,0fe0cf9a2d8c3ccd1c92acbb81ff6343; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=PWS%3AWin32%2FLmir.BMQ; classtype:command-and-control; sid:2017724; rev:3; metadata:created_at 2013_11_15, former_category MALWARE, updated_at 2013_11_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible CollectGarbage in base64 3"; flow:established,from_server; file_data; content:"Db2xsZWN0R2FyYmFnZS"; classtype:misc-activity; sid:2016827; rev:3; metadata:created_at 2013_05_07, former_category INFO, updated_at 2013_05_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Trojan.Dropper.Win32.Dapato.braa.AMN CnC traffic"; flow:to_server,established; content:"9002"; depth:4; reference:md5,6ef66c2336b2b5aaa697c2d0ab2b66e2; classtype:command-and-control; sid:2017728; rev:2; metadata:created_at 2013_11_20, former_category MALWARE, updated_at 2013_11_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Injection - var j=0"; flow:established,to_client; file_data; content:"00|3a|00|3a|00|3b| path=/|22 3b|var j=0|3b| while(j"; classtype:trojan-activity; sid:2016830; rev:2; metadata:created_at 2013_05_07, former_category CURRENT_EVENTS, updated_at 2013_05_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Java payload request (2)"; flow:established,to_server; content:"Java/1"; http_header; content:"&partners="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016142; rev:3; metadata:created_at 2013_01_03, former_category CURRENT_EVENTS, updated_at 2013_01_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2013-2423 IVKM PoC Seen in Unknown EK"; flow:to_client,established; content:"Union1.class"; content:"Union2.class"; fast_pattern; content:"SystemClass.class"; content:"PoC.class"; flowbits:isset,ET.http.javaclient; reference:url,weblog.ikvm.net/CommentView.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0; classtype:exploit-kit; sid:2016831; rev:3; metadata:created_at 2013_05_07, updated_at 2013_05_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Sweet Orange Landing Page May 16 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"Seven guids Seven g"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016860; rev:18; metadata:created_at 2013_05_17, former_category CURRENT_EVENTS, updated_at 2013_05_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan POST"; flow:established,to_server; content:"POST"; http_method; content:"Content-Length|3a| 0|0d 0a|"; http_header; content:"/a/"; http_uri; fast_pattern; content:"PHPSESSID="; http_cookie; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016834; rev:2; metadata:created_at 2013_05_08, updated_at 2013_05_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet structure Jul 05 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; fast_pattern; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017110; rev:7; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2013_07_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura obfuscated javascript May 10 2013"; flow:established,from_server; file_data; content:"qV7/|3b|pF"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016852; rev:3; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Sweet Orange Landing with Applet July 08 2013"; flow:established,from_server; file_data; content:" Passage to India "; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017116; rev:5; metadata:created_at 2013_07_09, former_category CURRENT_EVENTS, updated_at 2013_07_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Embedded Android Dalvik Executable File With Fake Windows Executable Header - Possible AV Bypass Attempt"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program"; distance:0; content:"dex|0A|"; distance:0; reference:url,research.zscaler.com/2013/03/guess-who-am-i-pe-or-apk.html; classtype:trojan-activity; sid:2016854; rev:3; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
+alert tcp $EXTERNAL_NET any -> any 22 (msg:"ET MALWARE Possible SSH Linux.Fokirtor backchannel command"; flow:established,to_server; content:"|3a 21 3b 2e|"; pcre:"/^(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4})/R"; reference:url,www.symantec.com/connect/blogs/linux-back-door-uses-covert-communication-protocol; classtype:trojan-activity; sid:2017727; rev:6; metadata:created_at 2013_11_16, updated_at 2013_11_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Embedded ZIP/APK File With Fake Windows Executable Header - Possible AV Bypass Attempt"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program"; distance:0; content:"PK|03|"; distance:0; content:"classes."; distance:0; reference:url,research.zscaler.com/2013/03/guess-who-am-i-pe-or-apk.html; classtype:trojan-activity; sid:2016855; rev:2; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT WhiteLotus EK PluginDetect Nov 20 2013"; flow:established,from_server; file_data; content:"makeid"; pcre:"/^[\r\n\s]*?\(/R"; content:"replaceIt"; pcre:"/^[\r\n\s]*?\(/R"; content:".getVersion"; nocase; content:"Silverlight"; nocase; content:"Java"; nocase; content:"Reader"; nocase; content:"Flash"; nocase; classtype:exploit-kit; sid:2017735; rev:4; metadata:created_at 2013_11_21, former_category CURRENT_EVENTS, updated_at 2013_11_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Android Dalvik Executable File Download"; flow:established,to_client; file_data; content:"dex|0A|"; within:4; reference:url,source.android.com/tech/dalvik/dex-format.html; classtype:policy-violation; sid:2016856; rev:2; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible WhiteLotus EK 2013-2551 Exploit 1"; flow:established,from_server; file_data; content:"a0dmblxmL5FmcyFmLlxWe0NHazFGZ"; classtype:exploit-kit; sid:2017736; rev:4; metadata:created_at 2013_11_21, updated_at 2013_11_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Tornado Pack Binary Request"; flow:established,to_server; content:"GET"; http_method; content:"?o="; http_uri; content:"&t="; http_uri; content:"&i="; http_uri; content:"&e="; http_uri; reference:url,dxp2532.blogspot.com/2009/05/tornado-exploit-pack.html; classtype:trojan-activity; sid:2009389; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible WhiteLotus EK 2013-2551 Exploit 2"; flow:established,from_server; file_data; content:"gGdn5WZs5SehJnch5SZslHdzh2chR"; classtype:exploit-kit; sid:2017737; rev:4; metadata:created_at 2013_11_21, updated_at 2013_11_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zbot/Zeus C&C Access"; flow:to_server,established; content:"in.php?m=home"; http_uri; reference:url,doc.emergingthreats.net/2009175; classtype:trojan-activity; sid:2009175; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible WhiteLotus EK 2013-2551 Exploit 3"; flow:established,from_server; file_data; content:"oR3ZuVGbukXYyJXYuUGb5R3coNXYk"; classtype:exploit-kit; sid:2017738; rev:4; metadata:created_at 2013_11_21, updated_at 2013_11_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Requesting Payload"; flow:established,to_server; content:".php?ex="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:exploit-kit; sid:2016896; rev:4; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible WhiteLotus Java Payload"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/?"; depth:2; http_uri; pcre:"/^\/\?[A-Za-z0-9]+=(?P<v1>[^&]+)&(?P=v1)=[^\/\.]+$/U"; classtype:trojan-activity; sid:2017739; rev:4; metadata:created_at 2013_11_21, updated_at 2013_11_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Spy.Win32.Agent.byhm User-Agent (EMSCBVDFRT)"; flow:to_server,established; content:"EMSCBVDFRT"; http_user_agent; depth:10; classtype:trojan-activity; sid:2016907; rev:5; metadata:created_at 2012_03_02, updated_at 2012_03_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT StyX EK Payload Cookie"; flow:established,to_server; content:"Cookie|3a 20|fGGhTasdas=http"; classtype:exploit-kit; sid:2017744; rev:2; metadata:created_at 2013_11_22, former_category CURRENT_EVENTS, updated_at 2013_11_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.FresctSpy.A User-Agent (MBVDFRESCT)"; flow:to_server,established; content:"MBVDFRESCT"; nocase; depth:10; http_user_agent; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FAgent.CZ; classtype:trojan-activity; sid:2016908; rev:5; metadata:created_at 2011_09_09, updated_at 2011_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Media Player malware binary requested"; flow:established,to_server; content:"&filename=Media Player "; http_uri; content:".exe"; http_uri; classtype:trojan-activity; sid:2017745; rev:2; metadata:created_at 2013_11_22, updated_at 2013_11_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TrojanSpy.KeyLogger Hangover Campaign User-Agent(wininetget/0.1)"; flow:established,to_server; content:"wininetget/"; nocase; depth:11; http_user_agent; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016889; rev:5; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java Downloading Archive flowbit no alert"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; flowbits:set,et.JavaArchiveOrClass; flowbits:noalert; classtype:misc-activity; sid:2017748; rev:6; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Malicious Redirect URL"; flow:established,to_server; content:"/8gcf744Waxolp752.php"; http_uri; classtype:trojan-activity; sid:2016919; rev:8; metadata:created_at 2013_05_24, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java Downloading Class flowbit no alert"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|CA FE BA BE|"; within:4; flowbits:set,et.JavaArchiveOrClass; flowbits:noalert; classtype:misc-activity; sid:2017749; rev:6; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Mozilla UA with no Space after colon"; flow:established,to_server; content:"User-Agent|3a|Mozilla"; http_header; nocase; fast_pattern:only; threshold: type limit,track by_src,count 2,seconds 60; classtype:trojan-activity; sid:2016921; rev:5; metadata:created_at 2013_05_24, former_category INFO, updated_at 2017_10_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Goon EK Jar Download"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"Goon.class"; classtype:exploit-kit; sid:2017756; rev:2; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Java Class"; flow:to_client,established; file_data; content:"Gond"; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2015575; rev:11; metadata:created_at 2012_08_04, former_category EXPLOIT_KIT, updated_at 2012_08_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Lang Runtime in B64 Observed in Goon EK 1"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"amF2YS9sYW5nL1J1bnRpbW"; classtype:exploit-kit; sid:2017757; rev:2; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Landing Page 1 May 24 2013"; flow:to_client,established; file_data; content:"AppletObject.code"; nocase; content:"Gond"; nocase; distance:0; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016925; rev:2; metadata:created_at 2013_05_25, updated_at 2013_05_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Lang Runtime in B64 Observed in Goon EK 2"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"phdmEvbGFuZy9SdW50aW1l"; classtype:exploit-kit; sid:2017758; rev:3; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura - Landing Page - Received"; flow:established,to_client; file_data; content:"value"; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27]((?P<hex>%[A-Fa-f0-9]{2})|(?P<ascii>[a-zA-Z0-9]))((?P=hex){10}|(?P=ascii){10})/R"; content:"var PluginDetect"; distance:0; classtype:exploit-kit; sid:2016791; rev:6; metadata:created_at 2013_04_27, updated_at 2013_04_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class file Accessing Security Manager"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"etSecurityManager"; classtype:bad-unknown; sid:2017760; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
 
-#alert http $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura - Java Exploit Recievied"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"javax/crypto/spec/SecretKeySpec"; distance:0; classtype:exploit-kit; sid:2016785; rev:3; metadata:created_at 2013_04_26, updated_at 2013_04_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class file Importing Protection Domain"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/security/ProtectionDomain"; classtype:bad-unknown; sid:2017761; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL Injection List Priveleges Attempt"; flow:established,to_server; content:"SELECT"; http_uri; nocase; content:"PRIV"; http_uri; nocase; distance:0; pcre:"/\bSELECT.*?\bPRIV/Ui"; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016937; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_05_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Accessing Importing glassfish"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"glassfish/gmbal"; classtype:bad-unknown; sid:2017762; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura - Landing Page - Received May 29 2013"; flow:established,to_client; file_data; content:"<div id"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27][^\x22\x27]+?[\x22\x27][^>]*?>((?P<hex>%[A-Fa-f0-9]{2})|(?P<ascii>[a-zA-Z0-9]))((?P=hex){9,20}|(?P=ascii){9,20})%3C/R"; content:"{version:|22|0.8.0|22|"; distance:0; nocase; classtype:exploit-kit; sid:2016942; rev:6; metadata:created_at 2013_05_29, updated_at 2013_05_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class B64 encoded class"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"yv66v"; classtype:bad-unknown; sid:2017763; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Eorezo-B Adware Checkin"; flow:established,to_server; content:"x-company|3a| "; http_header; content:"EoAgence-"; http_user_agent; reference:md5,6631bb8d95906decc7e6f7c51f6469e6; classtype:pup-activity; sid:2014120; rev:3; metadata:created_at 2012_01_12, former_category ADWARE_PUP, updated_at 2012_01_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing jmx mbeanserver"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"jmx/mbeanserver"; classtype:bad-unknown; sid:2017764; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Neosploit Exploit Pack Activity Observed"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| "; nocase; pcre:"/\.(php|asp|py|exe|htm|html)\/[joewxy](U[0-9a-f]{8})?H[0-9a-f]{8}V[0-9a-f]{8}\d{3}R[0-9a-f]{8}\d{3}T[0-9a-f]{8,}/U"; reference:url,blog.fireeye.com/research/2010/01/pdf-obfuscation.html; reference:url,blog.fireeye.com/research/2010/06/neosploit_notes.html; reference:url,dxp2532.blogspot.com/2007/12/neosploit-exploit-toolkit.html; classtype:attempted-user; sid:2011583; rev:4; metadata:created_at 2010_10_02, former_category CURRENT_EVENTS, updated_at 2010_10_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing mbeanserver Introspector"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"mbeanserver/Introspector"; classtype:bad-unknown; sid:2017765; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 2"; flow:to_server,established; pcre:"/^\d+?.\x00\x00\x00/"; byte_extract:4,-4,d_size,relative,little; byte_test:4,>,d_size,0,relative,little; content:"|78 9c|"; distance:4; within:2; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2016962; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_01, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing glassfish external statistics impl"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"glassfish/external/statistics/impl"; classtype:bad-unknown; sid:2017766; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Jar Request (3)"; flow:established,to_server; content:"/j17.php?i="; http_uri; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; classtype:exploit-kit; sid:2016365; rev:5; metadata:created_at 2013_02_07, former_category CURRENT_EVENTS, updated_at 2013_02_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing management MBeanServer"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"management/MBeanServer"; classtype:bad-unknown; sid:2017767; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura obfuscated javascript Jun 1 2013"; flow:established,from_server; file_data; content:"a5chZev!"; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016966; rev:7; metadata:created_at 2013_06_04, updated_at 2013_06_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Mozilla JS Class Creation"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"sun.org.mozilla.javascript.internal.Context"; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; classtype:trojan-activity; sid:2017768; rev:3; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/a.php Landing Page/Java exploit URI"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{32}\/a\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016971; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Hex Encoded Class file"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"CAFEBABE"; classtype:bad-unknown; sid:2017769; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/a.php Landing Page/Java exploit URI"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{16}\/a\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016973; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing tracing Provider Factory"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"tracing/ProviderFactory"; classtype:bad-unknown; sid:2017770; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Initial Gate from Linked-In Mailing Campaign"; flow:established,to_server; content:"/linkendorse.html"; http_uri; classtype:exploit-kit; sid:2016984; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classes used in awt exploits"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image"; content:"Raster"; content:"SampleModel"; classtype:bad-unknown; sid:2017771; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET GAMES PunkBuster Server webkey Buffer Overflow"; flow:established,to_server; content:"/pbsvweb"; http_uri; nocase; content:"webkey="; nocase; isdataat:500,relative; content:!"|0A|"; within:500; content:!"&"; within:500; reference:url,aluigi.altervista.org/adv/pbwebbof-adv.txt; reference:url,doc.emergingthreats.net/2002947; classtype:attempted-admin; sid:2002947; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear/Safe/CritX/FlashPack - Java Request - 32char hex-ascii"; flow:to_server,established; content:".jar"; offset:32; http_uri; fast_pattern; content:"Java/1"; http_user_agent; pcre:"/\/[a-z0-9]{32}\.jar$/U"; classtype:exploit-kit; sid:2014751; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_17, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DELETED Possible Open SIP Relay scanner Fake Eyebeam User-Agent Detected"; content:"User-Agent|3A| eyeBeam release"; nocase; reference:url,honeynet.org.au/?q=open_sip_relay_scanner; classtype:attempted-recon; sid:2012183; rev:3; metadata:created_at 2011_01_15, updated_at 2011_01_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Darkness DDoS HTTP Target/EXE"; flow:from_server,established; file_data; content:"Z"; within:1; content:"PWh0dHA"; distance:2; within:9; pcre:"/^[a-z0-9\+\/]+={0,2}$/Rsi"; classtype:trojan-activity; sid:2017775; rev:7; metadata:created_at 2013_11_27, updated_at 2013_11_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor Login"; flow:to_server,established; content:"|c4 4c 87 3f 11 1e c4 1a|"; depth:8; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016986; rev:2; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Darkness DDoS Common Intial Check-in Response wtf"; flow:from_server,established; file_data; content:"d3Rm"; within:4; pcre:"/^(?:\r\n|$)/R"; reference:md5,a9af388f5a627aa66c34074ef45db1b7; classtype:trojan-activity; sid:2017776; rev:7; metadata:created_at 2013_11_27, updated_at 2013_11_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor SysInfo Response header"; flow:to_server,established; content:"|ac 09 7b 09 4b 2a 92 bd ac 00|"; depth:10; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016987; rev:2; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Badur.Spy User Agent HWMPro"; flow:established,to_server; content:"HWMPro"; depth:6; http_user_agent; reference:md5,234c47b5b29a2cfcc00900bbc13ea181; classtype:trojan-activity; sid:2017654; rev:4; metadata:created_at 2013_11_01, updated_at 2013_11_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor File Manager Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff 37 b3 2a b3 25 ff 76 ac 00|"; depth:14; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016988; rev:3; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Landing Page Recieved - applet and flowbit"; flow:from_server,established; flowbits:isset,et.exploitkitlanding; content:"<applet"; classtype:bad-unknown; sid:2014443; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_29, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor File Download Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff 0c bd 55 2a 04 bd b3 6c ac 00|"; depth:15; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016989; rev:2; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
+#alert tcp $HOME_NET 1023: -> $EXTERNAL_NET 53 (msg:"ET MALWARE Potential DNS Command and Control via TXT queries"; flow:established,to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:4; content:"|00 00 10 00 01|"; threshold:type both, track by_src,count 10, seconds 300; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-September/015625.html; classtype:trojan-activity; sid:2013515; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor File Upload Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff cf 50 04 bd b3 6c ac 00|"; depth:13; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016990; rev:2; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SNET EK Activity Nov 27 2013"; flow:established,to_server; content:"?src="; content:"request|3a 20|microsoft_update|0d 0a|"; pcre:"/^[^\s]*?\s*?\/[^\r\n\s]*?\?src=/i"; classtype:exploit-kit; sid:2017786; rev:2; metadata:created_at 2013_11_28, former_category CURRENT_EVENTS, updated_at 2013_11_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT pamdql Exploit Kit 09/25/12 Sending Jar"; flow:established,from_server; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}$/C"; content:"/x-java-archive|0d 0a|"; fast_pattern:only; http_header; file_data; content:"PK"; within:2; classtype:exploit-kit; sid:2015724; rev:10; metadata:created_at 2012_09_21, former_category EXPLOIT_KIT, updated_at 2012_09_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JJEncode Encoded Script Inside of PDF Likely Evil"; flow:established,from_server; flowbits:isset,ET.pdf.in.http; file_data; content:"|2c 24 24 24 24 3a 28 21 5b 5d 2b 22 22 29 5b|"; reference:md5,6776bda19a3a8ed4c2870c34279dbaa9; classtype:trojan-activity; sid:2017789; rev:4; metadata:created_at 2013_11_30, updated_at 2013_11_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql Exploit Kit 09/25/12 Sending PDF"; flow:established,from_server; content:"application/pdf|0d 0a|"; fast_pattern:only; http_header; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}$/C"; file_data; content:"%PDF-"; within:5; classtype:exploit-kit; sid:2015725; rev:8; metadata:created_at 2012_09_21, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Polling/Check-in/Compromise from fake DHL mailing campaign"; flow:established,to_server; content:"/golden/index.php"; http_uri; content:" MSIE 7.0"; http_header; content:"q=0.1|0d 0a|"; http_header; classtype:trojan-activity; sid:2017791; rev:2; metadata:created_at 2013_12_02, updated_at 2013_12_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT pamdql obfuscated javascript --- padding"; flow:established,from_server; file_data; content:"d---o---c---u---m---"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015738; rev:3; metadata:created_at 2012_09_26, former_category CURRENT_EVENTS, updated_at 2012_09_26;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET CURRENT_EVENTS Hostile fake DHL mailing campaign"; flow:established,to_server; content:"but no one bell unresponsive"; content:"The best regard DHL.com."; content:"filename=Notice"; classtype:trojan-activity; sid:2017792; rev:2; metadata:created_at 2013_12_02, updated_at 2013_12_02;)
 
-#alert  http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql applet with obfuscated URL"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"103hj115hj115hj111hj57hj46hj46hj"; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015739; rev:6; metadata:created_at 2012_09_26, updated_at 2012_09_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HiMan EK - Flash Exploit"; flow:established,to_client; file_data; content:"function Flash_Exploit() {"; classtype:exploit-kit; sid:2017794; rev:2; metadata:created_at 2013_12_05, former_category CURRENT_EVENTS, updated_at 2013_12_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql obfuscated javascript _222_ padding"; flow:established,from_server; file_data; content:"d_222_o_222_c_222_u_222_"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015785; rev:4; metadata:created_at 2012_10_09, updated_at 2012_10_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED HiMan EK - Payload Downloaded - EXE in ZIP Downloaded by Java"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".exe"; fast_pattern; nocase; classtype:exploit-kit; sid:2017795; rev:2; metadata:created_at 2013_12_05, updated_at 2013_12_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql obfuscated javascript -_-- padding"; flow:established,from_server; file_data; content:"d-_--o-_--c-_--u-_--"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015801; rev:4; metadata:created_at 2012_10_16, updated_at 2012_10_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT HiMan EK - TDS - POST hyt="; flow:established,to_server; content:"POST"; http_method; content:"hyt="; http_client_body; depth:4; content:"&vre="; http_client_body; classtype:exploit-kit; sid:2017797; rev:2; metadata:created_at 2013_12_05, former_category CURRENT_EVENTS, updated_at 2013_12_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql obfuscated javascript __-_ padding"; flow:established,from_server; file_data; content:"d__-_o__-_c__-_u__-_m__-_e__-_n__-_t"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015845; rev:4; metadata:created_at 2012_10_26, updated_at 2012_10_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Java Exploit Kit 32 byte hex with trailing digit java payload request"; flow:established,to_server; urilen:>32; content:"Java/1."; http_user_agent; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){32}\/\d+?$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015888; rev:8; metadata:created_at 2012_11_15, former_category EXPLOIT_KIT, updated_at 2012_11_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Srv.SSA-KeyLogger Checkin Traffic"; flow:to_server,established; content:"Srv.SSA-KeyLogger"; http_uri; reference:url,doc.emergingthreats.net/2002175; classtype:command-and-control; sid:2002175; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK - Landing Page - Java ClassID and 32/32 archive Oct 16 2013"; flow:established,to_client; file_data; content:"applet"; nocase; fast_pattern; content:"archive"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?\/(?:[\/_]*?[a-f0-9][\/_]*?){64}[\x22\x27]/R"; classtype:exploit-kit; sid:2017602; rev:5; metadata:created_at 2013_10_17, former_category CURRENT_EVENTS, updated_at 2013_10_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Dec 03 2012"; flow:established,from_server; file_data; content:"applet"; content:"yy3Ojj"; within:1600; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015978; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Java Jar Download"; flow:established,to_server; urilen:>32; content:"Java/1."; http_header; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){32}$/U"; content:"_"; http_uri; content:"/"; http_uri; offset:1; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017811; rev:2; metadata:created_at 2013_12_06, former_category EXPLOIT_KIT, updated_at 2013_12_06;)
 
-#alert ip $HOME_NET any -> [50.57.148.87,166.78.144.80] any (msg:"ET MALWARE Connection to Georgia Tech Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016994; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Edwards Packed PluginDetect"; flow:established,to_client; file_data; content:"|7C|PluginDetect|7C|"; classtype:exploit-kit; sid:2017815; rev:2; metadata:created_at 2013_12_06, former_category CURRENT_EVENTS, updated_at 2013_12_06;)
 
-#alert ip $HOME_NET any -> 176.31.62.76 any (msg:"ET MALWARE Connection to Zinkhole Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016996; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Trojan-Downloader Win32.Genome.AV server response"; flow:to_client,established; file_data; content:"|5b|Soft"; pcre:"/^\d+?\x5d/R"; content:"SoftTitle="; distance:0; flowbits:isset,et.GENOME.AV; reference:md5,d14314ceb74c8c1a8e1e8ca368d75501; classtype:trojan-activity; sid:2017747; rev:3; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
 
-#alert ip $HOME_NET any -> 212.227.20.19 any (msg:"ET MALWARE Connection to 1&1 Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016995; rev:3; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Lang Runtime in B64 Observed in Goon EK 3"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"qYXZhL2xhbmcvUnVudGltZ"; classtype:exploit-kit; sid:2017759; rev:3; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
 
-#alert ip $HOME_NET any -> 91.233.244.106 any (msg:"ET MALWARE Connection to Dr Web Sinkhole IP(Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016997; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Sakura exploit kit landing page obfuscated applet tag Mar 1 2013"; flow:established,from_server; file_data; content:"<#a#p#p#l#e#t#"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016520; rev:3; metadata:created_at 2013_03_05, former_category EXPLOIT_KIT, updated_at 2013_03_05;)
 
-#alert ip $HOME_NET any -> 193.166.255.171 any (msg:"ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016998; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing Page Nov 21 2013"; flow:established,from_server; file_data; content:"object|22|.substring(15)"; content:"|22|"; distance:-37; within:1; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017740; rev:3; metadata:created_at 2013_11_22, former_category EXPLOIT_KIT, updated_at 2013_11_22;)
 
-#alert ip $HOME_NET any -> 148.81.111.111 any (msg:"ET MALWARE Connection to a cert.pl Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2017001; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx EK iexp.html"; flow:established,to_server; content:"/iexp.html"; http_uri; content:!"&"; http_uri; classtype:exploit-kit; sid:2017819; rev:5; metadata:created_at 2013_12_10, former_category CURRENT_EVENTS, updated_at 2013_12_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxy.Win32.Fackemo.g/Katusha/FakeAlert Checkin"; flow:to_server,established; content:"POST"; http_method; content:"magic="; http_uri; content:"&id="; http_uri; content:"&cache="; http_uri; content:"&tm="; http_uri; content:"&ox="; http_uri; content:!"Mozilla"; http_user_agent; reference:md5,29457bd7a95e11bfd0e614a6e237a344; reference:md5,173a060ed791e620c2ec84d7b360ed60; reference:url,www.bugbopper.com/NameLookup.asp?Name=Packed_Win32_TDSS_o; classtype:command-and-control; sid:2008523; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT heapSpray in jjencode"; flow:from_server,established; file_data; content:".__$+"; pcre:"/^(?P<sep>((?!\.\$\_\$\+).){1,10})\.\$\_\$\+(?P=sep)\.___\+(?P=sep)\.\$\$\$\_\+(?P=sep)\.\$\_\$\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\_\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\_\$\_\+(?P=sep)\.\_\$\$\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\_\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\$\_\+(?P=sep)\.\$\_\$\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\$\+(?P=sep)\.\_\_\$/R"; reference:url,www.invincea.com/2013/12/e-k-i-a-adobe-reader-exploit-cve-2013-3346-kernel-ndproxy-sys-zero-day-eop/; classtype:exploit-kit; sid:2017823; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Kuluoz.B Spam Campaign Shipment_Label.exe in Zip"; flow:from_server,established; content:"Shipment_Label.zip"; nocase; fast_pattern:only; http_header; file_data; content:"PK"; within:2; content:".exe"; distance:0; classtype:trojan-activity; sid:2017003; rev:2; metadata:created_at 2013_06_12, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC Scanning Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Scanning"; fast_pattern; within:50; content:"for open ports."; within:40; classtype:trojan-activity; sid:2017828; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access"; flow:established,to_client; file_data; content:"ScriptBridge.ScriptBridge"; content:"|00|h|00|t|00|t|00|p|00 3a 00 2f 00 2f 00|"; content:"|2f 00|v|00|w|00|.|00|p|00|h|00|p|00|?|00|i|00|="; distance:0; fast_pattern; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017006; rev:5; metadata:created_at 2013_06_12, updated_at 2013_06_12;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC Open Ports Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Open port(s)|3A| "; fast_pattern; within:50; classtype:trojan-activity; sid:2017829; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply for unallocated address space - Potentially Malicious 1.1.1.0/24"; content:"|00 01 00 01|"; content:"|00 04 01 01 01|"; distance:4; within:5; classtype:trojan-activity; sid:2016104; rev:3; metadata:created_at 2012_12_28, former_category TROJAN, updated_at 2018_04_03;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC No Open Ports Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"No open ports found"; fast_pattern; within:50; classtype:trojan-activity; sid:2017830; rev:1; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-#alert ip $HOME_NET any -> 1.1.1.0/24 any (msg:"ET POLICY Connection to previously unallocated address space 1.1.1.0/24"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2017000; rev:3; metadata:created_at 2013_06_11, former_category POLICY, updated_at 2018_04_24;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Attacking Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Attacking"; within:50; fast_pattern; classtype:trojan-activity; sid:2017831; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16/32-hex/a-z.php Landing Page URI"; flow:established,to_server; content:".php"; http_uri; content:"/"; http_uri; distance:-6; within:1; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015877; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Attack Done Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Attack"; fast_pattern; within:50; content:"done"; within:8; classtype:trojan-activity; sid:2017832; rev:1; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY JBOSS/JMX port 80 access from outside"; flow:established,to_server; content:"GET"; http_method; content:"/jmx-console"; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 60; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010377; classtype:web-application-attack; sid:2010377; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS PerlBot Version Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"perlb0t ver"; within:50; classtype:trojan-activity; sid:2017833; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Open Web Analytics mw_plugin.php IP Parameter Remote File inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/mw_plugin.php?"; nocase; http_uri; content:"IP="; nocase; http_uri; pcre:"/IP=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/11903/; classtype:web-application-attack; sid:2011881; rev:5; metadata:created_at 2010_10_29, updated_at 2010_10_29;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Mambo Scanning Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Scanning for unpatched mambo for"; within:80; classtype:trojan-activity; sid:2017834; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103043; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Exploited Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Exploited"; within:50; content:"boxes in"; within:30; classtype:trojan-activity; sid:2017835; rev:3; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"ET DOS FreeBSD NFS RPC Kernel Panic"; flow:to_server,established; content:"|00 01 86 a5|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 00 00 00 00 00|"; offset:0; depth:6; reference:cve,2006-0900; reference:bugtraq,19017; reference:url,doc.emergingthreats.net/bin/view/Main/2002853; classtype:attempted-dos; sid:2002853; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Hostile Gate landing seen with pamdql/Sweet Orange /in.php?q="; flow:established,to_server; content:"/in.php?q="; http_uri; classtype:exploit-kit; sid:2016090; rev:3; metadata:created_at 2012_12_28, former_category CURRENT_EVENTS, updated_at 2012_12_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Softspydelete.com Fake Anti-Spyware Checkin"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"a1="; nocase; http_uri; content:"&a2="; nocase; http_uri; content:"&a3="; nocase; http_uri; content:"Windows"; nocase; http_uri; content:"&a4=Build"; nocase; http_uri; content:"&a5="; nocase; http_uri; content:"&table="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007842; classtype:trojan-activity; sid:2007842; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing try catch try catch math eval Aug 27 2012"; flow:established,from_server; file_data; content:"try{"; content:"|3b|}catch("; within:25; content:"){try{"; fast_pattern; within:15; content:"}catch("; within:35; content:"eval("; distance:0; classtype:bad-unknown; sid:2015654; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zhelatin Variant Checkin"; flow:established,to_server; content:"/adload.php?a1="; nocase; http_uri; content:"a3="; nocase; http_uri; content:"&a4="; nocase; http_uri; content:"&a5="; nocase; http_uri; content:!"User-Agent|3a|"; http_header; content:"Host|3a|"; http_header; reference:url,doc.emergingthreats.net/2003408; classtype:trojan-activity; sid:2003408; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Zbot Activity Common Download Struct"; flow:to_server,established; content:".bin"; fast_pattern; http_uri; pcre:"/\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"User-Agent|3a 20|"; http_header; depth:12; content:" MSIE "; http_header; pcre:"/^User-Agent\x3a[^\r\n]*?\sMSIE\s/H"; classtype:trojan-activity; sid:2017837; rev:3; metadata:created_at 2013_12_12, updated_at 2013_12_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Kuluoz.B Shipping Label Spam Campaign"; flow:established,to_server; content:".php?"; http_uri; content:"_info="; distance:1; within:6; http_uri; pcre:"/\.php\?[a-z]_info=[a-z0-9]{1,4}_\d+?$/Ui"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2017002; rev:6; metadata:created_at 2013_06_12, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit - JAR Exploit"; flow:to_server,established; urilen:>300; content:"Java/1."; http_user_agent; content:".jar"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.jar$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:exploit-kit; sid:2017840; rev:3; metadata:created_at 2013_12_12, former_category EXPLOIT_KIT, updated_at 2013_12_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TrojanSpy.KeyLogger Hangover Campaign User-Agent(file)"; flow:established,to_server; content:"User-Agent|3a| file|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016890; rev:3; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit - EOT Exploit"; flow:to_server,established; urilen:>300; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.eot$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:exploit-kit; sid:2017844; rev:3; metadata:created_at 2013_12_12, former_category EXPLOIT_KIT, updated_at 2013_12_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Karagany encrypted binary (3)"; flow:established,to_client; file_data; content:"|f2 fd 90 00 bc a7 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016970; rev:4; metadata:created_at 2013_06_05, former_category EXPLOIT_KIT, updated_at 2013_06_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HiMan EK - Landing Page"; flow:established,to_client; file_data; content:"687474703a2f2f"; fast_pattern:only; content:"<applet"; nocase; pcre:"/^((?!<\/applet>).)+?[\x22\x27]687474703a2f2f/Rsi"; classtype:exploit-kit; sid:2017796; rev:3; metadata:created_at 2013_12_05, former_category CURRENT_EVENTS, updated_at 2013_12_05;)
 
-alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Net User Command Response"; flow:established; content:"User accounts for |5C 5C|"; fast_pattern; content:"-------------------------------------------------------------------------------"; distance:0; classtype:successful-user; sid:2017025; rev:3; metadata:created_at 2013_06_18, updated_at 2013_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Browlock Landing Page URI Struct"; flow:to_server,established; content:"/?flow_id"; http_uri; content:"/case_id="; http_uri; fast_pattern:only; pcre:"/\/\?flow_id=\d+?&\d+?=\d+?\/case_id=\d+$/U"; classtype:trojan-activity; sid:2017847; rev:2; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2013_12_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Webserver Backdoor Domain (google-analytcs)"; flow:established,to_server; content:"google-analytcs.com|0d 0a|"; nocase; http_header; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:2017027; rev:2; metadata:created_at 2013_06_18, updated_at 2013_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK SilverLight"; flow:to_server,established; content:".html?sv="; http_uri; fast_pattern:only; pcre:"/\.html\?sv=[1-5](\,\d+?){1,3}$/U"; classtype:exploit-kit; sid:2017848; rev:2; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2013_12_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT MALVERTISING Unknown_InIFRAME - RedTDS URI Structure"; flow:established,to_server; content:"/red"; depth:7; http_uri; content:".php"; distance:2; within:6; http_uri; pcre:"/^\/[0-9]{1,2}\/red[0-9]{1,4}\.php[0-9]{0,1}$/Ui"; classtype:exploit-kit; sid:2017028; rev:2; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible CVE-2013-2551 As seen in SPL2 EK"; flow:from_server,established; file_data; content:".dashstyle.array.length"; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(?:-[\r\n\s]*?\d|0[\r\n\s]*?-)/Ri"; classtype:exploit-kit; sid:2017849; rev:2; metadata:created_at 2013_12_13, updated_at 2013_12_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_InIFRAME - URI Structure"; flow:established,to_server; content:"/iniframe/"; depth:10; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/"; distance:1; within:5; http_uri; content:"/"; distance:32; within:1; http_uri; classtype:exploit-kit; sid:2017029; rev:5; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT HiMan EK Exploit URI Struct"; flow:to_server,established; content:"=687474703a2f2f"; http_uri; content:".php?"; http_uri; pcre:"/\/(?:d|xie|fla)\.php\?[a-z]+?=687474703a2f2f/U"; classtype:exploit-kit; sid:2017851; rev:2; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2013_12_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_InIFRAME - Redirect to /iniframe/ URI"; flow:established,to_client; content:"302"; http_stat_code; content:"/iniframe/"; http_header; classtype:exploit-kit; sid:2017030; rev:2; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Landing Dec 09 2013"; flow:from_server,established; file_data; content:"$.getVersion(|22|Silverlight|22|)"; content:"$.getVersion(|22|Java|22|)"; content:"calcMD5(encode_utf8(location"; classtype:exploit-kit; sid:2017826; rev:3; metadata:created_at 2013_12_10, former_category CURRENT_EVENTS, updated_at 2013_12_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT MALVERTISING Flash - URI - /loading?vkn="; flow:established,to_server; content:"/loading?vkn="; http_uri; classtype:trojan-activity; sid:2017032; rev:2; metadata:created_at 2013_06_19, former_category CURRENT_EVENTS, updated_at 2013_06_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Dec 09 2013 Java Request"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".html%3fjar"; http_raw_uri; pcre:"/\.html\?jar$/U"; classtype:exploit-kit; sid:2017827; rev:6; metadata:created_at 2013_12_10, former_category CURRENT_EVENTS, updated_at 2013_12_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NailedPack EK Landing June 18 2013"; flow:established,to_client; file_data; content:"report_and_get_exploits(_0x"; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:exploit-kit; sid:2017034; rev:2; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-QBP Checkin Response 1 - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"|3c|!--<2010QBP"; content:" 2010QBP//-->"; within:150; reference:url,intelreport.mandiant.com; reference:md5,0cf9e999c574ec89595263446978dc9f; reference:md5,fcdaa67e33357f64bc4ce7b57491fc53; classtype:targeted-activity; sid:2016451; rev:3; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Landing URI Struct"; flow:established,to_server; content:".php?"; http_uri; content:"v=1."; http_uri; fast_pattern; content:"."; http_uri; distance:1; within:1; pcre:"/\.php\?(b=[a-fA-F0-9]{6}&)?v=1\.(?:(?:4\.[0-2]\.[0-3]|5\.0\.[0-2]|6.0\.[0-4])\d?|[7-8]\.0\.\d{1,2})$/U"; classtype:exploit-kit; sid:2017040; rev:2; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2013_06_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Grandsoft/SofosFO EK Java Payload URI Struct"; flow:established,to_server; content:"Java/1."; http_header; pcre:"/^\/\d{4,5}\/\d{7}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017861; rev:3; metadata:created_at 2013_12_13, updated_at 2013_12_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving UDP DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-udp "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017051; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Initial Connection Server Response"; flow:established,to_client; content:"|22|result|22 3A| [[|22|mining.notify|22|"; depth:120; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2017872; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving IP2 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-ip2 "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017050; rev:4; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER W32/BitCoinMiner Fake Flash Player Distribution Campaign - December 2013"; flow:established,to_server; content:"/blam/flashplayerv"; nocase; http_uri; reference:url,blog.malwarebytes.org/fraud-scam/2013/12/fake-flash-player-wants-to-go-mining/; reference:url,esearch.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; classtype:coin-mining; sid:2017874; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving IP DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-ip "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017049; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JAR Download From Crimepack Exploit Kit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"cpak/Crimepack"; nocase; reference:url,doc.emergingthreats.net/2011544; reference:url,krebsonsecurity.com/tag/crimepack/; reference:url,www.offensivecomputing.net/?q=node/1572; classtype:exploit-kit; sid:2011544; rev:7; metadata:created_at 2010_09_27, former_category MALWARE, updated_at 2010_09_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving POST2 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-post2 http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017048; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Work Server Response"; flow:established,to_client; content:"|22|params|22 3A| [|22|"; depth:120; content:"|22|method|22 3A| |22|mining.notify|22|"; distance:0; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2017873; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving POST1 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-post1 http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017047; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Getblocktemplate Protocol Server Connection"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3A| |22|getblocktemplate|22|"; within:40; reference:url,en.bitcoin.it/wiki/Getblocktemplate; classtype:coin-mining; sid:2017878; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving GET DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-get http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017046; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Getblocktemplate Protocol Server Coinbasetxn Begin Mining Response"; flow:established,to_client; content:"|22|result|22 3A| {"; depth:50; content:"|22|coinbasetxn|22 3A| {"; within:30; content:"|22|data|22 3A| |22|"; within:30; reference:url,en.bitcoin.it/wiki/Getblocktemplate; classtype:coin-mining; sid:2017879; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Baidu.com Related Agent User-Agent (iexp)"; flow:to_server,established; content:"User-Agent|3a| iexp|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2003608; classtype:trojan-activity; sid:2003608; rev:12; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Ferret DDOS Bot CnC Beacon"; flow:established,to_server; urilen:14; content:"POST"; http_method; content:"/hor/input.php"; http_uri; content:"Mozilla Gecko Firefox 25"; http_user_agent; content:"m="; http_client_body; depth:2; content:"&h="; http_client_body; within:50; reference:md5,c49e3411294521d63c7cc28e08cf8a77; reference:url,www.arbornetworks.com/asert/2013/12/a-business-of-ferrets/; classtype:command-and-control; sid:2017883; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_19, deployment Perimeter, signature_severity Major, tag c2, updated_at 2013_12_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot Download and Execute Scheduled file command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Download and Execute Scheduled [File|3a|"; classtype:trojan-activity; sid:2017057; rev:1; metadata:created_at 2013_06_25, updated_at 2013_06_25;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Upatre Downloader SSL certificate"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; pcre:"/^.{2}(?P<fake_email>([asdfgh]+|[qwerty]+|[zxcvbn]+)\@([asdfgh]+|[qwerty]+|[zxcvbn]+)\.).+?\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01.{2}(?P=fake_email)/Rs"; classtype:trojan-activity; sid:2017733; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_20, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot CnC2"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:" |3a|[AryaN]|3a| "; within:30; content: "download"; nocase; classtype:command-and-control; sid:2017056; rev:1; metadata:created_at 2013_06_25, former_category MALWARE, updated_at 2013_06_25;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - ZIP file with .exe filename inside (Inbound)"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(5leG|LmV4|uZXhl)/R"; classtype:bad-unknown; sid:2017884; rev:5; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64"; flow:established,to_client; file_data; content:"X19hcHBsZXRfc3N2X3ZhbGlkYXRl"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2016796; rev:5; metadata:created_at 2013_04_28, updated_at 2013_04_28;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - RAR file with .exe filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(5leG|LmV4|uZXhl)/R"; classtype:bad-unknown; sid:2017885; rev:5; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 2"; flow:established,to_client; file_data; content:"9fYXBwbGV0X3Nzdl92YWxpZGF0"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2016817; rev:4; metadata:created_at 2013_05_04, updated_at 2013_05_04;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - ZIP file with .com filename inside"; flow:established; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(uY29t|5jb2|LmNvb)/R"; classtype:bad-unknown; sid:2017887; rev:2; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 3"; flow:established,to_client; file_data; content:"fX2FwcGxldF9zc3ZfdmFsaWRhdGVk"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2016818; rev:4; metadata:created_at 2013_05_04, updated_at 2013_05_04;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - RAR file with .com filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(uY29t|5jb2|LmNvb)/R"; classtype:bad-unknown; sid:2017888; rev:2; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Dotka Chef EK exploit/payload URI request"; flow:to_server,established; content:"?f="; http_uri; content:"&k="; http_uri; pcre:"/&k=\d{16}(&|$)/U"; content:"Java/1"; http_user_agent; classtype:exploit-kit; sid:2017020; rev:10; metadata:created_at 2013_06_15, updated_at 2013_06_15;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - ZIP file with .scr filename inside"; flow:established; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnNjc|Euc2Ny|S5zY3)/R"; classtype:bad-unknown; sid:2017889; rev:2; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt"; flow:established,to_server; content:"/zport/dmd/Devices/devices/localhost/manage_doUserCommand"; nocase; http_uri; content:"commandId="; http_uri; nocase; distance:0; pcre:"/commandId\x3D[a-z]/Ui"; reference:url,www.securityfocus.com/bid/37843; reference:url,doc.emergingthreats.net/2010762; classtype:web-application-attack; sid:2010762; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - RAR file with .scr filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnNjc|Euc2Ny|S5zY3)/R"; classtype:bad-unknown; sid:2017890; rev:2; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot CnC1"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:"|20 3a 03|10OK|3a 03 20|"; within:30; classtype:command-and-control; sid:2017055; rev:1; metadata:created_at 2013_06_25, former_category MALWARE, updated_at 2013_06_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/GMUnpacker.Downloader Download Instructions Response From CnC"; flow:established,to_client; file_data; content:"<AD>"; within:4; content:"<TIPAD>"; distance:0; content:"<POPUP>"; distance:0; content:"<REG>HKEY_LOCAL_MACHINE|5c|SOFTWARE|5c|Microsoft|5c|Windows|5c|CurrentVersion|5c|"; distance:0; reference:md5,43e89125ad40b18d22e01f997da8929a; classtype:command-and-control; sid:2017891; rev:2; metadata:created_at 2013_12_20, former_category MALWARE, updated_at 2013_12_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot Flood command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Flood|3a| Started [Type|3a|"; classtype:trojan-activity; sid:2017058; rev:1; metadata:created_at 2013_06_25, updated_at 2013_06_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DotkaChef Landing URI Struct"; flow:established,to_server; content:"/?"; http_uri; content:"LvoDc0RHa8NnZ"; http_uri; pcre:"/\/\?={0,2}[A-Za-z0-9\+\/]+?LvoDc0RHa8NnZ$/U"; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/analyzing-dotkachef-exploit-pack/; classtype:exploit-kit; sid:2017893; rev:4; metadata:created_at 2013_12_21, updated_at 2013_12_21;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot Botkill command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Botkill|3a| Cycled once"; classtype:trojan-activity; sid:2017059; rev:1; metadata:created_at 2013_06_25, updated_at 2013_06_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DotkaChef Payload Dec 20 2013"; flow:established,to_server; content:"/?f=bb.mp3"; http_uri; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/analyzing-dotkachef-exploit-pack/; classtype:exploit-kit; sid:2017894; rev:3; metadata:created_at 2013_12_21, updated_at 2013_12_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Keylogger Crack by bahman"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&message=|2b|keylogger|2b|Crack|2b|By|2b 25 32 31 25 32 31 25 32 31|...bahman"; nocase; http_client_body; reference:url,doc.emergingthreats.net/2008369; classtype:trojan-activity; sid:2008369; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit 2013-3346"; flow:established,from_server; file_data; content:"5 0 R>>|0a|endobj|0a|5 0 obj |0a|<</"; pcre:"/^(?:L|#4c)(?:e|#65)(?:n|#6e)(?:g|#67)(?:t|#74)(?:h|#68)\x20\d+?\/(?:F|#46)(?:i|#69)(?:l|#6c)(?:t|#74)(?:e|#65)(?:r|#72)\[\/(?:F|#46)(?:l|#6c)(?:a|#61)(?:t|#74)(?:e|#65)(?:D|#44)(?:e|#65)(?:c|#63)(?:o|#6f)(?:d|#64)(?:e|#65)\/(?:A|#41)(?:S|#53)(?:C|#43)(?:I|#49){2}(?:H|#48)(?:e|#65)(?:x|#78)(?:D|#44)(?:e|#65)(?:c|#63)(?:o|#6f)(?:d|#64)(?:e|#65)\]>>/Rs"; content:"5 0 R>>|0a|endobj|0a|5 0 obj |0a|<<"; pcre:"/^(?:(?!>>).)+?#(?:[46][1-9a-fA-F]|[57][\daA])/Rs"; classtype:attempted-admin; sid:2017900; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category MALWARE, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool Exploit Kit iframe with obfuscated Java version check Jun 26 2013"; flow:established,from_server; file_data; content:"<textarea id|3d 22|"; content:"|22|>"; pcre:"/^(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{2}(?P<J>[0-9a-z]{2})[0-9a-z]{4}(?P=v)[0-9a-z]{6}(?P=space)[0-9a-z]{2}(?P=space)[0-9a-z]{64}(?P=J)(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017073; rev:3; metadata:created_at 2013_06_27, former_category EXPLOIT_KIT, updated_at 2013_06_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO/GrandSoft PDF"; flow:established,from_server; file_data; content:"/TM(gawgewafgwe[0].#subform[0]"; classtype:trojan-activity; sid:2017905; rev:3; metadata:created_at 2013_12_27, updated_at 2013_12_27;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query for Sykipot C&C www.prettylikeher.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|prettylikeher|03|com"; fast_pattern; distance:0; nocase; reference:cve,CVE-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:trojan-activity; sid:2014005; rev:3; metadata:created_at 2011_12_09, updated_at 2011_12_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS TDS Unknown_.aso - URI - IP.aso"; flow:established,to_server; content:".aso"; http_uri; fast_pattern:only; pcre:"/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\.aso$/U"; classtype:bad-unknown; sid:2017906; rev:2; metadata:created_at 2013_12_27, updated_at 2013_12_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|74 3d c0 19|"; within:4; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016733; rev:4; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible PDF Dictionary Entry with Hex/Ascii replacement"; flow:established,from_server; file_data; content:"%PDF-"; fast_pattern; within:5; content:"obj"; pcre:"/^[\r\n\s]*?<<(?:(?!>>).)+?\/[a-zA-Z\d]*?#(?:[46][1-9a-fA-F]|[57][\daA])(?:[a-zA-Z\d])*?#(?:[46][1-9a-fA-F]|[57][\daA])/Rsi"; classtype:trojan-activity; sid:2017899; rev:4; metadata:created_at 2013_12_24, former_category INFO, updated_at 2013_12_24;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - GOD Hacker"; flow:established,to_client; file_data; content:"GOD Hacker"; classtype:trojan-activity; sid:2017083; rev:2; metadata:created_at 2013_07_02, updated_at 2013_07_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK encrypted binary (1)"; flow:established,to_client; file_data; content:"|20 69 c3 34 55 6d 33 53|"; depth:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017908; rev:2; metadata:created_at 2013_12_30, updated_at 2013_12_30;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - Auth Prompt"; flow:established,to_client; file_data; content:"name=|22|haz|22| value=|22|pasa|22|>"; classtype:trojan-activity; sid:2017087; rev:3; metadata:created_at 2013_07_02, updated_at 2013_07_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing with CVE-2013-2551 Dec 29 2013"; flow:established,from_server; file_data; content:"javafx_version"; fast_pattern:only; content:"fromCharCode"; pcre:"/^[\r\n\s]*?\([\r\n\s]*?[a-zA-Z_$][^\r\n\s]*?\.charCodeAt[\r\n\s]*?\([\r\n\s]*?[a-zA-Z_$][^\r\n\s]*[\r\n\s]*?\)[\r\n\s]*?\^[\r\n\s]*?[a-zA-Z_$][^\r\n\s]*\.charCodeAt[\r\n\s]*?\(/Rsi"; content:"decodeURIComponent"; content:"applet"; classtype:exploit-kit; sid:2017907; rev:4; metadata:created_at 2013_12_30, updated_at 2013_12_30;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Pouya - Pouya_Server Shell"; flow:established,to_client; file_data; content:"Pouya_Server Shell"; classtype:trojan-activity; sid:2017089; rev:2; metadata:created_at 2013_07_02, updated_at 2013_07_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING suspicious - uncompressed pack200-ed JAR"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|ca fe d0 0d|"; depth:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017909; rev:3; metadata:created_at 2013_12_30, former_category INFO, updated_at 2013_12_30;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - GODSpy title"; flow:established,to_client; file_data; content:"GODSpy</title>"; classtype:trojan-activity; sid:2017084; rev:3; metadata:created_at 2013_07_02, updated_at 2013_07_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING suspicious - gzipped file via JAVA - could be pack200-ed JAR"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|1f 8b 08 00|"; depth:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017910; rev:3; metadata:created_at 2013_12_30, former_category INFO, updated_at 2013_12_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Exploit Kit Hostile Jar pipe.class"; flow:established,from_server; file_data; content:"PK"; within:2; content:"|00|pipe.class"; fast_pattern; content:"|00|inc.class"; content:"|00|fdp.class"; classtype:exploit-kit; sid:2017095; rev:2; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2013_07_04;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02"; content:"|00 02 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017918; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Lucky7 EK Landing Encoded Plugin-Detect"; flow:established,from_server; file_data; content:"JTc1JTY3JTY5JTZlJTQ0JTY1JTc0JTY1JTYzJTc0JTJlJTY3JTY1JTc0JTU2JTY1JTcyJTcz"; classtype:exploit-kit; sid:2017098; rev:2; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2013_07_04;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03"; content:"|00 03 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017919; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
 
-alert udp any any -> $HOME_NET [623,664] (msg:"ET EXPLOIT IPMI Cipher 0 Authentication mode set"; content:"|07 06 10 00 00 00 00 00 00 00 00|"; offset:3; depth:11; content:"|00 00|"; distance:2; within:2; content:"|00 00 00 08 00 00 00 00 01 00 00 08 00 00 00 00 02 00 00 08 00 00 00 00|"; distance:6; within:24; reference:url,www.intel.com/content/dam/www/public/us/en/documents/product-briefs/second-gen-interface-spec-v2.pdf; reference:url,community.rapid7.com/community/metasploit/blog/2013/06/23/a-penetration-testers-guide-to-ipmi; classtype:attempted-admin; sid:2017094; rev:3; metadata:created_at 2013_07_04, updated_at 2013_07_04;)
+alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017920; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FlashPlayerSetup.x86.exe pull"; flow:established,to_server; content:"GET"; http_method; content:"FlashPlayerSetup.x86.exe"; http_uri; content:".swf|0d 0a|"; http_header; reference:url,blog.avast.com/2013/07/03/fake-flash-player-installer; classtype:trojan-activity; sid:2017107; rev:2; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
+alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017921; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FlashPlayerSetup.x86.exe checkin UA"; flow:established,to_server; content:"GET"; http_method; content:"risp"; http_user_agent; depth:4; flowbits:set,FlashPlayerSetupUA; reference:url,blog.avast.com/2013/07/03/fake-flash-player-installer; classtype:trojan-activity; sid:2017108; rev:3; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
+alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Little Endian)"; flow:established,to_server; content:"MMcS"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017923; rev:2; metadata:created_at 2014_01_04, updated_at 2014_01_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FlashPlayerSetup.x86.exe checkin response 2"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"var begenilecek_sayfalar"; depth:28; flowbits:isset,FlashPlayerSetupUA; reference:url,blog.avast.com/2013/07/03/fake-flash-player-installer; classtype:trojan-activity; sid:2017109; rev:2; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
+alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Big Endian)"; flow:established,to_server; content:"ScMM"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017924; rev:2; metadata:created_at 2014_01_04, updated_at 2014_01_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet with obfuscated URL April 01 2013"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!(?i:<\/applet>)).)+?[\r\n\s]value[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?(\d{2,3})?(?P<sep>([^a-zA-Z0-9]{1,100}|[a-zA-Z0-9]{1,100}))\d{2,3}((?P=sep)\d{2,3}){20}/Rs"; classtype:exploit-kit; sid:2016705; rev:19; metadata:created_at 2013_04_01, former_category EXPLOIT_KIT, updated_at 2013_04_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Redirection - Injection - Modified Edwards Packer Script"; flow:established,to_client; file_data; content:"function(s,a,c,k,e,d"; classtype:trojan-activity; sid:2017931; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_01_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK Plugin-Detect April 12 2013"; flow:established,from_server; file_data; content:"PluginDetect"; fast_pattern:only; nocase; content:"$(document).ready"; content:"function"; distance:0; pcre:"/\x28[\r\n\s]*?(?P<qa1>[\x22\x27]?)[a-f0-9]{24}(?P=qa1)[\r\n\s]*?,[\r\n\s]*?(?P<qa2>[\x22\x27]?)[a-z0-9]{1,20}(?P=qa2)[\r\n\s]*?/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016756; rev:6; metadata:created_at 2013_04_13, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PWS-LDPinch Reporting User Activity"; flow:established,to_server; content:".php?ut="; nocase; http_uri; content:"&idr="; nocase; http_uri; content:"&lang="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&winver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2002812; classtype:trojan-activity; sid:2002812; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool Exploit Kit Plugin-Detect July 08 2013"; flow:established,from_server; file_data; content:"cGRwZD17dmVyc2lvbjoiMC4"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017117; rev:2; metadata:created_at 2013_07_09, former_category EXPLOIT_KIT, updated_at 2013_07_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PWS-LDPinch posting data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"a="; http_client_body; nocase; content:"&b="; http_client_body; nocase; content:"&d="; http_client_body; nocase; content:".bin&"; fast_pattern; http_client_body; nocase; content:"u="; http_client_body; nocase; content:"&c="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2006385; classtype:trojan-activity; sid:2006385; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sibhost Zip as Applet Archive July 08 2013"; flow:established,from_server; file_data; content:"getVersion("; content:"<applet"; fast_pattern; distance:0; nocase; pcre:"/^((?!(?i:<\/applet>)).)+?[\r\n\s]archive[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\.zip[\x22\x27]/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017118; rev:2; metadata:created_at 2013_07_09, updated_at 2013_07_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; nocase; content:"&d="; http_client_body; nocase; content:".bin&c="; http_client_body; reference:url,doc.emergingthreats.net/2007828; classtype:trojan-activity; sid:2007828; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Redirection - Wordpress Injection"; flow:established,to_client; file_data; content:"15,15,155,152,44,54"; classtype:trojan-activity; sid:2017124; rev:2; metadata:affected_product Any, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_07_09, deployment Perimeter, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, tag Wordpress, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Checkin (4)"; flow:established,to_server; content:"a="; content:"&b=Pinch"; nocase; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2008061; classtype:trojan-activity; sid:2008061; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gator/Clarian Spyware Posting Data"; flow: to_server,established; content:"/gs_med"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2003575; classtype:trojan-activity; sid:2003575; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Checkin (8)"; flow:established,to_server; content:"/view.php"; nocase; http_uri; content:"a="; content:"&b=Passes"; distance:0; content:"&d=Pass"; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2008091; classtype:trojan-activity; sid:2008091; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing July 10 2013"; flow:established,from_server; file_data; flowbits:isset,FlimKit.SWF.Redirect; content:".substring("; fast_pattern:only; nocase; content:"document.write("; nocase; content:".substring("; distance:0; nocase; content:".substring("; distance:0; nocase; content:".substring("; distance:0; nocase; classtype:trojan-activity; sid:2017126; rev:2; metadata:created_at 2013_07_11, former_category CURRENT_EVENTS, updated_at 2017_05_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Checkin (9)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gate.php"; http_uri; content:"a=&b=&d=&c="; http_client_body; reference:url,doc.emergingthreats.net/2008213; classtype:trojan-activity; sid:2008213; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JJEncode Encoded Script"; flow:established,from_server; file_data; content:"$$$$|3a|(![]+|22 22|)["; pcre:"/^(?P<global_var>((?!(\]\,__\$\x3a\+\+)).)+)]\,__\$\x3a\+\+(?P=global_var)/R"; classtype:bad-unknown; sid:2017127; rev:2; metadata:created_at 2013_07_11, updated_at 2013_07_11;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"ET DELETED LDPinch Checkin on Port 82"; flow:established,to_server; content:".php"; nocase; content:"a="; content:"&b=Pinch"; distance:0; content:"&d="; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2008354; classtype:trojan-activity; sid:2008354; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer Use-After-Free CVE-2013-3163"; flow:established,from_server; file_data; content:"<bdo"; nocase; pcre:"/^[\r\n\s\+\>]((?!<\/bdo>).)*?<fieldset[\r\n\s\+\>]((?!<\/fieldset>).)*?<\/bdo>/Rsi"; reference:cve,2013-3163; classtype:attempted-user; sid:2017133; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_07_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Loader Binary Request"; flow:established,to_server; content:"HTTP/1.0|0d 0a|Host|3a|"; content:".exe"; http_uri; nocase; content:"User-Agent|3a| "; http_header; content:"|0a 0a|Connection|3a| close|0d 0a 0d 0a|"; http_header; classtype:trojan-activity; sid:2013994; rev:4; metadata:created_at 2011_12_07, updated_at 2011_12_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3163"; flow:established,from_server; file_data; content:".contentEditable"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?true/Ri"; content:"var"; pcre:"/^[\r\n\s\+]+?(?P<var>[^\r\n\s\+\x3d]+)[\r\n\s\+]*?=[\r\n\s\+]*?[^\)]+\.createElement\(.+?\.body.appendChild\([\r\n\s]*?[\x22\x27]?(?P=var)[\x22\x27]?[\r\n\s]*?\).+\b(?P=var)\.innerHTML[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])(?P=q)/Rsi"; content:"CollectGarbage("; fast_pattern; nocase; distance:0; content:"eval("; distance:0; nocase; reference:cve,2013-3163; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017129; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_07_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TROJAN LDPinch Loader Binary Request"; flow:to_server,established; content:"HTTP/1.0|0D 0A|Host|3a|"; content:".exe"; http_uri; nocase; content:"User-Agent|3a| "; http_header; content:"|0D 0A|Connection|3a| close|0D 0A 0D 0A|"; http_header; classtype:trojan-activity; sid:2014015; rev:7; metadata:created_at 2011_12_09, updated_at 2011_12_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cryptmen FakAV page Title"; flow:established,from_server; file_data; content:"<title>Viruses were found on your computer</title>"; classtype:trojan-activity; sid:2017137; rev:2; metadata:created_at 2013_07_13, updated_at 2013_07_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LDPinch Checkin (3)"; flow:established,to_server; content:"a="; content:"&b=Passes from"; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2007862; classtype:command-and-control; sid:2007862; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole EK Plugin-Detect July 12 2013"; flow:established,from_server; file_data; content:"4CMiojbvl2cyVmd71DZwRGc"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017141; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ATTACKER WebShell - PHP Offender - Title"; flow:established,to_client; file_data; content:"<title>PHP Shell offender</title>"; nocase; classtype:web-application-attack; sid:2017951; rev:3; metadata:created_at 2014_01_11, updated_at 2014_01_11;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Arachni Web Scan"; flow:established,to_server; content:"/Arachni-"; http_uri; threshold: type limit, track by_src, seconds 60, count 1; reference:url,www.arachni-scanner.com/; classtype:attempted-recon; sid:2017142; rev:2; metadata:created_at 2013_07_13, updated_at 2013_07_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Jan 10 2014"; flow:established,to_client; file_data; content:"javafx_version"; fast_pattern:only; nocase; content:"46"; pcre:"/^(?P<sep>[^\x22\x27]{1,10})100(?P=sep)97(?P=sep)115(?P=sep)104(?P=sep)115(?P=sep)116(?P=sep)121(?P=sep)108(?P=sep)101(?P=sep)46(?P=sep)97(?P=sep)114(?P=sep)114(?P=sep)97(?P=sep)121(?P=sep)/R"; classtype:exploit-kit; sid:2017957; rev:2; metadata:created_at 2014_01_11, updated_at 2014_01_11;)
 
-alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC USER Likely bot with 0 0 colon checkin"; flow:to_server,established; content:"USER|20|"; nocase; content:" 0 0 |3a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; classtype:misc-activity; sid:2025066; rev:1; metadata:created_at 2013_07_13, former_category CHAT, updated_at 2017_11_28;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017965; rev:3; metadata:created_at 2014_01_14, updated_at 2014_01_14;)
 
-alert tcp any any -> any !6666:7000 (msg:"ET CHAT IRC USER Off-port Likely bot with 0 0 colon checkin"; flow:to_server,established; content:"USER|20|"; nocase; content:" 0 0 |3a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; classtype:misc-activity; sid:2025067; rev:1; metadata:created_at 2013_07_13, former_category CHAT, updated_at 2017_11_28;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 2012:2014 (msg:"ET MALWARE Win32.Morix.B checkin"; flow:to_server,established; content:"|00 00 42 42 43 42 43|"; offset:2; depth:7; reference:md5,25623fa3a64f6bed301822f8fe6aa9b5; classtype:command-and-control; sid:2017922; rev:3; metadata:created_at 2014_01_03, former_category MALWARE, updated_at 2014_01_03;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTP Request Smuggling Attempt - Double Content-Length Headers"; flow:established,to_server; content:"Content-Length|3A|"; http_header; content:"Content-Length|3A|"; http_header; within:100; reference:url,www.owasp.org/index.php/HTTP_Request_Smuggling; classtype:web-application-attack; sid:2017146; rev:3; metadata:created_at 2013_07_13, updated_at 2013_07_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SpyEye Bot Checkin"; flow:established,to_server; content:".php?guid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&stat="; nocase; http_uri; content:"&cpu="; nocase; http_uri; content:"&ccrc="; nocase; http_uri; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-020216-0135-99; reference:url,malwareint.blogspot.com/2010/01/spyeye-new-bot-on-market.html; reference:url,doc.emergingthreats.net/2010789; reference:url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot; reference:md5,2b8a408b56eaf3ce0198c9d1d8a75ec0; classtype:trojan-activity; sid:2010789; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTP Request Smuggling Attempt - Two Transfer-Encoding Values Specified"; flow:established,to_server; content:"Transfer-Encoding"; http_header; content:"Transfer-Encoding"; http_header; within:100; reference:url,www.owasp.org/index.php/HTTP_Request_Smuggling; classtype:web-application-attack; sid:2017147; rev:2; metadata:created_at 2013_07_13, updated_at 2013_07_13;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PE EXE or DLL Windows file download disguised as ASCII - SET"; flow:established; content:"|34 44 35 41|"; byte_jump:8,116,relative,multiplier 2,little,string; isdataat:1,relative; flowbits:set,ET.http.binary.ASCII; flowbits:noalert; classtype:trojan-activity; sid:2017961; rev:5; metadata:created_at 2014_01_13, updated_at 2014_01_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY Redirection - phpBB Injection"; flow:established,to_server; content:".js?"; http_uri; content:"&"; distance:6; within:1; http_uri; pcre:"/\/[0-9]{6}\.js\?[0-9]{6}&[0-9a-f]{16}$/Ui"; classtype:trojan-activity; sid:2017149; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-3918"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"Array"; nocase; distance:0; content:"|22|"; nocase; within:500; content:!"|22|"; within:500; pcre:"/^[a-z0-9]{1,500}?(?P<s>[a-z0-9]{2})(?P<t>(?!(?P=s))[a-z0-9]{2})(?P<r>(?!(?:(?P=s)|(?P=t)))[a-z0-9]{2})(?P=t)(?P<o>(?!(?:(?P=s)|(?P=t)|(?P=r)))[a-z0-9]{2})(?P<b>(?!(?:(?P=s)|(?P=t)|(?P=r)|(?P=o)))[a-z0-9]{2})(?P<y>(?!(?:(?P=s)|(?P=t)|(?P=r)|(?P=o)|(?P=b)))[a-z0-9]{2})(?P=t)(?:(?!(?:(?P=s)|(?P=t)|(?P=r)))[a-z0-9]{4})(?P=s)(?P=t)(?P=r)/Rs"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017973; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_16, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious Redirect June 18 2013"; flow:established,to_client; file_data; content:",53,154,170,170,164,76,63,63,"; classtype:trojan-activity; sid:2017035; rev:3; metadata:created_at 2013_06_19, former_category CURRENT_EVENTS, updated_at 2013_06_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO InformationCardSigninHelper ClassID (Vulnerable ActiveX Control in CVE-2013-3918)"; flow:established,to_client; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; classtype:misc-activity; sid:2017980; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS trac q variable open redirect"; flow:to_server,established; content:"/search?q"; nocase; http_uri; pcre:"/search\?q=(ht|f)tp?\:\//iU"; reference:cve,CVE-2008-2951; reference:url,doc.emergingthreats.net/2008648; classtype:web-application-attack; sid:2008648; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Compromised site appsredeeem"; flow:established,to_client; content:"|12|www.appsredeem.com"; nocase; classtype:trojan-activity; sid:2017987; rev:2; metadata:created_at 2014_01_17, former_category CURRENT_EVENTS, updated_at 2014_01_17;)
 
-#alert http any any -> $HOME_NET 3128 (msg:"ET DOS Squid-3.3.5 DoS"; flow:established,to_server; content:"Host|3a| "; http_header; pcre:"/^Host\x3a[^\x3a\r\n]+?\x3a[^\r\n]{6}/Hmi"; classtype:attempted-dos; sid:2017154; rev:2; metadata:created_at 2013_07_17, updated_at 2013_07_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible AnglerEK Landing URI Struct"; flow:established,to_server; content:"?thread="; http_uri; nocase; content:"key="; http_uri; nocase; pcre:"/^\/[a-z0-9]+?\?thread=\d+?&x?key=[A-F0-9]{32}$/U"; classtype:exploit-kit; sid:2017975; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|58 23 3a d4|"; within:4; classtype:exploit-kit; sid:2016945; rev:8; metadata:created_at 2013_05_30, updated_at 2013_05_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cybergate/Rebhip/Spyrat Backdoor Keepalive Response"; flow:to_server,established; dsize:<100; content:"pong|7c|"; depth:5; classtype:trojan-activity; sid:2017991; rev:6; metadata:created_at 2011_04_09, updated_at 2011_04_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE E-Jihad 3.0 HTTP Activity 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/tlog.php?logn="; http_uri; pcre:"/\/tlog\.php\?logn=[^\s]+&pss=[^\s]/U"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007683; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java/Jacksbot Check-in"; flow:established,to_server; content:"|00 2d 00 68 00 20 00 32 00 66 00|"; pcre:"/^(?:4\x00[1-9a-f]|5\x00[\da])/Rs"; content:"|00 33 00 61 00|"; within:5; reference:md5,6d93fc6132ae6938013cdd95354bff4e; classtype:trojan-activity; sid:2017983; rev:3; metadata:created_at 2014_01_17, updated_at 2014_01_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE E-Jihad 3.0 HTTP Activity 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ntarg.php?"; http_uri; pcre:"/ntarg\.php\?[^\s]*(notdoing|howme|uname)=/U"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007684; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Jan 21 2013 SilverLight 1"; flow:established,from_server; file_data; content:"Y21kLmV4ZSA"; pcre:"/^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x)/R"; classtype:exploit-kit; sid:2017995; rev:2; metadata:created_at 2014_01_22, updated_at 2014_01_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE E-Jihad 3.0 HTTP Activity 3"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/tnewu.php?nlogin="; http_uri; pcre:"/\/tnewu\.php\?nlogin=[^\s]+&npss=[^\s]+&invitedby=[^\s]/U"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007685; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Jan 21 2013 SilverLight 2"; flow:established,from_server; file_data; content:"NtZC5leGUg"; pcre:"/^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x)/R"; classtype:exploit-kit; sid:2017996; rev:2; metadata:created_at 2014_01_22, updated_at 2014_01_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE - Trojan.Proxy.PPAgent.t (updatea)"; flow:to_server,established; content:"/updatea.php?p="; nocase; http_uri; pcre:"/updatea\.php\?p=\d/Ui"; flowbits:set,BT.ppagent.updatea; flowbits:noalert; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003115; classtype:trojan-activity; sid:2003115; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Jan 21 2013 SilverLight 3"; flow:established,from_server; file_data; content:"jbWQuZXhlI"; pcre:"/^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x)/R"; classtype:exploit-kit; sid:2017997; rev:2; metadata:created_at 2014_01_22, updated_at 2014_01_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT JS Browser Based Ransomware"; flow:established,from_server; file_data; content:"YOUR BROWSER HAS BEEN LOCKED.|5c|n|5c|nALL PC DATA WILL BE DETAINED"; reference:url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/; reference:url,www.f-secure.com/weblog/archives/00002577.html; classtype:trojan-activity; sid:2017165; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_07_19, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Ransomware, updated_at 2013_07_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Feodo Banking Trojan Receiving Configuration File"; flow:established,from_server; content:"ibanking-services.com"; nocase; content:"webcash"; nocase; distance:0; content:"/wires/"; nocase; content:"amazon.com"; nocase; distance:0; content:"EncryptPassword"; nocase; distance:0; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html; classtype:trojan-activity; sid:2011863; rev:5; metadata:created_at 2010_10_28, updated_at 2010_10_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP GET invalid method case"; flow:established,to_server; content:"get "; depth:4; nocase; content:!"GET "; depth:4; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011031; classtype:bad-unknown; sid:2011031; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Browlock Hostname Format US"; flow:established,to_server; content:"Host|3a 20|fbi.gov."; http_header; fast_pattern:only; classtype:trojan-activity; sid:2018006; rev:3; metadata:created_at 2014_01_23, updated_at 2014_01_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP POST invalid method case"; flow:established,to_server; content:"post "; depth:5; nocase; content:!"POST "; depth:5; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011032; classtype:bad-unknown; sid:2011032; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing Jan 24 2013"; flow:established,to_client; file_data; content:"0x3dcde1&&"; nocase; content:"0x4e207d"; nocase; within:50; classtype:exploit-kit; sid:2018011; rev:2; metadata:created_at 2014_01_24, former_category CURRENT_EVENTS, updated_at 2014_01_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP HEAD invalid method case"; flow:established,to_server; content:"head "; depth:5; nocase; content:!"HEAD "; depth:5; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011033; classtype:bad-unknown; sid:2011033; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Limitless Logger Sending Data over SMTP 2"; flow:to_server,established; content:"Limitless Logger successfully ran on this computer."; nocase; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:trojan-activity; sid:2018016; rev:2; metadata:created_at 2014_01_28, updated_at 2014_01_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - calc.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"calc."; http_header; distance:0; fast_pattern; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?calc\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014237; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Xtrat C2 Response"; flow:established,from_server; content:"S|00|T|00|A|00|R|00|T|00|S|00|E|00|R|00|V|00|E|00|R|00|B|00|U|00|F|00|F|00|E|00|R"; depth:33; reference:md5,f45b1b82c849fbbea3374ae7e9200092; classtype:command-and-control; sid:2018027; rev:2; metadata:created_at 2014_01_28, former_category MALWARE, updated_at 2014_01_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - info.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"info."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?info\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014235; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ehow/livestrong Malicious Flash 10/11"; flow:established,to_server; urilen:13; content:".swf"; http_uri; offset:9; depth:4; pcre:"/^\/[a-f0-9]{8}\.swf$/U"; pcre:"/^Referer\x3a[^\r\n]+\/[a-f0-9]{8}\/1(?:0\/[0-2]|1\/\d)\/\r$/Hm"; classtype:trojan-activity; sid:2018029; rev:2; metadata:created_at 2014_01_28, former_category CURRENT_EVENTS, updated_at 2014_01_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - about.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"about."; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?about\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014238; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Banker.AALV checkin"; flow:to_server,established; content:"CHEGOU-NOIS"; fast_pattern; content:"|20 7c 20|PLUGIN|3a|"; distance:0; content:"|20 7c 20|BROWSER|3a|"; reference:md5,74bfd81b345a6ef36be5fcf6964af6e1; classtype:command-and-control; sid:2018034; rev:1; metadata:created_at 2014_01_29, former_category MALWARE, updated_at 2014_01_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - readme.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"readme."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?readme\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014301; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT StyX Landing Jan 29 2014"; flow:from_server,established; file_data; content:"<applet"; fast_pattern:only; content:".exe"; pcre:"/^[\x22\x27]/R"; content:"var"; pcre:"/^\s+?(?P<vname>[^\s=]+)\s*?=\s*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?\.exe(?P=q).+?<applet(?:(?!<\/applet>).)+?value\s*?=\s*?(?:\x22\x27|\x27\x22)\s*?\+\s*?(?P=vname)\s*?\+\s*?(?:\x22\x27|\x27\x22)/Rsi"; classtype:trojan-activity; sid:2018035; rev:4; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2014_01_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (2)"; flow:established,to_server; content:"/java.jar"; http_uri; nocase; fast_pattern:only; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2015487; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SolarBot Plugin Download Server Response"; flow:from_server,established; file_data; content:"SOLAR|00|"; within:6; content:"MZP"; distance:0; classtype:trojan-activity; sid:2018036; rev:5; metadata:created_at 2014_01_30, updated_at 2014_01_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Topic EK Requesting Jar"; flow:established,to_server; content:".php?exp="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; content:"Java/1."; http_user_agent; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:exploit-kit; sid:2016107; rev:6; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+#alert udp any 53 -> $HOME_NET any (msg:"ET DELETED Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|02|ru|00|"; fast_pattern:only; pcre:"/[^a-z0-9\-\.][a-z0-9]{32,48}\x02ru\x00\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:command-and-control; sid:2014373; rev:2; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16/32-hex/a-z.php Jar Download"; flow:established,to_server; content:".php"; http_uri; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016229; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert udp any 53 -> $HOME_NET any (msg:"ET DELETED Possible Zeus .info CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|04|info|00|"; fast_pattern:only; pcre:"/[^a-z0-9\-\.][a-z0-9]{32,48}\x04info\x00\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:command-and-control; sid:2014374; rev:3; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Class Request (2)"; flow:established,to_server; content:"/Runs.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016250; rev:8; metadata:created_at 2013_01_22, former_category EXPLOIT_KIT, updated_at 2013_01_22;)
+#alert udp any 53 -> $HOME_NET any (msg:"ET DELETED Possible Zeus .biz CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|03|biz|00|"; fast_pattern:only; pcre:"/[^a-z0-9\-\.][a-z0-9]{32,48}\x03biz\x00\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:command-and-control; sid:2014375; rev:2; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/q.php Jar Download"; flow:established,to_server; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016564; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 444 (msg:"ET MALWARE W32/FakeAlert.FT.gen.Eldorado Downloading DLL"; flow:to_server,established; content:"SIZE libcurl-4.dll|0d 0a|"; reference:md5,0f352448103f7d487e265220006a1c32; classtype:trojan-activity; sid:2018072; rev:2; metadata:created_at 2014_02_05, updated_at 2014_02_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to DtDNS Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:(?:b(?:bsindex|0ne)|chatnook|gotgeeks|3d-game|4irc)\.com|s(?:(?:cieron|uroot)\.com|lyip\.(?:com|net))|d(?:arktech\.org|eaftone\.com|tdns\.net)|e(?:towns\.(?:net|org)|ffers\.com)|flnet\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016584; rev:4; metadata:created_at 2013_03_15, former_category HUNTING, updated_at 2013_03_15;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/FakeAlert.FT.gen.Eldorado Downloading VBS"; flow:to_server,established; content:"SIZE explore.vbs|0d 0a|"; reference:md5,0f352448103f7d487e265220006a1c32; classtype:trojan-activity; sid:2018073; rev:2; metadata:created_at 2014_02_05, updated_at 2014_02_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to cd.am Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; content:"cd.am"; http_header; nocase; pcre:"/^Host\x3a\x20[^\r\n]+\.cd\.am(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016595; rev:6; metadata:created_at 2013_03_20, former_category HUNTING, updated_at 2013_03_20;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BeEF Default SSL Cert"; flow:established,from_server; content:"|0b|Bovine Land"; fast_pattern; content:"|1e|Browser Exploitation Framework"; classtype:attempted-user; sid:2018089; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Watering Hole applet name AppletLow.jar"; flow:established,to_server; content:"/AppletLow.jar"; http_uri; content:"Java/1."; http_user_agent; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:exploit-kit; sid:2016640; rev:4; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BeEF Module in use"; flow:established,from_server; file_data; content:"beef.execute"; pcre:"/^\s*?\(/Rs"; threshold: type limit, track by_src, seconds 300, count 1; classtype:attempted-user; sid:2018090; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_07, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:33; depth:7; http_uri; pcre:"/^\/[0-9a-f]{32}\/ff\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016723; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Flash Exploit CVE-2014-0497"; flow:established,from_server; file_data; content:"makePayloadWin"; reference:url,www.securelist.com/en/blog/8177/CVE_2014_0497_a_0_day_vulnerability; classtype:exploit-kit; sid:2018091; rev:2; metadata:created_at 2014_02_07, updated_at 2014_02_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016725; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Oracle Reports Parse Query Returned Creds CVE-2012-3153"; flow:established,to_client; file_data; content:"Result Reports Server Command"; content:"userid="; distance:0; content:"/"; distance:0; content:"@"; distance:0; reference:url,netinfiltration.com; classtype:web-application-attack; sid:2018093; rev:2; metadata:created_at 2014_02_07, updated_at 2014_02_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/wmck.jpg"; nocase; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016735; rev:5; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TecSystems (Possible Mask) Signed PE EXE Download"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|55 04 0a|"; content:"|0e|TecSystem Ltd."; distance:1; within:15; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:2018103; rev:2; metadata:created_at 2014_02_11, former_category CURRENT_EVENTS, updated_at 2014_02_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/ckwm.jpg"; nocase; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016736; rev:5; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE FTP File Upload - BlackPOS Naming Scheme"; flow:established,to_server; content:"STOR "; depth:5; content:".txt"; pcre:"/data_\d{4}_\d{1,2}_\d{1,2}_\d{1,2}_\d{1,2}\.txt/"; reference:url,www.cyphort.com/blog/cyphort-tracks-down-new-variants-of-target-malware/; classtype:trojan-activity; sid:2018115; rev:1; metadata:created_at 2014_02_12, updated_at 2014_02_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Requsting Payload"; flow:established,to_server; content:"/FlashPlayer.cpl"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016828; rev:5; metadata:created_at 2013_05_07, updated_at 2013_05_07;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET MALWARE MS Remote Desktop edc User Login Request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=edc|0d 0a|"; nocase; reference:url,intelcrawler.com/about/press08; classtype:protocol-command-decode; sid:2018116; rev:1; metadata:created_at 2014_02_12, updated_at 2014_02_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT HellSpawn EK Requesting Jar"; flow:established,to_server; content:"/j21.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016832; rev:7; metadata:created_at 2013_05_07, updated_at 2013_05_07;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET MALWARE MS Remote Desktop micros User Login Request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=micros|0d 0a|"; nocase; reference:url,intelcrawler.com/about/press08; classtype:protocol-command-decode; sid:2018124; rev:3; metadata:created_at 2014_02_12, updated_at 2014_02_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED BlackHole Java Exploit Artifact"; flow:established,to_server; content:"/hw.class"; http_uri; content:"Java/1."; http_user_agent; reference:url,vanheusden.com/httping/; classtype:policy-violation; sid:2016848; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.Sality.bh Checkin"; flow:to_server,established; content:"/logo.gif?"; http_uri; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| .NET CLR 1.1.4322|3b| .NET CLR 2.0.50728)|0d 0a|Host|3a| "; http_header; pcre:"/\x2flogo\x2egif\x3f([0-9a-z]){5}\x3d\d{6,7}/U"; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; reference:md5,c15f4fe2e180150dc511aa64427404c5; classtype:trojan-activity; sid:2018111; rev:3; metadata:created_at 2012_04_09, updated_at 2012_04_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible HellSpawn EK Java Artifact May 24 2013"; flow:to_server,established; content:"/PoC.class"; http_uri; nocase; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016930; rev:4; metadata:created_at 2013_05_25, updated_at 2013_05_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS .CPL File Inside of Zip"; flow:established,from_server; file_data; content:"PK|01 02|"; within:4; content:".cpl"; nocase; fast_pattern; distance:42; within:500; content:"PK|05 06|"; within:52; content:"|01 00 01 00|"; distance:4; within:4; classtype:trojan-activity; sid:2018126; rev:3; metadata:created_at 2014_02_13, former_category CURRENT_EVENTS, updated_at 2014_02_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK JNLP request"; flow:established,to_server; content:".php?jnlp="; http_uri; nocase; fast_pattern:only; pcre:"/\.php\?jnlp=[a-f0-9]{10}(,|$)/Ui"; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016931; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Goon EK Java JNLP URI Struct Feb 12 2014"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".xml"; http_uri; pcre:"/\/[A-Z]\.xml$/U"; classtype:exploit-kit; sid:2018127; rev:3; metadata:created_at 2014_02_13, former_category CURRENT_EVENTS, updated_at 2014_02_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/a.php Jar Download"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{32}\/a\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016972; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1431 (msg:"ET MALWARE Win32/Tapazom.A"; flow:established,to_server; content:"GIVEME|7c|"; reference:md5,dc7284b199d212e73c26a21a0913c69d; classtype:trojan-activity; sid:2018133; rev:1; metadata:created_at 2014_02_13, updated_at 2014_02_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/a.php Jar Download"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{16}\/a\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016974; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1431 (msg:"ET MALWARE Win32/Tapazom.A 2"; flow:established,to_server; content:"GETSERVER|7c|"; reference:md5,030f3840d2729243280d3cea3d99d8e6; classtype:trojan-activity; sid:2018134; rev:1; metadata:created_at 2014_02_13, updated_at 2014_02_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Jar 1 June 12 2013"; flow:established,to_server; content:"/6u27.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017016; rev:7; metadata:created_at 2013_06_13, updated_at 2013_06_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Current Asprox Spam Campaign"; flow:established,to_server; urilen:>60; content:"/viewtopic.php?"; http_uri; fast_pattern:only; pcre:"/\/viewtopic\.php\?[^=]+=[a-zA-Z0-9\x2b\x2f]{43}=$/U"; classtype:trojan-activity; sid:2018041; rev:4; metadata:created_at 2014_01_30, updated_at 2014_01_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Jar 2 June 12 2013"; flow:established,to_server; content:"/6u41.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017017; rev:6; metadata:created_at 2013_06_13, updated_at 2013_06_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Current Asprox Spam Campaign 2"; flow:established,to_server; urilen:>60; content:"/handler.php?"; http_uri; fast_pattern:only; pcre:"/\/handler\.php\?[^=]+=[a-zA-Z0-9\x2b\x2f]{43}=$/U"; classtype:trojan-activity; sid:2018135; rev:3; metadata:created_at 2014_02_14, updated_at 2014_02_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Jar 3 June 12 2013"; flow:established,to_server; content:"/7u17.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017018; rev:6; metadata:created_at 2013_06_13, updated_at 2013_06_13;)
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - photobucket.com.*"; content:"|0b|photobucket|03|com"; nocase; content:!"|00|"; within:1; content:!"|09|footprint|03|net|00|"; nocase; distance:0; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013360; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Exploit Kit Hostile Jar cm2.jar"; flow:established,to_server; content:"/cm2.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017097; rev:4; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2013_07_04;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT EXE Accessing Kaspersky System Driver (Possible Mask)"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|5c 5c 2e 5c|KLIF"; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:bad-unknown; sid:2018104; rev:3; metadata:created_at 2014_02_11, former_category CURRENT_EVENTS, updated_at 2014_02_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (1) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/kid.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016554; rev:7; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SMTP EXE - ZIP file with .pif filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnBpZ|5waW|ucGlm)/R"; classtype:bad-unknown; sid:2018144; rev:2; metadata:created_at 2014_02_15, updated_at 2014_02_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (2) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/dab.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016555; rev:7; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Torrent Client User-Agent (Solid Core/0.82)"; flow:to_server,established; content:"User-Agent|3a| Solid Core/"; http_header; reference:url,sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=4a9f376e8d01cb5f7990576ed927869b; classtype:policy-violation; sid:2013869; rev:7; metadata:created_at 2011_11_08, updated_at 2011_11_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (4) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/kir.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016557; rev:6; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Azbreg.Backdoor CnC Beacon"; flow:established,to_server; urilen:17; content:"/instant_messages"; http_uri; content:"sid="; http_cookie; content:"locale="; http_cookie; distance:0; content:"name="; http_cookie; distance:0; content:"password="; http_cookie; content:"uid="; http_cookie; distance:0; reference:md5,4b435a3f43d0e7ffa71453cf18804b70; classtype:command-and-control; sid:2018151; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_02_18, deployment Perimeter, signature_severity Major, tag c2, updated_at 2014_02_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Sakura Jar Download SET"; flow:established,to_server; content:".php"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; flowbits:set,ET.Sakura.php.Java; flowbits:noalert; classtype:trojan-activity; sid:2016720; rev:5; metadata:created_at 2013_04_04, updated_at 2013_04_04;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Fake Googlebot UA 1 Inbound"; flow:established,to_server; content:"User-Agent|3a|"; http_header; content:!" Mozilla/5.0 (compatible|3b| Googlebot/2.1|3b| +http|3a|//www.google.com/bot.html)|0d 0a|"; http_header; within:75; content:!" Googlebot/2.1 (+http|3a|//www.google.com/bot.html)|0d 0a|"; http_header; within:50; content:"Googlebot"; fast_pattern; http_header; nocase; distance:0; pcre:"/^User-Agent\x3a[^\r\n]+?Googlebot[^\-].+?\r$/Hmi"; reference:url,www.incapsula.com/the-incapsula-blog/item/369-was-that-really-a-google-bot-crawling-my-site; reference:url,support.google.com/webmasters/bin/answer.py?hl=en&answer=1061943; classtype:bad-unknown; sid:2015526; rev:4; metadata:created_at 2012_07_25, updated_at 2012_07_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT DRIVEBY Rawin - Java Exploit -dubspace.jar"; flow:established,to_server; content:"/dubspace.jar"; http_uri; classtype:trojan-activity; sid:2017178; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $HOME_NET 8083 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linksys Failed Upgrade BackDoor Access (Server Response)"; flow:from_server,established; file_data; content:"Utopia_Init|3a 20|SUCCEEDED"; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018160; rev:3; metadata:created_at 2014_02_19, updated_at 2014_02_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible CritXPack - Landing Page - jnlp_embedded"; flow:established,to_client; file_data; content:"jnlp_embedded|3a 22|PD94b"; classtype:exploit-kit; sid:2017182; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_24, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fake FedEX/Pony spam campaign URI Struct"; flow:established,to_server; content:".php?label="; http_uri; nocase; fast_pattern:only; pcre:"/\.php\?label=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Ui"; content:!"dynamicdrive.com"; nocase; http_header; classtype:trojan-activity; sid:2017258; rev:5; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing 07/22/13"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"applet"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017168; rev:4; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2013_07_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible GoonEK Landing Feb 19 2014 1"; flow:from_server,established; file_data; content:"javafx_version"; nocase; fast_pattern:only; content:"jnlp_href"; nocase; content:"</applet><object"; nocase; content:"data|3a|application/x-silverlight-2"; nocase; within:100; classtype:exploit-kit; sid:2018161; rev:2; metadata:created_at 2014_02_20, updated_at 2014_02_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool EXE URI Struct"; flow:to_server,established; content:".exe"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.exe(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015798; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Feb 19 2014 2"; flow:from_server,established; file_data; content:"stroke>"; fast_pattern:only; content:!"#default#VML"; content:"eval"; content:"35"; pcre:"/^(?P<sep>((?!100).){1,20})100(?P=sep)101(?P=sep)102(?P=sep)97(?P=sep)117(?P=sep)108(?P=sep)116(?P=sep)35(?P=sep)86(?P=sep)77(?P=sep)76(?P=sep)/Rsi"; classtype:exploit-kit; sid:2018163; rev:2; metadata:created_at 2014_02_20, updated_at 2014_02_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool Jar URI Struct"; flow:to_server,established; content:".jar"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jar(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015796; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Ebury SSH Rootkit data exfiltration"; content:"|12 0b 01 00 00 01|"; depth:6; pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs"; reference:url,cert-bund.de/ebury-faq; classtype:trojan-activity; sid:2018164; rev:1; metadata:created_at 2014_02_21, updated_at 2014_02_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool eot URI Struct"; flow:to_server,established; content:".eot"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.eot(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015787; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic CnC"; flow:established,to_server; content:" Mini BackDoor|00|"; offset:9; depth:20; reference:md5,398b6622a2c86d472a4340d3e79e654b; classtype:command-and-control; sid:2018167; rev:1; metadata:created_at 2014_02_21, former_category MALWARE, updated_at 2014_02_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool txt URI Struct"; flow:to_server,established; content:".txt"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.txt(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015933; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gh0st Trojan CnC 3"; flow:established,to_server; dsize:14; content:"Gh0st"; depth:5; reference:md5,6a814cacb0c4b464d85ab874f68a5344; classtype:command-and-control; sid:2018165; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_21, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool jnlp URI Struct"; flow:established,to_server; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jnlp(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015619; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS XXTEA UTF-16 Encoded HTTP Response"; flow:from_server,established; content:"u|00|t|00|f|00|8|00|t|00|o|00|1|00|6|00|"; nocase; content:"x|00|x|00|t|00|e|00|a|00|_|00|d|00|e|00|c|00|r|00|y|00|p|00|t|00|"; nocase; fast_pattern; content:"b|00|a|00|s|00|e|00|6|00|4|00|d|00|e|00|c|00|o|00|d|00|e"; nocase; classtype:bad-unknown; sid:2018175; rev:2; metadata:created_at 2014_02_25, former_category CURRENT_EVENTS, updated_at 2014_02_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole/Cool Landing URI Struct"; flow:to_server,established; content:".php"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.php(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015803; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS OnClick Anti-BOT TDS POST Feb 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"/tds/"; http_uri; fast_pattern:only; nocase; pcre:"/\/tds\/[a-f0-9]{32}$/U"; content:"ua="; http_client_body; content:"ip="; http_client_body; classtype:trojan-activity; sid:2018177; rev:5; metadata:created_at 2014_02_26, updated_at 2014_02_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 1"; flow:established,to_client; file_data; content:"<!--0c0896-->"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017184; rev:2; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2013_07_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS OnClick Anti-BOT TDS Hidden Form Feb 25 2014"; flow:established,from_server; file_data; content:"<form"; nocase; content:"action"; nocase; distance:0; content:"/tds/"; fast_pattern; distance:0; pcre:"/^[a-f0-9]{32}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2018178; rev:4; metadata:created_at 2014_02_26, updated_at 2014_02_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 2"; flow:established,to_client; file_data; content:"#0c0896#"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017185; rev:2; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2013_07_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS .PIF File Inside of Zip"; flow:established,from_server; file_data; content:"PK"; within:2; content:".pif"; nocase; fast_pattern; within:500; reference:md5,2e760350a5c692bd94c7c6d1233af72c; classtype:trojan-activity; sid:2018125; rev:5; metadata:created_at 2014_02_13, former_category CURRENT_EVENTS, updated_at 2014_02_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 3"; flow:established,to_client; file_data; content:"/*0c0896*/"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017186; rev:2; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2013_07_24;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE W32/FakeFlash.Dropper Initial CnC Beacon"; flow:established,to_server; dsize:8; content:"PutToken"; depth:8; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018185; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_02_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 1"; flow:established,to_client; file_data; content:"<!--0c0896-->"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017187; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE W32/FakeFlash.Dropper Initial CnC Beacon Acknowledgement"; flow:established,to_client; dsize:12; content:"TokenRecived"; depth:12; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018186; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_02_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 2"; flow:established,to_client; file_data; content:"#0c0896#"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017188; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE W32/FakeFlash.Dropper PutInformation CnC Beacon"; flow:established,to_server; dsize:18; content:"PutInformation_New"; depth:18; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018187; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_02_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 3"; flow:established,to_client; file_data; content:"/*0c0896*/"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017189; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE W32/FakeFlash.Dropper GetInformation CnC Beacon Acknowledgement"; flow:established,to_client; dsize:14; content:"GetInformation"; depth:14; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018188; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_02_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - Payload Download Requested"; flow:established,to_server; content:"/getmyfile.exe"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016052; rev:4; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.joggver backdoor initialization packet"; flow:established,to_server; dsize:32; content:"|03 01 74 80|"; depth:4; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:14; within:14; classtype:trojan-activity; sid:2018189; rev:1; metadata:created_at 2014_02_27, updated_at 2014_02_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Class Request (1)"; flow:established,to_server; content:"/Gobon.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016249; rev:8; metadata:created_at 2013_01_22, former_category EXPLOIT_KIT, updated_at 2013_01_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Trojan.Delf-5496 New Infection Report"; flow:established,to_server; dsize:<500; content:"|7c|OnConnect|7c|"; depth:20; pcre:"/^\d+?\x7cOnConnect\x7c/"; reference:url,doc.emergingthreats.net/2008908; reference:md5,3a7f11fbaf815cd2338d633de175e252; classtype:trojan-activity; sid:2008908; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Java Exploit - jaxws.jar"; flow:established,to_server; content:"/jaxws.jar"; http_uri; content:"Java/"; http_user_agent; classtype:exploit-kit; sid:2016374; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible FakeAV .exe.vbe HTTP Content-Disposition"; flow:established,to_client; content:".exe.vbe"; http_header; nocase; fast_pattern:only; pcre:"/Content-Disposition\x3a[^\r\n]*?\.exe\.vbe/Hi"; reference:url,www.malwaresigs.com/2014/02/07/fakeav-is-still-alive/; classtype:trojan-activity; sid:2018190; rev:3; metadata:created_at 2014_02_27, updated_at 2014_02_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Java Exploit - jre.jar"; flow:established,to_server; content:"/jre.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016375; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android FakeInst.BX checkin"; flow:to_server; content:".html?c="; http_uri; content:"&o="; http_uri; distance:2; within:3; content:"&n="; http_uri; distance:0; content:"&pid="; http_uri; distance:10; within:10; content:"Apache-HttpClient"; http_user_agent; reference:md5,b2397ddc90e57f2d0eb6b0d3b8bb63f8; classtype:trojan-activity; sid:2018180; rev:6; metadata:created_at 2014_02_27, updated_at 2014_02_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM EK - Java Exploit - fbyte.jar"; flow:established,to_server; content:"/fbyte.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016378; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Blatantly Evil JS Function"; flow:established,from_server; file_data; content:"function heap"; nocase; content:"spray"; nocase; within:6; classtype:trojan-activity; sid:2017498; rev:3; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - jhan.jar"; flow:established,to_server; content:"/jhan.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016514; rev:4; metadata:created_at 2013_03_04, updated_at 2013_03_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY LoJack asset recovery/tracking - not malicious"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"TagId|3a 20|"; http_header; fast_pattern; content:".namequery.com|0d 0a|"; http_header; threshold: type limit, count 2, seconds 300, track by_src; reference:url,www.absolute.com/en/lojackforlaptops/home.aspx; classtype:attempted-recon; sid:2012689; rev:6; metadata:created_at 2011_04_15, updated_at 2011_04_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CrimeBoss - Java Exploit - m11.jar"; flow:established,to_server; content:"/m11.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016597; rev:5; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious Spam Redirection Feb 28 2014"; flow:established,from_server; file_data; content:"Connecting to server...</div></td></tr></table>"; within:500; classtype:trojan-activity; sid:2018196; rev:3; metadata:created_at 2014_02_28, former_category CURRENT_EVENTS, updated_at 2014_02_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - jmx.jar"; flow:established,to_server; content:"/jmx.jar"; http_uri; content:"Java/1."; http_user_agent; content:!"hermesjms.com"; http_header; classtype:exploit-kit; sid:2016598; rev:5; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Hello/LightsOut EK Secondary Landing"; flow:established,to_server; content:".php?a="; http_uri; fast_pattern:only; content:"&f="; http_uri; content:"&u="; http_uri; pcre:"/\.php\?a=[^&]+&f=[a-f0-9]{32}&u=[^&]+$/I"; reference:url,vrt-blog.snort.org/2014/03/hello-new-exploit-kit.html; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/; classtype:exploit-kit; sid:2018206; rev:2; metadata:created_at 2014_03_05, former_category CURRENT_EVENTS, updated_at 2014_03_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Java Exploit - cee.jar"; flow:established,to_server; content:"/cee.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016859; rev:4; metadata:created_at 2013_05_17, updated_at 2013_05_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT LightsOut EK Exploit/Payload Request"; flow:to_server,established; content:".php?a="; http_uri; fast_pattern:only; nocase; pcre:"/\.php\?a=(?:dw[a-z0-9]|[hr][2-7])$/U"; reference:url,vrt-blog.snort.org/2014/03/hello-new-exploit-kit.html; classtype:exploit-kit; sid:2018207; rev:2; metadata:created_at 2014_03_05, former_category CURRENT_EVENTS, updated_at 2014_03_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JNLP embedded file"; flow:established,to_client; file_data; content:"jnlp"; content:"PD94bWwgdmVyc2lvbj0"; distance:0; classtype:bad-unknown; sid:2017197; rev:3; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java fakav.jar"; flow:established,to_server; content:"/fakav.jar"; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2018209; rev:7; metadata:created_at 2014_03_05, former_category CURRENT_EVENTS, updated_at 2014_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Reversed Embedded JNLP Observed in Sakura/Blackhole Landing"; flow:established,from_server; file_data; content:"deddebme_plnj"; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017198; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Fiesta Jar with four-letter class names"; flow:established,from_server; file_data; content:"PK"; depth:2; content:".classPK"; pcre:"/(PK\x01\x02.{24}\x0a\x00.{16}[a-z]{4}.class){4}/"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018225; rev:2; metadata:created_at 2014_03_06, former_category EXPLOIT_KIT, updated_at 2014_03_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sakura Jar Download"; flow:established,to_client; content:"Content-Type|3a| application/x-java-archive|0d 0a|"; http_header; content:"Sun, 28 Jul 2002 "; fast_pattern; classtype:exploit-kit; sid:2017200; rev:5; metadata:created_at 2013_07_26, former_category EXPLOIT_KIT, updated_at 2013_07_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Rawin Flash Landing URI Struct March 05 2014"; flow:established,to_server; content:".php?b="; http_uri; content:"&css="; http_uri; pcre:"/\.php\?b=[A-F0-9]{6}&css=[a-z]+$/"; classtype:trojan-activity; sid:2018227; rev:2; metadata:created_at 2014_03_06, former_category CURRENT_EVENTS, updated_at 2014_03_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 (Reversed)"; flow:established,to_client; file_data; content:"lRXYklGbhZ3X2N3cfRXZsBHch91X"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017201; rev:6; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Darkshell.A Checkin XOR C0 Win XP"; flow:to_server,established; dsize:<512; content:"|e0 e0 e0 e0 97 89 8e 84 8f|"; content:"|98 90 e0|"; distance:2; within:3; classtype:command-and-control; sid:2018229; rev:2; metadata:created_at 2014_03_06, former_category MALWARE, updated_at 2014_03_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass (Reversed)"; flow:established,to_client; file_data; content:"detadilav_vss_telppa__"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017202; rev:3; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Hack.PcClient.g CnC (OUTBOUND) XOR b5"; flow:to_server,established; content:"|d0 cd d0 db d4 d8 d0|"; content:"|d9 da d2 dc db|"; distance:0; content:"|d1 da d6 d8 d1|"; distance:0; content:"|dd da c6 c1 db d4 d8 d0|"; fast_pattern; distance:0; content:"|c2 dc db d1 da c2 c6|"; distance:0; reference:md5,dfd6b93dac698dccd9ef565a172123f3; classtype:command-and-control; sid:2018154; rev:3; metadata:created_at 2014_02_19, former_category MALWARE, updated_at 2014_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 2 (Reversed)"; flow:established,to_client; file_data; content:"0FGZpxWY29ldzN3X0VGbwBXYf9"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017203; rev:5; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RedKit/Sakura/CritX/SafePack/FlashPack applet + obfuscated URL Apr 10 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; pcre:"/^((?!(?i:<\/applet>)).)+?(?i:value)[\r\n\s]*=[\r\n\s]*\x5c?[\x22\x27](?!http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]+(?P=slash)/Rs"; classtype:exploit-kit; sid:2016751; rev:10; metadata:created_at 2013_04_12, former_category EXPLOIT_KIT, updated_at 2013_04_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 3 (Reversed)"; flow:established,to_client; file_data; content:"kVGdhRWasFmdfZ3cz9FdlxGcwF2Xf"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017204; rev:5; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CritX/SafePack/FlashPack CVE-2013-2551"; flow:established,from_server; file_data; content:"#default#VML"; content:"stroke"; content:"%66%75%6e%63%74%69%6f%6e"; nocase; content:"%66%72%6f%6d%43%68%61%72%43%6f%64%65"; content:"%63%68%61%72%41%74"; fast_pattern:only; classtype:exploit-kit; sid:2018235; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response Hex (Inbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[a-f0-9]{2})(?P<sep>[^0-9a-f])(?P<f>[a-f0-9]{2})(?P=sep)[a-f0-9]{2}(?P=sep)(?P<n>(?!(?P=f))[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017195; rev:3; metadata:created_at 2013_07_25, former_category CURRENT_EVENTS, updated_at 2013_07_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CritX/SafePack/FlashPack SilverLight Secondary Landing"; flow:established,from_server; file_data; content:"/x-silverlight-2"; content:"aHR0cDov"; distance:0; pcre:"/^[A-Za-z0-9\+\/]+(?:(?:LmVvdA=|5lb3Q)=|uZW90)[\x22\x27]/Rsi"; content:".eot"; classtype:exploit-kit; sid:2018236; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER c0896 Hacked Site Response Hex (Outbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[a-f0-9]{2})(?P<sep>[^0-9a-f])(?P<f>[a-f0-9]{2})(?P=sep)[a-f0-9]{2}(?P=sep)(?P<n>(?!(?P=f))[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017193; rev:3; metadata:created_at 2013_07_25, former_category CURRENT_EVENTS, updated_at 2013_07_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack SilverLight file as eot"; flow:established,from_server; content:"Content-Type|3a 20|application/vnd.ms-fontobject|0d 0a|"; http_header; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; distance:0; fast_pattern; classtype:exploit-kit; sid:2018237; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response Octal (Outbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[0-7]{1,3})(?P<sep>[^0-9a-f])(?P<f>[0-7]{1,3})(?P=sep)[0-7]{1,3}(?P=sep)(?P<n>(?!(?P=f))[0-7]{1,3})(?P=sep)([0-7]{1,3}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[0-7]{1,3})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017192; rev:3; metadata:created_at 2013_07_25, updated_at 2013_07_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javadb.php"; flow:established,to_server; content:"/javadb.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018238; rev:4; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response Octal (Inbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[0-7]{1,3})(?P<sep>[^0-9a-f])(?P<f>[0-7]{1,3})(?P=sep)[0-7]{1,3}(?P=sep)(?P<n>(?!(?P=f))[0-7]{1,3})(?P=sep)([0-7]{1,3}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[0-7]{1,3})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017194; rev:3; metadata:created_at 2013_07_25, former_category CURRENT_EVENTS, updated_at 2013_07_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javaim.php"; flow:established,to_server; content:"/javaim.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018239; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Neutrino Exploit Kit XOR decodeURIComponent"; flow:established,to_client; file_data; content:"xor(decodeURIComponent("; distance:0; classtype:exploit-kit; sid:2017071; rev:3; metadata:created_at 2013_06_27, former_category EXPLOIT_KIT, updated_at 2013_06_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javarh.php"; flow:established,to_server; content:"/javarh.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018240; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdSave"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014737; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Havex Rat Check-in URI Struct"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a 20|"; content:".php?id"; http_uri; content:"&v1="; http_uri; content:"&v2="; http_uri; content:"&q="; http_uri; pcre:"/\.php\?id=[A-F0-9]+\-[A-F0-9]+&v1=[A-F0-9]+&v2=[A-F0-9]+&q=[A-F0-9]+$/U"; reference:md5,6557d6518c3f6bcb8b1b2de77165c962; classtype:trojan-activity; sid:2018251; rev:2; metadata:created_at 2014_03_11, updated_at 2014_03_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GonDadEK Plugin Detect March 11 2013"; flow:to_client,established; file_data; content:"this.gondad = arrVersion"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016560; rev:10; metadata:created_at 2013_03_12, updated_at 2013_03_12;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE TDLv4 SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|*.city.com"; distance:1; within:11; content:"|55 04 07|"; content:"|06|Cities"; distance:1; within:7; content:"|55 04 0a|"; content:"|0a|State Corp"; distance:1; within:11; classtype:trojan-activity; sid:2018256; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdExport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014739; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Page Mar 12 2014"; flow:established,from_server; file_data; content:"/[a-zA-Z]/g|3b|"; fast_pattern; content:"/[0-9]/g|3b|"; content:"|22|f"; pcre:"/^\d+r\d+o\d+m\d/R"; content:"|22|p"; pcre:"/^\d+u\d+s\d+h\d/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018261; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdSave"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014738; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http any any -> any any (msg:"ET CURRENT_EVENTS Dell Kace backdoor"; flow:established,to_server; content:"POST"; http_method; content:"/kbot_upload.php"; nocase; http_uri; content:"filename=db.php"; nocase; distance:0; http_uri; content:"machineId="; nocase; pcre:"/(?:\.\.\/)+kboxwww\/tmp\//Ri"; content:"KSudoClient.class.php"; nocase; http_client_body; content:"KSudoClient|3a 3a|RunCommand"; distance:0; http_client_body; reference:url,console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.html; classtype:attempted-admin; sid:2018263; rev:2; metadata:created_at 2014_03_13, former_category CURRENT_EVENTS, updated_at 2014_03_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdExport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014740; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool/BHEK/Goon Applet with Alpha-Numeric Encoded HTML entity"; flow:established,from_server; file_data; content:"<applet"; nocase; pcre:"/^((?!<\/applet>).)+?&#(?:0*?(?:1(?:[0-1]\d|2[0-2])|[78][0-9]|9[07-9]|4[8-9]|5[0-7]|6[5-9])|x0*?(?:[46][1-9A-F]|[57][0-9A]|3[0-9]))(\x3b|&#)/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017064; rev:18; metadata:created_at 2013_06_25, former_category EXPLOIT_KIT, updated_at 2013_06_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdImport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014741; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Styx Landing Page Mar 08 2014"; flow:established,from_server; file_data; content:"fromCharCode"; content:"substr"; within:200; content:",2,"; within:20; fast_pattern; content:"-"; distance:2; within:4; pcre:"/^\s*?\d/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018260; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdImport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014742; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Server Login OK Packet"; flowbits:isset,ET.gadu.loginsent; flow:established,from_server; content:"|03 00 00 00|"; depth:4; byte_jump:4,0,relative,little,post_offset -1; isdataat:!2,relative; flowbits:set,ET.gadu.loggedin; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008299; classtype:policy-violation; sid:2008299; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdOpen"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014743; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EMET.DLL in jjencode"; flow:established,from_server; file_data; content:"|22 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 22|+"; pcre:"/^(?P<var>.{1,10})\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\$\_\+(?P=var)\.\$\_\_\+\x22\.\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\_\+\x22/R"; classtype:trojan-activity; sid:2018286; rev:3; metadata:created_at 2014_03_18, updated_at 2014_03_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdOpen"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014744; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Linux/Onimiki DNS trojan activity long format (Outbound)"; byte_test:1,!&,128,2; content:"|00 01 00 00 00 00 00 00 38|"; offset:4; depth:9; pcre:"/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00\x01\x00\x01/Rsi"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018275; rev:8; metadata:created_at 2014_03_14, updated_at 2014_03_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Chilkat Software FTP2 ActiveX Component GetFile Access Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"302124C4-30A0-484A-9C7A-B51D5BA5306B"; nocase; distance:0; content:".GetFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/97160/Chilkat-Software-FTP2-ActiveX-Code-Execution.html; classtype:attempted-user; sid:2014763; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET MALWARE Linux/Onimiki DNS trojan activity long format (Inbound)"; byte_test:1,!&,128,2; content:"|00 01 00 00 00 00 00 00 38|"; offset:4; depth:9; pcre:"/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00\x01\x00\x01/Rsi"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018276; rev:6; metadata:created_at 2014_03_14, updated_at 2014_03_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control ConnectDDNS Method Access Code Execution Vulnerability 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"17A7F731-C9EC-461C-B813-2F42A1BB58EB"; nocase; distance:0; content:"ConnectDDNS"; nocase; distance:0; reference:url,secunia.com/advisories/48965/; classtype:attempted-user; sid:2014877; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp any any -> any $SSH_PORTS (msg:"ET MALWARE Linux/Kimodin SSH backdoor activity"; flow:established,to_server; content:"SSH-2.0-"; depth:8; isdataat:22,relative; pcre:"/^[0-9a-f]{22,46}/R"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018264; rev:8; metadata:created_at 2014_03_13, updated_at 2014_03_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Chilkat Software FTP2 ActiveX Component GetFile Access Remote Code Execution 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"ChilkatFtp2.ChilkatFtp2.1"; nocase; distance:0; content:".GetFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/97160/Chilkat-Software-FTP2-ActiveX-Code-Execution.html; classtype:attempted-user; sid:2014764; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Keep-Alive (INBOUND)"; flow:from_server,established; content:"P[endof]"; dsize:8; reference:md5,0ae2261385c482d55519be9b0e4afef3; reference:url,anubis.iseclab.org/?action=result&task_id=1043e1f5f61319b944d51d0d6d7e23f2e; reference:md5,41a0a4c0831dbcbbfd877c7d37b671e0; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2012/09/the-story-behind-backdoorlv.html; classtype:command-and-control; sid:2017417; rev:9; metadata:created_at 2012_07_31, former_category MALWARE, updated_at 2012_07_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control ConnectDDNS Method Access Code Execution Vulnerability"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"EEDBA32E-5C2D-48f1-A58E-0AAB0BC230E3"; nocase; distance:0; content:"ConnectDDNS"; nocase; distance:0; reference:url,secunia.com/advisories/48965/; classtype:attempted-user; sid:2014876; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.WinSpy.pob Sending Data over SMTP"; flow:to_server,established; content:"filename="; content:"PC_Active_Time.txt"; within:19; content:"|0d 0a|"; within:3; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018019; rev:3; metadata:created_at 2014_01_28, updated_at 2014_01_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denail of Service Attack"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"8F085BC0-363D-4219-95BA-DC8A5E06D295"; nocase; distance:0; content:"BlogThisLink"; nocase; distance:0; reference:url,1337day.com/exploits/17583; classtype:attempted-user; sid:2014765; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.WinSpy.pob Sending Data over SMTP 2"; flow:to_server,established; content:"Subject|3a 20|LOG|20|FILE|20 20|Current User|3a|"; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018020; rev:3; metadata:created_at 2014_01_28, updated_at 2014_01_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control BackupToAvi Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"208650B1-3CA1-4406-926D-45F2DBB9C299"; nocase; distance:0; content:"BackupToAvi"; nocase; distance:0; reference:url,secunia.com/advisories/48966/; classtype:attempted-user; sid:2014875; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 1024"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009582; classtype:attempted-recon; sid:2009582; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control BackupToAvi Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A"; nocase; distance:0; content:"BackupToAvi"; nocase; distance:0; reference:url,secunia.com/advisories/48966/; classtype:attempted-user; sid:2014874; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 3072"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009583; classtype:attempted-recon; sid:2009583; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denail of Service Attack 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"WindowsLiveWriterApplicationLib.WindowsLiveWriterApplication"; nocase; distance:0; content:"BlogThisLink"; nocase; distance:0; reference:url,1337day.com/exploits/17583; classtype:attempted-user; sid:2014766; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 4096"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:4096; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009584; classtype:attempted-recon; sid:2009584; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SonicWALL SSL-VPN End-Point Interrogator/Installer ActiveX Control Install3rdPartyComponent Method Buffer Overflow"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"Aventail.EPInstaller"; nocase; distance:0; content:"Install3rdPartyComponent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/95286/SonicWALL-SSL-VPN-End-Point-Interrogator-Installer-ActiveX-Control.html; classtype:attempted-user; sid:2014835; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WEBSHELL CFM Shell Access"; flow:established,from_server; file_data; content:"<title>CFM shell"; nocase; reference:url,blog.spiderlabs.com/2014/03/coldfusion-admin-compromise-analysis-cve-2010-2861.html; classtype:successful-admin; sid:2018290; rev:2; metadata:created_at 2014_03_18, updated_at 2014_03_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible LEADTOOLS ActiveX Raster Twain AppName Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"LTRASTERTWAINLib_U.LEADRasterTwain_U"; nocase; distance:0; content:".AppName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/93252/LEADTOOLS-ActiveX-Raster-Twain-16.5-Buffer-Overflow.html; classtype:attempted-user; sid:2014834; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MultiThreat/Winspy.RAT Keep-Alive (flowbit set)"; flow:established,to_server; dsize:2; content:"/P"; depth:2; flowbits:set,WinSpy.KeepAlive; flowbits:noalert; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; reference:md5,815576890789003a7575c2948508c6b1; classtype:trojan-activity; sid:2018291; rev:1; metadata:created_at 2014_03_18, former_category MALWARE, updated_at 2014_03_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SkinCrafter ActiveX Control InitLicenKeys Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"B9D38E99-5F6E-4C51-8CFD-507804387AE9"; nocase; distance:0; content:"InitLicenKeys"; nocase; distance:0; reference:url,exploit-db.com/exploits/18892/; classtype:attempted-user; sid:2014806; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_25, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MultiThreat/Winspy.RAT Keep-Alive Server Response"; flow:established,from_server; dsize:2; content:"/P"; depth:2; flowbits:isset,WinSpy.KeepAlive; threshold:type limit,count 2,track by_src,seconds 300; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; classtype:trojan-activity; sid:2018292; rev:1; metadata:created_at 2014_03_18, updated_at 2014_03_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible LEADTOOLS ActiveX Raster Twain AppName Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"00165752-B1BA-11CE-ABC6-F5B2E79D9E3F"; nocase; distance:0; content:".AppName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/93252/LEADTOOLS-ActiveX-Raster-Twain-16.5-Buffer-Overflow.html; classtype:attempted-user; sid:2014833; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 37 (msg:"ET MALWARE MultiThreat/Winspy.RAT SMTP Data Exfiltration"; flow:established,to_server; content:"X-Mailer|3A| SysMon v1.0.0"; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; classtype:trojan-activity; sid:2018293; rev:1; metadata:created_at 2014_03_18, updated_at 2014_03_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Wireless Manager Sony VAIO ConnectToNetwork Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"92E7DDED-BBFE-4DDF-B717-074E3B602D1B"; nocase; distance:0; content:"ConnectToNetwork"; nocase; distance:0; reference:url,packetstormsecurity.org/files/113131/Wireless-Manager-Sony-VAIO-4.0.0.0-Buffer-Overflows.html; classtype:attempted-user; sid:2014832; rev:4; metadata:created_at 2012_06_01, updated_at 2012_06_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET MALWARE MultiThreat/Winspy.RAT FTP File Download Command"; flow:established,to_server; dsize:>0; content:"/CD |5C 5C 5C|"; depth:9; pcre:"/^(?:(?:PCACTIV|ONLIN)ETIME|WEBSITE[DS]|CHATROOM|KEYLOGS)/Ri"; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; classtype:trojan-activity; sid:2018294; rev:1; metadata:created_at 2014_03_18, updated_at 2014_03_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Wireless Manager Sony VAIO SetTmpProfileOption Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"92E7DDED-BBFE-4DDF-B717-074E3B602D1B"; nocase; distance:0; content:"SetTmpProfileOption"; nocase; distance:0; reference:url,packetstormsecurity.org/files/113131/Wireless-Manager-Sony-VAIO-4.0.0.0-Buffer-Overflows.html; classtype:attempted-user; sid:2014831; rev:3; metadata:created_at 2012_06_01, updated_at 2012_06_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK encrypted binary (3)"; flow:established,to_client; file_data; content:"|89 b4 f4 6a 24 1f 46 14|"; depth:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018297; rev:2; metadata:created_at 2014_03_20, former_category EXPLOIT_KIT, updated_at 2014_03_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SkinCrafter ActiveX Control InitLicenKeys Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"SKINCRAFTERLib.SCSkin3"; nocase; distance:0; content:"InitLicenKeys"; nocase; distance:0; reference:url,exploit-db.com/exploits/18892/; classtype:attempted-user; sid:2014807; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_25, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Mar 20 2014"; flow:established,from_server; file_data; content:"jnlp_href"; nocase; fast_pattern:only; content:"application/x-silverlight-2"; nocase; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][^\x22\x27\x3d]{1,20}=[a-zA-z0-9\/\+]{10}/R"; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; nocase; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][^\x22\x27\x3d]{1,20}=[a-f0-9]{20}/R"; classtype:exploit-kit; sid:2018298; rev:3; metadata:created_at 2014_03_20, updated_at 2014_03_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Import_Times Method Access buffer overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"05D96F71-87C6-11d3-9BE4-00902742D6E0"; nocase; distance:0; content:"Import_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49285/; classtype:attempted-user; sid:2014809; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_25, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; reference:url,doc.emergingthreats.net/bin/view/Main/2003519; classtype:attempted-admin; sid:2003519; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Attachment_Times Method Access buffer overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"05D96F71-87C6-11d3-9BE4-00902742D6E0"; nocase; distance:0; content:"Attachment_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49285/; classtype:attempted-user; sid:2014808; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_25, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM file transfer request"; flow: established; content:"YMSG"; nocase; depth: 4; content:"|00 dc|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001259; classtype:policy-violation; sid:2001259; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Wscript Shell Run Attempt - Likely Hostile"; flow:established,to_server; content:"WScript.Shell"; nocase; content:".Run"; nocase; within:100; pcre:"/[\r\n\s]+(?P<var1>([a-z]([a-z0-9_])*|_+([a-z0-9])([a-z0-9_])*))[\r\n\s]*\x3d[\r\n\s]*CreateObject\(\s*[\x22\x27]Wscript\.Shell[\x27\x22]\s*\).+?(?P=var1)\.run/si"; classtype:attempted-user; sid:2017205; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-1761 HTTP"; flow:from_server,established; file_data; content:"{|5c|rt{"; content:"|5c|objocx|5c|"; distance:0; content:"MSComctlLib."; content:"|5c|u-554"; fast_pattern; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018313; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_03_25, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 1"; flow:established,from_server; file_data; content:"|22|e|22|+|22|val|22|"; classtype:trojan-activity; sid:2017206; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN NMAP SIP Version Detect OPTIONS Scan"; flow:established,to_server; content:"OPTIONS sip|3A|nm SIP/"; depth:19; classtype:attempted-recon; sid:2018317; rev:1; metadata:created_at 2014_03_25, updated_at 2014_03_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 2"; flow:established,from_server; file_data; content:"|22|ev|22|+|22|al|22|"; classtype:trojan-activity; sid:2017207; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5060:5061 (msg:"ET SCAN NMAP SIP Version Detection Script Activity"; content:"Via|3A| SIP/2.0/TCP nm"; content:"From|3A| <sip|3A|nm@nm"; within:150; fast_pattern; classtype:attempted-recon; sid:2018318; rev:1; metadata:created_at 2014_03_25, updated_at 2014_03_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 3"; flow:established,from_server; file_data; content:"|22|e|22|+|22|v|22|+|22|al|22|"; classtype:trojan-activity; sid:2017208; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Compromised site trudeausociety"; flow:established,to_client; content:"|12|trudeausociety.com"; fast_pattern:only; classtype:trojan-activity; sid:2018319; rev:1; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 4"; flow:established,from_server; file_data; content:"|22|e|22|+|22|v|22|+|22|a|22|+|22|l|22|"; classtype:trojan-activity; sid:2017209; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sisproc"; flow:established,to_server; content:"/page_"; content:"Cookie|3a 20|XX=0|3b 20|BX=0"; reference:url,www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html; reference:md5,aaf73666cbd750ed22b80ed836d2b1e4; classtype:trojan-activity; sid:2018320; rev:3; metadata:created_at 2014_03_26, updated_at 2014_03_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 5"; flow:established,from_server; file_data; content:"|22|ev|22|+|22|a|22|+|22|l|22|"; classtype:trojan-activity; sid:2017210; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED JCE Joomla Extension User-Agent (BOT)"; flow:to_server,established; content:"BOT/0.1 (BOT for JCE)"; depth:21; http_user_agent; reference:url,exploit-db.com/exploits/17734/; reference:url,blog.spiderlabs.com/2014/03/honeypot-alert-jce-joomla-extension-attacks.html; classtype:attempted-recon; sid:2018327; rev:4; metadata:created_at 2014_03_26, updated_at 2014_03_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 6"; flow:established,from_server; file_data; content:"|22|e|22|+|22|va|22|+|22|l|22|"; classtype:trojan-activity; sid:2017211; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Bozok.RAT checkin"; flow:to_server; content:"|00 00 00|"; offset:1; depth:4; content:"|00 7C 00|"; within:32; content:"|00 7C 00|"; within:32; content:"|00 7C 00|"; within:64; content:"|00 7C 00|"; within:12; content:"|00 7C 00|"; within:5; content:"|00 7C 00|0|00 7c 00|2|00|"; within:32; reference:md5,a45d3564d1fa27161b33712f035a5962; reference:url,www.fireeye.com/blog/technical/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html; classtype:command-and-control; sid:2018325; rev:3; metadata:created_at 2014_03_26, former_category MALWARE, updated_at 2014_03_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 1"; flow:established,from_server; file_data; content:"|27|e|27|+|27|val|27|"; classtype:trojan-activity; sid:2017212; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Win32/Kryptik.AZER C2 SSL Stolen Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|junrio.com"; distance:1; within:11; reference:md5,b27e0561283697c1fb1a973c37b52265; classtype:command-and-control; sid:2018328; rev:2; metadata:created_at 2014_03_27, updated_at 2014_03_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 2"; flow:established,from_server; file_data; content:"|27|ev|27|+|27|al|27|"; classtype:trojan-activity; sid:2017213; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Dorkbot.AR Join IRC channel"; flow:to_server,established; content:"NICK n|7B|"; nocase; pcre:"/^\S{2,3}\x7c\S+?[au]\x7D\w{2,11}\x0d?\x0a/Ri"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32/Dorkbot.AR; reference:md5,7e76c7db8706511fc59508af4aef27fa; classtype:trojan-activity; sid:2016768; rev:4; metadata:created_at 2013_04_18, updated_at 2013_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 3"; flow:established,from_server; file_data; content:"|27|eva|27|+|27|l|27|"; classtype:trojan-activity; sid:2017214; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phish - Saved Website Comment Observed"; flow:established,to_client; file_data; content:"<!-- saved from url=("; pcre:"/^\s*?\d+?\s*?\)https\x3a\x2f/Rsi"; content:"<form"; nocase; distance:0; classtype:bad-unknown; sid:2018334; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_03_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2014_03_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 4"; flow:established,from_server; file_data; content:"|27|e|27|+|27|v|27|+|27|al|27|"; classtype:trojan-activity; sid:2017215; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Goon/Infinity EK Landing Mar 31 2014"; flow:established,to_client; file_data; content:".text+=String.fromCharCode"; content:"35"; pcre:"/^[^\d]{1,20}100[^\d]{1,20}101[^\d]{1,20}102[^\d]{1,20}97[^\d]{1,20}117[^\d]{1,20}108[^\d]{1,20}116[^\d]{1,20}35[^\d]{1,20}86[^\d]{1,20}77[^\d]{1,20}76/Rsi"; classtype:exploit-kit; sid:2018337; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_03_31, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 5"; flow:established,from_server; file_data; content:"|27|e|27|+|27|v|27|+|27|a|27|+|27|l|27|"; classtype:trojan-activity; sid:2017216; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY fetch User Agent"; flow:established,to_server; content:"fetch"; nocase; http_user_agent; reference:url,gobsd.com/code/freebsd/lib/libfetch; reference:url,doc.emergingthreats.net/2002826; classtype:attempted-recon; sid:2002826; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 7"; flow:established,from_server; file_data; content:"|27|e|27|+|27|va|27|+|27|l|27|"; classtype:trojan-activity; sid:2017218; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Goon/Infinity EK Landing Mar 31 2014"; flow:established,to_client; file_data; content:"117"; fast_pattern; content:"108"; within:24; content:"116"; within:24; content:"35"; pcre:"/^[^\d](?:.{0,20}[^\d])?100[^\d](?:.{0,20}[^\d])?101[^\d](?:.{0,20}[^\d])?102[^\d](?:.{0,20}[^\d])?97[^\d](?:.{0,20}[^\d])?117[^\d](?:.{1,20}[^\d])?108[^\d](?:.{0,20}[^\d])?116[^\d](?:.{0,20}[^\d])?35[^\d](?:[^\d].{0,20}[^\d])?86[^\d](?:.{0,20}[^\d])?77[^\d](?:.{0,20}[^\d])?76[^\d]/Rsi"; classtype:exploit-kit; sid:2018342; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_04_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 6"; flow:established,from_server; file_data; content:"|27|ev|27|+|27|a|27|+|27|l|27|"; classtype:trojan-activity; sid:2017217; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Deep Panda WateringHole Related URI Struct"; flow:established,to_server; content:".php?v=webhp"; fast_pattern:only; http_uri; nocase; classtype:trojan-activity; sid:2018348; rev:3; metadata:created_at 2014_04_02, updated_at 2014_04_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 7"; flow:established,from_server; file_data; content:"|22|eva|22|+|22|l|22|"; classtype:trojan-activity; sid:2017219; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (inbound)"; flow:established,to_server; content: "|09 01|"; offset:18; depth:2; content:"|00 03|"; distance:10; within:2; byte_jump:2,2,relative,big; content:"|00 00|"; within:2; byte_test:2,>,512,0,relative,big; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; reference:url,doc.emergingthreats.net/bin/view/Main/2002061; classtype:attempted-admin; sid:2002061; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 1"; flow:established,from_server; file_data; content:"|27|s|27|+|27|plit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017220; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP MyWaySearch Products Spyware User Agent"; flow: established,to_server; content:"MyWay"; http_user_agent; reference:url,doc.emergingthreats.net/2002079; reference:url,www.funwebproducts.com; classtype:pup-activity; sid:2002079; rev:19; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 2"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|lit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017221; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SofosFO/GrandSoft landing applet plus class Mar 03 2013"; flow:established,to_client; file_data; content:"<applet"; content:"MyApplet"; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016541; rev:4; metadata:created_at 2013_03_06, updated_at 2013_03_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 3"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|lit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017222; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/ZeroAccess Counter.img Checkin"; flow:established,to_server; content:"/counter.img?theme="; fast_pattern; http_uri; content:"&digits="; http_uri; content:"&siteId="; http_uri; content:"Opera/9 (Windows NT "; http_user_agent; reference:url,malwaremustdie.blogspot.co.uk/2013/02/blackhole-of-closest-version-with.html; classtype:trojan-activity; sid:2016358; rev:5; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 4"; flow:established,from_server; file_data; content:"|27|spl|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017223; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Compromised site potpourriflowers"; flow:established,to_client; content:"|55 04 03|"; content:"|1a|www.potpourriflowers.co.uk"; distance:1; within:27; nocase; classtype:trojan-activity; sid:2018350; rev:2; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 5"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|l|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017224; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Compromised site kionic"; flow:established,to_client; content:"|55 04 03|"; content:"|0a|kionic.com"; distance:1; within:11; nocase; reference:url,blog.malwaremustdie.org/2014/04/upatre-downloading-gmo-is-back-to-ssl.html; classtype:trojan-activity; sid:2018351; rev:2; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 6"; flow:established,from_server; file_data; content:"|27|s|27|+|27|pl|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017225; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible FakeAV binary download (setup)"; content:"GET"; http_method; content:"index.php?key="; http_uri; content:"&key2=download"; http_uri; classtype:trojan-activity; sid:2018352; rev:2; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 7"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|l|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017226; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute Scan (Outgoing)"; flow:to_server,established; urilen:1; content:"/"; http_uri; content:"Microsoft-WebDAV-MiniRedir/5.1.2600"; http_user_agent; depth:35; content:"Referer|3a 20|http|3a|//"; pcre:"/^Host\x3a (?P<ipaddr>\b([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\b).*Referer\x3a http\x3a\/\/(?P=ipaddr)\//Hs"; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:attempted-recon; sid:2018353; rev:4; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 8"; flow:established,from_server; file_data; content:"|27|spli|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017227; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $EXTERNAL_NET any -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute Scan (incoming)"; flow:to_server,established; urilen:1; content:"/"; http_uri; content:"Microsoft-WebDAV-MiniRedir/5.1.2600"; depth:35; http_user_agent; content:"Referer|3a 20|http|3a|//"; pcre:"/^Host\x3a (?P<ipaddr>\b([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\b).*Referer\x3a http\x3a\/\/(?P=ipaddr)\//Hs"; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:attempted-recon; sid:2018354; rev:4; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 9"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|l|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017228; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http any 80 -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute http response"; flow:to_client,established; file_data; content:"<html>kenji oke</html>|0d 0a|"; depth:24; flowbits:isset,ET.Rbrute.incoming; reference:md5,055a9be75e469f8817c9311390a449f6; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:trojan-activity; sid:2018356; rev:3; metadata:created_at 2014_04_04, updated_at 2014_04_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 10"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|li|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017229; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT EvilTDS Redirection"; flow:established,to_server; content:"/zyso.cgi?"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018357; rev:10; metadata:created_at 2014_04_04, former_category CURRENT_EVENTS, updated_at 2014_04_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 11"; flow:established,from_server; file_data; content:"|27|spl|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017230; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK PDF"; flow:established,from_server; file_data; content:"13 0 obj"; pcre:"/^\s*?<<\s*?\/[A-Z0-9a-z]+\([A-Z0-9a-z]+\)\s*?/Rs"; content:"/XFA[(config)17 0 R] /Fields [14 0 R]|0d 0a|>>"; classtype:exploit-kit; sid:2018363; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 12"; flow:established,from_server; file_data; content:"|27|s|27|+|27|pli|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017231; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Goldun Reporting User Activity 2"; flow:established,to_server; content:"?phid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&nn="; nocase; http_uri; content:"User-Agent|3a| z|0d 0a|"; http_header; reference:url,www.avira.com/en/threats/TR_Spy_Goldun_de_1_details.html; reference:url,doc.emergingthreats.net/2002780; classtype:trojan-activity; sid:2002780; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 13"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|l|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017232; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CWS Related Installer"; flow:established,to_server; content:"/image_tracker.php?l="; http_uri; fast_pattern:only; content:"&x="; http_uri; content:"&deptid="; distance:0; http_uri; content:"&page"; distance:0; http_uri; content:"&unique="; distance:0; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002932; classtype:trojan-activity; sid:2002932; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 1"; flow:established,from_server; file_data; content:"|22|s|22|+|22|plit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017233; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WEBSHELL K-Shell/ZHC Shell 1.0/Aspx Shell Backdoor NetCat_Listener"; flow:established,from_server; file_data; content:"Silentz's Tricks:"; content:"action=cmd2"; content:"Start NC"; reference:url,www.fidelissecurity.com/webfm_send/377; reference:url,pastebin.com/XAG1Hnfd; classtype:web-application-attack; sid:2018369; rev:2; metadata:created_at 2014_04_07, updated_at 2014_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 2"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|lit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017234; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ATTACKER WebShell - Zehir4.asp - content"; flow:established,from_server; file_data; content:"<title>zehir3--> powered by zehir"; content:"Sistem Bilgileri"; content:"color=red>Local Adres</td"; content:"zehirhacker"; reference:url,pastebin.com/m44e60e60; reference:url,www.fidelissecurity.com/webfm_send/377; classtype:web-application-attack; sid:2018371; rev:2; metadata:created_at 2014_04_07, updated_at 2014_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 3"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|lit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017235; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Small User Agent Detected (NetScafe)"; flow:established,to_server; content:"NetScafe"; http_user_agent; depth:8; reference:url,doc.emergingthreats.net/2003641; classtype:trojan-activity; sid:2003641; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 4"; flow:established,from_server; file_data; content:"|22|spl|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017236; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vinself Backdoor Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"GIF89a|50 00 00 00|"; http_client_body; depth:10; fast_pattern; content:"|0A|Content-Length|3A| 90|0D 0A|"; http_header; pcre:"/^\/[A-Z]{1}[0-9]{1,3}\/[A-X]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}\/[A-Z]{1}[0-9]{4,5}[A-M]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}\/$/Um"; reference:url,blog.fireeye.com/research/2010/11/winself-a-new-backdoor-in-town.html; classtype:command-and-control; sid:2012865; rev:11; metadata:created_at 2010_12_22, former_category MALWARE, updated_at 2010_12_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 5"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|l|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017237; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan/Hacktool.Sniffer Successful Install Message"; flow:established,to_server; content:"/Install/Post.asp?Uid="; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2013199; rev:5; metadata:created_at 2011_07_05, updated_at 2011_07_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 6"; flow:established,from_server; file_data; content:"|22|s|22|+|22|pl|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017238; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Successful Fake Banking App Install CnC Server Acknowledgement"; flow:established,to_client; file_data; content:"|7b 22|success|22 3A|1,|22|message|22 3A 22|Product successfully updated.|22|}"; within:55; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:command-and-control; sid:2017788; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_11_28, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 7"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|l|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017239; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_InIFRAME - In Referer"; flow:established,to_server; content:"/iniframe/"; http_header; content:"/"; distance:32; within:1; http_header; content:"/"; distance:1; within:5; http_header; content:"/"; distance:32; within:1; http_header; classtype:exploit-kit; sid:2017031; rev:3; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 8"; flow:established,from_server; file_data; content:"|22|spli|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017240; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Malicious Redirect Evernote Spam Campaign Feb 19 2014"; flow:to_server,established; content:"/1.txt"; http_uri; nocase; pcre:"/\/1\.txt$/Ui"; content:"/1.html"; http_header; nocase; pcre:"/Referer\x3a\x20[^\r\n]+?\/1\.html[\x3a\r]/Hi"; classtype:attempted-admin; sid:2018162; rev:3; metadata:created_at 2014_02_20, former_category CURRENT_EVENTS, updated_at 2014_02_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 9"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|l|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017241; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP authorized_keys file transferred"; flow:to_server,established; content:"authorized_keys"; classtype:suspicious-filename-detect; sid:2101927; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 10"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|li|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017242; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 1"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"M1"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018059; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 11"; flow:established,from_server; file_data; content:"|22|spl|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017243; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 2"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Mf"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018060; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 12"; flow:established,from_server; file_data; content:"|22|s|22|+|22|pli|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017244; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 3"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Mh"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018061; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 13"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|l|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017245; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 4"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Ml"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018062; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 4"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; flowbits:isset,ET.JS.Obfus.Func; classtype:trojan-activity; sid:2017246; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 5"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"T1"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018063; rev:3; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 4"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; flowbits:isset,ET.JS.Obfus.Func; classtype:trojan-activity; sid:2017247; rev:2; metadata:created_at 2013_07_30, former_category CURRENT_EVENTS, updated_at 2013_07_30;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 6"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Tf"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018064; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT PluginDetect plus Java version check"; flow:established,from_server; file_data; content:"PluginDetect"; pcre:"/if.{1,10}[<>]=?\s*(?P<quot>[\x22\x27])1(?P<sep>[^0-9a-zA-Z])7((?P=sep)\d+)?(?P=quot).{1,10}[<>]=?\s*(?P=quot)1(?P=sep)7((?P=sep)\d+)?(?P=quot)/s"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017248; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 7"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Th"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018065; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded Applet (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|61|25|70|25|70|25|6c|25|65|25|74"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017249; rev:2; metadata:created_at 2013_07_30, updated_at 2016_10_21;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 8"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Tl"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018066; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded jnlp_embedded (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|6a|25|6e|25|6c|25|70|25|5f|25|65|25|6d|25|62|25|65|25|64|25|64|25|65|25|64"; flowbits:set,et.exploitkitlanding; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009172; classtype:exploit-kit; sid:2017250; rev:2; metadata:created_at 2013_07_30, cve CVE_1234_CVE_341, former_category EXPLOIT_KIT, updated_at 2020_08_31;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 9"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"sh"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018067; rev:3; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|61|25|70|25|70|25|6c|25|65|25|74|25|5f|25|73|25|73|25|76|25|5f|25|76|25|61|25|6c|25|69|25|64|25|61|25|74|25|65|25|64"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017251; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 10"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"sl"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018068; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded/base64 1 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|58|25|31|25|39|25|68|25|63|25|48|25|42|25|73|25|5a|25|58|25|52|25|66|25|63|25|33|25|4e|25|32|25|58|25|33|25|5a|25|68|25|62|25|47|25|6c|25|6b|25|59|25|58|25|52|25|6c"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017252; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED eMule KAD Network Hello Request (2)"; dsize:27; content:"|e4 10|"; depth:2; byte_test:2,<,65535,0,relative; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009971; classtype:policy-violation; sid:2009971; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded/base64 2 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|39|25|66|25|59|25|58|25|42|25|77|25|62|25|47|25|56|25|30|25|58|25|33|25|4e|25|7a|25|64|25|6c|25|39|25|32|25|59|25|57|25|78|25|70|25|5a|25|47|25|46|25|30"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017253; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Trojan-Gypikon Server Check-in Response"; flow:established,from_server; dsize:16; content:"|85 19 00 00 25 04 00 00 00 00|"; content:"|40 00 00 00 00|"; distance:1; within:6; reference:md5,f27bf471d2f2c0a76331d25fc4761e10; reference:md5,792b725b6a2a52e4eecde846b39eea7d; classtype:trojan-activity; sid:2018130; rev:3; metadata:created_at 2014_02_13, updated_at 2014_02_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded/base64 3 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|66|25|58|25|32|25|46|25|77|25|63|25|47|25|78|25|6c|25|64|25|46|25|39|25|7a|25|63|25|33|25|5a|25|66|25|64|25|6d|25|46|25|73|25|61|25|57|25|52|25|68|25|64|25|47|25|56|25|6b"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017254; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Trojan-Gypikon Sending Data"; flow:established,to_server; content:"@"; pcre:"/^(?:x(?:86|64)@)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/R"; content:" OS|3a 20|Win"; within:8; content:" CPU|3a|"; distance:0; content:"Hz|2c|RAM|3a|"; distance:0; reference:md5,f27bf471d2f2c0a76331d25fc4761e10; reference:md5,792b725b6a2a52e4eecde846b39eea7d; classtype:trojan-activity; sid:2018129; rev:4; metadata:created_at 2014_02_13, updated_at 2014_02_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32/Mutopy.A Checkin"; flow:to_server,established; content:"/protocol.php?p="; fast_pattern:only; http_uri; content:"&d="; http_uri; pcre:"/&d=.{44}$/U"; reference:md5,2a0344bac492c65400eb944ac79ac3c3; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FMutopy.A&ThreatID=-2147312217; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/header-spoofing-hides-malware-communication/; classtype:command-and-control; sid:2016963; rev:5; metadata:created_at 2012_04_13, former_category MALWARE, updated_at 2012_04_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS 2search.org User Agent (2search)"; flow:to_server,established; content:"2search"; http_user_agent; fast_pattern:only; reference:url,doc.emergingthreats.net/2003335; classtype:trojan-activity; sid:2003335; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CoolEK - Landing Page (2)"; flow:established,to_client; file_data; content:"</title>|0D 0A|<link href=|22|favicon.ico|22| rel=|22|shortcut icon|22| type=|22|image/x-icon|22| />"; classtype:exploit-kit; sid:2016066; rev:3; metadata:created_at 2012_12_20, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BAT.Qhost - SET"; flow:established,to_server; content:"GET"; http_method; content:"/stat/tuk/"; http_uri; flowbits:set,ETPRO.Trojan.BAT.Qhost; flowbits:noalert; reference:md5,f6e1583aca310c4c0d55db1dae942b2b; classtype:trojan-activity; sid:2014758; rev:5; metadata:created_at 2012_05_16, former_category MALWARE, updated_at 2012_05_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf/Styx EK - fnts.html"; flow:established,to_server; content:"/fnts.html"; http_uri; classtype:exploit-kit; sid:2016129; rev:4; metadata:created_at 2012_12_29, former_category EXPLOIT_KIT, updated_at 2012_12_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Trojan.BAT.Qhost Response from Controller"; flow:established,from_server; flowbits:isset,ETPRO.Trojan.BAT.Qhost; content:"Set-Cookie|3a| ci_session="; content:"session_id"; distance:0; content:"ip_address"; distance:0; content:"user_agent"; distance:0; content:"last_activity"; distance:0; content:"user_data"; distance:0; reference:md5,f6e1583aca310c4c0d55db1dae942b2b; classtype:trojan-activity; sid:2014759; rev:4; metadata:created_at 2012_05_16, updated_at 2012_05_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT /Styx EK - /jlnp.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jlnp.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:exploit-kit; sid:2017100; rev:4; metadata:created_at 2013_07_05, updated_at 2013_07_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 110 (msg:"ET MALWARE Gh0st_Apple Checkin"; flow:to_server,established; content:"GET"; http_method; content:".gif?pid"; fast_pattern; content:"&v="; content:"Mozilla/4.0("; http_user_agent; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; reference:md5,82644661f6639c9fcb021ad197b565f7; classtype:command-and-control; sid:2017412; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT /Styx EK - /jovf.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jovf.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:exploit-kit; sid:2017101; rev:3; metadata:created_at 2013_07_05, updated_at 2013_07_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole Landing to 7-8 chr folder plus index.htm or index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:18<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U"; pcre:"/^\/[A-Za-z0-9]{7,8}\/index\.html?$/U"; classtype:bad-unknown; sid:2015709; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_18, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT /Styx EK - /jorg.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jorg.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:exploit-kit; sid:2017102; rev:3; metadata:created_at 2013_07_05, updated_at 2013_07_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole Landing to 8 chr folder plus js.js"; flow:established,to_server; content:"/js.js"; http_uri; urilen:15; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/js\.js$/U"; classtype:bad-unknown; sid:2014629; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_20, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Landing Applet With Payload Aug 02 2013"; flow:established,to_client; file_data; content:"<applet"; content:" value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]http\x3a\/\/[^\/]+?\/\?[A-Za-z0-9]+=[A-Za-z0-9%]{60,}[\x22\x27]/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:exploit-kit; sid:2017270; rev:7; metadata:created_at 2013_08_03, former_category EXPLOIT_KIT, updated_at 2013_08_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32/Zegost.Q CnC traffic (OUTBOUND)"; flow:to_server,established; dsize:>11; content:"|55 60 67 6c 69 70 9a|"; offset:8; depth:7; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,4f0d365408b439eb9aaf0b2352abb662; classtype:command-and-control; sid:2018390; rev:1; metadata:created_at 2014_04_16, former_category MALWARE, updated_at 2014_04_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Plugin-Detect with global % replace on unescaped string (Sakura)"; flow:established,to_client; file_data; content:"PluginDetect.getVersion"; fast_pattern; content:"unescape("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\x22\x27]\.replace\([\r\n\s]*?(?P<q1>[\x22\x27]?)\/.+?\/g[\r\n\s]*?,[\r\n\s]*?(?P<q2>[\x22\x27]?)%(?P=q2)[\r\n\s]*?\)/R"; classtype:exploit-kit; sid:2017271; rev:3; metadata:created_at 2013_08_03, updated_at 2013_08_03;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE CryptoDefense DNS Domain Lookup"; content:"|10|rj2bocejarqnpuhm"; nocase; pcre:"/^[^\x00]+?\x00/Rs"; classtype:trojan-activity; sid:2018397; rev:3; metadata:created_at 2014_04_16, updated_at 2014_04_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/StealRat.SpamBot CnC Server Configuration File Response"; flowbits:isset,et.stealrat.config; flow:established,to_client; file_data; content:"<repo"; distance:0; content:"<dudp>"; within:50; content:"<|2F|dudp>"; within:100; content:"<pudp>"; within:50; content:"<|2F|pudp>"; within:100; content:"<tbd>"; within:50; content:"<dom>"; within:50; content:"<|2F|dom>"; within:100; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf; classtype:command-and-control; sid:2017275; rev:2; metadata:created_at 2013_08_05, former_category MALWARE, updated_at 2013_08_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BitCrypt Ransomware Domain"; flow:established,to_server; content:"bitcrypt.cc"; nocase; http_header; pcre:"/Host\x3a\x20(?:[^\r\n]+\.)?bitcrypt\.cc(?:\x3a\d{1,5})?\r\n/Hmi"; classtype:trojan-activity; sid:2018400; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_04_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2014_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx iframe with obfuscated Java version check Jul 04 2013"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<h"; within:6; pcre:"/(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{12,16}(?P=space)[0-9a-z]{2}(?P=space)(?P<w>[0-9a-z]{2})(?P<i>[0-9a-z]{2})(?P<n>[0-9a-z]{2})[0-9a-z]{4}(?P=w)[0-9a-z]{10}(?P=i)(?P=n)[0-9a-z]{28}(?P=i)[0-9a-z]{2}(?P=n)[0-9a-z]{6}(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017114; rev:5; metadata:created_at 2013_07_05, updated_at 2013_07_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32/Pushdo CnC Server Fake JPEG Response"; flow:established,to_client; file_data; content:"<!--[if IE]"; distance:0; content:"<img src=|22|data|3A|image/jpeg|3B|base64"; distance:0; reference:url,www.damballa.com/downloads/r_pubs/Damballa_mv20_case_study.pdf; classtype:command-and-control; sid:2016857; rev:3; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Microsoft Script Encoder Encoded File"; flow:established,from_server; file_data; content:"#@~^"; within:4; classtype:trojan-activity; sid:2017282; rev:3; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Inbox View"; flow:to_server,established; content:"/ym/ShowFolder"; http_uri; nocase; content:"rb=Inbox"; nocase; reference:url,doc.emergingthreats.net/2000041; classtype:policy-violation; sid:2000041; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole TKR Landing Page /last/index.php"; flow:established,to_server; content:"/last/index.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015475; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Message View"; flow:to_server,established; content:"/ym/ShowLetter"; nocase; http_uri; content:"MsgId"; nocase; reference:url,doc.emergingthreats.net/2000042; classtype:policy-violation; sid:2000042; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible CritX/SafePack/FlashPack Jar Download"; flow:established,from_server; content:"filename=j"; http_header; content:".jar"; distance:23; within:4; http_header; pcre:"/filename=j[a-f0-9]{23}\.jar/H"; classtype:exploit-kit; sid:2017296; rev:5; metadata:created_at 2013_08_08, former_category CURRENT_EVENTS, updated_at 2013_08_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Message Compose Open"; flow:to_server,established; content:"/ym/Compose"; http_uri; nocase; reference:url,doc.emergingthreats.net/2000043; classtype:policy-violation; sid:2000043; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin -TDS - POST w/Java Version"; flow:established,to_server; content:"POST"; http_method; content:"&v="; http_client_body; depth:3; pcre:"/^&v=(null|(\d+\.)+?\d+)\x3b\d+\x3b\x3b\d{3,5}x\d{3,5}\x3b/P"; classtype:trojan-activity; sid:2017300; rev:2; metadata:created_at 2013_08_08, updated_at 2013_08_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Styx Kein Landing URI Struct"; flow:to_server,established; content:"/?"; depth:2; http_uri; fast_pattern; pcre:"/^\/\?[^=&\?]{4,}=[^&]{20,}$/U"; content:"Host|3a 20|www"; http_header; content:!"."; within:1; http_header; pcre:"/^Host\x3a\x20www\d+?\.[^\.]+?\.[^\.]+?\.([^\.]+\.)*?[a-z]{2,4}(?:\x3a\d{1,5})?\r$/Hmi"; classtype:trojan-activity; sid:2017947; rev:4; metadata:created_at 2014_01_09, updated_at 2014_01_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Trojan Dropper purporting to be missing application - findloader"; flow:established,to_server; content:"/findloader"; http_uri; pcre:"/findloader[^\x2f\.\?]*?\.php\?[a-z]=[^&]+$/U"; classtype:trojan-activity; sid:2017302; rev:2; metadata:created_at 2013_08_08, updated_at 2013_08_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Potential Common Malicious JavaScript Loop"; flow:established,to_client; content:"for("; content:"|3B|"; within:20; content:">=0|3B|"; fast_pattern; within:10; content:"--)"; within:10; pcre:"/for\x28[^\x3D\r\n]*[0-9]{1,6}\x2D[0-9]{1,5}\x3B[^\x3D\r\n]\x3E\x3D0\x3B[^\x29\r\n]\x2D\x2D\x29/"; classtype:bad-unknown; sid:2015045; rev:4; metadata:created_at 2012_07_07, updated_at 2012_07_07;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 0f2490 Hacked Site Response (Inbound)"; flow:established,from_server; file_data; content:"</script>"; content:"#/0f2490#"; fast_pattern; distance:0; classtype:trojan-activity; sid:2017306; rev:5; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase Parameters Buffer Overflow"; flow:to_client,established; flowbits:isset,NtDll.ImageBase.Module.Called; content:"ZwProtectVirtualMemory|22|"; content:"strDup|28|"; distance:0; content:"<object|20|"; distance:0; content:"application|2f|x|2d|java|2d|applet"; within:35; content:"|3c|param|20|name"; distance:0; content:"|22|launchjnlp|22|"; within:20; content:"|3c|param|20|name"; distance:0; content:"|22|docbase|22|"; within:20; content:"|3c|fieldset|3e 3c|legend|3e|"; distance:0; content:"object"; within:10; content:"|2e|innerHTML"; distance:0; reference:url,www.exploit-db.com/exploits/15241/; reference:cve,2010-3552; reference:bid,44023; classtype:attempted-user; sid:2012100; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_22, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS 0f2490 Hacked Site Response (Outbound)"; flow:established,from_server; file_data; content:"</script>"; content:"#/0f2490#"; fast_pattern; distance:0; classtype:trojan-activity; sid:2017307; rev:5; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Downloader Win32.Genome.avan"; flow:to_server,established; content:"mac="; http_uri; content:"&hdid="; http_uri; content:"&wlid="; http_uri; fast_pattern:only; content:"&start="; http_uri; content:"&os="; http_uri; content:"&mem="; http_uri; content:"&alive="; http_uri; content:"&ver="; http_uri; reference:url,doc.emergingthreats.net/2011236; classtype:trojan-activity; sid:2011236; rev:5; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible FortDisco Wordpress Brute-force Site list download 10+ wp-login.php"; flow:established,to_client; file_data; content:"/wp-login.php|0d 0a|"; nocase; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; reference:url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/; reference:md5,722a1809bd4fd75743083f3577e1e6a4; classtype:trojan-activity; sid:2017310; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_08_12, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fiesta PDF Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"%PDF"; within:1024; classtype:exploit-kit; sid:2018408; rev:2; metadata:created_at 2014_04_23, former_category CURRENT_EVENTS, updated_at 2014_04_23;)
 
-alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.Win32.Agent.bay Covert Channel (VERSONEX and Mr.Black)"; content:"VERSONEX|3a|"; depth:64; fast_pattern; content:"Mr.Black"; within:50; classtype:trojan-activity; sid:2017315; rev:2; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta SilverLight Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"AppManifest.xaml"; nocase; classtype:exploit-kit; sid:2018409; rev:2; metadata:created_at 2014_04_23, former_category EXPLOIT_KIT, updated_at 2014_04_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE python shell spawn attempt"; flow:established,to_client; content:"pty|2e|spawn|2822|/bin/sh|2229|"; depth:64; classtype:trojan-activity; sid:2017317; rev:2; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fiesta Flash Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"ZWS"; within:3; classtype:exploit-kit; sid:2018410; rev:2; metadata:created_at 2014_04_23, former_category CURRENT_EVENTS, updated_at 2014_04_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET 8300 (msg:"ET WEB_SERVER Novell GroupWise Messenger Accept Language Buffer Overflow"; flow:established,to_server; content:"Accept-Language"; nocase; pcre:"/^Accept-Language\:[^\n]*?[^,\;\n]{17}/mi"; reference:cve,2006-0992; reference:bugtraq,17503; reference:url,doc.emergingthreats.net/2002865; classtype:attempted-user; sid:2002865; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta Flash Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"CWS"; within:3; classtype:exploit-kit; sid:2018411; rev:2; metadata:created_at 2014_04_23, former_category EXPLOIT_KIT, updated_at 2014_04_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole EK Non-standard base64 Key"; flow:established,from_server; file_data; content:"var "; content:" = |22|"; within:10; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; content:" & 15) << 4)"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017265; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; pcre:"/\/\?[0-9a-f]{60,66}[\;\d\x2c]*$/U"; classtype:exploit-kit; sid:2013094; rev:9; metadata:created_at 2011_06_22, former_category CURRENT_EVENTS, updated_at 2011_06_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole EK Non-standard base64 Key"; flow:established,from_server; file_data; content:"keyStr = |22|"; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017164; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Wapomi.AD Variant Checkin"; flow:established,to_server; content:"/passport.asp?ID="; http_uri; content:"&fn="; http_uri; content:"&Var="; http_uri; reference:md5,37ab252df52f5e1a46b3b40e9afb40c0; classtype:command-and-control; sid:2013720; rev:5; metadata:created_at 2011_10_01, former_category MALWARE, updated_at 2011_10_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sinowal/Mebroot/Torpig Client POST"; flow:to_server,established; content:"POST"; depth:4; http_method; content:"|0d 0a|Connection|3a| close|0d 0a 0d 0a a9 3a d4 31 4b 84|"; fast_pattern; reference:url,doc.emergingthreats.net/2008520; classtype:trojan-activity; sid:2008520; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan Checkin to CnC Server"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/passport.asp?ID="; http_uri; content:"&fn="; http_uri; content:"&Var="; http_uri; classtype:command-and-control; sid:2013344; rev:5; metadata:created_at 2011_08_02, updated_at 2011_08_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Sinowal/Torpig Phoning Home"; flow:established,to_server; content:"GET"; http_method; content:"/ld/"; http_uri; content:".php"; http_uri; content:"id="; http_uri; content:"&n="; http_uri; content:"&try="; http_uri; reference:url,doc.emergingthreats.net/2008580; classtype:trojan-activity; sid:2008580; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PSW.Win32.Ruftar.lon File Stealer FTP File Upload"; flow:established,to_server; content:"CWD Stealer"; classtype:trojan-activity; sid:2013346; rev:4; metadata:created_at 2011_08_02, updated_at 2011_08_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Kuluoz.B CnC"; flow:from_server,established; file_data; content:"c=run&u=/get/"; content:".exe"; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2015902; rev:7; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Bravesentry.com/Protectwin.com Fake Antispyware Reporting"; flow:established,to_server; content:"/download.php?&advid="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&p="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; content:"Host|3a| "; http_header; content:".bravesentry.com"; nocase; http_header; fast_pattern; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; reference:url,doc.emergingthreats.net/bin/view/Main/2003542; classtype:trojan-activity; sid:2003542; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Kuluoz.B CnC 2"; flow:from_server,established; file_data; content:"c=idl"; within:5; isdataat:!1,relative; reference:md5,a88ba0c2b30afba357ebb38df9898f9e; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2015903; rev:5; metadata:created_at 2012_09_25, former_category MALWARE, updated_at 2012_09_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan Download"; flow:established,to_server; content:"/taskmgr.exe"; http_uri; fast_pattern; content:"Accept-Language|3a 20|zh-cn|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; http_header; reference:md5,3a2c3b422a7ec78f88a939d20ed07615; classtype:trojan-activity; sid:2017659; rev:6; metadata:created_at 2013_11_04, updated_at 2013_11_04;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS IRC - NICK and 3 Letter Country Code"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*[\[\|\{][A-Z]{3}[\]\|\}]/R"; classtype:bad-unknown; sid:2017319; rev:6; metadata:created_at 2013_08_13, former_category HUNTING, updated_at 2013_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan Secondary Download"; flow:established,to_server; content:"/calc.exe"; http_uri; fast_pattern; content:"Accept-Language|3a 20|zh-cn|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; http_header; reference:md5,3a2c3b422a7ec78f88a939d20ed07615; classtype:trojan-activity; sid:2017658; rev:6; metadata:created_at 2013_11_04, updated_at 2013_11_04;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS IRC - NICK and Win"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*win/Ri"; classtype:bad-unknown; sid:2017322; rev:4; metadata:created_at 2013_08_13, former_category MALWARE, updated_at 2013_08_13;)
+#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ftpchk3.php possible upload success"; flow:to_client,established; content:"|0d 0a|150 "; content:"ftpchk3.php|0d 0a|226 "; distance:0; nocase; reference:url,digitalpbk.blogspot.com/2009/10/ftpchk3-virus-php-pl-hacked-website.html; reference:url,labs.mwrinfosecurity.com/system/assets/131/original/Journey-to-the-Centre-of-the-Breach.pdf; classtype:attempted-admin; sid:2018417; rev:3; metadata:created_at 2014_04_24, updated_at 2014_04_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS IRC - NICK and -PC"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*-PC/Ri"; classtype:bad-unknown; sid:2017323; rev:4; metadata:created_at 2013_08_13, former_category MALWARE, updated_at 2013_08_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cutwail.BE Checkin 2"; flow:established,from_client; dsize:32; content:"|00 00 00 00 FF FF FF FF 3F 57|"; depth:10; content:"|FE FF FF FF FF FF FF FF FF FF FF|"; distance:3; within:11; threshold: type limit, track by_src, seconds 60, count 1; reference:md5,c6d256edcc8879717539f348706061f2; reference:md5,8f17e2a9e7c6cbec772ae56dfffb13cb; classtype:command-and-control; sid:2014272; rev:3; metadata:created_at 2012_02_22, former_category MALWARE, updated_at 2012_02_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK setSecurityManager hex August 14 2013"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"73657453656375726974794d616e6167657228"; nocase; reference:url,piratebrowser.com; classtype:exploit-kit; sid:2017328; rev:2; metadata:created_at 2013_08_15, former_category CURRENT_EVENTS, updated_at 2013_08_15;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cutwail.BE Checkin 1"; flow:established,from_client; dsize:234; content:"|16 03 00 00 37 01 00 00 33 03 00|"; depth:11; threshold: type limit, track by_src, seconds 60, count 1; reference:md5,4352407efc8891215b514a54db5b8a1d; reference:md5,45ab3554f3d60d07fc5228faff7784e1; classtype:command-and-control; sid:2014271; rev:3; metadata:created_at 2012_02_22, former_category MALWARE, updated_at 2012_02_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sibhost Zip as Applet Archive July 08 2013"; flow:established,from_server; file_data; content:"jquery.js"; content:"archive"; fast_pattern; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\.zip[\x22\x27]/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017166; rev:4; metadata:created_at 2013_07_23, updated_at 2013_07_23;)
+alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Backdoor.Win32.RShot Ping Outbound"; icode:0; itype:8; icmp_id:512; dsize:32; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; reference:md5,34477e29f7408966d2703f3471741618; reference:md5,adf4c3a16f5f6d4baa634b2c50bf7454; classtype:trojan-activity; sid:2014270; rev:3; metadata:created_at 2012_02_21, updated_at 2012_02_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQLi - SELECT and sysobject"; flow:established,to_server; content:"SELECT"; nocase; content:"sysobjects"; distance:0; nocase; classtype:attempted-admin; sid:2017330; rev:2; metadata:created_at 2013_08_15, updated_at 2013_08_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Crystalize Filter in Uncompressed Flash"; flow:from_server,established; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"Crystallize -filter"; content:"|41 41 41 41|"; distance:0; reference:url,www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks; classtype:trojan-activity; sid:2018428; rev:2; metadata:created_at 2014_04_28, former_category CURRENT_EVENTS, updated_at 2014_04_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx EK - /jvvn.html"; flow:established,to_server; content:"/jvvn.html"; http_uri; classtype:exploit-kit; sid:2017333; rev:3; metadata:created_at 2013_08_15, former_category CURRENT_EVENTS, updated_at 2013_08_15;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102710; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Reassigned Eval Function 1"; flow:established,from_server; file_data; content:"=(eval)|3b|"; classtype:bad-unknown; sid:2017334; rev:3; metadata:created_at 2013_08_15, former_category INFO, updated_at 2013_08_15;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102716; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Reassigned Eval Function 2"; flow:established,from_server; file_data; content:"=[|22|eval|22|]|3b|"; classtype:bad-unknown; sid:2017335; rev:3; metadata:created_at 2013_08_15, former_category INFO, updated_at 2013_08_15;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102787; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Reassigned Eval Function 3"; flow:established,from_server; file_data; content:"=[|27|eval|27|]|3b|"; classtype:bad-unknown; sid:2017336; rev:3; metadata:created_at 2013_08_15, former_category INFO, updated_at 2013_08_15;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102794; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - net add PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"net"; within:200; content:"/add"; within:100; classtype:trojan-activity; sid:2017285; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(refresh_template_name|user_name)[\r\n\s]*=>[\r\n\s]*\2|(refresh_template_name|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102803; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - netsh - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"netsh"; within:50; classtype:trojan-activity; sid:2017286; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic Password Stealer Checkin URL Detected"; flow:established,to_server; content:"method=get"; nocase; http_uri; content:"&port="; nocase; http_uri; content:"&type="; nocase; http_uri; content:"&winver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006384; classtype:trojan-activity; sid:2006384; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - ipconfig - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"ipconfig"; within:100; classtype:trojan-activity; sid:2017287; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Upatre Binary Download April 28 2014"; flow:established,from_server; file_data; content:"|ff d1 4e 8d|"; within:4; classtype:trojan-activity; sid:2018422; rev:3; metadata:created_at 2014_04_28, updated_at 2014_04_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot -  reg - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"reg "; within:50; content:"HKEY_"; within:20; classtype:trojan-activity; sid:2017288; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Common Bad Actor Indicators Used in Various Targeted 0-day Attacks"; flow:from_server,established; file_data; content:"dword2data"; fast_pattern; pcre:"/^\s*?\(/Rs"; content:"function"; pcre:"/^\s*?fun\s*?\(/Rs"; content:"CollectGarbage"; reference:cve,2014-0322; reference:cve,2014-1776; classtype:trojan-activity; sid:2018439; rev:4; metadata:created_at 2014_04_30, former_category CURRENT_EVENTS, updated_at 2014_04_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - The command completed successfully - PRIVMSG Response"; flow:established,from_client; content:"PRIVMSG "; content:"The command completed successfully."; distance:0; classtype:trojan-activity; sid:2017289; rev:4; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT 32-byte by 32-byte PHP EK Gate with HTTP POST"; flow:established,to_server; urilen:72; content:"POST"; http_method; content:".php?q="; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{32}\.php\?q=[a-f0-9]{32}$/U"; classtype:exploit-kit; sid:2018442; rev:3; metadata:created_at 2014_05_02, former_category CURRENT_EVENTS, updated_at 2014_05_02;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - net command output"; flow:established,from_client; content:"PRIVMSG "; fast_pattern; content:"-------------------------------------------------------------------------------"; distance:0; classtype:trojan-activity; sid:2017291; rev:5; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Spy.Win32.Zbot.hmcm Checkin"; flow:established,to_server; content:"/b/"; depth:3; http_uri; pcre:"/^\/b\/(eve|opt|req)\/[\-f0-9A-F]{24}$/U"; reference:md5,291b5ce96b3932944a32031d33bc8cfc; classtype:trojan-activity; sid:2018437; rev:4; metadata:created_at 2013_01_26, updated_at 2013_01_26;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - ipconfig command output"; flow:established,from_client; content:"PRIVMSG "; content:"Windows IP"; within:200; classtype:trojan-activity; sid:2017292; rev:4; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Base64 Encoded Java Value"; flow:established,to_client; file_data; content:"<applet"; content:"<param"; distance:0; content:"<value="; distance:0; pcre:"/\x3Cvalue\x3D\x22([a-z0-9+/]{4})*(?:[a-z0-9+/]{2}==|[a-z0-9+/]{3}=)/smi"; reference:url,vrt-blog.snort.org/2014/05/continued-analysis-of-lightsout-exploit.html; classtype:bad-unknown; sid:2018447; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_05_05, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_05_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - net localgroup - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"net localgroup"; within:200; classtype:trojan-activity; sid:2017284; rev:4; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
+#alert tcp any any -> any 443 (msg:"ET DELETED Potential Selfint C2 traffic (from client)"; flow: from_client,established; content:"PuTTY-Local|3a| Feb 5 2013 18|3a|27|3a|27"; classtype:command-and-control; sid:2018450; rev:7; metadata:created_at 2014_05_05, updated_at 2014_05_05;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - Directory Listing *nix"; flow:established,from_client; content:"PRIVMSG "; fast_pattern; content:"-rw-r--r--"; within:300; classtype:trojan-activity; sid:2017303; rev:5; metadata:created_at 2013_08_08, updated_at 2013_08_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Goon/Infinity URI Struct EK Landing May 05 2014"; flow:established,to_server; content:".php?req="; nocase; http_uri; fast_pattern; content:"&PHPSSESID="; http_uri; pcre:"/\.php\?req=(?:swf(?:IE)?|x(?:ap|ml)|jar|mp3)&/Ui"; classtype:exploit-kit; sid:2018441; rev:10; metadata:created_at 2014_05_02, former_category CURRENT_EVENTS, updated_at 2014_05_02;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - Directory Listing"; flow:established,from_client; content:"PRIVMSG "; content:"  <DIR>"; within:200; classtype:trojan-activity; sid:2017290; rev:3; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NeoSploit Jar with three-letter class names"; flow:established,from_server; file_data; content:"PK"; depth:2; content:".classPK"; pcre:"/(\0[a-z]{3}\.classPK.{43}){4}/"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015846; rev:3; metadata:created_at 2012_10_27, updated_at 2012_10_27;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - net user - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"net user"; within:200; classtype:trojan-activity; sid:2017283; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/ProxyChanger.InfoStealer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/abc.php"; http_uri; fast_pattern; content:"User-Agent|3A 20|Mozilla/3.0|20 28|compatible|3B 20|Indy Library|29|"; http_header; content:"ABC="; http_client_body; depth:4; content:"&XRE="; http_client_body; within:30; reference:md5,67c9799940dce6b9af2e6f98f52afdf7; classtype:command-and-control; sid:2014356; rev:5; metadata:created_at 2012_03_09, former_category MALWARE, updated_at 2012_03_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Optix Pro Trojan/Keylogger Reporting Installation via Email"; flow:established,to_server; content:"Optix Pro v"; content:"Installed Trojan Port|3a|"; distance:0; reference:url,en.wikipedia.org/wiki/Optix_Pro; classtype:trojan-activity; sid:2008212; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.Win32.VBKrypt.cugq Checkin"; flow:to_server,established; content:"/bot.php"; http_uri; content:"umbra"; depth:5; nocase; http_user_agent; reference:url,www.securelist.com/en/descriptions/10316591/Trojan.Win32.VBKrypt.cugq; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=456326; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-RDK/detailed-analysis.aspx; reference:md5,79e24434a74a985e1c64925fd0ac4b28; classtype:trojan-activity; sid:2017348; rev:6; metadata:created_at 2011_04_28, updated_at 2011_04_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkComet-RAT server join acknowledgement"; flow:to_server,established; dsize:12; content:"|39 34 41 35 41 44 30 41 45 46 36 39|"; flowbits:isset,ET.DarkCometJoin; reference:url,www.darkcomet-rat.com; reference:url,anubis.iseclab.org/?action=result&task_id=1a7326f61fef1ecb4ed4fbf3de3f3b8cb&format=txt; classtype:trojan-activity; sid:2013284; rev:3; metadata:created_at 2011_07_18, updated_at 2011_07_18;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Possible WebShell Login Form (Outbound)"; flow:established,from_server; file_data; content:"<pre align=center><form method=post>Password|3a| <input type=password name=pass><input type=submit value=|27|>>|27|></form></pre>"; within:120; isdataat:!2,relative; reference:url,blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html; classtype:trojan-activity; sid:2018459; rev:2; metadata:created_at 2014_05_09, former_category WEB_SERVER, updated_at 2014_05_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkComet-RAT Client Keepalive"; flow:to_server,established; dsize:12; content:"|39 34 41 35 41 44 30 41 45 46 36 39|"; flowbits:isset,ET.DarkCometJoin; reference:url,www.darkcomet-rat.com; classtype:trojan-activity; sid:2013285; rev:2; metadata:created_at 2011_07_18, updated_at 2011_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Daemonize Trojan Proxy Initial Checkin"; flow:established,to_server; content:"/command.php?IP="; http_uri; content:"ID="; http_uri; content:"User-Agent|3a 20 5c 0d 0a|"; pcre:"/ID=\d{24}($|&)/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanProxy%3AWin32%2FDaemonize.A&ThreatID=-2147464655; classtype:command-and-control; sid:2013723; rev:3; metadata:created_at 2011_10_01, former_category MALWARE, updated_at 2011_10_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY exe download via HTTP - Informational"; flow:established,to_server; content:".exe"; http_uri; nocase; content:"GET"; http_method; nocase; pcre:"/\.exe\b/Ui"; reference:url,doc.emergingthreats.net/2003595; classtype:policy-violation; sid:2003595; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Compromised site iclasshd.net"; flow:established,to_client; content:"|55 04 03|"; content:"|0c|iclasshd.net"; distance:1; within:14; nocase; reference:md5,abe131828ce5beae41ef341238016547; classtype:trojan-activity; sid:2018460; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2014_05_09, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER SQLi - SELECT and Schema Columns"; flow:established,to_server; content:"SELECT"; nocase; content:"information_schema.columns"; distance:0; nocase; classtype:attempted-user; sid:2017337; rev:2; metadata:created_at 2013_08_19, updated_at 2013_08_19;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Compromised site sabzevarsez.com"; flow:established,to_client; content:"|55 04 03|"; content:"|13|www.sabzevarsez.com"; distance:1; within:21; nocase; reference:md5,36cf205b39bd27b6dc981dd0da8a311a; classtype:trojan-activity; sid:2018461; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2014_05_09, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 u9090 NOP SLED"; file_data; flow:established,to_client; content:"|5c|u9090|5c|"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2017345; rev:4; metadata:created_at 2013_08_19, updated_at 2013_08_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hacked Website Response '/*km0ae9gr6m*/' Jun 25 2012"; flow:established,from_server; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014964; rev:4; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.APT.9002 CnC Traffic"; flow:to_server,established; dsize:24; content:"|0c 00 00 00 08 00 00 00 19 ff ff ff ff 00 00 00 00 11 00 00|"; offset:4; depth:20; reference:md5,81687637b7bf2b90258a5006683e781c; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/08/the-sunshop-campaign-continues.html; classtype:targeted-activity; sid:2016398; rev:8; metadata:created_at 2012_06_28, former_category MALWARE, updated_at 2012_06_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hacked Website Response '/*qhk6sa6g1c*/' Jun 25 2012"; flow:established,from_server; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014965; rev:4; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Popads Exploit Kit font request 32hex digit .eot"; flow:established,to_server; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\.eot$/Ui"; classtype:exploit-kit; sid:2016064; rev:5; metadata:created_at 2012_12_20, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET DELETED SSL Bomb DoS Attempt"; flow:to_server,established; content:"|16 03 00|"; offset:0; depth:3; content:"|01|"; within:1; distance:2; byte_jump:1,37,relative,align; byte_test:2,>,255,0,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2000016; classtype:attempted-dos; sid:2000016; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Iframe For IP Address Site"; flow:established,to_client; file_data; content:"iframe src=|22|http|3A|//"; nocase; distance:0; pcre:"/^\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}[^\r\n]*\x3C\x2Fiframe\x3E/Ri"; classtype:bad-unknown; sid:2017342; rev:3; metadata:created_at 2013_08_19, updated_at 2013_08_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Backdoor.Unrecom Download"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"Unrecom"; nocase; pcre:"/^[a-z0-9_-]*?\.class/Rsi"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99&tabid=3; reference:url,www.crowdstrike.com/blog/adwind-rat-rebranding/index.html; classtype:trojan-activity; sid:2018466; rev:6; metadata:created_at 2014_05_13, updated_at 2014_05_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible g01pack Exploit Pack Malicious JAR File Request"; flow:established,to_server; content:".jar"; http_uri; fast_pattern; content:"User-Agent|3a|"; nocase; http_header; content:"Java/"; within:200; http_header; pcre:"/\/[0-9a-f]{32}\.jar$/U"; reference:url,blog.tllod.com/2010/11/03/statistics-dont-lie-or-do-they/; reference:url,community.websense.com/blogs/securitylabs/archive/2011/04/19/Mass-Injections-Leading-to-g01pack-Exploit-Kit.aspx; classtype:exploit-kit; sid:2012807; rev:4; metadata:created_at 2011_05_15, updated_at 2011_05_15;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PandoraRat/Refroso.bsp Activity"; flow:established,to_server; content:"|c3 b8 ba ab a0 bc b0 b1 c1 7c|"; depth:10; content:"|7c|N|7c|"; within:200; reference:md5,9972e686d36f1e98ba9bb82b5528255a; classtype:trojan-activity; sid:2018467; rev:4; metadata:created_at 2014_05_13, updated_at 2014_05_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit/Other - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; nocase; content:"value"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?[a-f0-9]{100}/R"; classtype:attempted-user; sid:2015668; rev:6; metadata:created_at 2012_08_29, former_category CURRENT_EVENTS, updated_at 2012_08_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PandoraRat/Refroso.bsp Directory Listing Sent To Server"; flow:established,to_server; content:"|7C|DIR#0#bin|7C|DIR#0"; reference:md5,9972e686d36f1e98ba9bb82b5528255a; classtype:trojan-activity; sid:2018468; rev:4; metadata:created_at 2014_05_13, updated_at 2014_05_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPCIOUS Non-standard base64 charset used for encoding"; flow:established,from_server; file_data; content:" & 15) << 4)"; fast_pattern; content:"(|22|"; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2017364; rev:7; metadata:created_at 2013_08_21, updated_at 2013_08_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack Flash Exploit flash2013.php"; flow:established,to_server; content:"/flash2013.php"; http_uri; nocase; classtype:exploit-kit; sid:2018470; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User Agent (iexplorer)"; flow:to_server,established; content:"User-Agent|3a 20|iexplorer|0d 0a|"; http_header; classtype:trojan-activity; sid:2016140; rev:5; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack Flash Exploit flash2014.php"; flow:established,to_server; content:"/flash2014.php"; http_uri; nocase; classtype:exploit-kit; sid:2018471; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.admin@388 Keepalive to CnC"; flow:established,to_server; content:"|b0 f6 8f d3 1c 2b 0e 50 7e 16 85 de 0c ae 6e 67|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017350; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack Plugin-Detect May 13 2014"; flow:from_server,established; file_data; content:"javarhino"; fast_pattern; nocase; pcre:"/^[\x22\x27]/R"; content:"javaimage"; pcre:"/^[\x22\x27]/R"; content:"javadb"; pcre:"/^[\x22\x27]/R"; content:"getVersion"; content:"SilverLight"; classtype:exploit-kit; sid:2018472; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.th3bug Keepalive to CnC"; flow:established,to_server; content:"|35 d1 50 14 94 b2 24 ac 9b 00 2e f1 99 a0 82 4d|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017351; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Alina.POS-Trojan CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:20; content:"/insidee/loading.php"; fast_pattern:only; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| InfoPath.1 Spark v1.1|0D 0A|"; http_header; reference:url,pages.arbornetworks.com/rs/arbor/images/Uncovering_PoS_Malware.pdf; classtype:command-and-control; sid:2018473; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag c2, updated_at 2014_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.keaidestone Keepalive to CnC"; flow:established,to_server; content:"|82 ca 6f eb 66 ed 9e 86 dc 95 29 f0 68 a2 5d b8|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017352; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED TROJAN Downloader.Win32.Tesch.A Client CnC Checkin"; flow:established,to_server; content:"|01 00 30 01 01 00|"; fast_pattern; depth:6; content:"|00|"; distance:4; within:1; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/R"; reference:md5,86b5491831522f3c7bdcdacb17417514; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:command-and-control; sid:2018476; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_15, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.suzuki Keepalive to CnC"; flow:established,to_server; content:"|d4 77 eb ff b6 94 cc d1 25 b6 30 12 23 d7 2e 24|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017353; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Compromised site dfsdirect.ca"; flow:established,to_client; content:"|55 04 03|"; content:"|0c|dfsdirect.ca"; distance:1; within:14; nocase; reference:md5,fe56b5a28eac390aa8cfb1402360958b; classtype:trojan-activity; sid:2018480; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2014_05_16, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.happyyongzi Keepalive to CnC"; flow:established,to_server; content:"|ad 4a 6c bb a7 9c 30 3e 44 bc cf a5 db 77 3c 62|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017354; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zendran ELF IRCBot Joining Channel"; flow:established,to_server; content:"USER ass localhost localhost"; nocase; reference:url,blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html; reference:url,capsop.com/lightaidra-cc-investigation/; classtype:trojan-activity; sid:2018482; rev:2; metadata:created_at 2014_05_19, updated_at 2014_05_19;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.key@123 Keepalive to CnC"; flow:established,to_server; content:"|ef 80 7b ec 93 e6 92 06 17 12 27 be e3 e2 e1 19|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017355; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zendran ELF IRCBot Joining Channel 2"; flow:established,to_server; content:"PASS eYmUrmyAfG"; reference:url,blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html; reference:url,capsop.com/lightaidra-cc-investigation/; classtype:trojan-activity; sid:2018483; rev:2; metadata:created_at 2014_05_19, updated_at 2014_05_19;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.gwx@123 Keepalive to CnC"; flow:established,to_server; content:"|6c 6e d3 08 a6 26 34 c7 bf c6 d3 d9 df 04 25 97|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017356; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Zendran ELF IRCBot Server Banner"; dsize:>14; flow:established,from_server; content:"|3a|Hell.Network|0d 0a|"; depth:15; reference:url,blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html; reference:url,capsop.com/lightaidra-cc-investigation/; classtype:trojan-activity; sid:2018484; rev:2; metadata:created_at 2014_05_19, updated_at 2014_05_19;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.wwwst@Admin Keepalive to CnC"; flow:established,to_server; content:"|b4 7d 56 44 f3 23 e2 a2 1d 74 18 b6 bc 72 66 2a|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017357; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Width exceeds limit"; flow:established,from_server; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,8,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001191; classtype:misc-activity; sid:2001191; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.xiaoxiaohuli Keepalive to CnC"; flow:established,to_server; content:"|4e c3 69 55 10 ad 3f 34 31 cc d1 73 30 ae 16 64|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017358; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET MALWARE .gadget Email Attachment - Possible Upatre"; flow:established,to_server; content:"Content-Type|3a| application/zip|3b|"; nocase; content:".gadget|22|"; distance:7; within:30; nocase; pcre:"/name=\x22[a-z0-9\-_\.\s]{0,25}\.gadget\x22/i"; reference:url,pastebin.com/5eNDazpL; classtype:trojan-activity; sid:2018490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2014_05_21, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.smallfish Keepalive to CnC"; flow:established,to_server; content:"|19 07 1b 24 3b 7a 9d e7 77 1e 84 f6 0f 60 3e 27|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017359; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sV"; fragbits:!M; dsize:0; flags:S,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000545; classtype:attempted-recon; sid:2000545; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.XGstone Keepalive to CnC"; flow:established,to_server; content:"|ed d2 c6 f2 b9 ca 1e df 5c ba b7 0c 59 8e 9c 49|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017360; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Cert May 20 2014"; flow:established,from_server; content:"|11|www.myparadis.com"; reference:md5,ba7debd3ff51356135866a76116f595b; reference:md5,8a49c032efb6aa3a347a173d196a8bcb; classtype:trojan-activity; sid:2018492; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_05_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PoisonIvy.fishplay Keepalive to CnC"; flow:established,to_server; content:"|77 1b 13 19 a2 d1 8d a1 b5 05 8f fa 3f aa c0 8a|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017361; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT JamMail Jammail.pl Remote Command Execution Attempt"; flow: to_server,established; content:"/cgi-bin/jammail.pl?"; nocase; http_uri; fast_pattern:only; pcre:"/[\?&]mail=[^&]+?[\x3b\x2c\x7c\x27]/Ui"; reference:bugtraq,13937; reference:url,doc.emergingthreats.net/bin/view/Main/2001990; classtype:web-application-attack; sid:2001990; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH"; http_method; content:"/"; http_uri; urilen:1; content:" HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2102091; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Gongda EK Secondary Landing"; flow:established,from_server; file_data; content:"fdsaw[fwegg]"; nocase; pcre:"/^\s*?=\s*?window\.document\.createElement/Rsi"; classtype:exploit-kit; sid:2018501; rev:2; metadata:created_at 2014_05_28, former_category CURRENT_EVENTS, updated_at 2014_05_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mashigoom/Tranwos/RevProxy ClickFraud - hello"; flow:established,to_server; threshold:type both,track by_src,seconds 60,count 1; dsize:<150; content:"hello/"; depth:6; content:"/"; within:3; distance:2; content:"/"; pcre:"/^hello\/[0-9]\.[0-9]\/[0-9]{3}/"; classtype:trojan-activity; sid:2016292; rev:6; metadata:created_at 2013_01_26, updated_at 2013_01_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Gongda EK Landing 1"; flow:established,from_server; file_data; content:"{var bmw=[263,275,275,271,217,206,206,262,256,274,269,260,274,205,258,270,268,217,215,207,210,206,207,207,208,205,260,279,159,260]"; classtype:exploit-kit; sid:2018502; rev:2; metadata:created_at 2014_05_28, former_category CURRENT_EVENTS, updated_at 2014_05_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AutoIT C&C Check-In 2013-08-23 URL"; flow:established,to_server; content:"GET"; http_method; content:"/panel/panel.bin"; http_uri; reference:url,malwr.com/analysis/MWM3NDA2NTdhM2U4NGE0NjgwY2IzN2Y3ZDk4ZTcyMmM/; classtype:trojan-activity; sid:2017370; rev:2; metadata:created_at 2013_08_23, updated_at 2013_08_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Gongda EK Landing 2"; flow:established,from_server; file_data; content:"function(/*jsckvip*/p,/*jsckvip*/a,/*jsckvip*/c,k,/*jsckvip*/e,/*jsckvip*/d/*jsckvip*/)"; classtype:exploit-kit; sid:2018503; rev:2; metadata:created_at 2014_05_28, former_category CURRENT_EVENTS, updated_at 2014_05_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Winwebsec/Zbot/Luder Checkin Response"; flow:established,from_server; file_data; content:"ingdx.htmA{ip}"; nocase; classtype:trojan-activity; sid:2016851; rev:3; metadata:created_at 2013_05_16, former_category CURRENT_EVENTS, updated_at 2013_05_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OneLouder EXE download possibly installing Zeus P2P"; flow:to_client,established; flowbits:isset,ET.OneLouder.Header; file_data; content:"MZ"; within:2; byte_jump:4,60,little,from_beginning; content:"PE|00 00|"; within:4; classtype:trojan-activity; sid:2018464; rev:4; metadata:created_at 2014_05_13, former_category MALWARE, updated_at 2014_05_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Browseraid.com Agent Updating"; flow: to_server,established; content:"/perl/uptodate.pl"; nocase; http_uri; content:"uptodate.browseraid.com"; nocase; http_header; reference:url,www.browseraid.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001304; classtype:trojan-activity; sid:2001304; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre Compromised Site hot-buys"; flow:established,to_client; content:"|55 04 03|"; content:"|0c|hot-buys.org"; distance:1; within:14; nocase; reference:md5,bad758023d2e3cc17b61423720cdb5b7; classtype:trojan-activity; sid:2018506; rev:1; metadata:created_at 2014_05_29, updated_at 2014_05_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CookieBomb Generic JavaScript Format"; flow:from_server,established; file_data; content:"/*/"; fast_pattern; pcre:"/^[a-f0-9]{6}\*\//R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017373; rev:6; metadata:created_at 2013_08_26, former_category CURRENT_EVENTS, updated_at 2013_08_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/MadnessPro.DDOSBot CnC Beacon"; flow:established,to_server; content:"/?uid="; http_uri; content:"&ver="; http_uri; content:"&mk="; http_uri; content:"&os="; http_uri; content:"&rs="; http_uri; content:"&c="; http_uri; content:"&rq="; http_uri; reference:url,blog.cylance.com/a-study-in-bots-madness-pro; classtype:command-and-control; sid:2018424; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_04_28, deployment Perimeter, signature_severity Major, tag c2, updated_at 2014_04_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CookieBomb Generic PHP Format"; flow:from_server,established; file_data; content:"echo "; fast_pattern; content:"#/"; distance:0; pcre:"/^[a-f0-9]{6}#/R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017374; rev:6; metadata:created_at 2013_08_26, former_category CURRENT_EVENTS, updated_at 2013_08_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Malicious Injected Redirect June 02 2014"; flow:established,to_client; file_data; content:"s.src"; content:"+Math.random()|3b|document.body.appendChild(s)|3b|"; distance:0; classtype:trojan-activity; sid:2018514; rev:2; metadata:created_at 2014_06_02, former_category CURRENT_EVENTS, updated_at 2014_06_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CookieBomb Generic HTML Format"; flow:from_server,established; file_data; content:"<!--/"; fast_pattern; pcre:"/^[a-f0-9]{6}\-\-\>/R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017375; rev:6; metadata:created_at 2013_08_26, former_category CURRENT_EVENTS, updated_at 2013_08_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible CritX/SafePack/FlashPack IE Exploit"; flow:established,from_server; file_data; content:"6f"; fast_pattern; nocase; content:"6c"; within:12; nocase; content:"43"; distance:-26; within:24; content:!"|22|"; within:14; content:!"|27|"; within:14; pcre:"/^(?P<sep>[^\x22\x27]{0,10})6f(?P=sep)6c(?P=sep)6c(?P=sep)65(?P=sep)63(?P=sep)74(?P=sep)47(?P=sep)61(?P=sep)72(?P=sep)62(?P=sep)61(?P=sep)67(?P=sep)65(?P=sep)/Rsi"; classtype:exploit-kit; sid:2018330; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_03_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool get command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgwKH08DHh4bVURA"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017378; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
+alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole FBI Zeus P2P 1 - 142.0.36.234"; content:"|00 01 00 01|"; content:"|00 04 8e 00 24 ea|"; distance:4; within:6; classtype:trojan-activity; sid:2018517; rev:1; metadata:created_at 2014_06_04, updated_at 2014_06_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool long command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgcABQhLAh4fH1FA"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017379; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Landing June 05 2014"; flow:established,from_server; content:"lrtCfdP.FDP,FDP.FDPorcA"; fast_pattern:only; content:"reverse"; classtype:exploit-kit; sid:2018535; rev:2; metadata:created_at 2014_06_05, former_category CURRENT_EVENTS, updated_at 2014_06_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool smart command received key=okokokjjk"; flow:established,from_server; file_data; content:"QhgCCh0fSgIfGxtV"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017380; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Landing EK Struct"; flow:established,to_server; content:"/3/"; http_uri; fast_pattern:only; content:"/http|3a|/"; http_uri; pcre:"/\/3\/[a-f0-9]{32}\/http\x3a\x2f/U"; classtype:exploit-kit; sid:2018536; rev:2; metadata:created_at 2014_06_05, former_category CURRENT_EVENTS, updated_at 2014_06_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool post1 command received key=okokokjjk"; flow:established,from_server; file_data; content:"QhsAGBtaSgIfGxtV"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017381; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Java Jar"; flow:to_server,established; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/\/(?:M[ABCDFGHIJKMOPSTUZ]|E[ABDEGIJKMNPRSVY]|R[ABCEFGHIKLMNPST]|G[ABCEGKMNPSTUV]|A[BCGLMNPQSUVZ]|O[ABCDFIJMNRST]|S[ABEGILMPRSUW]|T[ABEGHILMPSTY]|N[BCGHIKMPSTV]|I[ABCFGKLNSV]|L[ABCGIMNPST]|W[ABCGKMPRTZ]|Z[ABCDKMNSTU]|F[ABCGMNPTW]|H[BCEGKMPST]|K[CDFHLMPST]|U[ACGHLMNRV]|Y[BCGKLMPSU]|C[CELMNSTV]|D[ABCGIMST]|V[BCLMST]|J[BDFST]|P[GJKMN]|Q[ABGIM]|B[BGLS]|X[ACMS])\/[a-f0-9]{32}(\.[^\x2f]+)?$/Ui"; classtype:exploit-kit; sid:2017467; rev:4; metadata:created_at 2013_09_17, former_category EXPLOIT_KIT, updated_at 2013_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool post2 command received key=okokokjjk"; flow:established,from_server; file_data; content:"QhsAGBtZSgIfGxtV"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017382; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
+alert tcp $EXTERNAL_NET [443,$HTTP_PORTS] -> $HOME_NET any (msg:"ET INFO tor2www .onion Proxy SSL cert"; flow:established,from_server; content:"|55 04 03|"; content:"*.tor2www."; nocase; distance:2; within:10; classtype:trojan-activity; sid:2018538; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_06_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool byte command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgkWHwpL"; within:8; pcre:"/^[A-Za-z0-9\/\+]+={0,2}$/R"; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017383; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
+#alert tcp $EXTERNAL_NET [443,$HTTP_PORTS] -> $HOME_NET any (msg:"ET MALWARE TorExplorer Certificate - Potentially Linked To W32/Cryptowall.Ransomware"; flow:established,to_client; content:"|55 04 03|"; content:"torexplorer.com"; distance:0; reference:url,www.malware-traffic-analysis.net/2014/05/28/index.html; classtype:trojan-activity; sid:2018539; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2014_06_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool byte command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgIMBh9L"; within:8; pcre:"/^[A-Za-z0-9\/\+]+={0,2}$/R"; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017384; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert"; flow:established,to_client; content:"|55 04 03|"; content:"|1e|static-182-18-143-140.ctrls.in"; distance:1; within:31; reference:md5,b4d63a1178027f64c4c868181437284d; classtype:trojan-activity; sid:2018542; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Nov 09 2012"; flow:established,from_server; file_data; content:"applet"; content:"0b0909041f"; fast_pattern; within:200; classtype:bad-unknown; sid:2015680; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Landing June 05 2014 2"; flow:established,from_server; file_data; content:"hsalFevawkcohS.hsalFevawkcohS"; content:"reverse"; classtype:exploit-kit; sid:2018544; rev:2; metadata:created_at 2014_06_09, former_category CURRENT_EVENTS, updated_at 2014_06_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Aug 27 2013"; flow:established,from_server; file_data; content:"base_decode("; nocase; fast_pattern:only; content:"decodeHex("; nocase; content:"<applet"; nocase; classtype:exploit-kit; sid:2017387; rev:5; metadata:created_at 2013_08_28, former_category CURRENT_EVENTS, updated_at 2013_08_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Putter Panda 3PARA RAT initial beacon"; flow:established,to_server; content:"|c4 65 f1 b3 cf a5 7e e2 c0 1a d4 7f 78 46 26 b5 86 15 f9 34 9c 3d 67 84 6a 48 aa df dc 30 60 24|"; depth:2000; reference:url,resources.crowdstrike.com/putterpanda/; classtype:trojan-activity; sid:2018555; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_06_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_06_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Sweet Orange Payload Download Aug 28 2013"; flow:established,to_server; content:"=java.util.Random@"; http_uri; fast_pattern:only; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017388; rev:3; metadata:created_at 2013_08_28, former_category CURRENT_EVENTS, updated_at 2013_08_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Horde 3.0.9-3.1.0 Help Viewer Remote PHP Exploit"; flow:established,to_server; content:"/services/help/"; nocase; http_uri; pcre:"/module=[^\;]*\;.*\"/UGi"; reference:url,www.exploit-db.com/exploits/1660; reference:cve,2006-1491; reference:bugtraq,17292; classtype:web-application-attack; sid:2002867; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - ASPyder - File Browser - Interface"; flow:established,to_client; file_data; content:"document.myform.txtpath.value"; classtype:trojan-activity; sid:2017390; rev:3; metadata:created_at 2013_08_28, updated_at 2013_08_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BleedingLife Exploit Kit Landing Page Requested"; flow:established,to_server; content:"/load_module.php?user="; http_uri; depth:22; pcre:"/^\x2Fload\x5Fmodule\x2Ephp\x3Fuser\x3D(n1|11?|2)$/U"; reference:url,vrt-blog.snort.org/2014/06/the-never-ending-exploit-kit-shift.html; classtype:exploit-kit; sid:2018562; rev:2; metadata:created_at 2014_06_13, former_category EXPLOIT_KIT, updated_at 2014_06_13;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - ASPyder - Auth Prompt"; flow:established,to_client; file_data; content:"<INPUT type=password name=code >"; classtype:trojan-activity; sid:2017391; rev:2; metadata:created_at 2013_08_28, updated_at 2013_08_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BleedingLife Exploit Kit SWF Exploit Request"; flow:established,to_server; content:"/modules/"; http_uri; depth:9; content:".swf"; http_uri; distance:1; within:5; pcre:"/^\x2Fmodules\x2F(?:n[u3]|1|2)\x2Eswf$/U"; reference:url,vrt-blog.snort.org/2014/06/the-never-ending-exploit-kit-shift.html; reference:cve,2013-0634; reference:cve,2014-0515; classtype:exploit-kit; sid:2018563; rev:2; metadata:created_at 2014_06_13, former_category EXPLOIT_KIT, updated_at 2014_06_13;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - ASPyder - File Upload - Response"; flow:established,to_client; file_data; content:"<title>ASPYDrvsInfo</title>"; classtype:trojan-activity; sid:2017394; rev:2; metadata:created_at 2013_08_28, updated_at 2013_08_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BleedingLife Exploit Kit JAR Exploit Request"; flow:established,to_server; content:"/modules/"; http_uri; depth:9; content:".jar"; http_uri; distance:1; within:4; pcre:"/^\x2Fmodules\x2F(1|2)\x2Ejar$/U"; reference:url,vrt-blog.snort.org/2014/06/the-never-ending-exploit-kit-shift.html; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2013-2465; classtype:exploit-kit; sid:2018564; rev:2; metadata:created_at 2014_06_13, former_category EXPLOIT_KIT, updated_at 2014_06_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Bot Nick in IRC ([country|so version|CPU])"; flow:established,to_server; content:"NICK {"; content:"x86"; within:12; content:"}"; distance:0; pcre:"/NICK {[a-z]{2,3}\x2D.+?x86[a-z]}[a-z]/i"; flowbits:set,ET.IRC.BOT.CntSOCPU; classtype:trojan-activity; sid:2017395; rev:3; metadata:created_at 2013_08_28, updated_at 2013_08_28;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (TTL 1)"; byte_jump:1,6; content:"|a3|"; within:1; content:"|30 0d 06 08 2b 06 01 02 01 04 02 00 02 01 01|"; distance:9; threshold: type limit, track by_src, count 1, seconds 120; classtype:attempted-dos; sid:2018568; rev:1; metadata:created_at 2014_06_17, updated_at 2014_06_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Apple CoreText Exploit Specific string"; flow:established,from_server; file_data; content:"|D8 B3 D9 85 D9 8E D9 80 D9 8E D9 91 D9 88 D9 8F D9 88 D9 8F D8 AD D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 D8 A7 D9 85 D8 A7 D8 B1 D8 AA D9 8A D8 AE 20 CC B7 CC B4 CC 90 D8 AE|"; reference:url,techcrunch.com/2013/08/29/bug-in-apples-coretext-allows-specific-string-of-characters-to-crash-ios-6-os-x-10-8-apps/; classtype:bad-unknown; sid:2017397; rev:2; metadata:created_at 2013_08_30, updated_at 2013_08_30;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (Disable Forwarding)"; byte_jump:1,6; content:"|a3|"; within:1; content:"|30 0d 06 08 2b 06 01 02 01 04 01 00 02 01 02|"; distance:9; threshold: type limit, track by_src, count 1, seconds 120; classtype:attempted-dos; sid:2018569; rev:1; metadata:created_at 2014_06_17, updated_at 2014_06_17;)
 
-alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Connection Request"; dsize:35; content:"|e4 21|"; depth:2; threshold: type limit, count 1, seconds 300, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009967; classtype:policy-violation; sid:2009967; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)"; flow:from_server,established; flowbits:isset,ET.Suspicious.Domain.Fake.Browser; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2018572; rev:2; metadata:created_at 2014_06_17, former_category HUNTING, updated_at 2014_06_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet July 08 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?(?P<dot>[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<p>(?!(?P=dot))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<h>(?!((?P=p)|(?P=dot)))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P=p).+?value[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?(?P=dot)([^a-f0-9]{2}){1,20}(?P<e>[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<x>(?!(?P=e))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P=e)(([^a-f0-9]{2}){1,20})?[\x22\x27]/Rs"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017115; rev:8; metadata:created_at 2013_07_09, former_category EXPLOIT_KIT, updated_at 2013_07_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing"; flow:established,to_client; file_data; content:".getVersion"; pcre:"/^\s*?\(\s*?[\x22\x27]Java[\x22\x27]/Rsi"; content:"621"; distance:0; pcre:"/^\W.{0,50}<\s*?=\s*?645\W[^{]*?{[^\}]*?\(\s*?document\s*?\)\s*?\[\s*?[\x22\x27]body[\x22\x27]\s*?\]\[\s*?[\x22\x27]appendChild[\x22\x27]\s*?\]/Rsi"; content:"700"; pcre:"/^\W.{0,50}<\s*?725\W/Rsi"; content:".getVersion"; pcre:"/^\s*?\(\s*?[\x22\x27]Flash[\x22\x27]/Rsi"; classtype:exploit-kit; sid:2018573; rev:3; metadata:created_at 2014_06_17, former_category CURRENT_EVENTS, updated_at 2014_06_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Njw0rm CnC Beacon"; flow:established,to_server; content:"lv0njxq80"; depth:9; content:"njxq80"; distance:0; reference:url,www.fireeye.com/blog/technical/malware-research/2013/08/njw0rm-brother-from-the-same-mother.html; reference:md5,4c60493b14c666c56db163203e819272; reference:md5,b0e1d20accd9a2ed29cdacb803e4a89d; classtype:command-and-control; sid:2017404; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_08_31, deployment Perimeter, former_category WORM, signature_severity Major, tag c2, updated_at 2013_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing 2"; flow:established,to_client; file_data; content:"/[a-z]/gi"; fast_pattern; content:"substring"; pcre:"/^(?:[\x22\x27]\s*?\])?\s*?\(\s*?(?P<num>\d+)\s*?\*\s*?(?P<cnt>\w+)\s*?,\s*?(?P=num)\s*?\*\s*?(?P=cnt)\s*?\+\s*?(?P=num)\s*?\)\s*?,\s*?\d+\s*?\)/Rsi"; content:"="; pcre:"/^\s*?[\x22\x27][A-Za-z0-9\s]{500}/Rsi"; classtype:exploit-kit; sid:2018577; rev:2; metadata:created_at 2014_06_17, former_category CURRENT_EVENTS, updated_at 2014_06_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura Landing with Applet Aug 30 2013"; flow:established,from_server; file_data; content:".getVersion"; nocase; content:"|22|PGFwcGxld"; fast_pattern; content:"|22|PGFwcGxld"; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017407; rev:2; metadata:created_at 2013_09_03, updated_at 2013_09_03;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id ASCII"; flow:established,to_server; content:"/page.asp?"; nocase; http_uri; content:"art_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004838; classtype:web-application-attack; sid:2004838; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Winsoftware.com Spyware Activity"; flow: to_server,established; content:"/?proto="; nocase; http_uri; content:"&rc="; nocase; http_uri; content:"&abbr="; nocase; http_uri; content:"platform="; nocase; http_uri; content:"&os_version="; nocase; http_uri; content:"&appid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003471; classtype:trojan-activity; sid:2003471; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 3000:8000 -> $HOME_NET any (msg:"ET DELETED Unknown Trojan P2P Data Download"; flow:established,from_server; dsize:>1000; content:"|00 00 00|"; depth:5; offset:2; content:"|00 01 01 00 00 05 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_dst; reference:url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/; reference:url,doc.emergingthreats.net/2008770; classtype:trojan-activity; sid:2008770; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Weird on the Web /180 Solutions Update"; flow: to_server,established; content:"/notifier/updates"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002041; classtype:trojan-activity; sid:2002041; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3000:8000 (msg:"ET DELETED Unknown Trojan P2P Download Request"; flow:established,to_server; dsize:<100; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 08 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_src; reference:url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/; reference:url,doc.emergingthreats.net/2008771; classtype:trojan-activity; sid:2008771; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 180solutions Spyware Reporting"; flow: to_server,established; uricontent:"/showme.aspx?"; nocase; uricontent:"partner_id="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001400; classtype:trojan-activity; sid:2001400; rev:12; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3000:8000 (msg:"ET DELETED Unknown Trojan P2P Request"; flow:established,to_server; dsize:<60; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 03 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_src; reference:url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/; reference:url,doc.emergingthreats.net/2008772; classtype:trojan-activity; sid:2008772; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Browseraid.com Agent Reporting Data"; flow: to_server,established; content:"/perl/ads.pl"; nocase; http_uri; reference:url,www.browseraid.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001266; classtype:trojan-activity; sid:2001266; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK Common Java Exploit"; flow:to_server,established; content:"/testi.jnlp"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2018583; rev:4; metadata:created_at 2014_06_20, former_category CURRENT_EVENTS, updated_at 2014_06_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Browseraid.com User-Agent (Browser Adv)"; flow: to_server,established; content:"Browser Adv"; http_header; fast_pattern:only; reference:url,www.browseraid.com; reference:url,doc.emergingthreats.net/2001295; classtype:trojan-activity; sid:2001295; rev:24; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious Redirect 8x8 script tag"; flow:established,from_server; file_data; content:".php?id="; content:"/"; distance:-17; within:1; pcre:"/^[a-z0-9A-Z]*?[A-Z0-9][a-z0-9A-Z]*?\.php\?id=\d{6,9}[\x22\x27]/R"; content:"<script"; nocase; pcre:"/^(?:(?!<\/script>).)*?\ssrc\s*?=\s*?[\x22\x27][^\x22\x27]+?\/[a-z0-9A-Z]{8}\.php\?id=\d{6,9}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2018053; rev:4; metadata:created_at 2014_02_01, former_category CURRENT_EVENTS, updated_at 2014_02_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Keep-Alive (OUTBOUND)"; flow:to_server,established; content:"P[endof]"; dsize:8; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017418; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK CVE-2013-3918"; flow:established,to_server; content:"/m20133918.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018593; rev:2; metadata:created_at 2014_06_20, former_category CURRENT_EVENTS, updated_at 2014_06_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Checkin"; flow:to_server,established; content:"lv"; depth:2; content:"[endof]"; isdataat:!2,relative; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017419; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing May 23 2014"; flow:from_server,established; content:"|0d 0a|Vary|3a 20|Accept-Encoding,User-Agent"; http_header; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; file_data; content:"|ef bb bf|<html>|0d 0a|<body bgcolor|3d 22|#"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}<script>var/R"; classtype:exploit-kit; sid:2018595; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_06_24, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (File Manager)"; flow:from_server,established; content:"FM|7c 27 7c 27 7c|"; depth:7; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017420; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Trojan-Banker.JS.Banker fraudulent redirect boleto payment code"; flow:to_server,established; content:"/boleto"; http_uri; fast_pattern:only; content:".php?"; http_uri; pcre:"/^Host\x3a\x20[^\r\n]+(\r\n)?\r\n$/Hi"; reference:url,brazil.kaspersky.com/sobre-a-kaspersky/centro-de-imprensa/blog-da-kaspersky/extensoes-maliciosas-boleto; reference:md5,de38bc962f92eb99d63eebecb3930906; classtype:trojan-activity; sid:2018591; rev:5; metadata:created_at 2014_06_20, former_category CURRENT_EVENTS, updated_at 2014_06_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command Response (File Manager)"; flow:to_server,established; content:"rn|7c 27 7c 27 7c|"; depth:7; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017421; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET DELETED EXPLOIT MS-SQL DOS bouncing packets"; content:"|0A|"; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000381; classtype:attempted-dos; sid:2000381; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Remote Desktop)"; flow:from_server,established; content:"sc~|7c 27 7c 27 7c|"; depth:8; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017422; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Win32/Tesch.A Checkin"; flow:to_server,established; dsize:<100; content:"|01 00 30 01 01 00|"; fast_pattern; depth:6; content:!"|00|"; distance:3; within:1; content:"|00|"; distance:4; within:1; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/R"; reference:md5,f2e5900061c5ac470fa005580681be94; reference:md5,872763d48730506af7eee0bf22c2f47b; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FTesch.A; classtype:trojan-activity; sid:2018611; rev:5; metadata:created_at 2013_11_15, updated_at 2013_11_15;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command Response (Remote Desktop)"; flow:to_server,established; content:"scPK|7c 27 7c 27 7c|"; depth:9; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017423; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Malvertising Redirect URI Struct"; flow:established,to_server; content:"/assets/js/jquery-"; depth:18; http_uri; fast_pattern; content:"min.js?ver="; http_uri; distance:0; pcre:"/^\/assets\/js\/jquery-[0-9]\.[0-9]\.[0-9]\.min\.js\?ver=[0-9]+\.[0-9]+\.[0-9]+$/U"; classtype:trojan-activity; sid:2018454; rev:4; metadata:created_at 2014_05_08, former_category CURRENT_EVENTS, updated_at 2014_05_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Remote Cam)"; flow:from_server,established; content:"CAM|7c 27 7c 27 7c|"; depth:8; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017424; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil EK Redirector Cookie June 27 2014"; flow:established,from_server; content:"lvqwg="; depth:6; http_cookie; nocase; classtype:exploit-kit; sid:2018613; rev:3; metadata:created_at 2014_06_28, former_category CURRENT_EVENTS, updated_at 2014_06_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Remote Shell)"; flow:from_server,established; content:"rs|7c 27 7c 27 7c|"; depth:8; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017426; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sharik C2 Incoming Crafted Request"; flow:established,from_server; content:"|4d 00 02 02 00|"; depth:5; fast_pattern; content:"/"; distance:4; within:5; content:" HTTP/1."; distance:0; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:command-and-control; sid:2018616; rev:1; metadata:created_at 2014_06_30, former_category MALWARE, updated_at 2014_06_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command Response (Process listing)"; flow:to_server,established; content:"proc|7c 27 7c 27 7c|"; depth:9; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017427; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Alexa Search Toolbar User-Agent (Alexa Toolbar)"; flow: to_server,established; content:" Alexa Toolbar|3b|"; http_header; reference:url,www.spywareguide.com/product_show.php?id=418; reference:url,doc.emergingthreats.net/2002166; classtype:trojan-activity; sid:2002166; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Kill Process)"; flow:from_server,established; content:"k|7c 27 7c 27 7c|"; depth:6; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017428; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing June 25 2014"; flow:established,to_client; file_data; content:"t=|22|1|3b|url=about|3a|Tabs|22|"; fast_pattern:only; content:"<body>"; pcre:"/^[\r\n\s]*?<script>[\r\n\s]*?[A-Za-z]+[\r\n\s]*?=[\r\n\s]*?[\x22\x27][A-Za-z]{9}\x20[A-Za-z\x20]{300}/R"; classtype:exploit-kit; sid:2018606; rev:4; metadata:created_at 2014_06_26, former_category CURRENT_EVENTS, updated_at 2014_06_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible BHEK Landing URI Format"; flow:to_server,established; urilen:>41; content:".php"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{32}\/[a-z]+?\-[a-z]+?\.php/U"; classtype:exploit-kit; sid:2017376; rev:7; metadata:created_at 2013_08_27, former_category EXPLOIT_KIT, updated_at 2013_08_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Sweet Orange WxH redirection"; flow:established,to_server; urilen:23<>50; content:"x"; http_uri; depth:4; offset:2; content:".php?"; fast_pattern; http_uri; content:"="; http_uri; within:3; pcre:"/^\/[0-9]{2,3}x[0-9]{2,3}\/[a-z]+\.php\?[a-z]{2}=[0-9a-z]+$/U"; classtype:exploit-kit; sid:2018493; rev:4; metadata:created_at 2014_05_21, former_category CURRENT_EVENTS, updated_at 2014_05_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Bleeding EK Variant Landing JAR Sep 06 2013"; flow:established,to_server; content:"Java/1."; fast_pattern:only; http_user_agent; content:".php?e="; nocase; http_uri; pcre:"/\.php\?e=\d+(&|$)/Ui"; classtype:exploit-kit; sid:2017435; rev:4; metadata:created_at 2013_09_07, former_category CURRENT_EVENTS, updated_at 2013_09_07;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server Command (bot is ready to start receiving commands)"; flow:established,from_server; dsize:4; flowbits:isset,ET.Tesch; content:"|05 00 01 01|"; depth:4; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018626; rev:5; metadata:created_at 2014_07_02, updated_at 2014_07_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit Landing Page"; flow:established,from_server; file_data; content:"|22|0x|22 3b|"; content:"="; distance:0; pcre:"/^[\r\n\s]*?[\x22\x27][a-f0-9]{2}(?P<sep>[^a-f0-9]{1,10})(?P<a>[a-f0-9]{2})(?P=sep)(?P<p>[a-f0-9]{2})(?P=sep)(?P=p)(?P=sep)(?P<l>[a-f0-9]{2})(?P=sep)(?P<e>[a-f0-9]{2})[^\x22\x27]+?(?P=sep)(?P=p)(?P=sep)(?P=a)(?P=sep)[a-f0-9]{2}(?P=sep)(?P=a)(?P=sep)[^\x22\x27]+?(?P=sep)(?P=a)(?P=sep)(?P=l)(?P=sep)[a-f0-9]{2}(?P=sep)(?P=e)/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017451; rev:6; metadata:created_at 2013_09_11, updated_at 2013_09_11;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server Command (Confirm C2 IP and port) 2"; flow:established,from_server; flowbits:isset,ET.Tesch; dsize:9; content:"|04 00 06|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:command-and-control; sid:2018625; rev:5; metadata:created_at 2014_07_02, former_category MALWARE, updated_at 2014_07_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole hex and wordlist initial landing and exploit path"; flow:established,to_server; urilen:>70; content:".php"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{5,}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2017452; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_11, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Downloader.Win32.Tesch.A Bot Command (OK acknowledgement)"; flow:established,to_server; flowbits:isset,ET.Tesch; dsize:3; content:"|0a 00 00|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018622; rev:6; metadata:created_at 2014_07_02, updated_at 2014_07_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Variant PDF Download Sep 11 2013"; flow:established,to_server; urilen:>56; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:[^&](?:5[5-9a-e]|8[9a-e])){5}[^=]+=[^&]+&[^=]+=(?:[^&](?:5[5-9a-f]|8[9a-e])){10}([^&]60[^&]60(?:[^&](?:5[5-9a-f]|8[9a-e])){10})*?&/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017456; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Bot Command (Proxy command)"; flow:established,from_server; flowbits:isset,ET.Tesch; dsize:28; content:"|09 00 19|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018623; rev:5; metadata:created_at 2014_07_02, updated_at 2014_07_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT X20 EK Landing July 22 2013"; flow:established,from_server; file_data; content:"&7&.y|22|></param></applet></table></body></html>"; nocase; classtype:exploit-kit; sid:2017167; rev:4; metadata:created_at 2013_07_23, updated_at 2013_07_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET MALWARE TrojanSpy.Win32/Banker.AMB SQL Checkin"; flow:established,to_server; content:"I|00|N|00|S|00|E|00|R|00|T"; content:"I|00|N|00|T|00|O"; distance:0; content:"B|00|R|00|O|00|W|00|S|00|E|00|R|00|L|00|O|00|G|00|U|00|S|00|B|00|"; reference:md5,dd141287cb45a2067592eeb9d3aa7162; classtype:command-and-control; sid:2018645; rev:2; metadata:created_at 2014_07_07, former_category MALWARE, updated_at 2014_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated base64 decoder Sep 12 2013"; flow:established,from_server; file_data; content:" & 15) << 4)"; content:" & 3) << (3+3))"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017461; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert 999servers.com"; flow:established,to_client; content:"|55 04 03|"; content:"|10|*.999servers.com"; distance:1; within:17; reference:md5,b9ffad739bb47a0e4619b76af51d9a74; classtype:trojan-activity; sid:2018647; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SNET EK Encoded VBS 1"; flow:established,from_server; file_data; content:"BDbGVhckludGVybmV0Q2FjaGUo"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017470; rev:2; metadata:created_at 2013_09_17, updated_at 2013_09_17;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Cert July 7 2014"; flow:established,from_server; content:"|16 03 00|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"smalbach2424@hotmail.com"; distance:2; within:24; reference:md5,52084660d2ae0ee8f033621a9252cfb9; classtype:trojan-activity; sid:2018651; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_07_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SNET EK Encoded VBS 2"; flow:established,from_server; file_data; content:"IENsZWFySW50ZXJuZXRDYWNoZS"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017471; rev:2; metadata:created_at 2013_09_17, updated_at 2013_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED food.com compromise hostile JavaScript gate"; flow:established,to_server; content:".html?0."; http_uri; fast_pattern:only; pcre:"/\/[a-z]{1,6}\.html\?0\.[0-9]+[a-z]?$/U"; classtype:trojan-activity; sid:2018505; rev:6; metadata:created_at 2014_05_28, updated_at 2014_05_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SNET EK Encoded VBS 3"; flow:established,from_server; file_data; content:"Q2xlYXJJbnRlcm5ldENhY2hlK"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017472; rev:2; metadata:created_at 2013_09_17, updated_at 2013_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Enfal.F Checkin via HTTP Post 7"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/Owpp4.cgi"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; content:!"Referer|3a 20|"; pcre:"/^[^\r\n]{15}\x5f[^\r\n]{2}\x2d[^\r\n]{2}\x2d[^\r\n]{2}\x2d[^\r\n]{2}\x2d[^\r\n]{2}/m"; reference:url,blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2; classtype:trojan-activity; sid:2018665; rev:4; metadata:created_at 2014_07_11, updated_at 2014_07_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible SNET EK VBS Download"; flow:to_server,established; content:"/cod/"; http_uri; fast_pattern; content:".vbs"; http_uri; distance:0; pcre:"/\/cod\/[^\x2f]+\.vbs$/U"; classtype:exploit-kit; sid:2017469; rev:5; metadata:created_at 2013_09_17, former_category CURRENT_EVENTS, updated_at 2013_09_17;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Zeus P2P Variant DGA NXDOMAIN Responses July 11 2014"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; pcre:"/^..[\x0d-\x20](?=\d{0,27}[a-z])(?=[a-z]{0,27}\d)[a-z0-9]{21,28}(?:\x03(?:biz|com|net|org))\x00\x00\x01\x00\x01/Rs"; threshold: type both, track by_dst, count 12, seconds 120; reference:url,blog.malcovery.com/blog/breaking-gameover-zeus-returns; reference:md5,5e5e46145409fb4a5c8a004217eef836; classtype:trojan-activity; sid:2018666; rev:4; metadata:created_at 2014_07_11, former_category MALWARE, updated_at 2014_07_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Embedded Open Type Font file .eot"; flow:established,to_client; file_data; content:"|02 00 02  00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40  00|a|00|b|00|c|00|d|00|e|00|f|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:exploit-kit; sid:2016065; rev:4; metadata:created_at 2012_12_20, former_category EXPLOIT_KIT, updated_at 2012_12_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing Jul 11 2014"; flow:established,to_client; file_data; content:"t=|22|1|3b|url=about|3a|Tabs|22|"; content:"/[a-z]/gi"; content:"|5c|x66|5c|x72|5c|x6F|5c|x6D|5c|x43|5c|x68|5c|x61|5c|x72|5c|x43|5c|x6F|5c|x64|5c|x65"; fast_pattern; classtype:exploit-kit; sid:2018668; rev:5; metadata:created_at 2014_07_12, former_category CURRENT_EVENTS, updated_at 2014_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole initial landing/gate"; flow:established,to_server; content:"/jquery/get.php?ver=jquery.latest.js"; http_uri; classtype:trojan-activity; sid:2017481; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert acesecureshop.com"; flow:established,to_client; content:"|55 04 03|"; content:"|11|acesecureshop.com"; distance:1; within:18; reference:md5,c2e85512ceaacbf8306321f9cc2b1eaf; classtype:trojan-activity; sid:2018671; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Styx - TDS - Redirect To Landing Page"; flow:established,to_client; file_data; content:"<body onLoad="; content:"Redirect..."; fast_pattern; classtype:exploit-kit; sid:2017482; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert new-install.privatedns.com"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|1a|new-install.privatedns.com"; distance:1; within:27; fast_pattern; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|1e|ssl@new-install.privatedns.com"; distance:1; within:31; reference:md5,280a3a944878d57bc44ead271a0cc457; classtype:trojan-activity; sid:2018672; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) - Landing Page - Java ClassID and 32HexChar.jar"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:".jar"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:exploit-kit; sid:2015901; rev:3; metadata:created_at 2012_11_20, former_category EXPLOIT_KIT, updated_at 2012_11_20;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert July 14 2014"; flow:established,to_client; content:"|55 04 03|"; content:"|0f|groberts.com.au"; distance:1; within:16; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|13|info@dctreasure.com"; distance:1; within:20; reference:md5,9f48eb74687492978259edb8f79ac397; classtype:trojan-activity; sid:2018673; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess Outbound udp traffic detected"; content:"|28 94 8d ab c9 c0 d1 99|"; offset:4; depth:8; dsize:16; threshold: type both, track by_src, count 10, seconds 600; classtype:trojan-activity; sid:2015482; rev:8; metadata:created_at 2012_07_17, updated_at 2012_07_17;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert faithmentoringandmore.com"; flow:established,to_client; content:"|55 04 03|"; content:"|1d|www.faithmentoringandmore.com"; distance:1; within:31; reference:md5,b5df3ba04c987692929f35d9c64e0c0d; classtype:trojan-activity; sid:2018674; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Unknown Malware CnC response with exe file"; flow:from_server,established; dsize:>0; byte_jump:2,1,little,post_offset -4; isdataat:!2,relative; content:"!This program cannot be run in DOS mode."; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:command-and-control; sid:2017414; rev:3; metadata:created_at 2013_09_04, updated_at 2013_09_04;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux DDoS bot Antiq IRC"; flow:established,to_server; content:"PRIVMSG|20|#"; content:"status checking progam online"; within:60; reference:url,deependresearch.org/2014/07/another-linux-ddos-bot-via-cve-2012-1823.html; classtype:trojan-activity; sid:2018675; rev:1; metadata:created_at 2014_07_14, updated_at 2014_07_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"function Suck("; fast_pattern:only; classtype:exploit-kit; sid:2017484; rev:3; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Malvertising Redirect URI Struct Jul 16 2014"; flow:established,to_server; content:"/js/metrika/watch.js?ver="; depth:25; http_uri; fast_pattern; pcre:"/^\/js\/metrika\/watch\.js\?ver=[0-9]+\.[0-9]+\.[0-9]+$/U"; classtype:trojan-activity; sid:2018686; rev:5; metadata:created_at 2014_07_16, former_category CURRENT_EVENTS, updated_at 2014_07_16;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"function align_esp("; fast_pattern:only; classtype:exploit-kit; sid:2017485; rev:1; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Technique)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"INSERT INTO"; nocase; distance:0; content:"#pragma namespace("; nocase; distance:0; content:"|5c 5c 5c|.|5c 5c 5c 5c|root|5c 5c 5c 5c|"; nocase; distance:0; content:"__EventFilter"; nocase; distance:0; content:" __InstanceModificationEvent"; nocase; distance:0; content:"TargetInstance"; nocase; distance:0; content:"Win32_LocalTime"; nocase; distance:0; content:"ActiveScriptEventConsumer"; nocase; distance:0; content:"JScript"; nocase; distance:0; content:"WScript.Shell"; nocase; distance:0; content:"WSH.run"; nocase; distance:0; content:".exe"; distance:0; content:"__FilterToConsumerBinding"; pcre:"/WSH\.run\x28\x5c+?[\x22\x27][a-z0-9_-]+?\.exe/"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015996; rev:3; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"CollectGarbage"; nocase; fast_pattern:only; content:"eval(|27|unescape|27|)"; nocase; content:"|27|%u|27|"; classtype:exploit-kit; sid:2017486; rev:2; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain"; content:"|00 01 00 01|"; content:"|00 04 cc 5f 63|"; distance:4; within:5; classtype:trojan-activity; sid:2018642; rev:2; metadata:created_at 2014_07_04, updated_at 2014_07_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible JavaFX Click To Run Bypass 1"; flow:established,to_client; file_data; content:"cHJlbG9hZGVyLWNsYXNz"; reference:url,seclists.org/bugtraq/2013/Jul/41; classtype:attempted-user; sid:2017494; rev:2; metadata:created_at 2013_09_20, updated_at 2013_09_20;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert karinejoncas.com"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.karinejoncas.com"; distance:1; within:21; reference:md5,87bbf4bc45ef30507b1d239edc727067; classtype:trojan-activity; sid:2018690; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible JavaFX Click To Run Bypass 2"; flow:established,to_client; file_data; content:"wcmVsb2FkZXItY2xhc3"; reference:url,seclists.org/bugtraq/2013/Jul/41; classtype:attempted-user; sid:2017495; rev:3; metadata:created_at 2013_09_20, updated_at 2013_09_20;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert deslematin.ca"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|deslematin.ca"; distance:1; within:14; reference:md5,87bbf4bc45ef30507b1d239edc727067; classtype:trojan-activity; sid:2018691; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible JavaFX Click To Run Bypass 3"; flow:established,to_client; file_data; content:"ByZWxvYWRlci1jbGFzc"; reference:url,seclists.org/bugtraq/2013/Jul/41; classtype:attempted-user; sid:2017496; rev:3; metadata:created_at 2013_09_20, updated_at 2013_09_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.newdomaininfo.ru"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018692; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK - Java Exploit - bona.jar"; flow:established,to_server; content:"/bona.jar"; http_uri; classtype:exploit-kit; sid:2017497; rev:2; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|duosecure.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018696; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"(|22|ms-help|3a|//|22|)|3b|"; nocase; content:"(|22|ms-help|3a|//|22|)|3b|"; distance:0; content:"(|22|ms-help|3a 22|)|3b|"; nocase; content:"(|22|ms-help|3a 22|)|3b|"; nocase; distance:0; classtype:exploit-kit; sid:2017488; rev:3; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,to_client; content:"|55 04 03|"; content:"|11|bloggershop.co.vu"; distance:1; within:19; nocase; reference:md5,fe56b5a28eac390aa8cfb1402360958b; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018494; rev:2; metadata:attack_target Client_and_Server, created_at 2014_05_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Probably Evil Long Unicode string only string and unescape 1"; flow:established,from_server; file_data; content:"unescape"; content:"|22|%u"; content:!"|22|"; within:120; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017499; rev:2; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fake CDN Sweet Orange Gate July 17 2014"; flow:established,to_server; content:"GET"; http_method; urilen:>10; content:"?"; http_uri; offset:2; depth:1; content:"Host|3a 20|cdn"; http_header; fast_pattern:only; pcre:"/^\/[a-z]\?[a-z]=[0-9]{5,}$/U"; classtype:exploit-kit; sid:2018737; rev:2; metadata:created_at 2014_07_18, former_category CURRENT_EVENTS, updated_at 2014_07_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Probably Evil Long Unicode string only string and unescape 2"; flow:established,from_server; file_data; content:"unescape"; content:"|27|%u"; nocase; content:!"|27|"; within:120; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017500; rev:2; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange redirection 21 July 2014"; flow:to_client,established; file_data; content:"jquery_datepicker=|27|"; pcre:"/[^0-9a-f]{1,3}68[^0-9a-f]{1,3}74[^0-9a-f]{1,3}74[^0-9a-f]{1,3}70[0-9a-f]{1,3}3a/Ri"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018751; rev:2; metadata:created_at 2014_07_22, former_category EXPLOIT_KIT, updated_at 2014_07_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Probably Evil Long Unicode string only string and unescape 3"; flow:established,from_server; file_data; content:"unescape"; content:"|22 5f|u"; nocase; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017501; rev:2; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT XMLDOM Check for Presence Kaspersky AV Observed in RIG EK"; flow:from_server,established; file_data; content:"loadXML"; nocase; content:"parseError"; content:"-2147023083"; fast_pattern:only; content:"|5c|kl1.sys"; nocase; pcre:"/^[\x22\x27]/Rs"; reference:url,research.zscaler.com/2014/07/de-obfuscating-dom-based-javascript.html; classtype:exploit-kit; sid:2018756; rev:2; metadata:created_at 2014_07_23, former_category CURRENT_EVENTS, updated_at 2014_07_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Probably Evil Long Unicode string only string and unescape 3"; flow:established,from_server; file_data; content:"unescape"; content:"|27 5f|u"; nocase; content:!"|27|"; within:100; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017502; rev:2; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT XMLDOM Check for Presence TrendMicro AV Observed in RIG EK"; flow:from_server,established; file_data; content:"loadXML"; nocase; content:"parseError"; content:"-2147023083"; fast_pattern:only; content:"|5c|tm"; nocase; pcre:"/^(?:e(?:vtmgr|ext)|actmon|nciesc|EBC32|comm|tdi)\.sys[\x22\x27]/Rsi"; reference:url,research.zscaler.com/2014/07/de-obfuscating-dom-based-javascript.html; classtype:exploit-kit; sid:2018757; rev:2; metadata:created_at 2014_07_23, former_category CURRENT_EVENTS, updated_at 2014_07_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Used in various watering hole attacks"; flow:established,from_server; file_data; content:"ConVertData"; pcre:"/^[^a-z0-9]/Ri"; content:"checka"; pcre:"/^[^a-z0-9]/Ri"; content:"checkb"; pcre:"/^[^a-z0-9]/Ri"; classtype:exploit-kit; sid:2017503; rev:2; metadata:created_at 2013_09_21, former_category CURRENT_EVENTS, updated_at 2013_09_21;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert twitterbacklinks.com"; flow:established,from_server; content:"|55 04 03|"; content:"|18|www.twitterbacklinks.com"; distance:1; within:25; reference:md5,4cb5a748416b9f03d875245437344177; classtype:trojan-activity; sid:2018758; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Sakura - Java Exploit Recieved - Atomic"; flow:established,to_client; file_data; content:"PK"; within:2; content:"Main-Class|3a| atomic.Atomic"; classtype:trojan-activity; sid:2017506; rev:2; metadata:created_at 2013_09_24, former_category CURRENT_EVENTS, updated_at 2013_09_24;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre Serial Number in SSL Cert"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f4 4b cc 89 9e b7 45 a8|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:md5,55f8682aab1089b68a8a391b927d7a74; classtype:trojan-activity; sid:2018759; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_23, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Cushion Redirection"; flow:established,to_server; content:".php?message="; http_uri; fast_pattern:only; pcre:"/\/(?:app|info)\.php\?message=[A-Za-z0-9\+\/]+={0,2}$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:2017507; rev:2; metadata:created_at 2013_09_24, former_category CURRENT_EVENTS, updated_at 2013_09_24;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|sslbl.abuse.ch"; distance:1; within:15; content:"|1b|we_love_selfsigned@abuse.ch"; distance:0; reference:md5,73705a4a8b03e5f866fac821aaec273a; classtype:domain-c2; sid:2018767; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Styx J7u21 click2play bypass"; flow:established,to_server; content:"/jplay.html"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017508; rev:2; metadata:created_at 2013_09_24, updated_at 2013_09_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious SSL Cert With Script Tags"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"<script>"; content:"</script>"; distance:0; content:"|55 04 03|"; reference:md5,73705a4a8b03e5f866fac821aaec273a; classtype:domain-c2; sid:2018768; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible J7u21 click2play bypass"; flow:established,to_client; file_data; content:"<jfx|3a|"; nocase; content:"preloader-class"; nocase; content:"<jnlp"; nocase; classtype:attempted-user; sid:2017509; rev:2; metadata:created_at 2013_09_24, updated_at 2013_09_24;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert thelabelnashville.com"; flow:established,from_server; content:"|55 04 03|"; content:"|15|thelabelnashville.com"; distance:1; within:22; reference:md5,f75b9bffe33999339d189b1a3d8d8b4e; classtype:trojan-activity; sid:2018776; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Encrypted Binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|25 3e fc 75 7b|"; within:5; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016380; rev:4; metadata:created_at 2013_02_08, former_category EXPLOIT_KIT, updated_at 2013_02_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert cactussports.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cactussports.com"; distance:1; within:17; reference:md5,fe557165290ae68b768591eb746fa1c5; classtype:trojan-activity; sid:2018777; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT W32/Caphaw DriveBy Campaign Ping.html"; flow:established,to_server; content:"/ping.html?id="; http_uri; content:"&js="; http_uri; content:"&key="; http_uri; content:!"/utils/"; http_uri; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; reference:url,blog.damballa.com/archives/2147; classtype:trojan-activity; sid:2017513; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert yellowdevilgear.com"; flow:established,from_server; content:"|55 04 03|"; content:"|17|www.yellowdevilgear.com"; distance:1; within:24; reference:md5,2def687d8159d7859e86855b6c4a20c8; classtype:trojan-activity; sid:2018778; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Sep 10 2013"; flow:established,from_server; file_data; content:".getVersion("; nocase; content:!"PluginDetect"; nocase; distance:-24; within:12; pcre:"/^[\r\n\s]*?(?P<q>[\x22\x27])Java(?P=q)/Ri"; content:!"<applet"; nocase; content:"var"; pcre:"/^[^=]+?=[^\x22\x27\x3b]*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?<[^\x22\x27]*?a[^\x22\x27]*?p[^\x22\x27]*?p[^\x22\x27]*?l[^\x22\x27]*?e[^\x22\x27]*?t[^\x22\x27](?:(?!(?P=q)).)+?<[^\x22\x27]*?p[^\x22\x27]*?a[^\x22\x27]*?r[^\x22\x27]*?a[^\x22\x27]*?m/Rs"; classtype:trojan-activity; sid:2017450; rev:3; metadata:created_at 2013_09_11, updated_at 2013_09_11;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert michaelswinecellar.com"; flow:established,from_server; content:"|55 04 03|"; content:"|1a|www.michaelswinecellar.com"; distance:1; within:27; reference:md5,c9869431ad760912a553a63266173442; classtype:trojan-activity; sid:2018779; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Leverage.A Checkin"; flow:established,to_server; content:"|00 00|"; offset:0; depth:2; content:"|00 00 00 01|"; distance:2; within:4; content:"RAM|0a 7c|"; pcre:"/^\d+\w+\/\d+\w+ free \(\d+% used\)/R"; classtype:command-and-control; sid:2017525; rev:2; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2013_09_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert migsparkle.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|migsparkle.com"; distance:1; within:15; reference:md5,bc74dd7e0350ad7ad8f75ca0de6fb9dc; classtype:trojan-activity; sid:2018780; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command response"; flow:established,from_server; file_data; content:"send|3c 7c 3e|"; within:7; pcre:"/^[A-Z]\x3a\x5f/R"; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017523; rev:5; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2013_09_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil XMLDOM Detection of Local File"; flow:from_server,established; file_data; content:"-2147023083"; nocase; fast_pattern:only; content:"res|3a 2f|"; nocase; content:"<!DOCTYPE html PUBLIC"; nocase; reference:url,alienvault.com/open-threat-exchange/blog/attackers-abusing-internet-explorer-to-enumerate-software-and-detect-securi/; classtype:trojan-activity; sid:2018783; rev:2; metadata:created_at 2014_07_25, updated_at 2014_07_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Hiloti/Mufanom CnC Response"; flow:established,from_server; flowbits:isset,ET.Hiloti; file_data; content:"<!-- vbe -->"; distance:0; classtype:command-and-control; sid:2017526; rev:3; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2013_09_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|0d|fuck@abuse.ch"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018745; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT Windows Media Player directory traversal via Content-Disposition attempt"; flow:from_server,established; file_data; content:"Content-Disposition|3A|"; nocase; pcre:"/filename=[^\x3b\x3a\r\n]*(\x2e\x2e|\x25\x32\x65)/smi"; reference:bugtraq,7517; reference:cve,2003-0228; reference:url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx; classtype:attempted-user; sid:2103192; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert server.abaphome.net"; flow:established,from_server; content:"|55 04 03|"; content:"|13|server.abaphome.net"; distance:1; within:20; reference:md5,cfe7cade32e463f0ef7efd134c56b5c8; classtype:trojan-activity; sid:2018790; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT LightsOut EK Payload Download"; flow:to_server,established; content:".php?dwl="; http_uri; fast_pattern:only; nocase; pcre:"/\.php\?dwl=[a-z]+$/U"; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017529; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert 1stopmall.us"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.1stopmall.us"; distance:1; within:17; reference:md5,b833914b8171bc8f400b41449c3ef06b; classtype:trojan-activity; sid:2018791; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK info3i.html"; flow:to_server,established; content:"/info3i.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017530; rev:2; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing June 28 2014"; flow:established,to_client; file_data; content:"t=|22|1|3b|url=about|3a|Tabs|22|"; content:"hex2bin"; fast_pattern:only; content:"eval"; pcre:"/^(?:[\x22\x27]\s*?\])?\(\s*?(?:\[[\x22\x27])?rc4(?:[\x22\x27]\s*?\])?\(\s*?[\x22\x27][^\x22\x27]+?[\x22\x27]\s*?,\s*?(?:\[[\x22\x27])?hex2bin(?:[\x22\x27]\s*?\])?\(/Rsi"; classtype:exploit-kit; sid:2018794; rev:5; metadata:created_at 2014_07_28, former_category CURRENT_EVENTS, updated_at 2014_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK info3i.php"; flow:to_server,established; content:"/info3i.php"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017531; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Plugin Detect IE Exploit"; flow:established,to_client; file_data; content:"|2f|Trident|5c 2f|(|5c|d)|2f|"; content:"|7c|2551"; pcre:"/^[\x22\x27]/R"; distance:0; content:"|7c|3918"; pcre:"/^[\x22\x27]/R"; content:"|7c|0322"; pcre:"/^[\x22\x27]/R"; classtype:exploit-kit; sid:2018795; rev:5; metadata:created_at 2014_07_28, former_category CURRENT_EVENTS, updated_at 2014_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK inden2i.html"; flow:to_server,established; content:"/inden2i.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017532; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Plugin Detect Java Exploit"; flow:established,to_client; file_data; content:"getVersion"; nocase; content:"Java"; distance:0; content:"3544"; pcre:"/^[\x22\x27]/R"; distance:0; content:"2471"; pcre:"/^[\x22\x27]/R"; content:"2460"; pcre:"/^[\x22\x27]/R"; classtype:exploit-kit; sid:2018796; rev:5; metadata:created_at 2014_07_28, former_category CURRENT_EVENTS, updated_at 2014_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK leks.html"; flow:to_server,established; content:"/leks.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017534; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Plugin Detect Flash Exploit"; flow:established,to_client; file_data; content:"getVersion"; nocase; content:"Flash"; distance:0; content:"0515"; pcre:"/^[\x22\x27]/R"; distance:0; content:"0634"; pcre:"/^[\x22\x27]/R"; content:"0497"; pcre:"/^[\x22\x27]/R"; classtype:exploit-kit; sid:2018797; rev:5; metadata:created_at 2014_07_28, former_category CURRENT_EVENTS, updated_at 2014_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK negc.html"; flow:to_server,established; content:"/negc.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017535; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Infostealer.KLPROXY Checkin via SMTP"; flow:to_server,established; content:"Subject|3a|"; content:"C-H-E-G-O A-V-I-S-O! |2e 3a 3a|Infect|3a 3a 2e|"; distance:5; within:33; reference:md5,422ce789b284eb5aa32124a6bbe86000; classtype:command-and-control; sid:2018798; rev:2; metadata:created_at 2014_07_29, former_category MALWARE, updated_at 2014_07_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK negq.html"; flow:to_server,established; content:"/negq.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017536; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible ShellCode Passed as Argument to FlashVars"; flow:from_server,established; file_data; content:",0x"; fast_pattern; content:",0x"; distance:8; within:3; content:",0x"; distance:8; within:3; content:"FlashVars"; nocase; content:"<param"; nocase; pcre:"/^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27][^=\x22\x27]+=(?:0x[a-f0-9]{8},){15}/Rsi"; classtype:trojan-activity; sid:2018785; rev:3; metadata:created_at 2014_07_26, updated_at 2014_07_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK leks.jar"; flow:to_server,established; content:"/leks.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017537; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert host-galaxy.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|host-galaxy.com"; distance:1; within:16; reference:md5,83c2eb9a2a5315e7fc15d85387886a19; classtype:trojan-activity; sid:2018802; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK start.jar"; flow:to_server,established; content:"/start.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017538; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert fxbingpanel.fareexchange.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|1e|fxbingpanel.fareexchange.co.uk"; distance:1; within:31; reference:md5,3c4e0c0e4dbe2bf0e4d3ca825b95209c; classtype:trojan-activity; sid:2018803; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK stoq.jar"; flow:to_server,established; content:"/stoq.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017539; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert 66h.66hosting.net"; flow:established,from_server; content:"|55 04 03|"; content:"|11|66h.66hosting.net"; distance:1; within:18; reference:md5,f9c0bc6e8c08acbe520df0ab6efcd962; classtype:trojan-activity; sid:2018804; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK erno_rfq.html"; flow:to_server,established; content:"/erno_rfq.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017540; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert businesswebstudios.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|businesswebstudios.com"; distance:1; within:23; reference:md5,b8ca6c78deeb448421073a65f708c34e; classtype:trojan-activity; sid:2018805; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK inden2i.php"; flow:to_server,established; content:"/inden2i.php"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017541; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert udderperfection.com"; flow:established,from_server; content:"|55 04 03|"; content:"|17|www.udderperfection.com"; distance:1; within:24; reference:md5,c8020934a53e888059e734b934043794; classtype:trojan-activity; sid:2018806; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK gami.html"; flow:to_server,established; content:"/gami.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017542; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK CDN Landing Page"; flow:established,to_server; content:"GET"; http_method; content:"stargalaxy.php?nebula="; http_uri; reference:url,malware-traffic-analysis.net/2014/07/24/index.html; classtype:exploit-kit; sid:2018786; rev:3; metadata:created_at 2014_07_26, former_category CURRENT_EVENTS, updated_at 2014_07_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK gami.jar"; flow:to_server,established; content:"/gami.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017543; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DYNAMIC_DNS HTTP Request to *.passinggas.net Domain (Sitelutions)"; flow:established,to_server; content:".passinggas.net"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.passinggas\.net(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018847; rev:2; metadata:created_at 2014_07_30, updated_at 2014_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|HTML)/Ri"; content:"onlosecapture"; nocase; fast_pattern; pcre:"/^(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?(?!function)(?P<func>[^\r\n\s]+)\b.+?function[\r\n\s]+(?P=func)[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{((?!function).)*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(\x22\x22|\x27\x27))?((?!function).)*?document\.write\([\r\n\s]*?(\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\)/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017480; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DYNAMIC_DNS Query to *.passinggas.net Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|0a|passinggas|03|net|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018848; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|HTML)/Ri"; content:"onlosecapture"; fast_pattern; nocase; pcre:"/^(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?function[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{.*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(\x22\x22|\x27\x27))?.*?document\.write\([\r\n\s]*?(\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\)/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017478; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert www.senorwooly.com"; flow:established,from_server; content:"|55 04 03|"; content:"|12|www.senorwooly.com"; distance:1; within:19; reference:md5,c860eee9ca6a7c570b3b4cd7b8e2cd17; classtype:trojan-activity; sid:2018849; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole EK Jar Download URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,16}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|[a-z]{16,20}\/[a-z]{16,20}|closest\/[a-z0-9]+)\.php\?[A-Za-z0-9\!\(\)\*\-\_]+=[A-Za-z0-9\!\(\)\*\-\_]+&[A-Za-z0-9\!\(\)\*\-\_]+=[A-Za-z0-9\!\(\)\*\-\_]+$/U"; classtype:exploit-kit; sid:2017140; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert ns2.sicher.in"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|ns2.sicher.in"; distance:1; within:14; reference:md5,c860eee9ca6a7c570b3b4cd7b8e2cd17; classtype:trojan-activity; sid:2018850; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Obfuscated http 2 digit sep in applet (Seen in HiMan EK)"; flow:established,from_server; file_data; content:"<applet"; content:"value"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]h(?P<sep>\d{2})t(?P=sep)t(?P=sep)p(?P=sep)\x3a/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017551; rev:2; metadata:created_at 2013_10_02, updated_at 2013_10_02;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|badsokspad.in"; distance:1; within:14; reference:md5,c4fe829fc49bb9efec92fe4a8a5d29fc; classtype:domain-c2; sid:2018852; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible CritX/SafePack/FlashPack EXE Download"; flow:established,from_server; content:"filename=e"; http_header; content:".exe"; distance:23; within:4; http_header; pcre:"/filename=e[a-f0-9]{23}\.exe/H"; classtype:exploit-kit; sid:2017297; rev:6; metadata:created_at 2013_08_08, former_category CURRENT_EVENTS, updated_at 2013_08_08;)
+#alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET PHISHING Possible Phishing E-ZPass Email Toll Notification July 30 2014"; flow:to_server,established; content:"|0d 0a|Subject|3a|"; nocase; content:"toll road"; distance:2; within:75; nocase; content:"|0d 0a|From|3a|"; nocase; content:"E-ZPass"; distance:2; within:10; nocase; fast_pattern; reference:url,isc.sans.edu/forums/diary/E-ZPass+phishing+scam/18389; classtype:social-engineering; sid:2018853; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_07_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Variant Payload Download"; flow:established,to_server; urilen:>48; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:3[0-2a-e8-9]|[47][0-2]|2[d-j]|5[2-7]|6[c-e]){5}&[^=]+=(?:3[0-2a-e8-9]|[47][0-2]|2[d-j]|5[2-7]|6[c-e]){10}&/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017076; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a *.rr.nu domain"; flow:established,to_server; content:".rr.nu|0D 0A|"; http_header; classtype:bad-unknown; sid:2012330; rev:5; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT HiMan EK Reporting Host/Exploit Info"; flow:established,to_server; content:".php?ex="; http_uri; content:"&os="; http_uri; content:"&name="; http_uri; content:"&ver="; http_uri; classtype:exploit-kit; sid:2017553; rev:3; metadata:created_at 2013_10_03, former_category CURRENT_EVENTS, updated_at 2013_10_03;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert chinasemservice.com"; flow:established,from_server; content:"|55 04 03|"; content:"|13|chinasemservice.com"; distance:1; within:20; reference:md5,c2ecc111018491cee3853e2c93472bb9; classtype:trojan-activity; sid:2018868; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK sort.html"; flow:to_server,established; content:"/sort.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017533; rev:5; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert ns7-777.777servers.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|ns7-777.777servers.com"; distance:1; within:23; reference:md5,b5b97b4da688aaa6ddbdb6a6e567ffba; classtype:trojan-activity; sid:2018870; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:" DropPayload("; fast_pattern:only; classtype:exploit-kit; sid:2017483; rev:4; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert adodis.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|adodis.com"; distance:1; within:11; reference:md5,cca48e10973344ccc4e995be8e151176; classtype:trojan-activity; sid:2018871; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Payload Download Sep 11 2013"; flow:established,to_server; urilen:>56; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:[^&]?(?:3[0-2a-e8-9]|7[x-y6-7\-3]|x[b-e6-9xz]|\-[b-hy-z9]|w[wa-f6-9]|5[2-9a-e]|[47][0-2]|8[a-ez9]|2[d-j]|6[c-e])){5}&[^=]+=(?:[^&]?(?:3[0-2a-e8-9]|7[x-y6-7\-3]|x[b-e6-9xz]|\-[b-hy-z9]|w[wa-f6-9]|5[2-9a-e]|[47][0-2]|8[a-ez9]|2[d-j]|6[c-e])){10}&/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017454; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert power2.mschosting.com"; flow:established,from_server; content:"|55 04 03|"; content:"|15|power2.mschosting.com"; distance:1; within:22; reference:md5,fb89ab865465d9bf38e24af73cdcd656; classtype:trojan-activity; sid:2018881; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole EK Variant PDF Download"; flow:established,from_server; content:".pdf"; http_header; fast_pattern:only; file_data; content:"%PDF-"; within:100; flowbits:isset,et.BHEK.PDF; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017416; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows Command Prompt OUTBOUND"; flow:established,to_server; content:"Microsoft Windows"; content:"[Version|20|"; distance:0; pcre:"/^\d\.\d\.\d{4}\]\r\n\(C\)\x20Copyright\x20\d{4}(\x2d\d{4})?\x20Microsoft Corp(:?\.|oration)/Ri"; content:"|0d 0a 0d 0a|C|3a 5c 3e|"; fast_pattern; distance:0; isdataat:!2,relative; classtype:trojan-activity; sid:2018885; rev:2; metadata:created_at 2014_08_04, updated_at 2014_08_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Variant PDF Download"; flow:established,to_server; urilen:>48; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=[^&]{10}&[^=]+=[^&]+&[^=]+=[^&]{20}((?P<sep>[^&]{2})(?P=sep)[^&]{20})*?&/U"; flowbits:set,et.BHEK.PDF; flowbits:noalert; classtype:exploit-kit; sid:2017556; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MOBILE_MALWARE Android/Trogle.A Possible Exfiltration of SMS via SMTP"; flow:established,to_server; content:"MAIL FROM|3a|<a137736513@qq.com>"; nocase; reference:md5,ef819779fc4bee6117c124fb752abf57; classtype:trojan-activity; sid:2018887; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_08_04, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE SSH Connection on 443 - Mevade Banner"; flow:to_server,established; content:"SSH-2.0-PuTTY_Local|3a|_Feb__5_2013_18|3a|26|3a|54"; depth:41; classtype:trojan-activity; sid:2017559; rev:2; metadata:created_at 2013_10_05, updated_at 2013_10_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BitcoinMiner C2 SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|19|www.webanalyticsystem.com"; distance:1; within:26; reference:url,www.malware-traffic-analysis.net/2014/07/28/index.html; classtype:coin-mining; sid:2018896; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_08_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Coinminer, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Oct 4 2013"; flow:established,from_server; file_data; content:"Embassy  Tokyo, Japan"; fast_pattern; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017562; rev:6; metadata:created_at 2013_10_05, former_category EXPLOIT_KIT, updated_at 2013_10_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert tradeledstore.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|15 2a 2e|tradeledstore.co.uk"; distance:1; within:22; reference:md5,5b447247c8778b91650e0a9c2e36b1e6; classtype:trojan-activity; sid:2018898; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java CVE-2013-2465 Based on PoC"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"$MyColorModel.class"; content:"$MyColorSpace.class"; reference:cve,2013-2465; reference:url,seclists.org/fulldisclosure/2013/Aug/134; reference:url,malwageddon.blogspot.com/2013/10/unknown-ek-i-wanna-be-billionaire-so.html; classtype:exploit-kit; sid:2017563; rev:3; metadata:created_at 2013_10_08, updated_at 2013_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK Variant Landing Page - Applet Sep 16 2013"; flow:established,to_client; file_data; content:".class"; nocase; fast_pattern:only; content:"<param"; nocase; content:"value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\?\&]e=\d+[\x22\x27]/R"; classtype:exploit-kit; sid:2017474; rev:4; metadata:created_at 2013_09_17, former_category EXPLOIT_KIT, updated_at 2013_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"name=|22|kurban|22|"; distance:0; nocase; content:".exe"; nocase; reference:cve,2013-2465; reference:url,malwageddon.blogspot.com/2013/10/unknown-ek-i-wanna-be-billionaire-so.html; reference:url,seclists.org/fulldisclosure/2013/Aug/134; classtype:attempted-user; sid:2017564; rev:3; metadata:created_at 2013_10_08, former_category CURRENT_EVENTS, updated_at 2013_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing 07/22/13 2"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"param"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017169; rev:4; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2013_07_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx EK jply.html"; flow:established,to_server; content:"/jply.html"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2017576; rev:2; metadata:created_at 2013_10_10, former_category CURRENT_EVENTS, updated_at 2013_10_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT libpng tRNS overflow attempt"; flow: established,to_client; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:!"PLTE"; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; reference:cve,CAN-2004-0597; reference:url,doc.emergingthreats.net/bin/view/Main/2001058; classtype:attempted-admin; sid:2001058; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fake MS Security Update EK (Payload Download)"; flow:established,to_server; content:"/winddl32.exe"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017578; rev:2; metadata:created_at 2013_10_11, former_category CURRENT_EVENTS, updated_at 2013_10_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"unescape"; nocase; fast_pattern:only; content:"[|22|replace|22|]("; nocase; content:"/g"; distance:0; pcre:"/^[\r\n\s]*?\,[\r\n\s]*?[\x22\x27][\%\\]u"/Rsi"; classtype:exploit-kit; sid:2017487; rev:4; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Possible Secondary Indicator of Java Exploit (Artifact Observed mostly in EKs/a few mis-configured apps)"; flow:established,to_server; content:"/javax.xml.datatype.DatatypeFactory"; http_uri; content:"Java/1."; http_header; classtype:exploit-kit; sid:2017579; rev:2; metadata:created_at 2013_10_11, former_category EXPLOIT_KIT, updated_at 2013_10_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SigPlus Pro 3.74 ActiveX LCDWriteString Method Remote Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"69A40DA3-4D42-11D0-86B0-0000C025864A"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; distance:0; content:"|2e|LCDWriteString"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*69A40DA3-4D42-11D0-86B0-0000C025864A\s*}?(.*)\>/si"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*D27CDB6E-AE6D-11cf-96B8-444553540000\s*}?(.*)\>/si"; reference:cve,2010-2931; reference:url,www.exploit-db.com/exploits/14514/; classtype:attempted-user; sid:2012134; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DotkaChef Payload October 09"; flow:to_server,established; content:"sm_main.mp3"; http_uri; fast_pattern; content:"Java/1."; http_header; classtype:trojan-activity; sid:2017580; rev:2; metadata:created_at 2013_10_11, updated_at 2013_10_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MS13-055 CAnchorElement Use-After-Free"; flow:established,from_server; file_data; content:".outer"; fast_pattern; pcre:"/^(?:Text|HTML)[\r\n\s]*?=[\r\n\s]*?(?:\x22\x22|\x27\x27)/Ri"; content:".getElementById("; nocase; content:"<span"; nocase; content:"on"; pcre:"/^(?:(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; content:"<table"; nocase; pcre:"/^((?!<table>).)+?<tr[\r\n\s\>]((?!<\/tr>).)*?<span[\r\n\s\>]((?!<\/span>).)*?<(?:[QU]|S(?:TR(?:IKE|ONG)|U[BP]|MALL|AMP)?|B(?:LINK|DO|IG)?|A(?:CRONYM|BBR)|R(?:[PT]|UBY)|(?:NOB|VA)R|C(?:IT|OD)E|D(?:EL|FN)|I(?:NS)?|KBD|EM|TT)[^>]*?\bid[\r\n\s]*?=/Rsi"; classtype:attempted-user; sid:2017463; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_13, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Aug 30 2013"; flow:established,from_server; file_data; content:"var pp100"; fast_pattern; content:"document.write("; distance:0; pcre:"/^[\r\n\s]*?[\x22\x27]<(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?a(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?p(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?p(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?l(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?e(?:[\x27\x22]\s*?\+\s*?[\x27\x22])?t/Ri"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017405; rev:6; metadata:created_at 2013_09_03, former_category EXPLOIT_KIT, updated_at 2013_09_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument ActiveXObject Uninitialized Memory Corruption Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"MSXML2."; fast_pattern; content:"DOMDocument"; within:23; content:"definition"; nocase; pcre:"/MSXML2\.(FreeThreaded)?DOMDocument(\.[3-6]\.0)?/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-user; sid:2015556; rev:21; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert ip $HOME_NET any -> [195.22.26.231,195.22.26.232] any (msg:"ET MALWARE Connection to AnubisNetworks Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016993; rev:3; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dyre SSL Self-Signed Cert Aug 06 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|94.23.236.54"; distance:1; within:13; reference:md5,384a3c3a250341aa7f7c6aba11467afb; classtype:trojan-activity; sid:2018903; rev:2; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS D-LINK Router Backdoor via Specific UA"; flow:to_server,established; content:"xmlset_roodkcableoj28840ybtide"; http_user_agent; reference:url,www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/; classtype:attempted-admin; sid:2017590; rev:3; metadata:created_at 2013_10_14, updated_at 2013_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing 07/22/13 3"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"jnlp_"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017170; rev:5; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2013_07_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Initial Payload Internet Connectivity Check"; flow:established,to_server; content:"/ep/cl.php"; http_uri; fast_pattern:only; pcre:"/^\/ep\/cl\.php$/U"; reference:url,malwageddon.blogspot.fi/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:exploit-kit; sid:2017589; rev:3; metadata:created_at 2013_10_14, former_category CURRENT_EVENTS, updated_at 2013_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing 07/22/13 4"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:".jar"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017171; rev:4; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2013_07_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Related EK Landing Oct 14 2013"; flow:established,from_server; content:"(2)!=7"; fast_pattern:only; content:"(7)==0"; content:"(6)==1"; content:"javafx_version"; content:"jnlp_href"; content:".getVersion("; pcre:"/^[\r\n\s]*?[\x22\x27]Java[\x22\x27]/R"; content:"document.write("; pcre:"/^[\r\n\s]*?[\x22\x27]<applet/R"; content:"document.write("; pcre:"/^[\r\n\s]*?[\x22\x27]<applet/R"; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2017591; rev:2; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2013_10_15;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 00|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018904; rev:6; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Unknown Malvertising Related EK Redirect Oct 14 2013"; flow:established,to_server; content:".php?tnzppl="; fast_pattern; content:"&endovenafsl="; distance:0; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/mi"; reference:url,malwageddon.blogspot.fi/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:exploit-kit; sid:2017592; rev:1; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2013_10_15;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 02|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018905; rev:6; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NfLog Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/Nfile.asp"; fast_pattern:only; http_uri; content:"Content-Length|3a| 7|0d 0a|"; http_header; content:"GetFile"; depth:7; http_client_body; reference:url,contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html; classtype:command-and-control; sid:2014229; rev:3; metadata:created_at 2012_02_16, former_category MALWARE, updated_at 2012_02_16;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 04|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018906; rev:6; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format Oct 15 2013"; flow:established,to_server; content:"GET"; http_method; content:"/o"; depth:2; http_uri; content:"?h"; http_uri; pcre:"/^\/o[a-z]{4,13}\?h[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017593; rev:7; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag true)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 06|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018907; rev:5; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PHP WebShell Embedded In GIF (OUTBOUND)"; flow:established,to_client; file_data; content:"GIF89"; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017604; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Trojan-Spy.Win32.HavexSysinfo Response"; flow:from_server,established; file_data; content:"<!--havexhavex-->"; fast_pattern:only; reference:url,securelist.com/blog/research/65240/energetic-bear-more-like-a-crouching-yeti/; reference:md5,bdd1d473a56607ec366bb2e3af5aedea; reference:url,802bba9d078a09530189e95e459adcdf; classtype:trojan-activity; sid:2018921; rev:2; metadata:created_at 2014_08_11, updated_at 2014_08_11;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PHP WebShell Embedded In JPG (OUTBOUND)"; flow:established,to_client; file_data; content:"JFIF|00|"; distance:6; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017605; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Applet"; flow:established,from_server; file_data; content:"/x-java-applet"; fast_pattern:only; content:"spl"; nocase; pcre:"/^[\x22\x27]/R"; content:"<object"; nocase; pcre:"/^(?=(?:(?!<\/object>).)+?codebase\s*?=\s*?[\x22\x27]spl[\x22\x27])(?=(?:(?!<\/object>).)+?\/x-java-applet)/Rsi"; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018922; rev:2; metadata:created_at 2014_08_12, former_category CURRENT_EVENTS, updated_at 2014_08_12;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PHP WebShell Embedded In PNG (OUTBOUND)"; flow:established,to_client; file_data; content:"PNG|0D 0A 1A 0A|"; distance:1; within:7; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017606; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"fawa/"; nocase; pcre:"/^[\w.]*?\.class/Rsi"; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018923; rev:2; metadata:created_at 2014_08_12, former_category CURRENT_EVENTS, updated_at 2014_08_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShell Embedded In GIF (INBOUND)"; flow:established,from_server; file_data; content:"GIF89"; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017607; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"a/hidden.class"; nocase; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018924; rev:2; metadata:created_at 2014_08_12, former_category CURRENT_EVENTS, updated_at 2014_08_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShell Embedded In JPG (INBOUND)"; flow:established,from_server; file_data; content:"JFIF|00|"; distance:6; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017608; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PRISM Backdoor"; content:"PRISM v"; pcre:"/^\d+?\.\d+?\sstarted/R"; classtype:trojan-activity; sid:2017314; rev:3; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED vBulletin Administrator Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/install/upgrade.php"; http_uri; content:"username"; http_client_body; content:"password"; http_client_body; distance:0; content:"confirmpassword"; http_client_body; distance:0; reference:url,blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html; classtype:web-application-attack; sid:2017610; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Archie.EK PluginDetect URI Struct"; flow:to_server,established; content:"/log.html?"; http_uri; content:"java="; http_uri; content:"gie="; http_uri; content:"header="; http_uri; classtype:exploit-kit; sid:2018930; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET DELETED Kelihos p2p traffic detected via byte_test CnC Response"; flow:established,from_server; flowbits:isset,ET.Kelihos-P2P; byte_extract:2,2,kelihos.p2p; byte_test:2,=,kelihos.p2p,6; byte_test:2,=,kelihos.p2p,10; byte_test:2,=,kelihos.p2p,14; byte_test:2,=,kelihos.p2p,18; byte_test:2,=,kelihos.p2p,22; byte_test:2,!=,kelihos.p2p,0; byte_test:2,!=,kelihos.p2p,4; byte_test:2,!=,kelihos.p2p,8; byte_test:2,!=,kelihos.p2p,25; classtype:command-and-control; sid:2017614; rev:2; metadata:created_at 2013_10_18, updated_at 2013_10_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Archie.EK CVE-2013-2551 URI Struct"; flow:to_server,established; content:"/ie8910.html"; http_uri; classtype:exploit-kit; sid:2018931; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Onkod.Downloader Executable Download"; flow:established,to_server; content:"/js/"; http_uri; content:".exe"; fast_pattern; http_uri; content:"User-Agent|3A 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64|3b| rv|3a|22.0) Gecko/20100101 Firefox/22.0|0D 0A|"; http_header; pcre:"/\x2Fjs\x2F[\r\n]*\x2Eexe$/U"; reference:url,blog.fortinet.com/Avoiding-Heuristic-Detection/; classtype:trojan-activity; sid:2017617; rev:3; metadata:created_at 2013_10_18, former_category MALWARE, updated_at 2019_10_16;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,to_client; content:"|55 04 03|"; content:"|12|alohafriends12.com"; distance:1; within:19; reference:md5,9c98ef776a651cc4269acde3755d3a5a; classtype:domain-c2; sid:2018935; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET DELETED Kelihos p2p traffic detected via byte_test - SET"; flow:established,to_server; dsize:100<>2000; pcre:"/^[^OGHPDTCMLUVRBAS]/"; content:!"HTTP/1."; byte_extract:2,2,kelihos.p2p; byte_test:2,=,kelihos.p2p,6; byte_test:2,=,kelihos.p2p,10; byte_test:2,=,kelihos.p2p,14; byte_test:2,=,kelihos.p2p,18; byte_test:2,=,kelihos.p2p,22; byte_test:2,!=,kelihos.p2p,0; byte_test:2,!=,kelihos.p2p,4; byte_test:2,!=,kelihos.p2p,8; byte_test:2,!=,kelihos.p2p,25; flowbits:set,ET.Kelihos-P2P; flowbits:noalert; classtype:trojan-activity; sid:2017612; rev:5; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1f|kpai7ycr7jxqkilp.totortoweb.com"; distance:1; within:32; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018939; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT Possible Cutwail Redirect to Magnitude EK"; flow:established,to_server; urilen:15; content:"/messag_id.html"; http_uri; fast_pattern:only; reference:url,www.secureworks.com/resources/blog/research/cutwail-spam-swapping-blackhole-for-magnitude-exploit-kit/; classtype:exploit-kit; sid:2017621; rev:3; metadata:created_at 2013_10_21, former_category CURRENT_EVENTS, updated_at 2013_10_21;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible ClickFraud Trojan Socks5 Connection"; flow:to_server,established; content:"socks5init|3a|"; depth:11; threshold: type limit,track by_src, count 1, seconds 300; flowbits:set,ET.2018855; reference:md5,2a0e042fdb2d85c2abf8bd35499ee1aa; reference:md5,c4d3db0eadc650372225d0093cd442ba; reference:md5,4c1f7c4f6d00869a6fca9fdcbadc9633; classtype:trojan-activity; sid:2018855; rev:2; metadata:created_at 2014_07_30, updated_at 2014_07_30;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tenda Router Backdoor 1"; content:"w302r_mfg|00|"; depth:10; reference:url,www.devttys0.com/2013/10/from-china-with-love/; classtype:attempted-admin; sid:2017623; rev:3; metadata:created_at 2013_10_21, updated_at 2013_10_21;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ClickFraud Trojan Socks5 Init Response"; flow:established,from_server; flowbits:isset,ET.2018855; dsize:6<>9; content:"|fe|"; depth:1; content:"|1f|"; distance:4; within:1; reference:md5,de31e17ff4b3791c92a93b72d779e61f; classtype:trojan-activity; sid:2018941; rev:2; metadata:created_at 2014_08_14, updated_at 2014_08_14;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tenda Router Backdoor 2"; content:"rlink_mfg|00|"; depth:10; reference:url,www.devttys0.com/2013/10/from-china-with-love/; classtype:attempted-admin; sid:2017624; rev:3; metadata:created_at 2013_10_21, updated_at 2013_10_21;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|koskoskos11.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018942; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS 81a338 Hacked Site Response (Outbound)"; flow:established,from_server; file_data; content:"<!--81a338-->"; fast_pattern:only; classtype:trojan-activity; sid:2017625; rev:6; metadata:created_at 2013_10_22, updated_at 2013_10_22;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|atspotfto.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018943; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS 81a338 Hacked Site Response (Inbound)"; flow:established,from_server; file_data; content:"<!--81a338-->"; fast_pattern:only; classtype:trojan-activity; sid:2017626; rev:7; metadata:created_at 2013_10_22, updated_at 2013_10_22;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.securessl.in"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018944; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE Possible Sakura Jar Download Oct 22 2013"; flow:to_server,established; content:!".jar"; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; content:".pl|3a|"; http_header; pcre:"/^\/[a-z]+([_-][a-z]+)*\.[a-z]{1,3}$/U"; pcre:"/^Host\x3a\x20[a-z0-9]+\.[a-z0-9]+\.[a-z0-9]+\.pl\x3a\d{2,5}\r$/Hm"; classtype:trojan-activity; sid:2017628; rev:4; metadata:created_at 2013_10_23, former_category CURRENT_EVENTS, updated_at 2013_10_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|zao-sky.ru"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018947; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack Oct 23 2013"; flow:to_server,established; content:".php?cashe="; http_uri; fast_pattern:only; content:"Java/1."; http_user_agent; pcre:"/\.php\?cashe=\d+$/U"; classtype:trojan-activity; sid:2017629; rev:4; metadata:created_at 2013_10_23, updated_at 2013_10_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ZeroLocker EXE Download"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|5c 50 72 6f 6a 65 63 74 73 5c 5a 65 72 6f 4c 6f 63 6b 65 72 5c|"; reference:url,securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-rescue/; reference:url,webroot.com/blog/2014/08/14/zero-locker/; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-081521-4509-9; classtype:trojan-activity; sid:2018963; rev:2; metadata:created_at 2014_08_19, former_category CURRENT_EVENTS, updated_at 2014_08_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|7c 68 a3 34 36|"; within:5; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017630; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malvertising Leading to EK Aug 19 2014 M3"; flow:established,from_server; file_data; content:"<script>function z("; content:"createElement|28 22|iframe|22 29|"; distance:0; content:".style.left = |22|-"; content:".style.top = |22|-"; content:"|3b|}z()|3b|</script></body></html>"; distance:0; fast_pattern; classtype:exploit-kit; sid:2018965; rev:2; metadata:created_at 2014_08_20, former_category CURRENT_EVENTS, updated_at 2014_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible CoolEK Variant Payload Download Sep 16 2013"; flow:to_server,established; content:"Java/1."; http_user_agent; content:"&e="; http_uri; content:!"osk188.com"; http_header; pcre:"/=\d+&e=\d+$/U"; classtype:exploit-kit; sid:2017473; rev:6; metadata:created_at 2013_09_17, former_category EXPLOIT_KIT, updated_at 2013_09_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malvertising Leading to EK Aug 19 2014 M1"; flow:established,from_server; file_data; content:"readed|3b| max-age"; fast_pattern:only; content:"document.cookie"; pcre:"/^\s*?=\s*?[\x22\x27](?P<var>[^\s\x3b]+)\s*?=\s*?readed\x3b.*?document.cookie.indexOf\s*?\(\s*?[\x22\x27](?P=var)[\x22\x27]/Rsi"; content:".top"; pcre:"/^\s*?=\s*?[\x22\x27]\-/Rsi"; classtype:exploit-kit; sid:2018966; rev:2; metadata:created_at 2014_08_20, former_category CURRENT_EVENTS, updated_at 2014_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netgear WNDR4700 Auth Bypass"; flow:to_server,established; content:"/BRS_03B_haveBackupFile_fileRestore.html"; http_uri; nocase; reference:url,securityevaluators.com/content/case-studies/routers/netgear_wndr4700.jsp; classtype:attempted-admin; sid:2017631; rev:2; metadata:created_at 2013_10_25, updated_at 2013_10_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malvertising Leading to EK Aug 19 2014 M2"; flow:established,from_server; file_data; content:"readed|3b| max-age"; fast_pattern:only; content:"document.cookie.indexOf"; pcre:"/^\s*?\(\s*?[\x22\x27](?P<var>[^\x22\x27]+)[\x22\x27].+?document\.cookie\s*?=\s*?[\x22\x27][^\x22\x27]*?(?P=var)\s*?=\s*?readed\x3b/Rsi"; content:".top"; pcre:"/^\s*?=\s*?[\x22\x27]\-/Rsi"; classtype:exploit-kit; sid:2018967; rev:2; metadata:created_at 2014_08_20, former_category CURRENT_EVENTS, updated_at 2014_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netgear WNDR3700 Auth Bypass"; flow:to_server,established; content:"/BRS_02_genieHelp.html"; http_uri; nocase; reference:url,shadow-file.blogspot.ro/2013/10/complete-persistent-compromise-of.html; classtype:attempted-admin; sid:2017632; rev:2; metadata:created_at 2013_10_25, updated_at 2013_10_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Social Engineering Toolkit Web Clone code detected"; flow:established,from_server; file_data; content:"|3c|param name=|22|"; content:"value=|22|nix.bin|22 3e|"; distance:0; reference:url,trustedsec.com/downloads/social-engineer-toolkit/; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:2018972; rev:2; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_08_21, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Glazunov EK Downloading Jar"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".zip"; http_uri; pcre:"/\/\d+\/\d\.zip$/U"; classtype:exploit-kit; sid:2017011; rev:7; metadata:created_at 2013_06_13, updated_at 2013_06_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PE downloaded malicious SSL certificate (CZ Solutions)"; flow:established,to_client; flowbits:isset,ET.http.binary; file_data; content:"|43 5a 20 53 6f 6c 75 74 69 6f 6e 20 43 6f 2e 2c 20 4c 74 64 2e|"; reference:url,www.fireeye.com/blog/technical/2014/07/the-little-signature-that-could-the-curious-case-of-cz-solution.html; classtype:domain-c2; sid:2018748; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Landing Page Oct 25 2013"; flow:established,from_server; file_data; content:"fromCharCode"; content:"+0+0+3-1-1"; fast_pattern; within:100; content:"substr"; content:"(3-1)"; within:100; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017635; rev:4; metadata:created_at 2013_10_25, updated_at 2013_10_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE LDPinch SMTP Password Report with mail client The Bat!"; flow:established,to_server; content:"X-Mailer|3a| The Bat!"; fast_pattern; content:"|0d 0a|Content-Disposition|3a| attachment|3b|"; content:!"|0d 0a|Subject|3a| Undeliverable|3a|"; reference:url,doc.emergingthreats.net/2008411; classtype:trojan-activity; sid:2008411; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated fromCharCode"; flow:established,from_server; file_data; content:"|22|f"; nocase; content:!"romCharcode"; nocase; within:11; pcre:"/^(?:\x22\s*?\+\s*?\x22)?r(?:\x22\s*?\+\s*?\x22)?o(?:\x22\s*?\+\s*?\x22)?m(?:\x22\s*?\+\s*?\x22)?C(?:\x22\s*?\+\s*?\x22)?h(?:\x22\s*?\+\s*?\x22)?a(?:\x22\s*?\+\s*?\x22)?r(?:\x22\s*?\+\s*?\x22)?c(?:\x22\s*?\+\s*?\x22)?o(?:\x22\s*?\+\s*?\x22)?d(?:\x22\s*?\+\s*?\x22)?e/Ri"; classtype:bad-unknown; sid:2017565; rev:4; metadata:created_at 2013_10_08, updated_at 2013_10_08;)
+#alert tcp $EXTERNAL_NET [!21,!22,!23,!2100,!3535] -> $HOME_NET 1024:65535 (msg:"ET WEB_CLIENT Possible GnuTLS Client ServerHello SessionID Overflow CVE-2014-3466"; flow:established,to_client; content:"|16 03|"; depth:2; byte_test:1,<,4,2; content:"|02|"; distance:3; within:1; content:"|03|"; distance:3; within:1; byte_test:1,<,4,0,relative; byte_test:4,>,1370396981,1,relative; byte_test:4,<,1465091381,1,relative; byte_test:1,>,32,33,relative; reference:url,radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/; reference:cve,2014-3466; classtype:attempted-user; sid:2018537; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_06_06, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated fromCharCode"; flow:established,from_server; file_data; content:"|27|f"; nocase; content:!"romCharcode"; nocase; within:11; pcre:"/^(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?o(?:\x27\s*?\+\s*?\x27)?m(?:\x27\s*?\+\s*?\x27)?C(?:\x27\s*?\+\s*?\x27)?h(?:\x27\s*?\+\s*?\x27)?a(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?c(?:\x27\s*?\+\s*?\x27)?o(?:\x27\s*?\+\s*?\x27)?d(?:\x27\s*?\+\s*?\x27)?e/Ri"; classtype:bad-unknown; sid:2017566; rev:5; metadata:created_at 2013_10_08, updated_at 2013_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Hoic.zip retrieval"; flow:from_server,established; file_data; content:"Hoic/buttons2/PK"; content:"Hoic/buttons2/buttons.rar"; distance:0; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018976; rev:3; metadata:created_at 2014_08_21, updated_at 2014_08_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SibHost Jar Request"; flow:established,to_server; content:".jar?m="; http_uri; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; pcre:"/\.jar\?m=[1-2]$/U"; classtype:trojan-activity; sid:2015951; rev:17; metadata:created_at 2012_11_28, updated_at 2012_11_28;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Machete FTP activity"; flow:established,to_server; content:"CWD |2e 2e 2f|KeyLog_History"; depth:21; classtype:trojan-activity; sid:2018980; rev:2; metadata:created_at 2014_08_22, updated_at 2014_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible SibHost PDF Request"; flow:established,to_server; content:".pdf?p=1&s="; http_uri; fast_pattern:only; pcre:"/\.pdf\?p=1&s=[1-2]$/U"; classtype:trojan-activity; sid:2016035; rev:3; metadata:created_at 2012_12_14, updated_at 2012_12_14;)
+alert tcp $HOME_NET 1023: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.VB.Alsci/Dragon Eye RAT Checkin (sending user info)"; flow:to_server,established; content:"Auth"; nocase; depth:4; content:" @ "; within:128; content:"|5C 23 2F|"; within:128; content:"|5C 23 2F|"; within:32; content:"|5C 23 2F|"; fast_pattern; within:20; reference:md5,37207835e128516fe17af3dacc83a00c; reference:md5,e7d9bc670d69ad8a6ad2784255324eec; classtype:command-and-control; sid:2016913; rev:5; metadata:created_at 2011_05_17, former_category MALWARE, updated_at 2011_05_17;)
 
-#alert http any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Alpha Networks ADSL2/2+ router remote administration password disclosure"; flow:to_server,established; content:"/APIS/returnJSON.htm"; http_uri; reference:url,packetstorm.foofus.com/1208-exploits/asl26555_pass_disclosure.txt; classtype:attempted-admin; sid:2017638; rev:2; metadata:created_at 2013_10_28, updated_at 2013_10_28;)
+#alert tcp 188.95.234.6 any -> $HOME_NET [22,443] (msg:"ET SCAN Non-Malicious SSH/SSL Scanner on the run"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,pki.net.in.tum.de/node/21; reference:url,isc.sans.edu/diary/SSH%2bscans%2bfrom%2b188.95.234.6/15532; classtype:network-scan; sid:2016763; rev:7; metadata:created_at 2013_04_17, updated_at 2013_04_17;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Adwave Agent Access"; flow: to_server,established; uricontent:"/search_404.aspx?aff="; nocase; reference:url,www.intermute.com/spyware/HuntBar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001318; classtype:policy-violation; sid:2001318; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Info Stealer - HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0d 0a|Content-Type|3a| multipart/form-data|3b| boundary|3d|"; nocase; content:"name=\"id\"|0d 0a|"; nocase; content:"name=\"upt\"|0d 0a|"; nocase; content:"name=\"mode\"|0d 0a|"; nocase; content:"name=\"version\"|0d 0a|"; nocase; content:"name=\"cpu\"|0d 0a|"; nocase; fast_pattern; content:"name=\"ram\"|0d 0a|"; nocase; content:"name=\"os\"|0d 0a|"; nocase; content:"name=\"user\"|0d 0a|"; nocase; content:"name=\"user\"|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2009470; classtype:trojan-activity; sid:2009470; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Host Domain .bit"; flow:established,to_server; content:".bit|0D 0A|"; fast_pattern:only; http_header; pcre:"/^Host\x3a [^\r\n]+?\.bit\r\n$/Hmi"; reference:url,www.normanshark.com/blog/necurs-cc-domains-non-censorable/; classtype:bad-unknown; sid:2017644; rev:2; metadata:created_at 2013_10_30, updated_at 2013_10_30;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1023: (msg:"ET MALWARE Turkojan C&C nxt Command (nxt)"; flow:established,from_server; dsize:3; content:"nxt"; depth:3; reference:url,doc.emergingthreats.net/2008029; classtype:command-and-control; sid:2008029; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.NfLog Checkin (TTip)"; flow:to_server,established; content:"/NfStart.asp?ClientId="; http_uri; nocase; reference:url,contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html; classtype:command-and-control; sid:2014266; rev:4; metadata:created_at 2012_02_21, former_category MALWARE, updated_at 2012_02_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK Thread Specific Java Exploit"; flow:established,to_server; content:"GET"; http_method; content:"/Fqxzdh.jar"; http_uri; fast_pattern:only; content:" Java/1."; http_user_agent; pcre:"/\/Fqxzdh\.jar$/U"; reference:url,malware-traffic-analysis.net/2014/07/24/index.html; classtype:exploit-kit; sid:2018987; rev:4; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SofosFO/Grandsoft Plugin-Detect"; flow:established,to_client; file_data; content:"go2Page(|27|/|27|+PluginDetect.getVersion(|22|AdobeReader|22|)+|27|.pdf|27|)|3b|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017650; rev:2; metadata:created_at 2013_10_31, updated_at 2013_10_31;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Landing Aug 22 2014"; flow:established,from_server; file_data; content:"|5d 2f 67 2c 27 27 29 2e 73 75 62 73 74 72 28|"; content:"|5d 2f 67 2c 27 27 29 2e 73 75 62 73 74 72 28|"; within:500; content:"ActiveXObject"; pcre:"/^\s*?\(\s*?[\x22\x27](?!AgControl\.AgControl)[^\x22\x27]*?A[^\x22\x27]*?g[^\x22\x27]*?C[^\x22\x27]*?o[^\x22\x27]*?n[^\x22\x27]*?t[^\x22\x27]*?r[^\x22\x27]*?o[^\x22\x27]*?l[^\x22\x27]*?\.[^\x22\x27]*?A[^\x22\x27]*?g[^\x22\x27]*?C[^\x22\x27]*?o[^\x22\x27]*?n[^\x22\x27]*?t[^\x22\x27]*?r[^\x22\x27]*?o[^\x22\x27]*?l[^\x22\x27]*?[\x22\x27]\s*?\.\s*?replace\s*?\(/Rsi"; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018988; rev:2; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET DELETED Possible Neutrino EK Landing URI Format Nov 1 2013"; flow:established,to_server; urilen:18<>37; content:"GET"; http_method; content:"?"; http_uri; offset:6; depth:11; content:"="; http_uri; distance:5; within:8; pcre:"/^\/[a-z]{5,14}\?[a-z]{5,12}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017652; rev:8; metadata:created_at 2013_11_01, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Landing URI Sruct Aug 22 2014"; flow:established,to_server; urilen:16; content:"/nhqdxa/eipm.php"; http_uri; fast_pattern:only; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018989; rev:2; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download Sep 19 2013"; flow:established,to_server; content:"Java/1."; fast_pattern:only; http_user_agent; content:"/f"; http_uri; content:"?j"; http_uri; distance:0; pcre:"/\/f[a-z]+?\?j[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017493; rev:4; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Payload URI Sruct Aug 22 2014"; flow:established,to_server; urilen:16; content:"/nhqdxa/yztl.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018990; rev:2; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Exploit Download Sep 19 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/r"; http_uri; content:"?j"; http_uri; distance:0; pcre:"/\/r[a-z]+?\?j[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017492; rev:4; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Silverlight URI Sruct Aug 22 2014"; flow:established,to_server; urilen:16; content:"/nhqdxa/vpclcy.x"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018991; rev:3; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format Sep 19 2013"; flow:established,to_server; content:"GET"; http_method; content:"/g"; depth:2; http_uri; content:"?t"; http_uri; distance:0; pcre:"/^\/g[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?t[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017491; rev:5; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Flash URI Sruct Aug 22 2014"; flow:established,to_server; urilen:17; content:"/nhqdxa/oujyt.swf"; http_uri; fast_pattern:only; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018992; rev:2; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format Sep 30 2013"; flow:established,to_server; content:"GET"; http_method; content:"/k"; depth:2; http_uri; content:"?e"; http_uri; pcre:"/^\/k[a-z]{4,13}\?e[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017266; rev:7; metadata:created_at 2013_08_01, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Payload URI Sruct Aug 22 2014"; flow:established,to_server; urilen:19; content:"/nhqdxa/gjtzssq.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018993; rev:2; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download Sep 30 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/f"; http_uri; content:"?f"; http_uri; distance:0; pcre:"/\/f[a-z]+?\?f[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017268; rev:7; metadata:created_at 2013_08_01, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Secondary Landing Aug 24 2014"; flow:established,to_server; content:"/ie8910b.html"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018997; rev:3; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download 2"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/j"; http_uri; pcre:"/\/j[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017180; rev:4; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows systeminfo Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Host Name|3a|"; content:"OS Name|3a|"; content:"OS Version|3a|"; content:"OS Manufacturer|3a|"; content:"Microsoft Corporation"; distance:0; content:"OS Configuration|3a|"; content:"OS Build Type|3a|"; content:"Registered Owner|3a|"; content:"Registered Organization|3a|"; content:"Product ID|3a|"; content:"Original Install Date|3a|"; content:"System Up Time|3a|"; content:"System Manufacturer|3a|"; content:"System Model|3a|"; content:"System type|3a|"; content:"Processor|28|s|29 3a|"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019002; rev:1; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/j"; http_uri; content:"?l"; http_uri; distance:0; pcre:"/\/j[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017179; rev:4; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Exploit Flash Post Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"id="; http_client_body; depth:3; content:"&dom=687474703a2f2f"; http_client_body; fast_pattern:only; content:"2e706870"; http_client_body; pcre:"/^id=[^&]+&dom=687474703a2f2f[a-f0-9]+2e706870\s*?$/Ps"; classtype:exploit-kit; sid:2019004; rev:2; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format July 04 2013"; flow:established,to_server; content:"GET"; http_method; content:"/s"; depth:2; http_uri; pcre:"/^\/s[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?d[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017104; rev:4; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Exploit Landing Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"/msie.php"; http_uri; pcre:"/[^=]+?=(?:(?:[46][1-9a-f]|[57][0-9a]|3[0-9]|2d)+?2e)+(?:[46][1-9a-f]|[57][0-9a]|3[0-9]|2d)+\s*?/P"; classtype:exploit-kit; sid:2019006; rev:2; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format"; flow:established,to_server; content:"GET"; http_method; content:"/a"; depth:2; http_uri; pcre:"/^\/a[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?q[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2016975; rev:3; metadata:created_at 2013_06_05, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlashPack EK JS Include Aug 25 2014"; flow:established,from_server; file_data; content:"function hex2bin(hex)"; within:21; content:"function rc4"; distance:0; content:!"function "; distance:0; classtype:exploit-kit; sid:2019007; rev:2; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Downloading Jar"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/m"; http_uri; content:"?l"; http_uri; distance:0; pcre:"/\/m[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2016551; rev:8; metadata:created_at 2013_03_08, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack Java Payload"; flow:established,to_server; content:"/load"; http_uri; fast_pattern:only; content:".php?id="; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2019008; rev:8; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Payload Download"; flow:established,to_server; urilen:15; content:"Java/1."; http_header; content:"/1"; depth:2; http_uri; pcre:"/^\/1[a-z0-9]{13}$/U"; classtype:exploit-kit; sid:2017571; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack Payload"; flow:established,to_server; content:"/load"; http_uri; fast_pattern:only; content:".php"; http_uri; pcre:"/\/load(?:fla(2001[34]|0515)|msie\d{0,2}|20132551|jimage|silver|0322|db|im|rh)\.php/U"; content:!"Referer|3a|"; http_header; classtype:exploit-kit; sid:2017813; rev:9; metadata:created_at 2013_12_06, former_category CURRENT_EVENTS, updated_at 2013_12_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Malicious Cookie Set By Flash Malvertising"; flow:established,to_server; content:"|0d 0a|Cookie|3a 20|asg325we234=1|0d 0a|"; reference:md5,cce9dcad030c4cba605a8ee65572136a; classtype:trojan-activity; sid:2017660; rev:2; metadata:created_at 2013_11_04, former_category CURRENT_EVENTS, updated_at 2013_11_04;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 b8 68 97 9e dc 1f a8 cc|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0c|local.domain"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019009; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Fredcot campaign php5-cgi initial exploit"; flow:to_server,established; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"Mobile/10A5355d"; http_user_agent; content:"<?php"; depth:5; http_client_body; content:"fredcot"; http_client_body; fast_pattern; reference:cve,2012-1823; reference:url,eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/; classtype:web-application-attack; sid:2017663; rev:2; metadata:created_at 2013_11_05, former_category CURRENT_EVENTS, updated_at 2013_11_05;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019010; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-#alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fredcot campaign IRC CnC"; flow:to_server,established; content:"JOIN #1111 ddosit"; reference:md5,e69bbd29f2822c1846d569ace710c9d5; reference:url,permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/20243; classtype:command-and-control; sid:2017665; rev:3; metadata:created_at 2013_11_05, former_category CURRENT_EVENTS, updated_at 2013_11_05;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019011; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-#alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET 21 (msg:"ET MALWARE Fredcot campaign payload download"; flow:to_server,established; content:"PASS fredcot123|0d 0a|"; reference:md5,e69bbd29f2822c1846d569ace710c9d5; reference:url,permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/20243; classtype:trojan-activity; sid:2017664; rev:5; metadata:created_at 2013_11_05, former_category CURRENT_EVENTS, updated_at 2013_11_05;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019012; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Napolar Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:"v="; depth:2; http_client_body; content:"&u="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; content:"&s={"; distance:0; http_client_body; content:"}&w="; fast_pattern; distance:0; http_client_body; content:"&b="; distance:0; http_client_body; pcre:"/&s=\{[A-Z0-9]{8}-([A-Z0-9]{4}-){3}[A-Z0-9]{12}\}&w=(\d{1,2}\.){2}\d{1,2}&b=(32|64)$/Pi"; reference:url,blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/; reference:url,www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/; reference:md5,2c344add2ee6201f4e2cdf604548408b; classtype:trojan-activity; sid:2017527; rev:3; metadata:created_at 2013_09_27, updated_at 2013_09_27;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019013; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Backdoor.Adwind Download"; flow:established,from_server; file_data; content:"plugins/AdwindServer.class"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99&tabid=3; classtype:attempted-user; sid:2017668; rev:4; metadata:created_at 2013_11_06, updated_at 2013_11_06;)
+alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 106.187.96.49 blacklistthisdomain.com"; content:"|00 01 00 01|"; content:"|00 04 6a bb 60 31|"; distance:4; within:6; classtype:trojan-activity; sid:2016591; rev:6; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Zip File"; flow:established,from_server; file_data; content:"PK|03 04|"; within:4; flowbits:set,et.http.PK; flowbits:noalert; classtype:misc-activity; sid:2017669; rev:5; metadata:created_at 2013_11_06, updated_at 2013_11_06;)
+#alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg:"ET DELETED iroffer IRC Bot offered files advertisement"; flow: from_server,established; content:"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"; depth: 500; reference:url,iroffer.org; reference:url,doc.emergingthreats.net/bin/view/Main/2000339; classtype:trojan-activity; sid:2000339; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible CVE-2013-3906 CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"MyWebClient"; depth:11; http_user_agent; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:command-and-control; sid:2017671; rev:5; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2013_11_06;)
+#alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg:"ET DELETED iroffer IRC Bot help message"; flow: from_server,established; content:"|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 65 3A 20 22 2F 6D 73 67|"; depth: 500; reference:url,iroffer.org; reference:url,doc.emergingthreats.net/bin/view/Main/2000338; classtype:trojan-activity; sid:2000338; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Word DOCX with Many ActiveX Objects and Media"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"word/activeX/activeX40.xml"; nocase; content:"word/media/"; nocase; reference:url,blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2; classtype:trojan-activity; sid:2017670; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan peer exchange"; flow:established,to_server; content:"|01|hs5p|0000|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003138; classtype:trojan-activity; sid:2003138; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx iframe with obfuscated Java version check Jul 04 2013"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<div"; within:8; pcre:"/(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{10,20}(?P=space)[0-9a-z]{2}(?P=space)(?P<w>[0-9a-z]{2})(?P<i>[0-9a-z]{2})(?P<n>[0-9a-z]{2})[0-9a-z]{4}(?P=w)[0-9a-z]{10}(?P=i)(?P=n)[0-9a-z]{28}(?P=i)[0-9a-z]{2}(?P=n)[0-9a-z]{6}(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017295; rev:6; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
+#alert tcp any 25 -> any any (msg:"ET DELETED SpamThru trojan SMTP test successful"; flow:established,to_client; dsize:6; content:"XSMTPX"; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003139; classtype:trojan-activity; sid:2003139; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx iframe with obfuscated CVE-2013-2551"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<div"; within:8; pcre:"/(?P<a>[0-9a-z]{2})(?P<s>(?!(?P=a))[0-9a-z]{2})[0-9a-z]{2}(?P=s)[0-9a-z]{2}(?P<y>[0-9a-z]{2})[0-9a-z]{4}(?P<dot>[0-9a-z]{2})(?P=a)(?P<r>[0-9a-z]{2})(?P=r)(?P=a)(?P=y)(?P=dot)/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017693; rev:2; metadata:created_at 2013_11_07, updated_at 2013_11_07;)
+#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan update request"; flow:established,to_server; content:"|01|hs5p|0001|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003140; classtype:trojan-activity; sid:2003140; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT FaceBook IM & Web Driven Facebook Trojan Download"; flow:established,to_server; content:"/dlimage4.php"; http_uri; content:".best.lt.ua|0d 0a|"; http_header; pcre:"/Host\x3a\x20[a-z]{6}\.best.lt\.ua\r$/Hm"; reference:url,pastebin.com/raw.php?i=tdATTg7L; classtype:trojan-activity; sid:2017696; rev:5; metadata:created_at 2013_11_08, former_category CURRENT_EVENTS, updated_at 2013_11_08;)
+#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan AV DLL request"; flow:established,to_server; content:"|01|hs5p|0007|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003141; classtype:trojan-activity; sid:2003141; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:attempted-user; sid:2015663; rev:4; metadata:created_at 2012_08_29, updated_at 2012_08_29;)
+#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan spam template request"; flow:established,to_server; content:"|01|hs5p|0004|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003142; classtype:trojan-activity; sid:2003142; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Daemonize Trojan Proxy Initial Checkin"; flow:established,to_server; content:"/command.php?IP="; http_uri; content:"&P1="; http_uri; content:"&P2="; http_uri; content:"&ID="; http_uri; content:"&SP="; http_uri; content:"&CT="; http_uri; content:"&L1="; http_uri; content:"&L2="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanProxy%3AWin32%2FDaemonize.A&ThreatID=-2147464655; classtype:trojan-activity; sid:2013541; rev:3; metadata:created_at 2011_09_06, updated_at 2011_09_06;)
+#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan spam run report"; flow:established,to_server; content:"|01|hs5p|0005|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003143; classtype:trojan-activity; sid:2003143; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET DELETED Wordpress possible Malicious DNS-Requests - wordpress.com.*"; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013356; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan AV scan report"; flow:established,to_server; content:"|01|hs5p|0008|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003144; classtype:trojan-activity; sid:2003144; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/basicstats.php?"; nocase; http_uri; content:"AjaxHandler="; nocase; http_uri; pcre:"/AjaxHandler\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,46771; reference:url,xforce.iss.net/xforce/xfdb/65942; reference:url,packetstorm.linuxsecurity.com/1103-exploits/Interleave5.5.0.2-xss.txt; classtype:web-application-attack; sid:2012582; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Status OK"; flow:established,to_server; dsize:2; content:"OK"; reference:url,doc.emergingthreats.net/2007963; classtype:trojan-activity; sid:2007963; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED mySeatXT SQL Injection Attempt autocomplete.php field DELETE"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012578; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Vipdataend C&C Traffic - Status OK (variant 2)"; flowbits:isset,ET.vipdataend; flow:established,to_server; dsize:1; content:"1"; depth:1; reference:url,doc.emergingthreats.net/2009026; classtype:command-and-control; sid:2009026; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED mySeatXT SQL Injection Attempt autocomplete.php field UNION SELECT"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012576; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Checkin (variant 3)"; flow:established,to_server; dsize:<42; content:"|3a|Windows "; depth:11; offset:2; reference:url,doc.emergingthreats.net/2009037; classtype:trojan-activity; sid:2009037; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php UPDATE"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005870; classtype:web-application-attack; sid:2005870; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic Checkin"; flow:established,to_server; dsize:<20; content:"|3a 20|"; offset:2; depth:6; content:"|20 7c 20|"; within:10; reference:url,doc.emergingthreats.net/2007962; classtype:trojan-activity; sid:2007962; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php ASCII"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005869; classtype:web-application-attack; sid:2005869; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Server Status OK"; flow:established,to_server; dsize:2; content:"OK"; reference:url,doc.emergingthreats.net/2007964; classtype:trojan-activity; sid:2007964; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php DELETE"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005868; classtype:web-application-attack; sid:2005868; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Checkin (XY)"; flow:established,to_server; dsize:<20; content:"XY|3a|2|7c|212"; offset:0; depth:9; reference:url,doc.emergingthreats.net/2007970; classtype:trojan-activity; sid:2007970; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php INSERT"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005867; classtype:web-application-attack; sid:2005867; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Checkin (FYWL)"; flow:established,to_server; dsize:11; content:"FYWL|3a|2|7c|212"; offset:0; depth:11; reference:url,doc.emergingthreats.net/2008223; classtype:trojan-activity; sid:2008223; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005866; classtype:web-application-attack; sid:2005866; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Checkin (XYLL)"; flow:established,to_server; dsize:11; content:"XYLL|3a|2|7c|212"; offset:0; depth:11; reference:url,doc.emergingthreats.net/2008224; classtype:trojan-activity; sid:2008224; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php SELECT"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005865; classtype:web-application-attack; sid:2005865; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend/Ceckno C&C Traffic - Checkin"; flow:established,to_server; dsize:<30; content:"VERSONEXc|3a|2|7c|212|7c|"; depth:16; reference:url,doc.emergingthreats.net/2008254; classtype:trojan-activity; sid:2008254; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005371; classtype:web-application-attack; sid:2005371; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED Delf CnC Channel Packet 1 reply"; flowbits:isset,ET.unk.1; flow:established,from_server; dsize:<15; content:"|05 00 00 00|"; depth:4; flowbits:set,ET.unk.2; reference:url,doc.emergingthreats.net/2008007; classtype:command-and-control; sid:2008007; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass ASCII"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005370; classtype:web-application-attack; sid:2005370; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Delf CnC Channel Checkin Replies"; flowbits:isset,ET.unk.2; flow:established,to_server; dsize:<20; content:"|09 00 00 00|"; depth:4; reference:url,doc.emergingthreats.net/2008008; classtype:command-and-control; sid:2008008; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass DELETE"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005369; classtype:web-application-attack; sid:2005369; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Delf CnC Channel Packet 1"; flowbits:isnotset,ET.unk.1; flow:established,to_server; dsize:<200; content:"|8e 00 d0 00|"; depth:4; flowbits:set,ET.unk.1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008006; classtype:command-and-control; sid:2008006; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass INSERT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005368; classtype:web-application-attack; sid:2005368; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED Banker.maf SMTP Checkin (Not in the Control...)"; flow:established,to_server; content:"|0a|X-Mailer|3a| Microsoft CDO for Windows 2000"; content:"|0d 0a|_-=|7c| Not in the Control System 6.0 |7c|=-_|0d 0a|.|0d 0a|"; distance:0; reference:url,doc.emergingthreats.net/2008033; classtype:trojan-activity; sid:2008033; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UNION SELECT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005367; classtype:web-application-attack; sid:2005367; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED System.Poser HTTP Checkin"; flow:established,to_server; content:"/check.php?c="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"User-Agent|3a| Microsoft BITS"; http_header; reference:url,doc.emergingthreats.net/2008035; classtype:trojan-activity; sid:2008035; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass SELECT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005366; classtype:web-application-attack; sid:2005366; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Nginx Server with modified version string - Often Hostile Traffic"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"|0d 0a|Server|3a| nginx/"; nocase; pcre:"/Server\: nginx/[a-zA-Z]/i"; threshold:type limit, seconds 60, count 3, track by_src; reference:url,doc.emergingthreats.net/2008065; classtype:bad-unknown; sid:2008065; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004735; classtype:web-application-attack; sid:2004735; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED General Downloader URL Pattern (/loader/setup.php)"; flow:established,to_server; content:"/loader/setup.php?id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008076; classtype:trojan-activity; sid:2008076; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php ASCII"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004734; classtype:web-application-attack; sid:2004734; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Xorer.ez HTTP Checkin to CnC"; flow:established,to_server; content:"/qq.html?username="; nocase; http_uri; content:"&zhaosp="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008081; classtype:command-and-control; sid:2008081; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php DELETE"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004733; classtype:web-application-attack; sid:2004733; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 81:90 (msg:"ET DELETED Looked.P/Gamania/Delf #108/! Style CnC Checkin"; flow:established,to_server; dsize:6; content:"#1"; depth:2; content:"/!"; distance:2; within:2; pcre:"/^\x23\d\d\d\x2f\x21/"; reference:url,doc.emergingthreats.net/bin/view/Main/Win32Looked; classtype:command-and-control; sid:2008219; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php INSERT"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004732; classtype:web-application-attack; sid:2004732; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Winspywareprotect.com Fake AV/Anti-Spyware Secondary Checkin"; flow:established,to_server; content:"/stat.php?func=scanfinished&id="; http_uri; reference:url,doc.emergingthreats.net/2008251; classtype:trojan-activity; sid:2008251; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php UNION SELECT"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004731; classtype:web-application-attack; sid:2004731; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Emogen Infection Checkin Initial Packet"; flow:established,to_server; dsize:<100; content:"|00 00 00 00 00 00|WindowsXP|00 00 00|"; flowbits:set,ET.emogen1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008269; classtype:trojan-activity; sid:2008269; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php SELECT"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004730; classtype:web-application-attack; sid:2004730; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Emogen Infection Checkin CnC Keepalive"; flow:established,to_server; flowbits:isset,ET.emogen1; dsize:4; content:"test"; reference:url,doc.emergingthreats.net/2008270; classtype:command-and-control; sid:2008270; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004151; classtype:web-application-attack; sid:2004151; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Banker Infostealer/PRG POST on High Port"; flow:to_server,established; content:"POST"; nocase; http_method; content:"|2E|php|3F|2="; nocase; content:"|26|n="; nocase; content:"|26|v="; nocase; content:"|26|i="; nocase; content:"|26|sp="; nocase; content:"|26|lcp="; nocase; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2008326; classtype:trojan-activity; sid:2008326; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php ASCII"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004150; classtype:web-application-attack; sid:2004150; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unnamed - kuaiche.com related"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/config/fgun_install_"; http_uri; content:"User-Agent|3a| NSI SDL/1.2 (Mozilla)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008359; classtype:trojan-activity; sid:2008359; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php DELETE"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004149; classtype:web-application-attack; sid:2004149; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"ET DELETED Win32.Testlink Trojan Speed Test Start port 8888"; flow:established,to_server; dsize:25; content:"GET /test_link HTTP/1.0|0d 0a|"; reference:url,doc.emergingthreats.net/2008435; classtype:trojan-activity; sid:2008435; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php INSERT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004148; classtype:web-application-attack; sid:2004148; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"ET DELETED Win32.Testlink Trojan Checkin port 8888"; flow:established,to_server; content:"/stat?uptime="; content:"&downlink="; distance:0; content:"&uplink="; distance:0; content:"&id="; distance:0; reference:url,doc.emergingthreats.net/2008437; classtype:trojan-activity; sid:2008437; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php SELECT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004146; classtype:web-application-attack; sid:2004146; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"ET DELETED Win32.Testlink Trojan Speed Test port 8888"; flow:established,to_server; dsize:>1000; content:"Data|3a| |00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:35; reference:url,doc.emergingthreats.net/2008436; classtype:trojan-activity; sid:2008436; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Magnitude Landing Nov 11 2013"; flow:established,from_server; file_data; content:".fromCharCode("; nocase; pcre:"/^[^\)]+\][\r\n\s]*?\^[\r\n\s]*?\d+?[\r\n\s]*?\)/R"; content:"eval("; nocase; content:".split("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27](?P<sp>[^\x22\x27]+)[\x22\x27].+?eval\([^\)\(]+?\([\x22\x27]\d{2,3}(?P=sp)\d{2,3}(?P=sp)/Rsi"; classtype:exploit-kit; sid:2017698; rev:2; metadata:created_at 2013_11_09, former_category CURRENT_EVENTS, updated_at 2013_11_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED XPantivirus2008 Download"; flow:to_server,established; content:"GET"; depth:3; http_method; content:"XPantivirus20"; nocase; http_uri; pcre:"/XPantivirus20\d{2}_v\d{6}\.exe/Ui"; reference:url,www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/page4.html; reference:url,seo.mhvt.net/blog/?p=390; reference:url,virscan.org/report/a61cd44fc387188da2ee3fbdeda10782.html; reference:url,doc.emergingthreats.net/2008516; classtype:trojan-activity; sid:2008516; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Websearch.com Cab Download"; flow: to_server,established; content:"/Dnl/T_"; nocase; http_uri; pcre:"/\/\S+\.cab/Ui"; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2003242; classtype:trojan-activity; sid:2003242; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED Possible External Ultrasurf Anonymizer DNS Query"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; threshold:type limit, track by_src,count 1, seconds 60; reference:url,doc.emergingthreats.net/2008533; classtype:policy-violation; sid:2008533; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED AskSearch Toolbar Spyware User-Agent (AskTBar)"; flow:to_server,established; content:"|3b| AskTb"; http_header; pcre:"/User-Agent\x3a[^\n]+AskTB/iH"; reference:url,doc.emergingthreats.net/2003494; classtype:policy-violation; sid:2003494; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1030 (msg:"ET DELETED Ipbill.com Related Dialer Trojan Checkin"; flow:established,to_server; dsize:7; content:"|0a|"; offset:6; pcre:"/\d\d\d\d\d\d\x0a/"; flowbits:set,ET.ipbill1; reference:url,doc.emergingthreats.net/2008730; classtype:trojan-activity; sid:2008730; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Findwhat.com Spyware (sendtracker)"; flow: to_server,established; content:"/bin/findwhat.dll?sendtracker&"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003580; classtype:trojan-activity; sid:2003580; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 1030 -> $HOME_NET any (msg:"ET DELETED Ipbill.com Related Dialer Trojan Server Response"; flow:established,from_server; dsize:<20; content:"|0a 5b 27|"; offset:2; depth:5; content:"|27 5d 0a|"; distance:0; flowbits:isset,ET.ipbill1; reference:url,doc.emergingthreats.net/2008731; classtype:trojan-activity; sid:2008731; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Nulprot Checkin Response"; flow:established,from_server; content:"200"; http_stat_code; content:"Encryption|3a| on|0d 0a|Content-Length|3a| "; http_header; depth:32; reference:url,doc.emergingthreats.net/2007669; classtype:trojan-activity; sid:2007669; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any any -> any 5554 (msg:"ET DELETED Sasser FTP Traffic"; flow: to_server,established; content:"up.exe"; reference:url,vil.mcafeesecurity.com/vil/content/Print125009.htm; reference:url,doc.emergingthreats.net/2000040; classtype:misc-activity; sid:2000040; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Theinstalls.com Trojan Download"; flow:established,to_server; content:"/files/programs/"; http_uri; content:"|0d 0a|Host|3a| "; http_header; content:"theinstalls.com|0d 0a|"; http_header;  reference:url,www.theinstalls.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007798; classtype:trojan-activity; sid:2007798; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert tcp any any -> any 9996 (msg:"ET DELETED Sasser Transfer _up.exe"; flow: established,to_server; content:"|5F75702E657865|"; depth: 250; reference:url,vil.mcafeesecurity.com/vil/content/Print125009.htm; reference:url,doc.emergingthreats.net/2000047; classtype:misc-activity; sid:2000047; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Delf HTTP Post Checkin (1)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"Content-type|3a| image/gif"; http_header; content:"x|da|"; http_client_body; depth:2; content:"|0d 0a|Content-type|3a| image/gif|0d 0a 0d 0a|x|da|"; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007867; classtype:trojan-activity; sid:2007867; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Dyreza RAT Checkin Response"; flow:established,to_client; content:"|a5 46 da 53 0a 00 68 00 65 00 6c 00 6c 00 6f|"; offset:4; depth:15; reference:md5,b61145a54698753cecf8748359c9d81e; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:command-and-control; sid:2018596; rev:3; metadata:created_at 2014_06_12, former_category MALWARE, updated_at 2014_06_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Emo/Downloader.uxk checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; content:"v="; http_uri; content:"&id="; http_uri; content:"&rs="; http_uri; fast_pattern; content:"&cc="; http_uri; reference:url,doc.emergingthreats.net/2008452; classtype:trojan-activity; sid:2008452; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dyreza RAT Checkin Response 2"; flow:established,to_client; dsize:3; content:"/1/"; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:trojan-activity; sid:2018597; rev:4; metadata:created_at 2014_06_24, updated_at 2014_06_24;)
 
-#alert udp $HOME_NET 6345:6349 -> $EXTERNAL_NET 6345:6349 (msg:"ET DELETED UDP traffic - Likely Limewire"; threshold: type threshold,track by_src,count 40, seconds 300; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001841; classtype:policy-violation; sid:2001841; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32/Sasser.worm.b"; flow: established; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; reference:url,doc.emergingthreats.net/2001056; classtype:misc-activity; sid:2001056; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Saturn Proxy Checkin Response"; flow:established,from_server; flowbits:isset,ET.saturn.checkin; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"Encryption|3a| on|0d 0a|"; depth:16; reference:url,doc.emergingthreats.net/2007752; classtype:command-and-control; sid:2007752; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32/Sasser.worm.a"; flow: established; content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09 85 B8 F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; reference:url,doc.emergingthreats.net/2001057; classtype:misc-activity; sid:2001057; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal Jun 26 2013"; flow:established,from_server; file_data; content:"mCharCode"; pcre:"/(?P<p>[0-7]{3})(?P<d>[0-7]{3})(?P=p)(?P=d)([0-7]{3}){10}(?P<q>[0-7]{3})[0-7]{3}(?P<dot>[0-7]{3})[0-7]{3}(?P=dot)[0-7]{3}(?P=q)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017072; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible CIA Trojan download/upload attempt"; content:"|6C 75 66 6A 65 6F 6F|"; reference:url,doc.emergingthreats.net/2001233; classtype:trojan-activity; sid:2001233; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal Apr 18 2013"; flow:established,from_server; file_data; content:"telppa"; pcre:"/(?P<p>[0-7]{2,4})(?P<sep>[^0-7])(?P<d>(?!(?P=p))[0-7]{2,4})(?P=sep)(?P=p)(?P=sep)(?P=d)(?P=sep)([0-7]{2,4}(?P=sep)){10}(?P<q>[0-7]{2,4})(?P=sep)[0-7]{2,4}(?P=sep)(?P<dot>[0-7]{2,4})(?P=sep)[0-7]{2,4}(?P=sep)(?P=dot)(?P=sep)[0-7]{2,4}(?P=sep)(?P=q)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016776; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Beagle User Agent Detected"; flow: to_server,established; dsize:<150; content:"User-Agent|3a| beagle_beagle"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.i@mm.html; reference:url,doc.emergingthreats.net/2001269; classtype:trojan-activity; sid:2001269; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 1"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:".requiredClaims"; nocase; content:".remove("; nocase; content:".add("; nocase; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017704; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED Outbound W32.Novarg.A worm"; flow: established; content:"TVqQAAMAAAAEAAAA"; content:"8AALgAAAAAAAAAQ"; within: 20; distance: 2; content:"UEUA..AEwBAW"; content:"DgAA8BCwEHAABQAAAAE"; within: 40; distance: 16; content:"ABVUFgwAAAAAABgAAAAEAAAAAAAAAAEA"; content:"ACAAADg"; within: 30; distance: 16; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.a@mm.html; reference:url,doc.emergingthreats.net/2001273; classtype:trojan-activity; sid:2001273; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 2"; flow:established,from_server; file_data; content:"InformationCardSigninHelper"; nocase; content:".requiredClaims"; nocase; content:".remove("; nocase; content:".add("; nocase; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017705; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> any 445 (msg:"ET DELETED Korgo.P offering executable"; flow: to_server,established; content:"|FF|SMB"; depth: 10; content:"|58|http"; content:".exe"; nocase; within: 36; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; reference:url,doc.emergingthreats.net/2001337; classtype:trojan-activity; sid:2001337; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 3"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"|5c|u"; content:"|5c|u"; distance:4; within:4; content:"|5c|u"; distance:4; within:4; pcre:"/^\{?[a-fA-F0-9]{4}\}?(\x5cu\{?[a-fA-F0-9]{4}\}?){20}/Rs"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017708; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> any any (msg:"ET DELETED Korgo.P binary upload"; flow: to_server,established; content:"|aa4f7ea86c90457d686868f0de687a68689768686868|"; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; reference:url,doc.emergingthreats.net/2001338; classtype:trojan-activity; sid:2001338; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 4"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"|25|u"; content:"|25|u"; distance:4; within:4; content:"|25|u"; distance:4; within:4; pcre:"/^\{?[a-fA-F0-9]{4}\}?(\x25u\{?[a-fA-F0-9]{4}\}?){20}/Rs"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017709; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Couponage Reporting"; flow: to_server,established; content:"/?keyword="; nocase; content:"couponage.com"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001455; classtype:policy-violation; sid:2001455; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Possible Flash/IE Payload"; flow:established,to_server; urilen:15; content:"/1"; depth:2; http_uri; pcre:"/^\/1[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:exploit-kit; sid:2017703; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 5554 (msg:"ET DELETED Sasser FTP exploit attempt"; flow: to_server,established; dsize: >150; content:"PORT "; depth: 5; reference:url,www.lurhq.com/dabber.html; reference:url,doc.emergingthreats.net/2001548; classtype:attempted-admin; sid:2001548; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Flash Exploit"; flow:established,to_server; urilen:15; content:"/0"; depth:2; http_uri; pcre:"/^GET \/0(?P<baseuri>[a-z0-9]{10})[a-z0-9]{3} HTTP\/1\.[01]\r\n.*?Referer\x3a http\x3a\/\/[^\/]+?\/(?P=baseuri)\r\n/s"; classtype:exploit-kit; sid:2017695; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED F5 BIG-IP 3DNS TCP Probe 1"; id: 1; dsize: 24; flags: S,12; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; window: 2048; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001609; classtype:misc-activity; sid:2001609; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Fake Codec Download"; flow:established,to_server; content:"/Setup.exe?tid="; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017711; rev:2; metadata:created_at 2013_11_14, former_category CURRENT_EVENTS, updated_at 2013_11_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED F5 BIG-IP 3DNS TCP Probe 2"; id: 2; dsize: 24; flags: S,12; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; window: 2048; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001610; classtype:misc-activity; sid:2001610; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Taidoor Checkin"; flow:to_server,established; content:".jsp?"; fast_pattern:only; http_uri; pcre:"/^\/(?:p(?:a(?:rs|g)e|rocess)|(?:securit|quer)y|(?:defaul|abou)t|index|login|user)\.jsp\?[a-z]{2}\x3d[a-z0-9]{9}[A-F0-9]{9}$/Ui"; content:"User-Agent|3a| "; depth:12; http_header; content:!"Referer"; http_header; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017415; rev:4; metadata:created_at 2013_09_04, updated_at 2013_09_04;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED F5 BIG-IP 3DNS TCP Probe 3"; id: 3; dsize: 24; flags: S,12; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; window: 2048; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001611; classtype:misc-activity; sid:2001611; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS  [25,587] (msg:"ET EXPLOIT Microsoft Outlook/Crypto API X.509 oid id-pe-authorityInfoAccessSyntax design bug allow blind HTTP requests attempt"; flow:to_server,established; content:"multipart/signed|3B|"; nocase; content:"application/pkcs7-signature|3B|"; nocase; distance:0; content:"|0A|QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB|0D|"; distance:0; reference:cve,2013-3870; reference:url,www.microsoft.com/technet/security/bulletin/MS13-068.mspx; reference:url,blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex; classtype:attempted-admin; sid:2017712; rev:10; metadata:created_at 2013_11_14, updated_at 2013_11_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED JoltID Agent P2P via Proxy Server"; flow: to_server,established; content:"POST http|3a|//"; nocase; content:"|3a|3531/.pkt"; nocase; within: 20; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001679; classtype:trojan-activity; sid:2001679; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Athena Bot Nick in IRC"; flow:established,to_server; content:"NICK "; content:"|5b|"; distance:1; within:1; pcre:"/^[A-Z]{3}\|[UA]\|[DL]\|W([78]|_XP|VIS)\|x(86|64)\|/R"; reference:url,arbornetworks.com/asert/2013/11/athena-a-ddos-malware-odyssey/; reference:md5,859c2fec50ba1212dca9f00aa4a64ec4; classtype:trojan-activity; sid:2017716; rev:3; metadata:created_at 2013_11_15, updated_at 2013_11_15;)
+#alert tcp $HOME_NET any -> [208.8.81.0/24,64.68.96.0/19] 443 (msg:"ET DELETED MyWebEx Server Traffic"; flow: to_server,established; dsize: <50; content:"|17|"; offset: 0; depth: 1; threshold: type limit,track by_src, count 1, seconds 360; reference:url,www.mywebexpc.com; reference:url,doc.emergingthreats.net/2001712; classtype:policy-violation; sid:2001712; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.BlackRev Polling for DoS targets"; flow:established,to_server; content:"/gate.php?cmd=urls"; http_uri; fast_pattern:only; pcre:"/\/gate\.php\?cmd=urls$/U"; content:!"Referer|3a 20|"; http_header; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016900; rev:5; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
+#alert tcp $HOME_NET any -> [208.8.81.0/24,64.68.96.0/19] $HTTP_PORTS (msg:"ET DELETED MyWebEx Installation"; flow: to_server,established; content:"/pc/r.php?AT=RS"; nocase; threshold: type limit, track by_src, count 1, seconds 30; reference:url,www.mywebexpc.com; reference:url,doc.emergingthreats.net/2001713; classtype:policy-violation; sid:2001713; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.BlackRev Download Executable"; flow:established,to_server; content:"/gate.php?cmd=getexe"; http_uri; fast_pattern:only; pcre:"/\/gate\.php\?cmd=getexe$/U"; content:!"Referer|3a 20|"; http_header; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016901; rev:5; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
+#alert tcp [208.8.81.0/24,64.68.96.0/19] 443 -> $HOME_NET any (msg:"ET DELETED MyWebEx Incoming Connection"; flow: to_client,established; content:"|16 03|"; offset: 0; depth: 2; content:"Comodo"; nocase; depth: 240; content:"accessanywhere.com"; nocase; offset: 592; depth: 48; reference:url,www.mywebexpc.com; reference:url,doc.emergingthreats.net/2001714; classtype:policy-violation; sid:2001714; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert icmp any any -> any any (msg:"ET MALWARE PWS Win32/Lmir.BMQ checkin"; dsize:19; content:"This|27|s|20|Ping|20|Packet|21|"; reference:md5,0fe0cf9a2d8c3ccd1c92acbb81ff6343; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=PWS%3AWin32%2FLmir.BMQ; classtype:command-and-control; sid:2017724; rev:3; metadata:created_at 2013_11_15, former_category MALWARE, updated_at 2013_11_15;)
+#alert tcp $HOME_NET !21:587 -> any any (msg:"ET DELETED Spambot Suspicious 220 Banner on Local Port"; flow: established; content:"220 "; offset: 0; depth: 4; tag: session, 20, packets; reference:url,doc.emergingthreats.net/bin/view/Main/2001815; classtype:non-standard-protocol; sid:2001815; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Trojan.Dropper.Win32.Dapato.braa.AMN CnC traffic"; flow:to_server,established; content:"9002"; depth:4; reference:md5,6ef66c2336b2b5aaa697c2d0ab2b66e2; classtype:command-and-control; sid:2017728; rev:2; metadata:created_at 2013_11_20, former_category MALWARE, updated_at 2013_11_20;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1345 (msg:"ET DELETED AIM Bot Outbound Control Channel Open and Login"; flow: to_server,established; content:"PASS"; nocase; pcre:"/PASS\s.*?\x0d\x0aNICK\s.*?\x0d\x0aUSER\s.*?\s\d\s\d\s\:\S/im"; reference:url,doc.emergingthreats.net/2001910; classtype:trojan-activity; sid:2001910; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Java payload request (2)"; flow:established,to_server; content:"Java/1"; http_header; content:"&partners="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016142; rev:3; metadata:created_at 2013_01_03, former_category CURRENT_EVENTS, updated_at 2013_01_03;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible MSN Worm Exploit exe"; flow: established; content:"X-MMS-IM-"; depth:153; content:"http"; nocase; content:".exe"; nocase; reference:url,doc.emergingthreats.net/2002323; classtype:misc-activity; sid:2002323; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Sweet Orange Landing Page May 16 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"Seven guids Seven g"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016860; rev:18; metadata:created_at 2013_05_17, former_category CURRENT_EVENTS, updated_at 2013_05_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible MSN Worm Exploit php"; flow: established; content:"X-MMS-IM-"; depth:153; content:"http"; nocase; content:".php"; nocase; reference:url,doc.emergingthreats.net/2002322; classtype:misc-activity; sid:2002322; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet structure Jul 05 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; fast_pattern; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017110; rev:7; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2013_07_05;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible MSN Worm Exploit pif"; flow: established; content:"X-MMS-IM-"; depth:153; content:"http"; nocase; content:".pif"; nocase; reference:url,doc.emergingthreats.net/2002324; classtype:misc-activity; sid:2002324; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Sweet Orange Landing with Applet July 08 2013"; flow:established,from_server; file_data; content:" Passage to India "; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017116; rev:5; metadata:created_at 2013_07_09, former_category CURRENT_EVENTS, updated_at 2013_07_09;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32.kelvir.HI"; flow: established; content:"X-MMS-IM-"; depth:153; content:"search.php?data="; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.kelvir.hi.html; reference:url,doc.emergingthreats.net/2002325; classtype:misc-activity; sid:2002325; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> any 22 (msg:"ET MALWARE Possible SSH Linux.Fokirtor backchannel command"; flow:established,to_server; content:"|3a 21 3b 2e|"; pcre:"/^(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4})/R"; reference:url,www.symantec.com/connect/blogs/linux-back-door-uses-covert-communication-protocol; classtype:trojan-activity; sid:2017727; rev:6; metadata:created_at 2013_11_16, updated_at 2013_11_16;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET DELETED Mercury v4.01a IMAP RENAME Buffer Overflow"; flow:established,to_server; flowbits:isset,mercury.imap.401a; content:"a001 RENAME"; pcre:"/[0-9A-Z]{240,}/smi"; reference:url,www.pmail.com/whatsnew/m32401.htm; reference:url,metasploit.com/projects/Framework/exploits.html#mercury_imap; reference:bugtraq,11775; reference:url,doc.emergingthreats.net/bin/view/Main/2002390; classtype:misc-attack; sid:2002390; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT WhiteLotus EK PluginDetect Nov 20 2013"; flow:established,from_server; file_data; content:"makeid"; pcre:"/^[\r\n\s]*?\(/R"; content:"replaceIt"; pcre:"/^[\r\n\s]*?\(/R"; content:".getVersion"; nocase; content:"Silverlight"; nocase; content:"Java"; nocase; content:"Reader"; nocase; content:"Flash"; nocase; classtype:exploit-kit; sid:2017735; rev:4; metadata:created_at 2013_11_21, former_category CURRENT_EVENTS, updated_at 2013_11_21;)
+#alert tcp $HOME_NET 143 -> $EXTERNAL_NET any (msg:"ET DELETED Vulnerable Mercury 4.01a IMAP Banner"; flow: from_server,established; content:"IMAP4rev1 Mercury/32 v4.01a server ready"; flowbits:set,mercury.imap.401a; reference:url,www.pmail.com/whatsnew/m32401.htm; reference:bugtraq,11775; reference:url,doc.emergingthreats.net/bin/view/Main/2002389; classtype:successful-recon-limited; sid:2002389; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible WhiteLotus EK 2013-2551 Exploit 1"; flow:established,from_server; file_data; content:"a0dmblxmL5FmcyFmLlxWe0NHazFGZ"; classtype:exploit-kit; sid:2017736; rev:4; metadata:created_at 2013_11_21, updated_at 2013_11_21;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Web Only - all versions"; flow:established,from_server; flowbits:isnotset,emerging_wmf_http; content:"HTTP"; depth:4; nocase; flowbits:set,emerging_wmf_http; flowbits:noalert; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002743; classtype:unknown; sid:2002743; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible WhiteLotus EK 2013-2551 Exploit 2"; flow:established,from_server; file_data; content:"gGdn5WZs5SehJnch5SZslHdzh2chR"; classtype:exploit-kit; sid:2017737; rev:4; metadata:created_at 2013_11_21, updated_at 2013_11_21;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Web Only - version 3"; flow:established; flowbits:isset,emerging_wmf_http; flowbits:isnotset,emerging_wmf_expl; flowbits:isnotset,emerging_wmf_expl_v1; content:"|00 09 00 00 03|"; content:"|00 00|"; distance:10; within:12; flowbits:set,emerging_wmf_expl; flowbits:noalert; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002741; classtype:unknown; sid:2002741; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible WhiteLotus EK 2013-2551 Exploit 3"; flow:established,from_server; file_data; content:"oR3ZuVGbukXYyJXYuUGb5R3coNXYk"; classtype:exploit-kit; sid:2017738; rev:4; metadata:created_at 2013_11_21, updated_at 2013_11_21;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Web Only - version 1"; flow:established; flowbits:isset,emerging_wmf_http; flowbits:isnotset,emerging_wmf_expl; flowbits:isnotset,emerging_wmf_expl_v1; content:"|00 09 00 00 01|"; content:"|00 00|"; distance:10; within:12; flowbits:set,emerging_wmf_expl_v1; flowbits:noalert; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002757; classtype:unknown; sid:2002757; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible WhiteLotus Java Payload"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/?"; depth:2; http_uri; pcre:"/^\/\?[A-Za-z0-9]+=(?P<v1>[^&]+)&(?P=v1)=[^\/\.]+$/U"; classtype:trojan-activity; sid:2017739; rev:4; metadata:created_at 2013_11_21, updated_at 2013_11_21;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Version 1"; flow:established; flowbits:isset,emerging_wmf_expl_v1; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,emerging_wmf_http; flowbits:unset,emerging_wmf_expl; flowbits:unset,emerging_wmf_expl_v1; threshold:type limit, track by_src, count 1,seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002758; classtype:attempted-user; sid:2002758; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT StyX EK Payload Cookie"; flow:established,to_server; content:"Cookie|3a 20|fGGhTasdas=http"; classtype:exploit-kit; sid:2017744; rev:2; metadata:created_at 2013_11_22, former_category CURRENT_EVENTS, updated_at 2013_11_22;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Version 3"; flow:established; flowbits:isset,emerging_wmf_expl; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,emerging_wmf_http; flowbits:unset,emerging_wmf_expl; flowbits:unset,emerging_wmf_expl_v1; threshold:type limit, track by_src, count 1,seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002742; classtype:attempted-user; sid:2002742; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Media Player malware binary requested"; flow:established,to_server; content:"&filename=Media Player "; http_uri; content:".exe"; http_uri; classtype:trojan-activity; sid:2017745; rev:2; metadata:created_at 2013_11_22, updated_at 2013_11_22;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED VMM Detecting Torpig/Anserin/Sinowal Trojan"; flow:to_client,established; content:"|51 51 0F 01 4C 24 00 8B 44 24 02 59 59 C3 E8 ED FF FF FF 25 00 00 00 FF 33 C9 3D 00 00 00 80 0F 95 C1 8B C1 C3|"; reference:url,doc.emergingthreats.net/2003094; classtype:trojan-activity; sid:2003094; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Font File Download Dec 18 2012"; flow:to_server,established; content:".eot"; http_uri; nocase; fast_pattern:only; pcre:"/\/(?:(?:article|contact|new)s|read|(?:fo|tu)r)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.eot|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.EOT)$/U"; classtype:exploit-kit; sid:2016057; rev:8; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED (UPX) VMM Detecting Torpig/Anserin/Sinowal Trojan"; flow:to_client,established; content:"|51 51 0F 01 27 00 C1 FB B5 D5 35 02 E2 C3 D1 66 25 32 BD 83 7F B7 4E 3D 06 80 0F 95 C1 8B C1 C3|"; reference:url,doc.emergingthreats.net/2003095; classtype:trojan-activity; sid:2003095; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java Downloading Archive flowbit no alert"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; flowbits:set,et.JavaArchiveOrClass; flowbits:noalert; classtype:misc-activity; sid:2017748; rev:6; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Warezov/Stration Challenge Response"; flowbits:isset,BEposs.warezov.challenge; flow:established,from_server; dsize:4; content:"|00 00 00 00|"; reference:url,www.sophos.com/security/analyses/w32strationbo.html; reference:url,doc.emergingthreats.net/2003176; classtype:trojan-activity; sid:2003176; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java Downloading Class flowbit no alert"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|CA FE BA BE|"; within:4; flowbits:set,et.JavaArchiveOrClass; flowbits:noalert; classtype:misc-activity; sid:2017749; rev:6; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Warezov/Stration Challenge"; flow:established,to_server; dsize:1; content:"|38|"; flowbits:noalert; flowbits:set,BEposs.warezov.challenge; reference:url,www.sophos.com/security/analyses/w32strationbo.html; reference:url,doc.emergingthreats.net/2003175; classtype:not-suspicious; sid:2003175; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Goon EK Jar Download"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"Goon.class"; classtype:exploit-kit; sid:2017756; rev:2; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
+#alert http any any -> any $HTTP_PORTS (msg:"ET DELETED Allaple Unique HTTP Request - Possibly part of DDOS"; flow:established,to_server; content:"GET /  HTTP/1.1|0d 0a|"; rawbytes; depth:20; threshold:type both, count 1, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2003484; reference:url,isc.sans.org/diary.html?storyid=2451; classtype:trojan-activity; sid:2003484; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Lang Runtime in B64 Observed in Goon EK 1"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"amF2YS9sYW5nL1J1bnRpbW"; classtype:exploit-kit; sid:2017757; rev:2; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1800 (msg:"ET DELETED TroDjan 2.0 Infection Report"; flow:established,to_server; dsize:<60; content:"Windows NT "; depth:11; reference:url,doc.emergingthreats.net/2008587; classtype:trojan-activity; sid:2008587; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Lang Runtime in B64 Observed in Goon EK 2"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"phdmEvbGFuZy9SdW50aW1l"; classtype:exploit-kit; sid:2017758; rev:3; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
+#alert tcp $EXTERNAL_NET 1802 -> $HOME_NET any (msg:"ET DELETED TroDjan 2.0 FTP Channel Open Command"; flow:established,to_server; dsize:7; content:"ftpopen"; reference:url,doc.emergingthreats.net/2008588; classtype:trojan-activity; sid:2008588; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class file Accessing Security Manager"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"etSecurityManager"; classtype:bad-unknown; sid:2017760; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8392 (msg:"ET DELETED Torpig Initial CnC Connect on port 8392"; flow:established,to_server; dsize:4; content:"|00 00 78 e3|"; flowbits:set,ET.torpig.init; reference:url,doc.emergingthreats.net/2010826; classtype:command-and-control; sid:2010826; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class file Importing Protection Domain"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/security/ProtectionDomain"; classtype:bad-unknown; sid:2017761; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8392 (msg:"ET DELETED Torpig CnC Connect on port 8392"; flowbits:isset,ET.torpig.init; flow:established,to_server; content:"|00 00|"; depth:2; content:"|00 00 00|"; distance:2; within:5; flowbits:set,ET.torpig.fosure; reference:url,doc.emergingthreats.net/2010827; classtype:command-and-control; sid:2010827; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Accessing Importing glassfish"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"glassfish/gmbal"; classtype:bad-unknown; sid:2017762; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
+#alert tcp $EXTERNAL_NET 8392 -> $HOME_NET any (msg:"ET DELETED Torpig CnC IP Report Command on port 8392"; flowbits:isset,ET.torpig.fosure; flow:established,from_server; dsize:4; content:"|00 00 00 0d|"; reference:url,doc.emergingthreats.net/2010828; classtype:command-and-control; sid:2010828; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class B64 encoded class"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"yv66v"; classtype:bad-unknown; sid:2017763; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
+#alert tcp $EXTERNAL_NET 8392 -> $HOME_NET any (msg:"ET DELETED Torpig CnC Report Command on port 8392"; flowbits:isset,ET.torpig.fosure; flow:established,from_server; dsize:4; content:"|00 00 01 6f|"; reference:url,doc.emergingthreats.net/2010829; classtype:command-and-control; sid:2010829; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing jmx mbeanserver"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"jmx/mbeanserver"; classtype:bad-unknown; sid:2017764; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BleedingLife EK Variant Aug 26 2014"; flow:established,to_server; content:".php?spl="; http_uri; fast_pattern:only; pcre:"/\.php\?spl=[\w_]+$/Ui"; classtype:exploit-kit; sid:2019023; rev:2; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing mbeanserver Introspector"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"mbeanserver/Introspector"; classtype:bad-unknown; sid:2017765; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Offensive Security EMET Bypass Observed in BleedingLife Variant Aug 26 2014"; flow:established,to_client; file_data; content:"|22 25 75 22 2b 67 65 74 6d 6f 64 75 6c 65 77 31 2b 22 25 75 22 2b 67 65 74 6d 6f 64 75 6c 65 77 32 29|"; classtype:trojan-activity; sid:2019024; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing glassfish external statistics impl"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"glassfish/external/statistics/impl"; classtype:bad-unknown; sid:2017766; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; content:"/?bot_id=0&mode=1"; http_uri; fast_pattern:only; reference:url,doc.emergingthreats.net/2008358; classtype:command-and-control; sid:2008358; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing management MBeanServer"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"management/MBeanServer"; classtype:bad-unknown; sid:2017767; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Srizbi requesting template"; flow:established,to_server; content:"GET|20|/"; depth:5; content:"|0d0a|X-Flags|3a20|"; within:200; content:"|0d0a|X-TM|3a20|"; within:20; content:"|0d0a|X-BI|3a20|"; within:20; reference:url,www.secureworks.com/research/threats/ronpaul/; reference:url,doc.emergingthreats.net/2007712; classtype:trojan-activity; sid:2007712; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Mozilla JS Class Creation"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"sun.org.mozilla.javascript.internal.Context"; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; classtype:trojan-activity; sid:2017768; rev:3; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Universal1337 FTP Upload of Compromised Data"; flow:established,to_server; content:"#############|0d 0a|"; content:"###########"; distance:0; content:" Universal1337 "; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanUniversal1337; reference:url,www.megasecurity.org/trojans/u/universal1337/Universal1337v2.html; classtype:trojan-activity; sid:2007967; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Hex Encoded Class file"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"CAFEBABE"; classtype:bad-unknown; sid:2017769; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Universal1337 Email Upload of Compromised Data"; flow:established,to_server; content:"#############|0d 0a|"; content:"###########"; distance:0; content:" Universal1337 "; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanUniversal1337; reference:url,www.megasecurity.org/trojans/u/universal1337/Universal1337v2.html; classtype:trojan-activity; sid:2007968; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing tracing Provider Factory"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"tracing/ProviderFactory"; classtype:bad-unknown; sid:2017770; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java Downloader likely malicious payload download src=xrun"; flow:established,to_server; content:"/get?src=xrun"; nocase; content:"Request|3a| "; nocase; http_header; reference:url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html; reference:url,doc.emergingthreats.net/2010821; classtype:trojan-activity; sid:2010821; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classes used in awt exploits"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image"; content:"Raster"; content:"SampleModel"; classtype:bad-unknown; sid:2017771; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Steam Pass Stealer FTP Upload"; flow:established,to_server; dsize:33; content:"STEAM nicht eingespeichert!!!"; reference:url,doc.emergingthreats.net/2008332; classtype:trojan-activity; sid:2008332; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear/Safe/CritX/FlashPack - Java Request - 32char hex-ascii"; flow:to_server,established; content:".jar"; offset:32; http_uri; fast_pattern; content:"Java/1"; http_user_agent; pcre:"/\/[a-z0-9]{32}\.jar$/U"; classtype:exploit-kit; sid:2014751; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_17, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE VirtualProtect Packed Binary - Likely Hostile"; flow:established,from_server; content:"|2E 72 73 72 63|"; content:"|2E 70 61 63 6B 33 32 00|"; within:49; reference:url,bits.packetninjas.org/eblog/?p=3; reference:url,doc.emergingthreats.net/2008509; classtype:trojan-activity; sid:2008509; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Darkness DDoS HTTP Target/EXE"; flow:from_server,established; file_data; content:"Z"; within:1; content:"PWh0dHA"; distance:2; within:9; pcre:"/^[a-z0-9\+\/]+={0,2}$/Rsi"; classtype:trojan-activity; sid:2017775; rev:7; metadata:created_at 2013_11_27, updated_at 2013_11_27;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Visual Shock Keylogger Reporting to Controller"; flow:established,to_server; dsize:<150; content:"|00 00|Visual Shock Keylogger "; offset:10; depth:34; flowbits:set,ET.vskeylogger; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=42573; reference:url,doc.emergingthreats.net/2008601; classtype:trojan-activity; sid:2008601; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Darkness DDoS Common Intial Check-in Response wtf"; flow:from_server,established; file_data; content:"d3Rm"; within:4; pcre:"/^(?:\r\n|$)/R"; reference:md5,a9af388f5a627aa66c34074ef45db1b7; classtype:trojan-activity; sid:2017776; rev:7; metadata:created_at 2013_11_27, updated_at 2013_11_27;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Visual Shock Keylogger Reporting Idle to Controller"; flowbits:isset,ET.vskeylogger; flow:established,to_server; dsize:8; content:"|08 00 00 00 00 00 00 00|"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=42573; reference:url,doc.emergingthreats.net/2008602; classtype:trojan-activity; sid:2008602; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Badur.Spy User Agent HWMPro"; flow:established,to_server; content:"HWMPro"; depth:6; http_user_agent; reference:md5,234c47b5b29a2cfcc00900bbc13ea181; classtype:trojan-activity; sid:2017654; rev:4; metadata:created_at 2013_11_01, updated_at 2013_11_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy-Net Trojan Connection (2)"; flow:established; content:"conectado|7c 0a|"; depth:11; reference:url,doc.emergingthreats.net/2008645; classtype:trojan-activity; sid:2008645; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Landing Page Recieved - applet and flowbit"; flow:from_server,established; flowbits:isset,et.exploitkitlanding; content:"<applet"; classtype:bad-unknown; sid:2014443; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_29, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Torpig Infection Reporting"; flow:established,to_server; content:"POST"; depth:4; http_method; content:!"User-Agent|3a| "; http_header; content:"Content-Length|3a| 0|0d 0a|"; http_header; content:"Connection|3a| close|0d 0a|"; http_header; pcre:"/^\/[0-9A-F]{16}\/[0-9A-Za-z\+\/]{100,}$/U"; reference:url,www2.gmer.net/mbr/; reference:url,www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf; reference:url,doc.emergingthreats.net/2008660; reference:url,offensivecomputing.net/?q=node/909; classtype:trojan-activity; sid:2008660; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET 1023: -> $EXTERNAL_NET 53 (msg:"ET MALWARE Potential DNS Command and Control via TXT queries"; flow:established,to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:4; content:"|00 00 10 00 01|"; threshold:type both, track by_src,count 10, seconds 300; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-September/015625.html; classtype:trojan-activity; sid:2013515; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 31 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008744; classtype:policy-violation; sid:2008744; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SNET EK Activity Nov 27 2013"; flow:established,to_server; content:"?src="; content:"request|3a 20|microsoft_update|0d 0a|"; pcre:"/^[^\s]*?\s*?\/[^\r\n\s]*?\?src=/i"; classtype:exploit-kit; sid:2017786; rev:2; metadata:created_at 2013_11_28, former_category CURRENT_EVENTS, updated_at 2013_11_28;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 32 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008745; classtype:policy-violation; sid:2008745; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JJEncode Encoded Script Inside of PDF Likely Evil"; flow:established,from_server; flowbits:isset,ET.pdf.in.http; file_data; content:"|2c 24 24 24 24 3a 28 21 5b 5d 2b 22 22 29 5b|"; reference:md5,6776bda19a3a8ed4c2870c34279dbaa9; classtype:trojan-activity; sid:2017789; rev:4; metadata:created_at 2013_11_30, updated_at 2013_11_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 33 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008746; classtype:policy-violation; sid:2008746; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Polling/Check-in/Compromise from fake DHL mailing campaign"; flow:established,to_server; content:"/golden/index.php"; http_uri; content:" MSIE 7.0"; http_header; content:"q=0.1|0d 0a|"; http_header; classtype:trojan-activity; sid:2017791; rev:2; metadata:created_at 2013_12_02, updated_at 2013_12_02;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 34 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008747; classtype:policy-violation; sid:2008747; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET CURRENT_EVENTS Hostile fake DHL mailing campaign"; flow:established,to_server; content:"but no one bell unresponsive"; content:"The best regard DHL.com."; content:"filename=Notice"; classtype:trojan-activity; sid:2017792; rev:2; metadata:created_at 2013_12_02, updated_at 2013_12_02;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 35 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 3, seconds 30; reference:url,doc.emergingthreats.net/2008748; classtype:policy-violation; sid:2008748; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HiMan EK - Flash Exploit"; flow:established,to_client; file_data; content:"function Flash_Exploit() {"; classtype:exploit-kit; sid:2017794; rev:2; metadata:created_at 2013_12_05, former_category CURRENT_EVENTS, updated_at 2013_12_05;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trash Family - HTTP POST"; flow:established,to_server; content:"POST"; depth:4; http_method; content:!"User-Agent|3a|"; http_header; nocase; content:"Type="; http_client_body; nocase; content:"&Dvip="; http_client_body; nocase; content:"&Mask="; http_client_body; nocase; content:"&Guid="; http_client_body; nocase; content:"&Addr="; http_client_body; nocase; content:"&Protect="; http_client_body; nocase; content:"Url"; http_client_body; nocase; content:"&OSVer="; http_client_body; nocase; reference:url,www.spywareguide.com/product_show.php?id=1935; reference:url,www.sunbeltsecurity.com/threatdisplay.aspx?name=Trojan.Trash.Gen&tid=178782&cs=03253E96A71C3EE824071E5BE3A32CCD; reference:url,doc.emergingthreats.net/2009449; classtype:trojan-activity; sid:2009449; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED HiMan EK - Payload Downloaded - EXE in ZIP Downloaded by Java"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".exe"; fast_pattern; nocase; classtype:exploit-kit; sid:2017795; rev:2; metadata:created_at 2013_12_05, updated_at 2013_12_05;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE VMProtect Demo version Packed Binary - Likely Hostile"; flow:from_server,established; content:"|2E|rsrc|00|"; content:"vmp0|00|"; within: 50; content:"vmp1|00|"; within:50; reference:url,www.vmprotect.ru; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2009019; classtype:trojan-activity; sid:2009019; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT HiMan EK - TDS - POST hyt="; flow:established,to_server; content:"POST"; http_method; content:"hyt="; http_client_body; depth:4; content:"&vre="; http_client_body; classtype:exploit-kit; sid:2017797; rev:2; metadata:created_at 2013_12_05, former_category CURRENT_EVENTS, updated_at 2013_12_05;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE Asprox-style Message ID"; flow:established,to_server; dsize:<80; content:"Message-ID|3a20|"; depth:12; content:"|0d0a|"; within: 68; flowbits:set,ET.asproxmessageid; flowbits:noalert; reference:url,www.secureworks.com/research/threats/danmecasprox; reference:url,doc.emergingthreats.net/2008221; classtype:trojan-activity; sid:2008221; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Java Exploit Kit 32 byte hex with trailing digit java payload request"; flow:established,to_server; urilen:>32; content:"Java/1."; http_user_agent; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){32}\/\d+?$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015888; rev:8; metadata:created_at 2012_11_15, former_category EXPLOIT_KIT, updated_at 2012_11_15;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE Asprox phishing email detected"; flow:established,to_server; content:"From|3a20|"; depth:6; content:"|0d0a|Bcc|3a20|"; within:150; flowbits:isset,ET.asproxmessageid; reference:url,www.secureworks.com/research/threats/danmecasprox; reference:url,doc.emergingthreats.net/2008222; classtype:trojan-activity; sid:2008222; rev:5; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK - Landing Page - Java ClassID and 32/32 archive Oct 16 2013"; flow:established,to_client; file_data; content:"applet"; nocase; fast_pattern; content:"archive"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?\/(?:[\/_]*?[a-f0-9][\/_]*?){64}[\x22\x27]/R"; classtype:exploit-kit; sid:2017602; rev:5; metadata:created_at 2013_10_17, former_category CURRENT_EVENTS, updated_at 2013_10_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Key Checkin (Clicker.Win32.Delf.afl)"; flow:established,to_server; content:".php?key=???????+????????????"; content:"+Dial-up+??????+?+??????????????"; reference:url,doc.emergingthreats.net/2008666; classtype:command-and-control; sid:2008666; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XOR'd Payload"; flow:from_server,established; file_data; content:"|7c 68 a3 34 36 36 37 38|"; within:8; classtype:exploit-kit; sid:2017809; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Agent.fvt Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?"; nocase; http_uri; content:"lversion="; nocase; http_uri; content:"wversion=&eversion=&fid="; nocase; http_uri; content:"&mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008667; classtype:command-and-control; sid:2008667; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Java Jar Download"; flow:established,to_server; urilen:>32; content:"Java/1."; http_header; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){32}$/U"; content:"_"; http_uri; content:"/"; http_uri; offset:1; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017811; rev:2; metadata:created_at 2013_12_06, former_category EXPLOIT_KIT, updated_at 2013_12_06;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 91 (msg:"ET MALWARE Backdoor.Win32.Assasin.20.C Control Session Start"; flow:established,to_server; content:"11000"; depth:5; content:"^"; distance:4; within:5; flowbits:isnotset,ET.assassin.start; flowbits:set,ET.assassin.start; reference:url,doc.emergingthreats.net/2008675; classtype:trojan-activity; sid:2008675; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Edwards Packed PluginDetect"; flow:established,to_client; file_data; content:"|7C|PluginDetect|7C|"; classtype:exploit-kit; sid:2017815; rev:2; metadata:created_at 2013_12_06, former_category CURRENT_EVENTS, updated_at 2013_12_06;)
+#alert tcp $EXTERNAL_NET 91 -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.Assasin.20.C Control Session Server Reply"; flowbits:isset,ET.assassin.start; flow:established,from_server; dsize:12; content:"10000002|5e 2a|"; depth:10; flowbits:set,ET.assassin.reply; reference:url,doc.emergingthreats.net/2008676; classtype:trojan-activity; sid:2008676; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Trojan-Downloader Win32.Genome.AV server response"; flow:to_client,established; file_data; content:"|5b|Soft"; pcre:"/^\d+?\x5d/R"; content:"SoftTitle="; distance:0; flowbits:isset,et.GENOME.AV; reference:md5,d14314ceb74c8c1a8e1e8ca368d75501; classtype:trojan-activity; sid:2017747; rev:3; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 91 (msg:"ET MALWARE Backdoor.Win32.Assasin.20.C Control Channel Client Reply"; flow:established,to_server; dsize:10; content:"10000000|5e 2a|"; flowbits:isset,ET.assassin.reply; reference:url,doc.emergingthreats.net/2008677; classtype:trojan-activity; sid:2008677; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Lang Runtime in B64 Observed in Goon EK 3"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"qYXZhL2xhbmcvUnVudGltZ"; classtype:exploit-kit; sid:2017759; rev:3; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER SQL Injection Attempt (Agent NV32ts)"; flow:to_server,established; content:"User-Agent|3a| NV32ts"; reference:url,doc.emergingthreats.net/2009029; classtype:web-application-attack; sid:2009029; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_10_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Sakura exploit kit landing page obfuscated applet tag Mar 1 2013"; flow:established,from_server; file_data; content:"<#a#p#p#l#e#t#"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016520; rev:3; metadata:created_at 2013_03_05, former_category EXPLOIT_KIT, updated_at 2013_03_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Armitage Loader Check-in"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/lds.php"; http_uri; reference:url,doc.emergingthreats.net/2009036; classtype:trojan-activity; sid:2009036; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing Page Nov 21 2013"; flow:established,from_server; file_data; content:"object|22|.substring(15)"; content:"|22|"; distance:-37; within:1; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017740; rev:3; metadata:created_at 2013_11_22, former_category EXPLOIT_KIT, updated_at 2013_11_22;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SQLNinja MSSQL Version Scan"; flow:to_server,established; content:"?param=a"; content:"if%20not%28substring%28%28select%20%40%40version"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009038; classtype:attempted-recon; sid:2009038; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx EK iexp.html"; flow:established,to_server; content:"/iexp.html"; http_uri; content:!"&"; http_uri; classtype:exploit-kit; sid:2017819; rev:5; metadata:created_at 2013_12_10, former_category CURRENT_EVENTS, updated_at 2013_12_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert freeb4u.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|freeb4u.com"; distance:1; within:12; reference:md5,3c140d775b33a5201089e8f8118b7fb5; classtype:trojan-activity; sid:2019025; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT heapSpray in jjencode"; flow:from_server,established; file_data; content:".__$+"; pcre:"/^(?P<sep>((?!\.\$\_\$\+).){1,10})\.\$\_\$\+(?P=sep)\.___\+(?P=sep)\.\$\$\$\_\+(?P=sep)\.\$\_\$\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\_\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\_\$\_\+(?P=sep)\.\_\$\$\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\_\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\$\_\+(?P=sep)\.\$\_\$\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\$\+(?P=sep)\.\_\_\$/R"; reference:url,www.invincea.com/2013/12/e-k-i-a-adobe-reader-exploit-cve-2013-3346-kernel-ndproxy-sys-zero-day-eop/; classtype:exploit-kit; sid:2017823; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert developmentinn.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|www.developmentinn.com"; distance:1; within:23; reference:md5,2f17d82e939efe315a89f1aa42e93cf1; classtype:trojan-activity; sid:2019026; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC Scanning Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Scanning"; fast_pattern; within:50; content:"for open ports."; within:40; classtype:trojan-activity; sid:2017828; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert directory92.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|directory92.com"; distance:1; within:16; reference:md5,dc7939920cb93e58c990a8e0a0295bb7; classtype:trojan-activity; sid:2019027; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC Open Ports Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Open port(s)|3A| "; fast_pattern; within:50; classtype:trojan-activity; sid:2017829; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert epr-co.ch"; flow:established,from_server; content:"|55 04 03|"; content:"|09|epr-co.ch"; distance:1; within:10; reference:md5,dc7939920cb93e58c990a8e0a0295bb7; classtype:trojan-activity; sid:2019028; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC No Open Ports Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"No open ports found"; fast_pattern; within:50; classtype:trojan-activity; sid:2017830; rev:1; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert pouyasazan.org"; flow:established,from_server; content:"|55 04 03|"; content:"|15|linux4.pouyasazan.org"; distance:1; within:22; reference:md5,b978929f93fe8e10d8f7f6f52953cbba; classtype:trojan-activity; sid:2019029; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Attacking Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Attacking"; within:50; fast_pattern; classtype:trojan-activity; sid:2017831; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert ara-photos.net"; flow:established,from_server; content:"|55 04 03|"; content:"|12|www.ara-photos.net"; distance:1; within:19; reference:md5,b978929f93fe8e10d8f7f6f52953cbba; classtype:trojan-activity; sid:2019030; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Attack Done Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Attack"; fast_pattern; within:50; content:"done"; within:8; classtype:trojan-activity; sid:2017832; rev:1; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert tecktalk.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.tecktalk.com"; distance:1; within:17; reference:md5,0181d134ff73743e8dd5e23b9cf7ff51; classtype:trojan-activity; sid:2019031; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS PerlBot Version Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"perlb0t ver"; within:50; classtype:trojan-activity; sid:2017833; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert cyclivate.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|www.cyclivate.com"; distance:1; within:18; reference:md5,b911327d0ba6ce016e8e33ba97e87e83; classtype:trojan-activity; sid:2019032; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Mambo Scanning Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Scanning for unpatched mambo for"; within:80; classtype:trojan-activity; sid:2017834; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert mentoringgroup.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|www.mentoringgroup.com"; distance:1; within:23; reference:md5,444dd80b551ac28e43380c2ef0bc4df0; classtype:trojan-activity; sid:2019033; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Exploited Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Exploited"; within:50; content:"boxes in"; within:30; classtype:trojan-activity; sid:2017835; rev:3; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert ssshosting.net"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|ssshosting.net"; distance:1; within:15; reference:md5,8f13400f01f5ad3404bc6700279ac7aa; classtype:trojan-activity; sid:2019035; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Hostile Gate landing seen with pamdql/Sweet Orange /in.php?q="; flow:established,to_server; content:"/in.php?q="; http_uri; classtype:exploit-kit; sid:2016090; rev:3; metadata:created_at 2012_12_28, former_category CURRENT_EVENTS, updated_at 2012_12_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert erotikturk.com"; flow:established,from_server; content:"|55 04 03|"; content:"|15|server.erotikturk.com"; distance:1; within:22; reference:md5,8f13400f01f5ad3404bc6700279ac7aa; classtype:trojan-activity; sid:2019036; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing try catch try catch math eval Aug 27 2012"; flow:established,from_server; file_data; content:"try{"; content:"|3b|}catch("; within:25; content:"){try{"; fast_pattern; within:15; content:"}catch("; within:35; content:"eval("; distance:0; classtype:bad-unknown; sid:2015654; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert mtnoutfitters.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|mtnoutfitters.com"; distance:1; within:18; reference:md5,ebca10e0a4eb99758f0fb3612fa970ba; classtype:trojan-activity; sid:2019037; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Zbot Activity Common Download Struct"; flow:to_server,established; content:".bin"; fast_pattern; http_uri; pcre:"/\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"User-Agent|3a 20|"; http_header; depth:12; content:" MSIE "; http_header; pcre:"/^User-Agent\x3a[^\r\n]*?\sMSIE\s/H"; classtype:trojan-activity; sid:2017837; rev:3; metadata:created_at 2013_12_12, updated_at 2013_12_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert jojik-international.com"; flow:established,from_server; content:"|55 04 03|"; content:"|17|jojik-international.com"; distance:1; within:24; reference:md5,ffa19cd3be6a89da96bcfb5a1a52b6ae; classtype:trojan-activity; sid:2019038; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit - JAR Exploit"; flow:to_server,established; urilen:>300; content:"Java/1."; http_user_agent; content:".jar"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.jar$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:exploit-kit; sid:2017840; rev:3; metadata:created_at 2013_12_12, former_category EXPLOIT_KIT, updated_at 2013_12_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert abarsolutions.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|abarsolutions.com"; distance:1; within:18; reference:md5,029e3713002bd3514b1f2493caea8294; classtype:trojan-activity; sid:2019039; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit - EOT Exploit"; flow:to_server,established; urilen:>300; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.eot$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:exploit-kit; sid:2017844; rev:3; metadata:created_at 2013_12_12, former_category EXPLOIT_KIT, updated_at 2013_12_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert eastwoodvalley.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|www.eastwoodvalley.com"; distance:1; within:23; reference:md5,450b394d88a69f6cb9722a5b56168ce6; classtype:trojan-activity; sid:2019040; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HiMan EK - Landing Page"; flow:established,to_client; file_data; content:"687474703a2f2f"; fast_pattern:only; content:"<applet"; nocase; pcre:"/^((?!<\/applet>).)+?[\x22\x27]687474703a2f2f/Rsi"; classtype:exploit-kit; sid:2017796; rev:3; metadata:created_at 2013_12_05, former_category CURRENT_EVENTS, updated_at 2013_12_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert pejlain.se"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|pejlain.se"; distance:1; within:11; reference:md5,1658e12bb1fe8a25127e8bd09b923acd; classtype:trojan-activity; sid:2019042; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Browlock Landing Page URI Struct"; flow:to_server,established; content:"/?flow_id"; http_uri; content:"/case_id="; http_uri; fast_pattern:only; pcre:"/\/\?flow_id=\d+?&\d+?=\d+?\/case_id=\d+$/U"; classtype:trojan-activity; sid:2017847; rev:2; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2013_12_13;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert dominionthe.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|dominionthe.com"; distance:1; within:16; reference:md5,911bc6e1c581e9295d193bcdbcce1ddd; classtype:trojan-activity; sid:2019043; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK SilverLight"; flow:to_server,established; content:".html?sv="; http_uri; fast_pattern:only; pcre:"/\.html\?sv=[1-5](\,\d+?){1,3}$/U"; classtype:exploit-kit; sid:2017848; rev:2; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2013_12_13;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert delanecanada.ca"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|delanecanada.ca"; distance:1; within:16; reference:md5,911bc6e1c581e9295d193bcdbcce1ddd; classtype:trojan-activity; sid:2019044; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible CVE-2013-2551 As seen in SPL2 EK"; flow:from_server,established; file_data; content:".dashstyle.array.length"; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(?:-[\r\n\s]*?\d|0[\r\n\s]*?-)/Ri"; classtype:exploit-kit; sid:2017849; rev:2; metadata:created_at 2013_12_13, updated_at 2013_12_13;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert hebergement-solutions.com"; flow:established,from_server; content:"|55 04 03|"; content:"|19|hebergement-solutions.com"; distance:1; within:26; reference:md5,e5f8caba2b2832de5c13a16d5b4f6d6f; classtype:trojan-activity; sid:2019045; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SPL2 PluginDetect Data Hash"; flow:to_server,established; content:".html?id"; http_uri; fast_pattern:only; pcre:"/\.html\?id\d*?=[a-f0-9]{32}$/U"; pcre:"/GET\s[^\r\n]*?(?P<name>\/[^\.\/]+\.html)\?id\d*?=[a-f0-9]{32}\sHTTP\/1\..+?\r\nReferer\x3a\x20[^\r\n]*?(?P=name)(:?\d{1,5})?\r\n/s"; classtype:trojan-activity; sid:2017850; rev:2; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2017_09_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert sportofteniq.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|sportofteniq.com"; distance:1; within:17; reference:md5,d06ec89944b566df8dcd959a2196b37c; classtype:trojan-activity; sid:2019046; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT HiMan EK Exploit URI Struct"; flow:to_server,established; content:"=687474703a2f2f"; http_uri; content:".php?"; http_uri; pcre:"/\/(?:d|xie|fla)\.php\?[a-z]+?=687474703a2f2f/U"; classtype:exploit-kit; sid:2017851; rev:2; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2013_12_13;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert adoraacc.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|adoraacc.com"; distance:1; within:13; reference:md5,a938c50d686663f97d62dff812fc575b; classtype:trojan-activity; sid:2019047; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Landing Dec 09 2013"; flow:from_server,established; file_data; content:"$.getVersion(|22|Silverlight|22|)"; content:"$.getVersion(|22|Java|22|)"; content:"calcMD5(encode_utf8(location"; classtype:exploit-kit; sid:2017826; rev:3; metadata:created_at 2013_12_10, former_category CURRENT_EVENTS, updated_at 2013_12_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert tristacey.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|tristacey.com"; distance:1; within:14; reference:md5,e40ec448fd7cfea641a18fb6b38e4e92; classtype:trojan-activity; sid:2019048; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Dec 09 2013 Java Request"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".html%3fjar"; http_raw_uri; pcre:"/\.html\?jar$/U"; classtype:exploit-kit; sid:2017827; rev:6; metadata:created_at 2013_12_10, former_category CURRENT_EVENTS, updated_at 2013_12_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert nbc-mail.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nbc-mail.com"; distance:1; within:13; reference:md5,348b8a9e693a6784a6cf26d9afe6fed9; classtype:trojan-activity; sid:2019049; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-QBP Checkin Response 1 - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"|3c|!--<2010QBP"; content:" 2010QBP//-->"; within:150; reference:url,intelreport.mandiant.com; reference:md5,0cf9e999c574ec89595263446978dc9f; reference:md5,fcdaa67e33357f64bc4ce7b57491fc53; classtype:targeted-activity; sid:2016451; rev:3; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert tridayacipta.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|tridayacipta.com"; distance:1; within:17; reference:md5,010e6b78b6ec2fd6970b0c709e70acec; classtype:trojan-activity; sid:2019050; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Grandsoft/SofosFO EK Java Payload URI Struct"; flow:established,to_server; content:"Java/1."; http_header; pcre:"/^\/\d{4,5}\/\d{7}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017861; rev:3; metadata:created_at 2013_12_13, updated_at 2013_12_13;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert trainthetrainerinternational.com"; flow:established,from_server; content:"|55 04 03|"; content:"|20|trainthetrainerinternational.com"; distance:1; within:33; reference:md5,010e6b78b6ec2fd6970b0c709e70acec; classtype:trojan-activity; sid:2019051; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Initial Connection Server Response"; flow:established,to_client; content:"|22|result|22 3A| [[|22|mining.notify|22|"; depth:120; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2017872; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert lingayasuniversity.edu.in"; flow:established,from_server; content:"|55 04 03|"; content:"|1d|www.lingayasuniversity.edu.in"; distance:1; within:30; reference:md5,b2c3bb2b56876e325d86731a693fd138; classtype:trojan-activity; sid:2019052; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER W32/BitCoinMiner Fake Flash Player Distribution Campaign - December 2013"; flow:established,to_server; content:"/blam/flashplayerv"; nocase; http_uri; reference:url,blog.malwarebytes.org/fraud-scam/2013/12/fake-flash-player-wants-to-go-mining/; reference:url,esearch.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; classtype:coin-mining; sid:2017874; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert uleideargan.com"; flow:established,from_server; content:"|55 04 03|"; content:"|13|www.uleideargan.com"; distance:1; within:20; reference:md5,ba402e41e140af41d57788e24c4c56d4; classtype:trojan-activity; sid:2019053; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JAR Download From Crimepack Exploit Kit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"cpak/Crimepack"; nocase; reference:url,doc.emergingthreats.net/2011544; reference:url,krebsonsecurity.com/tag/crimepack/; reference:url,www.offensivecomputing.net/?q=node/1572; classtype:exploit-kit; sid:2011544; rev:7; metadata:created_at 2010_09_27, former_category MALWARE, updated_at 2010_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert picklingtank.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|picklingtank.com"; distance:1; within:17; reference:md5,ba402e41e140af41d57788e24c4c56d4; classtype:trojan-activity; sid:2019054; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Work Server Response"; flow:established,to_client; content:"|22|params|22 3A| [|22|"; depth:120; content:"|22|method|22 3A| |22|mining.notify|22|"; distance:0; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2017873; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert vcomdesign.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|vcomdesign.com"; distance:1; within:15; reference:md5,9ad86fc9a57b620e96082cd61aa1b494; classtype:trojan-activity; sid:2019055; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Getblocktemplate Protocol Server Connection"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3A| |22|getblocktemplate|22|"; within:40; reference:url,en.bitcoin.it/wiki/Getblocktemplate; classtype:coin-mining; sid:2017878; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert technosysuk.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|technosysuk.com"; distance:1; within:16; reference:md5,fc23d6cbe926a022cac003214679ec7a; classtype:trojan-activity; sid:2019056; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Getblocktemplate Protocol Server Coinbasetxn Begin Mining Response"; flow:established,to_client; content:"|22|result|22 3A| {"; depth:50; content:"|22|coinbasetxn|22 3A| {"; within:30; content:"|22|data|22 3A| |22|"; within:30; reference:url,en.bitcoin.it/wiki/Getblocktemplate; classtype:coin-mining; sid:2017879; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert slmp-550-105.slc.westdc.net"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|slmp-550-105.slc.westdc.net"; distance:1; within:28; reference:md5,f053b1aa875751944bae74fce67fe965; classtype:trojan-activity; sid:2019057; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Ferret DDOS Bot CnC Beacon"; flow:established,to_server; urilen:14; content:"POST"; http_method; content:"/hor/input.php"; http_uri; content:"Mozilla Gecko Firefox 25"; http_user_agent; content:"m="; http_client_body; depth:2; content:"&h="; http_client_body; within:50; reference:md5,c49e3411294521d63c7cc28e08cf8a77; reference:url,www.arbornetworks.com/asert/2013/12/a-business-of-ferrets/; classtype:command-and-control; sid:2017883; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_19, deployment Perimeter, signature_severity Major, tag c2, updated_at 2013_12_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert itiltrainingcertworkshop.com"; flow:established,from_server; content:"|55 04 03|"; content:"|23|server.itiltrainingcertworkshop.com"; distance:1; within:36; reference:md5,f7b715ad4235599ed21179a369279225; classtype:trojan-activity; sid:2019058; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Upatre Downloader SSL certificate"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; pcre:"/^.{2}(?P<fake_email>([asdfgh]+|[qwerty]+|[zxcvbn]+)\@([asdfgh]+|[qwerty]+|[zxcvbn]+)\.).+?\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01.{2}(?P=fake_email)/Rs"; classtype:trojan-activity; sid:2017733; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_20, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert udderperfection.com"; flow:established,from_server; content:"|55 04 03|"; content:"|13|udderperfection.com"; distance:1; within:20; reference:md5,27938e57f7928e9559e71d384a8fffe6; classtype:trojan-activity; sid:2019059; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - ZIP file with .exe filename inside (Inbound)"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(5leG|LmV4|uZXhl)/R"; classtype:bad-unknown; sid:2017884; rev:5; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert efind.co.il"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|efind.co.il"; distance:1; within:12; reference:md5,6d8a5b36f61e392aaa048b97b3d9e090; classtype:trojan-activity; sid:2019060; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - RAR file with .exe filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(5leG|LmV4|uZXhl)/R"; classtype:bad-unknown; sid:2017885; rev:5; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert bloodsoft.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|bloodsoft.com"; distance:1; within:14; reference:md5,1b1626f65c4bac3af1220898f971f3ac; classtype:trojan-activity; sid:2019061; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - ZIP file with .com filename inside"; flow:established; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(uY29t|5jb2|LmNvb)/R"; classtype:bad-unknown; sid:2017887; rev:2; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert walletmix.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|www.walletmix.com"; distance:1; within:18; reference:md5,1b1626f65c4bac3af1220898f971f3ac; classtype:trojan-activity; sid:2019062; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - RAR file with .com filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(uY29t|5jb2|LmNvb)/R"; classtype:bad-unknown; sid:2017888; rev:2; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert turnaliinsaat.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|turnaliinsaat.com"; distance:1; within:18; reference:md5,feb5304d966a0f1610e642984a64d54c; classtype:trojan-activity; sid:2019063; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - ZIP file with .scr filename inside"; flow:established; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnNjc|Euc2Ny|S5zY3)/R"; classtype:bad-unknown; sid:2017889; rev:2; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert mdus-pp-wb12.webhostbox.net"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|mdus-pp-wb12.webhostbox.net"; distance:1; within:28; reference:md5,309efe8603c6db1218e8a95b6f4d2840; classtype:trojan-activity; sid:2019064; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - RAR file with .scr filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnNjc|Euc2Ny|S5zY3)/R"; classtype:bad-unknown; sid:2017890; rev:2; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert plastics-technology.com"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|www.plastics-technology.com"; distance:1; within:28; reference:md5,309efe8603c6db1218e8a95b6f4d2840; classtype:trojan-activity; sid:2019065; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/GMUnpacker.Downloader Download Instructions Response From CnC"; flow:established,to_client; file_data; content:"<AD>"; within:4; content:"<TIPAD>"; distance:0; content:"<POPUP>"; distance:0; content:"<REG>HKEY_LOCAL_MACHINE|5c|SOFTWARE|5c|Microsoft|5c|Windows|5c|CurrentVersion|5c|"; distance:0; reference:md5,43e89125ad40b18d22e01f997da8929a; classtype:command-and-control; sid:2017891; rev:2; metadata:created_at 2013_12_20, former_category MALWARE, updated_at 2013_12_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert deserve.org.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|deserve.org.uk"; distance:1; within:15; reference:md5,9d16352f292d86f40236afc7e06bce08; classtype:trojan-activity; sid:2019067; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DotkaChef Landing URI Struct"; flow:established,to_server; content:"/?"; http_uri; content:"LvoDc0RHa8NnZ"; http_uri; pcre:"/\/\?={0,2}[A-Za-z0-9\+\/]+?LvoDc0RHa8NnZ$/U"; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/analyzing-dotkachef-exploit-pack/; classtype:exploit-kit; sid:2017893; rev:4; metadata:created_at 2013_12_21, updated_at 2013_12_21;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert worldbuy.biz"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.worldbuy.biz"; distance:1; within:17; reference:md5,57c73f511f3ed23df07e2c1b88e007ca; classtype:trojan-activity; sid:2019068; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DotkaChef Payload Dec 20 2013"; flow:established,to_server; content:"/?f=bb.mp3"; http_uri; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/analyzing-dotkachef-exploit-pack/; classtype:exploit-kit; sid:2017894; rev:3; metadata:created_at 2013_12_21, updated_at 2013_12_21;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL DELETED wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"["; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:2101377; rev:18; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit 2013-3346"; flow:established,from_server; file_data; content:"5 0 R>>|0a|endobj|0a|5 0 obj |0a|<</"; pcre:"/^(?:L|#4c)(?:e|#65)(?:n|#6e)(?:g|#67)(?:t|#74)(?:h|#68)\x20\d+?\/(?:F|#46)(?:i|#69)(?:l|#6c)(?:t|#74)(?:e|#65)(?:r|#72)\[\/(?:F|#46)(?:l|#6c)(?:a|#61)(?:t|#74)(?:e|#65)(?:D|#44)(?:e|#65)(?:c|#63)(?:o|#6f)(?:d|#64)(?:e|#65)\/(?:A|#41)(?:S|#53)(?:C|#43)(?:I|#49){2}(?:H|#48)(?:e|#65)(?:x|#78)(?:D|#44)(?:e|#65)(?:c|#63)(?:o|#6f)(?:d|#64)(?:e|#65)\]>>/Rs"; content:"5 0 R>>|0a|endobj|0a|5 0 obj |0a|<<"; pcre:"/^(?:(?!>>).)+?#(?:[46][1-9a-fA-F]|[57][\daA])/Rs"; classtype:attempted-admin; sid:2017900; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category MALWARE, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL DELETED wu-ftp bad file completion attempt with brace"; flow:to_server,established; content:"~"; content:"{"; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:2101378; rev:18; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Flash Exploit Dec 24 2013"; flow:established,to_server; urilen:15; content:"/4"; depth:2; http_uri; pcre:"/^GET \/4(?P<baseuri>[a-z0-9]{10})[a-z0-9]{3} HTTP\/1\.[01]\r\n.*?Referer\x3a http\x3a\/\/[^\/]+?\/(?P=baseuri)\r\n/s"; classtype:exploit-kit; sid:2017901; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NullHole EK Landing Aug 27 2014"; flow:established,to_client; file_data; content:"|28 36 39 33 37 34 31 29 2e 74 6f 53 74 72 69 6e 67 28 33 36 29 3b 77 69 6e 64 6f 77|"; classtype:exploit-kit; sid:2019071; rev:3; metadata:created_at 2014_08_27, former_category CURRENT_EVENTS, updated_at 2014_08_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Possible Flash/IE Payload Dec 24 2013"; flow:established,to_server; urilen:15; content:"/3"; depth:2; http_uri; pcre:"/^\/3[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:exploit-kit; sid:2017902; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing URI Struct"; flow:established,to_server; content:"/?PHPSSESID=njr"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2019072; rev:3; metadata:created_at 2014_08_27, former_category CURRENT_EVENTS, updated_at 2014_08_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Flash Exploit Dec 26 2013"; flow:established,to_server; content:"/4"; depth:2; http_uri; content:"?&xkey="; http_uri; content:"&exec=aHR0cDov"; http_uri; pcre:"/\/4[a-z0-9]{13}\?&xkey=/U"; classtype:exploit-kit; sid:2017904; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tcp $HOME_NET 81 -> $EXTERNAL_NET any (msg:"ET DELETED Bifrose Response from victim"; flow:established,from_server; dsize:13; content:"|09 00 00 00 9a|"; depth:5; content:"|74|"; distance:7; within:8; reference:url,doc.emergingthreats.net/2009797; classtype:trojan-activity; sid:2009797; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO/GrandSoft PDF"; flow:established,from_server; file_data; content:"/TM(gawgewafgwe[0].#subform[0]"; classtype:trojan-activity; sid:2017905; rev:3; metadata:created_at 2013_12_27, updated_at 2013_12_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Attack Tool Morfeus F Scanner - M"; flow:established,to_server; content:"M Fucking Scanner"; http_user_agent; nocase; reference:url,www.webmasterworld.com/search_engine_spiders/3227720.htm; reference:url,doc.emergingthreats.net/2003466; classtype:web-application-attack; sid:2009799; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS TDS Unknown_.aso - URI - IP.aso"; flow:established,to_server; content:".aso"; http_uri; fast_pattern:only; pcre:"/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\.aso$/U"; classtype:bad-unknown; sid:2017906; rev:2; metadata:created_at 2013_12_27, updated_at 2013_12_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NullHole EK Landing Redirect Aug 27 2014"; flow:established,to_client; content:"Server|3a 20|CppCMS-Embedded/1.0.4|0d 0a|"; http_header; content:"302"; http_stat_code; content:"nhweb="; http_cookie; depth:6; classtype:exploit-kit; sid:2019073; rev:2; metadata:created_at 2014_08_27, former_category CURRENT_EVENTS, updated_at 2014_08_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible PDF Dictionary Entry with Hex/Ascii replacement"; flow:established,from_server; file_data; content:"%PDF-"; fast_pattern; within:5; content:"obj"; pcre:"/^[\r\n\s]*?<<(?:(?!>>).)+?\/[a-zA-Z\d]*?#(?:[46][1-9a-fA-F]|[57][\daA])(?:[a-zA-Z\d])*?#(?:[46][1-9a-fA-F]|[57][\daA])/Rsi"; classtype:trojan-activity; sid:2017899; rev:4; metadata:created_at 2013_12_24, former_category INFO, updated_at 2013_12_24;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert paydaypedro.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|11|paydaypedro.co.uk"; distance:1; within:18; reference:md5,39877be17bd3435f275fc54577beaa6e; classtype:trojan-activity; sid:2019075; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK encrypted binary (1)"; flow:established,to_client; file_data; content:"|20 69 c3 34 55 6d 33 53|"; depth:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017908; rev:2; metadata:created_at 2013_12_30, updated_at 2013_12_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert chatso.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|chatso.com"; distance:1; within:11; reference:md5,ef88df67a0bcb872143543ebad0ba91d; classtype:trojan-activity; sid:2019076; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing with CVE-2013-2551 Dec 29 2013"; flow:established,from_server; file_data; content:"javafx_version"; fast_pattern:only; content:"fromCharCode"; pcre:"/^[\r\n\s]*?\([\r\n\s]*?[a-zA-Z_$][^\r\n\s]*?\.charCodeAt[\r\n\s]*?\([\r\n\s]*?[a-zA-Z_$][^\r\n\s]*[\r\n\s]*?\)[\r\n\s]*?\^[\r\n\s]*?[a-zA-Z_$][^\r\n\s]*\.charCodeAt[\r\n\s]*?\(/Rsi"; content:"decodeURIComponent"; content:"applet"; classtype:exploit-kit; sid:2017907; rev:4; metadata:created_at 2013_12_30, updated_at 2013_12_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sinowal/Torpig Checkin"; flow:to_server,established; content:"GET"; http_method; content:"idcomp="; http_uri; content:"MyValue="; http_uri; content:"&load1="; http_uri; content:"&hist=downloaded_user_"; http_uri; pcre:"/MyValue=[a-f0-9]{32}/Ui"; reference:url,doc.emergingthreats.net/2010267; classtype:command-and-control; sid:2010267; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING suspicious - uncompressed pack200-ed JAR"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|ca fe d0 0d|"; depth:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017909; rev:3; metadata:created_at 2013_12_30, former_category INFO, updated_at 2013_12_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.SillyFDC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php"; nocase; http_uri; content:"getowner=1&uniqueid="; http_uri; content:"User-Agent|3a| WinHttp.WinHttpRequest"; http_header; reference:url,doc.emergingthreats.net/2010268; classtype:command-and-control; sid:2010268; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING suspicious - gzipped file via JAVA - could be pack200-ed JAR"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|1f 8b 08 00|"; depth:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017910; rev:3; metadata:created_at 2013_12_30, former_category INFO, updated_at 2013_12_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache mod_perl Apache Status and Apache2 Status Cross Site Scripting Attempt"; flow:established,to_server; content:"|2F|APR|3A 3A|SockAddr|3A 3A|port|2F|"; http_uri; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/34383/info; reference:cve,2009-0796; reference:url,doc.emergingthreats.net/2010281; classtype:attempted-user; sid:2010281; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02"; content:"|00 02 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017918; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Clod/Sereki Communication with C&C"; flow:established,to_server; content:".php?id="; http_uri; nocase; content:"&cnt="; http_uri; nocase; pcre:"/\.php\?id=\d+_[0-9a-f]{8}-[0-9a-f]+-[0-9a-f]{8}&cnt=/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:url,doc.emergingthreats.net/2010289; reference:md5,bbb6ac2181dbbe15efd13c294cb991fa; reference:md5,3c39bfc78fcf3fe805c7472296bf6319; classtype:trojan-activity; sid:2010289; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03"; content:"|00 03 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017919; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Clod/Sereki Checkin with C&C (noalert)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/chck.dat"; fast_pattern; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; flowbits:set,ET.clod1; flowbits:noalert; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:url,doc.emergingthreats.net/2010290; reference:md5,bbb6ac2181dbbe15efd13c294cb991fa; reference:md5,3c39bfc78fcf3fe805c7472296bf6319; classtype:trojan-activity; sid:2010290; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017920; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Clod/Sereki Checkin Response"; flow:established,from_server; content:"|0d 0a 0d 0a|!chckOK!"; nocase; flowbits:isset,ET.clod1; reference:url,doc.emergingthreats.net/2010291; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:md5,bbb6ac2181dbbe15efd13c294cb991fa; reference:md5,3c39bfc78fcf3fe805c7472296bf6319; classtype:trojan-activity; sid:2010291; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017921; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN pangolin SQL injection tool"; flow:established,to_server; content:"pangolin"; http_user_agent; reference:url,www.lifedork.net/pangolin-best-sql-injection-tool.html; classtype:web-application-activity; sid:2010343; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Systemdoctor.com/Antivir2008 related Fake Anti-Virus User-Agent (AntivirXP)"; flow:established,to_server; content:"|3b 20|Antivir"; http_user_agent; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.wiki-security.com/wiki/Parasite/Antivirus2008; reference:url,doc.emergingthreats.net/2008549; classtype:pup-activity; sid:2008549; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER RFI Scanner Success (Fx29ID)"; flow:established,from_server; content:"FeeLCoMzFeeLCoMz"; reference:url,doc.emergingthreats.net/2010463; reference:url,opinion.josepino.com/php/howto_website_hack1; classtype:successful-user; sid:2010463; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Little Endian)"; flow:established,to_server; content:"MMcS"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017923; rev:2; metadata:created_at 2014_01_04, updated_at 2014_01_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Non-Escaping backslash in User-Agent Outbound"; flow:established,to_server; content:"|5C|"; http_user_agent; depth:200; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_user_agent; pcre:"/User-Agent\x3a.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]/Hi"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; classtype:bad-unknown; sid:2010721; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2010_07_30;)
 
-alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Big Endian)"; flow:established,to_server; content:"ScMM"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017924; rev:2; metadata:created_at 2014_01_04, updated_at 2014_01_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Non-Escaping backslash in User-Agent Inbound"; flow:established,to_server; content:"|5C|"; http_user_agent; depth:200; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_user_agent; pcre:"/User-Agent\:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]/Hi"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010722; classtype:bad-unknown; sid:2010722; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Redirection - Injection - Modified Edwards Packer Script"; flow:established,to_client; file_data; content:"function(s,a,c,k,e,d"; classtype:trojan-activity; sid:2017931; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_01_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp [174.129.0.0/16,67.202.0.0/18,79.125.0.0/17,184.72.0.0/15,75.101.128.0/17,174.129.0.0/16,204.236.128.0/17] any -> $HOME_NET any (msg:"ET DELETED Incoming Connection Attempt From Amazon EC2 Cloud"; flow:to_server; flags:S,12; reference:url,doc.emergingthreats.net/2010815; classtype:misc-activity; sid:2010815; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PWS-LDPinch Reporting User Activity"; flow:established,to_server; content:".php?ut="; nocase; http_uri; content:"&idr="; nocase; http_uri; content:"&lang="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&winver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2002812; classtype:trojan-activity; sid:2002812; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pragma hack Detected Outbound - Likely Infected Source"; flow:established,to_client; content:"Pragma|3a| hack/"; nocase; http_header; classtype:trojan-activity; sid:2010872; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PWS-LDPinch posting data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"a="; http_client_body; nocase; content:"&b="; http_client_body; nocase; content:"&d="; http_client_body; nocase; content:".bin&"; fast_pattern; http_client_body; nocase; content:"u="; http_client_body; nocase; content:"&c="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2006385; classtype:trojan-activity; sid:2006385; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Twitter Status Update"; flow:to_server,established; content:"POST"; http_method; content:"/status/update"; http_uri; content:"twitter.com"; nocase; content:"authenticity_token="; nocase; content:"status="; nocase; reference:url,twitter.com; reference:url,doc.emergingthreats.net/2010797; classtype:policy-violation; sid:2010797; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PWS-LDPinch posting data (2)"; flow:established,to_server; content:"POST"; nocase; http_method; urilen:1; content:"/"; http_uri; content:"HTTP/1.1"; content:!"BDNC"; http_user_agent; depth:4;  content:"a="; depth:2; http_client_body; fast_pattern; content:"&b="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; reference:url,doc.emergingthreats.net/2007756; classtype:trojan-activity; sid:2007756; rev:11; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"ET DELETED JoltID Agent Communicating TCP"; flow: to_server,established; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000901; classtype:trojan-activity; sid:2000901; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; nocase; content:"&d="; http_client_body; nocase; content:".bin&c="; http_client_body; reference:url,doc.emergingthreats.net/2007828; classtype:trojan-activity; sid:2007828; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any <> $EXTERNAL_NET 3531 (msg:"ET DELETED JoltID Agent Requesting File"; flow: established,to_server; content:"GIVE "; content:"User-Agent|3a|"; nocase; content:"PeerEnabler"; within:120; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001654; classtype:trojan-activity; sid:2001654; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Checkin (4)"; flow:established,to_server; content:"a="; content:"&b=Pinch"; nocase; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2008061; classtype:trojan-activity; sid:2008061; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"ET DELETED JoltID Agent Keep-Alive"; flow: to_server,established; dsize: 1; content:"|4b|"; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001015; classtype:trojan-activity; sid:2001015; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Checkin (8)"; flow:established,to_server; content:"/view.php"; nocase; http_uri; content:"a="; content:"&b=Passes"; distance:0; content:"&d=Pass"; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2008091; classtype:trojan-activity; sid:2008091; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 fc 61 00 6b e6 e5 a0 17|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019079; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Checkin (9)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gate.php"; http_uri; content:"a=&b=&d=&c="; http_client_body; reference:url,doc.emergingthreats.net/2008213; classtype:trojan-activity; sid:2008213; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible DavTest WebDav Vulnerability Scanner Initial Check Detected"; flow:established,to_server; content:"PROPFIND "; depth:9; content:"D|3A|propfind xmlns|3A|D=|22|DAV|3A 22|><D|3A|allprop/></D|3A|propfind>"; distance:0; reference:url,www.darknet.org.uk/2010/04/davtest-webdav-vulerability-scanning-scanner-tool/; reference:url,code.google.com/p/davtest/; reference:url,doc.emergingthreats.net/2011088; classtype:attempted-recon; sid:2011088; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"ET DELETED LDPinch Checkin on Port 82"; flow:established,to_server; content:".php"; nocase; content:"a="; content:"&b=Pinch"; distance:0; content:"&d="; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2008354; classtype:trojan-activity; sid:2008354; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 9295 (msg:"ET DELETED Troxen GetSpeed Request"; flow:established,to_server; content:"GetSpeed |0d 0a|"; depth:11; reference:md5,af89d15930fe59dcb621069abc83cc66; reference:url,doc.emergingthreats.net/2011233; classtype:trojan-activity; sid:2011233; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Checkin v2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gate.php"; fast_pattern; nocase; http_uri; content:"application|2F|x-www-form-urlencoded|0D 0A|"; http_header; content:"a=";  http_client_body; depth:2; nocase; content:"b="; http_client_body; nocase; content:"d="; http_client_body; nocase; content:"c="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2008469; classtype:trojan-activity; sid:2008469; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED General Trojan FakeAV Downloader"; flow:established,to_server; content:".php?id="; http_uri; content:"&os="; http_uri; content:"&n="; http_uri; classtype:trojan-activity; sid:2011416; rev:6; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Loader Binary Request"; flow:established,to_server; content:"HTTP/1.0|0d 0a|Host|3a|"; content:".exe"; http_uri; nocase; content:"User-Agent|3a| "; http_header; content:"|0a 0a|Connection|3a| close|0d 0a 0d 0a|"; http_header; classtype:trojan-activity; sid:2013994; rev:4; metadata:created_at 2011_12_07, updated_at 2011_12_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER TIEHTTP User-Agent"; flow:to_server,established; content:"User-Agent|3a| tiehttp"; nocase; reference:url,www.torry.net/authorsmore.php?id=4292; classtype:web-application-activity; sid:2011759; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TROJAN LDPinch Loader Binary Request"; flow:to_server,established; content:"HTTP/1.0|0D 0A|Host|3a|"; content:".exe"; http_uri; nocase; content:"User-Agent|3a| "; http_header; content:"|0D 0A|Connection|3a| close|0D 0A 0D 0A|"; http_header; classtype:trojan-activity; sid:2014015; rev:7; metadata:created_at 2011_12_09, updated_at 2011_12_09;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET MALWARE Avzhan DDOS Bot Inbound Hardcoded Malformed GET Request Denial Of Service Attack Detected"; flow:established,to_server; content:"GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm"; depth:49; nocase; threshold:type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; classtype:attempted-dos; sid:2011767; rev:4; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LDPinch Checkin (3)"; flow:established,to_server; content:"a="; content:"&b=Passes from"; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2007862; classtype:command-and-control; sid:2007862; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED vb exploits / trojan vietshow"; flow:established,to_server; content:"GET"; http_method; content:"~vietshow/"; nocase; http_uri; classtype:bad-unknown; sid:2011897; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ATTACKER WebShell - PHP Offender - Title"; flow:established,to_client; file_data; content:"<title>PHP Shell offender</title>"; nocase; classtype:web-application-attack; sid:2017951; rev:3; metadata:created_at 2014_01_11, updated_at 2014_01_11;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan perflogger ~duydati/inst_PCvw.exe"; flow:established,to_server; content:"GET"; http_method; content:"~duydati/inst_PCvw.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011899; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014"; flow:established,to_client; file_data; content:"window.GetKey"; nocase; fast_pattern; content:"window.GetUrl"; nocase; content:"aHR0cDov"; distance:0; content:"#default#VML"; classtype:exploit-kit; sid:2017953; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Phishing ~mbscom/moneybookers/app/login/login.html"; flow:established,to_server; content:"GET"; http_method; content:"~mbscom/moneybookers/app/login/login.html"; nocase; http_uri; classtype:bad-unknown; sid:2011902; rev:2; metadata:attack_target Client_Endpoint, created_at 2010_11_09, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014 1"; flow:established,to_client; file_data; content:"ODAvM"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?ODAvM[a-zA-Z0-9\/\+]{18}(?:=|%3D)[\x22\x27]/R"; classtype:exploit-kit; sid:2017954; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Hacked server to exploits ~rio1/admin/login.php"; flow:established,to_server; content:"GET"; http_method; content:"~rio1/admin/login.php"; nocase; http_uri; classtype:bad-unknown; sid:2011901; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014 2"; flow:established,to_client; file_data; content:"4MC8x"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?4MC8x[a-zA-Z0-9\/\+]{18}(?:=|%3D){2}[\x22\x27]/R"; classtype:exploit-kit; sid:2017955; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED iframe Phoenix Exploit & ZBot vt073pd/photo.exe"; flow:established,to_server; content:"GET"; http_method; content:"vt073pd/photo.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011903; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014 3"; flow:established,to_client; file_data; content:"OjgwL"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?OjgwL[a-zA-Z0-9\/\+]{19}[\x22\x27]/R"; classtype:exploit-kit; sid:2017956; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED trojan renos Flash.HD.exe"; flow:established,to_server; content:"GET"; http_method; content:"Flash.HD.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011909; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Jan 10 2014"; flow:established,to_client; file_data; content:"javafx_version"; fast_pattern:only; nocase; content:"46"; pcre:"/^(?P<sep>[^\x22\x27]{1,10})100(?P=sep)97(?P=sep)115(?P=sep)104(?P=sep)115(?P=sep)116(?P=sep)121(?P=sep)108(?P=sep)101(?P=sep)46(?P=sep)97(?P=sep)114(?P=sep)114(?P=sep)97(?P=sep)121(?P=sep)/R"; classtype:exploit-kit; sid:2017957; rev:2; metadata:created_at 2014_01_11, updated_at 2014_01_11;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED fast flux rogue antivirus download.php?id=2004"; flow:established,to_server; content:"GET"; http_method; nocase; content:"download.php?id=2004"; nocase; http_uri; classtype:bad-unknown; sid:2011904; rev:3; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
-#alert tcp $EXTERNAL_NET 8000 -> $HOME_NET any (msg:"ET DELETED Possible Neutrino EK SilverLight Exploit Jan 11 2014"; flow:established,from_server; file_data; content:"AppManifest.xaml"; content:"dig.dll"; nocase; fast_pattern:only; pcre:"/\bdig\.dll\b/"; classtype:exploit-kit; sid:2017958; rev:2; metadata:created_at 2014_01_11, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Exploited By SMB/JavaWebStart"; flow:established,to_server; content:"loadsmb.php"; http_uri; classtype:trojan-activity; sid:2011951; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017965; rev:3; metadata:created_at 2014_01_14, updated_at 2014_01_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Exploited By PDF"; flow:established,to_server; content:"loadlibtiff.php"; http_uri; classtype:trojan-activity; sid:2011952; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 2012:2014 (msg:"ET MALWARE Win32.Morix.B checkin"; flow:to_server,established; content:"|00 00 42 42 43 42 43|"; offset:2; depth:7; reference:md5,25623fa3a64f6bed301822f8fe6aa9b5; classtype:command-and-control; sid:2017922; rev:3; metadata:created_at 2014_01_03, former_category MALWARE, updated_at 2014_01_03;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY SEO Obfuscated JavaScript srctable"; flow:established,to_client; content:"var srctable=|27|"; depth:14; classtype:bad-unknown; sid:2011959; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SpyEye Bot Checkin"; flow:established,to_server; content:".php?guid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&stat="; nocase; http_uri; content:"&cpu="; nocase; http_uri; content:"&ccrc="; nocase; http_uri; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-020216-0135-99; reference:url,malwareint.blogspot.com/2010/01/spyeye-new-bot-on-market.html; reference:url,doc.emergingthreats.net/2010789; reference:url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot; reference:md5,2b8a408b56eaf3ce0198c9d1d8a75ec0; classtype:trojan-activity; sid:2010789; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY SEO Obfuscated JavaScript desttable"; flow:established,to_client; content:"var desttable=|27|"; depth:15; classtype:bad-unknown; sid:2011958; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PE EXE or DLL Windows file download disguised as ASCII - SET"; flow:established; content:"|34 44 35 41|"; byte_jump:8,116,relative,multiplier 2,little,string; isdataat:1,relative; flowbits:set,ET.http.binary.ASCII; flowbits:noalert; classtype:trojan-activity; sid:2017961; rev:5; metadata:created_at 2014_01_13, updated_at 2014_01_13;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious loadpeers.php"; flow:established,to_server; content:"loadpeers.php"; http_uri; classtype:bad-unknown; sid:2011956; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-3918"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"Array"; nocase; distance:0; content:"|22|"; nocase; within:500; content:!"|22|"; within:500; pcre:"/^[a-z0-9]{1,500}?(?P<s>[a-z0-9]{2})(?P<t>(?!(?P=s))[a-z0-9]{2})(?P<r>(?!(?:(?P=s)|(?P=t)))[a-z0-9]{2})(?P=t)(?P<o>(?!(?:(?P=s)|(?P=t)|(?P=r)))[a-z0-9]{2})(?P<b>(?!(?:(?P=s)|(?P=t)|(?P=r)|(?P=o)))[a-z0-9]{2})(?P<y>(?!(?:(?P=s)|(?P=t)|(?P=r)|(?P=o)|(?P=b)))[a-z0-9]{2})(?P=t)(?:(?!(?:(?P=s)|(?P=t)|(?P=r)))[a-z0-9]{4})(?P=s)(?P=t)(?P=r)/Rs"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017973; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_16, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious lib.pdf"; flow:established,to_server; content:"/files/lib.pdf"; http_uri; classtype:bad-unknown; sid:2011955; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Updatre SSL Certificate cardiffpower"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cardiffpower.com"; distance:1; within:17; content:"|55 04 03|"; distance:0; content:"|10|cardiffpower.com"; distance:1; within:17; classtype:domain-c2; sid:2017977; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_25;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious loadjjar.php"; flow:established,to_server; content:"loadjjar.php"; http_uri; classtype:bad-unknown; sid:2011954; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Updatre Compromised SSL Certificate marchsf"; flow:established,from_server; content:"|02 07 04 81 e4 de 05 6a 5a|"; content:"|0b|marchsf.com"; distance:0; fast_pattern; classtype:trojan-activity; sid:2017978; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious jjar.jar"; flow:established,to_server; content:"/files/jjar.jar"; http_uri; classtype:bad-unknown; sid:2011953; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Updatre Compromised SSL Certificate california89"; flow:established,from_server; content:"|02 07 2b 00 ee 19 5e ab 1f|"; content:"|10|california89.com"; distance:0; classtype:trojan-activity; sid:2017979; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+#alert tcp $HOME_NET any -> 212.26.42.47 9090 (msg:"ET DELETED ProFTPD Backdoor outbound Request Sent"; flow:established,to_server; content:"GET /AB"; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url,sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; classtype:trojan-activity; sid:2011993; rev:2; metadata:created_at 2010_12_02, updated_at 2010_12_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO InformationCardSigninHelper ClassID (Vulnerable ActiveX Control in CVE-2013-3918)"; flow:established,to_client; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; classtype:misc-activity; sid:2017980; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Spy.YEK MAC and IP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Disposition|3A| form-data|3B| name=|22|MAC|22|"; http_header; nocase; content:"Content-Disposition|3A| form-data|3B| name=|22|IP|22|"; nocase; http_header; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20101115; classtype:trojan-activity; sid:2011999; rev:7; metadata:created_at 2010_12_07, updated_at 2010_12_07;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Updatre Compromised SSL Certificate thebostonshaker"; flow:established,from_server; content:"|02 07 27 7d 65 4a cd bf 4e|"; content:"|17|www.thebostonshaker.com"; distance:0; classtype:trojan-activity; sid:2017981; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware Tools Update OS Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"exec|3A|"; nocase; content:"args|3A|"; nocase; distance:0; content:"UpgradeTools_Task"; distance:0; reference:url,www.exploit-db.com/exploits/15717/; reference:cve,2010-4297; classtype:attempted-admin; sid:2012045; rev:5; metadata:created_at 2010_12_11, updated_at 2010_12_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Styx/Angler EK SilverLight Exploit"; flow:established,from_server; file_data; content:"PK"; within:2; content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml"; classtype:exploit-kit; sid:2017732; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Successful DD-WRT Information Disclosure"; flowbits:isset,et.ddwrt.infodis; flow:established,from_server; content:"lan_mac|3A 3A|"; content:"wlan_mac|3A 3A|"; distance:0; content:"lan_ip|3A 3A|"; distance:0; content:"mem_info|3A 3A|"; distance:0; reference:url,www.exploit-db.com/exploits/15842/; classtype:successful-recon-limited; sid:2012117; rev:3; metadata:created_at 2010_12_30, updated_at 2010_12_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (2) Jan 17 2013"; flow:established,to_client; file_data; content:"|2c 3e f2 32 30 34 6e 68|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017985; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Adobe Reader 9.4 doc.printSeps Memory Corruption Attempt"; flow:established,to_client; content:"%PDF-"; nocase; depth:300; content:"doc.printSeps"; nocase; distance:0; reference:bid,44638; reference:cve,2010-4091; classtype:attempted-user; sid:2012156; rev:2; metadata:created_at 2011_01_06, updated_at 2011_01_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (3) Jan 17 2013"; flow:established,to_client; file_data; content:"|7d 6b f8 64 76 74 6e 66|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017986; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED Post Express Inbound SPAM (possible Spyeye)"; flow:established,to_server; content:"Content-Disposition|3A|attachment|3b|"; nocase; content:"filename=|22|Post_Express_Label_"; nocase; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012275; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Compromised site appsredeeem"; flow:established,to_client; content:"|12|www.appsredeem.com"; nocase; classtype:trojan-activity; sid:2017987; rev:2; metadata:created_at 2014_01_17, former_category CURRENT_EVENTS, updated_at 2014_01_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential Trojan dropper Wlock.A (AS1680)"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/pornoplayer.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=pworldxxx.info; classtype:trojan-activity; sid:2012301; rev:4; metadata:created_at 2011_02_07, updated_at 2011_02_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible AnglerEK Landing URI Struct"; flow:established,to_server; content:"?thread="; http_uri; nocase; content:"key="; http_uri; nocase; pcre:"/^\/[a-z0-9]+?\?thread=\d+?&x?key=[A-F0-9]{32}$/U"; classtype:exploit-kit; sid:2017975; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Fast Flux Trojan Rogue Antivirus"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/SecurIns_194.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=microantivirus5.com; classtype:bad-unknown; sid:2012332; rev:3; metadata:created_at 2011_02_22, updated_at 2011_02_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Page"; flow:established,from_server; file_data; content:".javaEnabled"; content:"f1=true"; nocase; fast_pattern:only; content:"window."; nocase; pcre:"/^(?P<windname>[a-z0-9]+)(?P<plug1>([sj]|f1))=true.+?window\.(?P=windname)(?P<plug2>(?:(?!(?P=plug1))([sj]|f1)))=true.+?window\.(?P=windname)(?!(?:(?P=plug1)|(?P=plug2)))(?:[sj]|f1)=true/Rsi"; classtype:exploit-kit; sid:2017569; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> 184.105.245.17 8080 (msg:"ET DELETED DroidDream Android Trojan info upload"; flow:to_server,established; content:"/GMServer/GMServlet"; http_uri; reference:url,androguard.blogspot.com/2011/03/droiddream.html; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=79&blogId=1; reference:url,blog.mylookout.com/2011/03/android-malware-droiddream-how-it-works/; reference:url,countermeasures.trendmicro.eu/google-android-rooted-backdoored-infected/; classtype:trojan-activity; sid:2012410; rev:3; metadata:created_at 2011_03_03, updated_at 2011_03_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (1) Jan 17 2013"; flow:established,to_client; file_data; content:"|2c 36 f4 6f 6d 6a 66 67|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017984; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Fast Flux Rogue Antivirus"; flow:established,to_server; content:"GET"; nocase; http_method; content:"download/Setup_2004.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=spyremover-k3.com; classtype:trojan-activity; sid:2012447; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (4)"; flow:established,to_client; file_data; content:"|21 3b e3 70 65 6e 66 64|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017989; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android Trojan HongTouTou Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/index.aspx?im="; http_uri; nocase; content:"|0d 0a|User-Agent|3a| Apache-HttpClient"; http_header; reference:url,blog.netqin.com/en/?p=451; classtype:trojan-activity; sid:2012450; rev:4; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cybergate/Rebhip/Spyrat Backdoor Keepalive Response"; flow:to_server,established; dsize:<100; content:"pong|7c|"; depth:5; classtype:trojan-activity; sid:2017991; rev:6; metadata:created_at 2011_04_09, updated_at 2011_04_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Zbot Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/games/pdf"; nocase; http_uri; content:"php?f=7"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=poleoa.net; classtype:trojan-activity; sid:2012538; rev:3; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java/Jacksbot Check-in"; flow:established,to_server; content:"|00 2d 00 68 00 20 00 32 00 66 00|"; pcre:"/^(?:4\x00[1-9a-f]|5\x00[\da])/Rs"; content:"|00 33 00 61 00|"; within:5; reference:md5,6d93fc6132ae6938013cdd95354bff4e; classtype:trojan-activity; sid:2017983; rev:3; metadata:created_at 2014_01_17, updated_at 2014_01_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Rogue Antivirus"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/installer.0042.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=umbralinversiones.com; classtype:trojan-activity; sid:2012539; rev:3; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Jan 21 2013 SilverLight 1"; flow:established,from_server; file_data; content:"Y21kLmV4ZSA"; pcre:"/^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x)/R"; classtype:exploit-kit; sid:2017995; rev:2; metadata:created_at 2014_01_22, updated_at 2014_01_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Win32 Backdoor Poison"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/salvando-usb.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=arteencueros.com; classtype:trojan-activity; sid:2012540; rev:3; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Jan 21 2013 SilverLight 2"; flow:established,from_server; file_data; content:"NtZC5leGUg"; pcre:"/^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x)/R"; classtype:exploit-kit; sid:2017996; rev:2; metadata:created_at 2014_01_22, updated_at 2014_01_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/CazinoSilver Download VegasVIP_setup.exe"; flow:established,to_server; content:"/VegasVIP_setup.exe"; nocase; http_uri; reference:url,ddanchev.blogspot.com/2011/04/dont-play-poker-on-infected-table-part.html; classtype:trojan-activity; sid:2012685; rev:3; metadata:created_at 2011_04_12, updated_at 2011_04_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Jan 21 2013 SilverLight 3"; flow:established,from_server; file_data; content:"jbWQuZXhlI"; pcre:"/^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x)/R"; classtype:exploit-kit; sid:2017997; rev:2; metadata:created_at 2014_01_22, updated_at 2014_01_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows arp -a Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Interface|3a|"; content:"--- 0x"; distance:0; content:"Internet Address"; content:"Physical Address"; fast_pattern; distance:0; content:"Type"; content:"dynamic"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019080; rev:1; metadata:created_at 2014_08_28, updated_at 2014_08_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Feodo Banking Trojan Receiving Configuration File"; flow:established,from_server; content:"ibanking-services.com"; nocase; content:"webcash"; nocase; distance:0; content:"/wires/"; nocase; content:"amazon.com"; nocase; distance:0; content:"EncryptPassword"; nocase; distance:0; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html; classtype:trojan-activity; sid:2011863; rev:5; metadata:created_at 2010_10_28, updated_at 2010_10_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows set Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"ALLUSERSPROFILE="; fast_pattern; content:"APPDATA="; distance:0; content:"CLIENTNAME="; content:"CommonProgramFiles="; distance:0; content:"COMPUTERNAME="; content:"ComSpec="; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019081; rev:1; metadata:created_at 2014_08_28, updated_at 2014_08_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Browlock Hostname Format US"; flow:established,to_server; content:"Host|3a 20|fbi.gov."; http_header; fast_pattern:only; classtype:trojan-activity; sid:2018006; rev:3; metadata:created_at 2014_01_23, updated_at 2014_01_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SSL MiTM Vulnerable or EOL iOS 3.x device"; flow:established,to_server; content:"Mozilla/5.0 |28|iP"; http_header; content:" OS 3_"; http_header; distance:0; threshold: type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; reference:url,github.com/jan0/isslfix; reference:cve,CVE-2011-0228; classtype:not-suspicious; sid:2013406; rev:6; metadata:created_at 2011_08_12, updated_at 2011_08_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing Jan 24 2013"; flow:established,to_client; file_data; content:"0x3dcde1&&"; nocase; content:"0x4e207d"; nocase; within:50; classtype:exploit-kit; sid:2018011; rev:2; metadata:created_at 2014_01_24, former_category CURRENT_EVENTS, updated_at 2014_01_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SSL MiTM Vulnerable or EOL iOS 4.x device"; flow:established,to_server; content:"Mozilla/5.0 (iP"; http_header; content:" OS 4_"; http_header; distance:0; pcre:"/OS 4_[0-3]_[1-4] like/H"; threshold: type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; reference:url,github.com/jan0/isslfix; reference:cve,CVE-2011-0228; classtype:not-suspicious; sid:2013407; rev:6; metadata:created_at 2011_08_12, updated_at 2011_08_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent 100 non-printable char"; flow:to_server,established; content:"User-Agent|3a 20|"; http_header; pcre:"/^([\x7f-\xff]){100}/HRi"; reference:md5,176638536e926019e3e79370777d5e03; classtype:pup-activity; sid:2017982; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential Blackhole Exploit Pack landing"; flow:established,to_server; content:".php?f="; http_uri; content:!"Cookie|3a|"; http_header; pcre:"/\.php\?f=\d+$/U"; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; classtype:bad-unknown; sid:2012688; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_04_15, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Limitless Logger Sending Data over SMTP 2"; flow:to_server,established; content:"Limitless Logger successfully ran on this computer."; nocase; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:trojan-activity; sid:2018016; rev:2; metadata:created_at 2014_01_28, updated_at 2014_01_28;)
+#alert ip $HOME_NET any -> 83.236.140.90 any (msg:"ET DELETED Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-2"; threshold:type limit, track by_dst, count 1, seconds 60; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; reference:url,www.f-secure.com/weblog/archives/00002249.html; reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; reference:url,www.ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013754; rev:5; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Xtrat C2 Response"; flow:established,from_server; content:"S|00|T|00|A|00|R|00|T|00|S|00|E|00|R|00|V|00|E|00|R|00|B|00|U|00|F|00|F|00|E|00|R"; depth:33; reference:md5,f45b1b82c849fbbea3374ae7e9200092; classtype:command-and-control; sid:2018027; rev:2; metadata:created_at 2014_01_28, former_category MALWARE, updated_at 2014_01_28;)
+#alert ip 83.236.140.90 any -> $HOME_NET any (msg:"ET DELETED Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-2"; threshold:type limit, track by_src, count 1, seconds 60; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; reference:url,www.f-secure.com/weblog/archives/00002249.html; reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; reference:url,www.ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013753; rev:5; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ehow/livestrong Malicious Flash 10/11"; flow:established,to_server; urilen:13; content:".swf"; http_uri; offset:9; depth:4; pcre:"/^\/[a-f0-9]{8}\.swf$/U"; pcre:"/^Referer\x3a[^\r\n]+\/[a-f0-9]{8}\/1(?:0\/[0-2]|1\/\d)\/\r$/Hm"; classtype:trojan-activity; sid:2018029; rev:2; metadata:created_at 2014_01_28, former_category CURRENT_EVENTS, updated_at 2014_01_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED AirOS .css Worm Outbound Propagation Sweep"; flow:established,to_server; content:"/admin.cgi/.gif"; http_uri; pcre:"/Host\x3a ([0-9]{1,3}\.){3}[0-9]{1,3}/H"; reference:url,seclists.org/fulldisclosure/2011/Dec/419; reference:url,www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/; classtype:trojan-activity; sid:2014041; rev:6; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Banker.AALV checkin"; flow:to_server,established; content:"CHEGOU-NOIS"; fast_pattern; content:"|20 7c 20|PLUGIN|3a|"; distance:0; content:"|20 7c 20|BROWSER|3a|"; reference:md5,74bfd81b345a6ef36be5fcf6964af6e1; classtype:command-and-control; sid:2018034; rev:1; metadata:created_at 2014_01_29, former_category MALWARE, updated_at 2014_01_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED AirOS admin.cgi/css Exploit Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/etc/persistent/.skynet/install&action=cli"; http_uri; reference:url,seclists.org/fulldisclosure/2011/Dec/419; reference:url,www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/; classtype:trojan-activity; sid:2014042; rev:5; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT StyX Landing Jan 29 2014"; flow:from_server,established; file_data; content:"<applet"; fast_pattern:only; content:".exe"; pcre:"/^[\x22\x27]/R"; content:"var"; pcre:"/^\s+?(?P<vname>[^\s=]+)\s*?=\s*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?\.exe(?P=q).+?<applet(?:(?!<\/applet>).)+?value\s*?=\s*?(?:\x22\x27|\x27\x22)\s*?\+\s*?(?P=vname)\s*?\+\s*?(?:\x22\x27|\x27\x22)/Rsi"; classtype:trojan-activity; sid:2018035; rev:4; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2014_01_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Syrian Malware Checkin"; flow:established,to_server; content:"|2f|j|7c|n|5c|"; offset:2; depth:5; content:"[endof]"; fast_pattern; distance:0; reference:url,fireeye.com/blog/technical/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html; reference:md5,a8cf815c3800202d448d035300985dc7; classtype:command-and-control; sid:2019084; rev:1; metadata:created_at 2014_08_29, former_category MALWARE, updated_at 2014_08_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PHISH Visa - Landing Page"; flow:established,to_client; file_data; content:"Enter your password Verified by Visa / MasterCard SecureCode"; classtype:social-engineering; sid:2018043; rev:2; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2017_10_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert dineshuthayakumar.in"; flow:established,from_server; content:"|55 04 03|"; content:"|14|dineshuthayakumar.in"; distance:1; within:21; reference:md5,0c96fd25ec4139063ac7d83511835d20; classtype:trojan-activity; sid:2019034; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SolarBot Plugin Download Server Response"; flow:from_server,established; file_data; content:"SOLAR|00|"; within:6; content:"MZP"; distance:0; classtype:trojan-activity; sid:2018036; rev:5; metadata:created_at 2014_01_30, updated_at 2014_01_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.SWF; content:"Content-Disposition|3a|"; http_header; content:".swf"; http_header; content:"X-Powered-By|3a|"; http_header; pcre:"/^Content-Disposition\x3a[^\r\n]+\.swf/Hm"; content:"ZWS"; classtype:exploit-kit; sid:2018362; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_04, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert udp any 53 -> $HOME_NET any (msg:"ET DELETED Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|02|ru|00|"; fast_pattern:only; pcre:"/[^a-z0-9\-\.][a-z0-9]{32,48}\x02ru\x00\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:command-and-control; sid:2014373; rev:2; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tor based locker Ransom Page"; flow:established,to_server; content:"/buy.php?"; http_uri; content:"iet7v4dciocgxhdv."; nocase; fast_pattern; http_header; classtype:trojan-activity; sid:2018873; rev:3; metadata:created_at 2014_08_01, updated_at 2014_08_01;)
 
-#alert udp any 53 -> $HOME_NET any (msg:"ET DELETED Possible Zeus .info CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|04|info|00|"; fast_pattern:only; pcre:"/[^a-z0-9\-\.][a-z0-9]{32,48}\x04info\x00\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:command-and-control; sid:2014374; rev:3; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks"; flow:from_server,established; file_data; content:"scanbox.crypt._utf8_encode"; classtype:trojan-activity; sid:2019093; rev:3; metadata:created_at 2014_08_30, updated_at 2014_08_30;)
 
-#alert udp any 53 -> $HOME_NET any (msg:"ET DELETED Possible Zeus .biz CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|03|biz|00|"; fast_pattern:only; pcre:"/[^a-z0-9\-\.][a-z0-9]{32,48}\x03biz\x00\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:command-and-control; sid:2014375; rev:2; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks (POST) PluginData"; flow:to_server,established; content:"POST"; http_method; content:"pluginid="; http_client_body; fast_pattern:only; content:"projectid="; http_client_body; content:"seed="; http_client_body; content:"data="; http_client_body; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019095; rev:3; metadata:created_at 2014_08_30, updated_at 2014_08_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 444 (msg:"ET MALWARE W32/FakeAlert.FT.gen.Eldorado Downloading DLL"; flow:to_server,established; content:"SIZE libcurl-4.dll|0d 0a|"; reference:md5,0f352448103f7d487e265220006a1c32; classtype:trojan-activity; sid:2018072; rev:2; metadata:created_at 2014_02_05, updated_at 2014_02_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks KeepAlive"; flow:to_server,established; content:"GET"; http_method; content:".php?seed="; http_uri; fast_pattern:only; content:"&alivetime="; http_uri; content:"&r="; http_uri; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019096; rev:3; metadata:created_at 2014_08_30, updated_at 2014_08_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/FakeAlert.FT.gen.Eldorado Downloading VBS"; flow:to_server,established; content:"SIZE explore.vbs|0d 0a|"; reference:md5,0f352448103f7d487e265220006a1c32; classtype:trojan-activity; sid:2018073; rev:2; metadata:created_at 2014_02_05, updated_at 2014_02_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Sending Plugin-Detect Data"; flow:to_server,established; content:"dump="; http_client_body; depth:5; content:"%7C"; http_client_body; distance:0; content:"%7C"; http_client_body; distance:0; content:"%7C"; http_client_body; distance:0; content:"&ua="; http_client_body; distance:0; content:"&ref="; http_client_body; distance:0; classtype:exploit-kit; sid:2019098; rev:2; metadata:created_at 2014_08_30, former_category CURRENT_EVENTS, updated_at 2014_08_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BeEF Default SSL Cert"; flow:established,from_server; content:"|0b|Bovine Land"; fast_pattern; content:"|1e|Browser Exploitation Framework"; classtype:attempted-user; sid:2018089; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Archie/Metasploit SilverLight Exploit"; flow:from_server,established; file_data; content:"SilverApp1.dllPK"; classtype:exploit-kit; sid:2019099; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2014_08_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category EXPLOIT_KIT, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BeEF Module in use"; flow:established,from_server; file_data; content:"beef.execute"; pcre:"/^\s*?\(/Rs"; threshold: type limit, track by_src, seconds 300, count 1; classtype:attempted-user; sid:2018090; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_07, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tcp any any -> any any (msg:"ET SCAN Malformed Packet SYN FIN"; flags:SF; classtype:bad-unknown; sid:2011367; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Flash Exploit CVE-2014-0497"; flow:established,from_server; file_data; content:"makePayloadWin"; reference:url,www.securelist.com/en/blog/8177/CVE_2014_0497_a_0_day_vulnerability; classtype:exploit-kit; sid:2018091; rev:2; metadata:created_at 2014_02_07, updated_at 2014_02_07;)
+#alert tcp any any -> any any (msg:"ET SCAN Malformed Packet SYN RST"; flags:SR; classtype:bad-unknown; sid:2011368; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Oracle Reports Parse Query Returned Creds CVE-2012-3153"; flow:established,to_client; file_data; content:"Result Reports Server Command"; content:"userid="; distance:0; content:"/"; distance:0; content:"@"; distance:0; reference:url,netinfiltration.com; classtype:web-application-attack; sid:2018093; rev:2; metadata:created_at 2014_02_07, updated_at 2014_02_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PeopleOnPage Install"; flow: to_server,established; content:"/install/pop"; nocase; http_uri; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001445; classtype:policy-violation; sid:2001445; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Safekeeper.Adware CnC Beacon"; flow:established,to_server; content:"/app_version/solution/cfg/exn.php?pid="; http_uri; content:".dll|0D 0A|"; http_header; pcre:"/User-Agent\x3A\x20[^\r\n]*\x2Edll\x0D\x0A/H"; reference:md5,9a1c669203b5e9ebb68e2c2cfc964daa; classtype:pup-activity; sid:2018099; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_02_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2014_02_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Outbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007634; classtype:trojan-activity; sid:2007634; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TecSystems (Possible Mask) Signed PE EXE Download"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|55 04 0a|"; content:"|0e|TecSystem Ltd."; distance:1; within:15; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:2018103; rev:2; metadata:created_at 2014_02_11, former_category CURRENT_EVENTS, updated_at 2014_02_11;)
+#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Inbound - Likely Connect Ack"; dsize:2; threshold: type threshold, count 10, seconds 60, track by_dst; reference:url,doc.emergingthreats.net/2007635; classtype:trojan-activity; sid:2007635; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE FTP File Upload - BlackPOS Naming Scheme"; flow:established,to_server; content:"STOR "; depth:5; content:".txt"; pcre:"/data_\d{4}_\d{1,2}_\d{1,2}_\d{1,2}_\d{1,2}\.txt/"; reference:url,www.cyphort.com/blog/cyphort-tracks-down-new-variants-of-target-malware/; classtype:trojan-activity; sid:2018115; rev:1; metadata:created_at 2014_02_12, updated_at 2014_02_12;)
+#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Inbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_dst; reference:url,doc.emergingthreats.net/2007636; classtype:trojan-activity; sid:2007636; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET MALWARE MS Remote Desktop edc User Login Request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=edc|0d 0a|"; nocase; reference:url,intelcrawler.com/about/press08; classtype:protocol-command-decode; sid:2018116; rev:1; metadata:created_at 2014_02_12, updated_at 2014_02_12;)
+#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Outbound - Likely Connect Ack"; dsize:2; threshold: type threshold, count 10, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007637; classtype:trojan-activity; sid:2007637; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET MALWARE MS Remote Desktop micros User Login Request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=micros|0d 0a|"; nocase; reference:url,intelcrawler.com/about/press08; classtype:protocol-command-decode; sid:2018124; rev:3; metadata:created_at 2014_02_12, updated_at 2014_02_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Redirect Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"gate.php"; http_uri; fast_pattern:only; content:".swf/[[DYNAMIC]]/1"; http_header; classtype:exploit-kit; sid:2019005; rev:3; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.Sality.bh Checkin"; flow:to_server,established; content:"/logo.gif?"; http_uri; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| .NET CLR 1.1.4322|3b| .NET CLR 2.0.50728)|0d 0a|Host|3a| "; http_header; pcre:"/\x2flogo\x2egif\x3f([0-9a-z]){5}\x3d\d{6,7}/U"; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; reference:md5,c15f4fe2e180150dc511aa64427404c5; classtype:trojan-activity; sid:2018111; rev:3; metadata:created_at 2012_04_09, updated_at 2012_04_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Redirect Sept 01 2014"; flow:established,to_server; content:".php"; http_uri; pcre:"/\.php$/U"; content:".php/[[DYNAMIC]]/"; http_header; pcre:"/Referer\x3a[^\r\n]+\.php\/\[\[DYNAMIC\]\]\/\d/Hm"; classtype:exploit-kit; sid:2019100; rev:3; metadata:created_at 2014_09_02, former_category CURRENT_EVENTS, updated_at 2014_09_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS .CPL File Inside of Zip"; flow:established,from_server; file_data; content:"PK|01 02|"; within:4; content:".cpl"; nocase; fast_pattern; distance:42; within:500; content:"PK|05 06|"; within:52; content:"|01 00 01 00|"; distance:4; within:4; classtype:trojan-activity; sid:2018126; rev:3; metadata:created_at 2014_02_13, former_category CURRENT_EVENTS, updated_at 2014_02_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 4899 (msg:"ET POLICY Radmin Remote Control Session Setup Initiate OUTBOUND"; flow:to_server,established; dsize:10; content:"|01 00 00 00 01 00 00 00 08 08|"; depth:10; classtype:policy-violation; sid:2019101; rev:2; metadata:created_at 2014_09_02, updated_at 2014_09_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Goon EK Java JNLP URI Struct Feb 12 2014"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".xml"; http_uri; pcre:"/\/[A-Z]\.xml$/U"; classtype:exploit-kit; sid:2018127; rev:3; metadata:created_at 2014_02_13, former_category CURRENT_EVENTS, updated_at 2014_02_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED WindowsEnterpriseSuite FakeAV Dynamic User-Agent"; flow:established,to_server; content:"User-Agent|3a| We"; content:!"User-Agent|3a| Webmin|0d 0a|"; http_header; pcre:"/User-Agent\x3a We[a-z0-9]{4}\x0d\x0a/H"; reference:url,doc.emergingthreats.net/2010262; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; classtype:trojan-activity; sid:2010262; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Probable Golfhole exploit kit landing page #2"; flow:established,to_server; content:"/index.php?"; http_uri; depth:11; urilen:43; pcre:"/index.php\?[0-9a-f]{32}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014844; rev:3; metadata:created_at 2012_06_01, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Possible SSDP Amplification Scan in Progress"; content:"M-SEARCH * HTTP/1.1"; content:"ST|3a 20|ssdp|3a|all|0d 0a|"; nocase; distance:0; fast_pattern; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/29/weekly-metasploit-update; classtype:attempted-dos; sid:2019102; rev:1; metadata:created_at 2014_09_03, updated_at 2014_09_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Probable Golfhole exploit kit binary download #2"; flow:established,to_server; content:"/o/"; http_uri; depth:3; urilen:47; pcre:"/o/\d{9}\/[0-9a-f]{32}\/[0-9]$/U"; classtype:exploit-kit; sid:2014845; rev:3; metadata:created_at 2012_06_01, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tls 66.147.244.132 any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert bluehost.com Aug 27 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0e 2a 2e|bluehost.com"; distance:1; within:15; reference:md5,19bb8e0b16c14194862d0750916ce338; classtype:trojan-activity; sid:2019105; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1431 (msg:"ET MALWARE Win32/Tapazom.A"; flow:established,to_server; content:"GIVEME|7c|"; reference:md5,dc7284b199d212e73c26a21a0913c69d; classtype:trojan-activity; sid:2018133; rev:1; metadata:created_at 2014_02_13, updated_at 2014_02_13;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ed 7a 4e 2c 6d 48 5c a6|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019106; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1431 (msg:"ET MALWARE Win32/Tapazom.A 2"; flow:established,to_server; content:"GETSERVER|7c|"; reference:md5,030f3840d2729243280d3cea3d99d8e6; classtype:trojan-activity; sid:2018134; rev:1; metadata:created_at 2014_02_13, updated_at 2014_02_13;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 c6 af 2f 81 7b a2 2b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019107; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Current Asprox Spam Campaign"; flow:established,to_server; urilen:>60; content:"/viewtopic.php?"; http_uri; fast_pattern:only; pcre:"/\/viewtopic\.php\?[^=]+=[a-zA-Z0-9\x2b\x2f]{43}=$/U"; classtype:trojan-activity; sid:2018041; rev:4; metadata:created_at 2014_01_30, updated_at 2014_01_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (AddPage)"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"083B40D3-CCBA-11D2-AFE0-00C04F7993D6"; nocase; distance:0; content:".AddPage"; nocase; content:"<OBJECT"; nocase; pcre:"/^[^>]*?classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*?083B40D3-CCBA-11D2-AFE0-00C04F7993D6/Rsi"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013730; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Current Asprox Spam Campaign 2"; flow:established,to_server; urilen:>60; content:"/handler.php?"; http_uri; fast_pattern:only; pcre:"/\/handler\.php\?[^=]+=[a-zA-Z0-9\x2b\x2f]{43}=$/U"; classtype:trojan-activity; sid:2018135; rev:3; metadata:created_at 2014_02_14, updated_at 2014_02_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (DeletePage)"; flow:to_client,established; file_data; content:"083B40D3-CCBA-11D2-AFE0-00C04F7993D6"; nocase; distance:0; content:".DeletePage"; nocase; content:"<OBJECT"; pcre:"/^[^>]*?classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*083B40D3-CCBA-11D2-AFE0-00C04F7993D6/Rsi"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013731; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - photobucket.com.*"; content:"|0b|photobucket|03|com"; nocase; content:!"|00|"; within:1; content:!"|09|footprint|03|net|00|"; nocase; distance:0; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013360; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 33033 (msg:"ET CHAT Skype Bootstrap Node (udp)"; threshold: type both, count 5, track by_src, seconds 120; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2003022; classtype:policy-violation; sid:2003022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT EXE Accessing Kaspersky System Driver (Possible Mask)"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|5c 5c 2e 5c|KLIF"; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:bad-unknown; sid:2018104; rev:3; metadata:created_at 2014_02_11, former_category CURRENT_EVENTS, updated_at 2014_02_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Large amount of TCP ZeroWindow - Possible Nkiller2 DDos attack"; flags:A; window:0; threshold: type both, track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2009414; classtype:attempted-dos; sid:2009414; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SMTP EXE - ZIP file with .pif filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnBpZ|5waW|ucGlm)/R"; classtype:bad-unknown; sid:2018144; rev:2; metadata:created_at 2014_02_15, updated_at 2014_02_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Rdxrp.com Traffic (Generic)"; flow: to_server,established; content:"/rdxr"; nocase; http_uri; content:".dat"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001312; classtype:trojan-activity; sid:2001312; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Torrent Client User-Agent (Solid Core/0.82)"; flow:to_server,established; content:"User-Agent|3a| Solid Core/"; http_header; reference:url,sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=4a9f376e8d01cb5f7990576ed927869b; classtype:policy-violation; sid:2013869; rev:7; metadata:created_at 2011_11_08, updated_at 2011_11_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Sogu Remote Access Trojan Social Media Embedded CnC Channel"; flow:established,to_client; content:"DZKS"; content:"DZJS"; within:50; reference:url,blogs.norman.com/2012/security-research/trojan-moves-its-configuration-to-twitter-linkedin-msdn-and-baidu; classtype:command-and-control; sid:2014618; rev:3; metadata:created_at 2012_04_20, former_category MALWARE, updated_at 2012_04_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/InstallMonetizer.Adware Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"NSIS_Inetc (Mozilla)"; depth:20; http_user_agent; content:"from="; http_client_body; depth:5; content:"&type="; http_client_body; distance:0; content:"&mode="; http_client_body; distance:0; content:"&subid="; http_client_body; distance:0; content:"&mid="; http_client_body; distance:0; classtype:pup-activity; sid:2018149; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_02_18, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2014_02_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Frosparf.B Downloading Hosts File"; flow:established,from_server; file_data; content:"9.9.9.9 "; within:8; pcre:"/^(?:[a-zA-Z0-9\x2d\x5f]{1,63}\.)+?[a-zA-Z0-9\x2d\x5f]{1,63}[\r\n]*?9\.9\.9\.9\s+?(?:[a-zA-Z0-9\_\-]{1,63}\.)+?[a-zA-Z0-9\x2d\x5f]{1,63}[\r\n]/R"; reference:md5,4ad55877464aa92e49231d913d00eb69; classtype:trojan-activity; sid:2019142; rev:2; metadata:created_at 2014_09_09, updated_at 2014_09_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Azbreg.Backdoor CnC Beacon"; flow:established,to_server; urilen:17; content:"/instant_messages"; http_uri; content:"sid="; http_cookie; content:"locale="; http_cookie; distance:0; content:"name="; http_cookie; distance:0; content:"password="; http_cookie; content:"uid="; http_cookie; distance:0; reference:md5,4b435a3f43d0e7ffa71453cf18804b70; classtype:command-and-control; sid:2018151; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_02_18, deployment Perimeter, signature_severity Major, tag c2, updated_at 2014_02_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RedKit Repeated Exploit Request Pattern"; flow:established,to_server; content:".php?t="; nocase; http_uri; pcre:"/\.php\?t=\d{2,7}$/U"; threshold:type both, track by_src, count 5, seconds 15; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; reference:url,malware.dontneedcoffee.com/2012/05/inside-redkit.html; reference:url,malware.dontneedcoffee.com/2012/05/redkit-not-so-red-anymore.html; reference:url,www.malwaredomainlist.com/forums/index.php?topic=4855.msg23470; classtype:exploit-kit; sid:2014748; rev:4; metadata:created_at 2012_05_14, updated_at 2012_05_14;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Fake Googlebot UA 1 Inbound"; flow:established,to_server; content:"User-Agent|3a|"; http_header; content:!" Mozilla/5.0 (compatible|3b| Googlebot/2.1|3b| +http|3a|//www.google.com/bot.html)|0d 0a|"; http_header; within:75; content:!" Googlebot/2.1 (+http|3a|//www.google.com/bot.html)|0d 0a|"; http_header; within:50; content:"Googlebot"; fast_pattern; http_header; nocase; distance:0; pcre:"/^User-Agent\x3a[^\r\n]+?Googlebot[^\-].+?\r$/Hmi"; reference:url,www.incapsula.com/the-incapsula-blog/item/369-was-that-really-a-google-bot-crawling-my-site; reference:url,support.google.com/webmasters/bin/answer.py?hl=en&answer=1061943; classtype:bad-unknown; sid:2015526; rev:4; metadata:created_at 2012_07_25, updated_at 2012_07_25;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET DELETED Cisco Torch SNMP Scan"; content:"public"; content:"|30 0C 06 08 2B 06 01 02 01 01 01 00 05 00|"; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008597; classtype:attempted-recon; sid:2008597; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET 8083 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linksys Failed Upgrade BackDoor Access (Server Response)"; flow:from_server,established; file_data; content:"Utopia_Init|3a 20|SUCCEEDED"; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018160; rev:3; metadata:created_at 2014_02_19, updated_at 2014_02_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 33 9e 92 b0 3e 35 b8|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019147; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fake FedEX/Pony spam campaign URI Struct"; flow:established,to_server; content:".php?label="; http_uri; nocase; fast_pattern:only; pcre:"/\.php\?label=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Ui"; content:!"dynamicdrive.com"; nocase; http_header; classtype:trojan-activity; sid:2017258; rev:5; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Tomcat Successful default credential login from external source"; flow:from_server,established; content:"HTTP/1."; depth:7; content:"200"; http_stat_code; content:"OK"; http_stat_msg; reference:url,tomcat.apache.org; classtype:successful-admin; sid:2009219; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible GoonEK Landing Feb 19 2014 1"; flow:from_server,established; file_data; content:"javafx_version"; nocase; fast_pattern:only; content:"jnlp_href"; nocase; content:"</applet><object"; nocase; content:"data|3a|application/x-silverlight-2"; nocase; within:100; classtype:exploit-kit; sid:2018161; rev:2; metadata:created_at 2014_02_20, updated_at 2014_02_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea c4 eb c7 a8 ae c0 8c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019148; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Feb 19 2014 2"; flow:from_server,established; file_data; content:"stroke>"; fast_pattern:only; content:!"#default#VML"; content:"eval"; content:"35"; pcre:"/^(?P<sep>((?!100).){1,20})100(?P=sep)101(?P=sep)102(?P=sep)97(?P=sep)117(?P=sep)108(?P=sep)116(?P=sep)35(?P=sep)86(?P=sep)77(?P=sep)76(?P=sep)/Rsi"; classtype:exploit-kit; sid:2018163; rev:2; metadata:created_at 2014_02_20, updated_at 2014_02_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|19|groundbellsinc2@yahoo.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019149; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Ebury SSH Rootkit data exfiltration"; content:"|12 0b 01 00 00 01|"; depth:6; pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs"; reference:url,cert-bund.de/ebury-faq; classtype:trojan-activity; sid:2018164; rev:1; metadata:created_at 2014_02_21, updated_at 2014_02_21;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 10 d6 2f a9 1d 55 7b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019150; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic CnC"; flow:established,to_server; content:" Mini BackDoor|00|"; offset:9; depth:20; reference:md5,398b6622a2c86d472a4340d3e79e654b; classtype:command-and-control; sid:2018167; rev:1; metadata:created_at 2014_02_21, former_category MALWARE, updated_at 2014_02_21;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 96 2c 97 86 ef 94 08 62|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019151; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gh0st Trojan CnC 3"; flow:established,to_server; dsize:14; content:"Gh0st"; depth:5; reference:md5,6a814cacb0c4b464d85ab874f68a5344; classtype:command-and-control; sid:2018165; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_21, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 33 9e 92 b0 3e 35 b8|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019152; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS XXTEA UTF-16 Encoded HTTP Response"; flow:from_server,established; content:"u|00|t|00|f|00|8|00|t|00|o|00|1|00|6|00|"; nocase; content:"x|00|x|00|t|00|e|00|a|00|_|00|d|00|e|00|c|00|r|00|y|00|p|00|t|00|"; nocase; fast_pattern; content:"b|00|a|00|s|00|e|00|6|00|4|00|d|00|e|00|c|00|o|00|d|00|e"; nocase; classtype:bad-unknown; sid:2018175; rev:2; metadata:created_at 2014_02_25, former_category CURRENT_EVENTS, updated_at 2014_02_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 69 ac|"; within:30; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0f|serveradmin.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019153; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS OnClick Anti-BOT TDS POST Feb 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"/tds/"; http_uri; fast_pattern:only; nocase; pcre:"/\/tds\/[a-f0-9]{32}$/U"; content:"ua="; http_client_body; content:"ip="; http_client_body; classtype:trojan-activity; sid:2018177; rev:5; metadata:created_at 2014_02_26, updated_at 2014_02_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Office PNG overflow attempt invalid tEXt chunk length"; flow:established,to_client; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"IHDR"; distance:0; content:"tEXt"; distance:13; byte_test:4,>,2147483647,-8,relative; reference:cve,2013-1331; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017005; rev:6; metadata:created_at 2013_06_12, updated_at 2013_06_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS OnClick Anti-BOT TDS Hidden Form Feb 25 2014"; flow:established,from_server; file_data; content:"<form"; nocase; content:"action"; nocase; distance:0; content:"/tds/"; fast_pattern; distance:0; pcre:"/^[a-f0-9]{32}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2018178; rev:4; metadata:created_at 2014_02_26, updated_at 2014_02_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Georgian Targeted Attack - Server Response"; flow:established,from_server; flowbits:isset,ET.cyberEspionageGeorgia; file_data; content:"<html><head><META HTTP-EQUIV=|22|Pragma|22| CONTENT=|22|no-cache|22|></head><body>TV"; content:"VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGU"; within:360; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015852; rev:6; metadata:created_at 2012_11_01, updated_at 2012_11_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS .PIF File Inside of Zip"; flow:established,from_server; file_data; content:"PK"; within:2; content:".pif"; nocase; fast_pattern; within:500; reference:md5,2e760350a5c692bd94c7c6d1233af72c; classtype:trojan-activity; sid:2018125; rev:5; metadata:created_at 2014_02_13, former_category CURRENT_EVENTS, updated_at 2014_02_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Georgian Targeted Attack - Client Request"; flow:established,to_server; urilen:9; content:"/calc.php"; http_uri; flowbits:set,ET.cyberEspionageGeorgia; flowbits:noalert; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015851; rev:4; metadata:created_at 2012_11_01, updated_at 2012_11_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE W32/FakeFlash.Dropper Initial CnC Beacon"; flow:established,to_server; dsize:8; content:"PutToken"; depth:8; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018185; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_02_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK Java Exploit"; flow:established,to_server; content:"/view_policy_free.jnlp"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2019154; rev:3; metadata:created_at 2014_09_10, former_category CURRENT_EVENTS, updated_at 2014_09_10;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE W32/FakeFlash.Dropper Initial CnC Beacon Acknowledgement"; flow:established,to_client; dsize:12; content:"TokenRecived"; depth:12; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018186; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_02_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit FireFox WebIDL Privileged Javascript Injection"; flow:from_server,established; file_data; content:".atob(String.fromCharCode("; pcre:"/^(?:90|0x5a|0+?132)\s*?,\s*?(?:71|0x47|0+?107)\s*?,\s*?(?:70|0x46|0+?106)\s*?,\s*?(?:48|0x30|0+?60)\s*?,\s*?(?:89|0x59|0+?131)\s*?,\s*?(?:84|0x54|0+?124)\s*?,\s*?(?:112|0x70|0+?160)/Rsi"; reference:url,www.exploit-db.com/exploits/34448/; classtype:trojan-activity; sid:2019085; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2014_08_29, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE W32/FakeFlash.Dropper PutInformation CnC Beacon"; flow:established,to_server; dsize:18; content:"PutInformation_New"; depth:18; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018187; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_02_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TSPY_POCARDL.U Possible FTP Login"; flow:established,to_server; content:"USER user drupalzf"; reference:md5,ceb5b99c13b107cf07331bcbddb43b1f; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019159; rev:2; metadata:created_at 2014_09_11, updated_at 2014_09_11;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE W32/FakeFlash.Dropper GetInformation CnC Beacon Acknowledgement"; flow:established,to_client; dsize:14; content:"GetInformation"; depth:14; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018188; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_02_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|googleforking.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018912; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.joggver backdoor initialization packet"; flow:established,to_server; dsize:32; content:"|03 01 74 80|"; depth:4; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:14; within:14; classtype:trojan-activity; sid:2018189; rev:1; metadata:created_at 2014_02_27, updated_at 2014_02_27;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert webhostingpad.com"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|10 00 89 36 39 2c a7 4f ef 26 13 4f 11 2e d4 22 64|"; fast_pattern:only; content:"|55 04 03|"; content:"|13|*.webhostingpad.com"; distance:1; within:20; reference:md5,be7a7252865b3407498170f142efe471; classtype:trojan-activity; sid:2018594; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_06_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Trojan.Delf-5496 New Infection Report"; flow:established,to_server; dsize:<500; content:"|7c|OnConnect|7c|"; depth:20; pcre:"/^\d+?\x7cOnConnect\x7c/"; reference:url,doc.emergingthreats.net/2008908; reference:md5,3a7f11fbaf815cd2338d633de175e252; classtype:trojan-activity; sid:2008908; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS"; flow:to_server,established; content:"hihihihihihihihihihihihihihihihi"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012048; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible FakeAV .exe.vbe HTTP Content-Disposition"; flow:established,to_client; content:".exe.vbe"; http_header; nocase; fast_pattern:only; pcre:"/Content-Disposition\x3a[^\r\n]*?\.exe\.vbe/Hi"; reference:url,www.malwaresigs.com/2014/02/07/fakeav-is-still-alive/; classtype:trojan-activity; sid:2018190; rev:3; metadata:created_at 2014_02_27, updated_at 2014_02_27;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Inbound Low Orbit Ion Cannon LOIC DDOS Tool desu string"; flow:to_server,established; content:"desudesudesu"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012049; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android FakeInst.BX checkin"; flow:to_server; content:".html?c="; http_uri; content:"&o="; http_uri; distance:2; within:3; content:"&n="; http_uri; distance:0; content:"&pid="; http_uri; distance:10; within:10; content:"Apache-HttpClient"; http_user_agent; reference:md5,b2397ddc90e57f2d0eb6b0d3b8bb63f8; classtype:trojan-activity; sid:2018180; rev:6; metadata:created_at 2014_02_27, updated_at 2014_02_27;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS desu string"; flow:to_server,established; content:"desudesudesu"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012050; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Blatantly Evil JS Function"; flow:established,from_server; file_data; content:"function heap"; nocase; content:"spray"; nocase; within:6; classtype:trojan-activity; sid:2017498; rev:3; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible JKDDOS download 500.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/500.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012456; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY LoJack asset recovery/tracking - not malicious"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"TagId|3a 20|"; http_header; fast_pattern; content:".namequery.com|0d 0a|"; http_header; threshold: type limit, count 2, seconds 300, track by_src; reference:url,www.absolute.com/en/lojackforlaptops/home.aspx; classtype:attempted-recon; sid:2012689; rev:6; metadata:created_at 2011_04_15, updated_at 2011_04_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible JKDDOS download desyms.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/desyms.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012458; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious Spam Redirection Feb 28 2014"; flow:established,from_server; file_data; content:"Connecting to server...</div></td></tr></table>"; within:500; classtype:trojan-activity; sid:2018196; rev:3; metadata:created_at 2014_02_28, former_category CURRENT_EVENTS, updated_at 2014_02_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible JKDDOS download 1691.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/1691.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012459; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Hello/LightsOut EK Secondary Landing"; flow:established,to_server; content:".php?a="; http_uri; fast_pattern:only; content:"&f="; http_uri; content:"&u="; http_uri; pcre:"/\.php\?a=[^&]+&f=[a-f0-9]{32}&u=[^&]+$/I"; reference:url,vrt-blog.snort.org/2014/03/hello-new-exploit-kit.html; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/; classtype:exploit-kit; sid:2018206; rev:2; metadata:created_at 2014_03_05, former_category CURRENT_EVENTS, updated_at 2014_03_05;)
+alert tcp any any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Perl.Shellbot.cd IRC Bot that have DoS/DDoS functions"; flow:from_server,established; flowbits:isset,is_proto_irc; content:"PRIVMSG|20|"; pcre:"/^PRIVMSG.*@(portscan|back|(tcp|udp|http)flood|tsunami|(de)?voice|reset|die|say|join|part|(de)?op)/mi"; reference:url,theprojectxblog.net/another-perl-irc-bot-that-have-dosddos-functions/; classtype:trojan-activity; sid:2025065; rev:3; metadata:created_at 2012_05_22, former_category TROJAN, updated_at 2017_11_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT LightsOut EK Exploit/Payload Request"; flow:to_server,established; content:".php?a="; http_uri; fast_pattern:only; nocase; pcre:"/\.php\?a=(?:dw[a-z0-9]|[hr][2-7])$/U"; reference:url,vrt-blog.snort.org/2014/03/hello-new-exploit-kit.html; classtype:exploit-kit; sid:2018207; rev:2; metadata:created_at 2014_03_05, former_category CURRENT_EVENTS, updated_at 2014_03_05;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET [22,23,80,443,10000] (msg:"ET DOS Possible Cisco PIX/ASA Denial Of Service Attempt (Hping Created Packets)"; flow:to_server; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; depth:40; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; distance:300; isdataat:300,relative; threshold: type threshold, track by_src, count 60, seconds 80; reference:url,www.securityfocus.com/bid/34429/info; reference:url,www.securityfocus.com/bid/34429/exploit; reference:url,www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html; reference:cve,2009-1157; reference:url,doc.emergingthreats.net/2010624; classtype:attempted-dos; sid:2010624; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java fakav.jar"; flow:established,to_server; content:"/fakav.jar"; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2018209; rev:7; metadata:created_at 2014_03_05, former_category CURRENT_EVENTS, updated_at 2014_03_05;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE DHL Spam Inbound"; flow:established,to_server; content:"name=|22|DHL"; nocase; content:".zip|22|"; within:68; nocase; pcre:"/name=\x22DHL(\s|_|\-)?[a-z0-9\-_\.\s]{0,63}\.zip\x22/i"; reference:url,doc.emergingthreats.net/2010148; classtype:trojan-activity; sid:2010148; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Fiesta Jar with four-letter class names"; flow:established,from_server; file_data; content:"PK"; depth:2; content:".classPK"; pcre:"/(PK\x01\x02.{24}\x0a\x00.{16}[a-z]{4}.class){4}/"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018225; rev:2; metadata:created_at 2014_03_06, former_category EXPLOIT_KIT, updated_at 2014_03_06;)
+#alert tcp ![66.220.157.64/26,66.220.157.16/29,66.220.157.48/28,66.220.157.24/29,66.220.144.128/27,66.220.157.128/27,66.220.144.160/29,66.220.157.160/29,66.220.144.168/29,66.220.157.168/29] any -> $SMTP_SERVERS 25 (msg:"ET DELETED Facebook Spam Inbound (1)"; flow:established,to_server; content:"facebook.com"; nocase; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; content:"Facebook_"; within:50; pcre:"/filename=.*facebook.*\.(rar|exe|zip)/i"; reference:url,doc.emergingthreats.net/2010497; reference:url,postmaster.facebook.com/outbound; classtype:trojan-activity; sid:2010497; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Rawin Flash Landing URI Struct March 05 2014"; flow:established,to_server; content:".php?b="; http_uri; content:"&css="; http_uri; pcre:"/\.php\?b=[A-F0-9]{6}&css=[a-z]+$/"; classtype:trojan-activity; sid:2018227; rev:2; metadata:created_at 2014_03_06, former_category CURRENT_EVENTS, updated_at 2014_03_06;)
+#alert tcp !152.0.0.0/16 any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound"; flow:established,to_server; content:"ups.com"; nocase; fast_pattern; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; pcre:"/filename\s*?=[^\n]*?(UPS|United Parcel Service)[^\n]*?\.(rar|exe|zip)/im"; classtype:trojan-activity; sid:2010644; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Darkshell.A Checkin XOR C0 Win XP"; flow:to_server,established; dsize:<512; content:"|e0 e0 e0 e0 97 89 8e 84 8f|"; content:"|98 90 e0|"; distance:2; within:3; classtype:command-and-control; sid:2018229; rev:2; metadata:created_at 2014_03_06, former_category MALWARE, updated_at 2014_03_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV Download with Cookie WinSec"; flow:established,to_server; content:"/down.php?c="; nocase; http_uri; content:"Cookie|3a| WinSec"; nocase; reference:url,www.virustotal.com/analisis/6b5ff522ddf418a5cca87ebd924736774c1a58a9b51bb44ee72dac01f0db317a-1278686791; reference:url,doc.emergingthreats.net/2011178; classtype:trojan-activity; sid:2011178; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Hack.PcClient.g CnC (OUTBOUND) XOR b5"; flow:to_server,established; content:"|d0 cd d0 db d4 d8 d0|"; content:"|d9 da d2 dc db|"; distance:0; content:"|d1 da d6 d8 d1|"; distance:0; content:"|dd da c6 c1 db d4 d8 d0|"; fast_pattern; distance:0; content:"|c2 dc db d1 da c2 c6|"; distance:0; reference:md5,dfd6b93dac698dccd9ef565a172123f3; classtype:command-and-control; sid:2018154; rev:3; metadata:created_at 2014_02_19, former_category MALWARE, updated_at 2014_02_19;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible JAVA pack200-zip-exploit attempt"; flow:to_client; content:"e.pack.gz"; content:"|0d 0a|Content-Encoding|3a| pack200-gzip"; within:55; reference:url,isc.sans.org/diary.html?storyid=6805&rss; reference:url,doc.emergingthreats.net/2009665; classtype:attempted-user; sid:2009665; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Look2Me Activity"; flow:established,to_server; content:"&ID={"; http_uri; fast_pattern:only; content:"&rand="; http_uri; content:"User-Agent|3a|Mozilla/4.0 (compatible|3b|"; http_header; pcre:"/&ID=\x7b[0-9A-F]{8}(?:-[A-F0-9]{4}){3}-[A-F0-9]{12}\x7d/U"; reference:url,doc.emergingthreats.net/bin/view/Main/2008474; classtype:pup-activity; sid:2008474; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Microsoft Windows .lnk File Processing WebDAV Arbitrary Code Execution Attempt"; flow:established,to_client; content:"<lp2|3A|executable>T</lp2|3A|executable>"; nocase; content:"<D|3A|lockscope><D|3A|exclusive/></D|3A|lockscope>"; nocase; distance:0; content:"</D|3A|lockentry>"; nocase; distance:0; content:"<D|3A|lockscope><D|3A|shared/></D|3A|lockscope>"; nocase; distance:0; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20918; reference:url,www.kb.cert.org/vuls/id/940193; reference:url,www.microsoft.com/technet/security/advisory/2286198.mspx; reference:cve,2010-2568; classtype:attempted-user; sid:2011270; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RedKit/Sakura/CritX/SafePack/FlashPack applet + obfuscated URL Apr 10 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; pcre:"/^((?!(?i:<\/applet>)).)+?(?i:value)[\r\n\s]*=[\r\n\s]*\x5c?[\x22\x27](?!http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]+(?P=slash)/Rs"; classtype:exploit-kit; sid:2016751; rev:10; metadata:created_at 2013_04_12, former_category EXPLOIT_KIT, updated_at 2013_04_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Likely Rogue Antivirus Download - ws.zip"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/install/ws.zip"; nocase; http_uri; reference:url,doc.emergingthreats.net/2010052; classtype:trojan-activity; sid:2010052; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CritX/SafePack/FlashPack CVE-2013-2551"; flow:established,from_server; file_data; content:"#default#VML"; content:"stroke"; content:"%66%75%6e%63%74%69%6f%6e"; nocase; content:"%66%72%6f%6d%43%68%61%72%43%6f%64%65"; content:"%63%68%61%72%41%74"; fast_pattern:only; classtype:exploit-kit; sid:2018235; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Tinba Server Response"; flow:established,to_client; flowbits:isset,ET.Tinba.Checkin; file_data; content:"|64 b4 dc a4|"; within:4; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019169; rev:4; metadata:created_at 2014_09_12, updated_at 2014_09_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CritX/SafePack/FlashPack SilverLight Secondary Landing"; flow:established,from_server; file_data; content:"/x-silverlight-2"; content:"aHR0cDov"; distance:0; pcre:"/^[A-Za-z0-9\+\/]+(?:(?:LmVvdA=|5lb3Q)=|uZW90)[\x22\x27]/Rsi"; content:".eot"; classtype:exploit-kit; sid:2018236; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely TDSS Download (pcdef.exe)"; flow:established,to_server; content:"GET"; http_method; content:"/pcdef.exe"; http_uri; nocase; classtype:trojan-activity; sid:2010055; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack SilverLight file as eot"; flow:established,from_server; content:"Content-Type|3a 20|application/vnd.ms-fontobject|0d 0a|"; http_header; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; distance:0; fast_pattern; classtype:exploit-kit; sid:2018237; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Fake Antivirus Download installpv.exe"; flow:established,to_server; content:"GET"; http_method; content:"/installpv.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010057; classtype:trojan-activity; sid:2010057; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javadb.php"; flow:established,to_server; content:"/javadb.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018238; rev:4; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Malware Download flash-HQ-plugin exe"; flow:established,to_server; content:"GET"; http_method; content:"flash-"; http_uri; nocase; content:"-plugin"; http_uri; nocase; content:".exe"; nocase; http_uri; pcre:"/flash-[A-Z0-9]+-plugin\.[A-Z0-9]+\.exe/Ui"; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010440; classtype:bad-unknown; sid:2010440; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javaim.php"; flow:established,to_server; content:"/javaim.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018239; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Client Visiting Possibly Compromised Site (HaCKeD By BeLa & BodyguarD)"; flow:established,from_server; content:"HaCKeD By BeLa & BodyguarD"; content:".js"; reference:url,www.incidents.org/diary.html?storyid=4405; classtype:web-application-attack; sid:2008206; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javarh.php"; flow:established,to_server; content:"/javarh.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018240; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD)"; flow:established,to_server; content:"HaCKeD By BeLa & BodyguarD"; reference:url,www.incidents.org/diary.html?storyid=4405; classtype:web-application-attack; sid:2008207; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Havex Rat Check-in URI Struct"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a 20|"; content:".php?id"; http_uri; content:"&v1="; http_uri; content:"&v2="; http_uri; content:"&q="; http_uri; pcre:"/\.php\?id=[A-F0-9]+\-[A-F0-9]+&v1=[A-F0-9]+&v2=[A-F0-9]+&q=[A-F0-9]+$/U"; reference:md5,6557d6518c3f6bcb8b1b2de77165c962; classtype:trojan-activity; sid:2018251; rev:2; metadata:created_at 2014_03_11, updated_at 2014_03_11;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Psyb0t Bot Nick"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK [NIP]-"; fast_pattern:only; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009171; classtype:trojan-activity; sid:2009171; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE TDLv4 SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|*.city.com"; distance:1; within:11; content:"|55 04 07|"; content:"|06|Cities"; distance:1; within:7; content:"|55 04 0a|"; content:"|0a|State Corp"; distance:1; within:11; classtype:trojan-activity; sid:2018256; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 1"; flow:established,to_server; content:"POST"; http_method; content:"/senm.php?data="; nocase; http_uri; content:"data="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2010234; reference:md5,7ca709f154e6abc678fbc4df8a3256b6; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; classtype:trojan-activity; sid:2010234; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Page Mar 12 2014"; flow:established,from_server; file_data; content:"/[a-zA-Z]/g|3b|"; fast_pattern; content:"/[0-9]/g|3b|"; content:"|22|f"; pcre:"/^\d+r\d+o\d+m\d/R"; content:"|22|p"; pcre:"/^\d+u\d+s\d+h\d/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018261; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 1"; flow:established,to_server; content:"GET"; http_method; content:"/perce/"; http_uri; nocase; content:"/qwerce.gif"; http_uri; nocase; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; classtype:trojan-activity; sid:2010231; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http any any -> any any (msg:"ET CURRENT_EVENTS Dell Kace backdoor"; flow:established,to_server; content:"POST"; http_method; content:"/kbot_upload.php"; nocase; http_uri; content:"filename=db.php"; nocase; distance:0; http_uri; content:"machineId="; nocase; pcre:"/(?:\.\.\/)+kboxwww\/tmp\//Ri"; content:"KSudoClient.class.php"; nocase; http_client_body; content:"KSudoClient|3a 3a|RunCommand"; distance:0; http_client_body; reference:url,console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.html; classtype:attempted-admin; sid:2018263; rev:2; metadata:created_at 2014_03_13, former_category CURRENT_EVENTS, updated_at 2014_03_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 2"; flow:established,to_server; content:"POST"; http_method; content:"/perce/"; nocase; http_uri; content:"/qwerce.gif"; http_uri; nocase; content:"data="; nocase; http_client_body; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,doc.emergingthreats.net/2010235; classtype:trojan-activity; sid:2010235; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool/BHEK/Goon Applet with Alpha-Numeric Encoded HTML entity"; flow:established,from_server; file_data; content:"<applet"; nocase; pcre:"/^((?!<\/applet>).)+?&#(?:0*?(?:1(?:[0-1]\d|2[0-2])|[78][0-9]|9[07-9]|4[8-9]|5[0-7]|6[5-9])|x0*?(?:[46][1-9A-F]|[57][0-9A]|3[0-9]))(\x3b|&#)/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017064; rev:18; metadata:created_at 2013_06_25, former_category EXPLOIT_KIT, updated_at 2013_06_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 3"; flow:established,to_server; content:"POST"; http_method; content:"/werber/"; nocase; http_uri; content:"/217.gif"; http_uri; nocase; content:"data="; nocase; http_client_body; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,doc.emergingthreats.net/2010236; classtype:trojan-activity; sid:2010236; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Styx Landing Page Mar 08 2014"; flow:established,from_server; file_data; content:"fromCharCode"; content:"substr"; within:200; content:",2,"; within:20; fast_pattern; content:"-"; distance:2; within:4; pcre:"/^\s*?\d/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018260; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 4"; flow:established,to_server; content:"POST"; http_method; content:"/item/"; nocase; http_uri; content:"/titem.gif"; nocase; http_uri; content:"data="; nocase; http_client_body; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,doc.emergingthreats.net/2010237; classtype:trojan-activity; sid:2010237; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS MtGox Leak wallet stealer UA"; flow:established,to_server; content:"MtGoxBackOffice"; depth:15; http_user_agent; reference:url,www.securelist.com/en/blog/8196/Analysis_of_Malware_from_the_MtGox_leak_archive; reference:md5,c4e99fdcd40bee6eb6ce85167969348d; classtype:trojan-activity; sid:2018279; rev:3; metadata:created_at 2014_03_14, former_category CURRENT_EVENTS, updated_at 2017_11_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 5"; flow:established,to_server; content:"POST"; http_method; content:"/report.php?data="; nocase; http_uri; content:"data="; nocase; http_client_body; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,doc.emergingthreats.net/2010238; classtype:trojan-activity; sid:2010238; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Server Login OK Packet"; flowbits:isset,ET.gadu.loginsent; flow:established,from_server; content:"|03 00 00 00|"; depth:4; byte_jump:4,0,relative,little,post_offset -1; isdataat:!2,relative; flowbits:set,ET.gadu.loggedin; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008299; classtype:policy-violation; sid:2008299; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 6"; flow:established,to_server; content:"POST"; http_method; content:"/arrows/"; nocase; http_uri; content:"/arrow_up.gif"; nocase; http_uri; content:"data="; nocase; http_client_body; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,doc.emergingthreats.net/2010239; reference:md5,316fd88ac18d21889b1dbf9b979c1959; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; classtype:trojan-activity; sid:2010239; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EMET.DLL in jjencode"; flow:established,from_server; file_data; content:"|22 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 22|+"; pcre:"/^(?P<var>.{1,10})\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\$\_\+(?P=var)\.\$\_\_\+\x22\.\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\_\+\x22/R"; classtype:trojan-activity; sid:2018286; rev:3; metadata:created_at 2014_03_18, updated_at 2014_03_18;)
+#alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET MALWARE Infected System Looking up chr.santa-inbox.com CnC Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|chr|0b|santa-inbox|03|com"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008531; classtype:command-and-control; sid:2008531; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Linux/Onimiki DNS trojan activity long format (Outbound)"; byte_test:1,!&,128,2; content:"|00 01 00 00 00 00 00 00 38|"; offset:4; depth:9; pcre:"/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00\x01\x00\x01/Rsi"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018275; rev:8; metadata:created_at 2014_03_14, updated_at 2014_03_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Client requesting fake scanner page /scan/?key="; flow:established,to_server; content:"/scan/?key="; http_uri; classtype:bad-unknown; sid:2011545; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET MALWARE Linux/Onimiki DNS trojan activity long format (Inbound)"; byte_test:1,!&,128,2; content:"|00 01 00 00 00 00 00 00 38|"; offset:4; depth:9; pcre:"/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00\x01\x00\x01/Rsi"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018276; rev:6; metadata:created_at 2014_03_14, updated_at 2014_03_14;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Eleonore - landing page"; flow:established,to_client; content:"{display|3A|none}</style><a class="; classtype:bad-unknown; sid:2011510; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp any any -> any $SSH_PORTS (msg:"ET MALWARE Linux/Kimodin SSH backdoor activity"; flow:established,to_server; content:"SSH-2.0-"; depth:8; isdataat:22,relative; pcre:"/^[0-9a-f]{22,46}/R"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018264; rev:8; metadata:created_at 2014_03_13, updated_at 2014_03_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe CoolType Smart INdependent Glyplets - SING - Table uniqueName Stack Buffer Overflow Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"SING"; distance:0; content:"|01 00 01 0E|"; within:100; content:"|00 3A|"; within:100; isdataat:100,relative; content:!"|0A|"; within:100; reference:url,contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html; reference:cve,2010-2883; classtype:attempted-user; sid:2011501; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Keep-Alive (INBOUND)"; flow:from_server,established; content:"P[endof]"; dsize:8; reference:md5,0ae2261385c482d55519be9b0e4afef3; reference:url,anubis.iseclab.org/?action=result&task_id=1043e1f5f61319b944d51d0d6d7e23f2e; reference:md5,41a0a4c0831dbcbbfd877c7d37b671e0; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2012/09/the-story-behind-backdoorlv.html; classtype:command-and-control; sid:2017417; rev:9; metadata:created_at 2012_07_31, former_category MALWARE, updated_at 2012_07_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Executable Download named to be .com FQDN"; flow:established,to_server; content:"GET"; nocase; http_method; content:".com.exe"; http_uri; nocase; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011495; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.WinSpy.pob Sending Data over SMTP"; flow:to_server,established; content:"filename="; content:"PC_Active_Time.txt"; within:19; content:"|0d 0a|"; within:3; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018019; rev:3; metadata:created_at 2014_01_28, updated_at 2014_01_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Executable Download named to be FQDN"; flow:established,to_server; content:"GET"; nocase; http_method; content:".exe"; http_uri; nocase; fast_pattern; content:"."; depth:200; content:".exe"; nocase; distance:2; within:6; pcre:"/\/.+(www\.)?[a-z0-9]+\.[a-z]{2,3}\.exe$/Ui"; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011496; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.WinSpy.pob Sending Data over SMTP 2"; flow:to_server,established; content:"Subject|3a 20|LOG|20|FILE|20 20|Current User|3a|"; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018020; rev:3; metadata:created_at 2014_01_28, updated_at 2014_01_28;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Phoenix landing page - valium"; flow:established,to_client; content:"var string = val+|22|ium|22|\;"; classtype:bad-unknown; sid:2011486; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 1024"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009582; classtype:attempted-recon; sid:2009582; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV client requesting fake scanner page"; flow:established,to_server; content:"/?p=p"; http_uri; content:".co.cc|0D 0A|"; http_header; classtype:bad-unknown; sid:2011373; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 3072"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009583; classtype:attempted-recon; sid:2009583; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY hide-my-ip.com POST version check"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Host|3A|"; nocase; http_header; content:"hide|2d|my|2d|ip|2e|com"; nocase; within:20; http_header; content:"cmd|3d|"; nocase; content:"ver|3d|"; nocase; content:"hcode|3d|"; nocase; content:"product|3d|"; nocase; content:"year|3d|"; nocase; content:"xhcode|3d|"; nocase; classtype:policy-violation; sid:2011312; rev:4; metadata:created_at 2010_09_28, former_category POLICY, updated_at 2010_09_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 4096"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:4096; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009584; classtype:attempted-recon; sid:2009584; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Fragus - landing page delivered"; flow:established,to_client; content:"|0d 0a 0d 0a|var CRYPT={signature|3a|"; classtype:bad-unknown; sid:2011330; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WEBSHELL CFM Shell Access"; flow:established,from_server; file_data; content:"<title>CFM shell"; nocase; reference:url,blog.spiderlabs.com/2014/03/coldfusion-admin-compromise-analysis-cve-2010-2861.html; classtype:successful-admin; sid:2018290; rev:2; metadata:created_at 2014_03_18, updated_at 2014_03_18;)
+#alert tcp any $HTTP_PORTS -> any any (msg:"ET DELETED Malvertising DRIVEBY Fragus Admin Panel Delivered To Client"; flow:established,to_client; content:"<head>|0D 0A 09 09|<title>Fragus</title>"; classtype:bad-unknown; sid:2011342; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MultiThreat/Winspy.RAT Keep-Alive (flowbit set)"; flow:established,to_server; dsize:2; content:"/P"; depth:2; flowbits:set,WinSpy.KeepAlive; flowbits:noalert; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; reference:md5,815576890789003a7575c2948508c6b1; classtype:trojan-activity; sid:2018291; rev:1; metadata:created_at 2014_03_18, former_category MALWARE, updated_at 2014_03_18;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED POST to /x48/x58/ Possible Zeus Version 3 Command and Control Server Traffic"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/x48/x58/"; http_uri; nocase; content:".php"; http_uri; nocase; reference:url,www.m86security.com/labs/i/Customers-of-Global-Financial-Institution-Hit-by-Cybercrime,trace.1431~.asp; reference:url,www.m86security.com/documents/pdfs/security_labs/cybercriminals_target_online_banking.pdf; classtype:trojan-activity; sid:2011344; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MultiThreat/Winspy.RAT Keep-Alive Server Response"; flow:established,from_server; dsize:2; content:"/P"; depth:2; flowbits:isset,WinSpy.KeepAlive; threshold:type limit,count 2,track by_src,seconds 300; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; classtype:trojan-activity; sid:2018292; rev:1; metadata:created_at 2014_03_18, updated_at 2014_03_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Zeus Version 3 Infection Posting Banking HTTP Log to Command and Control Server"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/get_dr.php?"; http_uri; nocase; content:"https|3A|//"; nocase; pcre:"/\x2Fget\x5Fdr\x2Ephp\x3F(e|ini)\x3D/Ui"; reference:url,www.m86security.com/labs/i/Customers-of-Global-Financial-Institution-Hit-by-Cybercrime,trace.1431~.asp; reference:url,www.m86security.com/documents/pdfs/security_labs/cybercriminals_target_online_banking.pdf; classtype:trojan-activity; sid:2011345; rev:5; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 37 (msg:"ET MALWARE MultiThreat/Winspy.RAT SMTP Data Exfiltration"; flow:established,to_server; content:"X-Mailer|3A| SysMon v1.0.0"; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; classtype:trojan-activity; sid:2018293; rev:1; metadata:created_at 2014_03_18, updated_at 2014_03_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV landing page - sector.hdd.png no-repeat"; flow:established,to_client; content:"sector.hdd.png) no-repeat"; classtype:bad-unknown; sid:2011419; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET MALWARE MultiThreat/Winspy.RAT FTP File Download Command"; flow:established,to_server; dsize:>0; content:"/CD |5C 5C 5C|"; depth:9; pcre:"/^(?:(?:PCACTIV|ONLIN)ETIME|WEBSITE[DS]|CHATROOM|KEYLOGS)/Ri"; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; classtype:trojan-activity; sid:2018294; rev:1; metadata:created_at 2014_03_18, updated_at 2014_03_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKEAV client requesting image - sector.hdd.png"; flow:established,to_server; content:"sector.hdd.png"; nocase; http_uri; classtype:bad-unknown; sid:2011420; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK encrypted binary (3)"; flow:established,to_client; file_data; content:"|89 b4 f4 6a 24 1f 46 14|"; depth:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018297; rev:2; metadata:created_at 2014_03_20, former_category EXPLOIT_KIT, updated_at 2014_03_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV scanner page enocuntered - .hdd_icon"; flow:established,to_client; content:".hdd_icon"; nocase; classtype:bad-unknown; sid:2011475; rev:4; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Mar 20 2014"; flow:established,from_server; file_data; content:"jnlp_href"; nocase; fast_pattern:only; content:"application/x-silverlight-2"; nocase; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][^\x22\x27\x3d]{1,20}=[a-zA-z0-9\/\+]{10}/R"; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; nocase; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][^\x22\x27\x3d]{1,20}=[a-f0-9]{20}/R"; classtype:exploit-kit; sid:2018298; rev:3; metadata:created_at 2014_03_20, updated_at 2014_03_20;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Driveby Bredolab - client requesting java exploit"; flow:established,to_server; content:"/Notes1.pdf"; depth:11; http_uri; classtype:bad-unknown; sid:2011795; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_10_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; reference:url,doc.emergingthreats.net/bin/view/Main/2003519; classtype:attempted-admin; sid:2003519; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Driveby Bredolab - landing page"; flow:established,to_client; content:"Server|3a| nginx"; content:"<div style=|22|visibility|3a| hidden|3b||22|><"; depth:120; classtype:bad-unknown; sid:2011796; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_10_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM file transfer request"; flow: established; content:"YMSG"; nocase; depth: 4; content:"|00 dc|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001259; classtype:policy-violation; sid:2001259; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Driveby Bredolab - client exploited by acrobat"; flow:established,to_server; content:"?reader_version="; http_uri; content:"&exn=CVE-"; http_uri; classtype:trojan-activity; sid:2011797; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_10_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-1761 HTTP"; flow:from_server,established; file_data; content:"{|5c|rt{"; content:"|5c|objocx|5c|"; distance:0; content:"MSComctlLib."; content:"|5c|u-554"; fast_pattern; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018313; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_03_25, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft IE CSS Clip Attribute Memory Corruption (POC SPECIFIC)"; flow:from_server,established; file_data; content:"position|3A|absolute|3B|"; content:"clip|3A|"; within:20; content:"rect|28|0|29|"; fast_pattern; within:20; reference:url,extraexploit.blogspot.com/2010/11/cve-2010-3962-yet-another-internet.html; reference:url,www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks; reference:url,blog.fireeye.com/research/2010/11/ie-0-day-hupigon-joins-the-party.html; reference:url,www.offensive-security.com/0day/ie-0day.txt; reference:url,www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms10_xxx_ie_css_clip.rb; classtype:attempted-user; sid:2011892; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_11_05, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN NMAP SIP Version Detect OPTIONS Scan"; flow:established,to_server; content:"OPTIONS sip|3A|nm SIP/"; depth:19; classtype:attempted-recon; sid:2018317; rev:1; metadata:created_at 2014_03_25, updated_at 2014_03_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Interleaving document.write and appendChild Overflow (POC SPECIFIC)"; flow:from_server,established; content:"document.body.appendChild(cobj)"; content:"document.getElementById|28 22|suv|22 29|.innerHTML"; content:"new|20|Array|28|"; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=607222; reference:url,blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/; classtype:attempted-user; sid:2011893; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_11_06, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5060:5061 (msg:"ET SCAN NMAP SIP Version Detection Script Activity"; content:"Via|3A| SIP/2.0/TCP nm"; content:"From|3A| <sip|3A|nm@nm"; within:150; fast_pattern; classtype:attempted-recon; sid:2018318; rev:1; metadata:created_at 2014_03_25, updated_at 2014_03_25;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Driveby leads to exploits aaitsol1/networks.php"; flow:established,to_server; content:"GET"; http_method; content:"~aaitsol1/networks.php"; nocase; http_uri; classtype:bad-unknown; sid:2011895; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Compromised site trudeausociety"; flow:established,to_client; content:"|12|trudeausociety.com"; fast_pattern:only; classtype:trojan-activity; sid:2018319; rev:1; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY SEO Landing Page Encountered"; flow:established,to_client; content:"<script src=|27|src.js|27|></script><script src=|27|dest.js|27|></script><script>var "; depth:73; classtype:bad-unknown; sid:2011957; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Captcha Malware C2 SSL Certificate"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|Mojolicious"; distance:1; within:17; content:"|55 04 0a|"; distance:0; content:"|0b|Mojolicious"; distance:1; within:17; reference:url,community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/03/25/captcha-protected-malware-downloader; classtype:command-and-control; sid:2018322; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_03_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MALVERTISING SEO iframe redirect to drive by"; flow:established,to_client; content:"document.write|28|unescape|28 22|%3Ciframe src=|22 3b| content|3a 22|style=|27|visibility|3a|hidden|3b 27| width=|27|1|27| height=|27|1|27| %3E%3C/iframe%3E|22 29 29 3b|"; classtype:bad-unknown; sid:2011960; rev:4; metadata:created_at 2010_11_20, updated_at 2010_11_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sisproc"; flow:established,to_server; content:"/page_"; content:"Cookie|3a 20|XX=0|3b 20|BX=0"; reference:url,www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html; reference:md5,aaf73666cbd750ed22b80ed836d2b1e4; classtype:trojan-activity; sid:2018320; rev:3; metadata:created_at 2014_03_26, updated_at 2014_03_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan downloader (AS8514)"; flow:established,to_server; content:"GET"; http_method; content:"/tube/Adobe__Flash__Player.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=1001jimm.ru; classtype:trojan-activity; sid:2011966; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_22, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED JCE Joomla Extension User-Agent (BOT)"; flow:to_server,established; content:"BOT/0.1 (BOT for JCE)"; depth:21; http_user_agent; reference:url,exploit-db.com/exploits/17734/; reference:url,blog.spiderlabs.com/2014/03/honeypot-alert-jce-joomla-extension-attacks.html; classtype:attempted-recon; sid:2018327; rev:4; metadata:created_at 2014_03_26, updated_at 2014_03_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan Banker (AS33182)"; flow:established,to_server; content:"GET"; http_method; content:"/update/html2.exe.bak"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=allmobilefashion.com; classtype:trojan-activity; sid:2011968; rev:3; metadata:created_at 2010_11_22, updated_at 2010_11_22;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Bozok.RAT checkin"; flow:to_server; content:"|00 00 00|"; offset:1; depth:4; content:"|00 7C 00|"; within:32; content:"|00 7C 00|"; within:32; content:"|00 7C 00|"; within:64; content:"|00 7C 00|"; within:12; content:"|00 7C 00|"; within:5; content:"|00 7C 00|0|00 7c 00|2|00|"; within:32; reference:md5,a45d3564d1fa27161b33712f035a5962; reference:url,www.fireeye.com/blog/technical/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html; classtype:command-and-control; sid:2018325; rev:3; metadata:created_at 2014_03_26, former_category MALWARE, updated_at 2014_03_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Ircbrute Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/imagFaceBook.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=egyboys.net; classtype:bad-unknown; sid:2011980; rev:3; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Win32/Kryptik.AZER C2 SSL Stolen Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|junrio.com"; distance:1; within:11; reference:md5,b27e0561283697c1fb1a973c37b52265; classtype:command-and-control; sid:2018328; rev:2; metadata:created_at 2014_03_27, updated_at 2014_03_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Eleonore Exploit Pack / Trojan Brebolab"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/QuickTime_Update_KB673901.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=media-download-kb572810.biz; classtype:bad-unknown; sid:2011981; rev:3; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Payload Filename Used in Various 2014-0322 Attacks"; flow:established,to_server; content:"/Erido.jpg"; nocase; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018329; rev:2; metadata:created_at 2014_03_28, former_category CURRENT_EVENTS, updated_at 2019_09_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Fast Flux Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/av-scanner.48370.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=mediafilesonline.net; classtype:bad-unknown; sid:2011983; rev:4; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Dorkbot.AR Join IRC channel"; flow:to_server,established; content:"NICK n|7B|"; nocase; pcre:"/^\S{2,3}\x7c\S+?[au]\x7D\w{2,11}\x0d?\x0a/Ri"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32/Dorkbot.AR; reference:md5,7e76c7db8706511fc59508af4aef27fa; classtype:trojan-activity; sid:2016768; rev:4; metadata:created_at 2013_04_18, updated_at 2013_04_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Fast Flux Rogue Antivirus MalvRem"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/MalvRem_"; nocase; http_uri; pcre:"/MalvRem_\d{3,4}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=giga-protectiona.com; reference:url,www.malwareurl.com/listing.php?domain=protectsystemf.com; reference:url,www.malwareurl.com/listing.php?domain=1cnetantispy.com; reference:url,www.malwareurl.com/listing.php?domain=3gb-scanner.com; classtype:bad-unknown; sid:2011984; rev:4; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phish - Saved Website Comment Observed"; flow:established,to_client; file_data; content:"<!-- saved from url=("; pcre:"/^\s*?\d+?\s*?\)https\x3a\x2f/Rsi"; content:"<form"; nocase; distance:0; classtype:bad-unknown; sid:2018334; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_03_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2014_03_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Fast Flux Rogue Antivirus avdistr"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/avdistr_"; nocase; http_uri; pcre:"/avdistr_\d{3,4}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=giga-protectiona.com; reference:url,www.malwareurl.com/listing.php?domain=protectsystemf.com; reference:url,www.malwareurl.com/listing.php?domain=1cnetantispy.com; reference:url,www.malwareurl.com/listing.php?domain=3gb-scanner.com; classtype:bad-unknown; sid:2011985; rev:4; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/DownloadAdmin.Adware CnC Beacon"; flow:established,to_server; content:"/dl?gclid="; fast_pattern:only; http_uri; content:"&source="; http_uri; content:"&c="; http_uri; content:"&aid="; http_uri; content:"&bc="; http_uri; content:"&country="; http_uri; reference:url,malwaretips.com/blogs/remove-pup-downloadadmin-virus-removal-guide/; classtype:pup-activity; sid:2018338; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_03_31, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2014_03_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Fast Flux Rogue Antivirus RunAV"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/RunAV_"; nocase; http_uri; pcre:"/RunAV_\d{3,4}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=giga-protectiona.com; reference:url,www.malwareurl.com/listing.php?domain=protectsystemf.com; reference:url,www.malwareurl.com/listing.php?domain=1cnetantispy.com; reference:url,www.malwareurl.com/listing.php?domain=3gb-scanner.com; classtype:bad-unknown; sid:2011986; rev:3; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/DownloadAdmin.Adware Executable Download Request"; flow:established,to_server; content:"/download/"; http_uri; content:"/dl?s="; fast_pattern:only; http_uri; content:"&c="; http_uri; content:"&brand="; http_uri; content:"&pid="; http_uri; content:"&aid="; http_uri; content:"&bc="; http_uri; content:"&country="; http_uri; content:"&cb="; http_uri; reference:url,malwaretips.com/blogs/remove-pup-downloadadmin-virus-removal-guide/; classtype:pup-activity; sid:2018339; rev:3; metadata:created_at 2014_03_31, former_category ADWARE_PUP, updated_at 2014_03_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious executable download adobe-flash.v"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/adobe-flash.v"; nocase; http_uri; pcre:"/adobe-flash\.v\.\d{5}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=realmultimediaonline.com; classtype:bad-unknown; sid:2011989; rev:2; metadata:created_at 2010_12_01, updated_at 2010_12_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Goon/Infinity EK Landing Mar 31 2014"; flow:established,to_client; file_data; content:".text+=String.fromCharCode"; content:"35"; pcre:"/^[^\d]{1,20}100[^\d]{1,20}101[^\d]{1,20}102[^\d]{1,20}97[^\d]{1,20}117[^\d]{1,20}108[^\d]{1,20}116[^\d]{1,20}35[^\d]{1,20}86[^\d]{1,20}77[^\d]{1,20}76/Rsi"; classtype:exploit-kit; sid:2018337; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_03_31, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Rogue AV (installer.xxxx.exe)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/installer."; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/installer\.\d{4}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=scripttoscan.co.cc; classtype:bad-unknown; sid:2011990; rev:4; metadata:created_at 2010_12_01, updated_at 2010_12_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY fetch User Agent"; flow:established,to_server; content:"fetch"; nocase; http_user_agent; reference:url,gobsd.com/code/freebsd/lib/libfetch; reference:url,doc.emergingthreats.net/2002826; classtype:attempted-recon; sid:2002826; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any any -> $HOME_NET 21 (msg:"ET FTP ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHEZ)"; flow:established,to_server; content:"HELP "; depth:5; content:"ACIDBITCHEZ"; distance:0; nocase; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url,sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; classtype:trojan-activity; sid:2011994; rev:5; metadata:created_at 2010_12_02, former_category FTP, updated_at 2010_12_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Goon/Infinity EK Landing Mar 31 2014"; flow:established,to_client; file_data; content:"117"; fast_pattern; content:"108"; within:24; content:"116"; within:24; content:"35"; pcre:"/^[^\d](?:.{0,20}[^\d])?100[^\d](?:.{0,20}[^\d])?101[^\d](?:.{0,20}[^\d])?102[^\d](?:.{0,20}[^\d])?97[^\d](?:.{0,20}[^\d])?117[^\d](?:.{1,20}[^\d])?108[^\d](?:.{0,20}[^\d])?116[^\d](?:.{0,20}[^\d])?35[^\d](?:[^\d].{0,20}[^\d])?86[^\d](?:.{0,20}[^\d])?77[^\d](?:.{0,20}[^\d])?76[^\d]/Rsi"; classtype:exploit-kit; sid:2018342; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_04_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious invoice.scr Download Request"; flow:established,to_server; content:"GET"; http_method; content:"|2F|invoice.scr"; nocase; http_uri; pcre:"/\x2Finvoice\x2Escr$/Ui"; classtype:trojan-activity; sid:2011995; rev:4; metadata:created_at 2010_12_02, updated_at 2010_12_02;)
 
-#alert http any any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hikvision DVR Synology Recon Scan Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/k.php?h="; http_uri; depth:9; content:"ballsack"; depth:8; http_user_agent; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,isc.sans.edu/forums/diary/More+Device+Malware+This+is+why+your+DVR+attacked+my+Synology+Disk+Station+and+now+with+Bitcoin+Miner/17879; classtype:trojan-activity; sid:2018344; rev:3; metadata:created_at 2014_04_02, former_category CURRENT_EVENTS, updated_at 2014_04_02;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DoS.Linux/Elknot.E Checkin"; flow:established,to_server; dsize:401; content:!"|00 00|"; depth:2; content:"|10 27 60 ea|Linux|20|"; offset:4; depth:64; reference:md5,9a2a00f4bba2f3e0b1211a1f0cb48896; classtype:command-and-control; sid:2019171; rev:2; metadata:created_at 2014_09_12, former_category MALWARE, updated_at 2014_09_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Apr 01 2014"; flow:established,to_client; file_data; content:"|3a|stroke id="; content:"|3a|oval>"; content:"(function"; pcre:"/^\s*?\(\s*?\)\s*?{\s*?return\s*?(?:[^\s]+\(\s*?)?[\x22\x27][a-f0-9]{10}/Rs"; content:"(function"; distance:0; pcre:"/^\s*?\(\s*?\)\s*?{\s*?return\s*?(?:[^\s]+\(\s*?)?[\x22\x27][a-f0-9]{10}/Rs"; content:"/*"; pcre:"/^[a-zA-Z0-9]+\*\//R"; content:"/*"; distance:0; pcre:"/^[a-zA-Z0-9]+\*\//R"; content:"/*"; distance:0; pcre:"/^[a-zA-Z0-9]+\*\//R"; classtype:exploit-kit; sid:2018346; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED p2pshare.org Malware Related Activity"; flow:to_server,established; content:"GET"; http_method; content:"Host|3A| p2pshare.org|3A|999"; http_header; classtype:trojan-activity; sid:2012132; rev:6; metadata:created_at 2011_01_04, updated_at 2011_01_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Deep Panda WateringHole Related URI Struct"; flow:established,to_server; content:".php?v=webhp"; fast_pattern:only; http_uri; nocase; classtype:trojan-activity; sid:2018348; rev:3; metadata:created_at 2014_04_02, updated_at 2014_04_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MUROFET/Licat Trojan Checkin Forum"; flow:established,to_server; content:"GET"; http_method; content:!"|0d 0a|Referer|3a|"; nocase; content:"/forum/?"; http_uri; fast_pattern; pcre:"/forum\/\?[0-9a-f]{8}$/U"; reference:md5,531e84b0894a7496479d186712acd7d2; reference:url,extraexploit.blogspot.com/2010/10/some-domains-for-licatmurofettrojanzbot.html; classtype:command-and-control; sid:2012248; rev:5; metadata:created_at 2011_01_29, former_category MALWARE, updated_at 2011_01_29;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (inbound)"; flow:established,to_server; content: "|09 01|"; offset:18; depth:2; content:"|00 03|"; distance:10; within:2; byte_jump:2,2,relative,big; content:"|00 00|"; within:2; byte_test:2,>,512,0,relative,big; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; reference:url,doc.emergingthreats.net/bin/view/Main/2002061; classtype:attempted-admin; sid:2002061; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE USPS Inbound SPAM"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|USPS_Document.zip"; nocase; classtype:trojan-activity; sid:2012276; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP MyWaySearch Products Spyware User Agent"; flow: established,to_server; content:"MyWay"; http_user_agent; reference:url,doc.emergingthreats.net/2002079; reference:url,www.funwebproducts.com; classtype:pup-activity; sid:2002079; rev:19; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye HTTP Library Checkin"; flow:established,to_server; content:"POST"; http_method; content:"form-data|3b 20|name=|22|sid|22|"; http_client_body; content:"form-data|3b 20|name=|22|ping|22|"; http_client_body; content:"form-data|3b 20|name=|22|guid|22|"; http_client_body; content:"form-data|3b 20|name=|22|GB|22 3b 20|filename=|22|GB.TXT|22|"; http_client_body; fast_pattern; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:command-and-control; sid:2012279; rev:4; metadata:created_at 2011_02_03, former_category MALWARE, updated_at 2011_02_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SofosFO/GrandSoft landing applet plus class Mar 03 2013"; flow:established,to_client; file_data; content:"<applet"; content:"MyApplet"; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016541; rev:4; metadata:created_at 2013_03_06, updated_at 2013_03_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Fake AV Scan (AS31252)"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/powersecure_2005-19_ibr8.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=scan.dpowerprotection.com; classtype:trojan-activity; sid:2012302; rev:3; metadata:created_at 2011_02_07, updated_at 2011_02_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/ZeroAccess Counter.img Checkin"; flow:established,to_server; content:"/counter.img?theme="; fast_pattern; http_uri; content:"&digits="; http_uri; content:"&siteId="; http_uri; content:"Opera/9 (Windows NT "; http_user_agent; reference:url,malwaremustdie.blogspot.co.uk/2013/02/blackhole-of-closest-version-with.html; classtype:trojan-activity; sid:2016358; rev:5; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE IRS Inbound SMTP Malware"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|irs_legalauth-tax_payment_notice_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012319; rev:2; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Compromised site potpourriflowers"; flow:established,to_client; content:"|55 04 03|"; content:"|1a|www.potpourriflowers.co.uk"; distance:1; within:27; nocase; classtype:trojan-activity; sid:2018350; rev:2; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE IRS Inbound SPAM"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|IRS-TaxPaymentNotification"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012320; rev:2; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Compromised site kionic"; flow:established,to_client; content:"|55 04 03|"; content:"|0a|kionic.com"; distance:1; within:11; nocase; reference:url,blog.malwaremustdie.org/2014/04/upatre-downloading-gmo-is-back-to-ssl.html; classtype:trojan-activity; sid:2018351; rev:2; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.cx.cc domain"; flow: to_server,established; content:".cx.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2012321; rev:3; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible FakeAV binary download (setup)"; content:"GET"; http_method; content:"index.php?key="; http_uri; content:"&key2=download"; http_uri; classtype:trojan-activity; sid:2018352; rev:2; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE IRS Inbound SPAM variant 3"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|Individual_Income_Tax_Rtrn_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012329; rev:2; metadata:created_at 2011_02_21, updated_at 2011_02_21;)
 
-#alert http $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute Scan (Outgoing)"; flow:to_server,established; urilen:1; content:"/"; http_uri; content:"Microsoft-WebDAV-MiniRedir/5.1.2600"; http_user_agent; depth:35; content:"Referer|3a 20|http|3a|//"; pcre:"/^Host\x3a (?P<ipaddr>\b([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\b).*Referer\x3a http\x3a\/\/(?P=ipaddr)\//Hs"; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:attempted-recon; sid:2018353; rev:4; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE USPS SPAM Inbound possible spyeye trojan"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|USPS_"; nocase; content:".zip|22|"; nocase; reference:url,www.virustotal.com/file-scan/report.html?id=ed1766eb13cc7f41243dd722baab9973560c999c1489763c0704debebe8f4cb1-1298551066; classtype:trojan-activity; sid:2012388; rev:2; metadata:created_at 2011_02_27, updated_at 2011_02_27;)
 
-#alert http $EXTERNAL_NET any -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute Scan (incoming)"; flow:to_server,established; urilen:1; content:"/"; http_uri; content:"Microsoft-WebDAV-MiniRedir/5.1.2600"; depth:35; http_user_agent; content:"Referer|3a 20|http|3a|//"; pcre:"/^Host\x3a (?P<ipaddr>\b([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\b).*Referer\x3a http\x3a\/\/(?P=ipaddr)\//Hs"; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:attempted-recon; sid:2018354; rev:4; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Rogue Antivirus FakePAV"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/firefox_update_2011.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=76.76.102.214; classtype:trojan-activity; sid:2012403; rev:3; metadata:created_at 2011_03_01, updated_at 2011_03_01;)
 
-#alert http any 80 -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute http response"; flow:to_client,established; file_data; content:"<html>kenji oke</html>|0d 0a|"; depth:24; flowbits:isset,ET.Rbrute.incoming; reference:md5,055a9be75e469f8817c9311390a449f6; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:trojan-activity; sid:2018356; rev:3; metadata:created_at 2014_04_04, updated_at 2014_04_04;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE UPS Inbound bad attachment v.5"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS"; nocase; content:".zip|22|"; nocase; pcre:"/ups(_parcel_delivery-tracking-notice-|-Delivery-Notification-Message_)\S*\.zip/Ui"; classtype:trojan-activity; sid:2012443; rev:2; metadata:created_at 2011_03_09, updated_at 2011_03_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT EvilTDS Redirection"; flow:established,to_server; content:"/zyso.cgi?"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018357; rev:10; metadata:created_at 2014_04_04, former_category CURRENT_EVENTS, updated_at 2014_04_04;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE UPS Inbound bad attachment v.6"; flow:established,to_server; content:"From|3a| |22|United Parcel Service|22|"; nocase; content:"|40|ups.com"; nocase; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|document.zip|22|"; nocase; classtype:trojan-activity; sid:2012444; rev:3; metadata:created_at 2011_03_09, updated_at 2011_03_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK PDF"; flow:established,from_server; file_data; content:"13 0 obj"; pcre:"/^\s*?<<\s*?\/[A-Z0-9a-z]+\([A-Z0-9a-z]+\)\s*?/Rs"; content:"/XFA[(config)17 0 R] /Fields [14 0 R]|0d 0a|>>"; classtype:exploit-kit; sid:2018363; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE Post Express Inbound bad attachment"; flow:established,to_server; content:"Post Express|22|"; nocase; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|Post_Express_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012445; rev:6; metadata:created_at 2011_03_09, updated_at 2011_03_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Goldun Reporting User Activity 2"; flow:established,to_server; content:"?phid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&nn="; nocase; http_uri; content:"User-Agent|3a| z|0d 0a|"; http_header; reference:url,www.avira.com/en/threats/TR_Spy_Goldun_de_1_details.html; reference:url,doc.emergingthreats.net/2002780; classtype:trojan-activity; sid:2002780; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE DHL Spam Inbound"; flow:established,to_server; content:"|40|dhl.com"; nocase; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012492; rev:2; metadata:created_at 2011_03_12, updated_at 2011_03_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CWS Related Installer"; flow:established,to_server; content:"/image_tracker.php?l="; http_uri; fast_pattern:only; content:"&x="; http_uri; content:"&deptid="; distance:0; http_uri; content:"&page"; distance:0; http_uri; content:"&unique="; distance:0; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002932; classtype:trojan-activity; sid:2002932; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE DHL Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; content:"|22|filename=dhl_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012493; rev:3; metadata:created_at 2011_03_12, updated_at 2011_03_12;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WEBSHELL K-Shell/ZHC Shell 1.0/Aspx Shell Backdoor NetCat_Listener"; flow:established,from_server; file_data; content:"Silentz's Tricks:"; content:"action=cmd2"; content:"Start NC"; reference:url,www.fidelissecurity.com/webfm_send/377; reference:url,pastebin.com/XAG1Hnfd; classtype:web-application-attack; sid:2018369; rev:2; metadata:created_at 2014_04_07, updated_at 2014_04_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV InstallInternetDefender Download"; flow:established,from_server; content:"attachment|3b 20|filename=|22|InstallInternetDefender_"; nocase; classtype:trojan-activity; sid:2012494; rev:4; metadata:created_at 2011_03_14, updated_at 2011_03_14;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ATTACKER WebShell - Zehir4.asp - content"; flow:established,from_server; file_data; content:"<title>zehir3--> powered by zehir"; content:"Sistem Bilgileri"; content:"color=red>Local Adres</td"; content:"zehirhacker"; reference:url,pastebin.com/m44e60e60; reference:url,www.fidelissecurity.com/webfm_send/377; classtype:web-application-attack; sid:2018371; rev:2; metadata:created_at 2014_04_07, updated_at 2014_04_07;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED FakeAV campaign related JavaScript eval document obfuscation"; flow:established,from_server; content:"|20|=|20|eval('docu'+'men'+'t')|3b 0d 0a 0d 0a|"; classtype:trojan-activity; sid:2012495; rev:2; metadata:created_at 2011_03_14, updated_at 2011_03_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Netwire RAT Client HeartBeat S1 (no alert)"; flow:established,from_server; dsize:5; content:"|01 00 00 00 01|"; flowbits:isset,ET.Netwire.HB.1; flowbits:isnotset,ET.Netwire.HB.2; flowbits:unset,ET.Netwire.HB.1; flowbits:set,ET.Netwire.HB.2; flowbits:noalert; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,9475f91a426ac45d1f074373034cbea6; classtype:trojan-activity; sid:2018282; rev:3; metadata:created_at 2014_03_14, former_category TROJAN, updated_at 2017_12_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Win32 Banker Trojan CheckIn"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"/sys7."; http_uri; fast_pattern; reference:url,www.xandora.net/xangui/malware/view/18e5c43b3d430526e90799e7cc2c3ec8; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FBancos.ZY; classtype:command-and-control; sid:2012521; rev:3; metadata:created_at 2011_03_21, former_category MALWARE, updated_at 2011_03_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Small User Agent Detected (NetScafe)"; flow:established,to_server; content:"NetScafe"; http_user_agent; depth:8; reference:url,doc.emergingthreats.net/2003641; classtype:trojan-activity; sid:2003641; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Zbot Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/trusteer.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=umbralinversiones.com; classtype:trojan-activity; sid:2012537; rev:3; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vinself Backdoor Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"GIF89a|50 00 00 00|"; http_client_body; depth:10; fast_pattern; content:"|0A|Content-Length|3A| 90|0D 0A|"; http_header; pcre:"/^\/[A-Z]{1}[0-9]{1,3}\/[A-X]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}\/[A-Z]{1}[0-9]{4,5}[A-M]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}\/$/Um"; reference:url,blog.fireeye.com/research/2010/11/winself-a-new-backdoor-in-town.html; classtype:command-and-control; sid:2012865; rev:11; metadata:created_at 2010_12_22, former_category MALWARE, updated_at 2010_12_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Malware PatchPathNewS3.dat Request"; flow:established,to_server; content:"/PatchPathNewS3.dat"; nocase; http_uri; classtype:trojan-activity; sid:2012617; rev:5; metadata:created_at 2011_04_01, updated_at 2011_04_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan/Hacktool.Sniffer Successful Install Message"; flow:established,to_server; content:"/Install/Post.asp?Uid="; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2013199; rev:5; metadata:created_at 2011_07_05, updated_at 2011_07_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a Malware Related Numerical .cn Domain"; flow:established,to_server; content:"Host|3a| "; http_header; content:".cn|0d 0a|"; within:25; http_header; fast_pattern; pcre:"/Host\x3A\x20[^a-z]*[0-9]{4,30}\x2Ecn\x0D\x0A/Hi"; classtype:misc-activity; sid:2012650; rev:7; metadata:created_at 2011_04_08, updated_at 2011_04_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Successful Fake Banking App Install CnC Server Acknowledgement"; flow:established,to_client; file_data; content:"|7b 22|success|22 3A|1,|22|message|22 3A 22|Product successfully updated.|22|}"; within:55; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:command-and-control; sid:2017788; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_11_28, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV BestAntivirus2011 Download"; flow:established,from_server; content:"|3b 20|filename=|22|BestAntivirus20"; nocase; classtype:trojan-activity; sid:2012714; rev:4; metadata:created_at 2011_04_22, updated_at 2011_04_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Executable purporting to be .txt file with no Referer - Likely Malware"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; http_header; content:".txt"; nocase; http_uri; pcre:"/\.txt$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010500; classtype:pup-activity; sid:2010500; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Known Hostile Domain citi-bank.ru Lookup"; content:"|09|citi-bank|02|ru|00|"; nocase; classtype:trojan-activity; sid:2012728; rev:4; metadata:created_at 2011_04_26, updated_at 2011_04_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Executable purporting to be .cfg file with no Referer - Likely Malware"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; http_header; content:".cfg"; nocase; http_uri; pcre:"/\.cfg$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010501; classtype:pup-activity; sid:2010501; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin"; flow:to_server,established; content:"|20|HTTP|2f|1|2e|1|0d 0a|User-Agent|3a 20|"; fast_pattern; content:"|0d 0a|Host|3a 20|"; within:13; content:"|3a|8080|0d 0a|Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; http_header; pcre:"/User-Agent\x3a\x20[a-z]{3,4}\x0d\x0a/H"; reference:md5,014945cf93ffc94833f7a3efd92fe263; classtype:command-and-control; sid:2012736; rev:9; metadata:created_at 2011_04_28, former_category MALWARE, updated_at 2011_04_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_InIFRAME - In Referer"; flow:established,to_server; content:"/iniframe/"; http_header; content:"/"; distance:32; within:1; http_header; content:"/"; distance:1; within:5; http_header; content:"/"; distance:32; within:1; http_header; classtype:exploit-kit; sid:2017031; rev:3; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Malicious Facebook Javascript"; flow:established,to_client; content:"eval|28|function|28|p,a,c,k,e,"; nocase; content:"replace|28|newRegExp|28|"; nocase; distance:0; content:"SocialGraphManager"; fast_pattern; nocase; distance:0; reference:url,blog.trendmicro.com/dubious-javascript-code-found-in-facebook-application/; classtype:bad-unknown; sid:2012812; rev:4; metadata:created_at 2011_05_17, updated_at 2011_05_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Malicious Redirect Evernote Spam Campaign Feb 19 2014"; flow:to_server,established; content:"/1.txt"; http_uri; nocase; pcre:"/\/1\.txt$/Ui"; content:"/1.html"; http_header; nocase; pcre:"/Referer\x3a\x20[^\r\n]+?\/1\.html[\x3a\r]/Hi"; classtype:attempted-admin; sid:2018162; rev:3; metadata:created_at 2014_02_20, former_category CURRENT_EVENTS, updated_at 2014_02_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TDSS Trojan GET with xxxx_ string"; flow:established,to_server; content:"/xxxx_"; http_uri; pcre:"/\/xxxx_\d+\//U"; classtype:trojan-activity; sid:2012918; rev:4; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP authorized_keys file transferred"; flow:to_server,established; content:"authorized_keys"; classtype:suspicious-filename-detect; sid:2101927; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV Gemini - JavaScript Redirection To Scanning Page"; flow:established,to_client; content:"|28|navigator.appVersion.indexof|28 22|Mac|22 29|!=-1|29|"; nocase; content:"window.location="; nocase; within:17; classtype:bad-unknown; sid:2011917; rev:4; metadata:created_at 2010_11_10, updated_at 2010_11_10;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 1"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"M1"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018059; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV CryptMEN - Random Named DeObfuscation JavaScript File Download"; flow:established,from_server; content:"encrypt|3a| function|28|m, e, n|29|"; depth:64; classtype:bad-unknown; sid:2011922; rev:5; metadata:created_at 2010_11_11, updated_at 2010_11_11;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 2"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Mf"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018060; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED p2pshares.org Related Malware"; flow:to_server,established; content:"GET"; http_method; content:"Host|3A| p2pshares.org|3A|"; http_header; classtype:trojan-activity; sid:2012177; rev:6; metadata:created_at 2011_01_13, updated_at 2011_01_13;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 3"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Mh"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018061; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible CVE-2011-2110 Flash Exploit Campaign Log.txt Request"; flow:established,to_server; content:"GET"; http_method; content:"/log.txt"; http_uri; content:"|2E|swf?info=02"; http_header; reference:cve,2011-2110; reference:url,blog.fireeye.com/research/2011/06/old-wine-in-a-new-bottle.html; classtype:trojan-activity; sid:2013113; rev:4; metadata:created_at 2011_06_24, updated_at 2011_06_24;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 4"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Ml"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018062; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Ponmocup C2 Malware Update before fake JPEG download"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/shopping3.cgi?a="; nocase; http_uri; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013179; rev:9; metadata:created_at 2011_07_04, updated_at 2011_07_04;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 5"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"T1"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018063; rev:3; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Ponmocup C2 Malware Update after fake JPEG download"; flow:established,to_server; content:"/cgi-bin/unshopping3.cgi?b="; nocase; http_uri; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013180; rev:10; metadata:created_at 2011_07_04, updated_at 2011_07_04;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 6"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Tf"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018064; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Known Facebook Iframe Phishing Attempt"; flow:established,to_client; content:"FB.IframeUtil.CanvasUtil"; nocase; content:"iframe_canvas"; nocase; distance:0; content:"action=|5C 22|http|3A|"; nocase; distance:0; content:"canvas_iframe_post"; nocase; distance:0; content:"onsubmit="; nocase; distance:0; reference:url,www.f-secure.com/weblog/archives/00002196.html; classtype:bad-unknown; sid:2013183; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_07_04, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 7"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Th"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018065; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Dropper HTTP POST Check-in"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| NSIS_InetLoad (Mozilla)"; http_header; content:"spill&a="; http_client_body; reference:url,www.mywot.com/en/forum/13816-clickjacking-scam-spreading-on-facebook; classtype:trojan-activity; sid:2013189; rev:3; metadata:created_at 2011_07_05, updated_at 2011_07_05;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 8"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Tl"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018066; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET WEB_CLIENT Nuclear landing with obfuscated plugindetect Apr 29 2013"; flow:established,from_server; file_data; content:"visibility|3a|hidden"; pcre:"/(?P<e>\d{2})(?P<t>(?!(?P=e))\d{2})(?P=e)\d{2}(?P=t)\d{6}(?P=e)\d{12}(?P<q>(?!((?P=e)|(?P=t)))\d{2})\d{2}(?P<dot>(?!((?P=e)|(?P=t)|(?P=q)))\d{2})\d{2}(?P=dot)\d{2}(?P=q)/R"; classtype:trojan-activity; sid:2016801; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 9"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"sh"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018067; rev:3; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Known in Wild Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Attempt"; flow:established,to_client; content:"TTu0d0fu0d0eKKJJu0d0du0d0dLL1043416UU"; reference:url,labs.m86security.com/2011/06/0-day-exploit-used-in-a-targeted-attack-cve-2011-1255/; reference:bid,48206; reference:cve,2011-1255; classtype:attempted-user; sid:2013251; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 10"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"sl"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018068; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query for Known Hostile Domain gooqlepics com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|gooqlepics|03|com|00|"; reference:url,blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html; classtype:bad-unknown; sid:2013328; rev:4; metadata:created_at 2011_07_27, updated_at 2011_07_27;)
 
-#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED eMule KAD Network Hello Request (2)"; dsize:27; content:"|e4 10|"; depth:2; byte_test:2,<,65535,0,relative; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009971; classtype:policy-violation; sid:2009971; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTran/SensLiceld.A response to infected host"; flow:established,from_server; dsize:<80; content:"|5b|SERVER|5d|connection|20|to|20|"; depth:22; reference:url,www.secureworks.com/research/threats/htran/; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-120716-4344-99&tabid=2; reference:url,www.securelist.com/en/descriptions/10120120/Trojan-Spy.Win32.Agent.bptu; classtype:trojan-activity; sid:2013361; rev:5; metadata:created_at 2011_08_05, updated_at 2011_08_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Trojan-Gypikon Server Check-in Response"; flow:established,from_server; dsize:16; content:"|85 19 00 00 25 04 00 00 00 00|"; content:"|40 00 00 00 00|"; distance:1; within:6; reference:md5,f27bf471d2f2c0a76331d25fc4761e10; reference:md5,792b725b6a2a52e4eecde846b39eea7d; classtype:trojan-activity; sid:2018130; rev:3; metadata:created_at 2014_02_13, updated_at 2014_02_13;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTran/SensLiceld.A Checkin 2 (unicode)"; flow:established,from_server; dsize:<120; content:"|5b00|S|00|E|00|R|00|V|00|E|00|R|005d00|c|00|o|00|n|00|n|00|e|00|c|00|t|00|i|00|o|00|n|002000|t|00|o|002000|"; depth:44; reference:url,www.secureworks.com/research/threats/htran/; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-120716-4344-99&tabid=2; reference:url,www.securelist.com/en/descriptions/10120120/Trojan-Spy.Win32.Agent.bptu; classtype:command-and-control; sid:2013362; rev:7; metadata:created_at 2011_08_05, former_category MALWARE, updated_at 2011_08_05;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Trojan-Gypikon Sending Data"; flow:established,to_server; content:"@"; pcre:"/^(?:x(?:86|64)@)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/R"; content:" OS|3a 20|Win"; within:8; content:" CPU|3a|"; distance:0; content:"Hz|2c|RAM|3a|"; distance:0; reference:md5,f27bf471d2f2c0a76331d25fc4761e10; reference:md5,792b725b6a2a52e4eecde846b39eea7d; classtype:trojan-activity; sid:2018129; rev:4; metadata:created_at 2014_02_13, updated_at 2014_02_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE windows_security_update Fake AV download"; flow:established,from_server; content:"|0d 0a 0d 0a|"; content:"filename=|22|windows_security_update_"; distance:0; classtype:trojan-activity; sid:2013364; rev:7; metadata:created_at 2011_08_05, updated_at 2011_08_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS 2search.org User Agent (2search)"; flow:to_server,established; content:"2search"; http_user_agent; fast_pattern:only; reference:url,doc.emergingthreats.net/2003335; classtype:trojan-activity; sid:2003335; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV Landing Page Checking firewall status"; flow:established,from_server; content:"|5c|r|5c|n Checking firewall status|5c|r|5c|n"; classtype:command-and-control; sid:2013413; rev:3; metadata:created_at 2011_08_16, former_category MALWARE, updated_at 2011_08_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BAT.Qhost - SET"; flow:established,to_server; content:"GET"; http_method; content:"/stat/tuk/"; http_uri; flowbits:set,ETPRO.Trojan.BAT.Qhost; flowbits:noalert; reference:md5,f6e1583aca310c4c0d55db1dae942b2b; classtype:trojan-activity; sid:2014758; rev:5; metadata:created_at 2012_05_16, former_category MALWARE, updated_at 2012_05_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Morto Worm Rar Download"; flow:established,to_server; content:"GET /160.rar HTTP"; depth:17; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:trojan-activity; sid:2013517; rev:4; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Trojan.BAT.Qhost Response from Controller"; flow:established,from_server; flowbits:isset,ETPRO.Trojan.BAT.Qhost; content:"Set-Cookie|3a| ci_session="; content:"session_id"; distance:0; content:"ip_address"; distance:0; content:"user_agent"; distance:0; content:"last_activity"; distance:0; content:"user_data"; distance:0; reference:md5,f6e1583aca310c4c0d55db1dae942b2b; classtype:trojan-activity; sid:2014759; rev:4; metadata:created_at 2012_05_16, updated_at 2012_05_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32/Bifrose Second Stage Obfuscated Binary Download Claiming to Be JPEG"; flow:established,to_client; content:"Content-Type|3A 20|image/jpeg"; http_header; file_data; content:"|54 48 00 F7 20 10 72 6F 67 52|"; content:"|61 6E 6E 4F 1D A4 62 05 20 72 75 4E 49 ED 6E 40 44 4F 53|"; fast_pattern; within:50; classtype:trojan-activity; sid:2013796; rev:7; metadata:created_at 2011_10_24, updated_at 2011_10_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE cryptodefense Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type|3a| multipart/form-data|3b 20|boundary="; pcre:"/^[\x2d]+(?P<boundry>[0-9]+)\r\n.+filename\x3d[\x22\x27](?P=boundry)[\x22\x27]/Rsi"; content:!"Referer"; http_header; content:!"Accept-Encoding|3a|"; http_header; content:"filename="; fast_pattern:only; http_client_body; content:"form-data|3b| name="; pcre:"/^[\x22\x27][a-z][\x27\x22]/Ri"; classtype:command-and-control; sid:2018386; rev:2; metadata:created_at 2014_04_14, former_category MALWARE, updated_at 2014_04_14;)
+alert udp any 53 -> $DNS_SERVERS any (msg:"ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) to google.com.br possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; content:"|06|google|03|com|02|br|00|"; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; classtype:bad-unknown; sid:2013894; rev:5; metadata:created_at 2011_11_10, updated_at 2011_11_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Apr 14 2014"; flow:established,from_server; file_data; content:"Cjw/eG1sIHZlcnNpb249"; content:"^="; content:"eval"; pcre:"/^\W/R"; content:"/*"; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; classtype:bad-unknown; sid:2018387; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_04_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ZeuS estatements mailing campaign landing page"; flow:established,to_server; content:"/estatements/stetement_id."; http_uri; pcre:"/\/stetement_id\.\d+\//U"; classtype:trojan-activity; sid:2013908; rev:3; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 110 (msg:"ET MALWARE Gh0st_Apple Checkin"; flow:to_server,established; content:"GET"; http_method; content:".gif?pid"; fast_pattern; content:"&v="; content:"Mozilla/4.0("; http_user_agent; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; reference:md5,82644661f6639c9fcb021ad197b565f7; classtype:command-and-control; sid:2017412; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ZeuS estatements fake transaction page flash warning"; flow:established,from_server; content:"&nbsp|3b|Notification of Incompatibility</font></strong></font></td>"; content:">Your version of Macromedia Flash Player is too old to continue. <a href="; classtype:trojan-activity; sid:2013909; rev:3; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole Landing to 7-8 chr folder plus index.htm or index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:18<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U"; pcre:"/^\/[A-Za-z0-9]{7,8}\/index\.html?$/U"; classtype:bad-unknown; sid:2015709; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_18, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely CryptMEN FakeAV Download vclean"; flow:established,from_server; content:"filename=|22|vclean"; nocase; http_header; content:".exe"; nocase; http_header; within:20; classtype:trojan-activity; sid:2014028; rev:3; metadata:created_at 2011_12_15, updated_at 2011_12_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole Landing to 8 chr folder plus js.js"; flow:established,to_server; content:"/js.js"; http_uri; urilen:15; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/js\.js$/U"; classtype:bad-unknown; sid:2014629; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_20, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious executable download possible Trojan NgrBot"; flow:established,to_server; content:"GET"; http_method; content:"/adobe-flash.exe"; http_uri; classtype:bad-unknown; sid:2014150; rev:3; metadata:created_at 2012_01_26, updated_at 2012_01_26;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32/Zegost.Q CnC traffic (OUTBOUND)"; flow:to_server,established; dsize:>11; content:"|55 60 67 6c 69 70 9a|"; offset:8; depth:7; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,4f0d365408b439eb9aaf0b2352abb662; classtype:command-and-control; sid:2018390; rev:1; metadata:created_at 2014_04_16, former_category MALWARE, updated_at 2014_04_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Windows Media component specific exploit"; flow:established,to_client; content:"bang()"; content:"cloned"; distance:0; content:"unescape(|22|%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c|22|)"; distance:0; reference:cve,2012-0003; classtype:attempted-user; sid:2014156; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE CryptoDefense DNS Domain Lookup"; content:"|10|rj2bocejarqnpuhm"; nocase; pcre:"/^[^\x00]+?\x00/Rs"; classtype:trojan-activity; sid:2018397; rev:3; metadata:created_at 2014_04_16, updated_at 2014_04_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN ClickCounter Connectivity Check"; flow:established,to_server; content:" clickme=1|0d 0a|"; http_header; content:"clickme=1"; http_cookie; classtype:trojan-activity; sid:2014172; rev:3; metadata:created_at 2012_01_31, updated_at 2012_01_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BitCrypt Ransomware Domain"; flow:established,to_server; content:"bitcrypt.cc"; nocase; http_header; pcre:"/Host\x3a\x20(?:[^\r\n]+\.)?bitcrypt\.cc(?:\x3a\d{1,5})?\r\n/Hmi"; classtype:trojan-activity; sid:2018400; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_04_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2014_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Win32/Cridex.B Self Signed SSL Certificate (root@ks310208.kimsufi.com)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"root@ks310208.kimsufi.com"; content:"SomeOrganizationalUnit1"; classtype:trojan-activity; sid:2014240; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32/Pushdo CnC Server Fake JPEG Response"; flow:established,to_client; file_data; content:"<!--[if IE]"; distance:0; content:"<img src=|22|data|3A|image/jpeg|3B|base64"; distance:0; reference:url,www.damballa.com/downloads/r_pubs/Damballa_mv20_case_study.pdf; classtype:command-and-control; sid:2016857; rev:3; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TDS Trojan Stream request /stream?"; flow:established,to_server; urilen:9; content:"/stream?"; http_uri; pcre:"/^\/stream\?\d$/U"; classtype:bad-unknown; sid:2014242; rev:6; metadata:created_at 2012_02_20, updated_at 2012_02_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Inbox View"; flow:to_server,established; content:"/ym/ShowFolder"; http_uri; nocase; content:"rb=Inbox"; nocase; reference:url,doc.emergingthreats.net/2000041; classtype:policy-violation; sid:2000041; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/DarkComet Second Stage Download Request"; flow:established,to_server; content:"GET"; http_method; content:"/Update/Update.bin"; http_uri; reference:url,blog.trendmicro.com/darkcomet-surfaced-in-the-targeted-attacks-in-syrian-conflict/; classtype:trojan-activity; sid:2014273; rev:3; metadata:created_at 2012_02_24, updated_at 2012_02_24;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Message View"; flow:to_server,established; content:"/ym/ShowLetter"; nocase; http_uri; content:"MsgId"; nocase; reference:url,doc.emergingthreats.net/2000042; classtype:policy-violation; sid:2000042; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED OSX/Flashback Checkin via Twitter Hashtag Pepbyfadxeoa"; flow:established,to_server; content:"/searches?q=#pepbyfadxeoa"; fast_pattern; http_uri; content:"Host|3A 20|mobile.twitter.com|0d 0a|"; http_header; reference:url,blog.intego.com/flashback-mac-malware-uses-twitter-as-command-and-control-center/; classtype:trojan-activity; sid:2014333; rev:4; metadata:created_at 2012_03_07, updated_at 2012_03_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Message Compose Open"; flow:to_server,established; content:"/ym/Compose"; http_uri; nocase; reference:url,doc.emergingthreats.net/2000043; classtype:policy-violation; sid:2000043; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Malformed MP4 Remote Code Execution Attempt"; flow:established,to_client; content:"|66 74 79 70 6D 70 34|"; content:"|01 6D 70 34 32 69 73 6F 6D|"; distance:0; content:"|63 70 72 74 00 FF FF FF|"; distance:0; reference:url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html; reference:bid,52034; reference:cve,2012-0754; classtype:attempted-user; sid:2014335; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_03_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Styx Kein Landing URI Struct"; flow:to_server,established; content:"/?"; depth:2; http_uri; fast_pattern; pcre:"/^\/\?[^=&\?]{4,}=[^&]{20,}$/U"; content:"Host|3a 20|www"; http_header; content:!"."; within:1; http_header; pcre:"/^Host\x3a\x20www\d+?\.[^\.]+?\.[^\.]+?\.([^\.]+\.)*?[a-z]{2,4}(?:\x3a\d{1,5})?\r$/Hmi"; classtype:trojan-activity; sid:2017947; rev:4; metadata:created_at 2014_01_09, updated_at 2014_01_09;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Banload Trojan Downloader Dropped Binary"; flow:established,to_client; content:"C|00|o|00|m|00|p|00|a|00|n|00|y|00|N|00|a|00|m|00|e|00|"; content:"m|00|i|00|l|00|k|00|"; fast_pattern; within:30; content:"I|00|n|00|t|00|e|00|r|00|n|00|a|00|l|00|N|00|a|00|m|00|e|00|"; distance:0; content:"m|00|i|00|l|00|k|00|"; within:30; content:"L|00|e|00|g|00|a|00|l|00|C|00|o|00|p|00|y|00|r|00|i|00|g|00|h|00|t|00|"; distance:0; content:"m|00|i|00|l|00|k|00|"; within:30; reference:md5,31bb4e0d67a5af96d5b5691966e25d73; classtype:trojan-activity; sid:2014367; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_13, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Potential Common Malicious JavaScript Loop"; flow:established,to_client; content:"for("; content:"|3B|"; within:20; content:">=0|3B|"; fast_pattern; within:10; content:"--)"; within:10; pcre:"/for\x28[^\x3D\r\n]*[0-9]{1,6}\x2D[0-9]{1,5}\x3B[^\x3D\r\n]\x3E\x3D0\x3B[^\x29\r\n]\x2D\x2D\x29/"; classtype:bad-unknown; sid:2015045; rev:4; metadata:created_at 2012_07_07, updated_at 2012_07_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV Landing Page - Initializing Protection System"; flow:established,from_server; content:">Initializing Protection System...</"; fast_pattern; content:">System Tasks</"; distance:0; classtype:trojan-activity; sid:2014437; rev:6; metadata:created_at 2012_03_28, updated_at 2012_03_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase Parameters Buffer Overflow"; flow:to_client,established; flowbits:isset,NtDll.ImageBase.Module.Called; content:"ZwProtectVirtualMemory|22|"; content:"strDup|28|"; distance:0; content:"<object|20|"; distance:0; content:"application|2f|x|2d|java|2d|applet"; within:35; content:"|3c|param|20|name"; distance:0; content:"|22|launchjnlp|22|"; within:20; content:"|3c|param|20|name"; distance:0; content:"|22|docbase|22|"; within:20; content:"|3c|fieldset|3e 3c|legend|3e|"; distance:0; content:"object"; within:10; content:"|2e|innerHTML"; distance:0; reference:url,www.exploit-db.com/exploits/15241/; reference:cve,2010-3552; reference:bid,44023; classtype:attempted-user; sid:2012100; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_22, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a known malware domain (regicsgf.net)"; flow: to_server,established; content:"regicsgf.net|0D 0A|"; http_header; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014570; rev:6; metadata:created_at 2012_04_16, updated_at 2012_04_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Downloader Win32.Genome.avan"; flow:to_server,established; content:"mac="; http_uri; content:"&hdid="; http_uri; content:"&wlid="; http_uri; fast_pattern:only; content:"&start="; http_uri; content:"&os="; http_uri; content:"&mem="; http_uri; content:"&alive="; http_uri; content:"&ver="; http_uri; reference:url,doc.emergingthreats.net/2011236; classtype:trojan-activity; sid:2011236; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET INFO RuggedCom Banner with MAC"; flow:to_client,established; content:"Rugged Operating System"; content:"Copyright |28|c|29| RuggedCom"; distance:0; content:"MAC Address|3A|"; distance:0; flowbits:set,ET.RUGGED.BANNER; reference:url,www.exploit-db.com/exploits/18779/; reference:url,arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars; classtype:attempted-admin; sid:2014645; rev:3; metadata:created_at 2012_04_28, former_category INFO, updated_at 2012_04_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fiesta PDF Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"%PDF"; within:1024; classtype:exploit-kit; sid:2018408; rev:2; metadata:created_at 2014_04_23, former_category CURRENT_EVENTS, updated_at 2014_04_23;)
+#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Backdoor.BAT.Agent.W User Botnet"; flow:established,to_server; content:"USER botnet"; reference:md5,fc7059ec1e3e86fd0a664c3747f09725; classtype:trojan-activity; sid:2014700; rev:3; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta SilverLight Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"AppManifest.xaml"; nocase; classtype:exploit-kit; sid:2018409; rev:2; metadata:created_at 2014_04_23, former_category EXPLOIT_KIT, updated_at 2014_04_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/HupigonUser.Backdoor Rabclib UA Checkin"; flow:established,to_server; content:".txt"; http_uri; content:"User-Agent|3A 20|RAbcLib|0D 0A|"; http_header; reference:md5,65467e7ff3140f42f4758eca7b76185c; classtype:command-and-control; sid:2014755; rev:4; metadata:created_at 2012_05_17, former_category MALWARE, updated_at 2012_05_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fiesta Flash Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"ZWS"; within:3; classtype:exploit-kit; sid:2018410; rev:2; metadata:created_at 2014_04_23, former_category CURRENT_EVENTS, updated_at 2014_04_23;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dakotavolandos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|dakotavolandos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:command-and-control; sid:2014859; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta Flash Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"CWS"; within:3; classtype:exploit-kit; sid:2018411; rev:2; metadata:created_at 2014_04_23, former_category EXPLOIT_KIT, updated_at 2014_04_23;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dak1otavola1ndos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dak1otavola1ndos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:command-and-control; sid:2014860; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; pcre:"/\/\?[0-9a-f]{60,66}[\;\d\x2c]*$/U"; classtype:exploit-kit; sid:2013094; rev:9; metadata:created_at 2011_06_22, former_category CURRENT_EVENTS, updated_at 2011_06_22;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dako22tavol2andos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|dako22tavol2andos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:command-and-control; sid:2014861; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Wapomi.AD Variant Checkin"; flow:established,to_server; content:"/passport.asp?ID="; http_uri; content:"&fn="; http_uri; content:"&Var="; http_uri; reference:md5,37ab252df52f5e1a46b3b40e9afb40c0; classtype:command-and-control; sid:2013720; rev:5; metadata:created_at 2011_10_01, former_category MALWARE, updated_at 2011_10_01;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - d3akotav33olandos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|d3akotav33olandos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:command-and-control; sid:2014862; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan Checkin to CnC Server"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/passport.asp?ID="; http_uri; content:"&fn="; http_uri; content:"&Var="; http_uri; classtype:command-and-control; sid:2013344; rev:5; metadata:created_at 2011_08_02, updated_at 2011_08_02;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - d4ak4otavolandos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|d4ak4otavolandos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:command-and-control; sid:2014863; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
 
-#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PSW.Win32.Ruftar.lon File Stealer FTP File Upload"; flow:established,to_server; content:"CWD Stealer"; classtype:trojan-activity; sid:2013346; rev:4; metadata:created_at 2011_08_02, updated_at 2011_08_02;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SQL MySQL mysql.user Dump (Used in Metasploit Auth-Bypass Module)"; flow:established,to_server; content:"SELECT|20|user|2c|password|20|from|20|mysql|2e|user"; classtype:bad-unknown; sid:2014910; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_06_16, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Bravesentry.com/Protectwin.com Fake Antispyware Reporting"; flow:established,to_server; content:"/download.php?&advid="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&p="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; content:"Host|3a| "; http_header; content:".bravesentry.com"; nocase; http_header; fast_pattern; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; reference:url,doc.emergingthreats.net/bin/view/Main/2003542; classtype:trojan-activity; sid:2003542; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Googlebot User-Agent Outbound (likely malicious)"; flow:to_server,established; content:"Googlebot"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*?Googlebot/Hmi"; classtype:bad-unknown; sid:2015529; rev:4; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan Download"; flow:established,to_server; content:"/taskmgr.exe"; http_uri; fast_pattern; content:"Accept-Language|3a 20|zh-cn|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; http_header; reference:md5,3a2c3b422a7ec78f88a939d20ed07615; classtype:trojan-activity; sid:2017659; rev:6; metadata:created_at 2013_11_04, updated_at 2013_11_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to RunForestRun DGA Domain 16-alpha.waw.pl"; flow:established,to_server; content:".waw.pl|0D 0A|"; nocase; http_header; pcre:"/^Host\x3a\s[^\r\n]+?\.[abedgfihkmlonqpsruwvyxz]{16}\.waw\.pl\r$/Hmi"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015530; rev:5; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan Secondary Download"; flow:established,to_server; content:"/calc.exe"; http_uri; fast_pattern; content:"Accept-Language|3a 20|zh-cn|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; http_header; reference:md5,3a2c3b422a7ec78f88a939d20ed07615; classtype:trojan-activity; sid:2017658; rev:6; metadata:created_at 2013_11_04, updated_at 2013_11_04;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to RunForestRun DGA Domain 16-alpha.waw.pl"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|"; distance:0; content:"|03|waw|02|pl|00|"; fast_pattern; within:24; nocase; pcre:"/\x10[abedgfihkmlonqpsruwvyxz]{16}\x03waw\x02pl\x00/i"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015531; rev:4; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
 
-#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ftpchk3.php possible upload success"; flow:to_client,established; content:"|0d 0a|150 "; content:"ftpchk3.php|0d 0a|226 "; distance:0; nocase; reference:url,digitalpbk.blogspot.com/2009/10/ftpchk3-virus-php-pl-hacked-website.html; reference:url,labs.mwrinfosecurity.com/system/assets/131/original/Journey-to-the-Centre-of-the-Breach.pdf; classtype:attempted-admin; sid:2018417; rev:3; metadata:created_at 2014_04_24, updated_at 2014_04_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Karagany checkin (sid5 1)"; flow:to_server,established; content:"?f="; http_uri; content:"&t="; http_uri; content:"&sid5="; http_uri; fast_pattern; content:!"Accept|3a| "; http_header; classtype:command-and-control; sid:2015533; rev:4; metadata:created_at 2012_07_27, former_category MALWARE, updated_at 2012_07_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cutwail.BE Checkin 2"; flow:established,from_client; dsize:32; content:"|00 00 00 00 FF FF FF FF 3F 57|"; depth:10; content:"|FE FF FF FF FF FF FF FF FF FF FF|"; distance:3; within:11; threshold: type limit, track by_src, seconds 60, count 1; reference:md5,c6d256edcc8879717539f348706061f2; reference:md5,8f17e2a9e7c6cbec772ae56dfffb13cb; classtype:command-and-control; sid:2014272; rev:3; metadata:created_at 2012_02_22, former_category MALWARE, updated_at 2012_02_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Karagany checkin (sid5 2)"; flow:to_server,established; content:"?mode="; http_uri; content:"&f="; http_uri; content:"&sid5="; http_uri; fast_pattern; content:!"Accept|3a| "; http_header; classtype:command-and-control; sid:2015534; rev:4; metadata:created_at 2012_07_27, former_category MALWARE, updated_at 2012_07_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cutwail.BE Checkin 1"; flow:established,from_client; dsize:234; content:"|16 03 00 00 37 01 00 00 33 03 00|"; depth:11; threshold: type limit, track by_src, seconds 60, count 1; reference:md5,4352407efc8891215b514a54db5b8a1d; reference:md5,45ab3554f3d60d07fc5228faff7784e1; classtype:command-and-control; sid:2014271; rev:3; metadata:created_at 2012_02_22, former_category MALWARE, updated_at 2012_02_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Cridex checkin"; flow:established,to_server; content:"POST"; http_method; content:"/mx5/B/in/"; http_uri; reference:url,blog.webroot.com/2012/07/13/spamvertised-american-airlines-themed-emails-lead-to-black-hole-exploit-kit/; reference:url,stopmalvertising.com/rootkits/analysis-of-cridex.html; classtype:command-and-control; sid:2015546; rev:5; metadata:created_at 2012_07_31, former_category MALWARE, updated_at 2012_07_31;)
 
-alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Backdoor.Win32.RShot Ping Outbound"; icode:0; itype:8; icmp_id:512; dsize:32; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; reference:md5,34477e29f7408966d2703f3471741618; reference:md5,adf4c3a16f5f6d4baa634b2c50bf7454; classtype:trojan-activity; sid:2014270; rev:3; metadata:created_at 2012_02_21, updated_at 2012_02_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Astrum EK Landing"; flow:established,from_server; file_data; content:"|7b 72 65 74 75 72 6e 20 75 6e 65 73 63 61 70 65|"; content:"|3e 3e 38 26 32 35 35 29 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 32 3a|"; content:"|29 5e 32 35 35 26|"; classtype:exploit-kit; sid:2019130; rev:3; metadata:created_at 2014_09_08, former_category CURRENT_EVENTS, updated_at 2014_09_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Crystalize Filter in Uncompressed Flash"; flow:from_server,established; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"Crystallize -filter"; content:"|41 41 41 41|"; distance:0; reference:url,www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks; classtype:trojan-activity; sid:2018428; rev:2; metadata:created_at 2014_04_28, former_category CURRENT_EVENTS, updated_at 2014_04_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Astrum EK Landing"; flow:established,from_server; file_data; content:"%65%64%6f%43%72%61%68%43%6d%6f%72%66"; content:"%74%41%65%64%6f%43%72%61%68%63"; classtype:exploit-kit; sid:2019131; rev:6; metadata:created_at 2014_09_08, former_category CURRENT_EVENTS, updated_at 2014_09_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED My Search Bar Install"; flow: to_server,established; content:"/mysetup.exe"; nocase; http_uri; fast_pattern:only;  reference:url,www.2-spyware.com/parasite-my-search-bar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001040; classtype:trojan-activity; sid:2001040; rev:11; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Hupigon CnC Data Post (variant abb)"; flow:established,to_server; dsize:>200; content:"Windows "; content:"Service Pack "; distance:0; content:"HACK|00 00|"; fast_pattern; distance:100; reference:url,doc.emergingthreats.net/2008042; classtype:command-and-control; sid:2008042; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102710; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malvertising Leading to EK Aug 19 2014 M4"; flow:established,from_server; content:"Server|3a 20|nginx|0d 0a|"; http_header; content:"X-Powered-By|3a 20|PHP"; http_header; content:"text/javascript"; http_header; file_data; content:"if|28|[removed].indexOf|28|"; within:27; fast_pattern; pcre:"/^\s*?[\x22\x27](?P<var>[^\x22\x27]+)[\x22\x27]\s*?\x29\s*?==\s*?-1\x29\x7b[^\r\n]*?document\.cookie\s*?=\s*?[\x22\x27](?P=var)\s*?\x3d\s*?[^\r\n]+?[\r\n]*?$/Rsi"; content:"iframe"; content:"top"; pcre:"/^\s*?[\x3a\x3d]\s*?[\x22\x27]?\-/Rsi"; content:"left"; pcre:"/^\s*?[\x3a\x3d]\s*?[\x22\x27]?\-/Rsi"; classtype:exploit-kit; sid:2019180; rev:3; metadata:created_at 2014_09_16, former_category CURRENT_EVENTS, updated_at 2014_09_16;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102716; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Silverlight Based Redirect"; flow:established,from_server; file_data; content:"AppManifest.xamlPK"; fast_pattern:only; content:"iframe.dllPK"; classtype:exploit-kit; sid:2019184; rev:3; metadata:created_at 2014_09_16, former_category CURRENT_EVENTS, updated_at 2014_09_16;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102787; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Nov 05 2013"; flow:established,to_server; content:"/f/"; http_uri; depth:3; pcre:"/^\/f(?:\/[^\x2f]+)?\/14\d{8}(?:\/\d{9,10})?(?:\/\d)+(?:\/x[a-f0-9]+(?:\x3b\d)+?)?$/U"; classtype:exploit-kit; sid:2017667; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_05, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102794; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO WebSocket Session Initiation Request"; flow:established,to_server; flowbits:set,ETPRO.WebSocket.Request; content:"Connection|3a 20|Upgrade|0d 0a|"; fast_pattern; nocase; content:"Upgrade|3a 20|websocket|0d 0a|"; reference:url,tools.ietf.org/html/rfc6455; classtype:policy-violation; sid:2036219; rev:2; metadata:created_at 2014_09_17, former_category POLICY, updated_at 2014_09_17;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(refresh_template_name|user_name)[\r\n\s]*=>[\r\n\s]*\2|(refresh_template_name|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102803; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 Sept 17 2014"; flow:established,from_server; file_data; content:"|76 5c 3a 2a 7b 62 65 68 61 76 69 6f 72 3a 75 72 6c 28 23 64 65 66 61 75 6c 74 23 56 4d 4c 29 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d|"; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 75 6e 65 73 63 61 70 65 28|"; distance:0; content:"|3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 62 6c 61 63 6b|"; distance:0; classtype:exploit-kit; sid:2019188; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_17, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic Password Stealer Checkin URL Detected"; flow:established,to_server; content:"method=get"; nocase; http_uri; content:"&port="; nocase; http_uri; content:"&type="; nocase; http_uri; content:"&winver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006384; classtype:trojan-activity; sid:2006384; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 URI Struct Sept 17 2014"; flow:established,to_server; content:"/14"; http_uri; content:".htm"; http_uri; distance:8; within:4; pcre:"/^\/[a-z0-9]+?(?:\/\d)?\/14\d{8}\.htm$/U"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-f0-9A-Z\_\-]{14,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019189; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_18, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Upatre Binary Download April 28 2014"; flow:established,from_server; file_data; content:"|ff d1 4e 8d|"; within:4; classtype:trojan-activity; sid:2018422; rev:3; metadata:created_at 2014_04_28, updated_at 2014_04_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent Traffic"; flow: established; content:"|0000400907000000|"; depth:8; threshold: type limit, count 1, seconds 120, track by_src; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000357; classtype:policy-violation; sid:2000357; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible W32/Zbot.InfoStealer SSL Cert Parallels.com"; flow:established,to_client; content:"|16 03 01|"; depth:3; content:"|16 03 01|"; distance:0; content:"|52 14 cb 90|"; distance:0; content:"|12|info@parallels.com"; distance:0; reference:md5,19e17898e99af83e5fff9c3bad553bb2; classtype:trojan-activity; sid:2018418; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_04_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET P2P Vuze BT UDP Connection (5)"; dsize:<20; content:"|00 00 04 17 27 10 19 80 00 00 00 00|"; depth:12; threshold: type limit, count 1, seconds 120, track by_src; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010144; classtype:policy-violation; sid:2010144; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Common Bad Actor Indicators Used in Various Targeted 0-day Attacks"; flow:from_server,established; file_data; content:"dword2data"; fast_pattern; pcre:"/^\s*?\(/Rs"; content:"function"; pcre:"/^\s*?fun\s*?\(/Rs"; content:"CollectGarbage"; reference:cve,2014-0322; reference:cve,2014-1776; classtype:trojan-activity; sid:2018439; rev:4; metadata:created_at 2014_04_30, former_category CURRENT_EVENTS, updated_at 2014_04_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Infostealer.Banprox Proxy.pac Download 3"; flow:from_server,established; file_data; content:"FindProxyForURL"; fast_pattern; distance:0; content:"return |22|PROXY"; pcre:"/^[^\x3b]+\\x(?:[57][0-9a]|4[0-9a-f]|6[1-9a-f]|3[0-9])/Ri"; reference:md5,6f2dc4ba05774f3e5ebf6c502db48a71; classtype:trojan-activity; sid:2019191; rev:13; metadata:created_at 2014_09_18, updated_at 2014_09_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT 32-byte by 32-byte PHP EK Gate with HTTP POST"; flow:established,to_server; urilen:72; content:"POST"; http_method; content:".php?q="; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{32}\.php\?q=[a-f0-9]{32}$/U"; classtype:exploit-kit; sid:2018442; rev:3; metadata:created_at 2014_05_02, former_category CURRENT_EVENTS, updated_at 2014_05_02;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb 27 b3 4f ab ba bf 8b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019192; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Spy.Win32.Zbot.hmcm Checkin"; flow:established,to_server; content:"/b/"; depth:3; http_uri; pcre:"/^\/b\/(eve|opt|req)\/[\-f0-9A-F]{24}$/U"; reference:md5,291b5ce96b3932944a32031d33bc8cfc; classtype:trojan-activity; sid:2018437; rev:4; metadata:created_at 2013_01_26, updated_at 2013_01_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FAKEAV Gemini - JavaScript Redirection To FakeAV Binary"; flow:established,to_client; content:"<script type=|22|text/javascript|22|>"; nocase; content:"location.assign|28|"; nocase; within:17; classtype:bad-unknown; sid:2011918; rev:5; metadata:created_at 2010_11_10, updated_at 2010_11_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Base64 Encoded Java Value"; flow:established,to_client; file_data; content:"<applet"; content:"<param"; distance:0; content:"<value="; distance:0; pcre:"/\x3Cvalue\x3D\x22([a-z0-9+/]{4})*(?:[a-z0-9+/]{2}==|[a-z0-9+/]{3}=)/smi"; reference:url,vrt-blog.snort.org/2014/05/continued-analysis-of-lightsout-exploit.html; classtype:bad-unknown; sid:2018447; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_05_05, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Infostealer.Banprox Proxy.pac Download 2"; flow:from_server,established; file_data; content:"FindProxyForURL"; fast_pattern; distance:0; content:"|22|PROXY"; distance:0; pcre:"/^(?P<q>[\x22\x27])(?:(?!(?P=q))[^\r\n\x2c])+?(?P=q)\s*?\+\s*?[\x22\x27][^\r\n\x2c]*?[cg][\x22\x27\+\s]*?[o][\x22\x27\+\s]*?[vm][\x22\x27\+\s]*?\.[\x22\x27\+\s]*?b[\x22\x27\+\s]*?r[\x22\x27\+\s]*?\x2c/m"; reference:md5,6e4a990b1540fa6b5896034b976ccecf; classtype:trojan-activity; sid:2019190; rev:14; metadata:created_at 2014_09_18, updated_at 2014_09_18;)
 
-#alert tcp any any -> any 443 (msg:"ET DELETED Potential Selfint C2 traffic (from client)"; flow: from_client,established; content:"PuTTY-Local|3a| Feb 5 2013 18|3a|27|3a|27"; classtype:command-and-control; sid:2018450; rev:7; metadata:created_at 2014_05_05, updated_at 2014_05_05;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !25 (msg:"ET MALWARE Gh0st Trojan CnC 2"; flow:established,to_server; dsize:<250; content:"Gh0st"; offset:8; depth:5; classtype:command-and-control; sid:2017505; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_21, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Goon/Infinity URI Struct EK Landing May 05 2014"; flow:established,to_server; content:".php?req="; nocase; http_uri; fast_pattern; content:"&PHPSSESID="; http_uri; pcre:"/\.php\?req=(?:swf(?:IE)?|x(?:ap|ml)|jar|mp3)&/Ui"; classtype:exploit-kit; sid:2018441; rev:10; metadata:created_at 2014_05_02, former_category CURRENT_EVENTS, updated_at 2014_05_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV Security Shield payment page request"; flow:established,to_server; content:!"Referer|3a| "; http_header; content:"/payform/?k="; http_uri; classtype:trojan-activity; sid:2014631; rev:4; metadata:created_at 2012_04_23, updated_at 2012_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NeoSploit Jar with three-letter class names"; flow:established,from_server; file_data; content:"PK"; depth:2; content:".classPK"; pcre:"/(\0[a-z]{3}\.classPK.{43}){4}/"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015846; rev:3; metadata:created_at 2012_10_27, updated_at 2012_10_27;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown .rr.nu Malware landing page"; flow:established,to_server; content:"/sl.php"; http_uri; content:".rr.nu|0D 0A|"; fast_pattern:only; http_header; reference:url,isc.sans.edu/diary.html?storyid=13864; classtype:bad-unknown; sid:2015596; rev:2; metadata:created_at 2012_08_09, updated_at 2012_08_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/ProxyChanger.InfoStealer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/abc.php"; http_uri; fast_pattern; content:"User-Agent|3A 20|Mozilla/3.0|20 28|compatible|3B 20|Indy Library|29|"; http_header; content:"ABC="; http_client_body; depth:4; content:"&XRE="; http_client_body; within:30; reference:md5,67c9799940dce6b9af2e6f98f52afdf7; classtype:command-and-control; sid:2014356; rev:5; metadata:created_at 2012_03_09, former_category MALWARE, updated_at 2012_03_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day"; flow:established,to_client; file_data; content:".execCommand|28|"; nocase; fast_pattern; pcre:"/^[\r\n\s]*[\x22\x27](s|\\(x|u00)[57]3)(e|\\(x|u00)[46]5)(l|\\(x|u00)[46]c)(e|\\(x|u00)[46]5)(c|\\(x|u00)[46]3)(t|\\(x|u00)[57]4)(A|\\(x|u00)[46]1)(l|\\(x|u00)[46]c){2}/Ri"; content:".write("; nocase; content:"parent|2e|"; nocase; distance:0; pcre:"/^\w+?\[[^\]]+?\]\.src[\r\n\s]*=/Ri"; content:"onselect"; nocase; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2015711; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_09_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.Win32.VBKrypt.cugq Checkin"; flow:to_server,established; content:"/bot.php"; http_uri; content:"umbra"; depth:5; nocase; http_user_agent; reference:url,www.securelist.com/en/descriptions/10316591/Trojan.Win32.VBKrypt.cugq; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=456326; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-RDK/detailed-analysis.aspx; reference:md5,79e24434a74a985e1c64925fd0ac4b28; classtype:trojan-activity; sid:2017348; rev:6; metadata:created_at 2011_04_28, updated_at 2011_04_28;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain palauone.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|08|palauone|03|com|00|"; nocase; distance:4; within:14; fast_pattern; classtype:command-and-control; sid:2015719; rev:2; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Possible WebShell Login Form (Outbound)"; flow:established,from_server; file_data; content:"<pre align=center><form method=post>Password|3a| <input type=password name=pass><input type=submit value=|27|>>|27|></form></pre>"; within:120; isdataat:!2,relative; reference:url,blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html; classtype:trojan-activity; sid:2018459; rev:2; metadata:created_at 2014_05_09, former_category WEB_SERVER, updated_at 2014_05_09;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain traindiscover.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0d|traindiscover|03|com|00|"; nocase; distance:4; within:19; fast_pattern; classtype:command-and-control; sid:2015720; rev:3; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Daemonize Trojan Proxy Initial Checkin"; flow:established,to_server; content:"/command.php?IP="; http_uri; content:"ID="; http_uri; content:"User-Agent|3a 20 5c 0d 0a|"; pcre:"/ID=\d{24}($|&)/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanProxy%3AWin32%2FDaemonize.A&ThreatID=-2147464655; classtype:command-and-control; sid:2013723; rev:3; metadata:created_at 2011_10_01, former_category MALWARE, updated_at 2011_10_01;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain manymanyd.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|09|manymanyd|03|com|00|"; nocase; distance:4; within:15; fast_pattern; classtype:command-and-control; sid:2015721; rev:3; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Compromised site iclasshd.net"; flow:established,to_client; content:"|55 04 03|"; content:"|0c|iclasshd.net"; distance:1; within:14; nocase; reference:md5,abe131828ce5beae41ef341238016547; classtype:trojan-activity; sid:2018460; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2014_05_09, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain whatandwhyeh.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0c|whatandwhyeh|03|com|00|"; nocase; distance:4; within:18; fast_pattern; classtype:command-and-control; sid:2015722; rev:3; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Compromised site sabzevarsez.com"; flow:established,to_client; content:"|55 04 03|"; content:"|13|www.sabzevarsez.com"; distance:1; within:21; nocase; reference:md5,36cf205b39bd27b6dc981dd0da8a311a; classtype:trojan-activity; sid:2018461; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2014_05_09, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain bktwenty.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|08|bktwenty|03|com|00|"; nocase; distance:4; within:14; fast_pattern; classtype:command-and-control; sid:2015728; rev:3; metadata:created_at 2012_09_22, former_category MALWARE, updated_at 2012_09_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hacked Website Response '/*km0ae9gr6m*/' Jun 25 2012"; flow:established,from_server; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014964; rev:4; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain sleeveblouse.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0c|sleeveblouse|03|com|00|"; nocase; distance:4; within:18; fast_pattern; classtype:command-and-control; sid:2015730; rev:3; metadata:created_at 2012_09_22, former_category MALWARE, updated_at 2012_09_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hacked Website Response '/*qhk6sa6g1c*/' Jun 25 2012"; flow:established,from_server; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014965; rev:4; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain defmaybe.com 09/25/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|defmaybe|03|com|00|"; nocase; distance:0; classtype:command-and-control; sid:2015736; rev:4; metadata:created_at 2012_09_26, former_category MALWARE, updated_at 2012_09_26;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET DELETED SSL Bomb DoS Attempt"; flow:to_server,established; content:"|16 03 00|"; offset:0; depth:3; content:"|01|"; within:1; distance:2; byte_jump:1,37,relative,align; byte_test:2,>,255,0,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2000016; classtype:attempted-dos; sid:2000016; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain adbullion.com 09/26/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|adbullion|03|com|00|"; nocase; distance:0; classtype:command-and-control; sid:2015741; rev:4; metadata:created_at 2012_09_27, former_category MALWARE, updated_at 2012_09_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Backdoor.Unrecom Download"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"Unrecom"; nocase; pcre:"/^[a-z0-9_-]*?\.class/Rsi"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99&tabid=3; reference:url,www.crowdstrike.com/blog/adwind-rat-rebranding/index.html; classtype:trojan-activity; sid:2018466; rev:6; metadata:created_at 2014_05_13, updated_at 2014_05_13;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Revoked Adobe Code Signing Certificate Seen"; flow:established,to_client; content:"|30 82|"; content:"|a0 03 02 01 02 02 10 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00|"; distance:6; within:38; content:"|1e 17 0d|101215000000Z|17 0d|121214235959Z0"; distance:184; within:32; content:"Adobe Systems Incorporated"; distance:66; within:26; reference:url,www.adobe.com/support/security/advisories/apsa12-01.html; classtype:policy-violation; sid:2015743; rev:2; metadata:created_at 2012_09_28, former_category INFO, updated_at 2012_09_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PandoraRat/Refroso.bsp Activity"; flow:established,to_server; content:"|c3 b8 ba ab a0 bc b0 b1 c1 7c|"; depth:10; content:"|7c|N|7c|"; within:200; reference:md5,9972e686d36f1e98ba9bb82b5528255a; classtype:trojan-activity; sid:2018467; rev:4; metadata:created_at 2014_05_13, updated_at 2014_05_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Anti-Hacking Tool"; flow:established,to_server; content:"/update/WinUpdater.exe"; http_uri; content:!"User-Agent|3a|"; http_header; reference:md5,93443e59c473b89b5afad940a843982a; reference:url,eff.org/deeplinks/2012/08/syrian-malware-post; classtype:trojan-activity; sid:2015748; rev:3; metadata:created_at 2012_09_28, updated_at 2012_09_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PandoraRat/Refroso.bsp Directory Listing Sent To Server"; flow:established,to_server; content:"|7C|DIR#0#bin|7C|DIR#0"; reference:md5,9972e686d36f1e98ba9bb82b5528255a; classtype:trojan-activity; sid:2018468; rev:4; metadata:created_at 2014_05_13, updated_at 2014_05_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible exploitation of CVE-2012-5076 by an exploit kit Nov 13 2012"; flow:from_server,established; file_data; content:"<object"; content:"0b0909041f"; distance:0; fast_pattern; content:"3131"; distance:0; classtype:exploit-kit; sid:2015887; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_11_14, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack Flash Exploit flash2013.php"; flow:established,to_server; content:"/flash2013.php"; http_uri; nocase; classtype:exploit-kit; sid:2018470; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert udp $HOME_NET 53 -> any any (msg:"ET DOS DNS Amplification Attack Outbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016017; rev:7; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack Flash Exploit flash2014.php"; flow:established,to_server; content:"/flash2014.php"; http_uri; nocase; classtype:exploit-kit; sid:2018471; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FakeScan - Landing Page - Title - Microsoft Antivirus 2013"; flow:established,to_client; content:"<title>Microsoft Antivirus 2013</title>"; classtype:bad-unknown; sid:2016020; rev:4; metadata:created_at 2012_12_13, updated_at 2012_12_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack Plugin-Detect May 13 2014"; flow:from_server,established; file_data; content:"javarhino"; fast_pattern; nocase; pcre:"/^[\x22\x27]/R"; content:"javaimage"; pcre:"/^[\x22\x27]/R"; content:"javadb"; pcre:"/^[\x22\x27]/R"; content:"getVersion"; content:"SilverLight"; classtype:exploit-kit; sid:2018472; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FakeScan - Payload Download Received"; flow:established,to_client; content:"attachment"; http_header; content:"freescan"; http_header; fast_pattern; file_data; content:"MZ"; within:2; classtype:bad-unknown; sid:2016021; rev:3; metadata:created_at 2012_12_13, updated_at 2012_12_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Alina.POS-Trojan CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:20; content:"/insidee/loading.php"; fast_pattern:only; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| InfoPath.1 Spark v1.1|0D 0A|"; http_header; reference:url,pages.arbornetworks.com/rs/arbor/images/Uncovering_PoS_Malware.pdf; classtype:command-and-control; sid:2018473; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag c2, updated_at 2014_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN Unk_Banker - Check In"; flow:established,to_server; content:"POST"; http_method; content:"Opera/11.1"; depth:10; http_user_agent; content:"&action=check"; http_client_body; content:"&id="; http_client_body; content:"&version2="; http_client_body; classtype:trojan-activity; sid:2016087; rev:4; metadata:created_at 2012_12_22, updated_at 2012_12_22;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED TROJAN Downloader.Win32.Tesch.A Client CnC Checkin"; flow:established,to_server; content:"|01 00 30 01 01 00|"; fast_pattern; depth:6; content:"|00|"; distance:4; within:1; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/R"; reference:md5,86b5491831522f3c7bdcdacb17417514; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:command-and-control; sid:2018476; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_15, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Potential Zeus Binary Download - Specific PE Sections Structure"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program cannot be run in DOS mode"; distance:0; content:"PE|00 00|"; distance:0; content:".text"; distance:0; content:"m13"; distance:0; content:"m12"; distance:0; content:"m11"; distance:0; content:"m10"; distance:0; content:"m9"; distance:0; content:"m8"; distance:0; content:"m7"; distance:0; content:"m6"; distance:0; content:"m5"; distance:0; content:"m4"; distance:0; content:"m3"; distance:0; content:".data"; distance:0; content:".data2"; distance:0; reference:url,ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf; classtype:trojan-activity; sid:2016188; rev:4; metadata:created_at 2013_01_12, updated_at 2013_01_12;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Compromised site dfsdirect.ca"; flow:established,to_client; content:"|55 04 03|"; content:"|0c|dfsdirect.ca"; distance:1; within:14; nocase; reference:md5,fe56b5a28eac390aa8cfb1402360958b; classtype:trojan-activity; sid:2018480; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2014_05_16, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2013-0156 Ruby On Rails XML YAML tag with !ruby"; flow:established,to_server; content:" type"; nocase; fast_pattern; content:"yaml"; distance:0; nocase; content:"!ruby"; nocase; distance:0; pcre:"/<(?P<tname>[^\s]+)[^>]*?\stype\s*=\s*(?P<q>[\x22\x27])yaml(?P=q)((?!<\/(?P=tname)).+?)!ruby/si"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016204; rev:4; metadata:created_at 2013_01_12, updated_at 2013_01_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Webprefix checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?email="; fast_pattern:only; http_uri; content:!"User-Agent|3a| "; http_header; content:!"Referer"; http_header; content:!"Accept-"; http_header; content:"|0d 0a 0d 0a|"; pcre:"/^Accept\x3a\x20\*\/\*\r\nConnection\x3a\x20close\r\nHost\x3a\x20[^\r\n\x2e]+\x2e[^\r\n\x2e]+(?:\x3a\d{1,5})?\r\n(?:\r\n)?$/H"; reference:md5,8284c2202342102000ae9a04dd07bb76; classtype:command-and-control; sid:2018481; rev:8; metadata:created_at 2012_01_23, former_category MALWARE, updated_at 2017_11_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Request for FakeAV Binary /two/data.exe Infection Campaign"; flow:established,to_server; content:"/index/two/data.exe"; http_uri; classtype:trojan-activity; sid:2016243; rev:3; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zendran ELF IRCBot Joining Channel"; flow:established,to_server; content:"USER ass localhost localhost"; nocase; reference:url,blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html; reference:url,capsop.com/lightaidra-cc-investigation/; classtype:trojan-activity; sid:2018482; rev:2; metadata:created_at 2014_05_19, updated_at 2014_05_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CommentCrew UGX Backdoor initial connection"; flow:established,to_server; content:"|dd b5 61 f0 20 47 20 57 d6 65 9c cb 31 1b 65 42 00 00 00 00|"; depth:20; classtype:targeted-activity; sid:2016474; rev:3; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zendran ELF IRCBot Joining Channel 2"; flow:established,to_server; content:"PASS eYmUrmyAfG"; reference:url,blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html; reference:url,capsop.com/lightaidra-cc-investigation/; classtype:trojan-activity; sid:2018483; rev:2; metadata:created_at 2014_05_19, updated_at 2014_05_19;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications get system"; flow:established,to_client; content:"Y29tbWFuZD1nZXRzeXN0ZW07"; classtype:targeted-activity; sid:2016476; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Zendran ELF IRCBot Server Banner"; dsize:>14; flow:established,from_server; content:"|3a|Hell.Network|0d 0a|"; depth:15; reference:url,blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html; reference:url,capsop.com/lightaidra-cc-investigation/; classtype:trojan-activity; sid:2018484; rev:2; metadata:created_at 2014_05_19, updated_at 2014_05_19;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications html return 1"; flow:established,to_client; content:"|48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d 0a|"; content:"|43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 0d 0a|"; content:"|43 6f 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a|"; content:"|53 65 74 2d 43 6f 6f 6b 69 65 3a|"; content:"|0d 0a 20 31|"; classtype:targeted-activity; sid:2016477; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Width exceeds limit"; flow:established,from_server; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,8,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001191; classtype:misc-activity; sid:2001191; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep"; flow:established,to_client; file_data; content:"<!-- dWdzMTA= -->"; classtype:targeted-activity; sid:2016478; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET MALWARE .gadget Email Attachment - Possible Upatre"; flow:established,to_server; content:"Content-Type|3a| application/zip|3b|"; nocase; content:".gadget|22|"; distance:7; within:30; nocase; pcre:"/name=\x22[a-z0-9\-_\.\s]{0,25}\.gadget\x22/i"; reference:url,pastebin.com/5eNDazpL; classtype:trojan-activity; sid:2018490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2014_05_21, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep2"; flow:established,to_client; file_data; content:"<!-- dWdzMw== -->"; classtype:targeted-activity; sid:2016479; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sV"; fragbits:!M; dsize:0; flags:S,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000545; classtype:attempted-recon; sid:2000545; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep3"; flow:established,to_client; file_data; content:"<!--czoxMzc=--!>"; classtype:targeted-activity; sid:2016480; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Cert May 20 2014"; flow:established,from_server; content:"|11|www.myparadis.com"; reference:md5,ba7debd3ff51356135866a76116f595b; reference:md5,8a49c032efb6aa3a347a173d196a8bcb; classtype:trojan-activity; sid:2018492; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_05_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep5"; flow:established,to_client; file_data; content:"<!-- czoy -->"; classtype:targeted-activity; sid:2016482; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Statblaster Receiving New configuration (update)"; flow: to_server,established; content:"/updatestats/update"; nocase; http_uri; content:".xml"; nocase; http_uri; content:"update"; depth:6; http_user_agent; content:"statblaster"; http_header; fast_pattern:only; pcre:"/\/updatestats\/update\d+?\.xml$/U"; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001225; classtype:pup-activity; sid:2001225; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications download client.png"; flow:established,to_client; file_data; content:"<!-- dWdlY2xpZW50LnBuZw== -->"; classtype:targeted-activity; sid:2016483; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Styx/Angler EK SilverLight Exploit 2"; flow:established,from_server; file_data; content:"PK"; within:2; content:"fotosaster.dll"; fast_pattern; content:"AppManifest.xaml"; classtype:exploit-kit; sid:2018498; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT crabdance backdoor base64 head 2"; flow:established,to_client; file_data; content:"FSssJi01MWwnOic="; classtype:targeted-activity; sid:2016484; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT JamMail Jammail.pl Remote Command Execution Attempt"; flow: to_server,established; content:"/cgi-bin/jammail.pl?"; nocase; http_uri; fast_pattern:only; pcre:"/[\?&]mail=[^&]+?[\x3b\x2c\x7c\x27]/Ui"; reference:bugtraq,13937; reference:url,doc.emergingthreats.net/bin/view/Main/2001990; classtype:web-application-attack; sid:2001990; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT crabdance backdoor base64 head"; flow:established,to_client; file_data; content:"MS4nJzJ4cHZyeQ=="; classtype:targeted-activity; sid:2016485; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Gongda EK Secondary Landing"; flow:established,from_server; file_data; content:"fdsaw[fwegg]"; nocase; pcre:"/^\s*?=\s*?window\.document\.createElement/Rsi"; classtype:exploit-kit; sid:2018501; rev:2; metadata:created_at 2014_05_28, former_category CURRENT_EVENTS, updated_at 2014_05_28;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT backdoor stage 2 download base64 update.gif"; flow:established,to_client; file_data; content:"IHVwZGF0ZS5naWY="; classtype:targeted-activity; sid:2016486; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Gongda EK Landing 1"; flow:established,from_server; file_data; content:"{var bmw=[263,275,275,271,217,206,206,262,256,274,269,260,274,205,258,270,268,217,215,207,210,206,207,207,208,205,260,279,159,260]"; classtype:exploit-kit; sid:2018502; rev:2; metadata:created_at 2014_05_28, former_category CURRENT_EVENTS, updated_at 2014_05_28;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications get command client key"; flow:established,to_client; content:"Y29tbWFuZD1HZXRDb21tYW5kO2NsaWVudGtleT"; content:"O2hvc3RuYW1lPW"; classtype:targeted-activity; sid:2016488; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Gongda EK Landing 2"; flow:established,from_server; file_data; content:"function(/*jsckvip*/p,/*jsckvip*/a,/*jsckvip*/c,k,/*jsckvip*/e,/*jsckvip*/d/*jsckvip*/)"; classtype:exploit-kit; sid:2018503; rev:2; metadata:created_at 2014_05_28, former_category CURRENT_EVENTS, updated_at 2014_05_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeuS Ransomware win_unlock"; flow:established,to_server; content:"/locker/lock.php?id="; http_uri; reference:url,www.f-secure.com/weblog/archives/00002367.html; reference:md5,14a1d23b5a8b4f5c186bc5082ede4596; classtype:trojan-activity; sid:2014797; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_05_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2012_05_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OneLouder EXE download possibly installing Zeus P2P"; flow:to_client,established; flowbits:isset,ET.OneLouder.Header; file_data; content:"MZ"; within:2; byte_jump:4,60,little,from_beginning; content:"PE|00 00|"; within:4; classtype:trojan-activity; sid:2018464; rev:4; metadata:created_at 2014_05_13, former_category MALWARE, updated_at 2014_05_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zeus Spam Campaign pdf.exe In ZIP - 26th Feb 2014"; flow:established,to_client; file_data; content:"PK"; within:2; content:"pdf.exe"; distance:42; within:500; classtype:trojan-activity; sid:2018182; rev:3; metadata:created_at 2014_02_27, updated_at 2014_02_27;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre Compromised Site hot-buys"; flow:established,to_client; content:"|55 04 03|"; content:"|0c|hot-buys.org"; distance:1; within:14; nocase; reference:md5,bad758023d2e3cc17b61423720cdb5b7; classtype:trojan-activity; sid:2018506; rev:1; metadata:created_at 2014_05_29, updated_at 2014_05_29;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; pcre:"/^..[\x0d-\x20][a-z]{13,32}(?:\x03(?:biz|com|net|org)|\x04info|\x02ru)\x00\x00\x01\x00\x01/Rs"; threshold: type both, track by_dst, count 12, seconds 120; reference:url,vrt-blog.snort.org/2014/03/decoding-domain-generation-algorithms.html; classtype:trojan-activity; sid:2018316; rev:4; metadata:created_at 2014_03_25, former_category MALWARE, updated_at 2014_03_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/MadnessPro.DDOSBot CnC Beacon"; flow:established,to_server; content:"/?uid="; http_uri; content:"&ver="; http_uri; content:"&mk="; http_uri; content:"&os="; http_uri; content:"&rs="; http_uri; content:"&c="; http_uri; content:"&rq="; http_uri; reference:url,blog.cylance.com/a-study-in-bots-madness-pro; classtype:command-and-control; sid:2018424; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_04_28, deployment Perimeter, signature_severity Major, tag c2, updated_at 2014_04_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download"; flow:established,to_client; flowbits:isset,ET.Onelouder.bin; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2018982; rev:2; metadata:created_at 2014_08_22, updated_at 2014_08_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (5)"; flow:established,to_client; file_data; content:"|3a 0e a6 51 77 79 53 59|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018509; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Trojan Dropped by Angler Aug 29 2014"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 c4 a8 4b da 47 94 14 c1|"; within:35; content:"|55 04 0b|"; distance:0; content:"|55 04 0b|"; distance:0; content:"|06|office"; distance:1; within:7; classtype:trojan-activity; sid:2019086; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_29, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (6)"; flow:established,to_client; file_data; content:"|2c 3e c2 32 61 34 6e 68|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018510; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 e8 dc 5d 2a ee 44 a3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019205; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (7)"; flow:established,to_client; file_data; content:"|0b 28 ff 53 4b 75 39 68|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018511; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_31, deployment Perimeter, former_category TROJAN, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 b7 93 80 9f 87 5d ab|"; within:35; content:"|55 04 03|"; distance:0; content:"|0c 31 30 38 2e 36 31 2e 34 39 2e 33 30|"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019206; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Malicious Injected Redirect June 02 2014"; flow:established,to_client; file_data; content:"s.src"; content:"+Math.random()|3b|document.body.appendChild(s)|3b|"; distance:0; classtype:trojan-activity; sid:2018514; rev:2; metadata:created_at 2014_06_02, former_category CURRENT_EVENTS, updated_at 2014_06_02;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/BillGates Checkin"; flow:established,to_server; content:"|01 00 00 00|"; depth:4; content:"|00 00 00 f4 01 00 00 32 00 00 00 e8 03|"; distance:0; content:"|01 01 02 00 00 00 01 00 00 00|"; distance:0; reference:md5,b4dd0283c73d0b288e7322b95df0cb1b; classtype:command-and-control; sid:2019207; rev:1; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2014_09_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible CritX/SafePack/FlashPack IE Exploit"; flow:established,from_server; file_data; content:"6f"; fast_pattern; nocase; content:"6c"; within:12; nocase; content:"43"; distance:-26; within:24; content:!"|22|"; within:14; content:!"|27|"; within:14; pcre:"/^(?P<sep>[^\x22\x27]{0,10})6f(?P=sep)6c(?P=sep)6c(?P=sep)65(?P=sep)63(?P=sep)74(?P=sep)47(?P=sep)61(?P=sep)72(?P=sep)62(?P=sep)61(?P=sep)67(?P=sep)65(?P=sep)/Rsi"; classtype:exploit-kit; sid:2018330; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_03_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/BillGates Checkin Response"; flow:established,from_server; dsize:20; content:"|08 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 e8 fd 00 00|"; reference:md5,b4dd0283c73d0b288e7322b95df0cb1b; classtype:command-and-control; sid:2019208; rev:1; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2014_09_22;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole FBI Zeus P2P 1 - 142.0.36.234"; content:"|00 01 00 01|"; content:"|00 04 8e 00 24 ea|"; distance:4; within:6; classtype:trojan-activity; sid:2018517; rev:1; metadata:created_at 2014_06_04, updated_at 2014_06_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/AES.DDoS Sending Real/Fake CPU&BW Info"; flow:established,to_server; content:"INFO|3a|"; depth:5; pcre:"/^\d/R"; content:"|25 7c|"; distance:0; threshold: type both, count 1, seconds 30, track by_src; reference:md5,d8059b555dde05e184c0b16bbff523f1; classtype:trojan-activity; sid:2019177; rev:3; metadata:created_at 2014_09_15, updated_at 2014_09_15;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Landing June 05 2014"; flow:established,from_server; content:"lrtCfdP.FDP,FDP.FDPorcA"; fast_pattern:only; content:"reverse"; classtype:exploit-kit; sid:2018535; rev:2; metadata:created_at 2014_06_05, former_category CURRENT_EVENTS, updated_at 2014_06_05;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3"; flow:to_server,established; content:"|33 33|"; offset:2; depth:2; content:!"|33 33|"; within:2; content:"|33 33|"; distance:2; within:2; content:!"|33 33|"; within:2; content:"|33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33|"; pcre:"/[^\x33][^\x6f\x19\x18\x0e\x4f\x09\x08\x11\x0c\x0f\x0d\x1f\x10\x39][\x00-\x07\x0b\x0a\x1e\x1d\x12\x13\x15\x10\x1b\x1a\x54-\x5f\x50-\x52\x40-\x4b\x4d\x4e\x70-\x7f\x60-\x67\x69-\x6d]{1,14}\x33/R"; reference:md5,c150f9738142278e2d39417a7ef53cae; classtype:command-and-control; sid:2019203; rev:2; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2014_09_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Landing EK Struct"; flow:established,to_server; content:"/3/"; http_uri; fast_pattern:only; content:"/http|3a|/"; http_uri; pcre:"/\/3\/[a-f0-9]{32}\/http\x3a\x2f/U"; classtype:exploit-kit; sid:2018536; rev:2; metadata:created_at 2014_06_05, former_category CURRENT_EVENTS, updated_at 2014_06_05;)
+#alert tcp any any -> any any (msg:"ET DELETED njrat ver 0.7d Malware CnC Callback"; flow:from_client,established; content:"|00|ll|7C 27 7C 27 7C|"; fast_pattern; content:"0.7d"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019223; rev:1; metadata:created_at 2014_09_23, updated_at 2014_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Java Jar"; flow:to_server,established; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/\/(?:M[ABCDFGHIJKMOPSTUZ]|E[ABDEGIJKMNPRSVY]|R[ABCEFGHIKLMNPST]|G[ABCEGKMNPSTUV]|A[BCGLMNPQSUVZ]|O[ABCDFIJMNRST]|S[ABEGILMPRSUW]|T[ABEGHILMPSTY]|N[BCGHIKMPSTV]|I[ABCFGKLNSV]|L[ABCGIMNPST]|W[ABCGKMPRTZ]|Z[ABCDKMNSTU]|F[ABCGMNPTW]|H[BCEGKMPST]|K[CDFHLMPST]|U[ACGHLMNRV]|Y[BCGKLMPSU]|C[CELMNSTV]|D[ABCGIMST]|V[BCLMST]|J[BDFST]|P[GJKMN]|Q[ABGIM]|B[BGLS]|X[ACMS])\/[a-f0-9]{32}(\.[^\x2f]+)?$/Ui"; classtype:exploit-kit; sid:2017467; rev:4; metadata:created_at 2013_09_17, former_category EXPLOIT_KIT, updated_at 2013_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing Page Dec 09 2013"; flow:established,from_server; file_data; content:"display|3a| none|3b 22|"; nocase; content:">"; within:500; content:!">"; nocase; within:500; content:"f"; within:200; pcre:"/^(?P<sep>.{1,50})u(?P=sep)n(?P=sep)c(?P=sep)t(?P=sep)i(?P=sep)o(?P=sep)n(?P=sep)\s/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017817; rev:11; metadata:created_at 2013_12_10, former_category EXPLOIT_KIT, updated_at 2013_12_10;)
 
-alert tcp $EXTERNAL_NET [443,$HTTP_PORTS] -> $HOME_NET any (msg:"ET INFO tor2www .onion Proxy SSL cert"; flow:established,from_server; content:"|55 04 03|"; content:"*.tor2www."; nocase; distance:2; within:10; classtype:trojan-activity; sid:2018538; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_06_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 82 1f ee 3e 8f cb 87 80|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019225; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET [443,$HTTP_PORTS] -> $HOME_NET any (msg:"ET MALWARE TorExplorer Certificate - Potentially Linked To W32/Cryptowall.Ransomware"; flow:established,to_client; content:"|55 04 03|"; content:"torexplorer.com"; distance:0; reference:url,www.malware-traffic-analysis.net/2014/05/28/index.html; classtype:trojan-activity; sid:2018539; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2014_06_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Cridex Response from exfiltrated data upload"; flow:to_client,established; file_data; content:"|de ad be ef|"; fast_pattern; content:"|00 01 00 00 00|"; distance:3; within:5; reference:url,www.virustotal.com/file/00bf5b6f32b6a8223b8e55055800ef7870f8acaed334cb12484e44489b2ace24/analysis/; reference:url,www.packetninjas.net; classtype:trojan-activity; sid:2015629; rev:6; metadata:created_at 2012_08_16, updated_at 2012_08_16;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert"; flow:established,to_client; content:"|55 04 03|"; content:"|1e|static-182-18-143-140.ctrls.in"; distance:1; within:31; reference:md5,b4d63a1178027f64c4c868181437284d; classtype:trojan-activity; sid:2018542; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Yangji.A Checkin"; flow:established,to_server; dsize:1024; content:"cngameanti|7c|"; depth:11; pcre:"/^\x2d?\d/R"; reference:md5,b5badeb16414cba66999742601c092b8; classtype:command-and-control; sid:2019229; rev:1; metadata:created_at 2014_09_24, former_category MALWARE, updated_at 2014_09_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Landing June 05 2014 2"; flow:established,from_server; file_data; content:"hsalFevawkcohS.hsalFevawkcohS"; content:"reverse"; classtype:exploit-kit; sid:2018544; rev:2; metadata:created_at 2014_06_09, former_category CURRENT_EVENTS, updated_at 2014_06_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Aug 27 2014"; flow:from_server,established; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; file_data; content:"|3c 68 74 6d 6c 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23|"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}(?:\r\n)*?<script>[^\r\n]+?\We[\x22\x27\+]*?v[\x22\x27\+]*?a[\x22\x27\+]*?l\W/R"; classtype:exploit-kit; sid:2019078; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_08_28, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Putter Panda 3PARA RAT initial beacon"; flow:established,to_server; content:"|c4 65 f1 b3 cf a5 7e e2 c0 1a d4 7f 78 46 26 b5 86 15 f9 34 9c 3d 67 84 6a 48 aa df dc 30 60 24|"; depth:2000; reference:url,resources.crowdstrike.com/putterpanda/; classtype:trojan-activity; sid:2018555; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_06_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_06_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [443,$HTTP_PORTS] (msg:"ET MALWARE Pushdo v3 Checkin"; flow:established,to_server; dsize:20; content:"|02 00 00 00|"; depth:4; reference:md5,776d6c20a7016cb0f0db354785fe0d71; classtype:command-and-control; sid:2019235; rev:1; metadata:created_at 2014_09_25, former_category MALWARE, updated_at 2014_09_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Horde 3.0.9-3.1.0 Help Viewer Remote PHP Exploit"; flow:established,to_server; content:"/services/help/"; nocase; http_uri; pcre:"/module=[^\;]*\;.*\"/UGi"; reference:url,www.exploit-db.com/exploits/1660; reference:cve,2006-1491; reference:bugtraq,17292; classtype:web-application-attack; sid:2002867; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp any 67 -> any 68 (msg:"ET DELETED Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK - option 67"; content:"|02 01|"; depth:2; content:"|43|"; distance:238; content:"|28 29 20 7b 20|"; distance:1; within:10; reference:url,access.redhat.com/articles/1200223; reference:cve,2014-6271; classtype:attempted-admin; sid:2019238; rev:2; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 1"; flow:to_server,established; uricontent:"/posting.php"; content:"color="; nocase; content:"xss|3a|expression"; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009679; classtype:web-application-attack; sid:2009679; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Kuluoz/Asprox CnC Response"; flow:from_server,established; flowbits:isset,ET.Kuluoz; content:"|0d 0a 0d 0a|"; content:"|0d 0a 80 00 00 00|"; distance:2; within:6; reference:md5,a3e0f51356d48124fba25485d1871b28; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; reference:url,blog.fortinet.com/post/changes-in-the-asprox-botnet; classtype:command-and-control; sid:2019187; rev:5; metadata:created_at 2014_09_17, former_category MALWARE, updated_at 2014_09_17;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 2"; flow:to_server,established; uricontent:"/posting.php"; content:"size="; nocase; content:"xss|3a|expression"; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009680; classtype:web-application-attack; sid:2009680; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Dyre SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cb f9 86 23 19 20 43 f0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,c32f1e7d9d6f88c4d2468fe205f4abfc; classtype:trojan-activity; sid:2019274; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 3"; flow:to_server,established; uricontent:"/posting.php"; content:"color="; nocase; content:"javascript"; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009681; classtype:web-application-attack; sid:2009681; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert santa.my"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|www.santa.my"; distance:1; within:13; reference:md5,cfbfac0a9bf37b71e46ed43d95df4aec; classtype:trojan-activity; sid:2019277; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 4"; flow:to_server,established; uricontent:"/posting.php"; content:"size="; nocase; content:"javascript"; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009682; classtype:web-application-attack; sid:2009682; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert glynwedasia.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|glynwedasia.com"; distance:1; within:16; reference:md5,cfbfac0a9bf37b71e46ed43d95df4aec; classtype:trojan-activity; sid:2019278; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 5"; flow:to_server,established; uricontent:"/posting.php"; content:"color="; nocase; content:"|3a|url("; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009683; classtype:web-application-attack; sid:2009683; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf ac 1a b8 3d 7f 11 16|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|06|debian"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019279; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 6"; flow:to_server,established; uricontent:"/posting.php"; content:"size="; nocase; content:"|3a|url("; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009684; classtype:web-application-attack; sid:2009684; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf ac 1a b8 3d 7f 11 16|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|06|debian"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019280; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BleedingLife Exploit Kit Landing Page Requested"; flow:established,to_server; content:"/load_module.php?user="; http_uri; depth:22; pcre:"/^\x2Fload\x5Fmodule\x2Ephp\x3Fuser\x3D(n1|11?|2)$/U"; reference:url,vrt-blog.snort.org/2014/06/the-never-ending-exploit-kit-shift.html; classtype:exploit-kit; sid:2018562; rev:2; metadata:created_at 2014_06_13, former_category EXPLOIT_KIT, updated_at 2014_06_13;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 1"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|{|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019244; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BleedingLife Exploit Kit SWF Exploit Request"; flow:established,to_server; content:"/modules/"; http_uri; depth:9; content:".swf"; http_uri; distance:1; within:5; pcre:"/^\x2Fmodules\x2F(?:n[u3]|1|2)\x2Eswf$/U"; reference:url,vrt-blog.snort.org/2014/06/the-never-ending-exploit-kit-shift.html; reference:cve,2013-0634; reference:cve,2014-0515; classtype:exploit-kit; sid:2018563; rev:2; metadata:created_at 2014_06_13, former_category EXPLOIT_KIT, updated_at 2014_06_13;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 2"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|{%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019245; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BleedingLife Exploit Kit JAR Exploit Request"; flow:established,to_server; content:"/modules/"; http_uri; depth:9; content:".jar"; http_uri; distance:1; within:4; pcre:"/^\x2Fmodules\x2F(1|2)\x2Ejar$/U"; reference:url,vrt-blog.snort.org/2014/06/the-never-ending-exploit-kit-shift.html; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2013-2465; classtype:exploit-kit; sid:2018564; rev:2; metadata:created_at 2014_06_13, former_category EXPLOIT_KIT, updated_at 2014_06_13;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 3"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|%7b|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019246; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (TTL 1)"; byte_jump:1,6; content:"|a3|"; within:1; content:"|30 0d 06 08 2b 06 01 02 01 04 02 00 02 01 01|"; distance:9; threshold: type limit, track by_src, count 1, seconds 120; classtype:attempted-dos; sid:2018568; rev:1; metadata:created_at 2014_06_17, updated_at 2014_06_17;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 4"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|%7b%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019247; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (Disable Forwarding)"; byte_jump:1,6; content:"|a3|"; within:1; content:"|30 0d 06 08 2b 06 01 02 01 04 01 00 02 01 02|"; distance:9; threshold: type limit, track by_src, count 1, seconds 120; classtype:attempted-dos; sid:2018569; rev:1; metadata:created_at 2014_06_17, updated_at 2014_06_17;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 5"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20{|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019248; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)"; flow:from_server,established; flowbits:isset,ET.Suspicious.Domain.Fake.Browser; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2018572; rev:2; metadata:created_at 2014_06_17, former_category HUNTING, updated_at 2014_06_17;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 6"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20{%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019249; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing"; flow:established,to_client; file_data; content:".getVersion"; pcre:"/^\s*?\(\s*?[\x22\x27]Java[\x22\x27]/Rsi"; content:"621"; distance:0; pcre:"/^\W.{0,50}<\s*?=\s*?645\W[^{]*?{[^\}]*?\(\s*?document\s*?\)\s*?\[\s*?[\x22\x27]body[\x22\x27]\s*?\]\[\s*?[\x22\x27]appendChild[\x22\x27]\s*?\]/Rsi"; content:"700"; pcre:"/^\W.{0,50}<\s*?725\W/Rsi"; content:".getVersion"; pcre:"/^\s*?\(\s*?[\x22\x27]Flash[\x22\x27]/Rsi"; classtype:exploit-kit; sid:2018573; rev:3; metadata:created_at 2014_06_17, former_category CURRENT_EVENTS, updated_at 2014_06_17;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 7"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20%7b|20|"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019250; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing 2"; flow:established,to_client; file_data; content:"/[a-z]/gi"; fast_pattern; content:"substring"; pcre:"/^(?:[\x22\x27]\s*?\])?\s*?\(\s*?(?P<num>\d+)\s*?\*\s*?(?P<cnt>\w+)\s*?,\s*?(?P=num)\s*?\*\s*?(?P=cnt)\s*?\+\s*?(?P=num)\s*?\)\s*?,\s*?\d+\s*?\)/Rsi"; content:"="; pcre:"/^\s*?[\x22\x27][A-Za-z0-9\s]{500}/Rsi"; classtype:exploit-kit; sid:2018577; rev:2; metadata:created_at 2014_06_17, former_category CURRENT_EVENTS, updated_at 2014_06_17;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 8"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20%7b%20"; nocase; fast_pattern; within:15; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019251; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id ASCII"; flow:established,to_server; content:"/page.asp?"; nocase; http_uri; content:"art_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004838; classtype:web-application-attack; sid:2004838; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 9"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|{|20|"; nocase; fast_pattern; within:6; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019252; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert tcp $EXTERNAL_NET 3000:8000 -> $HOME_NET any (msg:"ET DELETED Unknown Trojan P2P Data Download"; flow:established,from_server; dsize:>1000; content:"|00 00 00|"; depth:5; offset:2; content:"|00 01 01 00 00 05 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_dst; reference:url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/; reference:url,doc.emergingthreats.net/2008770; classtype:trojan-activity; sid:2008770; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 10"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|{%20"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019253; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3000:8000 (msg:"ET DELETED Unknown Trojan P2P Download Request"; flow:established,to_server; dsize:<100; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 08 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_src; reference:url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/; reference:url,doc.emergingthreats.net/2008771; classtype:trojan-activity; sid:2008771; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 11"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|%7b|20|"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019254; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3000:8000 (msg:"ET DELETED Unknown Trojan P2P Request"; flow:established,to_server; dsize:<60; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 03 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_src; reference:url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/; reference:url,doc.emergingthreats.net/2008772; classtype:trojan-activity; sid:2008772; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 12"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|%7b%20"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019255; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK Common Java Exploit"; flow:to_server,established; content:"/testi.jnlp"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2018583; rev:4; metadata:created_at 2014_06_20, former_category CURRENT_EVENTS, updated_at 2014_06_20;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 13"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20{|20|"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019256; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious Redirect 8x8 script tag"; flow:established,from_server; file_data; content:".php?id="; content:"/"; distance:-17; within:1; pcre:"/^[a-z0-9A-Z]*?[A-Z0-9][a-z0-9A-Z]*?\.php\?id=\d{6,9}[\x22\x27]/R"; content:"<script"; nocase; pcre:"/^(?:(?!<\/script>).)*?\ssrc\s*?=\s*?[\x22\x27][^\x22\x27]+?\/[a-z0-9A-Z]{8}\.php\?id=\d{6,9}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2018053; rev:4; metadata:created_at 2014_02_01, former_category CURRENT_EVENTS, updated_at 2014_02_01;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 14"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20{%20"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019257; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK CVE-2013-3918"; flow:established,to_server; content:"/m20133918.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018593; rev:2; metadata:created_at 2014_06_20, former_category CURRENT_EVENTS, updated_at 2014_06_20;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 15"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20%7b|20|"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019258; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing May 23 2014"; flow:from_server,established; content:"|0d 0a|Vary|3a 20|Accept-Encoding,User-Agent"; http_header; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; file_data; content:"|ef bb bf|<html>|0d 0a|<body bgcolor|3d 22|#"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}<script>var/R"; classtype:exploit-kit; sid:2018595; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_06_24, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 16"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20%7b%20"; nocase; fast_pattern; within:12; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019259; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Trojan-Banker.JS.Banker fraudulent redirect boleto payment code"; flow:to_server,established; content:"/boleto"; http_uri; fast_pattern:only; content:".php?"; http_uri; pcre:"/^Host\x3a\x20[^\r\n]+(\r\n)?\r\n$/Hi"; reference:url,brazil.kaspersky.com/sobre-a-kaspersky/centro-de-imprensa/blog-da-kaspersky/extensoes-maliciosas-boleto; reference:md5,de38bc962f92eb99d63eebecb3930906; classtype:trojan-activity; sid:2018591; rev:5; metadata:created_at 2014_06_20, former_category CURRENT_EVENTS, updated_at 2014_06_20;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 17"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|{|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019260; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET DELETED EXPLOIT MS-SQL DOS bouncing packets"; content:"|0A|"; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000381; classtype:attempted-dos; sid:2000381; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 18"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|{%20"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019261; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Win32/Tesch.A Checkin"; flow:to_server,established; dsize:<100; content:"|01 00 30 01 01 00|"; fast_pattern; depth:6; content:!"|00|"; distance:3; within:1; content:"|00|"; distance:4; within:1; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/R"; reference:md5,f2e5900061c5ac470fa005580681be94; reference:md5,872763d48730506af7eee0bf22c2f47b; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FTesch.A; classtype:trojan-activity; sid:2018611; rev:5; metadata:created_at 2013_11_15, updated_at 2013_11_15;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 19"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|%7b|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019262; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Malvertising Redirect URI Struct"; flow:established,to_server; content:"/assets/js/jquery-"; depth:18; http_uri; fast_pattern; content:"min.js?ver="; http_uri; distance:0; pcre:"/^\/assets\/js\/jquery-[0-9]\.[0-9]\.[0-9]\.min\.js\?ver=[0-9]+\.[0-9]+\.[0-9]+$/U"; classtype:trojan-activity; sid:2018454; rev:4; metadata:created_at 2014_05_08, former_category CURRENT_EVENTS, updated_at 2014_05_08;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 20"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|%7b%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019263; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil EK Redirector Cookie June 27 2014"; flow:established,from_server; content:"lvqwg="; depth:6; http_cookie; nocase; classtype:exploit-kit; sid:2018613; rev:3; metadata:created_at 2014_06_28, former_category CURRENT_EVENTS, updated_at 2014_06_28;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 21"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20{|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019264; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sharik C2 Incoming Crafted Request"; flow:established,from_server; content:"|4d 00 02 02 00|"; depth:5; fast_pattern; content:"/"; distance:4; within:5; content:" HTTP/1."; distance:0; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:command-and-control; sid:2018616; rev:1; metadata:created_at 2014_06_30, former_category MALWARE, updated_at 2014_06_30;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 22"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20{%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019265; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - Old PDF Exploit - Dec 18 2012"; flow:established,to_server; content:"2.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})2\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}2\.PDF)$/U"; classtype:exploit-kit; sid:2016059; rev:14; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 23"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20%7b|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019266; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Alexa Search Toolbar User-Agent (Alexa Toolbar)"; flow: to_server,established; content:" Alexa Toolbar|3b|"; http_header; reference:url,www.spywareguide.com/product_show.php?id=418; reference:url,doc.emergingthreats.net/2002166; classtype:trojan-activity; sid:2002166; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 24"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20%7b%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019267; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing June 25 2014"; flow:established,to_client; file_data; content:"t=|22|1|3b|url=about|3a|Tabs|22|"; fast_pattern:only; content:"<body>"; pcre:"/^[\r\n\s]*?<script>[\r\n\s]*?[A-Za-z]+[\r\n\s]*?=[\r\n\s]*?[\x22\x27][A-Za-z]{9}\x20[A-Za-z\x20]{300}/R"; classtype:exploit-kit; sid:2018606; rev:4; metadata:created_at 2014_06_26, former_category CURRENT_EVENTS, updated_at 2014_06_26;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 26"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|%7b|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019269; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Sweet Orange WxH redirection"; flow:established,to_server; urilen:23<>50; content:"x"; http_uri; depth:4; offset:2; content:".php?"; fast_pattern; http_uri; content:"="; http_uri; within:3; pcre:"/^\/[0-9]{2,3}x[0-9]{2,3}\/[a-z]+\.php\?[a-z]{2}=[0-9a-z]+$/U"; classtype:exploit-kit; sid:2018493; rev:4; metadata:created_at 2014_05_21, former_category CURRENT_EVENTS, updated_at 2014_05_21;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 27"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|%7b%20"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019270; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server Command (bot is ready to start receiving commands)"; flow:established,from_server; dsize:4; flowbits:isset,ET.Tesch; content:"|05 00 01 01|"; depth:4; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018626; rev:5; metadata:created_at 2014_07_02, updated_at 2014_07_02;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 28"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20{|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019271; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server Command (Confirm C2 IP and port) 2"; flow:established,from_server; flowbits:isset,ET.Tesch; dsize:9; content:"|04 00 06|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:command-and-control; sid:2018625; rev:5; metadata:created_at 2014_07_02, former_category MALWARE, updated_at 2014_07_02;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 29"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20%7b|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019272; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Downloader.Win32.Tesch.A Bot Command (OK acknowledgement)"; flow:established,to_server; flowbits:isset,ET.Tesch; dsize:3; content:"|0a 00 00|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018622; rev:6; metadata:created_at 2014_07_02, updated_at 2014_07_02;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 30"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20%7b%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019273; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Bot Command (Proxy command)"; flow:established,from_server; flowbits:isset,ET.Tesch; dsize:28; content:"|09 00 19|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018623; rev:5; metadata:created_at 2014_07_02, updated_at 2014_07_02;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 25"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|{%20"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019268; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET MALWARE TrojanSpy.Win32/Banker.AMB SQL Checkin"; flow:established,to_server; content:"I|00|N|00|S|00|E|00|R|00|T"; content:"I|00|N|00|T|00|O"; distance:0; content:"B|00|R|00|O|00|W|00|S|00|E|00|R|00|L|00|O|00|G|00|U|00|S|00|B|00|"; reference:md5,dd141287cb45a2067592eeb9d3aa7162; classtype:command-and-control; sid:2018645; rev:2; metadata:created_at 2014_07_07, former_category MALWARE, updated_at 2014_07_07;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Output of id command from HTTP server"; flow:established; content:"uid="; pcre:"/^\d+[^\r\n\s]+/R"; content:" gid="; within:5; pcre:"/^\d+[^\r\n\s]+/R"; content:" groups="; within:8; classtype:bad-unknown; sid:2019284; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert 999servers.com"; flow:established,to_client; content:"|55 04 03|"; content:"|10|*.999servers.com"; distance:1; within:17; reference:md5,b9ffad739bb47a0e4619b76af51d9a74; classtype:trojan-activity; sid:2018647; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Reporting IP"; flow:established,to_server; dsize:<24; content:"My IP|3A| "; depth:7; pcre:"/My\x20IP\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x0A/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:2019294; rev:1; metadata:created_at 2014_09_29, updated_at 2014_09_29;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Cert July 7 2014"; flow:established,from_server; content:"|16 03 00|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"smalbach2424@hotmail.com"; distance:2; within:24; reference:md5,52084660d2ae0ee8f033621a9252cfb9; classtype:trojan-activity; sid:2018651; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_07_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre redirector GET Sept 29 2014"; flow:established,to_server; content:".php?h="; http_uri; fast_pattern; pcre:"/^\d+&w=\d+&ua=.+&e=1$/UR"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019311; rev:3; metadata:created_at 2014_09_29, former_category CURRENT_EVENTS, updated_at 2014_09_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED food.com compromise hostile JavaScript gate"; flow:established,to_server; content:".html?0."; http_uri; fast_pattern:only; pcre:"/\/[a-z]{1,6}\.html\?0\.[0-9]+[a-z]?$/U"; classtype:trojan-activity; sid:2018505; rev:6; metadata:created_at 2014_05_28, updated_at 2014_05_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 75 2c 71 a2 5b fd 9f|"; within:35; content:"|55 04 07|"; distance:0; content:"|07|Houston"; distance:1; within:8; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019316; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Enfal.F Checkin via HTTP Post 7"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/Owpp4.cgi"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; content:!"Referer|3a 20|"; pcre:"/^[^\r\n]{15}\x5f[^\r\n]{2}\x2d[^\r\n]{2}\x2d[^\r\n]{2}\x2d[^\r\n]{2}\x2d[^\r\n]{2}/m"; reference:url,blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2; classtype:trojan-activity; sid:2018665; rev:4; metadata:created_at 2014_07_11, updated_at 2014_07_11;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cb f9 86 23 19 20 43 f0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019317; rev:4; metadata:attack_target Client_and_Server, created_at 2014_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Zeus P2P Variant DGA NXDOMAIN Responses July 11 2014"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; pcre:"/^..[\x0d-\x20](?=\d{0,27}[a-z])(?=[a-z]{0,27}\d)[a-z0-9]{21,28}(?:\x03(?:biz|com|net|org))\x00\x00\x01\x00\x01/Rs"; threshold: type both, track by_dst, count 12, seconds 120; reference:url,blog.malcovery.com/blog/breaking-gameover-zeus-returns; reference:md5,5e5e46145409fb4a5c8a004217eef836; classtype:trojan-activity; sid:2018666; rev:4; metadata:created_at 2014_07_11, former_category MALWARE, updated_at 2014_07_11;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Ares over UDP"; content:"Ares "; offset:36; depth:7; threshold: type limit, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003437; classtype:policy-violation; sid:2003437; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing Jul 11 2014"; flow:established,to_client; file_data; content:"t=|22|1|3b|url=about|3a|Tabs|22|"; content:"/[a-z]/gi"; content:"|5c|x66|5c|x72|5c|x6F|5c|x6D|5c|x43|5c|x68|5c|x61|5c|x72|5c|x43|5c|x6F|5c|x64|5c|x65"; fast_pattern; classtype:exploit-kit; sid:2018668; rev:5; metadata:created_at 2014_07_12, former_category CURRENT_EVENTS, updated_at 2014_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Common Downloader Trojan Checkin"; flow:established,to_server; content:".php?pid="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"&amd="; nocase; http_uri; content:"&win64="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007975; classtype:trojan-activity; sid:2007975; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Probable FlimKit Redirect July 10 2013"; flow:established,to_server; content:"/b.swf|0d 0a|"; http_header; fast_pattern:only; content:!"revolvermaps.com"; http_header; pcre:"/^Referer\x3a[^\r\n]+\/b.swf\r$/Hm"; flowbits:set,FlimKit.SWF.Redirect; classtype:trojan-activity; sid:2017125; rev:4; metadata:created_at 2013_07_11, former_category CURRENT_EVENTS, updated_at 2017_05_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING suspicious embedded zip file in web page"; flow:established,to_client; file_data; content:"data|3a|"; nocase; content:"base64,UEsDB"; within:40; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019324; rev:2; metadata:created_at 2014_09_30, former_category EXPLOIT_KIT, updated_at 2014_09_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert acesecureshop.com"; flow:established,to_client; content:"|55 04 03|"; content:"|11|acesecureshop.com"; distance:1; within:18; reference:md5,c2e85512ceaacbf8306321f9cc2b1eaf; classtype:trojan-activity; sid:2018671; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre redirector 29 Sept 2014 - POST"; flow:established,to_server; content:"POST"; http_method; content:"h="; http_client_body; depth:3; content:"w="; http_client_body; within:8; content:"ua="; http_client_body; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019321; rev:3; metadata:created_at 2014_09_30, former_category CURRENT_EVENTS, updated_at 2014_09_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert new-install.privatedns.com"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|1a|new-install.privatedns.com"; distance:1; within:27; fast_pattern; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|1e|ssl@new-install.privatedns.com"; distance:1; within:31; reference:md5,280a3a944878d57bc44ead271a0cc457; classtype:trojan-activity; sid:2018672; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 7e e9 92 50 35 4f 1e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019328; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert July 14 2014"; flow:established,to_client; content:"|55 04 03|"; content:"|0f|groberts.com.au"; distance:1; within:16; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|13|info@dctreasure.com"; distance:1; within:20; reference:md5,9f48eb74687492978259edb8f79ac397; classtype:trojan-activity; sid:2018673; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 90 47 1b dd 5a 78 af e5|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019329; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert faithmentoringandmore.com"; flow:established,to_client; content:"|55 04 03|"; content:"|1d|www.faithmentoringandmore.com"; distance:1; within:31; reference:md5,b5df3ba04c987692929f35d9c64e0c0d; classtype:trojan-activity; sid:2018674; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Bot Nick in IRC (Country Code ISO 3166-1 alpha-2)"; flow:established,to_server; content:"NICK"; depth:5; pcre:"/^[^\r\n]{0,7}\b(?:M[ACDEFGHKLMNOPQRSTUVWXYZ]|B[ABDEFGHIJLMNOQRSTVWYZ]|S[ABCDEGHIJKLMNORSTVXYZ]|C[ACDFGHIKLMNORUVWXYZ]|G[ABDEFGHILMNPQRSTUWY]|A[DEFGILMOQRSTUWXZ]|T[CDFGHJKLMNORTVWZ]|P[AEFGHKLMNRSTWY]|N[ACEFGILOPRUZ]|K[EGHIMNPRWYZ]|L[ABCIKRSTUVY]|I[DELMNOQRST]|E[CEGHRST]|V[ACEGINU]|D[EJKMOZ]|F[IJKMOR]|H[KMNRTU]|U[AGMSYZ]|R[EOSUW]|J[EMOP]|Z[AMW]|W[FS]|Y[ET]|OM|QA)\b/R"; classtype:trojan-activity; sid:2019326; rev:6; metadata:created_at 2014_10_01, former_category MALWARE, updated_at 2014_10_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux DDoS bot Antiq IRC"; flow:established,to_server; content:"PRIVMSG|20|#"; content:"status checking progam online"; within:60; reference:url,deependresearch.org/2014/07/another-linux-ddos-bot-via-cve-2012-1823.html; classtype:trojan-activity; sid:2018675; rev:1; metadata:created_at 2014_07_14, updated_at 2014_07_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Bot Nick in IRC (Country Code ISO 3166-1 alpha-3)"; flow:established,to_server; content:"NICK"; depth:5; pcre:"/^[^\r\n]{0,7}\b(?:M(?:A[CFR]|D[AGV]|N[EGP]|L[IT]|Y[ST]|[MS]R|CO|EX|HL|KD|OZ|RT|TQ|US|WI)|S(?:L[BEV]|[DEH]N|[JOP]M|G[PS]|V[KN]|W[EZ]|Y[CR]|[MU]R|AU|RB|SD|TP)|B(?:L[MRZ]|R[ABN]|E[LN]|G[DR]|H[RS]|[FW]A|DI|IH|MU|OL|TN|VT)|C(?:O[DGKLM]|H[ELN]|A[FN]|Y[MP]|[IP]V|[MX]R|CK|RI|UB|ZE)|A(?:R[EGM]|T[AFG]|L[AB]|N[DT]|U[ST]|BW|FG|GO|IA|SM|ZE)|G(?:R[CDL]|U[FMY]|I[BN]|N[BQ]|[AM]B|BR|EO|GY|HA|LP|TM)|T(?:U[NRV]|C[AD]|K[LM]|[GT]O|[HZ]A|[OW]N|JK|LS)|P(?:R[IKTY]|A[KN]|[HO]L|CN|ER|LW|NG|SE|YF)|N(?:[CPZ]L|I[CU]|[EO]R|AM|FK|GA|LD|RU)|L(?:B[NRY]|[CKV]A|[AS]O|IE|TU|UX)|I(?:R[LNQ]|S[LR]|[DM]N|ND|OT|TA)|K(?:[AG]Z|[IO]R|EN|HM|NA|WT)|E(?:S[HPT]|CU|GY|RI|TH)|V(?:[ACU]T|EN|GB|IR|NM)|D(?:[MZ]A|EU|JI|NK|OM)|F(?:R[AO]|IN|JI|LK|SM)|H(?:[MN]D|KG|RV|TI|UN)|U(?:[GS]A|KR|MI|RY|ZB)|J(?:AM|EY|OR|PN)|R(?:[EO]U|US|WA)|Z(?:AF|MB|WE)|W(?:LF|SM)|OMN|QAT|YEM)\b/R"; classtype:trojan-activity; sid:2019327; rev:6; metadata:created_at 2014_10_01, former_category MALWARE, updated_at 2014_10_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Malvertising Redirect URI Struct Jul 16 2014"; flow:established,to_server; content:"/js/metrika/watch.js?ver="; depth:25; http_uri; fast_pattern; pcre:"/^\/js\/metrika\/watch\.js\?ver=[0-9]+\.[0-9]+\.[0-9]+$/U"; classtype:trojan-activity; sid:2018686; rev:5; metadata:created_at 2014_07_16, former_category CURRENT_EVENTS, updated_at 2014_07_16;)
+alert udp any any -> $HOME_NET 53 (msg:"ET DOS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type both, track by_dst, seconds 60, count 5; classtype:bad-unknown; sid:2016016; rev:8; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Technique)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"INSERT INTO"; nocase; distance:0; content:"#pragma namespace("; nocase; distance:0; content:"|5c 5c 5c|.|5c 5c 5c 5c|root|5c 5c 5c 5c|"; nocase; distance:0; content:"__EventFilter"; nocase; distance:0; content:" __InstanceModificationEvent"; nocase; distance:0; content:"TargetInstance"; nocase; distance:0; content:"Win32_LocalTime"; nocase; distance:0; content:"ActiveScriptEventConsumer"; nocase; distance:0; content:"JScript"; nocase; distance:0; content:"WScript.Shell"; nocase; distance:0; content:"WSH.run"; nocase; distance:0; content:".exe"; distance:0; content:"__FilterToConsumerBinding"; pcre:"/WSH\.run\x28\x5c+?[\x22\x27][a-z0-9_-]+?\.exe/"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015996; rev:3; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 ea 18 ab 15 ab 25 ad|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019330; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain"; content:"|00 01 00 01|"; content:"|00 04 cc 5f 63|"; distance:4; within:5; classtype:trojan-activity; sid:2018642; rev:2; metadata:created_at 2014_07_04, updated_at 2014_07_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Backdoor.Adwind Download 2"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"Adwin"; pcre:"/^[a-z0-9_-]*?\.class/Rsi"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99&tabid=3; reference:url,www.crowdstrike.com/blog/adwind-rat-rebranding/index.html; classtype:trojan-activity; sid:2018465; rev:6; metadata:created_at 2014_05_13, updated_at 2014_05_13;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert karinejoncas.com"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.karinejoncas.com"; distance:1; within:21; reference:md5,87bbf4bc45ef30507b1d239edc727067; classtype:trojan-activity; sid:2018690; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Corpsespyware.net Distribution - fesexy"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"fesexy.net"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002768; classtype:trojan-activity; sid:2002768; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert deslematin.ca"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|deslematin.ca"; distance:1; within:14; reference:md5,87bbf4bc45ef30507b1d239edc727067; classtype:trojan-activity; sid:2018691; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential FakeAV HTTP POST Check-IN (?r=)"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"User-Agent|3a| Microsoft Internet Explorer|0d 0a|"; http_header; nocase; content:"loads2.php?r="; nocase; http_uri; fast_pattern; pcre:"/loads2\.php\?r=[0-9]{2}\.[0-9]/Ui"; reference:url,doc.emergingthreats.net/2010594; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3190.420; reference:md5,94e13e13c6da5e32bde00bc527475bd2; classtype:trojan-activity; sid:2010594; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.newdomaininfo.ru"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018692; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert mypreschool.sg"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|mypreschool.sg"; distance:1; within:15; reference:md5,f186984320d0cf0a4fd501e50c7a40c5; classtype:trojan-activity; sid:2019337; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|duosecure.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018696; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Generic URLENCODED CollectGarbage"; flow:established,from_server; file_data; content:"%43%6f%6c%6c%65%63%74%47%61%72%62%61%67%65"; classtype:trojan-activity; sid:2019339; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,to_client; content:"|55 04 03|"; content:"|11|bloggershop.co.vu"; distance:1; within:19; nocase; reference:md5,fe56b5a28eac390aa8cfb1402360958b; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018494; rev:2; metadata:attack_target Client_and_Server, created_at 2014_05_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Protux.B Download Update"; flow:from_client,established; content:"Mozilla/4.2.20 (compatible|3B| MSIE 5.0.2|3B| Win32|29 0D 0A|"; http_header; reference:md5,0cab2e1959a2c9eaa3aed1f2e556bf17; classtype:trojan-activity; sid:2014361; rev:3; metadata:created_at 2012_03_10, updated_at 2012_03_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fake CDN Sweet Orange Gate July 17 2014"; flow:established,to_server; content:"GET"; http_method; urilen:>10; content:"?"; http_uri; offset:2; depth:1; content:"Host|3a 20|cdn"; http_header; fast_pattern:only; pcre:"/^\/[a-z]\?[a-z]=[0-9]{5,}$/U"; classtype:exploit-kit; sid:2018737; rev:2; metadata:created_at 2014_07_18, former_category CURRENT_EVENTS, updated_at 2014_07_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible CryptoLocker TorComponent DL"; flow:from_server,established; flowbits:isset,FakeIEMinimal; file_data; byte_extract:1,0,size,relative; content:"|00 00 00|"; within:3; content:!"|00|"; within:size; content:"|00|"; distance:size; within:1; pcre:"/^.\x00\x00\x00[a-z0-9]+?\x00/s"; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019345; rev:2; metadata:created_at 2014_10_03, former_category CURRENT_EVENTS, updated_at 2014_10_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com App and Search Bar Install (1)"; flow: to_server,established; content:"/vsn/ISA/"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000908; classtype:pup-activity; sid:2000908; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SpyClicker.ClickFraud Query Instructions CnC Response"; flow:established,to_client; content:"|0D 0A 0D 0A|{|22|query|22 3A|"; content:"|22|tasks|22 3A|"; distance:0; content:"|22|referer|22 3A|"; distance:0; content:"|22|useragent|22 3A|"; distance:0; content:"|22|clickurl|22 3A|"; distance:0; reference:url,stopmalvertising.com/malware-reports/anatomy-of-a-net-click-fraud-bot.html; reference:md5,17b077840ab874a8370c98c840b6c671; classtype:command-and-control; sid:2019357; rev:2; metadata:created_at 2014_10_06, former_category MALWARE, updated_at 2014_10_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com App and Search Bar Install (2)"; flow: to_server,established; content:"/Appinstall?app=VVSN"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000909; classtype:pup-activity; sid:2000909; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.Zonebac.D"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"cid="; nocase; http_uri;content:"&aid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&fw="; nocase; http_uri; content:"&v="; nocase; http_uri;content:"&m="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008682; classtype:trojan-activity; sid:2008682; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Clock Sync App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=clock"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000910; classtype:pup-activity; sid:2000910; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e1 57 49 5f fb bc c6 aa|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019360; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Weather App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=weather"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000911; classtype:pup-activity; sid:2000911; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 31 cd 1f 49 b2 be 4c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019361; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Clock Sync App Checkin (1)"; flow: to_server,established; content:"/clock?id="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000912; classtype:pup-activity; sid:2000912; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 42"; flow:to_server,established; dsize:>11; content:"|7c 01|"; offset:9; depth:2; byte_jump:4,-6,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]{5}.{4}\x7c\x01/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,6a6ef7b4c7e8300a73b206e32e14ce3c; classtype:command-and-control; sid:2019362; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Clock Sync App Checkin (2)"; flow: to_server,established; content:"/clockDB"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000913; classtype:pup-activity; sid:2000913; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Virut.A joining an IRC Channel"; flow:established,to_server; content:"JOIN &virtu"; depth:27; reference:md5,06b522eacdfe51bed5d041fd672e880f; reference:url,doc.emergingthreats.net/2003603; classtype:trojan-activity; sid:2003603; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Weather App Checkin (1)"; flow: to_server,established; content:"/weatherDB"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000914; classtype:pup-activity; sid:2000914; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TeslaCrypt)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|www.reomesoess.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019363; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Weather App Checkin (2)"; flow: to_server,established; content:"/weather?id="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000915; classtype:pup-activity; sid:2000915; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Smoke Loader C2 Response"; flow:established,from_server; content:"Content-Length|3a| 4|0d 0a|"; http_header; file_data; content:"Smk"; depth:3; fast_pattern; pcre:"/^\d+[\r\n]*?$/Rs"; classtype:command-and-control; sid:2015835; rev:7; metadata:created_at 2012_10_23, former_category MALWARE, updated_at 2012_10_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com WhenUSave App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=whenusave"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000916; classtype:pup-activity; sid:2000916; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic CollectGarbage in Hex"; flow:established,from_server; file_data; content:"|5c|x43|5c|x6f|5c|x6c|5c|x6c|5c|x65|5c|x63|5c|x74|5c|x47|5c|x61|5c|x72|5c|x62|5c|x61|5c|x67|5c|x65"; nocase; classtype:suspicious-filename-detect; sid:2019338; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_02, deployment Perimeter, former_category HUNTING, signature_severity Informational, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com WhenUSave Data Retrieval (offersdata)"; flow: to_server,established; content:"/OffersDataGZ?update="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000917; classtype:pup-activity; sid:2000917; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK Landing"; flow:established,from_server; file_data; content:"DetectFlashForMSIE()"; content:"DetectPdfForMSIE()"; content:"http|3a 2f 2f|localhost"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019367; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Desktop Bar Install"; flow: to_server,established; content:"/Appinstall?app=desktop"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000918; classtype:pup-activity; sid:2000918; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M2"; flow:established,from_server; file_data; content:"|5c|x3c|5c|x64|5c|x69|5c|x76|5c|x20|5c|x69|5c|x64|5c|x3d|5c|x22|5c|x6c|5c|x6f|5c|x6c|5c|x22"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019369; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com WhenUSave Data Retrieval (DataChunksGZ)"; flow: to_server,established; content:"/DataChunksGZ?update="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"svr="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2003404; classtype:pup-activity; sid:2003404; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M3"; flow:established,from_server; file_data; content:"1776_concat.swf"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019370; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Application Version Check"; flow: to_server,established; content:"/versions.html"; nocase; http_uri; content:"whenu.com"; nocase; http_header; fast_pattern; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2003389; classtype:pup-activity; sid:2003389; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-1347 M2"; flow:established,from_server; file_data; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 22 39 30 22 20 2b 20 22 39 30 22 29|"; nocase; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 22 39 30 22 20 2b 20 22 39 30 22 29|"; nocase; distance:0; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 70 61 72 73 65 49 6e 74 28|"; content:"|2e 73 75 62 73 74 72 28 30 2c 32 29 2c 31 36 29 2e 74 6f 53 74 72 69 6e 67 28 31 36 29|"; distance:4; within:29; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019372; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange redirection 21 July 2014"; flow:to_client,established; file_data; content:"jquery_datepicker=|27|"; pcre:"/[^0-9a-f]{1,3}68[^0-9a-f]{1,3}74[^0-9a-f]{1,3}74[^0-9a-f]{1,3}70[0-9a-f]{1,3}3a/Ri"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018751; rev:2; metadata:created_at 2014_07_22, former_category EXPLOIT_KIT, updated_at 2014_07_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic CollectGarbage in JJEncode (Observed in Sednit)"; flow:established,from_server; file_data; content:".__$+"; pcre:"/^(?P<sep>.{1,20})\.___\+(?P=sep)\._\$\$\+(?P=sep)\._\$\+\(\!\[\]\+\x22\x22\)\[(?P=sep)\._\$_\]\+\(\!\[\]\+\x22\x22\)\[(?P=sep)\._\$_\]\+(?P=sep)\.\$\$\$_\+(?P=sep)\.\$\$__\+(?P=sep)\.__\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.___\+(?P=sep)\.\$\$\$\+(?P=sep)\.\$_\$_\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.\$\$_\+(?P=sep)\._\$_\+(?P=sep)\.\$_\$\$\+(?P=sep)\.\$_\$_\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.\$__\+(?P=sep)\.\$\$\$\+(?P=sep)\.\$\$\$_\+/R"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019373; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT XMLDOM Check for Presence Kaspersky AV Observed in RIG EK"; flow:from_server,established; file_data; content:"loadXML"; nocase; content:"parseError"; content:"-2147023083"; fast_pattern:only; content:"|5c|kl1.sys"; nocase; pcre:"/^[\x22\x27]/Rs"; reference:url,research.zscaler.com/2014/07/de-obfuscating-dom-based-javascript.html; classtype:exploit-kit; sid:2018756; rev:2; metadata:created_at 2014_07_23, former_category CURRENT_EVENTS, updated_at 2014_07_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-3897 M1"; flow:established,from_server; file_data; content:"|5c|x76|5c|x61|5c|x72|5c|x20|5c|x73|5c|x74|5c|x72|5c|x3d|5c|x75|5c|x6e|5c|x65|5c|x73|5c|x63|5c|x61|5c|x70|5c|x65|5c|x28|5c|x22|5c|x25|5c|x75|5c|x31|5c|x34|5c|x31|5c|x34|5c|x25|5c|x75|5c|x31|5c|x34|5c|x31|5c|x34|5c|x22|5c|x29|5c|x3b"; nocase; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019374; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT XMLDOM Check for Presence TrendMicro AV Observed in RIG EK"; flow:from_server,established; file_data; content:"loadXML"; nocase; content:"parseError"; content:"-2147023083"; fast_pattern:only; content:"|5c|tm"; nocase; pcre:"/^(?:e(?:vtmgr|ext)|actmon|nciesc|EBC32|comm|tdi)\.sys[\x22\x27]/Rsi"; reference:url,research.zscaler.com/2014/07/de-obfuscating-dom-based-javascript.html; classtype:exploit-kit; sid:2018757; rev:2; metadata:created_at 2014_07_23, former_category CURRENT_EVENTS, updated_at 2014_07_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 10000: (msg:"ET DELETED Possible Sweet Orange Secondary Landing"; flow:established,to_server; content:"GET "; depth:4; pcre:"/(?:\/[a-z-]+)+\.php\?[a-z]+=[0-9]+[^\r\n]+HTTP\/1\.1/R"; content:"3 HTTP/1.1"; fast_pattern:only; classtype:exploit-kit; sid:2019351; rev:3; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert twitterbacklinks.com"; flow:established,from_server; content:"|55 04 03|"; content:"|18|www.twitterbacklinks.com"; distance:1; within:25; reference:md5,4cb5a748416b9f03d875245437344177; classtype:trojan-activity; sid:2018758; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Winreanimator.com Fake AV Install Attempt"; flow:established,to_server; content:"/inst.php?wmid="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&l="; nocase; http_uri; content:"&s="; nocase; http_uri; reference:url,www.winreanimator.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007865; classtype:trojan-activity; sid:2007865; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre Serial Number in SSL Cert"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f4 4b cc 89 9e b7 45 a8|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:md5,55f8682aab1089b68a8a391b927d7a74; classtype:trojan-activity; sid:2018759; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_23, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Job314 EK Payload Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/knock"; depth:6; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"Mozilla/5.0 (X11|3b| Ubuntu|3b| Linux x86_64|3b| rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; http_user_agent; classtype:command-and-control; sid:2019286; rev:4; metadata:created_at 2014_09_27, former_category MALWARE, updated_at 2014_09_27;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|sslbl.abuse.ch"; distance:1; within:15; content:"|1b|we_love_selfsigned@abuse.ch"; distance:0; reference:md5,73705a4a8b03e5f866fac821aaec273a; classtype:domain-c2; sid:2018767; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/SpyClicker.ClickFraud Click CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/click?sid="; http_uri; depth:11; content:"&cid="; http_uri; distance:0; pcre:"/&cid=\d+$/U"; reference:url,stopmalvertising.com/malware-reports/anatomy-of-a-net-click-fraud-bot.html; reference:md5,17b077840ab874a8370c98c840b6c671; classtype:command-and-control; sid:2019356; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, signature_severity Major, tag c2, updated_at 2014_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious SSL Cert With Script Tags"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"<script>"; content:"</script>"; distance:0; content:"|55 04 03|"; reference:md5,73705a4a8b03e5f866fac821aaec273a; classtype:domain-c2; sid:2018768; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 3653 (msg:"ET POLICY gogo6/Freenet6 Authentication Attempt"; content:"AUTHENTICATE|20|"; offset:8; pcre:"/^(?:ANONYMOUS|PASSDSS-3DES-1)\r\n/R"; threshold: type both, count 1, seconds 60, track by_src; classtype:policy-violation; sid:2019383; rev:1; metadata:created_at 2014_10_10, updated_at 2014_10_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert thelabelnashville.com"; flow:established,from_server; content:"|55 04 03|"; content:"|15|thelabelnashville.com"; distance:1; within:22; reference:md5,f75b9bffe33999339d189b1a3d8d8b4e; classtype:trojan-activity; sid:2018776; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fun Web Products Stampchooser Spyware"; flow: to_server,established; content:"/StampChooser.html?"; nocase; http_uri; content: "v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002307; classtype:policy-violation; sid:2002307; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert cactussports.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cactussports.com"; distance:1; within:17; reference:md5,fe557165290ae68b768591eb746fa1c5; classtype:trojan-activity; sid:2018777; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible TWiki RCE attempt"; flow:established,to_server; content:"debugenableplugins="; http_uri; pcre:"/debugenableplugins=[a-zA-Z0-9]+?\x3b/U"; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236; reference:cve,2014-7236; classtype:attempted-admin; sid:2019385; rev:2; metadata:created_at 2014_10_10, updated_at 2014_10_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert yellowdevilgear.com"; flow:established,from_server; content:"|55 04 03|"; content:"|17|www.yellowdevilgear.com"; distance:1; within:24; reference:md5,2def687d8159d7859e86855b6c4a20c8; classtype:trojan-activity; sid:2018778; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible TWiki Apache config file upload attempt"; flow:established,to_server; content:"POST"; http_method; content:"filename=|22 00|.htaccess"; http_client_body; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7237; reference:cve,2014-7237; classtype:attempted-admin; sid:2019386; rev:2; metadata:created_at 2014_10_10, updated_at 2014_10_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert michaelswinecellar.com"; flow:established,from_server; content:"|55 04 03|"; content:"|1a|www.michaelswinecellar.com"; distance:1; within:27; reference:md5,c9869431ad760912a553a63266173442; classtype:trojan-activity; sid:2018779; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|junrio.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018719; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert migsparkle.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|migsparkle.com"; distance:1; within:15; reference:md5,bc74dd7e0350ad7ad8f75ca0de6fb9dc; classtype:trojan-activity; sid:2018780; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|whaugirls.ru"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019388; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil XMLDOM Detection of Local File"; flow:from_server,established; file_data; content:"-2147023083"; nocase; fast_pattern:only; content:"res|3a 2f|"; nocase; content:"<!DOCTYPE html PUBLIC"; nocase; reference:url,alienvault.com/open-threat-exchange/blog/attackers-abusing-internet-explorer-to-enumerate-software-and-detect-securi/; classtype:trojan-activity; sid:2018783; rev:2; metadata:created_at 2014_07_25, updated_at 2014_07_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible SandWorm INF Download"; flow:to_client,established; file_data; content:"Software|5c|Microsoft|5c|Windows|5c|CurrentVersion|5c|Run"; nocase; content:"7EBEFBC0-3200-11d2-B4C2-00A0C9697D17"; nocase; content:"ClassGuid"; nocase; content:"DefaultInstall"; nocase; classtype:attempted-user; sid:2019395; rev:2; metadata:created_at 2014_10_14, former_category CURRENT_EVENTS, updated_at 2014_10_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|0d|fuck@abuse.ch"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018745; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible SandWorm INF Download (UNICODE)"; flow:to_client,established; file_data; content:"S|00|o|00|f|00|t|00|w|00|a|00|r|00|e|00 5c 00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|C|00|u|00|r|00|r|00|e|00|n|00|t|00|V|00|e|00|r|00|s|00|i|00|o|00|n|00 5c 00|R|00|u|00|n|00|"; nocase; content:"7|00|E|00|B|00|E|00|F|00|B|00|C|00|0|00 2d 00|3|00|2|00|0|00|0|00 2d 00|1|00|1|00|d|00|2|00 2d 00|B|00|4|00|C|00|2|00 2d 00|0|00|0|00|A|00|0|00|C|00|9|00|6|00|9|00|7|00|D|00|1|00|7"; nocase; content:"C|00|l|00|a|00|s|00|s|00|G|00|u|00|i|00|d|00|"; nocase; content:"D|00|e|00|f|00|a|00|u|00|l|00|t|00|I|00|n|00|s|00|t|00|a|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2019397; rev:2; metadata:created_at 2014_10_14, former_category CURRENT_EVENTS, updated_at 2014_10_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert server.abaphome.net"; flow:established,from_server; content:"|55 04 03|"; content:"|13|server.abaphome.net"; distance:1; within:20; reference:md5,cfe7cade32e463f0ef7efd134c56b5c8; classtype:trojan-activity; sid:2018790; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET [445,139] -> $HOME_NET any (msg:"ET MALWARE Possible SandWorm INF Download (SMB)"; flow:to_client,established; content:"Software|5c|Microsoft|5c|Windows|5c|CurrentVersion|5c|Run"; nocase; content:"7EBEFBC0-3200-11d2-B4C2-00A0C9697D17"; fast_pattern; nocase; content:"ClassGuid"; nocase; content:"DefaultInstall"; nocase; classtype:attempted-user; sid:2019398; rev:2; metadata:created_at 2014_10_14, former_category CURRENT_EVENTS, updated_at 2014_10_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert 1stopmall.us"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.1stopmall.us"; distance:1; within:17; reference:md5,b833914b8171bc8f400b41449c3ef06b; classtype:trojan-activity; sid:2018791; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET [445,139] -> $HOME_NET any (msg:"ET MALWARE Possible SandWorm INF Download (SMB UNICODE)"; flow:to_client,established; content:"S|00|o|00|f|00|t|00|w|00|a|00|r|00|e|00 5c 00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|C|00|u|00|r|00|r|00|e|00|n|00|t|00|V|00|e|00|r|00|s|00|i|00|o|00|n|00 5c 00|R|00|u|00|n|00|"; nocase; content:"7|00|E|00|B|00|E|00|F|00|B|00|C|00|0|00 2d 00|3|00|2|00|0|00|0|00 2d 00|1|00|1|00|d|00|2|00 2d 00|B|00|4|00|C|00|2|00 2d 00|0|00|0|00|A|00|0|00|C|00|9|00|6|00|9|00|7|00|D|00|1|00|7"; fast_pattern; nocase; content:"C|00|l|00|a|00|s|00|s|00|G|00|u|00|i|00|d|00|"; nocase; content:"D|00|e|00|f|00|a|00|u|00|l|00|t|00|I|00|n|00|s|00|t|00|a|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2019399; rev:3; metadata:created_at 2014_10_14, former_category CURRENT_EVENTS, updated_at 2014_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing June 28 2014"; flow:established,to_client; file_data; content:"t=|22|1|3b|url=about|3a|Tabs|22|"; content:"hex2bin"; fast_pattern:only; content:"eval"; pcre:"/^(?:[\x22\x27]\s*?\])?\(\s*?(?:\[[\x22\x27])?rc4(?:[\x22\x27]\s*?\])?\(\s*?[\x22\x27][^\x22\x27]+?[\x22\x27]\s*?,\s*?(?:\[[\x22\x27])?hex2bin(?:[\x22\x27]\s*?\])?\(/Rsi"; classtype:exploit-kit; sid:2018794; rev:5; metadata:created_at 2014_07_28, former_category CURRENT_EVENTS, updated_at 2014_07_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY ASProtect/ASPack Packed Binary"; flow:from_server,established; flowbits:isnotset,ET.http.binary; content:"|2E 61 73 70 61 63 6B|"; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,www.aspack.com/downloads.aspx; reference:url,bits.packetninjas.org/eblog/; reference:url,doc.emergingthreats.net/2008575; classtype:trojan-activity; sid:2008575; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Plugin Detect IE Exploit"; flow:established,to_client; file_data; content:"|2f|Trident|5c 2f|(|5c|d)|2f|"; content:"|7c|2551"; pcre:"/^[\x22\x27]/R"; distance:0; content:"|7c|3918"; pcre:"/^[\x22\x27]/R"; content:"|7c|0322"; pcre:"/^[\x22\x27]/R"; classtype:exploit-kit; sid:2018795; rev:5; metadata:created_at 2014_07_28, former_category CURRENT_EVENTS, updated_at 2014_07_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PPT Download with Embedded OLE Object"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"ppt/embeddings/oleObject"; classtype:misc-activity; sid:2019405; rev:6; metadata:created_at 2014_10_15, former_category CURRENT_EVENTS, updated_at 2014_10_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Plugin Detect Java Exploit"; flow:established,to_client; file_data; content:"getVersion"; nocase; content:"Java"; distance:0; content:"3544"; pcre:"/^[\x22\x27]/R"; distance:0; content:"2471"; pcre:"/^[\x22\x27]/R"; content:"2460"; pcre:"/^[\x22\x27]/R"; classtype:exploit-kit; sid:2018796; rev:5; metadata:created_at 2014_07_28, former_category CURRENT_EVENTS, updated_at 2014_07_28;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M2"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?c[\x0d\x0a]{0,2}H[\x0d\x0a]{0,2}B[\x0d\x0a]{0,2}0[\x0d\x0a]{0,2}L[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}t[\x0d\x0a]{0,2}Y[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}k[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}G[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}u[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}3[\x0d\x0a]{0,2}M[\x0d\x0a]{0,2}v[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}x[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}T[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}J[\x0d\x0a]{0,2}q[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}N[\x0d\x0a]{0,2}0/R"; classtype:misc-activity; sid:2019407; rev:2; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Plugin Detect Flash Exploit"; flow:established,to_client; file_data; content:"getVersion"; nocase; content:"Flash"; distance:0; content:"0515"; pcre:"/^[\x22\x27]/R"; distance:0; content:"0634"; pcre:"/^[\x22\x27]/R"; content:"0497"; pcre:"/^[\x22\x27]/R"; classtype:exploit-kit; sid:2018797; rev:5; metadata:created_at 2014_07_28, former_category CURRENT_EVENTS, updated_at 2014_07_28;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M3"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?c[\x0d\x0a]{0,2}H[\x0d\x0a]{0,2}Q[\x0d\x0a]{0,2}v[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}1[\x0d\x0a]{0,2}i[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}R[\x0d\x0a]{0,2}k[\x0d\x0a]{0,2}a[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}5[\x0d\x0a]{0,2}n[\x0d\x0a]{0,2}c[\x0d\x0a]{0,2}y[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}v[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}G[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}P[\x0d\x0a]{0,2}Y[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}p[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}Y[\x0d\x0a]{0,2}3/R"; classtype:misc-activity; sid:2019408; rev:2; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Infostealer.KLPROXY Checkin via SMTP"; flow:to_server,established; content:"Subject|3a|"; content:"C-H-E-G-O A-V-I-S-O! |2e 3a 3a|Infect|3a 3a 2e|"; distance:5; within:33; reference:md5,422ce789b284eb5aa32124a6bbe86000; classtype:command-and-control; sid:2018798; rev:2; metadata:created_at 2014_07_29, former_category MALWARE, updated_at 2014_07_29;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M4"; flow:established,to_server; content:"cHB0L2VtYmVkZGluZ3Mvb2xlT2JqZWN0"; classtype:misc-activity; sid:2019409; rev:2; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible ShellCode Passed as Argument to FlashVars"; flow:from_server,established; file_data; content:",0x"; fast_pattern; content:",0x"; distance:8; within:3; content:",0x"; distance:8; within:3; content:"FlashVars"; nocase; content:"<param"; nocase; pcre:"/^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27][^=\x22\x27]+=(?:0x[a-f0-9]{8},){15}/Rsi"; classtype:trojan-activity; sid:2018785; rev:3; metadata:created_at 2014_07_26, updated_at 2014_07_26;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M5"; flow:established,to_server; content:"cHQvZW1iZWRkaW5ncy9vbGVPYmplY3"; classtype:misc-activity; sid:2019410; rev:2; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert host-galaxy.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|host-galaxy.com"; distance:1; within:16; reference:md5,83c2eb9a2a5315e7fc15d85387886a19; classtype:trojan-activity; sid:2018802; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M6"; flow:established,to_server; content:"BwdC9lbWJlZGRpbmdzL29sZU9iamVjd"; classtype:misc-activity; sid:2019411; rev:2; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert fxbingpanel.fareexchange.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|1e|fxbingpanel.fareexchange.co.uk"; distance:1; within:31; reference:md5,3c4e0c0e4dbe2bf0e4d3ca825b95209c; classtype:trojan-activity; sid:2018803; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 85 d5 29 cf 78 44 88 25|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019414; rev:3; metadata:attack_target Client_and_Server, created_at 2014_10_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert 66h.66hosting.net"; flow:established,from_server; content:"|55 04 03|"; content:"|11|66h.66hosting.net"; distance:1; within:18; reference:md5,f9c0bc6e8c08acbe520df0ab6efcd962; classtype:trojan-activity; sid:2018804; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Sweet Orange redirection Oct 8 2014"; flow:established,to_client; file_data; content:"String.fromCharCode(parseInt|28 28|"; pcre:"/^\s*?(?P<var1>[^\x29\x5b]+)\x5b\s*?(?P<cntr>[^\x5d]+)\s*?\x5d\s*?\+\s*?(?P=var1)\x5b\s*?(?P=cntr)\s*?\+\s*?1\s*?\x5d\s*?\x29\s*?,\s*?16\s*?\x29\s*?\^\s*?parseInt\x28\x28\s*?(?P<var2>[^\x29\x5b]+)\x5b\s*?(?P=cntr)\s*?\x5d\s*?\+\s*?(?P=var2)\x5b\s*?(?P=cntr)\s*?\+\s*?1\s*?\x5d\s*?\x29\s*?,\s*16\s*?\x29\x29\s*?\x3b\s*?(?P=cntr)\s*?\+=\s*?2\s*?\x3b/Rs"; reference:url,malware-traffic-analysis.net/2014/10/06/index2.html; classtype:exploit-kit; sid:2019375; rev:4; metadata:created_at 2014_10_09, former_category CURRENT_EVENTS, updated_at 2014_10_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert businesswebstudios.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|businesswebstudios.com"; distance:1; within:23; reference:md5,b8ca6c78deeb448421073a65f708c34e; classtype:trojan-activity; sid:2018805; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack Payload URI Struct Oct 16 2014"; flow:established,to_server; content:"/loxotrap.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2019456; rev:2; metadata:created_at 2014_10_16, updated_at 2014_10_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert udderperfection.com"; flow:established,from_server; content:"|55 04 03|"; content:"|17|www.udderperfection.com"; distance:1; within:24; reference:md5,c8020934a53e888059e734b934043794; classtype:trojan-activity; sid:2018806; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK CVE-2014-0515 Aug 24 2014"; flow:established,to_server; content:"GET"; http_method; content:"flashhigh.swf"; fast_pattern:only; http_uri; pcre:"/^\/(?:pruncd)?flashhigh\.swf$/U"; classtype:exploit-kit; sid:2018995; rev:4; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK CDN Landing Page"; flow:established,to_server; content:"GET"; http_method; content:"stargalaxy.php?nebula="; http_uri; reference:url,malware-traffic-analysis.net/2014/07/24/index.html; classtype:exploit-kit; sid:2018786; rev:3; metadata:created_at 2014_07_26, former_category CURRENT_EVENTS, updated_at 2014_07_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK CVE-2014-0497 Aug 24 2014"; flow:established,to_server; content:"flashlow.swf"; http_uri; fast_pattern:only; pcre:"/^\/(?:pruncd)?flashlow\.swf$/U"; classtype:exploit-kit; sid:2018996; rev:3; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DYNAMIC_DNS HTTP Request to *.passinggas.net Domain (Sitelutions)"; flow:established,to_server; content:".passinggas.net"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.passinggas\.net(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018847; rev:2; metadata:created_at 2014_07_30, updated_at 2014_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK SilverLight URI Struct"; flow:to_server,established; content:"silverapp1.xap"; http_uri; fast_pattern:only; pcre:"/^\/(?:pruncd)?silverapp1\.xap$/U"; classtype:exploit-kit; sid:2019097; rev:3; metadata:created_at 2014_08_30, former_category CURRENT_EVENTS, updated_at 2014_08_30;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DYNAMIC_DNS Query to *.passinggas.net Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|0a|passinggas|03|net|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018848; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE1"; flow:established,to_server; content:"/YXJyYWtpczAy/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019461; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert www.senorwooly.com"; flow:established,from_server; content:"|55 04 03|"; content:"|12|www.senorwooly.com"; distance:1; within:19; reference:md5,c860eee9ca6a7c570b3b4cd7b8e2cd17; classtype:trojan-activity; sid:2018849; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE2"; flow:established,to_server; content:"/aG91c2VhdHJlaWRlczk0/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019462; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert ns2.sicher.in"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|ns2.sicher.in"; distance:1; within:14; reference:md5,c860eee9ca6a7c570b3b4cd7b8e2cd17; classtype:trojan-activity; sid:2018850; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE3"; flow:established,to_server; content:"/QmFzaGFyb2Z0aGVTYXJkYXVrYXJz/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019463; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|badsokspad.in"; distance:1; within:14; reference:md5,c4fe829fc49bb9efec92fe4a8a5d29fc; classtype:domain-c2; sid:2018852; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE4"; flow:established,to_server; content:"/U2FsdXNhU2VjdW5kdXMy/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019464; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
 
-#alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET PHISHING Possible Phishing E-ZPass Email Toll Notification July 30 2014"; flow:to_server,established; content:"|0d 0a|Subject|3a|"; nocase; content:"toll road"; distance:2; within:75; nocase; content:"|0d 0a|From|3a|"; nocase; content:"E-ZPass"; distance:2; within:10; nocase; fast_pattern; reference:url,isc.sans.edu/forums/diary/E-ZPass+phishing+scam/18389; classtype:social-engineering; sid:2018853; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_07_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE5"; flow:established,to_server; content:"/ZXBzaWxvbmVyaWRhbmkw/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019465; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a *.rr.nu domain"; flow:established,to_server; content:".rr.nu|0D 0A|"; http_header; classtype:bad-unknown; sid:2012330; rev:5; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|13|www.arrystreamre.ru"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019466; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert chinasemservice.com"; flow:established,from_server; content:"|55 04 03|"; content:"|13|chinasemservice.com"; distance:1; within:20; reference:md5,c2ecc111018491cee3853e2c93472bb9; classtype:trojan-activity; sid:2018868; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Spy.KeyLogger.ODN Exfiltrating Data"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"pcname="; depth:7; http_client_body; content:"&note="; distance:0; http_client_body; content:"&country="; distance:0; http_client_body; content:"&user="; distance:0; http_client_body; content:"&log="; distance:0; http_client_body; content:!"Referer|3a|"; http_header; reference:md5,4e83c405f35efd128ab8c324c12dbde9; classtype:trojan-activity; sid:2019468; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert ns7-777.777servers.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|ns7-777.777servers.com"; distance:1; within:23; reference:md5,b5b97b4da688aaa6ddbdb6a6e567ffba; classtype:trojan-activity; sid:2018870; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET [443,465,993,995,25] -> $HOME_NET any (msg:"ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack"; flow:established,from_server; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019416; rev:3; metadata:created_at 2014_10_15, updated_at 2014_10_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert adodis.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|adodis.com"; distance:1; within:11; reference:md5,cca48e10973344ccc4e995be8e151176; classtype:trojan-activity; sid:2018871; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b4 9e 90 15 d2 12 7f c0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019477; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert power2.mschosting.com"; flow:established,from_server; content:"|55 04 03|"; content:"|15|power2.mschosting.com"; distance:1; within:22; reference:md5,fb89ab865465d9bf38e24af73cdcd656; classtype:trojan-activity; sid:2018881; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Job314 EK URI Landing Struct"; flow:established,to_server; content:".html?action=lnd"; http_uri; pcre:"/\?action=lnd$/U"; classtype:exploit-kit; sid:2019480; rev:2; metadata:created_at 2014_10_20, former_category CURRENT_EVENTS, updated_at 2014_10_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows Command Prompt OUTBOUND"; flow:established,to_server; content:"Microsoft Windows"; content:"[Version|20|"; distance:0; pcre:"/^\d\.\d\.\d{4}\]\r\n\(C\)\x20Copyright\x20\d{4}(\x2d\d{4})?\x20Microsoft Corp(:?\.|oration)/Ri"; content:"|0d 0a 0d 0a|C|3a 5c 3e|"; fast_pattern; distance:0; isdataat:!2,relative; classtype:trojan-activity; sid:2018885; rev:2; metadata:created_at 2014_08_04, updated_at 2014_08_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Job314 EK URI Exploit/Payload Struct"; flow:established,to_server; content:"?action="; http_uri; content:"&exp="; http_uri; fast_pattern; pcre:"/\?action=(?:pld|exp)&exp=/U"; classtype:exploit-kit; sid:2019479; rev:3; metadata:created_at 2014_10_20, former_category CURRENT_EVENTS, updated_at 2014_10_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MOBILE_MALWARE Android/Trogle.A Possible Exfiltration of SMS via SMTP"; flow:established,to_server; content:"MAIL FROM|3a|<a137736513@qq.com>"; nocase; reference:md5,ef819779fc4bee6117c124fb752abf57; classtype:trojan-activity; sid:2018887; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_08_04, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IRCBot.DDOS Common Commands"; flow:established,to_client; content:"PRIVMSG "; depth:8; pcre:"/^[^\r\n]*?\x3a[^\r\n]*?(?:port(?:scan)?|udp[1-3]|tcp|http|download)[^\r\n]+?(?:\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}|https?\x3A\x2F\x2F)/Ri"; reference:md5,ef54080af1782dd29356032b7ff20849; classtype:trojan-activity; sid:2019471; rev:3; metadata:created_at 2014_10_20, updated_at 2014_10_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BitcoinMiner C2 SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|19|www.webanalyticsystem.com"; distance:1; within:26; reference:url,www.malware-traffic-analysis.net/2014/07/28/index.html; classtype:coin-mining; sid:2018896; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_08_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Coinminer, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IRC Bot Common PRIVMSG Commands"; flow:established,to_client; content:"PRIVMSG "; depth:8; pcre:"/^[^\r\n]*?(?:p[ao]rt|udp|c?tcp|http|d(?:ie|ownload)|mail|c?back|(?:msg|notice)?flood)/Ri"; classtype:trojan-activity; sid:2019486; rev:1; metadata:created_at 2014_10_21, updated_at 2014_10_21;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert tradeledstore.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|15 2a 2e|tradeledstore.co.uk"; distance:1; within:22; reference:md5,5b447247c8778b91650e0a9c2e36b1e6; classtype:trojan-activity; sid:2018898; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack Payload URI Struct Oct 22 2014"; flow:established,to_server; content:"/ldcigar.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2019487; rev:2; metadata:created_at 2014_10_22, updated_at 2014_10_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK Variant Landing Page - Applet Sep 16 2013"; flow:established,to_client; file_data; content:".class"; nocase; fast_pattern:only; content:"<param"; nocase; content:"value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\?\&]e=\d+[\x22\x27]/R"; classtype:exploit-kit; sid:2017474; rev:4; metadata:created_at 2013_09_17, former_category EXPLOIT_KIT, updated_at 2013_09_17;)
+alert udp $HOME_NET 5351 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response Successful TCP Map to External Network"; dsize:16; content:"|82 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019491; rev:2; metadata:created_at 2014_10_22, updated_at 2014_10_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing 07/22/13 2"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"param"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017169; rev:4; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2013_07_23;)
+alert udp $HOME_NET 5351 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response Successful UDP Map to External Network"; dsize:16; content:"|81 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019492; rev:2; metadata:created_at 2014_10_22, updated_at 2014_10_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT libpng tRNS overflow attempt"; flow: established,to_client; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:!"PLTE"; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; reference:cve,CAN-2004-0597; reference:url,doc.emergingthreats.net/bin/view/Main/2001058; classtype:attempted-admin; sid:2001058; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET [443,465,993,995,25] -> any any (msg:"ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack"; flow:established,to_client; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019415; rev:3; metadata:created_at 2014_10_15, updated_at 2014_10_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"unescape"; nocase; fast_pattern:only; content:"[|22|replace|22|]("; nocase; content:"/g"; distance:0; pcre:"/^[\r\n\s]*?\,[\r\n\s]*?[\x22\x27][\%\\]u"/Rsi"; classtype:exploit-kit; sid:2017487; rev:4; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SSL SinkHole Cert Possible Infected Host"; flow:established,from_server; content:"|14|www.kitchensinks.n0t"; nocase; classtype:trojan-activity; sid:2019503; rev:2; metadata:created_at 2014_10_24, updated_at 2014_10_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SigPlus Pro 3.74 ActiveX LCDWriteString Method Remote Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"69A40DA3-4D42-11D0-86B0-0000C025864A"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; distance:0; content:"|2e|LCDWriteString"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*69A40DA3-4D42-11D0-86B0-0000C025864A\s*}?(.*)\>/si"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*D27CDB6E-AE6D-11cf-96B8-444553540000\s*}?(.*)\>/si"; reference:cve,2010-2931; reference:url,www.exploit-db.com/exploits/14514/; classtype:attempted-user; sid:2012134; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BlackEnergy SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9a ba cb 13 6d 76 5b 79|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-the-scada-connection; classtype:trojan-activity; sid:2019504; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MS13-055 CAnchorElement Use-After-Free"; flow:established,from_server; file_data; content:".outer"; fast_pattern; pcre:"/^(?:Text|HTML)[\r\n\s]*?=[\r\n\s]*?(?:\x22\x22|\x27\x27)/Ri"; content:".getElementById("; nocase; content:"<span"; nocase; content:"on"; pcre:"/^(?:(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; content:"<table"; nocase; pcre:"/^((?!<table>).)+?<tr[\r\n\s\>]((?!<\/tr>).)*?<span[\r\n\s\>]((?!<\/span>).)*?<(?:[QU]|S(?:TR(?:IKE|ONG)|U[BP]|MALL|AMP)?|B(?:LINK|DO|IG)?|A(?:CRONYM|BBR)|R(?:[PT]|UBY)|(?:NOB|VA)R|C(?:IT|OD)E|D(?:EL|FN)|I(?:NS)?|KBD|EM|TT)[^>]*?\bid[\r\n\s]*?=/Rsi"; classtype:attempted-user; sid:2017463; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_13, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BlackEnergy SSL Cert"; flow:from_server,established; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0b|"; distance:0; content:"|07|NETWORK"; distance:1; within:8; content:"|55 04 03|"; distance:0; content:"|0d|144.76.119.48"; distance:1; within:14; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-the-scada-connection; classtype:trojan-activity; sid:2019505; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument ActiveXObject Uninitialized Memory Corruption Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"MSXML2."; fast_pattern; content:"DOMDocument"; within:23; content:"definition"; nocase; pcre:"/MSXML2\.(FreeThreaded)?DOMDocument(\.[3-6]\.0)?/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-user; sid:2015556; rev:21; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV CryptMEN - Landing Page Download Contains .hdd_icon"; flow:established,to_client; content:".hdd_icon"; content:!"nmap.org"; content:!"seclists.org"; classtype:bad-unknown; sid:2011921; rev:7; metadata:created_at 2010_11_11, updated_at 2010_11_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dyre SSL Self-Signed Cert Aug 06 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|94.23.236.54"; distance:1; within:13; reference:md5,384a3c3a250341aa7f7c6aba11467afb; classtype:trojan-activity; sid:2018903; rev:2; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DarkComet-RAT init connection"; flow:from_server,established; dsize:12; content:"|38 45 41 34 41 42 30 35 46 41 37 45|"; flowbits:set,ET.DarkCometJoin; reference:url,www.darkcomet-rat.com; reference:url,anubis.iseclab.org/?action=result&task_id=1a7326f61fef1ecb4ed4fbf3de3f3b8cb&format=txt; classtype:trojan-activity; sid:2013283; rev:4; metadata:created_at 2011_07_18, updated_at 2011_07_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing 07/22/13 3"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"jnlp_"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017170; rev:5; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2013_07_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert Oct 24 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e6 91 76 a5 11 ca 47 2d|"; within:35; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|04|none"; distance:1; within:5; content:"|55 04 08|"; distance:0; content:"|0c|Someprovince"; distance:1; within:13; reference:md5,35f6b510f94bd96ed9bc44e1f7bf7f38; classtype:trojan-activity; sid:2019506; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing 07/22/13 4"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:".jar"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017171; rev:4; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2013_07_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert www.tradeledstore.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|17|www.tradeledstore.co.uk"; distance:1; within:24; reference:md5,b12730a51341a8bfaa5c7d7e4421fe6c; classtype:trojan-activity; sid:2019507; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 00|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018904; rev:6; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Backoff CnC)"; flow:from_server,established; content:"|55 04 08|"; content:"|0a|Some-State"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0d|cyberwise.biz"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019516; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 02|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018905; rev:6; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0e|rikitifer.info"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019517; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 04|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018906; rev:6; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP undefined code"; icode:>18; classtype:misc-activity; sid:2100197; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag true)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 06|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018907; rev:5; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Outoing Message"; flow:to_server,established; content:"<message"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100233; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|googleforking.com"; distance:1; within:18; tls.fingerprint:"4c:1c:1a:aa:58:80:31:74:58:79:8a:04:db:76:42:8e:ce:55:f1:40"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018703; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Outgoing Traffic"; flow:to_server,established; content:"<stream"; nocase; reference:url,www.google.com/talk/; classtype:not-suspicious; sid:2100230; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Trojan-Spy.Win32.HavexSysinfo Response"; flow:from_server,established; file_data; content:"<!--havexhavex-->"; fast_pattern:only; reference:url,securelist.com/blog/research/65240/energetic-bear-more-like-a-crouching-yeti/; reference:md5,bdd1d473a56607ec366bb2e3af5aedea; reference:url,802bba9d078a09530189e95e459adcdf; classtype:trojan-activity; sid:2018921; rev:2; metadata:created_at 2014_08_11, updated_at 2014_08_11;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Outgoing Auth"; flow:to_server,established; content:"<auth"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100231; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Applet"; flow:established,from_server; file_data; content:"/x-java-applet"; fast_pattern:only; content:"spl"; nocase; pcre:"/^[\x22\x27]/R"; content:"<object"; nocase; pcre:"/^(?=(?:(?!<\/object>).)+?codebase\s*?=\s*?[\x22\x27]spl[\x22\x27])(?=(?:(?!<\/object>).)+?\/x-java-applet)/Rsi"; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018922; rev:2; metadata:created_at 2014_08_12, former_category CURRENT_EVENTS, updated_at 2014_08_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Log Out"; flow:to_server,established; content:"</stream"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100234; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"fawa/"; nocase; pcre:"/^[\w.]*?\.class/Rsi"; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018923; rev:2; metadata:created_at 2014_08_12, former_category CURRENT_EVENTS, updated_at 2014_08_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Google Talk Startup"; flow: established,to_server; content:"google.com"; nocase; content:"jabber|3A|client"; nocase; threshold: type limit, track by_src, count 1, seconds 300; classtype:policy-violation; sid:2100877; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"a/hidden.class"; nocase; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018924; rev:2; metadata:created_at 2014_08_12, former_category CURRENT_EVENTS, updated_at 2014_08_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Google Talk Logon"; flow:to_server,established; content:"<stream|3a|stream to=\"gmail.com\""; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100232; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool obfuscated plugindetect in charcodes w/o sep Jul 10 2013"; flow:established,from_server; file_data; content:"<div>"; content:!"<"; within:1000; pcre:"/^([0-9a-z]{8})?(?P<p>[0-9a-z]{2})(?P<d>(?!(?P=p))[0-9a-z]{2})(?P=p)(?P=d)([0-9a-z]{2}){10}(?P<q>[0-9a-z]{2})[0-9a-z]{2}(?P<dot>[0-9a-z]{2})[0-9a-z]{2}(?P=dot)[0-9a-z]{2}(?P=q)/R"; classtype:trojan-activity; sid:2017346; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"GPL CHAT Jabber/Google Talk Logon Success"; flow:to_client,established; content:"<success"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100235; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Feb 04 2012"; flow:established,from_server; file_data; content:"applet"; content:"Ojj"; within:300; content:"Dyy"; within:300; classtype:bad-unknown; sid:2016341; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_02_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"GPL CHAT Jabber/Google Talk Incoming Message"; flow:to_client,established; content:"<message"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100236; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PRISM Backdoor"; content:"PRISM v"; pcre:"/^\d+?\.\d+?\sstarted/R"; classtype:trojan-activity; sid:2017314; rev:3; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Likely SweetOrange EK Flash Exploit URI Struct"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/\/(?=[a-z0-9]{0,10}[A-Z])(?=[A-Z0-9]{0,10}[a-z])[A-Z-a-z0-9]{5,11}$/U"; pcre:"/^Referer\x3a[^\r\n]+\x3a\d{1,5}\/[^\r\n]*?[a-z]+?\.php\?[a-z]+?=\d/Hm"; classtype:exploit-kit; sid:2019543; rev:2; metadata:created_at 2014_10_28, former_category CURRENT_EVENTS, updated_at 2014_10_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Archie.EK PluginDetect URI Struct"; flow:to_server,established; content:"/log.html?"; http_uri; content:"java="; http_uri; content:"gie="; http_uri; content:"header="; http_uri; classtype:exploit-kit; sid:2018930; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED SAP WAS syscmd access"; flow:to_server,established; content:"/sap/bc/BSp/sap/menu/frameset.htm"; http_uri; nocase; content:"sap-syscmd"; http_uri; nocase; reference:url,www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf; classtype:web-application-activity; sid:2100183; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Archie.EK CVE-2013-2551 URI Struct"; flow:to_server,established; content:"/ie8910.html"; http_uri; classtype:exploit-kit; sid:2018931; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Potential Sofacy Phishing Redirect"; flow:established,to_client; file_data; content:"|22 5c|x6C|5c|x6F|5c|x63|5c|x61|5c|x74|5c|x69|5c|x6F|5c|x6E"; nocase; content:"window[_0x"; content:"[1]][_0x"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/phresh-phishing-against-government-defence-and-energy.html; classtype:targeted-activity; sid:2019540; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_10_28, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,to_client; content:"|55 04 03|"; content:"|12|alohafriends12.com"; distance:1; within:19; reference:md5,9c98ef776a651cc4269acde3755d3a5a; classtype:domain-c2; sid:2018935; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MyWay Spyware Posting Activity Report - Dell Related"; flow:to_server,established; content:"/script/bzDellHpData.js?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003621; classtype:trojan-activity; sid:2003621; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1f|kpai7ycr7jxqkilp.totortoweb.com"; distance:1; within:32; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018939; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/ZxShell Server Checkin Response"; flow:established,from_server; dsize:16; content:"|85 19 00 00 25 04 00 00|"; depth:8; reference:url,blogs.cisco.com/talos/opening-zxshell/; classtype:command-and-control; sid:2019587; rev:1; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2014_10_29;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible ClickFraud Trojan Socks5 Connection"; flow:to_server,established; content:"socks5init|3a|"; depth:11; threshold: type limit,track by_src, count 1, seconds 300; flowbits:set,ET.2018855; reference:md5,2a0e042fdb2d85c2abf8bd35499ee1aa; reference:md5,c4d3db0eadc650372225d0093cd442ba; reference:md5,4c1f7c4f6d00869a6fca9fdcbadc9633; classtype:trojan-activity; sid:2018855; rev:2; metadata:created_at 2014_07_30, updated_at 2014_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/ZxShell Checkin"; flow:established,from_server; dsize:16; content:"|86 19 00 00 04 01 00 00|"; depth:8; reference:url,blogs.cisco.com/talos/opening-zxshell/; classtype:command-and-control; sid:2019588; rev:1; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2014_10_29;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ClickFraud Trojan Socks5 Init Response"; flow:established,from_server; flowbits:isset,ET.2018855; dsize:6<>9; content:"|fe|"; depth:1; content:"|1f|"; distance:4; within:1; reference:md5,de31e17ff4b3791c92a93b72d779e61f; classtype:trojan-activity; sid:2018941; rev:2; metadata:created_at 2014_08_14, updated_at 2014_08_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|b6 8b ac d3 d7 e0 e7 36 f0 b5 63 65 1e 1a 31 ae|"; offset:16; depth:16; reference:md5,184a9d13616702154fb10ff9c5d67041; classtype:command-and-control; sid:2019589; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|koskoskos11.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018942; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|01 ec 7e 05 1d 5f 65 ab db 1c df 93 99 cd 06 21|"; offset:16; depth:16; reference:md5,09d4c2f1f24fbdcb1c286b2f4c5589d2; classtype:command-and-control; sid:2019590; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|atspotfto.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018943; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|52 13 34 da 18 3d 2f 45 a2 09 93 52 01 23 51 e3|"; offset:16; depth:16; reference:md5,ca22207c5441a100437b75d7ce0d3fe2; classtype:command-and-control; sid:2019591; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.securessl.in"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018944; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|52 13 34 da 18 3d 2f 45 a2 09 93 52 01 23 51 e3|"; offset:16; depth:16; reference:md5,2b825e46ae60a9d15b5a731e57410425; classtype:command-and-control; sid:2019592; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|zao-sky.ru"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018947; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|3e 5c d1 68 e7 8c 47 8c ea 2f da 02 fe 43 62 47|"; offset:16; depth:16; reference:md5,afc4d73bde2a536d7a9b7596288ce180; classtype:command-and-control; sid:2019593; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Aug 16 2014"; flow:established,to_client; file_data; content:"0|22 29 3b 0a 0d 0a|</script>"; pcre:"/^\s*?<script>\s*?(?P<func>[A-Za-z0-9]+)\s*?\(\s*?[\x22\x27](?P<var>[^1\x22\x27]+)1[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>\s*?(?P=func)\s*?\(\s*?[\x22\x27](?P=var)2[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>\s*?(?P=func)\s*?\(\s*?[\x22\x27](?P=var)3[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>/Rsi"; classtype:exploit-kit; sid:2018950; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_08_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Plugin-Detect Post"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"=0oPDPAP6Prooodj"; http_client_body; fast_pattern; classtype:exploit-kit; sid:2019594; rev:2; metadata:created_at 2014_10_30, former_category CURRENT_EVENTS, updated_at 2014_10_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Encoded Shellcode IE"; flow:established,from_server; file_data; content:"|f1 f4 c2 a2 8b 34 6e 68|"; within:8; classtype:exploit-kit; sid:2018954; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FlashPack Payload Download Oct 29"; flow:established,to_server; content:"/lofla1.php"; http_uri; classtype:trojan-activity; sid:2019595; rev:2; metadata:created_at 2014_10_30, former_category CURRENT_EVENTS, updated_at 2014_10_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Encoded Shellcode Silverlight"; flow:established,from_server; file_data; content:"|f1 fc f4 ff 87 6a 66 67|"; within:8; classtype:exploit-kit; sid:2018955; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlashPack Secondary Landing Oct 29"; flow:established,from_server; file_data; content:"Windows%20"; within:10; content:"<br>|0d 0a|"; within:10; pcre:"/^\d/R"; content:"FlashVars=|22|exec="; pcre:"/^(?!687474703a2f2f)(?P<h>[a-f0-9]{2})(?P<t>[a-f0-9]{2})(?P=t)(?P<p>[a-f0-9]{2})(?P<colon>[a-f0-9]{2})(?P<slash>[a-f0-9]{2})(?P=slash)/R"; classtype:trojan-activity; sid:2019596; rev:2; metadata:created_at 2014_10_30, former_category CURRENT_EVENTS, updated_at 2014_10_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Encoded Shellcode Flash"; flow:established,from_server; file_data; content:"|e7 c4 a6 c1 9d 79 53 59|"; within:8; classtype:exploit-kit; sid:2018956; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Likely SweetOrange EK Java Exploit Struct (JNLP)"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".jnlp"; http_uri; pcre:"/\/(?=[a-z]*?[A-Z])(?=[A-Z]*?[a-z])[A-Z-a-z]{18}\.jnlp$/U"; classtype:exploit-kit; sid:2019600; rev:3; metadata:created_at 2014_10_30, former_category CURRENT_EVENTS, updated_at 2014_10_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Encoded Shellcode Java"; flow:established,from_server; file_data; content:"|d6 e2 ff c3 a1 75 39 68|"; within:8; classtype:exploit-kit; sid:2018957; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a9 39 70 34 44 e2 04 31|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019603; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ZeroLocker EXE Download"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|5c 50 72 6f 6a 65 63 74 73 5c 5a 65 72 6f 4c 6f 63 6b 65 72 5c|"; reference:url,securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-rescue/; reference:url,webroot.com/blog/2014/08/14/zero-locker/; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-081521-4509-9; classtype:trojan-activity; sid:2018963; rev:2; metadata:created_at 2014_08_19, former_category CURRENT_EVENTS, updated_at 2014_08_19;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ropest.H CnC - INBOUND set"; flow:established,from_server; content:"|28 00 00 00 00 01 00 00|"; depth:8; flowbits:set,ET.Zberp; flowbits:noalert; reference:md5,a0d843b52e33ba4f1dc72f5a28729806; classtype:command-and-control; sid:2025068; rev:1; metadata:created_at 2014_10_30, former_category MALWARE, updated_at 2017_11_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malvertising Leading to EK Aug 19 2014 M3"; flow:established,from_server; file_data; content:"<script>function z("; content:"createElement|28 22|iframe|22 29|"; distance:0; content:".style.left = |22|-"; content:".style.top = |22|-"; content:"|3b|}z()|3b|</script></body></html>"; distance:0; fast_pattern; classtype:exploit-kit; sid:2018965; rev:2; metadata:created_at 2014_08_20, former_category CURRENT_EVENTS, updated_at 2014_08_20;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ropest.H CnC - INBOUND"; flow:established,from_server; flowbits:isset,ET.Zberp; dsize:24; content:"|10 00 00 00 00 01 00 00|"; depth:8; reference:md5,a0d843b52e33ba4f1dc72f5a28729806; classtype:command-and-control; sid:2025069; rev:1; metadata:created_at 2014_10_30, former_category MALWARE, updated_at 2017_11_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malvertising Leading to EK Aug 19 2014 M1"; flow:established,from_server; file_data; content:"readed|3b| max-age"; fast_pattern:only; content:"document.cookie"; pcre:"/^\s*?=\s*?[\x22\x27](?P<var>[^\s\x3b]+)\s*?=\s*?readed\x3b.*?document.cookie.indexOf\s*?\(\s*?[\x22\x27](?P=var)[\x22\x27]/Rsi"; content:".top"; pcre:"/^\s*?=\s*?[\x22\x27]\-/Rsi"; classtype:exploit-kit; sid:2018966; rev:2; metadata:created_at 2014_08_20, former_category CURRENT_EVENTS, updated_at 2014_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER WEB-IIS Remote IIS Server Name spoof attempt loopback IP"; flow:to_server,established; content:"http|3a|//127.0.0.1"; pcre:"/http\x3A\/\/127\.0\.0\.1\/.*\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:2100139; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malvertising Leading to EK Aug 19 2014 M2"; flow:established,from_server; file_data; content:"readed|3b| max-age"; fast_pattern:only; content:"document.cookie.indexOf"; pcre:"/^\s*?\(\s*?[\x22\x27](?P<var>[^\x22\x27]+)[\x22\x27].+?document\.cookie\s*?=\s*?[\x22\x27][^\x22\x27]*?(?P=var)\s*?=\s*?readed\x3b/Rsi"; content:".top"; pcre:"/^\s*?=\s*?[\x22\x27]\-/Rsi"; classtype:exploit-kit; sid:2018967; rev:2; metadata:created_at 2014_08_20, former_category CURRENT_EVENTS, updated_at 2014_08_20;)
+alert ip any any -> any 5060 (msg:"GPL VOIP SIP INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:2100158; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Social Engineering Toolkit Web Clone code detected"; flow:established,from_server; file_data; content:"|3c|param name=|22|"; content:"value=|22|nix.bin|22 3e|"; distance:0; reference:url,trustedsec.com/downloads/social-engineer-toolkit/; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:2018972; rev:2; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_08_21, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, tag DriveBy, updated_at 2016_07_01;)
+alert ip any any -> any 5060 (msg:"GPL VOIP SIP 407 Proxy Authentication Required Flood"; content:"SIP/2.0 407 Proxy Authentication Required"; depth:42; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:2100163; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PE downloaded malicious SSL certificate (CZ Solutions)"; flow:established,to_client; flowbits:isset,ET.http.binary; file_data; content:"|43 5a 20 53 6f 6c 75 74 69 6f 6e 20 43 6f 2e 2c 20 4c 74 64 2e|"; reference:url,www.fireeye.com/blog/technical/2014/07/the-little-signature-that-could-the-curious-case-of-cz-solution.html; classtype:domain-c2; sid:2018748; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP MISC TFTP32 Get Format string attempt"; content:"|00 01 25 2E|"; depth:4; reference:url,www.securityfocus.com/archive/1/422405/30/0/threaded; reference:url,www.critical.lt/?vulnerabilities/200; classtype:attempted-admin; sid:2101222; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Aug 20 2014 D1"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 89 aa ac b6 40 58 a5 8c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,70bb2e450fe927ee32884cda6fe948b5; classtype:trojan-activity; sid:2018973; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_08_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert udp any any -> any 53 (msg:"GPL POLICY MISC Tunneling IP over DNS with NSTX"; byte_test: 1,>,32,12; content: "|00 10 00 01|"; offset: 12; rawbytes; threshold: type threshold, track by_src, count 50, seconds 60; reference:url,nstx.dereference.de/nstx/; reference:url,slashdot.org/articles/00/09/10/2230242.shtml; classtype:policy-violation; sid:2100208; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Aug 20 2014 D2"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 9c 96 01 9e 7e d5 38 fd|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2018974; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_08_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:2100648; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE LDPinch SMTP Password Report with mail client The Bat!"; flow:established,to_server; content:"X-Mailer|3a| The Bat!"; fast_pattern; content:"|0d 0a|Content-Disposition|3a| attachment|3b|"; content:!"|0d 0a|Subject|3a| Undeliverable|3a|"; reference:url,doc.emergingthreats.net/2008411; classtype:trojan-activity; sid:2008411; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2100653; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET [!21,!22,!23,!2100,!3535] -> $HOME_NET 1024:65535 (msg:"ET WEB_CLIENT Possible GnuTLS Client ServerHello SessionID Overflow CVE-2014-3466"; flow:established,to_client; content:"|16 03|"; depth:2; byte_test:1,<,4,2; content:"|02|"; distance:3; within:1; content:"|03|"; distance:3; within:1; byte_test:1,<,4,0,relative; byte_test:4,>,1370396981,1,relative; byte_test:4,<,1465091381,1,relative; byte_test:1,>,32,33,relative; reference:url,radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/; reference:cve,2014-3466; classtype:attempted-user; sid:2018537; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_06_06, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"GPL VOIP EXPLOIT SIP UDP Softphone overflow attempt"; content:"|3B|branch|3D|"; content:"a|3D|"; pcre:"/^a\x3D[^\n]{1000,}/smi"; reference:bugtraq,16213; reference:cve,2006-0189; classtype:misc-attack; sid:2100223; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Hoic.zip retrieval"; flow:from_server,established; file_data; content:"Hoic/buttons2/PK"; content:"Hoic/buttons2/buttons.rar"; distance:0; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018976; rev:3; metadata:created_at 2014_08_21, updated_at 2014_08_21;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Tinba DGA NXDOMAIN Responses (2)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ru|00|"; distance:15; within:4; fast_pattern; content:"|0c|"; distance:-17; within:1; pcre:"/^[a-z]{12}/R"; threshold:type both, track by_src, count 50, seconds 10; reference:md5,5808cc73c78263a8114eb205f510f6a7; reference:url,blog.malwarebytes.org/exploits-2/2014/10/exposing-the-flash-eitest-malware-campaign/; classtype:trojan-activity; sid:2019609; rev:1; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Machete FTP activity"; flow:established,to_server; content:"CWD |2e 2e 2f|KeyLog_History"; depth:21; classtype:trojan-activity; sid:2018980; rev:2; metadata:created_at 2014_08_22, updated_at 2014_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible EITest Flash Redirect"; flow:established,to_client; file_data; content:"|20|name=|22|EITest|22 20|"; fast_pattern; reference:url,blog.malwarebytes.org/exploits-2/2014/10/exposing-the-flash-eitest-malware-campaign/; classtype:trojan-activity; sid:2019610; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
 
-alert tcp $HOME_NET 1023: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.VB.Alsci/Dragon Eye RAT Checkin (sending user info)"; flow:to_server,established; content:"Auth"; nocase; depth:4; content:" @ "; within:128; content:"|5C 23 2F|"; within:128; content:"|5C 23 2F|"; within:32; content:"|5C 23 2F|"; fast_pattern; within:20; reference:md5,37207835e128516fe17af3dacc83a00c; reference:md5,e7d9bc670d69ad8a6ad2784255324eec; classtype:command-and-control; sid:2016913; rev:5; metadata:created_at 2011_05_17, former_category MALWARE, updated_at 2011_05_17;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M1"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?B[\x0d\x0a]{0,2}w[\x0d\x0a]{0,2}d[\x0d\x0a]{0,2}C[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}J[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}G[\x0d\x0a]{0,2}R[\x0d\x0a]{0,2}p[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}d[\x0d\x0a]{0,2}z[\x0d\x0a]{0,2}L[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}s[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}U[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}i[\x0d\x0a]{0,2}a[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}j[\x0d\x0a]{0,2}d/R"; classtype:misc-activity; sid:2019406; rev:3; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
 
-#alert tcp 188.95.234.6 any -> $HOME_NET [22,443] (msg:"ET SCAN Non-Malicious SSH/SSL Scanner on the run"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,pki.net.in.tum.de/node/21; reference:url,isc.sans.edu/diary/SSH%2bscans%2bfrom%2b188.95.234.6/15532; classtype:network-scan; sid:2016763; rev:7; metadata:created_at 2013_04_17, updated_at 2013_04_17;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"QQB1AHQAbwBPAHAAZQBu"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019615; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Info Stealer - HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0d 0a|Content-Type|3a| multipart/form-data|3b| boundary|3d|"; nocase; content:"name=\"id\"|0d 0a|"; nocase; content:"name=\"upt\"|0d 0a|"; nocase; content:"name=\"mode\"|0d 0a|"; nocase; content:"name=\"version\"|0d 0a|"; nocase; content:"name=\"cpu\"|0d 0a|"; nocase; fast_pattern; content:"name=\"ram\"|0d 0a|"; nocase; content:"name=\"os\"|0d 0a|"; nocase; content:"name=\"user\"|0d 0a|"; nocase; content:"name=\"user\"|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2009470; classtype:trojan-activity; sid:2009470; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"EAdQB0AG8ATwBwAGUAb"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019616; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1023: (msg:"ET MALWARE Turkojan C&C nxt Command (nxt)"; flow:established,from_server; dsize:3; content:"nxt"; depth:3; reference:url,doc.emergingthreats.net/2008029; classtype:command-and-control; sid:2008029; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"BAHUAdABvAE8AcABlAG"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019617; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Exploit Kit Delivering Compressed Flash Content to Client"; flow:established,to_client; flowbits:isset,et.exploitkitlanding; content:"|0d 0a 0d 0a|CWS"; classtype:exploit-kit; sid:2014527; rev:4; metadata:created_at 2012_04_06, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"QQB1AHQAbwBFAHgAZQBj"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019618; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK Thread Specific Java Exploit"; flow:established,to_server; content:"GET"; http_method; content:"/Fqxzdh.jar"; http_uri; fast_pattern:only; content:" Java/1."; http_user_agent; pcre:"/\/Fqxzdh\.jar$/U"; reference:url,malware-traffic-analysis.net/2014/07/24/index.html; classtype:exploit-kit; sid:2018987; rev:4; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"EAdQB0AG8ARQB4AGUAY"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019619; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Landing Aug 22 2014"; flow:established,from_server; file_data; content:"|5d 2f 67 2c 27 27 29 2e 73 75 62 73 74 72 28|"; content:"|5d 2f 67 2c 27 27 29 2e 73 75 62 73 74 72 28|"; within:500; content:"ActiveXObject"; pcre:"/^\s*?\(\s*?[\x22\x27](?!AgControl\.AgControl)[^\x22\x27]*?A[^\x22\x27]*?g[^\x22\x27]*?C[^\x22\x27]*?o[^\x22\x27]*?n[^\x22\x27]*?t[^\x22\x27]*?r[^\x22\x27]*?o[^\x22\x27]*?l[^\x22\x27]*?\.[^\x22\x27]*?A[^\x22\x27]*?g[^\x22\x27]*?C[^\x22\x27]*?o[^\x22\x27]*?n[^\x22\x27]*?t[^\x22\x27]*?r[^\x22\x27]*?o[^\x22\x27]*?l[^\x22\x27]*?[\x22\x27]\s*?\.\s*?replace\s*?\(/Rsi"; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018988; rev:2; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"BAHUAdABvAEUAeABlAG"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019620; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Landing URI Sruct Aug 22 2014"; flow:established,to_server; urilen:16; content:"/nhqdxa/eipm.php"; http_uri; fast_pattern:only; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018989; rev:2; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Fiesta Java Exploit/Payload URI Struct"; flow:established,to_server; urilen:68<>101; content:"Java/1."; http_user_agent; fast_pattern; content:!"="; http_uri; content:!"&"; http_uri; pcre:"/\/\??[a-f0-9]{60,}(?:\x3b\d+){1,4}$/U"; classtype:exploit-kit; sid:2019611; rev:8; metadata:created_at 2014_10_31, former_category CURRENT_EVENTS, updated_at 2014_10_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Payload URI Sruct Aug 22 2014"; flow:established,to_server; urilen:16; content:"/nhqdxa/yztl.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018990; rev:2; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Fiesta SilverLight 4.x Exploit URI Struct"; flow:established,to_server; urilen:>68; content:"|3b|4"; http_uri; offset:60; pcre:"/\/\??[a-f0-9]{60,}\x3b4[0-1]\d{5}$/U"; classtype:exploit-kit; sid:2019623; rev:2; metadata:created_at 2014_11_03, former_category CURRENT_EVENTS, updated_at 2014_11_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Silverlight URI Sruct Aug 22 2014"; flow:established,to_server; urilen:16; content:"/nhqdxa/vpclcy.x"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018991; rev:3; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.TrojanProxy Configuration file Download"; flow:established,from_server; file_data; content:"@$@"; fast_pattern; within:3; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x40\x24\x40$/Ri"; reference:url,fireeye.com/blog/technical/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html; classtype:trojan-activity; sid:2019631; rev:2; metadata:created_at 2014_11_03, updated_at 2014_11_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Flash URI Sruct Aug 22 2014"; flow:established,to_server; urilen:17; content:"/nhqdxa/oujyt.swf"; http_uri; fast_pattern:only; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018992; rev:2; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Genome Download.php HTTP Request"; flow:established,to_server; content:"GET"; http_method; content:"/download.php?nd="; http_uri; content:"&id="; http_uri; classtype:trojan-activity; sid:2013197; rev:3; metadata:created_at 2011_07_05, updated_at 2011_07_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Payload URI Sruct Aug 22 2014"; flow:established,to_server; urilen:19; content:"/nhqdxa/gjtzssq.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018993; rev:2; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing Nov 3 2014"; flow:established,to_client; file_data; content:"|61 72 73 79 6d 5b 30 5d 3d 22 65 6e 74 22 3b|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019634; rev:6; metadata:created_at 2014_11_04, former_category EXPLOIT_KIT, updated_at 2014_11_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Secondary Landing Aug 24 2014"; flow:established,to_server; content:"/ie8910b.html"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018997; rev:3; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ROM/BackOff C2 SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ed fd 42 65 de 77 35 ea|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,blog.fortinet.com/post/rom-a-new-version-of-the-backoff-pos-malware; classtype:command-and-control; sid:2019635; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows systeminfo Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Host Name|3a|"; content:"OS Name|3a|"; content:"OS Version|3a|"; content:"OS Manufacturer|3a|"; content:"Microsoft Corporation"; distance:0; content:"OS Configuration|3a|"; content:"OS Build Type|3a|"; content:"Registered Owner|3a|"; content:"Registered Organization|3a|"; content:"Product ID|3a|"; content:"Original Install Date|3a|"; content:"System Up Time|3a|"; content:"System Manufacturer|3a|"; content:"System Model|3a|"; content:"System type|3a|"; content:"Processor|28|s|29 3a|"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019002; rev:1; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+#alert tcp any any -> $EXTERNAL_NET any (msg:"ET MALWARE Shellshock Backdoor.Perl.Shellbot.F C2"; flow:to_server,established; content:"JOIN #shock 777"; content:"PRIVMSG #shock|20 3a|uid="; distance:0; reference:url,pastebin.com/JpnznR3j; reference:md5,fc230c9f998c196ac6897a979e08c58d; classtype:command-and-control; sid:2019637; rev:1; metadata:created_at 2014_11_04, former_category MALWARE, updated_at 2014_11_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Exploit Flash Post Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"id="; http_client_body; depth:3; content:"&dom=687474703a2f2f"; http_client_body; fast_pattern:only; content:"2e706870"; http_client_body; pcre:"/^id=[^&]+&dom=687474703a2f2f[a-f0-9]+2e706870\s*?$/Ps"; classtype:exploit-kit; sid:2019004; rev:2; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil EK Redirector Cookie Nov 03 2014"; flow:established,from_server; content:"ruarc="; fast_pattern:only; content:"ruarc="; depth:6; http_cookie; classtype:exploit-kit; sid:2019638; rev:4; metadata:created_at 2014_11_04, former_category CURRENT_EVENTS, updated_at 2014_11_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Exploit Landing Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"/msie.php"; http_uri; pcre:"/[^=]+?=(?:(?:[46][1-9a-f]|[57][0-9a]|3[0-9]|2d)+?2e)+(?:[46][1-9a-f]|[57][0-9a]|3[0-9]|2d)+\s*?/P"; classtype:exploit-kit; sid:2019006; rev:2; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange CDN Gate Sept 09 2014 Method 2"; flow:established,to_server; content:"/k?t"; http_uri; fast_pattern:only; pcre:"/\/k\?t[a-z]*=\d{5,}$/U"; classtype:exploit-kit; sid:2019146; rev:6; metadata:created_at 2014_09_10, former_category CURRENT_EVENTS, updated_at 2014_09_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlashPack EK JS Include Aug 25 2014"; flow:established,from_server; file_data; content:"function hex2bin(hex)"; within:21; content:"function rc4"; distance:0; content:!"function "; distance:0; classtype:exploit-kit; sid:2019007; rev:2; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange redirection 19 September 2014"; flow:to_client,established; file_data; content:"var ajax_data_source"; within:20; pcre:"/^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f/Ri"; flowbits:set,et.exploitkitlanding; reference:url,malware-traffic-analysis.net/2014/10/03/index.html; classtype:exploit-kit; sid:2019352; rev:3; metadata:created_at 2014_10_03, former_category EXPLOIT_KIT, updated_at 2014_10_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack Java Payload"; flow:established,to_server; content:"/load"; http_uri; fast_pattern:only; content:".php?id="; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2019008; rev:8; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
+#alert tcp $HOME_NET any -> 195.22.26.192/26 any (msg:"ET MALWARE AnubisNetworks Sinkhole TCP Connection"; flow:to_server; classtype:trojan-activity; sid:2019629; rev:2; metadata:created_at 2014_11_03, updated_at 2014_11_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack Payload"; flow:established,to_server; content:"/load"; http_uri; fast_pattern:only; content:".php"; http_uri; pcre:"/\/load(?:fla(2001[34]|0515)|msie\d{0,2}|20132551|jimage|silver|0322|db|im|rh)\.php/U"; content:!"Referer|3a|"; http_header; classtype:exploit-kit; sid:2017813; rev:9; metadata:created_at 2013_12_06, former_category CURRENT_EVENTS, updated_at 2013_12_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shellshock Backdoor.Perl.Shellbot.F retrieval"; flow:to_client,established; file_data; content:"#you got shellshocked???"; depth:24; reference:url,pastebin.com/JpnznR3j; reference:md5,fc230c9f998c196ac6897a979e08c58d; classtype:trojan-activity; sid:2019644; rev:2; metadata:created_at 2014_11_05, updated_at 2014_11_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 b8 68 97 9e dc 1f a8 cc|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0c|local.domain"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019009; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Bedep SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"|0b|Company Ltd"; distance:1; within:12; fast_pattern; content:"|55 04 0b|"; content:"|06|office"; distance:1; within:7; reference:url,malware-traffic-analysis.net/2014/11/02/index.html; reference:md5,11837229f834d296342b205433e9bc48; classtype:trojan-activity; sid:2019645; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019010; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED IBiz E-Banking Integrator V2 ActiveX Edition Insecure Method"; flow:to_client,established; content:"24445430-F789-11CE-86F8-0020AFD8C6DB"; nocase; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/i"; content:"WriteOFXDataFile"; nocase; reference:url,www.milw0rm.com/exploits/5416; reference:url,doc.emergingthreats.net/2008126; classtype:web-application-attack; sid:2008126; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019011; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ff 33 b2 e5 24 44 a4 09|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019648; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019012; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a6 08 2f bd 75 7f 25 39|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019649; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019013; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Malicious Attachment With Double Extension Ending In EXE"; flow:established,to_client; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; nocase; http_header; content:".exe|0d 0a|"; distance:0; http_header; fast_pattern; pcre:"/^Content-Disposition\x3a\x20attachment\x3b\x20filename=[^\r\n]+?\.[a-z]{2,4}\.exe\r?$/Hmi"; classtype:trojan-activity; sid:2019650; rev:2; metadata:created_at 2014_11_05, updated_at 2014_11_05;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 106.187.96.49 blacklistthisdomain.com"; content:"|00 01 00 01|"; content:"|00 04 6a bb 60 31|"; distance:4; within:6; classtype:trojan-activity; sid:2016591; rev:6; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"flashhigh.swf"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?flashhigh\.swf$/U"; classtype:exploit-kit; sid:2019656; rev:2; metadata:created_at 2014_11_06, former_category CURRENT_EVENTS, updated_at 2014_11_06;)
 
-#alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg:"ET DELETED iroffer IRC Bot offered files advertisement"; flow: from_server,established; content:"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"; depth: 500; reference:url,iroffer.org; reference:url,doc.emergingthreats.net/bin/view/Main/2000339; classtype:trojan-activity; sid:2000339; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"flashlow.swf"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?flashlow\.swf$/U"; classtype:exploit-kit; sid:2019657; rev:2; metadata:created_at 2014_11_06, former_category CURRENT_EVENTS, updated_at 2014_11_06;)
 
-#alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg:"ET DELETED iroffer IRC Bot help message"; flow: from_server,established; content:"|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 65 3A 20 22 2F 6D 73 67|"; depth: 500; reference:url,iroffer.org; reference:url,doc.emergingthreats.net/bin/view/Main/2000338; classtype:trojan-activity; sid:2000338; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit IE URI Struct"; flow:established,to_server; content:"iebasic.html"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?iebasic\.html$/U"; classtype:exploit-kit; sid:2019659; rev:2; metadata:created_at 2014_11_06, former_category CURRENT_EVENTS, updated_at 2014_11_06;)
 
-#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan peer exchange"; flow:established,to_server; content:"|01|hs5p|0000|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003138; classtype:trojan-activity; sid:2003138; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert ip any 5060 -> any any (msg:"GPL VOIP SIP 401 Unauthorized Flood"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_dst, count 100, seconds 60; classtype:attempted-dos; sid:2100162; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp any 25 -> any any (msg:"ET DELETED SpamThru trojan SMTP test successful"; flow:established,to_client; dsize:6; content:"XSMTPX"; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003139; classtype:trojan-activity; sid:2003139; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX Buildpath method stack overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"BuildPath"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010746; classtype:attempted-user; sid:2010746; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan update request"; flow:established,to_server; content:"|01|hs5p|0001|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003140; classtype:trojan-activity; sid:2003140; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX stack overfow Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"SoftArtisans.FileManager.1"; distance:0; nocase; pcre:"/(Buildpath|GetDriveName|DriveExists|DeleteFile)/i"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010745; classtype:attempted-user; sid:2010745; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan AV DLL request"; flow:established,to_server; content:"|01|hs5p|0007|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003141; classtype:trojan-activity; sid:2003141; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX GetDriveName method stack overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"GetDriveName"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010747; classtype:attempted-user; sid:2010747; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan spam template request"; flow:established,to_server; content:"|01|hs5p|0004|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003142; classtype:trojan-activity; sid:2003142; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX DriveExists method stack overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"DriveExists"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010748; classtype:attempted-user; sid:2010748; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan spam run report"; flow:established,to_server; content:"|01|hs5p|0005|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003143; classtype:trojan-activity; sid:2003143; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX DeleteFile method stack overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"DeleteFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010749; classtype:attempted-user; sid:2010749; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan AV scan report"; flow:established,to_server; content:"|01|hs5p|0008|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003144; classtype:trojan-activity; sid:2003144; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt % Encoding"; flow:established,to_client; content:"%70%61%72%73%65%49%6e%74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012260; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Status OK"; flow:established,to_server; dsize:2; content:"OK"; reference:url,doc.emergingthreats.net/2007963; classtype:trojan-activity; sid:2007963; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-8 Encoding"; flow:established,to_client; content:"%u70%u61%u72%u73%u65%u49%u6e%u74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012261; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Vipdataend C&C Traffic - Status OK (variant 2)"; flowbits:isset,ET.vipdataend; flow:established,to_server; dsize:1; content:"1"; depth:1; reference:url,doc.emergingthreats.net/2009026; classtype:command-and-control; sid:2009026; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-16 Encoding"; flow:established,to_client; content:"%u7061%u7273%u6549%u6e74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012262; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Checkin (variant 3)"; flow:established,to_server; dsize:<42; content:"|3a|Windows "; depth:11; offset:2; reference:url,doc.emergingthreats.net/2009037; classtype:trojan-activity; sid:2009037; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag % Encoding"; flow:established,to_client; content:"%3c%73%63%72%69%70%74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012263; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic Checkin"; flow:established,to_server; dsize:<20; content:"|3a 20|"; offset:2; depth:6; content:"|20 7c 20|"; within:10; reference:url,doc.emergingthreats.net/2007962; classtype:trojan-activity; sid:2007962; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.Win32.Qhost C&C Traffic Outbound (case1)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 1|00|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; reference:url,doc.emergingthreats.net/2007578; classtype:trojan-activity; sid:2007578; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Server Status OK"; flow:established,to_server; dsize:2; content:"OK"; reference:url,doc.emergingthreats.net/2007964; classtype:trojan-activity; sid:2007964; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.Win32.Qhost C&C Traffic Outbound (case2)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 2|00|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; reference:url,doc.emergingthreats.net/2007579; classtype:trojan-activity; sid:2007579; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Checkin (XY)"; flow:established,to_server; dsize:<20; content:"XY|3a|2|7c|212"; offset:0; depth:9; reference:url,doc.emergingthreats.net/2007970; classtype:trojan-activity; sid:2007970; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Trojan.Win32.Qhost C&C Traffic Inbound (case1)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 1|00|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; reference:url,doc.emergingthreats.net/2007580; classtype:trojan-activity; sid:2007580; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Checkin (FYWL)"; flow:established,to_server; dsize:11; content:"FYWL|3a|2|7c|212"; offset:0; depth:11; reference:url,doc.emergingthreats.net/2008223; classtype:trojan-activity; sid:2008223; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Trojan.Win32.Qhost C&C Traffic Inbound (case2)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 2|00|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; reference:url,doc.emergingthreats.net/2007581; classtype:trojan-activity; sid:2007581; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Checkin (XYLL)"; flow:established,to_server; dsize:11; content:"XYLL|3a|2|7c|212"; offset:0; depth:11; reference:url,doc.emergingthreats.net/2008224; classtype:trojan-activity; sid:2008224; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit SilverLight URI Struct"; flow:established,to_server; content:"silverapp1.xap"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?silverapp1\.xap$/U"; classtype:exploit-kit; sid:2019658; rev:4; metadata:created_at 2014_11_06, former_category CURRENT_EVENTS, updated_at 2014_11_06;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend/Ceckno C&C Traffic - Checkin"; flow:established,to_server; dsize:<30; content:"VERSONEXc|3a|2|7c|212|7c|"; depth:16; reference:url,doc.emergingthreats.net/2008254; classtype:trojan-activity; sid:2008254; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear SilverLight Exploit"; flow:established,from_server; flowbits:isset,et.Nuclear.SilverLight; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; classtype:exploit-kit; sid:2019669; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_11_07, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Beizhu/Womble/Vipdataend Checking in with Controller"; flow:established,to_server; dsize:<70; content:"|3a|Windows"; depth:11; offset:2; content:"|7c|212("; distance:0; within:15; reference:url,doc.emergingthreats.net/2008334; classtype:trojan-activity; sid:2008334; rev:10; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e0 62 d9 f2 16 04 d1 be|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019670; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED Delf CnC Channel Packet 1 reply"; flowbits:isset,ET.unk.1; flow:established,from_server; dsize:<15; content:"|05 00 00 00|"; depth:4; flowbits:set,ET.unk.2; reference:url,doc.emergingthreats.net/2008007; classtype:command-and-control; sid:2008007; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 de 17 24 ba 29 9a a6 c6|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019671; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Delf CnC Channel Checkin Replies"; flowbits:isset,ET.unk.2; flow:established,to_server; dsize:<20; content:"|09 00 00 00|"; depth:4; reference:url,doc.emergingthreats.net/2008008; classtype:command-and-control; sid:2008008; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] any (msg:"ET EXPLOIT_KIT Possible HanJuan EK Flash Payload DL"; flow:to_server,established; content:"/"; http_uri; content:".php"; http_uri; fast_pattern; within:11; pcre:"/\/[a-z]{3,7}\.php$/U"; content:!"User-Agent"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:"Cache-Control|3a|"; http_header; classtype:exploit-kit; sid:2019672; rev:2; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Delf CnC Channel Packet 1"; flowbits:isnotset,ET.unk.1; flow:established,to_server; dsize:<200; content:"|8e 00 d0 00|"; depth:4; flowbits:set,ET.unk.1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008006; classtype:command-and-control; sid:2008006; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] any (msg:"ET EXPLOIT_KIT Possible HanJuan EK URI Struct Actor Specific"; flow:to_server,established; content:"?zho="; http_uri; fast_pattern:only; pcre:"/\/(?:[a-z0-9]{1,7}\.php)?\?zho=/U"; classtype:exploit-kit; sid:2019673; rev:2; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED Banker.maf SMTP Checkin (Not in the Control...)"; flow:established,to_server; content:"|0a|X-Mailer|3a| Microsoft CDO for Windows 2000"; content:"|0d 0a|_-=|7c| Not in the Control System 6.0 |7c|=-_|0d 0a|.|0d 0a|"; distance:0; reference:url,doc.emergingthreats.net/2008033; classtype:trojan-activity; sid:2008033; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] any (msg:"ET EXPLOIT Possible HanJuan Flash Exploit"; flow:to_server,established; content:".swf"; http_uri; fast_pattern:only; pcre:"/^\/(?:[a-z0-9]{3,7}\/)?[a-z]{3,7}\.swf$/U"; classtype:trojan-activity; sid:2019674; rev:2; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED System.Poser HTTP Checkin"; flow:established,to_server; content:"/check.php?c="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"User-Agent|3a| Microsoft BITS"; http_header; reference:url,doc.emergingthreats.net/2008035; classtype:trojan-activity; sid:2008035; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible HanJuan EK Actor Specific Injected iframe"; flow:from_server,established; content:"|3c 6c 69 20 63 6c 61 73 73 3d 22 69 73 2d 6e 65 77 22 3e|"; nocase; content:"|22 20 63 6c 61 73 73 3d 22 74 6f 6f 6c 74 69 70 22 20 74 69 74 6c 65 3d 22 22 3e|"; nocase; distance:0; content:"<iframe"; nocase; distance:0; content:" vspace="; nocase; content:"0"; within:3; content:" hspace="; content:"0"; within:3; content:" marginwidth="; content:"0"; within:3; content:"|3c 6c 69 20 63 6c 61 73 73 3d 22 69 73 2d 6e 65 77 22 3e|"; nocase; distance:0; classtype:exploit-kit; sid:2019675; rev:2; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Nginx Server with modified version string - Often Hostile Traffic"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"|0d 0a|Server|3a| nginx/"; nocase; pcre:"/Server\: nginx/[a-zA-Z]/i"; threshold:type limit, seconds 60, count 3, track by_src; reference:url,doc.emergingthreats.net/2008065; classtype:bad-unknown; sid:2008065; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"prancerBlit15xa.swf"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2019677; rev:2; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED General Downloader URL Pattern (/loader/setup.php)"; flow:established,to_server; content:"/loader/setup.php?id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008076; classtype:trojan-activity; sid:2008076; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Operation Huyao Landing Page Nov 07 2014"; flow:established,to_server; content:"/tslyphper"; fast_pattern:only; http_uri; pcre:"/\/tslyphper(?:[A-Za-z0-9+/-_]{4})*(?:[A-Za-z0-9+/-_]{2}==|[A-Za-z0-9+/-_]{3}=|[A-Za-z0-9+/-_]{4})\.html$/U"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-phishing-technique-outfoxes-site-owners-operation-huyao/; classtype:social-engineering; sid:2019681; rev:3; metadata:created_at 2014_11_08, updated_at 2014_11_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Xorer.ez HTTP Checkin to CnC"; flow:established,to_server; content:"/qq.html?username="; nocase; http_uri; content:"&zhaosp="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008081; classtype:command-and-control; sid:2008081; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil EK Redirector Cookie Nov 07 2014"; flow:established,from_server; content:"usid=sid|3a 7b 27|"; fast_pattern:only; reference:url,blog.malwarebytes.org/malvertising-2/2014/11/the-proof-is-in-the-cookie/; classtype:exploit-kit; sid:2019684; rev:3; metadata:created_at 2014_11_08, former_category CURRENT_EVENTS, updated_at 2014_11_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 81:90 (msg:"ET DELETED Looked.P/Gamania/Delf #108/! Style CnC Checkin"; flow:established,to_server; dsize:6; content:"#1"; depth:2; content:"/!"; distance:2; within:2; pcre:"/^\x23\d\d\d\x2f\x21/"; reference:url,doc.emergingthreats.net/bin/view/Main/Win32Looked; classtype:command-and-control; sid:2008219; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing URI Struct"; flow:established,to_server; urilen:15; content:"/abhgtnedg.html"; http_uri; classtype:exploit-kit; sid:2019685; rev:2; metadata:created_at 2014_11_10, former_category CURRENT_EVENTS, updated_at 2014_11_10;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Winspywareprotect.com Fake AV/Anti-Spyware Secondary Checkin"; flow:established,to_server; content:"/stat.php?func=scanfinished&id="; http_uri; reference:url,doc.emergingthreats.net/2008251; classtype:trojan-activity; sid:2008251; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing Aug 24 2014"; flow:established,from_server; file_data; content:"+payload"; fast_pattern; nocase; content:"flashLow"; nocase; classtype:exploit-kit; sid:2018998; rev:10; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Emogen Infection Checkin Initial Packet"; flow:established,to_server; dsize:<100; content:"|00 00 00 00 00 00|WindowsXP|00 00 00|"; flowbits:set,ET.emogen1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008269; classtype:trojan-activity; sid:2008269; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a9 db 12 6f 49 21 41 f0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019691; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Emogen Infection Checkin CnC Keepalive"; flow:established,to_server; flowbits:isset,ET.emogen1; dsize:4; content:"test"; reference:url,doc.emergingthreats.net/2008270; classtype:command-and-control; sid:2008270; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Emotet DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|eu|00|"; distance:19; within:4; fast_pattern; content:"|10|"; distance:-21; within:1; pcre:"/^[a-z]{16}/R"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,3083b68cb5c2a345972a5f79e735c7b9; classtype:trojan-activity; sid:2019692; rev:1; metadata:created_at 2014_11_12, updated_at 2014_11_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Banker Infostealer/PRG POST on High Port"; flow:to_server,established; content:"POST"; nocase; http_method; content:"|2E|php|3F|2="; nocase; content:"|26|n="; nocase; content:"|26|v="; nocase; content:"|26|i="; nocase; content:"|26|sp="; nocase; content:"|26|lcp="; nocase; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2008326; classtype:trojan-activity; sid:2008326; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Dridex Campaign Download Nov 11 2014"; flow:established,to_server; content:"/get/get.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/get\/get\.php$/U"; classtype:trojan-activity; sid:2019697; rev:2; metadata:created_at 2014_11_12, former_category CURRENT_EVENTS, updated_at 2014_11_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unnamed - kuaiche.com related"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/config/fgun_install_"; http_uri; content:"User-Agent|3a| NSI SDL/1.2 (Mozilla)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008359; classtype:trojan-activity; sid:2008359; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OSX/WireLurker CnC Beacon"; flow:established,from_server; file_data; content:"|7b 22|result|22 3a 7b 22|version|22 3a 22|"; flowbits:isset,ET.WireLurkerUA; reference:url,paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:command-and-control; sid:2019663; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_11_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"ET DELETED Win32.Testlink Trojan Speed Test Start port 8888"; flow:established,to_server; dsize:25; content:"GET /test_link HTTP/1.0|0d 0a|"; reference:url,doc.emergingthreats.net/2008435; classtype:trojan-activity; sid:2008435; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b9 a5 38 e3 56 d4 39 67|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019708; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"ET DELETED Win32.Testlink Trojan Checkin port 8888"; flow:established,to_server; content:"/stat?uptime="; content:"&downlink="; distance:0; content:"&uplink="; distance:0; content:"&id="; distance:0; reference:url,doc.emergingthreats.net/2008437; classtype:trojan-activity; sid:2008437; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 9b 4d b2 c7 f6 6f f2|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019709; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"ET DELETED Win32.Testlink Trojan Speed Test port 8888"; flow:established,to_server; dsize:>1000; content:"Data|3a| |00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:35; reference:url,doc.emergingthreats.net/2008436; classtype:trojan-activity; sid:2008436; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable base64 encoded in XML"; flow: established,from_server; file_data; content:"bin.base64"; nocase; content:"<file"; nocase; content:"<stream"; nocase; content:"<?xml"; nocase; content:"TVqQA"; fast_pattern; pcre:"/^[A-Za-z0-9\s/+]{100}/Rs"; classtype:trojan-activity; sid:2019716; rev:9; metadata:created_at 2014_11_15, updated_at 2014_11_15;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED XPantivirus2008 Download"; flow:to_server,established; content:"GET"; depth:3; http_method; content:"XPantivirus20"; nocase; http_uri; pcre:"/XPantivirus20\d{2}_v\d{6}\.exe/Ui"; reference:url,www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/page4.html; reference:url,seo.mhvt.net/blog/?p=390; reference:url,virscan.org/report/a61cd44fc387188da2ee3fbdeda10782.html; reference:url,doc.emergingthreats.net/2008516; classtype:trojan-activity; sid:2008516; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [8000,8003,9004:] (msg:"ET MALWARE W32Autorun.worm.aaeh Checkin"; flow:established,to_server; content:"Host|3a| ns1.help"; pcre:"/^Host\x3a\x20ns1\.help(?:update(?:d\.(?:com?|net?|org?)|k\.(?:at?|eu?|tw)|r\.net|s\.com)|checks\.net)/mi"; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=1607456; classtype:command-and-control; sid:2019711; rev:4; metadata:created_at 2014_11_15, former_category MALWARE, updated_at 2014_11_15;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED Possible External Ultrasurf Anonymizer DNS Query"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; threshold:type limit, track by_src,count 1, seconds 60; reference:url,doc.emergingthreats.net/2008533; classtype:policy-violation; sid:2008533; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ce 60 aa 87 c5 4a 56 2f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0f|fvhch6y1sszzgbh"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019720; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1030 (msg:"ET DELETED Ipbill.com Related Dialer Trojan Checkin"; flow:established,to_server; dsize:7; content:"|0a|"; offset:6; pcre:"/\d\d\d\d\d\d\x0a/"; flowbits:set,ET.ipbill1; reference:url,doc.emergingthreats.net/2008730; classtype:trojan-activity; sid:2008730; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ce 63 1a 95 03 94 55 2e|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0c|HAMBURG GMBH"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019721; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET 1030 -> $HOME_NET any (msg:"ET DELETED Ipbill.com Related Dialer Trojan Server Response"; flow:established,from_server; dsize:<20; content:"|0a 5b 27|"; offset:2; depth:5; content:"|27 5d 0a|"; distance:0; flowbits:isset,ET.ipbill1; reference:url,doc.emergingthreats.net/2008731; classtype:trojan-activity; sid:2008731; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing Nov 17 2014"; flow:established,from_server; file_data; content:"flash_run2"; nocase; content:"silver_run"; nocase; content:"msie_run"; nocase; classtype:exploit-kit; sid:2019722; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.Yokbar Checkin URL"; flow:established,to_server; content:"?p="; http_uri; content:"&v="; http_uri; content:"&m="; http_uri; content:"&d=200"; http_uri; content:"&x="; http_uri; content:"&t="; http_uri; reference:url,doc.emergingthreats.net/2008753; classtype:pup-activity; sid:2008753; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing Nov 17 2014 M2"; flow:established,from_server; file_data; content:"|66 66 62 67 72 6e 74 68 35 77 65 28 61 29|"; classtype:exploit-kit; sid:2019723; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
 
-#alert tcp any any -> any 5554 (msg:"ET DELETED Sasser FTP Traffic"; flow: to_server,established; content:"up.exe"; reference:url,vil.mcafeesecurity.com/vil/content/Print125009.htm; reference:url,doc.emergingthreats.net/2000040; classtype:misc-activity; sid:2000040; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Flash Exploit URI Struct Nov 17 2014"; flow:established,to_server; content:"/5c5390116e606055c51b2c86340beb2bd1668f6e3bbf56240a01d43db5ac6b9d.swf"; http_uri; classtype:exploit-kit; sid:2019724; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
 
-#alert tcp any any -> any 9996 (msg:"ET DELETED Sasser Transfer _up.exe"; flow: established,to_server; content:"|5F75702E657865|"; depth: 250; reference:url,vil.mcafeesecurity.com/vil/content/Print125009.htm; reference:url,doc.emergingthreats.net/2000047; classtype:misc-activity; sid:2000047; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Flash Exploit URI Struct 2 Nov 17 2014"; flow:established,to_server; content:"/6896a114d0047db5679d5da0be7eb87d77ef59ed49ef942e7b74f60fb3df2ce3.swf"; http_uri; classtype:exploit-kit; sid:2019725; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Dyreza RAT Checkin Response"; flow:established,to_client; content:"|a5 46 da 53 0a 00 68 00 65 00 6c 00 6c 00 6f|"; offset:4; depth:15; reference:md5,b61145a54698753cecf8748359c9d81e; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:command-and-control; sid:2018596; rev:3; metadata:created_at 2014_06_12, former_category MALWARE, updated_at 2014_06_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing URI Struct 2 Nov 17 2014"; flow:established,to_server; content:"/9e675626486f3804603227533ab83b26f4a95a0c4f5eebbc00507558da27edc0.html"; http_uri; classtype:exploit-kit; sid:2019726; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dyreza RAT Checkin Response 2"; flow:established,to_client; dsize:3; content:"/1/"; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:trojan-activity; sid:2018597; rev:4; metadata:created_at 2014_06_24, updated_at 2014_06_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NullHole EK Exploit URI Struct"; flow:established,to_server; urilen:>34; content:"/"; offset:33; depth:1; http_uri; content:"Cookie|3a 20|nhweb="; fast_pattern; pcre:"/^\/[a-f0-9]{32}\/(?=[a-z]*?[A-Z])(?=[A-Z]*?[a-z])[A-Za-z]+\.(?:html|jar|swf)$/U"; classtype:exploit-kit; sid:2019727; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32/Sasser.worm.b"; flow: established; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; reference:url,doc.emergingthreats.net/2001056; classtype:misc-activity; sid:2001056; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Percent Hex Encode"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"redim|25|"; nocase; fast_pattern; pcre:"/^(?:25)?20(?:\x25(?:25)?20|\s)*?Preserve/Rsi"; content:"redim|25|"; nocase; distance:0; pcre:"/^(?:25)?20(?:\x25(?:25)?20|\s)*?Preserve/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019732; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32/Sasser.worm.a"; flow: established; content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09 85 B8 F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; reference:url,doc.emergingthreats.net/2001057; classtype:misc-activity; sid:2001057; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct"; flow:to_client,established; file_data; content:"chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)"; reference:cve,2014-6332; classtype:attempted-user; sid:2019734; rev:3; metadata:created_at 2014_11_18, updated_at 2014_11_18;)
 
-#alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible CIA Trojan download/upload attempt"; content:"|6C 75 66 6A 65 6F 6F|"; reference:url,doc.emergingthreats.net/2001233; classtype:trojan-activity; sid:2001233; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct Hex Encode"; flow:to_client,established; file_data; content:"chrw|25|"; pcre:"/^(?:25)?282176\x25(?:25)?29\x25(?:25)?26chrw\x25(?:25)?2801/Rs"; reference:cve,2014-6332; classtype:attempted-user; sid:2019735; rev:3; metadata:created_at 2014_11_18, updated_at 2014_11_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Beagle User Agent Detected"; flow: to_server,established; dsize:<150; content:"User-Agent|3a| beagle_beagle"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.i@mm.html; reference:url,doc.emergingthreats.net/2001269; classtype:trojan-activity; sid:2001269; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT_KIT SPL2 EK JS HashLib Nov 18 2014"; flow:to_server,established; urilen:8; content:"/mdd5.js"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2019744; rev:3; metadata:created_at 2014_11_19, former_category CURRENT_EVENTS, updated_at 2014_11_19;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED Outbound W32.Novarg.A worm"; flow: established; content:"TVqQAAMAAAAEAAAA"; content:"8AALgAAAAAAAAAQ"; within: 20; distance: 2; content:"UEUA..AEwBAW"; content:"DgAA8BCwEHAABQAAAAE"; within: 40; distance: 16; content:"ABVUFgwAAAAAABgAAAAEAAAAAAAAAAEA"; content:"ACAAADg"; within: 30; distance: 16; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.a@mm.html; reference:url,doc.emergingthreats.net/2001273; classtype:trojan-activity; sid:2001273; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Landing Nov 18 2014"; flow:established,from_server; file_data; content:"v|3a|stroke id=|27|beg|27|"; fast_pattern:only; content:"<h1>Forbidden</h1>"; classtype:exploit-kit; sid:2019742; rev:3; metadata:created_at 2014_11_19, former_category CURRENT_EVENTS, updated_at 2014_11_19;)
 
-#alert tcp $HOME_NET any -> any 445 (msg:"ET DELETED Korgo.P offering executable"; flow: to_server,established; content:"|FF|SMB"; depth: 10; content:"|58|http"; content:".exe"; nocase; within: 36; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; reference:url,doc.emergingthreats.net/2001337; classtype:trojan-activity; sid:2001337; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Flash Exploit Nov 18 2014"; flow:to_server,established; content:"/Drop2"; http_uri; fast_pattern:only; pcre:"/^\/Drop2(?:-\d+)\.swf$/U"; classtype:exploit-kit; sid:2019745; rev:2; metadata:created_at 2014_11_19, former_category CURRENT_EVENTS, updated_at 2014_11_19;)
 
-#alert tcp $HOME_NET any -> any any (msg:"ET DELETED Korgo.P binary upload"; flow: to_server,established; content:"|aa4f7ea86c90457d686868f0de687a68689768686868|"; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; reference:url,doc.emergingthreats.net/2001338; classtype:trojan-activity; sid:2001338; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK PluginDetect Data Hash Nov 18 2014"; flow:to_server,established; content:".html?"; http_uri; fast_pattern:only; content:"-"; http_uri; pcre:"/\/[a-z]+?-[a-z]+?-[a-z]+?\.html\?[a-z]+\d*?=[a-f0-9]{32}$/U"; content:"GET "; pcre:"/^[^\r\n]*?(?P<name>\/[^\.\/]+\.html)\?[a-z]+?\d*?=[a-f0-9]{32}\sHTTP\/1\..+?\r\nReferer\x3a\x20[^\r\n]*?(?P=name)(?:\d{1,5})?\r\n/Rs"; classtype:exploit-kit; sid:2019743; rev:5; metadata:created_at 2014_11_19, former_category CURRENT_EVENTS, updated_at 2014_11_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Couponage Reporting"; flow: to_server,established; content:"/?keyword="; nocase; content:"couponage.com"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001455; classtype:policy-violation; sid:2001455; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible FlashPack (FlashOnly) Payload Struct Nov 19 2014"; flow:established,to_server; content:"GET"; http_method; content:"/load.php"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9]+\/load\.php$/U"; content:!"User-Agent|3a|"; http_header; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2019753; rev:2; metadata:created_at 2014_11_20, updated_at 2014_11_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 5554 (msg:"ET DELETED Sasser FTP exploit attempt"; flow: to_server,established; dsize: >150; content:"PORT "; depth: 5; reference:url,www.lurhq.com/dabber.html; reference:url,doc.emergingthreats.net/2001548; classtype:attempted-admin; sid:2001548; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bamital Checkin Response 1"; flow:established,from_server; file_data; content:"$$$$"; within:4; fast_pattern; pcre:"/^<(?P<var1>[a-z])>[a-z0-9/]+<\/(?P=var1)><(?P<var2>[a-z])>[a-z0-9/]+<\/(?P=var2)>/Ri"; classtype:command-and-control; sid:2019757; rev:2; metadata:created_at 2014_11_20, former_category MALWARE, updated_at 2014_11_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED F5 BIG-IP 3DNS TCP Probe 1"; id: 1; dsize: 24; flags: S,12; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; window: 2048; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001609; classtype:misc-activity; sid:2001609; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.SWF; content:"Content-Disposition|3a|"; http_header; content:".swf"; http_header; content:"X-Powered-By|3a|"; http_header; pcre:"/^Content-Disposition\x3a[^\r\n]+\.swf/Hm"; content:"CWS"; classtype:exploit-kit; sid:2019765; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_11_21, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED F5 BIG-IP 3DNS TCP Probe 2"; id: 2; dsize: 24; flags: S,12; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; window: 2048; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001610; classtype:misc-activity; sid:2001610; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT FlashPack Flash Exploit Nov 20 2014"; flow:established,to_server; content:"/Main.swf"; http_uri; content:"/gate.php"; http_header; pcre:"/^Referer\x3a[^\r\n]+\/gate.php\r$/Hm"; classtype:trojan-activity; sid:2019766; rev:3; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2014_11_21;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED F5 BIG-IP 3DNS TCP Probe 3"; id: 3; dsize: 24; flags: S,12; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; window: 2048; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001611; classtype:misc-activity; sid:2001611; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (1)"; flow:established,to_server; urilen:>35; content:".php"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9A-Z]{15,35}\/((\d+[A-Z]){3}\d+|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016706; rev:20; metadata:created_at 2013_04_01, updated_at 2013_04_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED JoltID Agent P2P via Proxy Server"; flow: to_server,established; content:"POST http|3a|//"; nocase; content:"|3a|3531/.pkt"; nocase; within: 20; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001679; classtype:trojan-activity; sid:2001679; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Exploit Requested - /spl/"; flow:established,to_server; content:"/spl/"; http_uri; fast_pattern:only; content:".jar"; http_uri; content:"Java/"; http_header; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018925; rev:5; metadata:created_at 2014_08_12, former_category CURRENT_EVENTS, updated_at 2014_08_12;)
 
-#alert tcp $HOME_NET any -> [208.8.81.0/24,64.68.96.0/19] 443 (msg:"ET DELETED MyWebEx Server Traffic"; flow: to_server,established; dsize: <50; content:"|17|"; offset: 0; depth: 1; threshold: type limit,track by_src, count 1, seconds 360; reference:url,www.mywebexpc.com; reference:url,doc.emergingthreats.net/2001712; classtype:policy-violation; sid:2001712; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Archie EK T2 Landing Struct Nov 20 2014"; flow:established,to_server; urilen:70; content:".html"; http_uri; offset:65; depth:5; pcre:"/^\/[a-f0-9]{64}\.html$/U"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r?\n)/Hmi"; classtype:exploit-kit; sid:2019769; rev:4; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2014_11_21;)
 
-#alert tcp $HOME_NET any -> [208.8.81.0/24,64.68.96.0/19] $HTTP_PORTS (msg:"ET DELETED MyWebEx Installation"; flow: to_server,established; content:"/pc/r.php?AT=RS"; nocase; threshold: type limit, track by_src, count 1, seconds 30; reference:url,www.mywebexpc.com; reference:url,doc.emergingthreats.net/2001713; classtype:policy-violation; sid:2001713; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Archie EK T2 PD Struct Nov 20 2014"; flow:established,to_server; urilen:68; content:"|2f|"; http_uri; depth:1; content:".js"; http_uri; offset:65; depth:3; pcre:"/^\/[a-f0-9]{64}\.js$/U"; pcre:"/^Referer\x3a[^\r\n]+\x3a\d{1,5}\/[a-f0-9]{64}\.html\r$/Hm"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r?\n)/Hmi"; classtype:exploit-kit; sid:2019768; rev:4; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2014_11_21;)
 
-#alert tcp [208.8.81.0/24,64.68.96.0/19] 443 -> $HOME_NET any (msg:"ET DELETED MyWebEx Incoming Connection"; flow: to_client,established; content:"|16 03|"; offset: 0; depth: 2; content:"Comodo"; nocase; depth: 240; content:"accessanywhere.com"; nocase; offset: 592; depth: 48; reference:url,www.mywebexpc.com; reference:url,doc.emergingthreats.net/2001714; classtype:policy-violation; sid:2001714; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing Nov 05 2014"; flow:from_server,established; file_data; content:"=|27|c"; pcre:"/^(?:\x27\s*?\+\s*?\x27)?h(?:\x27\s*?\+\s*?\x27)?a(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?A(?:\x27\s*?\+\s*?\x27)?/R"; content:"t|27 3b|return"; within:9; fast_pattern; content:".indexOf"; pcre:"/^\s*?\x28\s*?[a-z0-9]{4,6}\s*?\x28\s*?[a-z0-9]{1,3}\s*?,\s*?[a-z0-9]{1,3}\s*?\x29\s*?\x29\s*?\x3b\s*?(?P<var>[a-z0-9]{1,3})\s*?\x3d\s*?\x28\s*?(?P=var)\s*?\x2b\s*?[a-z0-9]{1,3}\s*?\x29\s*?\x25\s*?[a-z0-9]{1,3}\.length\x3b/R"; classtype:exploit-kit; sid:2019655; rev:6; metadata:created_at 2014_11_06, former_category EXPLOIT_KIT, updated_at 2014_11_06;)
 
-#alert tcp $HOME_NET !21:587 -> any any (msg:"ET DELETED Spambot Suspicious 220 Banner on Local Port"; flow: established; content:"220 "; offset: 0; depth: 4; tag: session, 20, packets; reference:url,doc.emergingthreats.net/bin/view/Main/2001815; classtype:non-standard-protocol; sid:2001815; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Internet Explorer CVE-2014-6332 Common Construct b64 1 (Observed in Archie EK)"; flow:established,from_server; file_data; content:"Y2hydygwMSkmY2hydygyMTc2KSZjaHJ3KDAxKSZjaHJ3KDAwK"; reference:cve,2014-6332; classtype:exploit-kit; sid:2019773; rev:2; metadata:created_at 2014_11_24, former_category EXPLOIT_KIT, updated_at 2014_11_24;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1345 (msg:"ET DELETED AIM Bot Outbound Control Channel Open and Login"; flow: to_server,established; content:"PASS"; nocase; pcre:"/PASS\s.*?\x0d\x0aNICK\s.*?\x0d\x0aUSER\s.*?\s\d\s\d\s\:\S/im"; reference:url,doc.emergingthreats.net/2001910; classtype:trojan-activity; sid:2001910; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Internet Explorer CVE-2014-6332 Common Construct b64 2 (Observed in Archie EK)"; flow:established,from_server; file_data; content:"NocncoMDEpJmNocncoMjE3NikmY2hydygwMSkmY2hydygwMC"; reference:cve,2014-6332; classtype:exploit-kit; sid:2019774; rev:3; metadata:created_at 2014_11_24, former_category EXPLOIT_KIT, updated_at 2014_11_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible MSN Worm Exploit exe"; flow: established; content:"X-MMS-IM-"; depth:153; content:"http"; nocase; content:".exe"; nocase; reference:url,doc.emergingthreats.net/2002323; classtype:misc-activity; sid:2002323; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Internet Explorer CVE-2014-6332 Common Construct b64 3 (Observed in Archie EK)"; flow:established,from_server; file_data; content:"jaHJ3KDAxKSZjaHJ3KDIxNzYpJmNocncoMDEpJmNocncoMDAp"; reference:cve,2014-6332; classtype:exploit-kit; sid:2019775; rev:2; metadata:created_at 2014_11_24, former_category EXPLOIT_KIT, updated_at 2014_11_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible MSN Worm Exploit php"; flow: established; content:"X-MMS-IM-"; depth:153; content:"http"; nocase; content:".php"; nocase; reference:url,doc.emergingthreats.net/2002322; classtype:misc-activity; sid:2002322; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f0 34 4a fb 16 96 9d 25|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|ewgcetiyu"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019786; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible MSN Worm Exploit pif"; flow: established; content:"X-MMS-IM-"; depth:153; content:"http"; nocase; content:".pif"; nocase; reference:url,doc.emergingthreats.net/2002324; classtype:misc-activity; sid:2002324; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 90 3b 8c 56 23 94 93|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0b|1234567egeg"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019787; rev:3; metadata:attack_target Client_and_Server, created_at 2014_11_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32.kelvir.HI"; flow: established; content:"X-MMS-IM-"; depth:153; content:"search.php?data="; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.kelvir.hi.html; reference:url,doc.emergingthreats.net/2002325; classtype:misc-activity; sid:2002325; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude Flash Payload"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; fast_pattern; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^\/\?[a-f0-9]{32}$/U"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; classtype:exploit-kit; sid:2019800; rev:2; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET DELETED Mercury v4.01a IMAP RENAME Buffer Overflow"; flow:established,to_server; flowbits:isset,mercury.imap.401a; content:"a001 RENAME"; pcre:"/[0-9A-Z]{240,}/smi"; reference:url,www.pmail.com/whatsnew/m32401.htm; reference:url,metasploit.com/projects/Framework/exploits.html#mercury_imap; reference:bugtraq,11775; reference:url,doc.emergingthreats.net/bin/view/Main/2002390; classtype:misc-attack; sid:2002390; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing Page Nov 25 2014"; flow:established,from_server; file_data; content:"function ckl|28|"; content:"return bmw|3b|"; distance:0; classtype:exploit-kit; sid:2019807; rev:2; metadata:created_at 2014_11_26, updated_at 2014_11_26;)
 
-#alert tcp $HOME_NET 143 -> $EXTERNAL_NET any (msg:"ET DELETED Vulnerable Mercury 4.01a IMAP Banner"; flow: from_server,established; content:"IMAP4rev1 Mercury/32 v4.01a server ready"; flowbits:set,mercury.imap.401a; reference:url,www.pmail.com/whatsnew/m32401.htm; reference:bugtraq,11775; reference:url,doc.emergingthreats.net/bin/view/Main/2002389; classtype:successful-recon-limited; sid:2002389; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1913 (msg:"ET MALWARE W32/DoubleTap.APT Downloader Socks5 Setup Request"; flow:established,to_server; content:"|05 01 00|"; depth:3; reference:url,www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html; classtype:targeted-activity; sid:2019809; rev:2; metadata:created_at 2014_11_26, former_category MALWARE, updated_at 2014_11_26;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Web Only - all versions"; flow:established,from_server; flowbits:isnotset,emerging_wmf_http; content:"HTTP"; depth:4; nocase; flowbits:set,emerging_wmf_http; flowbits:noalert; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002743; classtype:unknown; sid:2002743; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e1 d9 8a 80 b1 c5 98 08|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0f|tvd5w4gytsfheyh"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019810; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Web Only - version 3"; flow:established; flowbits:isset,emerging_wmf_http; flowbits:isnotset,emerging_wmf_expl; flowbits:isnotset,emerging_wmf_expl_v1; content:"|00 09 00 00 03|"; content:"|00 00|"; distance:10; within:12; flowbits:set,emerging_wmf_expl; flowbits:noalert; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002741; classtype:unknown; sid:2002741; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|11|b85937-static.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019811; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Web Only - version 1"; flow:established; flowbits:isset,emerging_wmf_http; flowbits:isnotset,emerging_wmf_expl; flowbits:isnotset,emerging_wmf_expl_v1; content:"|00 09 00 00 01|"; content:"|00 00|"; distance:10; within:12; flowbits:set,emerging_wmf_expl_v1; flowbits:noalert; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002757; classtype:unknown; sid:2002757; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 b6 2a 4d 61 3d fa c6|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|09|vgergvwtd"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019812; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Version 1"; flow:established; flowbits:isset,emerging_wmf_expl_v1; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,emerging_wmf_http; flowbits:unset,emerging_wmf_expl; flowbits:unset,emerging_wmf_expl_v1; threshold:type limit, track by_src, count 1,seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002758; classtype:attempted-user; sid:2002758; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Hesperbot CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ff 02 6f 9a b5 ff c3 9c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019813; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Version 3"; flow:established; flowbits:isset,emerging_wmf_expl; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,emerging_wmf_http; flowbits:unset,emerging_wmf_expl; flowbits:unset,emerging_wmf_expl_v1; threshold:type limit, track by_src, count 1,seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002742; classtype:attempted-user; sid:2002742; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 f1 2d d7 7c 92 29 6b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019814; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker kit (bug ie0604)"; flow:established,to_server; uricontent:"ie0604.cgi?bug="; nocase; reference:url,doc.emergingthreats.net/2002871; classtype:web-application-attack; sid:2002871; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d9 5c 3f 2b dc 29 86 c4|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019815; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker kit (exploit1 ie0601)"; flow:established,to_server; uricontent:"ie0601.cgi?exploit"; nocase; reference:url,doc.emergingthreats.net/2002869; classtype:web-application-attack; sid:2002869; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 73 b3 58 98 16 a7 5b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0d|cewceawf2c4ed"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019818; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker kit (ie0606)"; flow:established,to_server; uricontent:"ie0606.cgi?"; nocase; reference:url,doc.emergingthreats.net/2002937; classtype:web-application-attack; sid:2002937; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e7 df 16 fb ce 8d dc 5f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0c|wrgw4r3gwrgh"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019819; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker RootLauncher"; flow:established,to_server; uricontent:"rleadmin.cgi?getexe="; nocase; reference:url,doc.emergingthreats.net/2003063; classtype:web-application-attack; sid:2003063; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO WinHttpRequest Downloading EXE"; flow:established,from_server; flowbits:isset,et.WinHttpRequest; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2019822; rev:7; metadata:created_at 2014_12_01, former_category CURRENT_EVENTS, updated_at 2014_12_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker kit (exploit ie0604)"; flow:established,to_server; uricontent:"ie0604.cgi?exploit"; nocase; reference:url,doc.emergingthreats.net/2002870; classtype:web-application-attack; sid:2002870; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET EXPLOIT_KIT WinHttpRequest Downloading EXE Non-Port 80 (Likely Exploit Kit)"; flow:established,from_server; flowbits:isset,et.WinHttpRequest; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:exploit-kit; sid:2019823; rev:7; metadata:created_at 2014_12_01, former_category EXPLOIT_KIT, updated_at 2014_12_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED VMM Detecting Torpig/Anserin/Sinowal Trojan"; flow:to_client,established; content:"|51 51 0F 01 4C 24 00 8B 44 24 02 59 59 C3 E8 ED FF FF FF 25 00 00 00 FF 33 C9 3D 00 00 00 80 0F 95 C1 8B C1 C3|"; reference:url,doc.emergingthreats.net/2003094; classtype:trojan-activity; sid:2003094; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Microsoft Compact Office Document Format File Download"; flow:established,from_server; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; flowbits:set,et.MCOFF; flowbits:noalert; classtype:misc-activity; sid:2019834; rev:2; metadata:created_at 2014_12_02, updated_at 2014_12_02;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED (UPX) VMM Detecting Torpig/Anserin/Sinowal Trojan"; flow:to_client,established; content:"|51 51 0F 01 27 00 C1 FB B5 D5 35 02 E2 C3 D1 66 25 32 BD 83 7F B7 4E 3D 06 80 0F 95 C1 8B C1 C3|"; reference:url,doc.emergingthreats.net/2003095; classtype:trojan-activity; sid:2003095; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|03 15 45 cd|"; within:35; content:"|55 04 03|"; distance:0; content:"|14|static-630567398.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019839; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Warezov/Stration Challenge Response"; flowbits:isset,BEposs.warezov.challenge; flow:established,from_server; dsize:4; content:"|00 00 00 00|"; reference:url,www.sophos.com/security/analyses/w32strationbo.html; reference:url,doc.emergingthreats.net/2003176; classtype:trojan-activity; sid:2003176; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Execute Shell Command CnC Server Message"; flow:established,to_client; content:"! SH"; depth:4; pcre:"/^[^\r\n]+?\n$/R"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019298; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Warezov/Stration Challenge"; flow:established,to_server; dsize:1; content:"|38|"; flowbits:noalert; flowbits:set,BEposs.warezov.challenge; reference:url,www.sophos.com/security/analyses/w32strationbo.html; reference:url,doc.emergingthreats.net/2003175; classtype:not-suspicious; sid:2003175; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Hidden Embedded File"; flow:established,to_client; flowbits:isset,ET.pdf.in.http; file_data; content:"obj"; distance:0; content:"<<"; within:4; content:"/Embeddedfile"; distance:0; pcre:"/\x3C\x3C[^>]*\x2FEmbeddedfile/sm"; reference:url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/; classtype:bad-unknown; sid:2019850; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http any any -> any $HTTP_PORTS (msg:"ET DELETED Allaple Unique HTTP Request - Possibly part of DDOS"; flow:established,to_server; content:"GET /  HTTP/1.1|0d 0a|"; rawbytes; depth:20; threshold:type both, count 1, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2003484; reference:url,isc.sans.org/diary.html?storyid=2451; classtype:trojan-activity; sid:2003484; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Magnitude Flash Exploit (IE)"; flow:established,to_server; urilen:31<>69; content:"x-flash-version"; http_header; fast_pattern:only; pcre:"/^\/\??[a-f0-9]{32}(?:\/[a-f0-9]{32})?\/?$/U"; pcre:"/Host\x3a\x20(?:\.*[a-f0-9]\.*){32}\./Hm"; classtype:exploit-kit; sid:2019799; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zango Spyware Post"; flow:to_server,established; uricontent:"/te.aspx?ver="; nocase; pcre:"/ver=[v\d]+/Ui"; reference:url,usa.kaspersky.com/about-us/news-press-releases.php?smnr_id=900000045; reference:url,doc.emergingthreats.net/bin/view/Main/2007607; classtype:trojan-activity; sid:2007607; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Dec 03 2014"; flow:established,from_server; file_data; content:"=|22|replace|22 3b 27 29 3b|"; content:"|7b 41 3d 5b 5b 61 5d 2c 5b 65 76 61 6c 5d 5d 3b 7d 41 5b 31 5d 5b 30 5d 28 41 5b 30 5d 5b 30 5d 29 3b|"; classtype:exploit-kit; sid:2019874; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1800 (msg:"ET DELETED TroDjan 2.0 Infection Report"; flow:established,to_server; dsize:<60; content:"Windows NT "; depth:11; reference:url,doc.emergingthreats.net/2008587; classtype:trojan-activity; sid:2008587; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AlienSpy RAT Checkin Set"; flow:established,to_server; dsize:4; content:"|ac ed|"; depth:2; flowbits:set,ET.rat.alienspy; flowbits:noalert; reference:url,contagiodump.blogspot.com/2014/11/alienspy-java-rat-samples-and-traffic.html?m=1; classtype:command-and-control; sid:2019738; rev:2; metadata:created_at 2014_11_18, former_category MALWARE, updated_at 2014_11_18;)
 
-#alert tcp $EXTERNAL_NET 1802 -> $HOME_NET any (msg:"ET DELETED TroDjan 2.0 FTP Channel Open Command"; flow:established,to_server; dsize:7; content:"ftpopen"; reference:url,doc.emergingthreats.net/2008588; classtype:trojan-activity; sid:2008588; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"ET SCADA DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow Vulnerability"; flow:established,to_server; content:"GetFlexMLangIResourceBrowser"; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,exploit-db.com/exploits/17417/; classtype:denial-of-service; sid:2013074; rev:2; metadata:created_at 2011_06_21, updated_at 2011_06_21;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 8392 (msg:"ET DELETED Torpig Initial CnC Connect on port 8392"; flow:established,to_server; dsize:4; content:"|00 00 78 e3|"; flowbits:set,ET.torpig.init; reference:url,doc.emergingthreats.net/2010826; classtype:command-and-control; sid:2010826; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE BitCrypt site accessed via .onion SSL Proxy"; flow:established,from_server; content:"|55 04 03|"; content:"kphijmuo2x5expag."; nocase; distance:2; within:17; classtype:trojan-activity; sid:2018399; rev:2; metadata:created_at 2014_04_18, updated_at 2014_04_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 8392 (msg:"ET DELETED Torpig CnC Connect on port 8392"; flowbits:isset,ET.torpig.init; flow:established,to_server; content:"|00 00|"; depth:2; content:"|00 00 00|"; distance:2; within:5; flowbits:set,ET.torpig.fosure; reference:url,doc.emergingthreats.net/2010827; classtype:command-and-control; sid:2010827; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Terminate Process CnC Server Message"; flow:established,to_client; dsize:12; content:"! LOLNOGTFO|0A|"; depth:12; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019304; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
-#alert tcp $EXTERNAL_NET 8392 -> $HOME_NET any (msg:"ET DELETED Torpig CnC IP Report Command on port 8392"; flowbits:isset,ET.torpig.fosure; flow:established,from_server; dsize:4; content:"|00 00 00 0d|"; reference:url,doc.emergingthreats.net/2010828; classtype:command-and-control; sid:2010828; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot UDP Flood CnC Server Message"; flow:established,to_client; content:"! UDP "; depth:6; pcre:"/\x21\x20UDP\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019300; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
-#alert tcp $EXTERNAL_NET 8392 -> $HOME_NET any (msg:"ET DELETED Torpig CnC Report Command on port 8392"; flowbits:isset,ET.torpig.fosure; flow:established,from_server; dsize:4; content:"|00 00 01 6f|"; reference:url,doc.emergingthreats.net/2010829; classtype:command-and-control; sid:2010829; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot TCP Flood CnC Server Message"; flow:established,to_client; content:"! TCP "; depth:6; pcre:"/\x21\x20TCP\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019301; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BleedingLife EK Variant Aug 26 2014"; flow:established,to_server; content:".php?spl="; http_uri; fast_pattern:only; pcre:"/\.php\?spl=[\w_]+$/Ui"; classtype:exploit-kit; sid:2019023; rev:2; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot HOLD TCP Flood CnC Server Message"; flow:established,to_client; content:"! HOLD "; depth:7; pcre:"/\x21\x20HOLD\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019302; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Offensive Security EMET Bypass Observed in BleedingLife Variant Aug 26 2014"; flow:established,to_client; file_data; content:"|22 25 75 22 2b 67 65 74 6d 6f 64 75 6c 65 77 31 2b 22 25 75 22 2b 67 65 74 6d 6f 64 75 6c 65 77 32 29|"; classtype:trojan-activity; sid:2019024; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Kill Attack CnC Server Message"; flow:established,to_client; dsize:11; content:"! KILLATTK|0A|"; depth:11; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019303; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; content:"/?bot_id=0&mode=1"; http_uri; fast_pattern:only; reference:url,doc.emergingthreats.net/2008358; classtype:command-and-control; sid:2008358; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Enchanim C2 Client Check-in"; flow:established,to_server; content:"some_magic_code1"; depth:16; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:command-and-control; sid:2016772; rev:2; metadata:created_at 2013_04_19, former_category MALWARE, updated_at 2013_04_19;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Srizbi requesting template"; flow:established,to_server; content:"GET|20|/"; depth:5; content:"|0d0a|X-Flags|3a20|"; within:200; content:"|0d0a|X-TM|3a20|"; within:20; content:"|0d0a|X-BI|3a20|"; within:20; reference:url,www.secureworks.com/research/threats/ronpaul/; reference:url,doc.emergingthreats.net/2007712; classtype:trojan-activity; sid:2007712; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Lookup of Known BlackEnergy DDOS Botnet CnC Server globdomain.ru"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0A|globdomain|02|ru"; nocase; distance:0; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110116; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20100913; classtype:command-and-control; sid:2012203; rev:2; metadata:created_at 2011_01_18, updated_at 2011_01_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Universal1337 FTP Upload of Compromised Data"; flow:established,to_server; content:"#############|0d 0a|"; content:"###########"; distance:0; content:" Universal1337 "; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanUniversal1337; reference:url,www.megasecurity.org/trojans/u/universal1337/Universal1337v2.html; classtype:trojan-activity; sid:2007967; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE W32/SpyBanker Infection Confirmation Email"; flow:established,to_server; content:"From|3A 20 22|Bitch Infected|22|"; reference:md5,007eb53d1b0de237f86750a239cae48e; classtype:trojan-activity; sid:2014668; rev:2; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Universal1337 Email Upload of Compromised Data"; flow:established,to_server; content:"#############|0d 0a|"; content:"###########"; distance:0; content:" Universal1337 "; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanUniversal1337; reference:url,www.megasecurity.org/trojans/u/universal1337/Universal1337v2.html; classtype:trojan-activity; sid:2007968; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock.6870 SSL Cert"; flow:from_server,established; content:"|00 cc 05 c7 80 14 cf 3f 50|"; content:"|55 04 08 13 0c|Someprovince"; distance:0; content:"|55 04 07 13 08|Sometown"; distance:0; classtype:trojan-activity; sid:2015795; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_10_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Vapsup User-Agent (doshowmeanad loader v2.1)"; flow:to_server,established; content:"User-Agent|3a| doshowmeanad "; http_header; reference:url,doc.emergingthreats.net/2008142; classtype:trojan-activity; sid:2008142; rev:5; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP OPTIONS invalid method case outbound"; flow:established,to_server; content:"options "; depth:8; nocase; content:!"OPTIONS "; depth:8; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014382; rev:2; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java Downloader likely malicious payload download src=xrun"; flow:established,to_server; content:"/get?src=xrun"; nocase; content:"Request|3a| "; nocase; http_header; reference:url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html; reference:url,doc.emergingthreats.net/2010821; classtype:trojan-activity; sid:2010821; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Searchwebmobile.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0F|searchwebmobile|03|com"; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013041; rev:2; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Steam Pass Stealer FTP Upload"; flow:established,to_server; dsize:33; content:"STEAM nicht eingespeichert!!!"; reference:url,doc.emergingthreats.net/2008332; classtype:trojan-activity; sid:2008332; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET MALWARE Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"Wy9GbCAvRmxd"; classtype:trojan-activity; sid:2019117; rev:2; metadata:created_at 2014_09_05, former_category CURRENT_EVENTS, updated_at 2014_09_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE VirtualProtect Packed Binary - Likely Hostile"; flow:established,from_server; content:"|2E 72 73 72 63|"; content:"|2E 70 61 63 6B 33 32 00|"; within:49; reference:url,bits.packetninjas.org/eblog/?p=3; reference:url,doc.emergingthreats.net/2008509; classtype:trojan-activity; sid:2008509; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET MALWARE Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"IFsvRmwgL0Zs"; classtype:trojan-activity; sid:2019119; rev:2; metadata:created_at 2014_09_05, former_category CURRENT_EVENTS, updated_at 2014_09_05;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Visual Shock Keylogger Reporting to Controller"; flow:established,to_server; dsize:<150; content:"|00 00|Visual Shock Keylogger "; offset:10; depth:34; flowbits:set,ET.vskeylogger; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=42573; reference:url,doc.emergingthreats.net/2008601; classtype:trojan-activity; sid:2008601; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET MALWARE Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"L0ZsIC9GbF0g"; classtype:trojan-activity; sid:2019118; rev:3; metadata:created_at 2014_09_05, former_category CURRENT_EVENTS, updated_at 2014_09_05;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Visual Shock Keylogger Reporting Idle to Controller"; flowbits:isset,ET.vskeylogger; flow:established,to_server; dsize:8; content:"|08 00 00 00 00 00 00 00|"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=42573; reference:url,doc.emergingthreats.net/2008602; classtype:trojan-activity; sid:2008602; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017966; rev:3; metadata:created_at 2014_01_14, updated_at 2014_01_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy-Net Trojan Connection (2)"; flow:established; content:"conectado|7c 0a|"; depth:11; reference:url,doc.emergingthreats.net/2008645; classtype:trojan-activity; sid:2008645; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"ET INFO NetSSH SSH Version String Hardcoded in Metasploit"; flow:established,to_server; content:"SSH-2.0-OpenSSH_5.0|0d 0a|"; depth:21; reference:url,github.com/rapid7/metasploit-framework/blob/master/lib/net/ssh/transport/server_version.rb; classtype:attempted-user; sid:2014925; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_06_20, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Torpig Infection Reporting"; flow:established,to_server; content:"POST"; depth:4; http_method; content:!"User-Agent|3a| "; http_header; content:"Content-Length|3a| 0|0d 0a|"; http_header; content:"Connection|3a| close|0d 0a|"; http_header; pcre:"/^\/[0-9A-F]{16}\/[0-9A-Za-z\+\/]{100,}$/U"; reference:url,www2.gmer.net/mbr/; reference:url,www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf; reference:url,doc.emergingthreats.net/2008660; reference:url,offensivecomputing.net/?q=node/909; classtype:trojan-activity; sid:2008660; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 4444 (msg:"ET SCADA Golden FTP Server PASS Command Remote Buffer Overflow Attempt"; flow:established,to_server; content:"PASS"; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:bugtraq,45957; classtype:denial-of-service; sid:2013235; rev:2; metadata:created_at 2011_07_08, updated_at 2011_07_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unkown Trojan User-Agent (5.1 ...)"; flow:established,to_server; content:"User-Agent|3a| 5.1 "; http_header; reference:url,doc.emergingthreats.net/2009685; classtype:trojan-activity; sid:2009685; rev:5; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2017_10_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Easy Printer Care Software XMLCacheMgr ActiveX Control Remote Code Execution Attempt"; flow:established,to_client; content:"ActiveXObject"; nocase; content:"HPESPRIT.XMLCacheMgr.1"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:bid,51396; reference:cve,2011-4786; classtype:attempted-user; sid:2014132; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 31 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008744; classtype:policy-violation; sid:2008744; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely GoodBye 5.2 DDoS tool"; flow:to_server,established; dsize:<50; content:"|20|HTTP/1.1Host|3a 20|"; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019350; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 32 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008745; classtype:policy-violation; sid:2008745; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Ping CnC Server Message"; flow:established,to_client; dsize:7; content:"! PING|0A|"; depth:7; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019296; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 33 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008746; classtype:policy-violation; sid:2008746; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Scanner CnC Server Message"; flow:established,to_client; dsize:12<>15; content:"! SCANNER "; depth:10; pcre:"/\x21\x20SCANNER\x20(ON|OFF)\x0A/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019297; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 34 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008747; classtype:policy-violation; sid:2008747; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Get Bot IP CnC Server Message"; flow:established,to_client; dsize:13; content:"! GETLOCALIP|0A|"; depth:13; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019295; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 35 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 3, seconds 30; reference:url,doc.emergingthreats.net/2008748; classtype:policy-violation; sid:2008748; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8444 (msg:"ET POLICY Bitmessage Activity"; flow:established,to_server; content:"version"; offset:4; depth:7; content:"Bitmessage|3a|"; distance:0; reference:url,bitmessage.org; classtype:policy-violation; sid:2019746; rev:2; metadata:created_at 2014_11_19, updated_at 2014_11_19;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trash Family - HTTP POST"; flow:established,to_server; content:"POST"; depth:4; http_method; content:!"User-Agent|3a|"; http_header; nocase; content:"Type="; http_client_body; nocase; content:"&Dvip="; http_client_body; nocase; content:"&Mask="; http_client_body; nocase; content:"&Guid="; http_client_body; nocase; content:"&Addr="; http_client_body; nocase; content:"&Protect="; http_client_body; nocase; content:"Url"; http_client_body; nocase; content:"&OSVer="; http_client_body; nocase; reference:url,www.spywareguide.com/product_show.php?id=1935; reference:url,www.sunbeltsecurity.com/threatdisplay.aspx?name=Trojan.Trash.Gen&tid=178782&cs=03253E96A71C3EE824071E5BE3A32CCD; reference:url,doc.emergingthreats.net/2009449; classtype:trojan-activity; sid:2009449; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/AlienSpy RAT Checkin"; flow:established,to_server; flowbits:isset,ET.rat.alienspy; content:"|78 70|"; depth:2; content:"|1f 8b 08 00 00 00 00 00 00 00 75 54|"; distance:4; within:12; reference:url,contagiodump.blogspot.com/2014/11/alienspy-java-rat-samples-and-traffic.html?m=1; classtype:command-and-control; sid:2019740; rev:2; metadata:created_at 2014_11_18, former_category MALWARE, updated_at 2014_11_18;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE VMProtect Demo version Packed Binary - Likely Hostile"; flow:from_server,established; content:"|2E|rsrc|00|"; content:"vmp0|00|"; within: 50; content:"vmp1|00|"; within:50; reference:url,www.vmprotect.ru; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2009019; classtype:trojan-activity; sid:2009019; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any 6784 -> $HOME_NET 1024: (msg:"ET POLICY Splashtop Remote Control Session Keepalive Response"; flow:established,from_server; dsize:4; content:"|31 00|"; offset:2; depth:2; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014130; rev:2; metadata:created_at 2012_01_16, updated_at 2012_01_16;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE Asprox-style Message ID"; flow:established,to_server; dsize:<80; content:"Message-ID|3a20|"; depth:12; content:"|0d0a|"; within: 68; flowbits:set,ET.asproxmessageid; flowbits:noalert; reference:url,www.secureworks.com/research/threats/danmecasprox; reference:url,doc.emergingthreats.net/2008221; classtype:trojan-activity; sid:2008221; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (udp) beacon"; content:"|13|QVOD protocol|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:42; reference:md5,816a02a1250d90734059ed322ace72c7; classtype:policy-violation; sid:2015966; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_11_30, deployment Perimeter, former_category P2P, signature_severity Major, tag c2, updated_at 2012_11_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE Asprox phishing email detected"; flow:established,to_server; content:"From|3a20|"; depth:6; content:"|0d0a|Bcc|3a20|"; within:150; flowbits:isset,ET.asproxmessageid; reference:url,www.secureworks.com/research/threats/danmecasprox; reference:url,doc.emergingthreats.net/2008222; classtype:trojan-activity; sid:2008222; rev:5; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 623 (msg:"ET POLICY Possible IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval RAKP message 1 with default BMC usernames (Admin|root|Administrator|USERID)"; content:"|06 12|"; offset:4; depth:2; pcre:"/((\x0d|\x05)Admin(istrator)?|\x04root|\x06USERID)/Ri"; classtype:protocol-command-decode; sid:2017120; rev:2; metadata:created_at 2013_07_09, former_category POLICY, updated_at 2013_07_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Key Checkin (Clicker.Win32.Delf.afl)"; flow:established,to_server; content:".php?key=???????+????????????"; content:"+Dial-up+??????+?+??????????????"; reference:url,doc.emergingthreats.net/2008666; classtype:command-and-control; sid:2008666; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert udp $HOME_NET 623 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval RAKP message 2 status code Unauthorized Name"; content:"|06 13|"; offset:4; depth:2; content:"|0d|"; distance:11; within:1; classtype:protocol-command-decode; sid:2017121; rev:2; metadata:created_at 2013_07_09, former_category ATTACK_RESPONSE, updated_at 2013_07_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Agent.fvt Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?"; nocase; http_uri; content:"lversion="; nocase; http_uri; content:"wversion=&eversion=&fid="; nocase; http_uri; content:"&mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008667; classtype:command-and-control; sid:2008667; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX J-Integra ActiveX SetIdentity Buffer Overflow"; flow:established,to_client; content:"clsid"; nocase; content:"8234E54E-20CB-4A88-9AB6-7986F99BE243"; nocase; content:"|2e|SetIdentity"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*8234E54E-20CB-4A88-9AB6-7986F99BE243\s*}?\s*(.*)(\s|>)/si"; reference:url,www.exploit-db.com/exploits/15655; classtype:attempted-user; sid:2012098; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_12_23, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 91 (msg:"ET MALWARE Backdoor.Win32.Assasin.20.C Control Session Start"; flow:established,to_server; content:"11000"; depth:5; content:"^"; distance:4; within:5; flowbits:isnotset,ET.assassin.start; flowbits:set,ET.assassin.start; reference:url,doc.emergingthreats.net/2008675; classtype:trojan-activity; sid:2008675; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (udp) payload"; content:"QVOD"; depth:32; reference:md5,816a02a1250d90734059ed322ace72c7; classtype:policy-violation; sid:2015967; rev:2; metadata:created_at 2012_11_30, updated_at 2012_11_30;)
 
-#alert tcp $EXTERNAL_NET 91 -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.Assasin.20.C Control Session Server Reply"; flowbits:isset,ET.assassin.start; flow:established,from_server; dsize:12; content:"10000002|5e 2a|"; depth:10; flowbits:set,ET.assassin.reply; reference:url,doc.emergingthreats.net/2008676; classtype:trojan-activity; sid:2008676; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX J-Integra Remote Code Execution"; flow:established,to_client; content:"clsid"; nocase; content:"F21507A7-530F-4A89-8FE4-9D989670FD2C"; nocase; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*F21507A7-530F-4A89-8FE4-9D989670FD2C\s*}?\s*(.*)(\s|)/si"; pcre:"/\x2e[RemoveAccessPermission|AddLaunchPermission|AddAccessPermission|RemoveLaunchPermission]/"; reference:url,www.exploit-db.com/exploits/15648; classtype:attempted-user; sid:2012095; rev:3; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 91 (msg:"ET MALWARE Backdoor.Win32.Assasin.20.C Control Channel Client Reply"; flow:established,to_server; dsize:10; content:"10000000|5e 2a|"; flowbits:isset,ET.assassin.reply; reference:url,doc.emergingthreats.net/2008677; classtype:trojan-activity; sid:2008677; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX WMITools ActiveX Remote Code Execution"; flow:established,to_client; content:"clsid"; nocase; content:"2745E5F5-D234-11D0-847A-00C04FD7BB08"; nocase; distance:0; content:"|2e|AddContextRef"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*2745E5F5-D234-11D0-847A-00C04FD7BB08\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15809/; classtype:attempted-user; sid:2012097; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_12_23, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER SQL Injection Attempt (Agent NV32ts)"; flow:to_server,established; content:"User-Agent|3a| NV32ts"; reference:url,doc.emergingthreats.net/2009029; classtype:web-application-attack; sid:2009029; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_10_15;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate"; flow:established,from_server; content:"|7a 13 4e 00 74 5b c6 78 63 64 27 c1 2f e2 a0 5b bc 79 c5 7b|"; content:"sef1941@gmail.com"; within:250; reference:url,contagiodump.blogspot.com/2011/06/jun-22-cve-2011-0611-pdf-swf-fruits-of.html; classtype:misc-activity; sid:2013223; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_07_06, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Armitage Loader Check-in"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/lds.php"; http_uri; reference:url,doc.emergingthreats.net/2009036; classtype:trojan-activity; sid:2009036; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019346; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SQLNinja MSSQL Version Scan"; flow:to_server,established; content:"?param=a"; content:"if%20not%28substring%28%28select%20%40%40version"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009038; classtype:attempted-recon; sid:2009038; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS HTTP GET AAAAAAAA Likely FireFlood"; flow:to_server,established; content:"GET AAAAAAAA HTTP/1.1"; content:!"Referer|3a|"; distance:0; content:!"Accept"; distance:0; content:!"|0d 0a|"; distance:0; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019347; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert freeb4u.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|freeb4u.com"; distance:1; within:12; reference:md5,3c140d775b33a5201089e8f8118b7fb5; classtype:trojan-activity; sid:2019025; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely AnonMafiaIC DDoS tool"; flow:to_server,established; dsize:20; content:"GET / HTTP/1.0|0d 0a 0d 0a 0d 0a|"; depth:20; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019348; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert developmentinn.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|www.developmentinn.com"; distance:1; within:23; reference:md5,2f17d82e939efe315a89f1aa42e93cf1; classtype:trojan-activity; sid:2019026; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely AnonGhost DDoS tool"; flow:to_server,established; dsize:20; content:"GET / HTTP/1.1|0d 0a 0d 0a 0d 0a|"; depth:20; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019349; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert directory92.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|directory92.com"; distance:1; within:16; reference:md5,dc7939920cb93e58c990a8e0a0295bb7; classtype:trojan-activity; sid:2019027; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp any 2067 -> $EXTERNAL_NET any (msg:"ET EXPLOIT DLSw Information Disclosure CVE-2014-7992"; flow:established,from_server; content:"Cisco"; nocase; pcre:"/^(?: Systems|\.com\/techsupport)/Ri"; threshold:type both,count 1,seconds 60,track by_dst; reference:url,www.fishnetsecurity.com/6labs/blog/cisco-dlsw-leakage-allows-retrieval-packet-contents-remote-routers; reference:url,github.com/tatehansen/dlsw_exploit; reference:cve,2014-7992; classtype:trojan-activity; sid:2019778; rev:2; metadata:created_at 2014_11_24, updated_at 2014_11_24;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert epr-co.ch"; flow:established,from_server; content:"|55 04 03|"; content:"|09|epr-co.ch"; distance:1; within:10; reference:md5,dc7939920cb93e58c990a8e0a0295bb7; classtype:trojan-activity; sid:2019028; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 3478 (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request)"; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2016149; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert pouyasazan.org"; flow:established,from_server; content:"|55 04 03|"; content:"|15|linux4.pouyasazan.org"; distance:1; within:22; reference:md5,b978929f93fe8e10d8f7f6f52953cbba; classtype:trojan-activity; sid:2019029; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Random Byte Flood CnC Server Message"; flow:established,to_client; content:"! JUNK "; depth:7; pcre:"/\x21\x20JUNK\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019299; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert ara-photos.net"; flow:established,from_server; content:"|55 04 03|"; content:"|12|www.ara-photos.net"; distance:1; within:19; reference:md5,b978929f93fe8e10d8f7f6f52953cbba; classtype:trojan-activity; sid:2019030; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET MALWARE W32/DoubleTap.APT Downloader CnC Beacon"; flow:established,to_server; content:"|05 01 00 01 c0 b8 3c e5 00 51|"; depth:10; reference:url,www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html; classtype:targeted-activity; sid:2019808; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_11_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert tecktalk.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.tecktalk.com"; distance:1; within:17; reference:md5,0181d134ff73743e8dd5e23b9cf7ff51; classtype:trojan-activity; sid:2019031; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019014; rev:4; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert cyclivate.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|www.cyclivate.com"; distance:1; within:18; reference:md5,b911327d0ba6ce016e8e33ba97e87e83; classtype:trojan-activity; sid:2019032; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019015; rev:4; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert mentoringgroup.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|www.mentoringgroup.com"; distance:1; within:23; reference:md5,444dd80b551ac28e43380c2ef0bc4df0; classtype:trojan-activity; sid:2019033; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019016; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert ssshosting.net"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|ssshosting.net"; distance:1; within:15; reference:md5,8f13400f01f5ad3404bc6700279ac7aa; classtype:trojan-activity; sid:2019035; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019017; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert erotikturk.com"; flow:established,from_server; content:"|55 04 03|"; content:"|15|server.erotikturk.com"; distance:1; within:22; reference:md5,8f13400f01f5ad3404bc6700279ac7aa; classtype:trojan-activity; sid:2019036; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp $EXTERNAL_NET 3478 -> $HOME_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Response)"; content:"|01 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2016150; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert mtnoutfitters.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|mtnoutfitters.com"; distance:1; within:18; reference:md5,ebca10e0a4eb99758f0fb3612fa970ba; classtype:trojan-activity; sid:2019037; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019018; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert jojik-international.com"; flow:established,from_server; content:"|55 04 03|"; content:"|17|jojik-international.com"; distance:1; within:24; reference:md5,ffa19cd3be6a89da96bcfb5a1a52b6ae; classtype:trojan-activity; sid:2019038; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019019; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert abarsolutions.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|abarsolutions.com"; distance:1; within:18; reference:md5,029e3713002bd3514b1f2493caea8294; classtype:trojan-activity; sid:2019039; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Sorbs.net Block Message"; flow:established,from_server; content:"sorbs.net"; classtype:not-suspicious; sid:2012985; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert eastwoodvalley.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|www.eastwoodvalley.com"; distance:1; within:23; reference:md5,450b394d88a69f6cb9722a5b56168ce6; classtype:trojan-activity; sid:2019040; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Sophos.com Block Message"; flow:established,from_server; content:"sophos.com"; classtype:not-suspicious; sid:2012984; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert pejlain.se"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|pejlain.se"; distance:1; within:11; reference:md5,1658e12bb1fe8a25127e8bd09b923acd; classtype:trojan-activity; sid:2019042; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"ET EXPLOIT Zollard PHP Exploit Telnet Outbound"; flow:to_server,established; content:"/var/run/.zollard/"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:attempted-user; sid:2017800; rev:2; metadata:created_at 2013_12_05, updated_at 2013_12_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert dominionthe.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|dominionthe.com"; distance:1; within:16; reference:md5,911bc6e1c581e9295d193bcdbcce1ddd; classtype:trojan-activity; sid:2019043; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> [85.255.112.0/20,67.210.0.0/20,93.188.160.0/21,77.67.83.0/24,213.109.64.0/20,64.28.176.0/20] 53 (msg:"ET DELETED Potential DNS Request from Trojan.DNSChanger infected system"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; reference:url,www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf; classtype:trojan-activity; sid:2014043; rev:2; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert delanecanada.ca"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|delanecanada.ca"; distance:1; within:16; reference:md5,911bc6e1c581e9295d193bcdbcce1ddd; classtype:trojan-activity; sid:2019044; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE W32/SCKeyLog.InfoStealer Installation Confirmation Via SMTP"; flow:established,to_server; content:"Subject|3A 20|Installation of SC-KeyLog on host"; nocase; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=910563; reference:md5,cc439073eeb244e6bcecee8b6774b672; classtype:trojan-activity; sid:2014354; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert hebergement-solutions.com"; flow:established,from_server; content:"|55 04 03|"; content:"|19|hebergement-solutions.com"; distance:1; within:26; reference:md5,e5f8caba2b2832de5c13a16d5b4f6d6f; classtype:trojan-activity; sid:2019045; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Zollard PHP Exploit Telnet Inbound"; flow:to_server,established; content:"/var/run/.zollard/"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:attempted-user; sid:2017799; rev:2; metadata:created_at 2013_12_05, updated_at 2013_12_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert sportofteniq.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|sportofteniq.com"; distance:1; within:17; reference:md5,d06ec89944b566df8dcd959a2196b37c; classtype:trojan-activity; sid:2019046; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 15525 (msg:"ET MALWARE W32/Keylogger.CI Checkin"; flow:established,to_server; dsize:5; content:"|47 00 46 00 49|"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpyWin32/Keylogger.CI#tab=2; reference:url,www.virustotal.com/en/file/95c65d44a2dd717b27c8008470f95fe46637f624b20d9e19e0c06573b94d20f9/analysis/; classtype:command-and-control; sid:2019712; rev:2; metadata:created_at 2014_11_15, former_category MALWARE, updated_at 2014_11_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert adoraacc.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|adoraacc.com"; distance:1; within:13; reference:md5,a938c50d686663f97d62dff812fc575b; classtype:trojan-activity; sid:2019047; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019021; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert tristacey.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|tristacey.com"; distance:1; within:14; reference:md5,e40ec448fd7cfea641a18fb6b38e4e92; classtype:trojan-activity; sid:2019048; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019020; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert nbc-mail.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nbc-mail.com"; distance:1; within:13; reference:md5,348b8a9e693a6784a6cf26d9afe6fed9; classtype:trojan-activity; sid:2019049; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp any 123 -> any any (msg:"ET DOS Likely NTP DDoS In Progress Multiple UNSETTRAP Mode 6 Responses"; content:"|df 00 00 04 00|"; offset:1; depth:5; byte_test:1,!&,128,0; byte_test:1,!&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,!&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019022; rev:4; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert tridayacipta.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|tridayacipta.com"; distance:1; within:17; reference:md5,010e6b78b6ec2fd6970b0c709e70acec; classtype:trojan-activity; sid:2019050; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Code4hk.A Checkin"; flow:established,to_server; content:"ClientInfo"; content:"isWifi"; distance:0; content:"cpuInfo"; distance:0; content:"firstOnlineIp"; distance:0; content:"firstOnlineTime"; distance:0; content:"imei"; distance:0; content:"ipAddr"; distance:0; content:"phoneBrand"; distance:0; content:"phoneNumber"; distance:0; content:"simOperator"; distance:0; fast_pattern; reference:url,malware.lu/articles/2014/09/29/analysis-of-code4hk.html; classtype:trojan-activity; sid:2019318; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_09_30, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2016_07_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert trainthetrainerinternational.com"; flow:established,from_server; content:"|55 04 03|"; content:"|20|trainthetrainerinternational.com"; distance:1; within:33; reference:md5,010e6b78b6ec2fd6970b0c709e70acec; classtype:trojan-activity; sid:2019051; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MS Office Macro Dridex Download URI Dec 5 2014"; flow:established,to_server; content:"GET"; http_method; urilen:13; content:"/stat/lld.php"; http_uri; fast_pattern:only; content:!"Referer|3A|"; http_header; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/; classtype:trojan-activity; sid:2019877; rev:2; metadata:created_at 2014_12_05, former_category CURRENT_EVENTS, updated_at 2014_12_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert lingayasuniversity.edu.in"; flow:established,from_server; content:"|55 04 03|"; content:"|1d|www.lingayasuniversity.edu.in"; distance:1; within:30; reference:md5,b2c3bb2b56876e325d86731a693fd138; classtype:trojan-activity; sid:2019052; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Destover RAT Check-in"; flow:established,to_server; content:"|17 03 01 00 0C E2 C4 Fd D9 E8 E3 F2 9F|"; reference:md5,d1c27ee7ce18675974edf42d4eea25c6; reference:url,www.symantec.com/connect/blogs/destover-destructive-malware-has-links-attacks-south-korea; classtype:trojan-activity; sid:2019878; rev:2; metadata:created_at 2014_12_06, updated_at 2014_12_06;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert uleideargan.com"; flow:established,from_server; content:"|55 04 03|"; content:"|13|www.uleideargan.com"; distance:1; within:20; reference:md5,ba402e41e140af41d57788e24c4c56d4; classtype:trojan-activity; sid:2019053; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 62 ab fb 64 b9 bc de|"; within:35; content:"|55 04 03|"; distance:0; content:"|05|USTiD"; distance:1; within:6; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019879; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert picklingtank.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|picklingtank.com"; distance:1; within:17; reference:md5,ba402e41e140af41d57788e24c4c56d4; classtype:trojan-activity; sid:2019054; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.cc)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|cc|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019882; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert vcomdesign.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|vcomdesign.com"; distance:1; within:15; reference:md5,9ad86fc9a57b620e96082cd61aa1b494; classtype:trojan-activity; sid:2019055; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.ws)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ws|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019883; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert technosysuk.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|technosysuk.com"; distance:1; within:16; reference:md5,fc23d6cbe926a022cac003214679ec7a; classtype:trojan-activity; sid:2019056; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.to)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|to|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019884; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert slmp-550-105.slc.westdc.net"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|slmp-550-105.slc.westdc.net"; distance:1; within:28; reference:md5,f053b1aa875751944bae74fce67fe965; classtype:trojan-activity; sid:2019057; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.in)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|in|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019885; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert itiltrainingcertworkshop.com"; flow:established,from_server; content:"|55 04 03|"; content:"|23|server.itiltrainingcertworkshop.com"; distance:1; within:36; reference:md5,f7b715ad4235599ed21179a369279225; classtype:trojan-activity; sid:2019058; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.hk)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|hk|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019886; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert udderperfection.com"; flow:established,from_server; content:"|55 04 03|"; content:"|13|udderperfection.com"; distance:1; within:20; reference:md5,27938e57f7928e9559e71d384a8fffe6; classtype:trojan-activity; sid:2019059; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.cn)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ck|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019887; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert efind.co.il"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|efind.co.il"; distance:1; within:12; reference:md5,6d8a5b36f61e392aaa048b97b3d9e090; classtype:trojan-activity; sid:2019060; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.tk)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|tk|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019888; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert bloodsoft.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|bloodsoft.com"; distance:1; within:14; reference:md5,1b1626f65c4bac3af1220898f971f3ac; classtype:trojan-activity; sid:2019061; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.so)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|so|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019889; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert walletmix.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|www.walletmix.com"; distance:1; within:18; reference:md5,1b1626f65c4bac3af1220898f971f3ac; classtype:trojan-activity; sid:2019062; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ee 63 19 d5 6a 4c 09 cf|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|UA"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019890; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert turnaliinsaat.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|turnaliinsaat.com"; distance:1; within:18; reference:md5,feb5304d966a0f1610e642984a64d54c; classtype:trojan-activity; sid:2019063; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malicious Iframe Leading to EK Dec 08 2014"; flow:established,from_server; file_data; content:"document.write(|22|<iframe name=|27|"; within:30; pcre:"/^[A-Za-z0-9]+\x27\s*?src=\x27http\x3a[^\x27]+[\x27]\s*width=1\d\s+height=1\d\s+/R"; content:"frameborder=0 marginheight=0 marginwidth=0 scrolling=no"; content:"</|22| +  |22|iframe>|22|)|3b|"; fast_pattern; isdataat:!3,relative; classtype:exploit-kit; sid:2019892; rev:2; metadata:created_at 2014_12_09, former_category CURRENT_EVENTS, updated_at 2014_12_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert mdus-pp-wb12.webhostbox.net"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|mdus-pp-wb12.webhostbox.net"; distance:1; within:28; reference:md5,309efe8603c6db1218e8a95b6f4d2840; classtype:trojan-activity; sid:2019064; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malicious Redirect Leading to EK Dec 08 2014"; flow:established,from_server; content:"Content-Type|3a 20 0d 0a|"; http_header; fast_pattern:only; pcre:"/^Last-Modified\x3a\x20[^A-Za-z]{2}/Hm"; file_data; content:"<meta http-equiv=|22|refresh|22| content=|22|0|3b| url="; classtype:exploit-kit; sid:2019895; rev:2; metadata:created_at 2014_12_09, former_category CURRENT_EVENTS, updated_at 2014_12_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert plastics-technology.com"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|www.plastics-technology.com"; distance:1; within:28; reference:md5,309efe8603c6db1218e8a95b6f4d2840; classtype:trojan-activity; sid:2019065; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Linux.Turla Download"; flow:from_server,established; flowbits:isset,ET.ELFDownload; content:"__we_are_happy__"; content:"__TREX__STOP__STRING__"; distance:0; content:"/dev/random"; distance:1; within:11; reference:url,securelist.com/blog/research/67962/the-penquin-turla-2/; reference:md5,19fbd8cbfb12482e8020a887d6427315; classtype:targeted-activity; sid:2019896; rev:2; metadata:created_at 2014_12_09, updated_at 2014_12_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert deserve.org.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|deserve.org.uk"; distance:1; within:15; reference:md5,9d16352f292d86f40236afc7e06bce08; classtype:trojan-activity; sid:2019067; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Insomnia Shell Outbound CMD Banner"; flow:to_server,established; content:"Shell enroute......."; depth:20; content:"Microsoft Windows "; content:"Copyright |28|c|29| 20"; distance:0; content:"Microsoft Corp"; distance:0; reference:url,www.insomniasec.com/releases; classtype:trojan-activity; sid:2019900; rev:1; metadata:created_at 2014_12_09, updated_at 2014_12_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert worldbuy.biz"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.worldbuy.biz"; distance:1; within:17; reference:md5,57c73f511f3ed23df07e2c1b88e007ca; classtype:trojan-activity; sid:2019068; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp any any -> $HOME_NET 88 (msg:"ET EXPLOIT Possible PYKEK Priv Esc in-use"; flow:established,to_server; content:"|a4 11 18 0f|19700101000000Z|a5 11 18 0f|19700101000000Z|a6 11 18 0f|19700101000000Z"; content:"|a8 05 30 03 02 01 17|"; distance:8; within:7; threshold: type limit, track by_src, seconds 60, count 1; reference:url,github.com/bidord/pykek; reference:cve,CVE-2014-6324; classtype:attempted-admin; sid:2019897; rev:2; metadata:created_at 2014_12_09, updated_at 2014_12_09;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL DELETED wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"["; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:2101377; rev:18; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Payload (flowbits set)"; flow:established,to_server; urilen:>32; content:"/ABs"; http_uri; fast_pattern; depth:4; pcre:"/^\/ABs[A-Za-z0-9_]+(?:\/x?[a-f0-9]+(?:\x3b\d+)+)?$/U"; content:!"Referer"; http_header; flowbits:set,et.Nuclear.Payload; flowbits:noalert; classtype:exploit-kit; sid:2019872; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL DELETED wu-ftp bad file completion attempt with brace"; flow:to_server,established; content:"~"; content:"{"; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:2101378; rev:18; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Cridex CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 00 83 69 b1 31 15 7b|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|176.99.6.57"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019906; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NullHole EK Landing Aug 27 2014"; flow:established,to_client; file_data; content:"|28 36 39 33 37 34 31 29 2e 74 6f 53 74 72 69 6e 67 28 33 36 29 3b 77 69 6e 64 6f 77|"; classtype:exploit-kit; sid:2019071; rev:3; metadata:created_at 2014_08_27, former_category CURRENT_EVENTS, updated_at 2014_08_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Exploit Struct"; flow:established,to_server; urilen:>32; content:"/AwoVG"; http_uri; fast_pattern; depth:6; pcre:"/^\/AwoVG[A-Za-z0-9_]+$/U"; content:".html|0d 0a|"; http_header; flowbits:set,et.Nuclear.Exploit; flowbits:noalert; classtype:exploit-kit; sid:2019844; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing URI Struct"; flow:established,to_server; content:"/?PHPSSESID=njr"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2019072; rev:3; metadata:created_at 2014_08_27, former_category CURRENT_EVENTS, updated_at 2014_08_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malicious JS Leading to Fiesta EK"; flow:established,from_server; file_data; content:"xapLoad"; fast_pattern; content:"swfLoad"; content:"xapURL"; content:"swfURL"; content:"errURL"; content:"var id"; classtype:exploit-kit; sid:2019920; rev:2; metadata:created_at 2014_12_11, former_category CURRENT_EVENTS, updated_at 2014_12_11;)
 
-#alert tcp $HOME_NET 81 -> $EXTERNAL_NET any (msg:"ET DELETED Bifrose Response from victim"; flow:established,from_server; dsize:13; content:"|09 00 00 00 9a|"; depth:5; content:"|74|"; distance:7; within:8; reference:url,doc.emergingthreats.net/2009797; classtype:trojan-activity; sid:2009797; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Dalexis.A Possible SSL Cert (smartoptionsinc.com)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|05 11 32 08 1d 81|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0d|Synology Inc."; distance:1; within:14; reference:md5,ef2f9909c76d32b51598c54d5685af7e; classtype:trojan-activity; sid:2019923; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Attack Tool Morfeus F Scanner - M"; flow:established,to_server; content:"M Fucking Scanner"; http_user_agent; nocase; reference:url,www.webmasterworld.com/search_engine_spiders/3227720.htm; reference:url,doc.emergingthreats.net/2003466; classtype:web-application-attack; sid:2009799; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Dalexis.A Possible SSL Cert (ppc.cba.pl)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|11 00 81 3d 59 00 8d f2 04 04 8c 3a d3 d0 8e 36 d4 2a|"; distance:9; within:40; content:"|55 04 03|"; distance:0; content:"|06|cba.pl"; distance:1; within:7; reference:md5,ef2f9909c76d32b51598c54d5685af7e; classtype:trojan-activity; sid:2019924; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NullHole EK Landing Redirect Aug 27 2014"; flow:established,to_client; content:"Server|3a 20|CppCMS-Embedded/1.0.4|0d 0a|"; http_header; content:"302"; http_stat_code; content:"nhweb="; http_cookie; depth:6; classtype:exploit-kit; sid:2019073; rev:2; metadata:created_at 2014_08_27, former_category CURRENT_EVENTS, updated_at 2014_08_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Dalexis.A Possible SSL Cert (cargol.cat)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 a7 5c ad 38 d2 d7 fe|"; distance:9; within:30; content:"|55 04 0a|"; distance:0; content:"|13|Tirabol Produccions"; distance:1; within:20; reference:md5,ef2f9909c76d32b51598c54d5685af7e; classtype:trojan-activity; sid:2019925; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert paydaypedro.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|11|paydaypedro.co.uk"; distance:1; within:18; reference:md5,39877be17bd3435f275fc54577beaa6e; classtype:trojan-activity; sid:2019075; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE HawkEye Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| HawkEye Keylogger"; nocase; reference:md5,3bbd5ae250b2d912a701f8d74d85353b; classtype:trojan-activity; sid:2019926; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert chatso.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|chatso.com"; distance:1; within:11; reference:md5,ef88df67a0bcb872143543ebad0ba91d; classtype:trojan-activity; sid:2019076; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Beastdoor Keylogger Report via SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a 20|Keylogger"; content:"Victim IP-"; reference:md5,ad99a0a85e1410559030464aac390969; classtype:trojan-activity; sid:2019927; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sinowal/Torpig Checkin"; flow:to_server,established; content:"GET"; http_method; content:"idcomp="; http_uri; content:"MyValue="; http_uri; content:"&load1="; http_uri; content:"&hist=downloaded_user_"; http_uri; pcre:"/MyValue=[a-f0-9]{32}/Ui"; reference:url,doc.emergingthreats.net/2010267; classtype:command-and-control; sid:2010267; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Probable Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a 20|Keylogger"; classtype:trojan-activity; sid:2019928; rev:2; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.SillyFDC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php"; nocase; http_uri; content:"getowner=1&uniqueid="; http_uri; content:"User-Agent|3a| WinHttp.WinHttpRequest"; http_header; reference:url,doc.emergingthreats.net/2010268; classtype:command-and-control; sid:2010268; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Net Crawler SMB Share Access unicode (Operation Cleaver)"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; byte_test:1,!&,0x80,6,relative; content:"|00|_|00|A|00|u|00|t|00|o|00|S|00|h|00|a|00|r|00|e|00|$"; distance:0; reference:md5,8994e16b14cde144a9cebdff685d8676; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019929; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache mod_perl Apache Status and Apache2 Status Cross Site Scripting Attempt"; flow:established,to_server; content:"|2F|APR|3A 3A|SockAddr|3A 3A|port|2F|"; http_uri; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/34383/info; reference:cve,2009-0796; reference:url,doc.emergingthreats.net/2010281; classtype:attempted-user; sid:2010281; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Net Crawler SMB Share Access ascii (Operation Cleaver)"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; byte_test:1,&,0x80,6,relative; content:"_AutoShare$"; distance:0; reference:md5,8994e16b14cde144a9cebdff685d8676; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019930; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Clod/Sereki Communication with C&C"; flow:established,to_server; content:".php?id="; http_uri; nocase; content:"&cnt="; http_uri; nocase; pcre:"/\.php\?id=\d+_[0-9a-f]{8}-[0-9a-f]+-[0-9a-f]{8}&cnt=/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:url,doc.emergingthreats.net/2010289; reference:md5,bbb6ac2181dbbe15efd13c294cb991fa; reference:md5,3c39bfc78fcf3fe805c7472296bf6319; classtype:trojan-activity; sid:2010289; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Trojan/Win32.Espy Report via SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"SUBJECT|3a| I Q - S P Y KeyLogger ["; content:"victim computer name"; reference:md5,1a9a06b11aa537734931f8098bae6b00; classtype:trojan-activity; sid:2019932; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Clod/Sereki Checkin with C&C (noalert)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/chck.dat"; fast_pattern; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; flowbits:set,ET.clod1; flowbits:noalert; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:url,doc.emergingthreats.net/2010290; reference:md5,bbb6ac2181dbbe15efd13c294cb991fa; reference:md5,3c39bfc78fcf3fe805c7472296bf6319; classtype:trojan-activity; sid:2010290; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Statblaster Code Download"; flow: to_server,established; content:"/updatestats/"; nocase; http_uri; content:".exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001524; classtype:policy-violation; sid:2001524; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Clod/Sereki Checkin Response"; flow:established,from_server; content:"|0d 0a 0d 0a|!chckOK!"; nocase; flowbits:isset,ET.clod1; reference:url,doc.emergingthreats.net/2010291; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:md5,bbb6ac2181dbbe15efd13c294cb991fa; reference:md5,3c39bfc78fcf3fe805c7472296bf6319; classtype:trojan-activity; sid:2010291; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query SoakSoak Malware"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|soaksoak|02|ru|00|"; fast_pattern; nocase; distance:0; reference:url,blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html; classtype:trojan-activity; sid:2019940; rev:1; metadata:created_at 2014_12_16, updated_at 2014_12_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN pangolin SQL injection tool"; flow:established,to_server; content:"pangolin"; http_user_agent; reference:url,www.lifedork.net/pangolin-best-sql-injection-tool.html; classtype:web-application-activity; sid:2010343; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 10001 (msg:"ET MALWARE Win32.Bumrat.B Checkin"; flow:established,to_server; dsize:19; content:"|0f 00 00 00|"; depth:4; content:"mconfig_10"; reference:md5,647edeb30a04eeb30b7f8921645c7369; classtype:command-and-control; sid:2019941; rev:1; metadata:created_at 2014_12_16, former_category MALWARE, updated_at 2014_12_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER RFI Scanner Success (Fx29ID)"; flow:established,from_server; content:"FeeLCoMzFeeLCoMz"; reference:url,doc.emergingthreats.net/2010463; reference:url,opinion.josepino.com/php/howto_website_hack1; classtype:successful-user; sid:2010463; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Bedep Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"Content-Length|3a 20|2"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; pcre:"/^Content-Length\x3a 2\d{2}\r?$/Hmi"; flowbits:set,ET.Trojan.Bedep; classtype:trojan-activity; sid:2019949; rev:2; metadata:created_at 2014_12_16, updated_at 2014_12_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Non-Escaping backslash in User-Agent Outbound"; flow:established,to_server; content:"|5C|"; http_user_agent; depth:200; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_user_agent; pcre:"/User-Agent\x3a.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]/Hi"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; classtype:bad-unknown; sid:2010721; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible ASPROX Download URI Struct June 19 2014"; flow:established, to_server; content:"GET"; http_method; content:".php?"; http_uri; fast_pattern:only; content:!"=aHR0cD"; http_uri; content:"User-Agent|3a|"; http_header; content:!"|0d 0a|Referer|3a|"; http_header; pcre:"/\/[a-z]{2,9}\.php\?(?:[a-z0-9]{2,4}|[cktw])=[a-zA-Z0-9\x2b\x2f\x5c]{43,56}=?$/U"; classtype:trojan-activity; sid:2018589; rev:6; metadata:created_at 2014_06_20, updated_at 2014_06_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Non-Escaping backslash in User-Agent Inbound"; flow:established,to_server; content:"|5C|"; http_user_agent; depth:200; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_user_agent; pcre:"/User-Agent\:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]/Hi"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010722; classtype:bad-unknown; sid:2010722; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector Dec 16 2014 set"; flow:established,to_server; content:"GET"; http_method; urilen:27; content:".html"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/^\/[a-z]{10}\/[a-z]{10}\.html$/U"; flowbits:set,Upatre.Redirector; flowbits:noalert; classtype:trojan-activity; sid:2019953; rev:2; metadata:created_at 2014_12_16, former_category CURRENT_EVENTS, updated_at 2014_12_16;)
 
-#alert tcp [174.129.0.0/16,67.202.0.0/18,79.125.0.0/17,184.72.0.0/15,75.101.128.0/17,174.129.0.0/16,204.236.128.0/17] any -> $HOME_NET any (msg:"ET DELETED Incoming Connection Attempt From Amazon EC2 Cloud"; flow:to_server; flags:S,12; reference:url,doc.emergingthreats.net/2010815; classtype:misc-activity; sid:2010815; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Upatre Redirector Dec 16 2014"; flow:established,from_server; file_data; content:"PK|03 04|"; within:4; flowbits:isset,Upatre.Redirector; classtype:trojan-activity; sid:2019954; rev:2; metadata:created_at 2014_12_17, former_category CURRENT_EVENTS, updated_at 2014_12_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pragma hack Detected Outbound - Likely Infected Source"; flow:established,to_client; content:"Pragma|3a| hack/"; nocase; http_header; classtype:trojan-activity; sid:2010872; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SoakSoak Malware GET request"; flow:established,to_server; content:"GET"; http_method; content:"/xteas/code"; http_uri; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+soaksoak\.ru/Hmi"; pcre:"/^\/xteas\/code$/U"; reference:url,blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html; classtype:trojan-activity; sid:2019939; rev:3; metadata:created_at 2014_12_16, updated_at 2014_12_16;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Twitter Status Update"; flow:to_server,established; content:"POST"; http_method; content:"/status/update"; http_uri; content:"twitter.com"; nocase; content:"authenticity_token="; nocase; content:"status="; nocase; reference:url,twitter.com; reference:url,doc.emergingthreats.net/2010797; classtype:policy-violation; sid:2010797; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Page Sept 17 2014"; flow:established,from_server; file_data; content:"|41 63 74 69 76 65 58 4F 62 6A 65 63 74 28 22 4D 69 63 72 6F 73 22 2B 2F 2A|"; pcre:"/^[a-z0-9]+\x2A\x2F\x22\x6F\x66\x74\x2E/R"; classtype:exploit-kit; sid:2019193; rev:3; metadata:created_at 2014_09_18, former_category CURRENT_EVENTS, updated_at 2014_09_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"ET DELETED JoltID Agent Communicating TCP"; flow: to_server,established; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000901; classtype:trojan-activity; sid:2000901; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED IRC channel topic reptile commands"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"|3a|"; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; pcre:"/\.((testdlls|threads|netstatp|nsp|speed|uptime|installed|secure|sec|unsecure|unsec|process|ps|rand|exploitftpd|eftpd|flusharp|farp|flushdns|fdns|resolve|dns|pstore|pst|sysinfo|si|netinfo|ni|driveinfo|di|stats|currentip)\s*[\r\n]|(iestart|ies|login|l|mirccmd|system|file\s+(cat|exists|e|del|rm|rmdir|move|copy|attrib)|down|dl\x|update|reg\s+(query|delete|write))\s+\w+|(banner|ban|advscan|asc|scanall|sa|ntscan|nts)\s*[\n\r])/i"; reference:url,doc.emergingthreats.net/2002385; classtype:trojan-activity; sid:2002385; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any <> $EXTERNAL_NET 3531 (msg:"ET DELETED JoltID Agent Requesting File"; flow: established,to_server; content:"GIVE "; content:"User-Agent|3a|"; nocase; content:"PeerEnabler"; within:120; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001654; classtype:trojan-activity; sid:2001654; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c8 da 58 e3 bc 80 72 25|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019962; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET 3531 -> $EXTERNAL_NET 3531 (msg:"ET DELETED JoltID Agent Probing or Announcing UDP";  reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000900; classtype:trojan-activity; sid:2000900; rev:10; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/AGENT.NXNX checkin"; flow:established,to_server; content:"|24 5d 3b 30 2e 29 23 28 30 34 3b 14 1e 14 13 02 0a 54 55 59|"; reference:url,ahnlabasec.tistory.com/1007; classtype:command-and-control; sid:2019964; rev:1; metadata:created_at 2014_12_18, former_category MALWARE, updated_at 2014_12_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"ET DELETED JoltID Agent Keep-Alive"; flow: to_server,established; dsize: 1; content:"|4b|"; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001015; classtype:trojan-activity; sid:2001015; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Malicious Referer Bulk Traffic Sometimes Leading to EKs (Possible Bedep infection) Dec 16 2014"; flow:established,to_server; content:"rowedmedia.com/search.php"; http_header; fast_pattern:only; pcre:"/^Referer\x3a[^\r\n]+?rowedmedia\.com\/search\.php\r?$/Hmi"; threshold: type limit, track by_src, count 1, seconds 60; classtype:exploit-kit; sid:2019950; rev:3; metadata:created_at 2014_12_16, former_category CURRENT_EVENTS, updated_at 2014_12_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 fc 61 00 6b e6 e5 a0 17|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019079; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Upatre Download Redirection Dec 18 2014"; flow:established,from_server; file_data; content:"<br><meta http-equiv=|22|refresh|22| content=|22|0|3b| url="; pcre:"/^[^\x2f\x22]+?\x22>/R"; classtype:trojan-activity; sid:2019970; rev:2; metadata:created_at 2014_12_18, former_category CURRENT_EVENTS, updated_at 2014_12_18;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible DavTest WebDav Vulnerability Scanner Initial Check Detected"; flow:established,to_server; content:"PROPFIND "; depth:9; content:"D|3A|propfind xmlns|3A|D=|22|DAV|3A 22|><D|3A|allprop/></D|3A|propfind>"; distance:0; reference:url,www.darknet.org.uk/2010/04/davtest-webdav-vulerability-scanning-scanner-tool/; reference:url,code.google.com/p/davtest/; reference:url,doc.emergingthreats.net/2011088; classtype:attempted-recon; sid:2011088; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Archie EK T2 Activity Dec 18 2014"; flow:established,to_server; content:"/landing?action="; http_uri; fast_pattern:only; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r\n)/Hmi"; classtype:exploit-kit; sid:2019973; rev:2; metadata:created_at 2014_12_18, former_category CURRENT_EVENTS, updated_at 2014_12_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 9295 (msg:"ET DELETED Troxen GetSpeed Request"; flow:established,to_server; content:"GetSpeed |0d 0a|"; depth:11; reference:md5,af89d15930fe59dcb621069abc83cc66; reference:url,doc.emergingthreats.net/2011233; classtype:trojan-activity; sid:2011233; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Syrian.Slideshow Sending Information via SMTP"; flow:established,to_server; content:"Subject|3a 20|repo|0d 0a|"; content:"filename=|22|mxtd|22|"; reference:md5,f8bfb82aa92ea6a8e4e0b378781b3859; reference:url,citizenlab.org/2014/12/malware-attack-targeting-syrian-isis-critics; classtype:trojan-activity; sid:2019975; rev:1; metadata:created_at 2014_12_18, updated_at 2014_12_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED General Trojan FakeAV Downloader"; flow:established,to_server; content:".php?id="; http_uri; content:"&os="; http_uri; content:"&n="; http_uri; classtype:trojan-activity; sid:2011416; rev:6; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Teerac.A SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf ac 1a b8 3d 7f 11 16|"; within:35; content:"|55 04 03|"; distance:0; content:"|06|debian"; distance:1; within:7; reference:md5,194a931aa49583191eedd19478396ebc; classtype:trojan-activity; sid:2019918; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER TIEHTTP User-Agent"; flow:to_server,established; content:"User-Agent|3a| tiehttp"; nocase; reference:url,www.torry.net/authorsmore.php?id=4292; classtype:web-application-activity; sid:2011759; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dridex Distribution Campaign Dec 19 2014"; flow:established,to_server; content:"GET"; http_method; content:"stat/lldv"; http_uri; fast_pattern:only; content:".php"; offset:10; http_uri; pcre:"/\/s?stat\/lldvs?\.php$/U"; pcre:"/^Host\x3A[^\r\n]+?\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}(?:\x3a\d{1,5})?\r?$/Hmi"; reference:url,blog.dynamoo.com/2014/12/pl-remittance-details-ref844127rh.html; classtype:trojan-activity; sid:2019977; rev:3; metadata:created_at 2014_12_20, former_category CURRENT_EVENTS, updated_at 2014_12_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET MALWARE Avzhan DDOS Bot Inbound Hardcoded Malformed GET Request Denial Of Service Attack Detected"; flow:established,to_server; content:"GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm"; depth:49; nocase; threshold:type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; classtype:attempted-dos; sid:2011767; rev:4; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c9 8c 5b 96 3a e7 56 95|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019987; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED vb exploits / trojan vietshow"; flow:established,to_server; content:"GET"; http_method; content:"~vietshow/"; nocase; http_uri; classtype:bad-unknown; sid:2011897; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Wiper 2"; flow:established; content:"|c9 06 d9 96 fc 37 23 5a fe f9 40 ba 4c 94 14 98|"; depth:16; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019994; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan perflogger ~duydati/inst_PCvw.exe"; flow:established,to_server; content:"GET"; http_method; content:"~duydati/inst_PCvw.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011899; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 1"; flow:established; content:"|0c 1f 1f 1f 4d 5a 4c 4f 50 51 4c 5a 3f 2d 2f 2f 3f 50 54 3e 3e 3e|"; depth:22; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019995; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Phishing ~mbscom/moneybookers/app/login/login.html"; flow:established,to_server; content:"GET"; http_method; content:"~mbscom/moneybookers/app/login/login.html"; nocase; http_uri; classtype:bad-unknown; sid:2011902; rev:2; metadata:attack_target Client_Endpoint, created_at 2010_11_09, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 2"; flow:established; content:"|d3 c4 d2 d1 ce cf d2 c4 a1 b3 b1 b1 a1 ce ca a0 a0 a0|"; depth:18; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019996; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Hacked server to exploits ~rio1/admin/login.php"; flow:established,to_server; content:"GET"; http_method; content:"~rio1/admin/login.php"; nocase; http_uri; classtype:bad-unknown; sid:2011901; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
+#alert ip any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 3"; content:"|17 08 14 13 67 0f 13 13 17 67 15 02 16 12 02 14 13 78 47 47|"; depth:24; classtype:trojan-activity; sid:2019997; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED iframe Phoenix Exploit & ZBot vt073pd/photo.exe"; flow:established,to_server; content:"GET"; http_method; content:"vt073pd/photo.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011903; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
+#alert ip any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 4"; content:"|4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20 1f|"; depth:23; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019998; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED trojan renos Flash.HD.exe"; flow:established,to_server; content:"GET"; http_method; content:"Flash.HD.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011909; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
+#alert ip any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 5"; content:"|15 02 14 17 08 09 14 02 67 75 77 77 67 08 0c 66 66 66|"; depth:22; classtype:trojan-activity; sid:2019999; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED fast flux rogue antivirus download.php?id=2004"; flow:established,to_server; content:"GET"; http_method; nocase; content:"download.php?id=2004"; nocase; http_uri; classtype:bad-unknown; sid:2011904; rev:3; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 8"; flow:established; content:"|43 47 47 47 45 67 47 47 43 47 47 47 44 67 47 47|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020002; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SEO/Malvertising Executable Landing exe2.php"; flow:established,to_server; uricontent:"/exe2.php?wm_id=acc"; classtype:trojan-activity; sid:2011916; rev:3; metadata:created_at 2010_11_10, updated_at 2019_08_22;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 9"; flow:established; content:"|43 47 47 47 42 67 47 47 43 47 47 47 4f 67 47 47 43 47 47 47 43 67 47 47 43 47 47 47 4e 67 47 47|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020003; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FAKEAV Gemini - packupdate*.exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=packupdate";  classtype:trojan-activity; sid:2011919; rev:4; metadata:created_at 2010_11_10, updated_at 2020_08_20;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 10"; flow:established; content:"|d1 ce d2 d5 a1 c9 d5 d5 d1 a1 d3 c4 d0 d4 c4 d2 d5 be|"; depth:18; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020004; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Exploited By SMB/JavaWebStart"; flow:established,to_server; content:"loadsmb.php"; http_uri; classtype:trojan-activity; sid:2011951; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 11"; flow:established; content:"|17 08 14 13 67 0f 13 13 17 67 15 02 16 12 02 14 13 78|"; depth:18; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020005; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Exploited By PDF"; flow:established,to_server; content:"loadlibtiff.php"; http_uri; classtype:trojan-activity; sid:2011952; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 12"; flow:established; content:"|0c 1f 1f 1f 4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020006; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY SEO Obfuscated JavaScript srctable"; flow:established,to_client; content:"var srctable=|27|"; depth:14; classtype:bad-unknown; sid:2011959; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 3"; flow:established; content:"|4c 4c|"; depth:2; offset:16; content:"|75 14 2a 2a|"; distance:4; within:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020009; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY SEO Obfuscated JavaScript desttable"; flow:established,to_client; content:"var desttable=|27|"; depth:15; classtype:bad-unknown; sid:2011958; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp any [547,8080,133,117,189,159] -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 7"; flow:established,from_server; content:"|7b 08 2a 2a|"; offset:17; content:"|08 2a 2a 01 00|"; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020013; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious loadpeers.php"; flow:established,to_server; content:"loadpeers.php"; http_uri; classtype:bad-unknown; sid:2011956; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Proxy Tool 2"; flow:established; content:!"HTTP/1"; content:"|e2 1d 49 49|"; depth:4; fast_pattern; content:"|49 49 49 49|"; distance:4; within:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020018; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious lib.pdf"; flow:established,to_server; content:"/files/lib.pdf"; http_uri; classtype:bad-unknown; sid:2011955; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp any any -> any [8000,8080] (msg:"ET MALWARE US-CERT TA14-353A WIPER4"; flow:established,to_server; dsize:42; content:"|28 00|"; depth:2; content:"|04 00 00 00|"; offset:38; depth:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020020; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious loadjjar.php"; flow:established,to_server; content:"loadjjar.php"; http_uri; classtype:bad-unknown; sid:2011954; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Operation Poisoned Helmand jar download"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"jre7u61windows/x86/Update.class"; reference:url,threatconnect.com/news/operation-poisoned-helmand/; classtype:trojan-activity; sid:2020021; rev:2; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious jjar.jar"; flow:established,to_server; content:"/files/jjar.jar"; http_uri; classtype:bad-unknown; sid:2011953; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE US-CERT TA14-353A Network Propagation Wiper"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"taskhost"; content:".exe"; distance:2; within:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020023; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tcp $HOME_NET any -> 212.26.42.47 9090 (msg:"ET DELETED ProFTPD Backdoor outbound Request Sent"; flow:established,to_server; content:"GET /AB"; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url,sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; classtype:trojan-activity; sid:2011993; rev:2; metadata:created_at 2010_12_02, updated_at 2010_12_02;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT TCP Checkin 2"; flow:established,to_server; dsize:27; content:"bestpobeda"; depth:10; pcre:"/^[a-f0-9]+$/R"; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020025; rev:2; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2014_12_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Spy.YEK MAC and IP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Disposition|3A| form-data|3B| name=|22|MAC|22|"; http_header; nocase; content:"Content-Disposition|3A| form-data|3B| name=|22|IP|22|"; nocase; http_header; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20101115; classtype:trojan-activity; sid:2011999; rev:7; metadata:created_at 2010_12_07, updated_at 2010_12_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT TCP Keep-Alive"; flow:established,to_server; dsize:24; content:"|09 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00|"; depth:20; threshold:type both, track by_src, count 1, seconds 120; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020026; rev:2; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2014_12_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware Tools Update OS Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"exec|3A|"; nocase; content:"args|3A|"; nocase; distance:0; content:"UpgradeTools_Task"; distance:0; reference:url,www.exploit-db.com/exploits/15717/; reference:cve,2010-4297; classtype:attempted-admin; sid:2012045; rev:5; metadata:created_at 2010_12_11, updated_at 2010_12_11;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Trojan.Nurjax SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|www.njaxjs.me"; distance:1; within:14; classtype:trojan-activity; sid:2020033; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_23, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Successful DD-WRT Information Disclosure"; flowbits:isset,et.ddwrt.infodis; flow:established,from_server; content:"lan_mac|3A 3A|"; content:"wlan_mac|3A 3A|"; distance:0; content:"lan_ip|3A 3A|"; distance:0; content:"mem_info|3A 3A|"; distance:0; reference:url,www.exploit-db.com/exploits/15842/; classtype:successful-recon-limited; sid:2012117; rev:3; metadata:created_at 2010_12_30, updated_at 2010_12_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6332 Arrays with Offset Dec 23"; flow:established,from_server; file_data; content:"For i=LBound("; pcre:"/^\s*?(?P<v1>[^\x29\s]+)\s*?\x29\s*?To Ubound\x28(?P=v1)\s*?\x29\s*?(?:dim\s*?)?(?P<v2>[^\s\x3d]+)\s*?\x3d\s*?(?P=v2)\+Cstr\x28\s*?Chr\x28(?P=v1)\x28i\x29[\+\-]\d+\x29\x29.+?Execute\s*?(?P=v2)/Rsi"; reference:md5,d2d3c212f430bff2b5f075fa083de047; reference:cve,2014-6332; classtype:trojan-activity; sid:2020067; rev:3; metadata:created_at 2014_12_24, former_category CURRENT_EVENTS, updated_at 2014_12_24;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Adobe Reader 9.4 doc.printSeps Memory Corruption Attempt"; flow:established,to_client; content:"%PDF-"; nocase; depth:300; content:"doc.printSeps"; nocase; distance:0; reference:bid,44638; reference:cve,2010-4091; classtype:attempted-user; sid:2012156; rev:2; metadata:created_at 2011_01_06, updated_at 2011_01_06;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS query for known Anunak APT Domain (ddnservice11.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|ddnservice11|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020073; rev:1; metadata:created_at 2014_12_29, updated_at 2014_12_29;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED Post Express Inbound SPAM (possible Spyeye)"; flow:established,to_server; content:"Content-Disposition|3A|attachment|3b|"; nocase; content:"filename=|22|Post_Express_Label_"; nocase; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012275; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS query for known Anunak APT Domain (financialnewsonline.pw)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|financialnewsonline|02|pw|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020074; rev:1; metadata:created_at 2014_12_29, updated_at 2014_12_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential Trojan dropper Wlock.A (AS1680)"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/pornoplayer.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=pworldxxx.info; classtype:trojan-activity; sid:2012301; rev:4; metadata:created_at 2011_02_07, updated_at 2011_02_07;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d7 5e db d7 9c 6d e0 4f|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020079; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Fast Flux Trojan Rogue Antivirus"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/SecurIns_194.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=microantivirus5.com; classtype:bad-unknown; sid:2012332; rev:3; metadata:created_at 2011_02_22, updated_at 2011_02_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 9090 (msg:"ET MALWARE Win32.Akdoor Reporting MAC Address"; flow:to_server,established; dsize:20; content:"|01 00 00 00 0c 00 00 00|"; fast_pattern; pcre:"/^[0-9A-F]{12}$/R"; reference:md5,f5ba42117dd02f50b12542131dcd8b5f; classtype:trojan-activity; sid:2020081; rev:1; metadata:created_at 2014_12_29, updated_at 2014_12_29;)
 
-#alert http $HOME_NET any -> 184.105.245.17 8080 (msg:"ET DELETED DroidDream Android Trojan info upload"; flow:to_server,established; content:"/GMServer/GMServlet"; http_uri; reference:url,androguard.blogspot.com/2011/03/droiddream.html; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=79&blogId=1; reference:url,blog.mylookout.com/2011/03/android-malware-droiddream-how-it-works/; reference:url,countermeasures.trendmicro.eu/google-android-rooted-backdoored-infected/; classtype:trojan-activity; sid:2012410; rev:3; metadata:created_at 2011_03_03, updated_at 2011_03_03;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0d|tdmodsecur.pw"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020075; rev:3; metadata:attack_target Client_and_Server, created_at 2014_12_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Fast Flux Rogue Antivirus"; flow:established,to_server; content:"GET"; nocase; http_method; content:"download/Setup_2004.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=spyremover-k3.com; classtype:trojan-activity; sid:2012447; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.Win32.Ngrbot.lof Join IRC channel"; flow:to_server,established; content:"NICK New|7B|"; nocase; pcre:"/^\S{2,3}\x2d(XP|2K3|VIS|2K8|W7|ERR)\w?\x2d\w+?\x7D\w+?\r\n?/Ri"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32/Dorkbot.AR; reference:md5,dd05fcd2368d8d410a5b85e8d504a435; classtype:trojan-activity; sid:2016849; rev:3; metadata:created_at 2013_05_14, updated_at 2013_05_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android Trojan HongTouTou Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/index.aspx?im="; http_uri; nocase; content:"|0d 0a|User-Agent|3a| Apache-HttpClient"; http_header; reference:url,blog.netqin.com/en/?p=451; classtype:trojan-activity; sid:2012450; rev:4; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
+#alert udp any any -> 1.1.1.0 80 (msg:"ET MALWARE TROJ_WHAIM.A message"; content:"|57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 00|"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2020069; rev:3; metadata:created_at 2014_12_26, updated_at 2014_12_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Zbot Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/games/pdf"; nocase; http_uri; content:"php?f=7"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=poleoa.net; classtype:trojan-activity; sid:2012538; rev:3; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft CScript Banner Outbound"; flow:established; content:"Windows Script Host Version"; content:"Copyright |28|C|29|"; distance:0; content:"Microsoft Corp"; distance:0; classtype:successful-admin; sid:2020085; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Rogue Antivirus"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/installer.0042.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=umbralinversiones.com; classtype:trojan-activity; sid:2012539; rev:3; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft WMIC Prompt Outbound"; flow:established; content:"wmic|3a|root|5c|cli>"; classtype:successful-admin; sid:2020086; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Win32 Backdoor Poison"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/salvando-usb.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=arteencueros.com; classtype:trojan-activity; sid:2012540; rev:3; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Netsh Firewall Disable Output Outbound"; flow:established; content:"netsh firewall|22| is deprecated|3b|"; content:"use |22|netsh advfirewall"; distance:0; content:"Ok."; distance:0; classtype:successful-admin; sid:2020087; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/CazinoSilver Download VegasVIP_setup.exe"; flow:established,to_server; content:"/VegasVIP_setup.exe"; nocase; http_uri; reference:url,ddanchev.blogspot.com/2011/04/dont-play-poker-on-infected-table-part.html; classtype:trojan-activity; sid:2012685; rev:3; metadata:created_at 2011_04_12, updated_at 2011_04_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SysInternals sc.exe Output Outbound"; flow:established; content:"SERVICE_NAME|3a|"; content:"TYPE"; distance:0; content:"SERVICE_EXIT_CODE"; distance:0; classtype:successful-admin; sid:2020088; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows arp -a Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Interface|3a|"; content:"--- 0x"; distance:0; content:"Internet Address"; content:"Physical Address"; fast_pattern; distance:0; content:"Type"; content:"dynamic"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019080; rev:1; metadata:created_at 2014_08_28, updated_at 2014_08_28;)
+alert http any any -> any any (msg:"ET WEB_SERVER ATTACKER WebShell - 1337w0rm - Landing Page"; flow:established,to_client; file_data; content:"cPanel Cracker"; classtype:trojan-activity; sid:2020096; rev:3; metadata:created_at 2015_01_06, updated_at 2015_01_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows set Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"ALLUSERSPROFILE="; fast_pattern; content:"APPDATA="; distance:0; content:"CLIENTNAME="; content:"CommonProgramFiles="; distance:0; content:"COMPUTERNAME="; content:"ComSpec="; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019081; rev:1; metadata:created_at 2014_08_28, updated_at 2014_08_28;)
+alert http any any -> any [$HTTP_PORTS,7547] (msg:"ET EXPLOIT Possible Misfortune Cookie - SET"; flow:established,to_server; content:"Cookie|3a| C"; nocase; pcre:"/^[0-9][^=]/R"; flowbits:set,ET.Misfortune_Cookie; flowbits:noalert; reference:url,mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf; classtype:trojan-activity; sid:2020100; rev:2; metadata:created_at 2015_01_06, updated_at 2015_01_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SSL MiTM Vulnerable or EOL iOS 3.x device"; flow:established,to_server; content:"Mozilla/5.0 |28|iP"; http_header; content:" OS 3_"; http_header; distance:0; threshold: type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; reference:url,github.com/jan0/isslfix; reference:cve,CVE-2011-0228; classtype:not-suspicious; sid:2013406; rev:6; metadata:created_at 2011_08_12, updated_at 2011_08_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit 2"; flow:established,to_client; file_data; content:"execCommand"; nocase; content:"YMjf"; content:"u0c08"; distance:1; within:6; content:"u0c0cKDog"; distance:1; within:10; fast_pattern; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2020099; rev:8; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, created_at 2015_01_06, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Web_Client_Attacks, tag Metasploit, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SSL MiTM Vulnerable or EOL iOS 4.x device"; flow:established,to_server; content:"Mozilla/5.0 (iP"; http_header; content:" OS 4_"; http_header; distance:0; pcre:"/OS 4_[0-3]_[1-4] like/H"; threshold: type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; reference:url,github.com/jan0/isslfix; reference:cve,CVE-2011-0228; classtype:not-suspicious; sid:2013407; rev:6; metadata:created_at 2011_08_12, updated_at 2011_08_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fd 0c f3 42 0f 46 07 68|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|xx"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020104; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential Blackhole Exploit Pack landing"; flow:established,to_server; content:".php?f="; http_uri; content:!"Cookie|3a|"; http_header; pcre:"/\.php\?f=\d+$/U"; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; classtype:bad-unknown; sid:2012688; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_04_15, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 86 c7 7d 23 ec c3 18 fb|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020149; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert ip $HOME_NET any -> 83.236.140.90 any (msg:"ET DELETED Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-2"; threshold:type limit, track by_dst, count 1, seconds 60; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; reference:url,www.f-secure.com/weblog/archives/00002249.html; reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; reference:url,www.ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013754; rev:5; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
+alert tcp $EXTERNAL_NET 9000:10000 -> $HOME_NET any (msg:"ET MALWARE Win32/Recslurp.D C2 Response"; flow:established,from_server; flowbits:isset,ET.Reslurp.D.Client; content:"|e8 03 00 00|"; depth:4; reference:md5,fcf364abd9c82d89f8d0b4b091276b41; classtype:command-and-control; sid:2020155; rev:2; metadata:created_at 2015_01_08, former_category MALWARE, updated_at 2015_01_08;)
 
-#alert ip 83.236.140.90 any -> $HOME_NET any (msg:"ET DELETED Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-2"; threshold:type limit, track by_src, count 1, seconds 60; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; reference:url,www.f-secure.com/weblog/archives/00002249.html; reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; reference:url,www.ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013753; rev:5; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/DDoS.M distributed via CVE-2014-6271 Checkin"; flow:established,to_server; content:"BUILD "; depth:6; pcre:"/^(?:MIPS(?:EL)?|POWERPC|ARM|X86)\x0a$/R"; flowbits:set,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; classtype:command-and-control; sid:2019242; rev:2; metadata:created_at 2014_09_26, former_category MALWARE, updated_at 2014_09_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED AirOS .css Worm Outbound Propagation Sweep"; flow:established,to_server; content:"/admin.cgi/.gif"; http_uri; pcre:"/Host\x3a ([0-9]{1,3}\.){3}[0-9]{1,3}/H"; reference:url,seclists.org/fulldisclosure/2011/Dec/419; reference:url,www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/; classtype:trojan-activity; sid:2014041; rev:6; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M JUNK command"; flow:established,to_client ; content:"JUNK "; depth:5; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020162; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED AirOS admin.cgi/css Exploit Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/etc/persistent/.skynet/install&action=cli"; http_uri; reference:url,seclists.org/fulldisclosure/2011/Dec/419; reference:url,www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/; classtype:trojan-activity; sid:2014042; rev:5; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M GETLOCALIP command"; flow:established,to_client ; content:"GETLOCALIP "; depth:11; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020163; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Syrian Malware Checkin"; flow:established,to_server; content:"|2f|j|7c|n|5c|"; offset:2; depth:5; content:"[endof]"; fast_pattern; distance:0; reference:url,fireeye.com/blog/technical/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html; reference:md5,a8cf815c3800202d448d035300985dc7; classtype:command-and-control; sid:2019084; rev:1; metadata:created_at 2014_08_29, former_category MALWARE, updated_at 2014_08_29;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M SCANNER command"; flow:established,to_client ; content:"SCANNER "; depth:8; pcre:"/^(?:ON|OFF)/R"; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020164; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert dineshuthayakumar.in"; flow:established,from_server; content:"|55 04 03|"; content:"|14|dineshuthayakumar.in"; distance:1; within:21; reference:md5,0c96fd25ec4139063ac7d83511835d20; classtype:trojan-activity; sid:2019034; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M KILLATTK command"; flow:established,to_client ; content:"KILLATTK "; depth:9; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020165; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.SWF; content:"Content-Disposition|3a|"; http_header; content:".swf"; http_header; content:"X-Powered-By|3a|"; http_header; pcre:"/^Content-Disposition\x3a[^\r\n]+\.swf/Hm"; content:"ZWS"; classtype:exploit-kit; sid:2018362; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_04, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M LOLNOGTFO command"; flow:established,to_client ; content:"LOLNOGTFO "; depth:10; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020166; rev:2; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tor based locker Ransom Page"; flow:established,to_server; content:"/buy.php?"; http_uri; content:"iet7v4dciocgxhdv."; nocase; fast_pattern; http_header; classtype:trojan-activity; sid:2018873; rev:3; metadata:created_at 2014_08_01, updated_at 2014_08_01;)
+alert tcp any any -> any 1024: (msg:"ET MALWARE Linux/DDoS.M Admin console status"; flow:established,to_client ; content:"|1b 5d 30 3b|Bots connected|3a 20|"; content:"|7c 20|Clients connected|3a 20|"; distance:0; threshold: type both, count 1, seconds 10, track by_src; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020167; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks"; flow:from_server,established; file_data; content:"scanbox.crypt._utf8_encode"; classtype:trojan-activity; sid:2019093; rev:3; metadata:created_at 2014_08_30, updated_at 2014_08_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)"; flow:established,from_server; flowbits:isset,et.MCOFF; file_data; content:"_|00|V|00|B|00|A|00|_|00|P|00|R|00|O|00|J|00|E|00|C|00|T|00|"; nocase; flowbits:set,et.DocVBAProject; classtype:bad-unknown; sid:2019837; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks (POST) PluginData"; flow:to_server,established; content:"POST"; http_method; content:"pluginid="; http_client_body; fast_pattern:only; content:"projectid="; http_client_body; content:"seed="; http_client_body; content:"data="; http_client_body; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019095; rev:3; metadata:created_at 2014_08_30, updated_at 2014_08_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"ET MALWARE Hong Kong SWC Attack PcClient CnC Beacon"; flow:established,to_server; content:"|BB 4E 4E BC BC BC 7E 7E|"; nocase; offset:160; depth:8; reference:url,blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html; classtype:command-and-control; sid:2020169; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_01_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks KeepAlive"; flow:to_server,established; content:"GET"; http_method; content:".php?seed="; http_uri; fast_pattern:only; content:"&alivetime="; http_uri; content:"&r="; http_uri; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019096; rev:3; metadata:created_at 2014_08_30, updated_at 2014_08_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Office Doc with Embedded VBA containing Reverse Meterpreter Shell"; flow:established,from_server; flowbits:isset,et.DocVBAProject; file_data; content:"windows/meterpreter/reverse_"; nocase; reference:url,github.com/enigma0x3/Generate-Macro/blob/master/Generate-Macro.ps1; classtype:trojan-activity; sid:2020170; rev:2; metadata:created_at 2015_01_13, former_category MALWARE, updated_at 2015_01_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Sending Plugin-Detect Data"; flow:to_server,established; content:"dump="; http_client_body; depth:5; content:"%7C"; http_client_body; distance:0; content:"%7C"; http_client_body; distance:0; content:"%7C"; http_client_body; distance:0; content:"&ua="; http_client_body; distance:0; content:"&ref="; http_client_body; distance:0; classtype:exploit-kit; sid:2019098; rev:2; metadata:created_at 2014_08_30, former_category CURRENT_EVENTS, updated_at 2014_08_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Try Prototype Catch May 11 2012"; flow:from_server,established; file_data; content:"|3b|try{prototype|3b|}catch("; content:"){"; within:6; classtype:trojan-activity; sid:2014745; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_12, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Archie/Metasploit SilverLight Exploit"; flow:from_server,established; file_data; content:"SilverApp1.dllPK"; classtype:exploit-kit; sid:2019099; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2014_08_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category EXPLOIT_KIT, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Eval Variable Obfuscation 3"; flow:established,to_client; file_data; content:"=|22|eva|22 3B|"; content:"+|22|l|22|"; distance:0; pcre:"/\x2B\x22l\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015027; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp any any -> any any (msg:"ET SCAN Malformed Packet SYN FIN"; flags:SF; classtype:bad-unknown; sid:2011367; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Upatre Firefox/Chrome Redirector Receiving Payload Jan 9 2015"; flow:established,from_server; file_data; content:"UEsDB"; content:"var"; pcre:"/^\s*?\w+\s*?=\s*?[\x22\x27]UEsDB/R"; flowbits:isset,ET.Upatre.Redirector; classtype:trojan-activity; sid:2020161; rev:3; metadata:created_at 2015_01_09, former_category CURRENT_EVENTS, updated_at 2015_01_09;)
 
-#alert tcp any any -> any any (msg:"ET SCAN Malformed Packet SYN RST"; flags:SR; classtype:bad-unknown; sid:2011368; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Bedep Checkin Response"; flow:established,from_server; content:"Content-Type|3a 20|text/html|0d 0a|"; http_header; content:"Content-Length|3a| 108|0d 0a|"; http_header; fast_pattern:only; content:!"Keep-Alive|3a 20|"; http_header; file_data; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; classtype:trojan-activity; sid:2019952; rev:5; metadata:created_at 2014_12_16, updated_at 2014_12_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PeopleOnPage Install"; flow: to_server,established; content:"/install/pop"; nocase; http_uri; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001445; classtype:policy-violation; sid:2001445; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 7d f1 a1 50 bc 27 18|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020187; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Outbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007634; classtype:trojan-activity; sid:2007634; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ChinaZ DDoS Bot Checkin"; flow:established,to_server; content:"|00 00 00 00|"; depth:4; content:!"|00|"; within:1; content:"MHz|00|"; distance:0; content:"|20 2a 20|"; distance:-12; within:5; pcre:"/^\d+MHz\x00/R"; content:"|20|MB|00|"; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3682; classtype:command-and-control; sid:2020188; rev:1; metadata:created_at 2015_01_15, former_category MALWARE, updated_at 2015_01_15;)
 
-#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Inbound - Likely Connect Ack"; dsize:2; threshold: type threshold, count 10, seconds 60, track by_dst; reference:url,doc.emergingthreats.net/2007635; classtype:trojan-activity; sid:2007635; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9d 36 ff 20 e3 b5 4d 15|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020196; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Inbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_dst; reference:url,doc.emergingthreats.net/2007636; classtype:trojan-activity; sid:2007636; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Dalexis Serial Number in SSL Cert"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 d7 f0 71 9c ed 67 99 74|"; within:35; fast_pattern; reference:md5,a01fdd1585dc5c8b4e09536eede5e6d4; classtype:trojan-activity; sid:2020208; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_01_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Outbound - Likely Connect Ack"; dsize:2; threshold: type threshold, count 10, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007637; classtype:trojan-activity; sid:2007637; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Win32.ChinaZ.DDoSClient Checkin"; flow:established,to_server; content:"Windows "; depth:8; content:"|20|MHZ|00|"; fast_pattern; distance:0; content:"|00|Win"; distance:0; content:"|00|"; distance:2; within:2; reference:md5,8643a44febdf73159b2d5c437dc40cd3; classtype:command-and-control; sid:2020209; rev:2; metadata:created_at 2015_01_20, former_category MALWARE, updated_at 2015_01_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Redirect Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"gate.php"; http_uri; fast_pattern:only; content:".swf/[[DYNAMIC]]/1"; http_header; classtype:exploit-kit; sid:2019005; rev:3; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (URLzone CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b9 84 73 78 53 8f 36 69|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020216; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, malware_family URLZone, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2018_04_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Redirect Sept 01 2014"; flow:established,to_server; content:".php"; http_uri; pcre:"/\.php$/U"; content:".php/[[DYNAMIC]]/"; http_header; pcre:"/Referer\x3a[^\r\n]+\.php\/\[\[DYNAMIC\]\]\/\d/Hm"; classtype:exploit-kit; sid:2019100; rev:3; metadata:created_at 2014_09_02, former_category CURRENT_EVENTS, updated_at 2014_09_02;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 91 eb 37 30 e6 41 f6|"; within:35; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|CN"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|02|ST"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020217; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 4899 (msg:"ET POLICY Radmin Remote Control Session Setup Initiate OUTBOUND"; flow:to_server,established; dsize:10; content:"|01 00 00 00 01 00 00 00 08 08|"; depth:10; classtype:policy-violation; sid:2019101; rev:2; metadata:created_at 2014_09_02, updated_at 2014_09_02;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e b5 fa 1e d4 7a 9e 36|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020218; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED WindowsEnterpriseSuite FakeAV Dynamic User-Agent"; flow:established,to_server; content:"User-Agent|3a| We"; content:!"User-Agent|3a| Webmin|0d 0a|"; http_header; pcre:"/User-Agent\x3a We[a-z0-9]{4}\x0d\x0a/H"; reference:url,doc.emergingthreats.net/2010262; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; classtype:trojan-activity; sid:2010262; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f3 1c c2 15 72 83 e3 79|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020219; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Possible SSDP Amplification Scan in Progress"; content:"M-SEARCH * HTTP/1.1"; content:"ST|3a 20|ssdp|3a|all|0d 0a|"; nocase; distance:0; fast_pattern; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/29/weekly-metasploit-update; classtype:attempted-dos; sid:2019102; rev:1; metadata:created_at 2014_09_03, updated_at 2014_09_03;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ae 79 0b f9 9e bd 14 a1|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020220; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 3 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9c c5 8b 5d c7 8a 96 b7|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,0d5ad9759753cb4639cd405eddbe2a16; classtype:trojan-activity; sid:2019104; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nitol.A Checkin 2"; flow:from_client,established; dsize:260; content:"MB|00 00|"; content:"Windows|20|"; distance:0; content:"V1.0|00 00|"; offset:180; fast_pattern; reference:md5,b9096b87cf643c5f86789d995e9e773d; classtype:command-and-control; sid:2020222; rev:1; metadata:created_at 2015_01_21, former_category MALWARE, updated_at 2015_01_21;)
 
-#alert tls 66.147.244.132 any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert bluehost.com Aug 27 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0e 2a 2e|bluehost.com"; distance:1; within:15; reference:md5,19bb8e0b16c14194862d0750916ce338; classtype:trojan-activity; sid:2019105; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (10)"; flow:established,to_client; file_data; content:"|0b c7 6a 1e 7c c2 43 ea|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020227; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ed 7a 4e 2c 6d 48 5c a6|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019106; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Webbuying.net Spyware Install User-Agent 2 (wb v1.6.4)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; http_header; content:"wb v"; http_user_agent; fast_pattern; reference:url,doc.emergingthreats.net/2003449; classtype:pup-activity; sid:2003449; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 c6 af 2f 81 7b a2 2b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019107; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b6 24 74 c1 1f 18 de bb|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020242; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (AddPage)"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"083B40D3-CCBA-11D2-AFE0-00C04F7993D6"; nocase; distance:0; content:".AddPage"; nocase; content:"<OBJECT"; nocase; pcre:"/^[^>]*?classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*?083B40D3-CCBA-11D2-AFE0-00C04F7993D6/Rsi"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013730; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Scieron Possible SSL Cert"; flow:established,from_server; content:"|0b|"; content:"|10 6d 7a 85 10 89 c8 6f bb 41 41 46 e6 96 f2 68 cd|"; within:45; content:"|55 04 03|"; distance:0; content:"|10|RibbonLocalHTTPS"; distance:1; within:17; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020243; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (DeletePage)"; flow:to_client,established; file_data; content:"083B40D3-CCBA-11D2-AFE0-00C04F7993D6"; nocase; distance:0; content:".DeletePage"; nocase; content:"<OBJECT"; pcre:"/^[^>]*?classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*083B40D3-CCBA-11D2-AFE0-00C04F7993D6/Rsi"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013731; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query for Suspicious torwoman.com Domain - Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|torwoman|03|com"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020283; rev:1; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
 
-#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 33033 (msg:"ET CHAT Skype Bootstrap Node (udp)"; threshold: type both, count 5, track by_src, seconds 120; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2003022; classtype:policy-violation; sid:2003022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange redirection Jan 22 2015"; flow:established,from_server; file_data; content:"var theme_customize"; within:19; pcre:"/^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f/Ri"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020291; rev:2; metadata:created_at 2015_01_23, former_category EXPLOIT_KIT, updated_at 2015_01_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Large amount of TCP ZeroWindow - Possible Nkiller2 DDos attack"; flags:A; window:0; threshold: type both, track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2009414; classtype:attempted-dos; sid:2009414; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Scieron Retrieving Information Response"; flow:established,from_server; file_data; content:"system"; within:6; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})system$/R"; flowbits:isset,ET.Trojan.Scieron.Ret; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; reference:md5,a36db258d0f6f085e8e5030d8e9a9bf4; classtype:trojan-activity; sid:2020297; rev:2; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Rdxrp.com Traffic (Generic)"; flow: to_server,established; content:"/rdxr"; nocase; http_uri; content:".dat"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001312; classtype:trojan-activity; sid:2001312; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/AGENT.NXNX Checkin 2"; flow:to_server,established; dsize:200; content:"D|3a 00 00 00|"; offset:7; depth:13; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}D\x3a\x00+?$/"; reference:md5,fdcf0e3e3ad69cdd570387c4ce9aa8b3; reference:url,ahnlabasec.tistory.com/1007; reference:url,global.ahnlab.com/global/upload/download/asecreport/ASEC%20Report_Vol.58_Eng.pdf; classtype:command-and-control; sid:2020303; rev:2; metadata:created_at 2015_01_23, former_category MALWARE, updated_at 2015_01_23;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ADWARE_PUP Adware/Antivirus360 Config to client"; flow:established,to_client; content:"[InstallerIni]"; nocase; depth:300; content:"|0d 0a|Pid="; nocase; within:6; content:"|0d 0a|Product="; nocase; content:"|0d 0a|FID="; nocase; content:"|0d 0a|Title="; nocase; reference:url,doc.emergingthreats.net/2009809; classtype:pup-activity; sid:2009809; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector Jan 23 2015"; flow:established,to_server; content:"GET"; http_method; content:"/js/jquery-"; http_uri; fast_pattern:only; pcre:"/^\/js\/jquery-\d+\.\d{2}\.\d{2}\.js$/U"; content:"Referer|3a|"; pcre:"/^[^\r\n]+?\.html?\r?$/Rmi"; classtype:trojan-activity; sid:2020304; rev:2; metadata:created_at 2015_01_23, former_category CURRENT_EVENTS, updated_at 2015_01_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Sogu Remote Access Trojan Social Media Embedded CnC Channel"; flow:established,to_client; content:"DZKS"; content:"DZJS"; within:50; reference:url,blogs.norman.com/2012/security-research/trojan-moves-its-configuration-to-twitter-linkedin-msdn-and-baidu; classtype:command-and-control; sid:2014618; rev:3; metadata:created_at 2012_04_20, former_category MALWARE, updated_at 2012_04_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9d 12 4e cf d7 61 de 81|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020307; rev:4; metadata:attack_target Client_and_Server, created_at 2015_01_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Frosparf.B Downloading Hosts File"; flow:established,from_server; file_data; content:"9.9.9.9 "; within:8; pcre:"/^(?:[a-zA-Z0-9\x2d\x5f]{1,63}\.)+?[a-zA-Z0-9\x2d\x5f]{1,63}[\r\n]*?9\.9\.9\.9\s+?(?:[a-zA-Z0-9\_\-]{1,63}\.)+?[a-zA-Z0-9\x2d\x5f]{1,63}[\r\n]/R"; reference:md5,4ad55877464aa92e49231d913d00eb69; classtype:trojan-activity; sid:2019142; rev:2; metadata:created_at 2014_09_09, updated_at 2014_09_09;)
+#alert tls $EXTERNAL_NET 1025 -> $HOME_NET any (msg:"ET MALWARE Possible Mailer Dropped by Dyre SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02 41 55|"; distance:0; content:"|55 04 08|"; distance:0; pcre:"/^.{2}(?P<var>[a-z0-9]{4,16}[01]).+?\x06\x03\x55\x04\x08.{2}(?P=var)/Rs"; reference:md5,dbcdaf617e19d2a35f763ac996cf8cd7; classtype:trojan-activity; sid:2020205; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_01_19, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RedKit Repeated Exploit Request Pattern"; flow:established,to_server; content:".php?t="; nocase; http_uri; pcre:"/\.php\?t=\d{2,7}$/U"; threshold:type both, track by_src, count 5, seconds 15; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; reference:url,malware.dontneedcoffee.com/2012/05/inside-redkit.html; reference:url,malware.dontneedcoffee.com/2012/05/redkit-not-so-red-anymore.html; reference:url,www.malwaredomainlist.com/forums/index.php?topic=4855.msg23470; classtype:exploit-kit; sid:2014748; rev:4; metadata:created_at 2012_05_14, updated_at 2012_05_14;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Regin Hopscotch Module Accessing SMB2 Named Pipe (Unicode) 1"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|6|00|6|00|f|00|b|00|e|00|8|00|7|00|a|00|-|00|4|00|3|00|7|00|2|00|-|00|1|00|f|00|5|00|1|00|-|00|1|00|0|00|1|00|d|00|-|00|1|00|a|00|a|00|f|00|0|00|0|00|4|00|3|00|1|00|2|00|7|00|a|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin; classtype:trojan-activity; sid:2020309; rev:1; metadata:created_at 2015_01_26, updated_at 2015_01_26;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET DELETED Cisco Torch SNMP Scan"; content:"public"; content:"|30 0C 06 08 2B 06 01 02 01 01 01 00 05 00|"; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008597; classtype:attempted-recon; sid:2008597; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Regin Hopscotch Module Accessing SMB Named Pipe (Unicode) 2"; flow:to_server,established; content:"|FF|SMB"; offset:4; depth:4; content:"|00|{|00|4|00|4|00|f|00|d|00|g|00|2|00|3|00|a|00|-|00|1|00|5|00|2|00|2|00|-|00|6|00|f|00|9|00|e|00|-|00|d|00|0|00|5|00|d|00|-|00|1|00|a|00|a|00|f|00|0|00|1|00|7|00|6|00|1|00|3|00|8|00|a|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin; classtype:trojan-activity; sid:2020310; rev:1; metadata:created_at 2015_01_26, updated_at 2015_01_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 33 9e 92 b0 3e 35 b8|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019147; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 10 f0 a9 8b a2 9b 82|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020313; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Tomcat Successful default credential login from external source"; flow:from_server,established; content:"HTTP/1."; depth:7; content:"200"; http_stat_code; content:"OK"; http_stat_msg; reference:url,tomcat.apache.org; classtype:successful-admin; sid:2009219; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 99 95 bf 9b 4f 7d 85 0e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020314; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea c4 eb c7 a8 ae c0 8c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019148; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Jan 27 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:" id=|22|"; distance:15; within:16; pcre:"/^[A-Za-z]{3,5}/R"; content:"|22| style=|22|display|3a|none|22|>"; within:23; pcre:"/^[a-zA-Z0-9]{9}<\/[^>]+>\s+?<[^\s]+\sid=\x22[a-zA-Z]{3,5}\x22\sstyle=\x22display\x3anone\x22>[A-Za-z0-9]{500}/Rs"; classtype:exploit-kit; sid:2020319; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_28, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|19|groundbellsinc2@yahoo.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019149; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9d 98 f4 2b 01 ee fc d3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020322; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 10 d6 2f a9 1d 55 7b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019150; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 45 b9 f1 e8 a9 d8 52|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020331; rev:3; metadata:attack_target Client_and_Server, created_at 2015_01_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 96 2c 97 86 ef 94 08 62|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019151; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,465,587] (msg:"ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (HELO)"; flow:to_server,established; content:"HELO "; nocase; content:!"|0a|"; within:1024; pcre:"/^\s*?\d[\d\x2e]{255}/R"; reference:url,openwall.com/lists/oss-security/2015/01/27/9; classtype:attempted-admin; sid:2020325; rev:2; metadata:created_at 2015_01_28, updated_at 2015_01_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 33 9e 92 b0 3e 35 b8|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019152; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,465,587] (msg:"ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (EHLO)"; flow:to_server,established; content:"EHLO "; nocase; content:!"|0a|"; within:1024; pcre:"/^\s*?\d[\d\x2e]{255}/R"; reference:url,openwall.com/lists/oss-security/2015/01/27/9; classtype:attempted-admin; sid:2020326; rev:4; metadata:created_at 2015_01_28, updated_at 2015_01_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 69 ac|"; within:30; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0f|serveradmin.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019153; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible WordpressPingbackPortScanner detected"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/xmlrpc.php"; http_uri; content:"pingback.ping"; http_client_body; nocase; threshold: type both, track by_src, seconds 60, count 5; reference:url,seclists.org/bugtraq/2012/Dec/101; reference:url,github.com/FireFart/WordpressPingbackPortScanner/; reference:url,www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability/; classtype:web-application-attack; sid:2016061; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Office PNG overflow attempt invalid tEXt chunk length"; flow:established,to_client; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"IHDR"; distance:0; content:"tEXt"; distance:13; byte_test:4,>,2147483647,-8,relative; reference:cve,2013-1331; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017005; rev:6; metadata:created_at 2013_06_12, updated_at 2013_06_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Agent.PYO Receiving Config"; flow:established,from_server; file_data; content:"path = "; within:7; content:"|0a|delay = "; distance:0; pcre:"/^\d+\n/R"; content:"hash = "; within:7; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:trojan-activity; sid:2020335; rev:2; metadata:created_at 2015_01_30, updated_at 2015_01_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Georgian Targeted Attack - Server Response"; flow:established,from_server; flowbits:isset,ET.cyberEspionageGeorgia; file_data; content:"<html><head><META HTTP-EQUIV=|22|Pragma|22| CONTENT=|22|no-cache|22|></head><body>TV"; content:"VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGU"; within:360; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015852; rev:6; metadata:created_at 2012_11_01, updated_at 2012_11_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Flashpack Redirect Method 3"; flow:established,to_server; content:"POST"; http_method; content:!"/gateway.php"; http_uri; content:"gate"; http_uri; fast_pattern:only; content:".php"; http_uri; content:".swf"; http_header; pcre:"/^Referer\x3a[^\r\n]+\.swf/Hmi"; classtype:trojan-activity; sid:2019325; rev:9; metadata:created_at 2014_09_30, updated_at 2014_09_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Georgian Targeted Attack - Client Request"; flow:established,to_server; urilen:9; content:"/calc.php"; http_uri; flowbits:set,ET.cyberEspionageGeorgia; flowbits:noalert; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015851; rev:4; metadata:created_at 2012_11_01, updated_at 2012_11_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT HanJuan Landing Dec 10 2014"; flow:established,from_server; file_data; content:"|27|.replace(/["; pcre:"/^[A-Za-z]{10,}/R"; content:"]/g,|27 27|).substr|28|"; fast_pattern; content:"document.write("; content:"d"; content:!"27cdb6e-ae6d-11cf-96b8-444553540000"; within:35; pcre:"/^[^\x27]*?2[^\x27]*?7[^\x27]*?c[^\x27]*?d[^\x27]*?b[^\x27]*?6[^\x27]*?e[^\x27]*?-[^\x27]*?a[^\x27]*?e[^\x27]*?6[^\x27]*?d[^\x27]*?-[^\x27]*?1[^\x27]*?1[^\x27]*?c[^\x27]*?f[^\x27]*?-[^\x27]*?9[^\x27]*?6[^\x27]*?b[^\x27]*?8[^\x27]*?-[^\x27]*?4[^\x27]*?4[^\x27]*?4[^\x27]*?5[^\x27]*?5[^\x27]*?3[^\x27]*?5[^\x27]*?4[^\x27]*?0[^\x27]*?0[^\x27]*?0[^\x27]*?0/Rsi"; classtype:trojan-activity; sid:2019916; rev:3; metadata:created_at 2014_12_11, former_category CURRENT_EVENTS, updated_at 2014_12_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK Java Exploit"; flow:established,to_server; content:"/view_policy_free.jnlp"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2019154; rev:3; metadata:created_at 2014_09_10, former_category CURRENT_EVENTS, updated_at 2014_09_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BePush/Kilim Checkin response"; flow:established,from_server; file_data; content:"Server_ok"; depth:9; flowbits:isset,ET.FB.troj; reference:url,seclists.org/fulldisclosure/2015/Jan/131; reference:md5,cdcc132fad2e819e7ab94e5e564e8968; classtype:command-and-control; sid:2020349; rev:2; metadata:created_at 2015_02_03, former_category MALWARE, updated_at 2015_02_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit FireFox WebIDL Privileged Javascript Injection"; flow:from_server,established; file_data; content:".atob(String.fromCharCode("; pcre:"/^(?:90|0x5a|0+?132)\s*?,\s*?(?:71|0x47|0+?107)\s*?,\s*?(?:70|0x46|0+?106)\s*?,\s*?(?:48|0x30|0+?60)\s*?,\s*?(?:89|0x59|0+?131)\s*?,\s*?(?:84|0x54|0+?124)\s*?,\s*?(?:112|0x70|0+?160)/Rsi"; reference:url,www.exploit-db.com/exploits/34448/; classtype:trojan-activity; sid:2019085; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2014_08_29, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Chaintor/Tordal User-Agent spotted downloading payload"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Macintosh|3b| Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"; fast_pattern:50,20; http_header; classtype:trojan-activity; sid:2020347; rev:4; metadata:created_at 2015_02_03, updated_at 2015_02_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UCMore Spyware Downloading Ads"; flow: to_server,established; content:"/clientsetupfinish.html?sponsor_id="; http_uri; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; reference:url,doc.emergingthreats.net/bin/view/Main/2001998; classtype:pup-activity; sid:2001998; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible HTTP GET Deep Panda C2 Activity"; flow:established,to_server; content:"GET"; http_method; content:".jpg?id="; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.jpg\?id=\d+$/U"; reference:md5,5acc539355258122f8cdc7f5c13368e1; classtype:command-and-control; sid:2020379; rev:2; metadata:created_at 2015_02_06, updated_at 2015_02_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware Installer Download"; flow:to_server,established; content:"/downloads/valueadd/ping/ping.htm"; nocase; http_uri; content:"zango.com|0d 0a|"; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003058; classtype:pup-activity; sid:2003058; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.XOR Checkin"; flow:to_server,established; content:"BB2FA36AAA9541F0"; depth:500; reference:url,blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html; classtype:command-and-control; sid:2020381; rev:3; metadata:created_at 2015_02_07, former_category MALWARE, malware_family XorDDoS, updated_at 2015_02_07;)
 
-#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TSPY_POCARDL.U Possible FTP Login"; flow:established,to_server; content:"USER user drupalzf"; reference:md5,ceb5b99c13b107cf07331bcbddb43b1f; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019159; rev:2; metadata:created_at 2014_09_11, updated_at 2014_09_11;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (ASCII)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|5c|msuta64.dll"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020173; rev:2; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|googleforking.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018912; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (ASCII)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|5c|ole64.dll"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020174; rev:2; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert webhostingpad.com"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|10 00 89 36 39 2c a7 4f ef 26 13 4f 11 2e d4 22 64|"; fast_pattern:only; content:"|55 04 03|"; content:"|13|*.webhostingpad.com"; distance:1; within:20; reference:md5,be7a7252865b3407498170f142efe471; classtype:trojan-activity; sid:2018594; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_06_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (ASCII)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|5c|ole.dll"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020175; rev:2; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS"; flow:to_server,established; content:"hihihihihihihihihihihihihihihihi"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012048; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (Unicode)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|5c 00|m|00|s|00|u|00|t|00|a|00|6|00|4|00|.|00|d|00|l|00|l"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020176; rev:3; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Inbound Low Orbit Ion Cannon LOIC DDOS Tool desu string"; flow:to_server,established; content:"desudesudesu"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012049; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (Unicode)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|5c 00|o|00|l|00|e|00|6|00|4|00|.|00|d|00|l|00|l"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020177; rev:3; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS desu string"; flow:to_server,established; content:"desudesudesu"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012050; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (Unicode)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|5c 00|o|00|l|00|e|00|.|00|d|00|l|00|l"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020178; rev:3; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible JKDDOS download 500.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/500.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012456; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB2 Traffic"; flow:established,to_server; content:"|FE|SMB|40|"; offset:4; depth:5; content:"|16 00|"; distance:0; content:"m|00|s|00|u|00|t|00|a|00|6|00|4|00|.|00|d|00|l|00|l"; distance:8; within:21; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020382; rev:5; metadata:created_at 2015_02_07, former_category MALWARE, updated_at 2015_02_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible JKDDOS download desyms.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/desyms.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012458; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB2 Traffic"; flow:established,to_server; content:"|FE|SMB|40|"; offset:4; depth:5; content:"|12 00|"; distance:0; content:"o|00|l|00|e|00|6|00|4|00|.|00|d|00|l|00|l"; distance:8; within:17; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020383; rev:4; metadata:created_at 2015_02_07, updated_at 2015_02_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible JKDDOS download 1691.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/1691.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012459; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB2 Traffic"; flow:established,to_server; content:"|FE|SMB|40|"; offset:4; depth:5; content:"|0e 00|"; distance:0; content:"o|00|l|00|e|00|.|00|d|00|l|00|l"; distance:8; within:13; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020384; rev:2; metadata:created_at 2015_02_07, updated_at 2015_02_07;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Perl.Shellbot.cd IRC Bot that have DoS/DDoS functions"; flow:from_server,established; flowbits:isset,is_proto_irc; content:"PRIVMSG|20|"; pcre:"/^PRIVMSG.*@(portscan|back|(tcp|udp|http)flood|tsunami|(de)?voice|reset|die|say|join|part|(de)?op)/mi"; reference:url,theprojectxblog.net/another-perl-irc-bot-that-have-dosddos-functions/; classtype:trojan-activity; sid:2025065; rev:3; metadata:created_at 2012_05_22, former_category TROJAN, updated_at 2017_11_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Sweet Orange Landing Nov 04 2013"; flow:from_server,established; file_data; content:"|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3e|"; fast_pattern:only; content:"|20|id=|22|"; pcre:"/^(?=[a-z]{0,7}[A-Z])(?=[A-Z]{0,7}[a-z])[A-Za-z]{8}\x22[^>]+?>[A-Za-z]{70}/Rs"; classtype:exploit-kit; sid:2019647; rev:5; metadata:created_at 2014_11_05, former_category CURRENT_EVENTS, updated_at 2014_11_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET [22,23,80,443,10000] (msg:"ET DOS Possible Cisco PIX/ASA Denial Of Service Attempt (Hping Created Packets)"; flow:to_server; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; depth:40; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; distance:300; isdataat:300,relative; threshold: type threshold, track by_src, count 60, seconds 80; reference:url,www.securityfocus.com/bid/34429/info; reference:url,www.securityfocus.com/bid/34429/exploit; reference:url,www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html; reference:cve,2009-1157; reference:url,doc.emergingthreats.net/2010624; classtype:attempted-dos; sid:2010624; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET DELETED Job314/Neutrino Reboot EK Payload Nov 20 2014"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"User-Agent|3a 20|Mozilla"; http_header; fast_pattern; content:"GET"; http_method; pcre:"/^\/(?:[a-z]+\.[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){3,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)$/U"; classtype:exploit-kit; sid:2019764; rev:9; metadata:created_at 2014_11_21, updated_at 2018_06_18;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE DHL Spam Inbound"; flow:established,to_server; content:"name=|22|DHL"; nocase; content:".zip|22|"; within:68; nocase; pcre:"/name=\x22DHL(\s|_|\-)?[a-z0-9\-_\.\s]{0,63}\.zip\x22/i"; reference:url,doc.emergingthreats.net/2010148; classtype:trojan-activity; sid:2010148; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/AlienSpy RAT Checkin"; flow:established,to_server; flowbits:isset,ET.rat.alienspy; content:"|78 70|"; depth:2; content:"|1f 8b 08 00 00 00 00 00 00 00 6d|"; distance:4; within:11; pcre:"/^[\x53\x54]/R"; reference:url,contagiodump.blogspot.com/2014/11/alienspy-java-rat-samples-and-traffic.html?m=1; classtype:command-and-control; sid:2019739; rev:3; metadata:created_at 2014_11_18, former_category MALWARE, updated_at 2014_11_18;)
 
-#alert tcp ![66.220.157.64/26,66.220.157.16/29,66.220.157.48/28,66.220.157.24/29,66.220.144.128/27,66.220.157.128/27,66.220.144.160/29,66.220.157.160/29,66.220.144.168/29,66.220.157.168/29] any -> $SMTP_SERVERS 25 (msg:"ET DELETED Facebook Spam Inbound (1)"; flow:established,to_server; content:"facebook.com"; nocase; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; content:"Facebook_"; within:50; pcre:"/filename=.*facebook.*\.(rar|exe|zip)/i"; reference:url,doc.emergingthreats.net/2010497; reference:url,postmaster.facebook.com/outbound; classtype:trojan-activity; sid:2010497; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE MSIL/Golroted.B Keylogger FTP"; flow:established,to_server; content:"STOR Logger_"; reference:md5,b2b82fd662dd0ddf53aa37bb9025bf92; classtype:trojan-activity; sid:2020411; rev:1; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
 
-#alert tcp !152.0.0.0/16 any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound"; flow:established,to_server; content:"ups.com"; nocase; fast_pattern; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; pcre:"/filename\s*?=[^\n]*?(UPS|United Parcel Service)[^\n]*?\.(rar|exe|zip)/im"; classtype:trojan-activity; sid:2010644; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE Predator Pain Keylogger FTP"; flow:established,to_server; content:"STOR Predator_Pain"; reference:md5,c9025c9835d1b7d6f0dd2390ea7d5e18; classtype:trojan-activity; sid:2020412; rev:1; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential FakeAV download ASetup_2009.exe variant"; flow:established,to_server; content:"GET "; nocase; depth:4;  content:"Setup_"; fast_pattern; nocase; http_uri; content:".exe"; distance:0; nocase; http_uri; content:!"|0d 0a|Referer|3a| "; nocase; pcre:"/\/[A-Z]Setup_[0-9]{4}\.exe$/Ui"; reference:url,www.prevx.com/avgraph/1/AVG.html; reference:url,doc.emergingthreats.net/2010901; classtype:trojan-activity; sid:2010901; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED High Probability Blackhole Landing with catch qq"; flow:established,from_server; content:")|3b|}catch(qq"; fast_pattern:only; classtype:bad-unknown; sid:2014294; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_29, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV Download with Cookie WinSec"; flow:established,to_server; content:"/down.php?c="; nocase; http_uri; content:"Cookie|3a| WinSec"; nocase; reference:url,www.virustotal.com/analisis/6b5ff522ddf418a5cca87ebd924736774c1a58a9b51bb44ee72dac01f0db317a-1278686791; reference:url,doc.emergingthreats.net/2011178; classtype:trojan-activity; sid:2011178; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - IP - 161.69.13.44"; content:"|00 01 00 01|"; content:"|00 04 A1 45 0D 2C|"; distance:4; within:6; content:!"|07|sa-live|03|com"; classtype:trojan-activity; sid:2019508; rev:3; metadata:created_at 2014_10_27, updated_at 2014_10_27;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible JAVA pack200-zip-exploit attempt"; flow:to_client; content:"e.pack.gz"; content:"|0d 0a|Content-Encoding|3a| pack200-gzip"; within:55; reference:url,isc.sans.org/diary.html?storyid=6805&rss; reference:url,doc.emergingthreats.net/2009665; classtype:attempted-user; sid:2009665; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY I2P Seeds File Download"; flow:established,to_client; file_data; content:"I2Psu3"; within:6; reference:url,phishme.com/dyre-attackers-shift-tactics/; classtype:policy-violation; sid:2020416; rev:2; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Microsoft Windows .lnk File Processing WebDAV Arbitrary Code Execution Attempt"; flow:established,to_client; content:"<lp2|3A|executable>T</lp2|3A|executable>"; nocase; content:"<D|3A|lockscope><D|3A|exclusive/></D|3A|lockscope>"; nocase; distance:0; content:"</D|3A|lockentry>"; nocase; distance:0; content:"<D|3A|lockscope><D|3A|shared/></D|3A|lockscope>"; nocase; distance:0; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20918; reference:url,www.kb.cert.org/vuls/id/940193; reference:url,www.microsoft.com/technet/security/advisory/2286198.mspx; reference:cve,2010-2568; classtype:attempted-user; sid:2011270; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert udp $HOME_NET 1434 -> $EXTERNAL_NET any (msg:"ET DOS MC-SQLR Response Outbound Possible DDoS Participation"; content:"|05|"; depth:1; content:"ServerName|3b|"; nocase; content:"InstanceName|3b|"; distance:0; content:"IsClustered|3b|"; distance:0; content:"Version|3b|"; distance:0; threshold:type both,track by_src,count 30,seconds 60; reference:url,kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html; classtype:attempted-dos; sid:2020305; rev:4; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Likely Rogue Antivirus Download - ws.zip"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/install/ws.zip"; nocase; http_uri; reference:url,doc.emergingthreats.net/2010052; classtype:trojan-activity; sid:2010052; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert udp $EXTERNAL_NET 1434 -> $HOME_NET any (msg:"ET DOS MC-SQLR Response Inbound Possible DDoS Target"; content:"|05|"; depth:1; content:"ServerName|3b|"; nocase; content:"InstanceName|3b|"; distance:0; content:"IsClustered|3b|"; distance:0; content:"Version|3b|"; distance:0; threshold:type both,track by_dst,count 30,seconds 60; reference:url,kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html; classtype:attempted-dos; sid:2020306; rev:3; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Tinba Server Response"; flow:established,to_client; flowbits:isset,ET.Tinba.Checkin; file_data; content:"|64 b4 dc a4|"; within:4; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019169; rev:4; metadata:created_at 2014_09_12, updated_at 2014_09_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Gulcrypt.B Downloading components"; flow:established,from_server; flowbits:isset,ET.Gulcrypt; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,6c41449d6c3efd4c9f98374a0d132ff6; classtype:trojan-activity; sid:2020421; rev:2; metadata:created_at 2015_02_13, updated_at 2015_02_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely TDSS Download (pcdef.exe)"; flow:established,to_server; content:"GET"; http_method; content:"/pcdef.exe"; http_uri; nocase; classtype:trojan-activity; sid:2010055; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1"; flow:established,from_server; file_data; content:"lRXdjVGeFxGblh2U"; classtype:exploit-kit; sid:2020423; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Fake Antivirus Download installpv.exe"; flow:established,to_server; content:"GET"; http_method; content:"/installpv.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010057; classtype:trojan-activity; sid:2010057; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1"; flow:established,from_server; file_data; content:"Z0V3YlhXRsxWZoN"; classtype:exploit-kit; sid:2020424; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Malware Download flash-HQ-plugin exe"; flow:established,to_server; content:"GET"; http_method; content:"flash-"; http_uri; nocase; content:"-plugin"; http_uri; nocase; content:".exe"; nocase; http_uri; pcre:"/flash-[A-Z0-9]+-plugin\.[A-Z0-9]+\.exe/Ui"; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010440; classtype:bad-unknown; sid:2010440; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1"; flow:established,from_server; file_data; content:"Gd1NWZ4VEbsVGaT"; classtype:exploit-kit; sid:2020425; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Unknown Malware Download Attempt"; flow:established,to_server; uricontent:"/installer/Installer"; nocase; uricontent:".exe"; nocase; pcre:"/\/\d+\/installer\/Installer(Clean)?\.exe$/Ui"; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010796; classtype:bad-unknown; sid:2010796; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M2"; flow:established,from_server; file_data; content:"KkxSZssGLjxSYsAHKu9Wa0Nmb1ZGKsFmdl"; classtype:exploit-kit; sid:2020428; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Client Visiting Possibly Compromised Site (HaCKeD By BeLa & BodyguarD)"; flow:established,from_server; content:"HaCKeD By BeLa & BodyguarD"; content:".js"; reference:url,www.incidents.org/diary.html?storyid=4405; classtype:web-application-attack; sid:2008206; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Uknown EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"DFE42z.class"; classtype:exploit-kit; sid:2020429; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD)"; flow:established,to_server; content:"HaCKeD By BeLa & BodyguarD"; reference:url,www.incidents.org/diary.html?storyid=4405; classtype:web-application-attack; sid:2008207; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carbanak APT CnC Beacon 2"; flow:established,to_server; content:"|00 00|OS|3a 20|"; offset:10; depth:6; fast_pattern; content:"|2c 20|Domain|3a 20|"; distance:0; content:"|2c 20|User|3a 20|"; distance:0; content:"|00|"; distance:0; reference:url,securelist.com/files/2015/02/Carbanak_APT_eng.pdf; classtype:targeted-activity; sid:2020456; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_02_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Psyb0t Bot Nick"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK [NIP]-"; fast_pattern:only; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009171; classtype:trojan-activity; sid:2009171; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Payload DL M2 Feb 06 2015"; flow:to_server,established; urilen:>48; content:"HTTP/1.1|0d 0a|Host|3a|"; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"Connection|3a 20|Keep-Alive|0d 0a|"; http_header; pcre:"/^\/(?:[A-Za-z0-9-_]{4}){11,}(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=)?$/U"; content:"GET"; http_method; classtype:exploit-kit; sid:2020399; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 1"; flow:established,to_server; content:"POST"; http_method; content:"/senm.php?data="; nocase; http_uri; content:"data="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2010234; reference:md5,7ca709f154e6abc678fbc4df8a3256b6; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; classtype:trojan-activity; sid:2010234; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Jan 27 2015 M1"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:"|5b 2f 2a|"; fast_pattern; pcre:"/^[a-z]{7}(?:\s*?[a-z]+\s*?)*?[a-z]{7,}\x2a\x2f[a-zA-Z]{3,5}\W/Rs"; content:"|2f 2a|"; distance:0; pcre:"/^[a-z]{7}(?:\s*?[a-z]+\s*?)*?[a-z]{7,}\x2a\x2f/Rs"; content:"|2f 2a|"; distance:0; pcre:"/^[a-z]{7}(?:\s*?[a-z]+\s*?)*?[a-z]{7,}\x2a\x2f/Rs"; classtype:exploit-kit; sid:2020318; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_28, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 1"; flow:established,to_server; content:"GET"; http_method; content:"/perce/"; http_uri; nocase; content:"/qwerce.gif"; http_uri; nocase; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; classtype:trojan-activity; sid:2010231; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6332 DECS2"; flow:established,from_server; file_data; content:"102,117,110,99,116,105,111,110,32,114,117,110,109,117,109,97,97"; classtype:trojan-activity; sid:2020460; rev:4; metadata:created_at 2015_02_18, former_category CURRENT_EVENTS, updated_at 2015_02_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 2"; flow:established,to_server; content:"POST"; http_method; content:"/perce/"; nocase; http_uri; content:"/qwerce.gif"; http_uri; nocase; content:"data="; nocase; http_client_body; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,doc.emergingthreats.net/2010235; classtype:trojan-activity; sid:2010235; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin EK Possible Jar Download"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"=Yes"; http_cookie; content:"cck_lasttime="; http_cookie; content:"cck_count="; http_cookie; classtype:exploit-kit; sid:2020477; rev:3; metadata:created_at 2015_02_19, updated_at 2015_02_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 3"; flow:established,to_server; content:"POST"; http_method; content:"/werber/"; nocase; http_uri; content:"/217.gif"; http_uri; nocase; content:"data="; nocase; http_client_body; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,doc.emergingthreats.net/2010236; classtype:trojan-activity; sid:2010236; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin EK Possible Jar Download"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"=Yes"; http_cookie; pcre:"/nb[\d+]=Yes/C"; classtype:exploit-kit; sid:2020478; rev:3; metadata:created_at 2015_02_19, updated_at 2015_02_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 4"; flow:established,to_server; content:"POST"; http_method; content:"/item/"; nocase; http_uri; content:"/titem.gif"; nocase; http_uri; content:"data="; nocase; http_client_body; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,doc.emergingthreats.net/2010237; classtype:trojan-activity; sid:2010237; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY GENERIC CollectGarbage in Hex String No Seps"; flow:to_client,established; file_data; content:"436f6c6c6563744761726261676528"; nocase; classtype:trojan-activity; sid:2020481; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 5"; flow:established,to_server; content:"POST"; http_method; content:"/report.php?data="; nocase; http_uri; content:"data="; nocase; http_client_body; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,doc.emergingthreats.net/2010238; classtype:trojan-activity; sid:2010238; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in Hex No Seps"; flow:to_client,established; file_data; content:"5368656c6c45786563757465"; nocase; classtype:trojan-activity; sid:2020482; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 6"; flow:established,to_server; content:"POST"; http_method; content:"/arrows/"; nocase; http_uri; content:"/arrow_up.gif"; nocase; http_uri; content:"data="; nocase; http_client_body; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,doc.emergingthreats.net/2010239; reference:md5,316fd88ac18d21889b1dbf9b979c1959; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; classtype:trojan-activity; sid:2010239; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in URLENCODE"; flow:to_client,established; file_data; content:"%53%68%65%6c%6c%45%78%65%63%75%74%65"; nocase; classtype:trojan-activity; sid:2020483; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET MALWARE Infected System Looking up chr.santa-inbox.com CnC Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|chr|0b|santa-inbox|03|com"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008531; classtype:command-and-control; sid:2008531; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Comment in Body"; flow:to_client,established; file_data; content:"|3c 21 2d 2d 20 30 39 38 30 32 33 37 36 34 32 20 2d 2d 3e|"; classtype:exploit-kit; sid:2020484; rev:2; metadata:created_at 2015_02_19, updated_at 2015_02_19;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Client requesting fake scanner page /scan/?key="; flow:established,to_server; content:"/scan/?key="; http_uri; classtype:bad-unknown; sid:2011545; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SuperFish Possible SSL Cert CnC Traffic"; flow:established,from_server; content:"|55 04 0a|"; content:"|0e|Superfish Inc."; distance:1; within:15; content:"|55 04 03|"; distance:0; content:"|19|*.best-deals-products.com"; distance:1; within:26; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:command-and-control; sid:2020492; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_02_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Eleonore - landing page"; flow:established,to_client; content:"{display|3A|none}</style><a class="; classtype:bad-unknown; sid:2011510; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing Page M2"; flow:from_server,established; file_data; content:"deconcept.SWFObjectUtil.getPlayerVersion"; fast_pattern; content:"navigator.userAgent.toLowerCase()|3b|"; content:"if|28|document.cookie"; content:"var "; pcre:"/^(?P<vname>[A-Za-z0-9]+)\s*?=\s*?navigator.userAgent.toLowerCase\x28\x29\x3b.+?if\(document.cookie[^\r\n]+\([^\r\n]+(?P=vname)[\x2e\x5b\x22\x27+\s]+i[\x22\x27+\s]*n[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*x[\x22\x27+\s]*O[\x22\x27+\s]*f[\x22\x27+\s]*\x5d?\(\s*?[\x22\x27]b[\x22\x27+\s]*o[\x22\x27+\s]*t[\x22\x27+\s]*[\x22\x27][^\r\n]+(?P=vname)[\x2e\x5b\x22\x27+\s]+i[\x22\x27+\s]*n[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*x[\x22\x27+\s]*O[\x22\x27+\s]*f[\x22\x27+\s]*\x5d?\(\s*?[\x22\x27]s[\x22\x27+\s]*p[\x22\x27+\s]*i[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*r[\x22\x27+\s]*[\x22\x27]/Rs"; classtype:exploit-kit; sid:2020407; rev:5; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe CoolType Smart INdependent Glyplets - SING - Table uniqueName Stack Buffer Overflow Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"SING"; distance:0; content:"|01 00 01 0E|"; within:100; content:"|00 3A|"; within:100; isdataat:100,relative; content:!"|0A|"; within:100; reference:url,contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html; reference:cve,2010-2883; classtype:attempted-user; sid:2011501; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page M2"; flow:established,from_server; file_data; content:"function llll|28|"; content:"return bmw|3b|"; distance:0; classtype:exploit-kit; sid:2020494; rev:3; metadata:created_at 2015_02_20, updated_at 2015_02_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Executable Download named to be .com FQDN"; flow:established,to_server; content:"GET"; nocase; http_method; content:".com.exe"; http_uri; nocase; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011495; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M3"; flow:established,from_server; file_data; content:"|2a|0xffffffff|2a|"; content:"|2a|str2long|2a|"; content:"|2a|long2str|2a|"; classtype:exploit-kit; sid:2020495; rev:3; metadata:created_at 2015_02_20, updated_at 2015_02_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Executable Download named to be FQDN"; flow:established,to_server; content:"GET"; nocase; http_method; content:".exe"; http_uri; nocase; fast_pattern; content:"."; depth:200; content:".exe"; nocase; distance:2; within:6; pcre:"/\/.+(www\.)?[a-z0-9]+\.[a-z]{2,3}\.exe$/Ui"; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011496; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carbanak APT CnC Beacon 1"; flow:established,to_server; dsize:24; content:"|08|"; depth:1; byte_extract:1,1,Carbanak.Pivot,relative; byte_test:1,!=,Carbanak.Pivot,0,relative; byte_test:1,=,Carbanak.Pivot,3,relative; content:"|00 00 00 02 00 00 00 00 00 00 00 00 00|"; distance:4; within:13; fast_pattern; content:!"|00 00 00|"; within:3; reference:md5,6ae1bb06d10f253116925371c8e3e74b; reference:url,securelist.com/files/2015/02/Carbanak_APT_eng.pdf; classtype:targeted-activity; sid:2020455; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_02_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Phoenix landing page - valium"; flow:established,to_client; content:"var string = val+|22|ium|22|\;"; classtype:bad-unknown; sid:2011486; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible Unknown EK HFS CVE-2014-6332"; flow:established,from_server; content:"Server|3a 20|HFS|20|"; http_header; fast_pattern; file_data; content:"Wscript.Shell"; content:"Microsoft.XMLHTTP"; content:"ADODB.Stream"; content:"cmd.exe"; classtype:exploit-kit; sid:2020498; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_23, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV client requesting fake scanner page"; flow:established,to_server; content:"/?p=p"; http_uri; content:".co.cc|0D 0A|"; http_header; classtype:bad-unknown; sid:2011373; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Unknown EK Landing"; flow:established,from_server; content:"|64 6f 63 75 6d 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 2e 6c 65 6e 67 74 68 3e 30 29 7b|"; content:"|3d 22 31 22 2b 22 31 22 3b 64 65 6c 65 74 65|"; distance:0; content:"|2b 3d 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22|"; distance:0; classtype:exploit-kit; sid:2020501; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_23, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY phoenix exploit kit landing page"; flow:established,to_client; content:"dev.s.AdgredY"; content:"tmp/des.jar"; content:".php?deserialize"; classtype:exploit-kit; sid:2011369; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2021_06_23;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET DELETED Microsoft Access database error in HTTP response, possible SQL injection point"; flow:from_server,established; content:"JET Database Engine"; fast_pattern:only; classtype:web-application-attack; sid:2020502; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_23, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY hide-my-ip.com POST version check"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Host|3A|"; nocase; http_header; content:"hide|2d|my|2d|ip|2e|com"; nocase; within:20; http_header; content:"cmd|3d|"; nocase; content:"ver|3d|"; nocase; content:"hcode|3d|"; nocase; content:"product|3d|"; nocase; content:"year|3d|"; nocase; content:"xhcode|3d|"; nocase; classtype:policy-violation; sid:2011312; rev:4; metadata:created_at 2010_09_28, former_category POLICY, updated_at 2010_09_28;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"mysql_"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020507; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Games.jar Download Suspicious Possible Exploit Attempt"; flow:established,to_server; content:"/Games.jar"; http_uri; classtype:policy-violation; sid:2011324; rev:4; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2021_06_23;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQL syntax"; fast_pattern; content:"MySQL"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020506; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Fragus - landing page delivered"; flow:established,to_client; content:"|0d 0a 0d 0a|var CRYPT={signature|3a|"; classtype:bad-unknown; sid:2011330; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"MySqlException (0x"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020508; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp any $HTTP_PORTS -> any any (msg:"ET DELETED Malvertising DRIVEBY Fragus Admin Panel Delivered To Client"; flow:established,to_client; content:"<head>|0D 0A 09 09|<title>Fragus</title>"; classtype:bad-unknown; sid:2011342; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"valid MySQL result"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020509; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED POST to /x48/x58/ Possible Zeus Version 3 Command and Control Server Traffic"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/x48/x58/"; http_uri; nocase; content:".php"; http_uri; nocase; reference:url,www.m86security.com/labs/i/Customers-of-Global-Financial-Institution-Hit-by-Cybercrime,trace.1431~.asp; reference:url,www.m86security.com/documents/pdfs/security_labs/cybercriminals_target_online_banking.pdf; classtype:trojan-activity; sid:2011344; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"MySqlClient."; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020510; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Zeus Version 3 Infection Posting Banking HTTP Log to Command and Control Server"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/get_dr.php?"; http_uri; nocase; content:"https|3A|//"; nocase; pcre:"/\x2Fget\x5Fdr\x2Ephp\x3F(e|ini)\x3D/Ui"; reference:url,www.m86security.com/labs/i/Customers-of-Global-Financial-Institution-Hit-by-Cybercrime,trace.1431~.asp; reference:url,www.m86security.com/documents/pdfs/security_labs/cybercriminals_target_online_banking.pdf; classtype:trojan-activity; sid:2011345; rev:5; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"com.mysql.jdbc.exceptions"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020511; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV landing page - sector.hdd.png no-repeat"; flow:established,to_client; content:"sector.hdd.png) no-repeat"; classtype:bad-unknown; sid:2011419; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"PostgreSQL"; fast_pattern; content:"ERROR"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020512; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKEAV client requesting image - sector.hdd.png"; flow:established,to_server; content:"sector.hdd.png"; nocase; http_uri; classtype:bad-unknown; sid:2011420; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"Wpg_"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020513; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING redirect to exploit kit (unoeuro server)"; flow:established,to_client; content:"=|5b 22 5c|x68|5c|x74|5c|x74|5c|x70|5c|x3A|5c|x2F|5c|x2F|5c|"; content:"|0d 0a|Serverxi|3a| Apache/Unoeuro (Unix) - Secured|0d 0a|"; classtype:exploit-kit; sid:2011479; rev:4; metadata:created_at 2010_09_29, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"valid PostgreSQL result"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020514; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV scanner page enocuntered - .hdd_icon"; flow:established,to_client; content:".hdd_icon"; nocase; classtype:bad-unknown; sid:2011475; rev:4; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Npgsql."; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020515; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Driveby Bredolab - client requesting java exploit"; flow:established,to_server; content:"/Notes1.pdf"; depth:11; http_uri; classtype:bad-unknown; sid:2011795; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_10_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"org.postgresql.util.PSQLException"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020516; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Driveby Bredolab - landing page"; flow:established,to_client; content:"Server|3a| nginx"; content:"<div style=|22|visibility|3a| hidden|3b||22|><"; depth:120; classtype:bad-unknown; sid:2011796; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_10_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"ERROR|3a 20 20|syntax error at or near"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020517; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Driveby Bredolab - client exploited by acrobat"; flow:established,to_server; content:"?reader_version="; http_uri; content:"&exn=CVE-"; http_uri; classtype:trojan-activity; sid:2011797; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_10_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Driver"; fast_pattern; pcre:"/^ SQL[-_ ]Server/R"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020518; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft IE CSS Clip Attribute Memory Corruption (POC SPECIFIC)"; flow:from_server,established; file_data; content:"position|3A|absolute|3B|"; content:"clip|3A|"; within:20; content:"rect|28|0|29|"; fast_pattern; within:20; reference:url,extraexploit.blogspot.com/2010/11/cve-2010-3962-yet-another-internet.html; reference:url,www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks; reference:url,blog.fireeye.com/research/2010/11/ie-0-day-hupigon-joins-the-party.html; reference:url,www.offensive-security.com/0day/ie-0day.txt; reference:url,www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms10_xxx_ie_css_clip.rb; classtype:attempted-user; sid:2011892; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_11_05, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"OLEDB"; fast_pattern; content:"|20|SQL Server"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020519; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Interleaving document.write and appendChild Overflow (POC SPECIFIC)"; flow:from_server,established; content:"document.body.appendChild(cobj)"; content:"document.getElementById|28 22|suv|22 29|.innerHTML"; content:"new|20|Array|28|"; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=607222; reference:url,blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/; classtype:attempted-user; sid:2011893; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_11_06, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"mssql_"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020521; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Driveby leads to exploits aaitsol1/networks.php"; flow:established,to_server; content:"GET"; http_method; content:"~aaitsol1/networks.php"; nocase; http_uri; classtype:bad-unknown; sid:2011895; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception"; fast_pattern; content:"System.Data.SqlClient."; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020523; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY SEO Landing Page Encountered"; flow:established,to_client; content:"<script src=|27|src.js|27|></script><script src=|27|dest.js|27|></script><script>var "; depth:73; classtype:bad-unknown; sid:2011957; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception"; fast_pattern; content:"Roadhouse.Cms"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020524; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MALVERTISING SEO iframe redirect to drive by"; flow:established,to_client; content:"document.write|28|unescape|28 22|%3Ciframe src=|22 3b| content|3a 22|style=|27|visibility|3a|hidden|3b 27| width=|27|1|27| height=|27|1|27| %3E%3C/iframe%3E|22 29 29 3b|"; classtype:bad-unknown; sid:2011960; rev:4; metadata:created_at 2010_11_20, updated_at 2010_11_20;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Access error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Microsoft Access"; fast_pattern; pcre:"/^ \d+ Driver/R"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020525; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan downloader (AS8514)"; flow:established,to_server; content:"GET"; http_method; content:"/tube/Adobe__Flash__Player.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=1001jimm.ru; classtype:trojan-activity; sid:2011966; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_22, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Access error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"JET Database Engine"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020526; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan Banker (AS33182)"; flow:established,to_server; content:"GET"; http_method; content:"/update/html2.exe.bak"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=allmobilefashion.com; classtype:trojan-activity; sid:2011968; rev:3; metadata:created_at 2010_11_22, updated_at 2010_11_22;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Access error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Access Database Engine"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020527; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Ircbrute Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/imagFaceBook.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=egyboys.net; classtype:bad-unknown; sid:2011980; rev:3; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"ORA-"; fast_pattern:only; pcre:"/ORA-\d{4}/"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020528; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Eleonore Exploit Pack / Trojan Brebolab"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/QuickTime_Update_KB673901.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=media-download-kb572810.biz; classtype:bad-unknown; sid:2011981; rev:3; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Oracle error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020529; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Fast Flux Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/av-scanner.48370.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=mediafilesonline.net; classtype:bad-unknown; sid:2011983; rev:4; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"oci_"; distance:0; fast_pattern; pcre:"/Warning.*\Woci_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020531; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Fast Flux Rogue Antivirus MalvRem"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/MalvRem_"; nocase; http_uri; pcre:"/MalvRem_\d{3,4}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=giga-protectiona.com; reference:url,www.malwareurl.com/listing.php?domain=protectsystemf.com; reference:url,www.malwareurl.com/listing.php?domain=1cnetantispy.com; reference:url,www.malwareurl.com/listing.php?domain=3gb-scanner.com; classtype:bad-unknown; sid:2011984; rev:4; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"ora_"; fast_pattern; distance:0; pcre:"/Warning.*\Wora_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020532; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Fast Flux Rogue Antivirus avdistr"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/avdistr_"; nocase; http_uri; pcre:"/avdistr_\d{3,4}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=giga-protectiona.com; reference:url,www.malwareurl.com/listing.php?domain=protectsystemf.com; reference:url,www.malwareurl.com/listing.php?domain=1cnetantispy.com; reference:url,www.malwareurl.com/listing.php?domain=3gb-scanner.com; classtype:bad-unknown; sid:2011985; rev:4; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE DB2 error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"CLI Driver"; fast_pattern:only; pcre:"/CLI Driver.*DB2/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020533; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Fast Flux Rogue Antivirus RunAV"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/RunAV_"; nocase; http_uri; pcre:"/RunAV_\d{3,4}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=giga-protectiona.com; reference:url,www.malwareurl.com/listing.php?domain=protectsystemf.com; reference:url,www.malwareurl.com/listing.php?domain=1cnetantispy.com; reference:url,www.malwareurl.com/listing.php?domain=3gb-scanner.com; classtype:bad-unknown; sid:2011986; rev:3; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE DB2 error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"DB2 SQL error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020534; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious executable download adobe-flash.v"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/adobe-flash.v"; nocase; http_uri; pcre:"/adobe-flash\.v\.\d{5}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=realmultimediaonline.com; classtype:bad-unknown; sid:2011989; rev:2; metadata:created_at 2010_12_01, updated_at 2010_12_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE DB2 error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"bdb2_"; fast_pattern:only; pcre:"/bdb2_\w+\(/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020535; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Rogue AV (installer.xxxx.exe)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/installer."; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/installer\.\d{4}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=scripttoscan.co.cc; classtype:bad-unknown; sid:2011990; rev:4; metadata:created_at 2010_12_01, updated_at 2010_12_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Informix error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception"; content:"Informix"; fast_pattern; pcre:"/Exception.*Informix/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020536; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp any any -> $HOME_NET 21 (msg:"ET FTP ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHEZ)"; flow:established,to_server; content:"HELP "; depth:5; content:"ACIDBITCHEZ"; distance:0; nocase; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url,sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; classtype:trojan-activity; sid:2011994; rev:5; metadata:created_at 2010_12_02, former_category FTP, updated_at 2010_12_02;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Firebird error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Dynamic SQL Error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020537; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious invoice.scr Download Request"; flow:established,to_server; content:"GET"; http_method; content:"|2F|invoice.scr"; nocase; http_uri; pcre:"/\x2Finvoice\x2Escr$/Ui"; classtype:trojan-activity; sid:2011995; rev:4; metadata:created_at 2010_12_02, updated_at 2010_12_02;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Firebird error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Dynamic SQL Error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020538; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DoS.Linux/Elknot.E Checkin"; flow:established,to_server; dsize:401; content:!"|00 00|"; depth:2; content:"|10 27 60 ea|Linux|20|"; offset:4; depth:64; reference:md5,9a2a00f4bba2f3e0b1211a1f0cb48896; classtype:command-and-control; sid:2019171; rev:2; metadata:created_at 2014_09_12, former_category MALWARE, updated_at 2014_09_12;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQLite/JDBCDriver"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020539; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED p2pshare.org Malware Related Activity"; flow:to_server,established; content:"GET"; http_method; content:"Host|3A| p2pshare.org|3A|999"; http_header; classtype:trojan-activity; sid:2012132; rev:6; metadata:created_at 2011_01_04, updated_at 2011_01_04;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQLite.Exception"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020540; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MUROFET/Licat Trojan Checkin Forum"; flow:established,to_server; content:"GET"; http_method; content:!"|0d 0a|Referer|3a|"; nocase; content:"/forum/?"; http_uri; fast_pattern; pcre:"/forum\/\?[0-9a-f]{8}$/U"; reference:md5,531e84b0894a7496479d186712acd7d2; reference:url,extraexploit.blogspot.com/2010/10/some-domains-for-licatmurofettrojanzbot.html; classtype:command-and-control; sid:2012248; rev:5; metadata:created_at 2011_01_29, former_category MALWARE, updated_at 2011_01_29;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"System.Data.SQLite.SQLiteException"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020541; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE USPS Inbound SPAM"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|USPS_Document.zip"; nocase; classtype:trojan-activity; sid:2012276; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"SQLite3|3a 3a|"; fast_pattern; distance:0; pcre:"/Warning.*SQLite3::/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020543; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye HTTP Library Checkin"; flow:established,to_server; content:"POST"; http_method; content:"form-data|3b 20|name=|22|sid|22|"; http_client_body; content:"form-data|3b 20|name=|22|ping|22|"; http_client_body; content:"form-data|3b 20|name=|22|guid|22|"; http_client_body; content:"form-data|3b 20|name=|22|GB|22 3b 20|filename=|22|GB.TXT|22|"; http_client_body; fast_pattern; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:command-and-control; sid:2012279; rev:4; metadata:created_at 2011_02_03, former_category MALWARE, updated_at 2011_02_03;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"[SQLITE_ERROR]"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020544; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Fake AV Scan (AS31252)"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/powersecure_2005-19_ibr8.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=scan.dpowerprotection.com; classtype:trojan-activity; sid:2012302; rev:3; metadata:created_at 2011_02_07, updated_at 2011_02_07;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SAP MaxDB error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQL error"; fast_pattern; content:"POS("; distance:0; pcre:"/SQL error.*POS\([0-9]+\)/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020545; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE IRS Inbound SMTP Malware"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|irs_legalauth-tax_payment_notice_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012319; rev:2; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SAP MaxDB error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"maxdb"; fast_pattern; distance:0; pcre:"/Warning.*maxdb/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020546; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE IRS Inbound SPAM"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|IRS-TaxPaymentNotification"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012320; rev:2; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Sybase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"sybase"; fast_pattern; distance:0; pcre:"/i?Warning.*sybase/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020547; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.cx.cc domain"; flow: to_server,established; content:".cx.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2012321; rev:3; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Sybase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Sybase message"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020548; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE IRS Inbound SPAM variant 3"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|Individual_Income_Tax_Rtrn_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012329; rev:2; metadata:created_at 2011_02_21, updated_at 2011_02_21;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Sybase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Sybase Server message"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020549; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE USPS SPAM Inbound possible spyeye trojan"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|USPS_"; nocase; content:".zip|22|"; nocase; reference:url,www.virustotal.com/file-scan/report.html?id=ed1766eb13cc7f41243dd722baab9973560c999c1489763c0704debebe8f4cb1-1298551066; classtype:trojan-activity; sid:2012388; rev:2; metadata:created_at 2011_02_27, updated_at 2011_02_27;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ingres error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"ingres_"; fast_pattern; distance:0; pcre:"/Warning.*ingres_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020550; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Rogue Antivirus FakePAV"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/firefox_update_2011.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=76.76.102.214; classtype:trojan-activity; sid:2012403; rev:3; metadata:created_at 2011_03_01, updated_at 2011_03_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"sqlite_"; fast_pattern; distance:0; pcre:"/Warning.*sqlite_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020542; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE UPS Inbound bad attachment v.5"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS"; nocase; content:".zip|22|"; nocase; pcre:"/ups(_parcel_delivery-tracking-notice-|-Delivery-Notification-Message_)\S*\.zip/Ui"; classtype:trojan-activity; sid:2012443; rev:2; metadata:created_at 2011_03_09, updated_at 2011_03_09;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ingres error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Ingres SQLSTATE"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020551; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE UPS Inbound bad attachment v.6"; flow:established,to_server; content:"From|3a| |22|United Parcel Service|22|"; nocase; content:"|40|ups.com"; nocase; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|document.zip|22|"; nocase; classtype:trojan-activity; sid:2012444; rev:3; metadata:created_at 2011_03_09, updated_at 2011_03_09;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ingres error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Ingres"; fast_pattern; content:"Driver"; distance:0; pcre:"/Ingres\W.*Driver/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020552; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE Post Express Inbound bad attachment"; flow:established,to_server; content:"Post Express|22|"; nocase; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|Post_Express_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012445; rev:6; metadata:created_at 2011_03_09, updated_at 2011_03_09;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Frontbase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception (condition )"; content:". Transaction rollback."; fast_pattern; distance:0; pcre:"/Exception (condition )\d+\. Transaction rollback\./m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020553; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE DHL Spam Inbound"; flow:established,to_server; content:"|40|dhl.com"; nocase; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012492; rev:2; metadata:created_at 2011_03_12, updated_at 2011_03_12;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE HSQLDB error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"org.hsqldb.jdbc"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020554; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE DHL Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; content:"|22|filename=dhl_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012493; rev:3; metadata:created_at 2011_03_12, updated_at 2011_03_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - Weevely - Downloaded"; flow:established,to_client; file_data; content:"<?php|0A|$"; content:"="; distance:4; within:2; content:" str_replace("; distance:0; classtype:trojan-activity; sid:2020555; rev:2; metadata:created_at 2015_02_24, updated_at 2015_02_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV InstallInternetDefender Download"; flow:established,from_server; content:"attachment|3b 20|filename=|22|InstallInternetDefender_"; nocase; classtype:trojan-activity; sid:2012494; rev:4; metadata:created_at 2011_03_14, updated_at 2011_03_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole Content form tag appended to head"; flow:established,from_server; file_data; content:"document.getElementsByTagName('head').item(0).appendChild(form_tag)|3b|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020561; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_25, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED FakeAV campaign related JavaScript eval document obfuscation"; flow:established,from_server; content:"|20|=|20|eval('docu'+'men'+'t')|3b 0d 0a 0d 0a|"; classtype:trojan-activity; sid:2012495; rev:2; metadata:created_at 2011_03_14, updated_at 2011_03_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole function return value"; flow:established,from_server; file_data; content:"return ((!a) ? 'x-'|3a| a) + Math.floor(Math.random() * 99999|29 3b|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020562; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_25, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Win32 Banker Trojan CheckIn"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"/sys7."; http_uri; fast_pattern; reference:url,www.xandora.net/xangui/malware/view/18e5c43b3d430526e90799e7cc2c3ec8; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FBancos.ZY; classtype:command-and-control; sid:2012521; rev:3; metadata:created_at 2011_03_21, former_category MALWARE, updated_at 2011_03_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole iframe"; flow:established,from_server; file_data; content:".item(0).appendChild(iframe_tag)"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020559; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Zbot Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/trusteer.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=umbralinversiones.com; classtype:trojan-activity; sid:2012537; rev:3; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox and Targetted Watering Holes ActiveX Call"; flow:established,from_server; file_data; content:"var version|3b|var ax|3b|var e|3b|try{axo=new ActiveXObject"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020560; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, signature_severity Major, tag ActiveX, tag DriveBy, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for addons.mozilla.org"; flow:established,from_server; content:"|00 92 39 d5 34 8f 40 d1 69 5a 74 54 70 e1 f2 3f|"; content:"addons.mozilla.org"; within:250; classtype:misc-activity; sid:2012546; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox and Targetted Watering Holes PDF"; flow:established,from_server; file_data; content:"plugin_pdf_ie()"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanboxframework-whos-affected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020558; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for Global Trustee"; flow:established,from_server; content:"|00 d8 f3 5f 4e b7 87 2b 2d ab 06 92 e3 15 38 2f b0|"; classtype:misc-activity; sid:2012547; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 94 65 e5 77 66 3b be 2b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020564; rev:2; metadata:attack_target Client_and_Server, created_at 2015_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.live.com"; flow:established,from_server; content:"|00 b0 b7 13 3e d0 96 f9 b5 6f ae 91 c8 74 bd 3a c0|"; content:"login.live.com"; within:250; classtype:misc-activity; sid:2012548; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 94 65 e5 77 66 3b be 2b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020567; rev:2; metadata:attack_target Client_and_Server, created_at 2015_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.skype.com"; flow:established,from_server; content:"|00 e9 02 8b 95 78 e4 15 dc 1a 71 0a 2b 88 15 44 47|"; content:"login.skype.com"; within:250; classtype:misc-activity; sid:2012549; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET !1433 (msg:"ET MALWARE Unknown Trojan Downloading PE via MSSQL Connection to Non-Standard Port"; flow:from_server,established; flowbits:isset,ET.MSSQL; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,754b48c57a00b7c9f0e0640166ac7bb5; classtype:trojan-activity; sid:2020569; rev:1; metadata:created_at 2015_02_25, updated_at 2015_02_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.yahoo.com 1"; flow:established,from_server; content:"|00 d7 55 8f da f5 f1 10 5b b2 13 28 2b 70 77 29 a3|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012550; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; content:"500 Internal Server Error"; file_data; content:"OLE DB Provider for SQL Server"; fast_pattern:only; pcre:"/SQL Server.*?error \x27[0-9a-f]{8}/mi"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020522; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.yahoo.com 2"; flow:established,from_server; content:"|39 2a 43 4f 0e 07 df 1f 8a a3 05 de 34 e0 c2 29|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012551; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET [1024:7989,7991:] -> $HOME_NET any (msg:"ET DELETED Dropper-497 (Yumato) Status Reply from server"; flow:established,from_server; dsize:4; content:"|32 31 0d 0a|"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:trojan-activity; sid:2007920; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.yahoo.com 3"; flow:established,from_server; content:"|3e 75 ce d4 6b 69 30 21 21 88 30 ae 86 a8 2a 71|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012552; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c5 a5 39 20 2d fb d7 22|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020582; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for mail.google.com"; flow:established,from_server; content:"|04 7e cb e9 fc a5 5f 7b d0 9e ae 36 e1 0c ae 1e|"; content:"mail.google.com"; within:250; classtype:misc-activity; sid:2012553; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Sweet Orange EK Flash Exploit IE March 03 2015"; flow:established,to_server; urilen:>12; content:!".swf"; nocase; http_uri; content:"x-flash-version|3a|"; http_header; fast_pattern; content:".php?"; http_header; pcre:"/\/(?=[a-z0-9]{0,20}[A-Z])(?=[A-Z0-9]{0,20}[a-z])(?=[A-Za-z]{0,20}[0-9])[A-Za-z0-9]{12,20}$/U"; pcre:"/^Referer\x3a[^\r\n]+?\x3a\d+[^\r\n]*?\/[a-z0-9]+\.php\?[a-z0-9]+=\d+(?:\r\n|&)/Hm"; classtype:exploit-kit; sid:2020584; rev:3; metadata:created_at 2015_03_03, former_category EXPLOIT_KIT, updated_at 2015_03_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for www.google.com"; flow:established,from_server; content:"|00 f5 c8 6a f3 61 62 f1 3a 64 f5 4f 6d c9 58 7c 06|"; content:"www.google.com"; within:250; classtype:misc-activity; sid:2012554; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Scam - FakeAV Alert Request March 2 2015"; flow:established,to_server; content:"afid="; http_uri; content:"&sid="; distance:0; http_uri; content:"&Expires="; distance:0; http_uri; content:"&Signature="; distance:0; http_uri; content:"&Key-Pair-Id="; distance:0; http_uri; classtype:social-engineering; sid:2020587; rev:2; metadata:created_at 2015_03_03, updated_at 2015_03_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Malware PatchPathNewS3.dat Request"; flow:established,to_server; content:"/PatchPathNewS3.dat"; nocase; http_uri; classtype:trojan-activity; sid:2012617; rev:5; metadata:created_at 2011_04_01, updated_at 2011_04_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"[Microsoft]"; content:"[ODBC SQL Server Driver]"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020520; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a Malware Related Numerical .cn Domain"; flow:established,to_server; content:"Host|3a| "; http_header; content:".cn|0d 0a|"; within:25; http_header; fast_pattern; pcre:"/Host\x3A\x20[^a-z]*[0-9]{4,30}\x2Ecn\x0D\x0A/Hi"; classtype:misc-activity; sid:2012650; rev:7; metadata:created_at 2011_04_08, updated_at 2011_04_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert www.eshaalfoundation.org"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 06 49 5e 75 fb 3f 44|"; within:35; fast_pattern; content:"|55 04 03|"; content:"|18|www.eshaalfoundation.org"; distance:1; within:25; reference:md5,e36073ba13e2df22348cd624ab0a9fbc; classtype:trojan-activity; sid:2020624; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV BestAntivirus2011 Download"; flow:established,from_server; content:"|3b 20|filename=|22|BestAntivirus20"; nocase; classtype:trojan-activity; sid:2012714; rev:4; metadata:created_at 2011_04_22, updated_at 2011_04_22;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cd 0b f5 0a 93 34 88 77|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020625; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Known Hostile Domain citi-bank.ru Lookup"; content:"|09|citi-bank|02|ru|00|"; nocase; classtype:trojan-activity; sid:2012728; rev:4; metadata:created_at 2011_04_26, updated_at 2011_04_26;)
+#alert tcp !$SMTP_SERVERS any -> !$HOME_NET 587 (msg:"ET POLICY Outbound SMTP on port 587"; flow:established; content:"mail from|3a|"; nocase; threshold: type limit, track by_src, count 1, seconds 60; reference:url,doc.emergingthreats.net/2003864; classtype:misc-activity; sid:2003864; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin"; flow:to_server,established; content:"|20|HTTP|2f|1|2e|1|0d 0a|User-Agent|3a 20|"; fast_pattern; content:"|0d 0a|Host|3a 20|"; within:13; content:"|3a|8080|0d 0a|Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; http_header; pcre:"/User-Agent\x3a\x20[a-z]{3,4}\x0d\x0a/H"; reference:md5,014945cf93ffc94833f7a3efd92fe263; classtype:command-and-control; sid:2012736; rev:9; metadata:created_at 2011_04_28, former_category MALWARE, updated_at 2011_04_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED WhenUClick.com Desktop Bar App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=desktop"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2001443; classtype:policy-violation; sid:2001443; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Malicious Facebook Javascript"; flow:established,to_client; content:"eval|28|function|28|p,a,c,k,e,"; nocase; content:"replace|28|newRegExp|28|"; nocase; distance:0; content:"SocialGraphManager"; fast_pattern; nocase; distance:0; reference:url,blog.trendmicro.com/dubious-javascript-code-found-in-facebook-application/; classtype:bad-unknown; sid:2012812; rev:4; metadata:created_at 2011_05_17, updated_at 2011_05_17;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b0 11 9a 92 44 f0 ee 1a|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020647; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TDSS Trojan GET with xxxx_ string"; flow:established,to_server; content:"/xxxx_"; http_uri; pcre:"/\/xxxx_\d+\//U"; classtype:trojan-activity; sid:2012918; rev:4; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible malicious Office doc hidden in XML file"; flow:established,from_server; file_data; content:"<?xml"; within:5; content:"<?mso-application progid=|22|Word.Document|22|?>"; nocase; distance:0; content:"macrosPresent=|22|yes|22|"; distance:0; fast_pattern; reference:url,trustwave.com/Resources/SpiderLabs-Blog/Attackers-concealing-malicious-macros-in-XML-files/; classtype:trojan-activity; sid:2020657; rev:2; metadata:created_at 2015_03_10, updated_at 2015_03_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV Gemini - JavaScript Redirection To Scanning Page"; flow:established,to_client; content:"|28|navigator.appVersion.indexof|28 22|Mac|22 29|!=-1|29|"; nocase; content:"window.location="; nocase; within:17; classtype:bad-unknown; sid:2011917; rev:4; metadata:created_at 2010_11_10, updated_at 2010_11_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Firefox Plug-In Download"; flow:to_client,established; file_data; content:"PK|03 04|"; distance:0; content:"/addon-sdk/"; content:"|00 00|resources|2f|numberchangerfirefox|2f|PK"; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020653; rev:3; metadata:created_at 2015_03_09, updated_at 2015_03_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV CryptMEN - Random Named DeObfuscation JavaScript File Download"; flow:established,from_server; content:"encrypt|3a| function|28|m, e, n|29|"; depth:64; classtype:bad-unknown; sid:2011922; rev:5; metadata:created_at 2010_11_11, updated_at 2010_11_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Redkit URI Struct Flowbit"; flow:established,to_server; content:".htm"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]{4}\.html?(\?[h-j]=\d+)?$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:exploit-kit; sid:2016589; rev:8; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED p2pshares.org Related Malware"; flow:to_server,established; content:"GET"; http_method; content:"Host|3A| p2pshares.org|3A|"; http_header; classtype:trojan-activity; sid:2012177; rev:6; metadata:created_at 2011_01_13, updated_at 2011_01_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RedKit /h***.htm(l) Landing Page - Set"; flow:established,to_server; urilen:8<>11; content:"/h"; depth:2; http_uri; pcre:"/^\/h[a-z]{3}\.html?$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:exploit-kit; sid:2015927; rev:4; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible CVE-2011-2110 Flash Exploit Campaign Log.txt Request"; flow:established,to_server; content:"GET"; http_method; content:"/log.txt"; http_uri; content:"|2E|swf?info=02"; http_header; reference:cve,2011-2110; reference:url,blog.fireeye.com/research/2011/06/old-wine-in-a-new-bottle.html; classtype:trojan-activity; sid:2013113; rev:4; metadata:created_at 2011_06_24, updated_at 2011_06_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED RedKit - Landing Page Received - applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.redkit.uri; file_data; content:"<applet"; classtype:exploit-kit; sid:2014917; rev:4; metadata:created_at 2012_06_19, updated_at 2012_06_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Ponmocup C2 Malware Update before fake JPEG download"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/shopping3.cgi?a="; nocase; http_uri; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013179; rev:9; metadata:created_at 2011_07_04, updated_at 2011_07_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RedKit - Landing Page Requested - 8Digit.html"; flow:established,to_server; urilen:14; content:".html"; http_uri; pcre:"/^\/[0-9]{8}\.html$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:exploit-kit; sid:2014916; rev:3; metadata:created_at 2012_06_19, updated_at 2012_06_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Ponmocup C2 Malware Update after fake JPEG download"; flow:established,to_server; content:"/cgi-bin/unshopping3.cgi?b="; nocase; http_uri; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013180; rev:10; metadata:created_at 2011_07_04, updated_at 2011_07_04;)
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 03|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020634; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Known Facebook Iframe Phishing Attempt"; flow:established,to_client; content:"FB.IframeUtil.CanvasUtil"; nocase; content:"iframe_canvas"; nocase; distance:0; content:"action=|5C 22|http|3A|"; nocase; distance:0; content:"canvas_iframe_post"; nocase; distance:0; content:"onsubmit="; nocase; distance:0; reference:url,www.f-secure.com/weblog/archives/00002196.html; classtype:bad-unknown; sid:2013183; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_07_04, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 06|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020635; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Dropper HTTP POST Check-in"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| NSIS_InetLoad (Mozilla)"; http_header; content:"spill&a="; http_client_body; reference:url,www.mywot.com/en/forum/13816-clickjacking-scam-spreading-on-facebook; classtype:trojan-activity; sid:2013189; rev:3; metadata:created_at 2011_07_05, updated_at 2011_07_05;)
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 08|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020636; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET WEB_CLIENT Nuclear landing with obfuscated plugindetect Apr 29 2013"; flow:established,from_server; file_data; content:"visibility|3a|hidden"; pcre:"/(?P<e>\d{2})(?P<t>(?!(?P=e))\d{2})(?P=e)\d{2}(?P=t)\d{6}(?P=e)\d{12}(?P<q>(?!((?P=e)|(?P=t)))\d{2})\d{2}(?P<dot>(?!((?P=e)|(?P=t)|(?P=q)))\d{2})\d{2}(?P=dot)\d{2}(?P=q)/R"; classtype:trojan-activity; sid:2016801; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 0E|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020637; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED PHP Remote File Inclusion (monster list http)"; flow:established,to_server; content:".php"; nocase; http_uri; content:"http"; nocase; http_uri;  pcre:"/\.php.+?(?:c(?:(?:onfi|f)g|alendar)|p(?:a(?:ge|th)|rog)|l(?:ang(uage)?|ib)|f(?:older|ile|ad)|d(?:omain|ir|f)|s(?:ettings|bp)|a(?:genda|uth)|i(?:con|ncl|d)|n(?:ame|ews)|r(?:oot|f)|gallery|type|ext|mod|[a-z](\[.*\])+?)\s*=\s*https?/Ui"; reference:url,www.sans.org/top20/; reference:url,doc.emergingthreats.net/2002997; classtype:web-application-attack; sid:2002997; rev:12; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET DELETED FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020658; rev:3; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Known in Wild Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Attempt"; flow:established,to_client; content:"TTu0d0fu0d0eKKJJu0d0du0d0dLL1043416UU"; reference:url,labs.m86security.com/2011/06/0-day-exploit-used-in-a-targeted-attack-cve-2011-1255/; reference:bid,48206; reference:cve,2011-1255; classtype:attempted-user; sid:2013251; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 19|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020661; rev:3; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query for Known Hostile Domain gooqlepics com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|gooqlepics|03|com|00|"; reference:url,blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html; classtype:bad-unknown; sid:2013328; rev:4; metadata:created_at 2011_07_27, updated_at 2011_07_27;)
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 11|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020673; rev:3; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTran/SensLiceld.A response to infected host"; flow:established,from_server; dsize:<80; content:"|5b|SERVER|5d|connection|20|to|20|"; depth:22; reference:url,www.secureworks.com/research/threats/htran/; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-120716-4344-99&tabid=2; reference:url,www.securelist.com/en/descriptions/10120120/Trojan-Spy.Win32.Agent.bptu; classtype:trojan-activity; sid:2013361; rev:5; metadata:created_at 2011_08_05, updated_at 2011_08_05;)
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 17|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020675; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTran/SensLiceld.A Checkin 2 (unicode)"; flow:established,from_server; dsize:<120; content:"|5b00|S|00|E|00|R|00|V|00|E|00|R|005d00|c|00|o|00|n|00|n|00|e|00|c|00|t|00|i|00|o|00|n|002000|t|00|o|002000|"; depth:44; reference:url,www.secureworks.com/research/threats/htran/; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-120716-4344-99&tabid=2; reference:url,www.securelist.com/en/descriptions/10120120/Trojan-Spy.Win32.Agent.bptu; classtype:command-and-control; sid:2013362; rev:7; metadata:created_at 2011_08_05, former_category MALWARE, updated_at 2011_08_05;)
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 19|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020676; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE windows_security_update Fake AV download"; flow:established,from_server; content:"|0d 0a 0d 0a|"; content:"filename=|22|windows_security_update_"; distance:0; classtype:trojan-activity; sid:2013364; rev:7; metadata:created_at 2011_08_05, updated_at 2011_08_05;)
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 26|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020677; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV Landing Page Checking firewall status"; flow:established,from_server; content:"|5c|r|5c|n Checking firewall status|5c|r|5c|n"; classtype:command-and-control; sid:2013413; rev:3; metadata:created_at 2011_08_16, former_category MALWARE, updated_at 2011_08_16;)
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 27|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020678; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Morto Worm Rar Download"; flow:established,to_server; content:"GET /160.rar HTTP"; depth:17; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:trojan-activity; sid:2013517; rev:4; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 28|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020679; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32/Bifrose Second Stage Obfuscated Binary Download Claiming to Be JPEG"; flow:established,to_client; content:"Content-Type|3A 20|image/jpeg"; http_header; file_data; content:"|54 48 00 F7 20 10 72 6F 67 52|"; content:"|61 6E 6E 4F 1D A4 62 05 20 72 75 4E 49 ED 6E 40 44 4F 53|"; fast_pattern; within:50; classtype:trojan-activity; sid:2013796; rev:7; metadata:created_at 2011_10_24, updated_at 2011_10_24;)
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 29|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020680; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-alert udp any 53 -> $DNS_SERVERS any (msg:"ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) to google.com.br possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; content:"|06|google|03|com|02|br|00|"; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; classtype:bad-unknown; sid:2013894; rev:5; metadata:created_at 2011_11_10, updated_at 2011_11_10;)
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 2A|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020681; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ZeuS estatements mailing campaign landing page"; flow:established,to_server; content:"/estatements/stetement_id."; http_uri; pcre:"/\/stetement_id\.\d+\//U"; classtype:trojan-activity; sid:2013908; rev:3; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 2B|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020682; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ZeuS estatements fake transaction page flash warning"; flow:established,from_server; content:"&nbsp|3b|Notification of Incompatibility</font></strong></font></td>"; content:">Your version of Macromedia Flash Player is too old to continue. <a href="; classtype:trojan-activity; sid:2013909; rev:3; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 0B|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020672; rev:5; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely CryptMEN FakeAV Download vclean"; flow:established,from_server; content:"filename=|22|vclean"; nocase; http_header; content:".exe"; nocase; http_header; within:20; classtype:trojan-activity; sid:2014028; rev:3; metadata:created_at 2011_12_15, updated_at 2011_12_15;)
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 14|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020674; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious executable download possible Trojan NgrBot"; flow:established,to_server; content:"GET"; http_method; content:"/adobe-flash.exe"; http_uri; classtype:bad-unknown; sid:2014150; rev:3; metadata:created_at 2012_01_26, updated_at 2012_01_26;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c5 a3 08 37 22 97 2f 50|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020687; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Windows Media component specific exploit"; flow:established,to_client; content:"bang()"; content:"cloned"; distance:0; content:"unescape(|22|%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c|22|)"; distance:0; reference:cve,2012-0003; classtype:attempted-user; sid:2014156; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d7 2b 72 5e 83 81 97 47|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020688; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip"; flow:established,to_server; content:"setup."; fast_pattern:only; http_uri; content:".in|0d 0a|"; http_header; pcre:"/\/[a-f0-9]{16}\/([a-z0-9]{1,3}\/)?setup\.(exe|zip)$/U"; pcre:"/^Host\x3a\s.+\.in\r?$/Hmi"; reference:url,isc.sans.edu/diary/+Vulnerabilityqueerprocessbrittleness/13501; classtype:trojan-activity; sid:2014929; rev:3; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2017_12_11;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a7 90 ac fd cd 02 3c 0d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020689; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN ClickCounter Connectivity Check"; flow:established,to_server; content:" clickme=1|0d 0a|"; http_header; content:"clickme=1"; http_cookie; classtype:trojan-activity; sid:2014172; rev:3; metadata:created_at 2012_01_31, updated_at 2012_01_31;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c9 a9 58 45 25 d7 de 84|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020697; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Win32/Cridex.B Self Signed SSL Certificate (root@ks310208.kimsufi.com)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"root@ks310208.kimsufi.com"; content:"SomeOrganizationalUnit1"; classtype:trojan-activity; sid:2014240; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK March 16 2015"; flow:established,to_server; urilen:51<>61; content:"/a"; http_uri; depth:2; pcre:"/^\/a[a-z]{9,}\/[a-f0-9]{40}$/U"; pcre:"/^GET \/(?P<name>a[a-z]{9,})\/.+?\r\nHost\x3a\x20(?P=name)\./sm"; classtype:exploit-kit; sid:2020698; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_03_16, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TDS Trojan Stream request /stream?"; flow:established,to_server; urilen:9; content:"/stream?"; http_uri; pcre:"/^\/stream\?\d$/U"; classtype:bad-unknown; sid:2014242; rev:6; metadata:created_at 2012_02_20, updated_at 2012_02_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Office RTF Stack Buffer Overflow"; flow:from_server,established; file_data; content:"|7b 5c|rt"; within:4; flowbits:set,ETPRO.RTF; flowbits:noalert; reference:cve,2010-3333; classtype:misc-activity; sid:2020699; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_03_16, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/DarkComet Second Stage Download Request"; flow:established,to_server; content:"GET"; http_method; content:"/Update/Update.bin"; http_uri; reference:url,blog.trendmicro.com/darkcomet-surfaced-in-the-targeted-attacks-in-syrian-conflict/; classtype:trojan-activity; sid:2014273; rev:3; metadata:created_at 2012_02_24, updated_at 2012_02_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT MWI Maldoc Exploit Kit Stats Callout"; flow:established,from_server; flowbits:isset,ETPRO.RTF; file_data; content:"INCLUDEPICTURE "; pcre:"/^\s*?[\x22\x27][^\x22\x27]+\.php\?id=\d+[\x22\x27]/Rs"; classtype:exploit-kit; sid:2020700; rev:2; metadata:created_at 2015_03_16, former_category EXPLOIT_KIT, updated_at 2015_03_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED OSX/Flashback Checkin via Twitter Hashtag Pepbyfadxeoa"; flow:established,to_server; content:"/searches?q=#pepbyfadxeoa"; fast_pattern; http_uri; content:"Host|3A 20|mobile.twitter.com|0d 0a|"; http_header; reference:url,blog.intego.com/flashback-mac-malware-uses-twitter-as-command-and-control-center/; classtype:trojan-activity; sid:2014333; rev:4; metadata:created_at 2012_03_07, updated_at 2012_03_07;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query Sinkhole Domain Various Families (Possible Infected Host)"; content:"|00 01 00 00 00 00 00 00|"; depth:8; offset:4; content:"|0f|torpig-sinkhole|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.sysenter-honeynet.org/?p=269; classtype:bad-unknown; sid:2015813; rev:7; metadata:created_at 2012_10_18, updated_at 2012_10_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Malformed MP4 Remote Code Execution Attempt"; flow:established,to_client; content:"|66 74 79 70 6D 70 34|"; content:"|01 6D 70 34 32 69 73 6F 6D|"; distance:0; content:"|63 70 72 74 00 FF FF FF|"; distance:0; reference:url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html; reference:bid,52034; reference:cve,2012-0754; classtype:attempted-user; sid:2014335; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_03_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [9200,9292] (msg:"ET WEB_SERVER Possible CVE-2015-1427 Elastic Search Sandbox Escape Remote Code Execution Attempt"; flow:established,to_server; content:"POST /"; depth:6; content:"search"; distance:0; content:"script_fields"; distance:0; nocase; content:".class.forName"; nocase; distance:0; content:"java.lang.Runtime"; nocase; distance:0; reference:url,jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427; classtype:attempted-admin; sid:2020648; rev:2; metadata:created_at 2015_03_09, updated_at 2015_03_09;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Banload Trojan Downloader Dropped Binary"; flow:established,to_client; content:"C|00|o|00|m|00|p|00|a|00|n|00|y|00|N|00|a|00|m|00|e|00|"; content:"m|00|i|00|l|00|k|00|"; fast_pattern; within:30; content:"I|00|n|00|t|00|e|00|r|00|n|00|a|00|l|00|N|00|a|00|m|00|e|00|"; distance:0; content:"m|00|i|00|l|00|k|00|"; within:30; content:"L|00|e|00|g|00|a|00|l|00|C|00|o|00|p|00|y|00|r|00|i|00|g|00|h|00|t|00|"; distance:0; content:"m|00|i|00|l|00|k|00|"; within:30; reference:md5,31bb4e0d67a5af96d5b5691966e25d73; classtype:trojan-activity; sid:2014367; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_13, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Exploit Kit Delivering Office File to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; fast_pattern; content:!".msi"; content:!".img"; content:!"This program cannot"; classtype:exploit-kit; sid:2014099; rev:6; metadata:created_at 2012_01_04, former_category EXPLOIT_KIT, updated_at 2012_01_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV Landing Page - Initializing Protection System"; flow:established,from_server; content:">Initializing Protection System...</"; fast_pattern; content:">System Tasks</"; distance:0; classtype:trojan-activity; sid:2014437; rev:6; metadata:created_at 2012_03_28, updated_at 2012_03_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing March 20 2015"; flow:established,from_server; file_data; content:"function iu7("; content:"ji2"; within:100; pcre:"/^\W/R"; content:"hu2"; pcre:"/^\W/R"; classtype:exploit-kit; sid:2020725; rev:2; metadata:created_at 2015_03_21, updated_at 2015_03_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a known malware domain (regicsgf.net)"; flow: to_server,established; content:"regicsgf.net|0D 0A|"; http_header; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014570; rev:6; metadata:created_at 2012_04_16, updated_at 2012_04_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing March 20 2015 M2"; flow:established,from_server; file_data; content:"|22 29 3b 2f 2a|"; pcre:"/^[^\x2a]+\x2a\x2f(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?(?P<arg>[a-z0-9]{3,})(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?\x28[^\x29]+\x29\x3b\x2f\x2a[^\x2a]+\x2a\x2f(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?(?P=arg)(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?\x28/R"; classtype:exploit-kit; sid:2020726; rev:2; metadata:created_at 2015_03_23, updated_at 2015_03_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a a known malware domain (sektori. org)"; flow: to_server,established; content:"sektori.org|0D 0A|"; http_header; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014571; rev:6; metadata:created_at 2012_04_16, former_category TROJAN, updated_at 2018_01_02;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux.DDoS Checkin"; flow:established,to_server; dsize:1024; content:"VERSONEX|3a|"; depth:9; content:"|7c|Hacker|00 00 00|"; distance:0; reference:md5,0eab12cebbf1c8f25d82c65f34aab9d7; classtype:command-and-control; sid:2019172; rev:4; metadata:created_at 2014_08_19, former_category MALWARE, updated_at 2014_08_19;)
 
-#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET INFO RuggedCom Banner with MAC"; flow:to_client,established; content:"Rugged Operating System"; content:"Copyright |28|c|29| RuggedCom"; distance:0; content:"MAC Address|3A|"; distance:0; flowbits:set,ET.RUGGED.BANNER; reference:url,www.exploit-db.com/exploits/18779/; reference:url,arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars; classtype:attempted-admin; sid:2014645; rev:3; metadata:created_at 2012_04_28, former_category INFO, updated_at 2012_04_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf 74 65 6a f0 91 13 26|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020735; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Backdoor.BAT.Agent.W User Botnet"; flow:established,to_server; content:"USER botnet"; reference:md5,fc7059ec1e3e86fd0a664c3747f09725; classtype:trojan-activity; sid:2014700; rev:3; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Win32.Hyteod.acox Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|su|00|"; distance:53; within:4; content:"|32|"; distance:-55; within:1; pcre:"/^[a-z0-9]{50}/R"; threshold: type both, track by_src, count 3, seconds 60; classtype:trojan-activity; sid:2020741; rev:1; metadata:created_at 2015_03_25, updated_at 2015_03_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/HupigonUser.Backdoor Rabclib UA Checkin"; flow:established,to_server; content:".txt"; http_uri; content:"User-Agent|3A 20|RAbcLib|0D 0A|"; http_header; reference:md5,65467e7ff3140f42f4758eca7b76185c; classtype:command-and-control; sid:2014755; rev:4; metadata:created_at 2012_05_17, former_category MALWARE, updated_at 2012_05_17;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Win32.Hyteod.acox Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ru|00|"; distance:53; within:4; content:"|32|"; distance:-55; within:1; pcre:"/^[a-z0-9]{50}/R"; threshold: type both, track by_src, count 3, seconds 60; classtype:trojan-activity; sid:2020742; rev:1; metadata:created_at 2015_03_25, updated_at 2015_03_25;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dakotavolandos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|dakotavolandos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:command-and-control; sid:2014859; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HanJuan EK Landing March 24 2015 M1"; flow:established,from_server; file_data; content:"document.createElement|28|"; pcre:"/^\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]/R"; content:"/g,|27 27|).substr|28|"; fast_pattern; within:14; pcre:"/^\s*?\d+,\s*?\d/R"; classtype:exploit-kit; sid:2020743; rev:3; metadata:created_at 2015_03_25, updated_at 2015_03_25;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dak1otavola1ndos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dak1otavola1ndos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:command-and-control; sid:2014860; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HanJuan EK Landing March 24 2015 M2"; flow:established,from_server; file_data; content:"document.createElement|28|"; pcre:"/^\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]/R"; content:"/g,|22 22|).substr|28|"; fast_pattern; within:14; pcre:"/^\s*?\d+,\s*?\d/R"; classtype:exploit-kit; sid:2020744; rev:3; metadata:created_at 2015_03_25, updated_at 2015_03_25;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dako22tavol2andos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|dako22tavol2andos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:command-and-control; sid:2014861; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unauthorized SSL Cert for Google Domains"; flow:established,from_server; content:"|55 04 0a|"; content:"|0a|MCSHOLDING"; distance:1; within:11; reference:url,googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html; classtype:trojan-activity; sid:2020736; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_03_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - d3akotav33olandos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|d3akotav33olandos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:command-and-control; sid:2014862; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d5 72 08 75 83 27 6f ba|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020745; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - d4ak4otavolandos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|d4ak4otavolandos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:command-and-control; sid:2014863; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect"; flow:from_server,established; file_data; content:"misc_addons_detect.hasSilverlight"; classtype:trojan-activity; sid:2017810; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_06, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SQL MySQL mysql.user Dump (Used in Metasploit Auth-Bypass Module)"; flow:established,to_server; content:"SELECT|20|user|2c|password|20|from|20|mysql|2e|user"; classtype:bad-unknown; sid:2014910; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_06_16, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect 2"; flow:from_server,established; file_data; content:"var os_name|3b|"; content:"var os_vendor|3b|"; content:"var os_device|3b|"; content:"var os_flavor|3b|"; classtype:trojan-activity; sid:2020755; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_26, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Googlebot User-Agent Outbound (likely malicious)"; flow:to_server,established; content:"Googlebot"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*?Googlebot/Hmi"; classtype:bad-unknown; sid:2015529; rev:4; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Proxy Prototype RCE Attempt (CVE-2014-8636)"; flow:from_server,established; file_data; content:"chrome|3a 2f 2f|"; nocase; content:"open"; nocase; pcre:"/^\s*?\(\s*?[\x22\x27]chrome\x3a\/\//Ri"; content:"messageManager.loadFrameScript"; nocase; content:"Proxy.create"; nocase; reference:url,community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636; reference:cve,2014-8636; classtype:attempted-user; sid:2020756; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_03_26, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to RunForestRun DGA Domain 16-alpha.waw.pl"; flow:established,to_server; content:".waw.pl|0D 0A|"; nocase; http_header; pcre:"/^Host\x3a\s[^\r\n]+?\.[abedgfihkmlonqpsruwvyxz]{16}\.waw\.pl\r$/Hmi"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015530; rev:5; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ac 19 e6 fb 11 28 a2 20|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020802; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to RunForestRun DGA Domain 16-alpha.waw.pl"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|"; distance:0; content:"|03|waw|02|pl|00|"; fast_pattern; within:24; nocase; pcre:"/\x10[abedgfihkmlonqpsruwvyxz]{16}\x03waw\x02pl\x00/i"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015531; rev:4; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK JAR URI Struct Nov 05 2013"; flow:established,to_server; content:"/14"; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; pcre:"/\/14\d{8}(?:\.jar)?$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017666; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Karagany checkin (sid5 1)"; flow:to_server,established; content:"?f="; http_uri; content:"&t="; http_uri; content:"&sid5="; http_uri; fast_pattern; content:!"Accept|3a| "; http_header; classtype:command-and-control; sid:2015533; rev:4; metadata:created_at 2012_07_27, former_category MALWARE, updated_at 2012_07_27;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive CnC Beacon 1"; flow:established,to_server; content:"==gKg5XI+BmK"; depth:12; reference:md5,11657162940dcc1c124e607b0f248039; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020807; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_03_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Karagany checkin (sid5 2)"; flow:to_server,established; content:"?mode="; http_uri; content:"&f="; http_uri; content:"&sid5="; http_uri; fast_pattern; content:!"Accept|3a| "; http_header; classtype:command-and-control; sid:2015534; rev:4; metadata:created_at 2012_07_27, former_category MALWARE, updated_at 2012_07_27;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive CnC Beacon 2"; flow:established,to_server; content:"|3C 2A 60|"; depth:3; fast_pattern; content:"|60 2A 3E|"; distance:0; pcre:"/^\x3c\x2a\x60[\x20-\x7e]+\x60\x2a\x3e$/"; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020808; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_03_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Cridex checkin"; flow:established,to_server; content:"POST"; http_method; content:"/mx5/B/in/"; http_uri; reference:url,blog.webroot.com/2012/07/13/spamvertised-american-airlines-themed-emails-lead-to-black-hole-exploit-kit/; reference:url,stopmalvertising.com/rootkits/analysis-of-cridex.html; classtype:command-and-control; sid:2015546; rev:5; metadata:created_at 2012_07_31, former_category MALWARE, updated_at 2012_07_31;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive CnC Beacon 3"; flow:established,to_server; content:">Explosive"; offset:4; depth:10; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020809; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_03_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa 95 9f e1 a6 33 7b d9|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,edefcbba2944872f31454fcb98802488; classtype:trojan-activity; sid:2019173; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 2 2015"; flow:established,to_server; content:"GET"; http_method; urilen:12; content:"/8u5_cb06/?"; depth:11; http_uri; classtype:exploit-kit; sid:2020832; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_04_02, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Astrum EK Landing"; flow:established,from_server; file_data; content:"|7b 72 65 74 75 72 6e 20 75 6e 65 73 63 61 70 65|"; content:"|3e 3e 38 26 32 35 35 29 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 32 3a|"; content:"|29 5e 32 35 35 26|"; classtype:exploit-kit; sid:2019130; rev:3; metadata:created_at 2014_09_08, former_category CURRENT_EVENTS, updated_at 2014_09_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET MALWARE IRC Bot dropped by Mikey Variant CnC Beacon"; flow:established,to_server; content:"["; content:"]"; distance:0; content:"["; distance:0; content:"]"; distance:0; content:"|0d 0a|NICK|20|"; pcre:"/^[a-z0-9]+\[\d+\]/R"; content:"-"; distance:0; content:"["; distance:0; pcre:"/^\d+\]\r\n$/R"; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:command-and-control; sid:2020836; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_04_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Astrum EK Landing"; flow:established,from_server; file_data; content:"%65%64%6f%43%72%61%68%43%6d%6f%72%66"; content:"%74%41%65%64%6f%43%72%61%68%63"; classtype:exploit-kit; sid:2019131; rev:6; metadata:created_at 2014_09_08, former_category CURRENT_EVENTS, updated_at 2014_09_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.Exploit; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/^[a-z0-9]*\r\n/HR"; file_data; content:"ZWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2019845; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Hupigon CnC Data Post (variant abb)"; flow:established,to_server; dsize:>200; content:"Windows "; content:"Service Pack "; distance:0; content:"HACK|00 00|"; fast_pattern; distance:100; reference:url,doc.emergingthreats.net/2008042; classtype:command-and-control; sid:2008042; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.Exploit; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/^[a-z0-9]*\r\n/HR"; file_data; content:"CWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2019846; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 8c bf 77 7c 33 77 06|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5dd6e69b1e9049f295e314b523679d98; classtype:trojan-activity; sid:2019178; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Payload"; flow:established,from_server; flowbits:isset,et.Nuclear.Payload; content:"application/octet-stream"; http_header; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/filename=[a-z0-9]*\r\n/H"; classtype:exploit-kit; sid:2019873; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malvertising Leading to EK Aug 19 2014 M4"; flow:established,from_server; content:"Server|3a 20|nginx|0d 0a|"; http_header; content:"X-Powered-By|3a 20|PHP"; http_header; content:"text/javascript"; http_header; file_data; content:"if|28|[removed].indexOf|28|"; within:27; fast_pattern; pcre:"/^\s*?[\x22\x27](?P<var>[^\x22\x27]+)[\x22\x27]\s*?\x29\s*?==\s*?-1\x29\x7b[^\r\n]*?document\.cookie\s*?=\s*?[\x22\x27](?P=var)\s*?\x3d\s*?[^\r\n]+?[\r\n]*?$/Rsi"; content:"iframe"; content:"top"; pcre:"/^\s*?[\x3a\x3d]\s*?[\x22\x27]?\-/Rsi"; content:"left"; pcre:"/^\s*?[\x3a\x3d]\s*?[\x22\x27]?\-/Rsi"; classtype:exploit-kit; sid:2019180; rev:3; metadata:created_at 2014_09_16, former_category CURRENT_EVENTS, updated_at 2014_09_16;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Java Web Start Command Injection (.jar)"; flow:established,from_server; content:"http|3a| -J-jar -J|5C 5C 5C 5C|"; nocase; content:".launch("; nocase; pcre:"/http\x3a -J-jar -J\x5C\x5C\x5C\x5C\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x5C\x5C[^\n]*\.jar/i"; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,doc.emergingthreats.net/2011698; classtype:web-application-attack; sid:2011698; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Silverlight Based Redirect"; flow:established,from_server; file_data; content:"AppManifest.xamlPK"; fast_pattern:only; content:"iframe.dllPK"; classtype:exploit-kit; sid:2019184; rev:3; metadata:created_at 2014_09_16, former_category CURRENT_EVENTS, updated_at 2014_09_16;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL (Linux) Database Privilege Elevation (Exploit Specific)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"select |27|TYPE=TRIGGERS|27| into outfile|27|"; nocase; pcre:"/\s*?\/.+?\.TRG\x27\s*?LINES TERMINATED BY \x27\x5fntriggers=/Ri"; content:"CREATE DEFINER=|60|root|60|@|60|localhost|60|"; nocase; distance:0; pcre:"/\s+?trigger\s+?[^\x20]+?\s+?after\s+?insert\s+?on\s+?/Ri"; content:"UPDATE mysql.user"; nocase; fast_pattern:only; reference:cve,2012-5613; reference:url,seclists.org/fulldisclosure/2012/Dec/6; classtype:attempted-user; sid:2015992; rev:7; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Page Feb 24 2014"; flow:from_server,established; file_data; content:"AgControl.AgControl"; nocase; fast_pattern:only; content:"parseInt"; nocase; content:"32"; pcre:"/^\W/R"; content:"63"; nocase; within:100; pcre:"/^\W/R"; content:"if"; distance:-200; within:200; nocase; pcre:"/^(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?\((?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?(?P<vname>[^\s>=]+)(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?<(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?32\b.{0,200}(?P=vname)(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?\x3d(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?63\b.{1,200}\+=.{0,200}\((?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?(?P=vname)/Rsi"; classtype:exploit-kit; sid:2018171; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3460 (msg:"ET MALWARE PoisonIvy Key Exchange with CnC Init"; flow:established,to_server; dsize:256; flowbits:set,ET.Poison1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008380; classtype:command-and-control; sid:2008380; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e8 66 93 12 61 52 ba b4|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|Zatusim.com"; distance:1; within:12; reference:md5,2f52d3921613b2fe06c9eb9051d45e60; classtype:trojan-activity; sid:2019186; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 3460 -> $HOME_NET any (msg:"ET MALWARE PoisonIvy Key Exchange with CnC Response"; flow:established,from_server; dsize:256; flowbits:isset,ET.Poison1; reference:url,doc.emergingthreats.net/2008381; classtype:command-and-control; sid:2008381; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Nov 05 2013"; flow:established,to_server; content:"/f/"; http_uri; depth:3; pcre:"/^\/f(?:\/[^\x2f]+)?\/14\d{8}(?:\/\d{9,10})?(?:\/\d)+(?:\/x[a-f0-9]+(?:\x3b\d)+?)?$/U"; classtype:exploit-kit; sid:2017667; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_05, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PoisonIvy RAT/Backdoor follow on POST Data PUSH Packet"; flow:established,to_server; flags:AP,12; content:"op="; nocase; content:"&servidor="; nocase; content:"&senha="; nocase; content:"&usuario="; nocase; content:"&base="; nocase; content:"&sgdb="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPoisonivy.I&ThreatID=-2147363597; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=133781; reference:url,doc.emergingthreats.net/2009806; classtype:trojan-activity; sid:2009806; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO WebSocket Session Initiation Request"; flow:established,to_server; flowbits:set,ETPRO.WebSocket.Request; content:"Connection|3a 20|Upgrade|0d 0a|"; fast_pattern; nocase; content:"Upgrade|3a 20|websocket|0d 0a|"; reference:url,tools.ietf.org/html/rfc6455; classtype:policy-violation; sid:2036219; rev:2; metadata:created_at 2014_09_17, former_category POLICY, updated_at 2014_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Chorns/PoisonIvy related Backdoor Initial Connection"; flow:established; dsize:12; content:"/FIRSTINF/|0d0a|"; reference:url,doc.emergingthreats.net/2010344; reference:md5,9fbd691ffdb797cebe8761006b26b572; classtype:trojan-activity; sid:2010344; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 Sept 17 2014"; flow:established,from_server; file_data; content:"|76 5c 3a 2a 7b 62 65 68 61 76 69 6f 72 3a 75 72 6c 28 23 64 65 66 61 75 6c 74 23 56 4d 4c 29 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d|"; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 75 6e 65 73 63 61 70 65 28|"; distance:0; content:"|3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 62 6c 61 63 6b|"; distance:0; classtype:exploit-kit; sid:2019188; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_17, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Chorns/PoisonIvy related Backdoor Keep Alive"; flow:established; dsize:12; content:"/AVAILABL/|0d0a|"; reference:url,doc.emergingthreats.net/2010345; reference:md5,9fbd691ffdb797cebe8761006b26b572; classtype:trojan-activity; sid:2010345; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 URI Struct Sept 17 2014"; flow:established,to_server; content:"/14"; http_uri; content:".htm"; http_uri; distance:8; within:4; pcre:"/^\/[a-z0-9]+?(?:\/\d)?\/14\d{8}\.htm$/U"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-f0-9A-Z\_\-]{14,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019189; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_18, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.2013Jan04 victim beacon"; flow:established,to_server; dsize:48; content:"|1e de 5c f1 1f f6 94 12 d1 fa f1 42 8c fe 8d f7|"; offset:16; depth:16; reference:md5,62f20326e0f08c0786df6886f0427ea7; classtype:trojan-activity; sid:2016167; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_05, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Major, tag PoisonIvy, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent Traffic"; flow: established; content:"|0000400907000000|"; depth:8; threshold: type limit, count 1, seconds 120, track by_src; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000357; classtype:policy-violation; sid:2000357; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PoisonIvy.2013Jan04 server response"; flow:established,from_server; dsize:48; content:"|48 3A E9 78 C0 B9 2E 3F 9A 49 C5 56 65 5F CE 22|"; offset:16; depth:16; reference:md5,62f20326e0f08c0786df6886f0427ea7; classtype:trojan-activity; sid:2016168; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_05, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET P2P Vuze BT UDP Connection (5)"; dsize:<20; content:"|00 00 04 17 27 10 19 80 00 00 00 00|"; depth:12; threshold: type limit, count 1, seconds 120, track by_src; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010144; classtype:policy-violation; sid:2010144; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PoisonIvy Variant Jan 24 2013"; flow:established,from_server; dsize:48; content:"|52 13 34 da 18 3d 2f 45 a2 09 93 52 01 23 51 e3|"; offset: 16; depth:16; reference:url,blog.avast.com/2013/01/22/reporters-without-borders-website-misused-in-wateringhole-attack/; classtype:trojan-activity; sid:2016270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_25, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Infostealer.Banprox Proxy.pac Download 3"; flow:from_server,established; file_data; content:"FindProxyForURL"; fast_pattern; distance:0; content:"return |22|PROXY"; pcre:"/^[^\x3b]+\\x(?:[57][0-9a]|4[0-9a-f]|6[1-9a-f]|3[0-9])/Ri"; reference:md5,6f2dc4ba05774f3e5ebf6c502db48a71; classtype:trojan-activity; sid:2019191; rev:13; metadata:created_at 2014_09_18, updated_at 2014_09_18;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Variant Jan 24 2013"; flow:established,to_server; dsize:48; content:"|84 a5 f0 be 11 da ce 7e c9 4a 9a af 40 24 8a f5|"; offset:16; depth:16; reference:url,blog.avast.com/2013/01/22/reporters-without-borders-website-misused-in-wateringhole-attack/; classtype:trojan-activity; sid:2016271; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_25, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb 27 b3 4f ab ba bf 8b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019192; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED [CrowdStrike] ANCHOR PANDA - PoisonIvy Keep-Alive - From Controller"; dsize:48; flow:established, from_server; content:"|54 90 1d b0 18 1b 7c ce f4 5b 24 2f ec c7 d2 21|"; depth:16; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016657; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FAKEAV Gemini - JavaScript Redirection To FakeAV Binary"; flow:established,to_client; content:"<script type=|22|text/javascript|22|>"; nocase; content:"location.assign|28|"; nocase; within:17; classtype:bad-unknown; sid:2011918; rev:5; metadata:created_at 2010_11_10, updated_at 2010_11_10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED [CrowdStrike] ANCHOR PANDA - PoisonIvy Keep-Alive - From Victim"; dsize:48; flow: established, to_server; content: "|af c0 bb 65 5d 07 e0 0d bf ab 75 2f 82 79 ae 26|"; depth:16; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016658; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Infostealer.Banprox Proxy.pac Download 2"; flow:from_server,established; file_data; content:"FindProxyForURL"; fast_pattern; distance:0; content:"|22|PROXY"; distance:0; pcre:"/^(?P<q>[\x22\x27])(?:(?!(?P=q))[^\r\n\x2c])+?(?P=q)\s*?\+\s*?[\x22\x27][^\r\n\x2c]*?[cg][\x22\x27\+\s]*?[o][\x22\x27\+\s]*?[vm][\x22\x27\+\s]*?\.[\x22\x27\+\s]*?b[\x22\x27\+\s]*?r[\x22\x27\+\s]*?\x2c/m"; reference:md5,6e4a990b1540fa6b5896034b976ccecf; classtype:trojan-activity; sid:2019190; rev:14; metadata:created_at 2014_09_18, updated_at 2014_09_18;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy [victim beacon]"; flow:established; dsize:48; content:"|a160339a8a1b3bc0d1ab956cf98855a8|"; offset: 16; depth:16; classtype:trojan-activity; sid:2017052; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_22, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Major, tag PoisonIvy, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Androm SSL Cert Sept 18 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; distance:0; content:"|09 00 bf 91 db e3 f1 fb 7c cc|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,ca2f3e2568ac5c01ecf2747f778e13a1; classtype:trojan-activity; sid:2019196; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PoisonIvy [server response]"; flow:established; dsize:48; content:"|b8abf415033717b74132d503b6ea381d|"; offset:16; depth:16; classtype:trojan-activity; sid:2017053; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_22, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !25 (msg:"ET MALWARE Gh0st Trojan CnC 2"; flow:established,to_server; dsize:<250; content:"Gh0st"; offset:8; depth:5; classtype:command-and-control; sid:2017505; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_21, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miniduke variant FTP upload"; flow:to_server,established; content:"USER "; pcre:"/^(?:(?:menelao|ho[mr]u)s|adair|johan|kweku)\r\n/R"; reference:md5,e175be029dd2b78c059278a567b3ada1; reference:url,www.f-secure.com/static/doc/labs_global/Whitepapers/cosmicduke_whitepaper.pdf; classtype:targeted-activity; sid:2023911; rev:4; metadata:created_at 2014_07_03, former_category MALWARE, updated_at 2017_02_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV Security Shield payment page request"; flow:established,to_server; content:!"Referer|3a| "; http_header; content:"/payform/?k="; http_uri; classtype:trojan-activity; sid:2014631; rev:4; metadata:created_at 2012_04_23, updated_at 2012_04_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Malicious Redirect Leading to EK Apr 03 2015"; flow:established,to_server; content:"/wordpress/?bf7N&utm_source="; http_uri; classtype:exploit-kit; sid:2020840; rev:2; metadata:created_at 2015_04_03, updated_at 2015_04_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential FAKEAV Download a-f0-9 x16 download"; flow:to_server,established;  content:"/pr2/"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{16}\/.+?\.(exe|zip)$/U"; classtype:bad-unknown; sid:2014730; rev:8; metadata:created_at 2012_05_11, updated_at 2020_08_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a1 b6 29 6e e4 aa ec fe|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020843; rev:2; metadata:attack_target Client_and_Server, created_at 2015_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown .rr.nu Malware landing page"; flow:established,to_server; content:"/sl.php"; http_uri; content:".rr.nu|0D 0A|"; fast_pattern:only; http_header; reference:url,isc.sans.edu/diary.html?storyid=13864; classtype:bad-unknown; sid:2015596; rev:2; metadata:created_at 2012_08_09, updated_at 2012_08_09;)
+#alert tcp $HOME_NET 50002 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Successful Etrust Secure Transaction Platform Identification and Entitlements Server File Disclosure Attempt"; flowbits:isset,ET.etrust.fieldis; flow:established,from_server; content:"<soap|3A|faultstring>Unknown user"; reference:url,shh.thathost.com/secadv/2009-06-15-entrust-ies.txt; reference:url,securitytracker.com/alerts/2010/Sep/1024391.html; classtype:misc-attack; sid:2011503; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day"; flow:established,to_client; file_data; content:".execCommand|28|"; nocase; fast_pattern; pcre:"/^[\r\n\s]*[\x22\x27](s|\\(x|u00)[57]3)(e|\\(x|u00)[46]5)(l|\\(x|u00)[46]c)(e|\\(x|u00)[46]5)(c|\\(x|u00)[46]3)(t|\\(x|u00)[57]4)(A|\\(x|u00)[46]1)(l|\\(x|u00)[46]c){2}/Ri"; content:".write("; nocase; content:"parent|2e|"; nocase; distance:0; pcre:"/^\w+?\[[^\]]+?\]\.src[\r\n\s]*=/Ri"; content:"onselect"; nocase; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2015711; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_09_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Enchanim C2 Injection Download"; flow:established,to_client; content:"set_url "; content:"|0d 0a|data_before|0d 0a|"; distance:0; content:"|0d 0a|data_end|0d 0a|"; distance:0; content:"|0d 0a|data_inject|0d 0a|"; distance:0; fast_pattern; content:"|0d 0a|data_end|0d 0a|"; distance:0; content:"|0d 0a|data_after|0d 0a|"; distance:0; content:"|0d 0a|data_end|0d 0a|"; distance:0; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:command-and-control; sid:2016771; rev:5; metadata:created_at 2013_04_19, former_category MALWARE, updated_at 2013_04_19;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain palauone.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|08|palauone|03|com|00|"; nocase; distance:4; within:14; fast_pattern; classtype:command-and-control; sid:2015719; rev:2; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Possible Upatre DNS Query (jamco.com.pk)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|jamco|03|com|02|pk|00|"; fast_pattern:only; reference:md5,407cce4873bc8af9077dbb21a8762f37; classtype:bad-unknown; sid:2020846; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2015_04_07, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain traindiscover.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0d|traindiscover|03|com|00|"; nocase; distance:4; within:19; fast_pattern; classtype:command-and-control; sid:2015720; rev:3; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.A Sending UUID and Processes x86"; content:"|00 00 00 02 00 00 00 00 00 00 32 32|"; depth:12; content:"|7b|"; distance:0; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\x7d/R"; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:trojan-activity; sid:2020152; rev:2; metadata:created_at 2015_01_07, updated_at 2015_01_07;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain manymanyd.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|09|manymanyd|03|com|00|"; nocase; distance:4; within:15; fast_pattern; classtype:command-and-control; sid:2015721; rev:3; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.A Sending UUID and Processes x64"; content:"|00 00 00 02 00 00 00 00 00 00 64 32|"; depth:12; content:"|7b|"; distance:0; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\x7d/R"; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:trojan-activity; sid:2020153; rev:3; metadata:created_at 2015_01_07, updated_at 2015_01_07;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain whatandwhyeh.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0c|whatandwhyeh|03|com|00|"; nocase; distance:4; within:18; fast_pattern; classtype:command-and-control; sid:2015722; rev:3; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
+alert tcp any any -> $HOME_NET 1720 (msg:"ET SCAN H.323 Scanning device"; flow:established,to_server; content:"|40 04 00 63 00 69 00 73 00 63 00 6f|"; fast_pattern; offset:55; depth:12; threshold: type limit, track by_src, count 1, seconds 60; reference:url,videonationsltd.co.uk/2014/11/h-323-cisco-spam-calls/; classtype:network-scan; sid:2020853; rev:2; metadata:created_at 2015_04_08, updated_at 2015_04_08;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain bktwenty.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|08|bktwenty|03|com|00|"; nocase; distance:4; within:14; fast_pattern; classtype:command-and-control; sid:2015728; rev:3; metadata:created_at 2012_09_22, former_category MALWARE, updated_at 2012_09_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Router DNS Changer Apr 07 2015"; flow:established,from_server; file_data; content:"|69 66 28 75 72 6c 2e 69 6e 64 65 78 4f 66 28 27 3c 65 6f 70 6c 3e 27 29 3e 30 29 7b|"; reference:url,malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html; classtype:exploit-kit; sid:2020854; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_08, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain sleeveblouse.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0c|sleeveblouse|03|com|00|"; nocase; distance:4; within:18; fast_pattern; classtype:command-and-control; sid:2015730; rev:3; metadata:created_at 2012_09_22, former_category MALWARE, updated_at 2012_09_22;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|04|gu2m"; distance:1; within:5; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020864; rev:2; metadata:attack_target Client_and_Server, created_at 2015_04_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain defmaybe.com 09/25/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|defmaybe|03|com|00|"; nocase; distance:0; classtype:command-and-control; sid:2015736; rev:4; metadata:created_at 2012_09_26, former_category MALWARE, updated_at 2012_09_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,465,587] (msg:"ET MALWARE Kriptovor SMTP Traffic"; flow:established,to_server; content:"|0d 0a|PC|3a 20|"; content:"|0d 0a|Text|3a 20|"; distance:0; content:"|0d 0a|IP|3a 20|"; distance:0; content:"|0d 0a|TS|3a 20|"; distance:0; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,c3ab87f85ca07a7d026d3cbd54029bbe; classtype:trojan-activity; sid:2020884; rev:1; metadata:created_at 2015_04_09, updated_at 2015_04_09;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain adbullion.com 09/26/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|adbullion|03|com|00|"; nocase; distance:0; classtype:command-and-control; sid:2015741; rev:4; metadata:created_at 2012_09_27, former_category MALWARE, updated_at 2012_09_27;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Vobus/Beebone Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 2E F4 15 04|"; distance:4; within:6; reference:url,trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/operation-source-botnet-takedown-trend-micro-solutions; classtype:trojan-activity; sid:2020889; rev:1; metadata:created_at 2015_04_11, updated_at 2015_04_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Revoked Adobe Code Signing Certificate Seen"; flow:established,to_client; content:"|30 82|"; content:"|a0 03 02 01 02 02 10 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00|"; distance:6; within:38; content:"|1e 17 0d|101215000000Z|17 0d|121214235959Z0"; distance:184; within:32; content:"Adobe Systems Incorporated"; distance:66; within:26; reference:url,www.adobe.com/support/security/advisories/apsa12-01.html; classtype:policy-violation; sid:2015743; rev:2; metadata:created_at 2012_09_28, former_category INFO, updated_at 2012_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY EXE Embeded in Page Likely Evil M1"; flow:established,from_server; file_data; content:"vbscript"; nocase; content:"|22|4D5A90"; fast_pattern; nocase; content:!"|22|"; within:500; pcre:"/^[a-f0-9]{500}/Rsi"; classtype:trojan-activity; sid:2020893; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Anti-Hacking Tool"; flow:established,to_server; content:"/update/WinUpdater.exe"; http_uri; content:!"User-Agent|3a|"; http_header; reference:md5,93443e59c473b89b5afad940a843982a; reference:url,eff.org/deeplinks/2012/08/syrian-malware-post; classtype:trojan-activity; sid:2015748; rev:3; metadata:created_at 2012_09_28, updated_at 2012_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY EXE Embeded in Page Likely Evil M2"; flow:established,from_server; file_data; content:"vbscript"; nocase; content:"|27|4D5A90"; fast_pattern; nocase; content:!"|27|"; within:500; pcre:"/^[a-f0-9]{500}/Rsi"; classtype:trojan-activity; sid:2020894; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Known Reveton Domain HTTP whatwillber.com"; flow:established,to_server; content:"whatwillber.com|0d 0a|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015874; rev:5; metadata:created_at 2012_11_09, former_category TROJAN, updated_at 2018_02_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 19 2015"; flow:established,to_server; content:"GET"; http_method; content:"4c2H"; nocase; http_uri; pcre:"/\/\??4c2H(?:$|[&?]utm_source=)/U"; classtype:exploit-kit; sid:2020715; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_03_20, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible exploitation of CVE-2012-5076 by an exploit kit Nov 13 2012"; flow:from_server,established; file_data; content:"<object"; content:"0b0909041f"; distance:0; fast_pattern; content:"3131"; distance:0; classtype:exploit-kit; sid:2015887; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_11_14, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Check-in"; flow:established,to_server; dsize:>68; content:"|41 00 00 00 03|"; depth:5; flowbits:set,ET.NetwireRAT.Client; flowbits:noalert; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:2018426; rev:2; metadata:created_at 2014_04_28, updated_at 2014_04_28;)
 
-#alert udp $HOME_NET 53 -> any any (msg:"ET DOS DNS Amplification Attack Outbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016017; rev:7; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Post-Compromise Data Dump M1"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"QWRtaW5SaWdodHMy"; http_client_body; pcre:"/(?:Byb2NMaXN0|Qcm9jTGlzd|UHJvY0xpc3)/P"; classtype:exploit-kit; sid:2020903; rev:2; metadata:created_at 2015_04_14, updated_at 2015_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FakeScan - Landing Page - Title - Microsoft Antivirus 2013"; flow:established,to_client; content:"<title>Microsoft Antivirus 2013</title>"; classtype:bad-unknown; sid:2016020; rev:4; metadata:created_at 2012_12_13, updated_at 2012_12_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Post-Compromise Data Dump M2"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"FkbWluUmlnaHRzM"; http_client_body; pcre:"/(?:Byb2NMaXN0|Qcm9jTGlzd|UHJvY0xpc3)/P"; classtype:exploit-kit; sid:2020904; rev:2; metadata:created_at 2015_04_14, updated_at 2015_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FakeScan - Payload Download Received"; flow:established,to_client; content:"attachment"; http_header; content:"freescan"; http_header; fast_pattern; file_data; content:"MZ"; within:2; classtype:bad-unknown; sid:2016021; rev:3; metadata:created_at 2012_12_13, updated_at 2012_12_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Post-Compromise Data Dump M3"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"BZG1pblJpZ2h0cz"; http_client_body; pcre:"/(?:Byb2NMaXN0|Qcm9jTGlzd|UHJvY0xpc3)/P"; classtype:exploit-kit; sid:2020905; rev:2; metadata:created_at 2015_04_14, updated_at 2015_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN Unk_Banker - Check In"; flow:established,to_server; content:"POST"; http_method; content:"Opera/11.1"; depth:10; http_user_agent; content:"&action=check"; http_client_body; content:"&id="; http_client_body; content:"&version2="; http_client_body; classtype:trojan-activity; sid:2016087; rev:4; metadata:created_at 2012_12_22, updated_at 2012_12_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CoinVault CnC Beacon Response"; flow:established,from_server; file_data; content:"eyJrbm9ja3RpbWUiOj"; within:18; reference:md5,c7e34daa9e9160ce433a6cae74867711; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:command-and-control; sid:2020909; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_04_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Potential Zeus Binary Download - Specific PE Sections Structure"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program cannot be run in DOS mode"; distance:0; content:"PE|00 00|"; distance:0; content:".text"; distance:0; content:"m13"; distance:0; content:"m12"; distance:0; content:"m11"; distance:0; content:"m10"; distance:0; content:"m9"; distance:0; content:"m8"; distance:0; content:"m7"; distance:0; content:"m6"; distance:0; content:"m5"; distance:0; content:"m4"; distance:0; content:"m3"; distance:0; content:".data"; distance:0; content:".data2"; distance:0; reference:url,ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf; classtype:trojan-activity; sid:2016188; rev:4; metadata:created_at 2013_01_12, updated_at 2013_01_12;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP =XXXXXXXX Likely Precursor to Scan"; itype:8; icode:0; content:"=XXXXXXXX"; reference:url,doc.emergingthreats.net/2010686; classtype:network-scan; sid:2010686; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2013-0156 Ruby On Rails XML YAML tag with !ruby"; flow:established,to_server; content:" type"; nocase; fast_pattern; content:"yaml"; distance:0; nocase; content:"!ruby"; nocase; distance:0; pcre:"/<(?P<tname>[^\s]+)[^>]*?\stype\s*=\s*(?P<q>[\x22\x27])yaml(?P=q)((?!<\/(?P=tname)).+?)!ruby/si"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016204; rev:4; metadata:created_at 2013_01_12, updated_at 2013_01_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style)"; flow:established,from_server; file_data; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002034; classtype:successful-recon-limited; sid:2002034; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Request for FakeAV Binary /two/data.exe Infection Campaign"; flow:established,to_server; content:"/index/two/data.exe"; http_uri; classtype:trojan-activity; sid:2016243; rev:3; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via SMTP (linux style)"; flow:established,to_server; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003149; classtype:successful-recon-limited; sid:2003149; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> 78.47.139.110 53 (msg:"ET DELETED Possible DNS Data Exfiltration to SSHD Rootkit Last Resort CnC";  reference:url,isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229; classtype:command-and-control; sid:2016473; rev:3; metadata:created_at 2013_02_22, updated_at 2020_08_20;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via SMTP (BSD style)"; flow:established,to_server; content:"root|3a|*|3a|0|3a|0|3a|"; nocase; content:"|3a|/root|3a|/bin"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003150; classtype:successful-recon-limited; sid:2003150; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CommentCrew UGX Backdoor initial connection"; flow:established,to_server; content:"|dd b5 61 f0 20 47 20 57 d6 65 9c cb 31 1b 65 42 00 00 00 00|"; depth:20; classtype:targeted-activity; sid:2016474; rev:3; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
+alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET TELNET External Telnet Attempt To Cisco Device With No Telnet Password Set (Automatically Dissalowed Until Password Set)"; flow:from_server; content:"Password required, but none set"; depth:31; reference:url,doc.emergingthreats.net/bin/view/Main/2008860; classtype:attempted-admin; sid:2008860; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications get system"; flow:established,to_client; content:"Y29tbWFuZD1nZXRzeXN0ZW07"; classtype:targeted-activity; sid:2016476; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Nessus Vulnerability Scanner Plugins Update"; flow:to_client,established; content:"plugins.nessus.org"; content:"https|3a|//www.thawte.com/repository/index.html"; offset:432; depth:88; reference:url,www.nessus.org/nessus/; reference:url,www.nessus.org/plugins/; reference:url,doc.emergingthreats.net/2009706; classtype:policy-violation; sid:2009706; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications html return 1"; flow:established,to_client; content:"|48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d 0a|"; content:"|43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 0d 0a|"; content:"|43 6f 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a|"; content:"|53 65 74 2d 43 6f 6f 6b 69 65 3a|"; content:"|0d 0a 20 31|"; classtype:targeted-activity; sid:2016477; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+alert ssh $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; threshold: type both, count 5, seconds 30, track by_src; reference:url,doc.emergingthreats.net/2006546; classtype:attempted-admin; sid:2006546; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep"; flow:established,to_client; file_data; content:"<!-- dWdzMTA= -->"; classtype:targeted-activity; sid:2016478; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt response"; flow:from_server,established; dsize:<100; content:"530 "; depth:4; pcre:"/530\s+(Login|User|Failed|Not)/smi"; threshold: type threshold, track by_dst, count 5, seconds 300; reference:url,doc.emergingthreats.net/2002383; classtype:unsuccessful-user; sid:2002383; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep2"; flow:established,to_client; file_data; content:"<!-- dWdzMw== -->"; classtype:targeted-activity; sid:2016479; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET TELNET External Telnet Login Prompt from Cisco Device"; flow:from_server,established; pcre:"/^(\r\n)*/"; content:"User Access Verification"; within:24; reference:url,doc.emergingthreats.net/bin/view/Main/2008861; classtype:attempted-admin; sid:2008861; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep3"; flow:established,to_client; file_data; content:"<!--czoxMzc=--!>"; classtype:targeted-activity; sid:2016480; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Exe32Pack Packed Executable Download"; flow:established,to_client; file_data; content:"Packed by exe32pack"; content:"SteelBytes All rights reserved"; distance:0; reference:md5,93be88ad3816c19d74155f8cd3aae1d2; classtype:policy-violation; sid:2020914; rev:2; metadata:created_at 2015_04_15, updated_at 2015_04_15;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep5"; flow:established,to_client; file_data; content:"<!-- czoy -->"; classtype:targeted-activity; sid:2016482; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unit42 PoisonIvy Keepalive to CnC"; flow:established,to_server; dsize:48; content:"|b8 98 30 04 e8 10 e5 8c e4 06 39 1b e0 51 96 40|"; offset:16; depth:16; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications download client.png"; flow:established,to_client; file_data; content:"<!-- dWdlY2xpZW50LnBuZw== -->"; classtype:targeted-activity; sid:2016483; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dalexis downloader encrypted binary (1)"; flow:established,to_client; file_data; content:"|fc 6e 8e d1 0a 7a be 86|"; within:2048; classtype:trojan-activity; sid:2020929; rev:2; metadata:created_at 2015_04_16, updated_at 2015_04_16;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT crabdance backdoor base64 head 2"; flow:established,to_client; file_data; content:"FSssJi01MWwnOic="; classtype:targeted-activity; sid:2016484; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dalexis downloader encrypted binary (2)"; flow:established,to_client; file_data; content:"|35 8c 0c 43 e2 1c f7 e4|"; distance:40; within:8; classtype:trojan-activity; sid:2020930; rev:2; metadata:created_at 2015_04_16, updated_at 2015_04_16;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT crabdance backdoor base64 head"; flow:established,to_client; file_data; content:"MS4nJzJ4cHZyeQ=="; classtype:targeted-activity; sid:2016485; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dalexis downloader encrypted binary (3)"; flow:established,to_client; file_data; content:"|fc 6e 8e d1 0a 7a be 86|"; distance:32; within:8; classtype:trojan-activity; sid:2020931; rev:2; metadata:created_at 2015_04_16, updated_at 2015_04_16;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT backdoor stage 2 download base64 update.gif"; flow:established,to_client; file_data; content:"IHVwZGF0ZS5naWY="; classtype:targeted-activity; sid:2016486; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|10 58 85 8a 21 5a 27 a4 1f be 8f a1 3a f0 13 c5 94|"; within:40; content:"|55 04 03|"; distance:0; content:"|13|www.tennomewerto.ru"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020932; rev:2; metadata:attack_target Client_and_Server, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications get command client key"; flow:established,to_client; content:"Y29tbWFuZD1HZXRDb21tYW5kO2NsaWVudGtleT"; content:"O2hvc3RuYW1lPW"; classtype:targeted-activity; sid:2016488; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows nbtstat -s Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Connection Table"; fast_pattern; content:"Local Name"; distance:0; content:"State"; distance:0; content:"In/Out"; distance:0; content:"Remote Host"; distance:0; content:"Input"; distance:0; content:"Output"; distance:0; classtype:trojan-activity; sid:2020957; rev:2; metadata:created_at 2015_04_21, updated_at 2015_04_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeuS Ransomware win_unlock"; flow:established,to_server; content:"/locker/lock.php?id="; http_uri; reference:url,www.f-secure.com/weblog/archives/00002367.html; reference:md5,14a1d23b5a8b4f5c186bc5082ede4596; classtype:trojan-activity; sid:2014797; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_05_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2012_05_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Windows nbtstat -r Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Names Resolution and Registration Statistics"; fast_pattern; content:"Name"; distance:0; content:"Type"; distance:0; content:"Status"; distance:0; classtype:trojan-activity; sid:2020956; rev:2; metadata:created_at 2015_04_21, former_category MALWARE, updated_at 2015_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zeus Spam Campaign pdf.exe In ZIP - 26th Feb 2014"; flow:established,to_client; file_data; content:"PK"; within:2; content:"pdf.exe"; distance:42; within:500; classtype:trojan-activity; sid:2018182; rev:3; metadata:created_at 2014_02_27, updated_at 2014_02_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows nbtstat -a Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Remote Machine Name Table"; fast_pattern; content:"Name"; distance:0; content:"Type"; content:"Status"; distance:0; classtype:trojan-activity; sid:2020954; rev:2; metadata:created_at 2015_04_21, updated_at 2015_04_21;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; pcre:"/^..[\x0d-\x20][a-z]{13,32}(?:\x03(?:biz|com|net|org)|\x04info|\x02ru)\x00\x00\x01\x00\x01/Rs"; threshold: type both, track by_dst, count 12, seconds 120; reference:url,vrt-blog.snort.org/2014/03/decoding-domain-generation-algorithms.html; classtype:trojan-activity; sid:2018316; rev:4; metadata:created_at 2014_03_25, former_category MALWARE, updated_at 2014_03_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows nbtstat -n Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Local Name Table"; fast_pattern; content:"Name"; distance:0; content:"Type"; content:"Status"; distance:0; classtype:trojan-activity; sid:2020955; rev:2; metadata:created_at 2015_04_21, updated_at 2015_04_21;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download"; flow:established,to_client; flowbits:isset,ET.Onelouder.bin; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2018982; rev:2; metadata:created_at 2014_08_22, updated_at 2014_08_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT HTTP CnC Beacon Response"; flow:established,from_server; file_data; content:"<--"; within:3; pcre:"/^[A-F0-9]{8,12}/R"; content:"-->|0a|<"; fast_pattern; within:5; flowbits:isset,ET.CozyDuke.HTTP; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:targeted-activity; sid:2020965; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_04_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Trojan Dropped by Angler Aug 29 2014"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 c4 a8 4b da 47 94 14 c1|"; within:35; content:"|55 04 0b|"; distance:0; content:"|55 04 0b|"; distance:0; content:"|06|office"; distance:1; within:7; classtype:trojan-activity; sid:2019086; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_29, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Possible Infection Report Mail - Indy Mail lib and Nome do Computador in Body"; flow:established,to_server; content:"|0d 0a|X-Library|3a| Indy "; content:"Nome do Computador.."; nocase; distance:0; reference:url,doc.emergingthreats.net/2007950; classtype:trojan-activity; sid:2007950; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 19 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f8 69 16 89 bb bc f3 d7|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1da03b89c25c9f8999edb8c1abb0c4ed; classtype:trojan-activity; sid:2019200; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Petite Packed Binary Download"; flow:to_client,established; flowbits:isnotset,ET.http.binary; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|43 6F 6D 70 72 65 73 73 65 64 20 62 79 20 50 65 74 69 74 65 20 28 63 29 31 39 39 39 20 49 61 6E 20 4C 75 63 6B 2E 00 00|"; distance:-44; flowbits:set,ET.http.binary; reference:md5,fa2c0e8b486c879f4baee1d5bebdf0a2; classtype:trojan-activity; sid:2020973; rev:5; metadata:created_at 2015_04_22, updated_at 2015_04_22;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 e8 dc 5d 2a ee 44 a3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019205; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Download file with Powershell via LNK file (observed in Sundown EK)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"c|00|m|00|d|00|.|00|e|00|x|00|e"; nocase; content:"P|00|o|00|w|00|e|00|r|00|S|00|h|00|e|00|l|00|l"; nocase; content:"D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00|F|00|i|00|l|00|e"; nocase; classtype:exploit-kit; sid:2020987; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 b7 93 80 9f 87 5d ab|"; within:35; content:"|55 04 03|"; distance:0; content:"|0c 31 30 38 2e 36 31 2e 34 39 2e 33 30|"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019206; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Secondary Landing T1 M2 Apr 24 2015"; flow:established,from_server; file_data; content:"System.Net.WebClient"; nocase; content:"Powershell"; nocase; content:"DownloadFile"; nocase; content:"|3b|d=unescape(m)|3b|document.write(d)|3b|"; classtype:exploit-kit; sid:2020990; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/BillGates Checkin"; flow:established,to_server; content:"|01 00 00 00|"; depth:4; content:"|00 00 00 f4 01 00 00 32 00 00 00 e8 03|"; distance:0; content:"|01 01 02 00 00 00 01 00 00 00|"; distance:0; reference:md5,b4dd0283c73d0b288e7322b95df0cb1b; classtype:command-and-control; sid:2019207; rev:1; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2014_09_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS IonCube Encoded Page (no alert)"; flow:established,from_server; file_data; content:"javascript>c=|22|"; content:"|3b|eval(unescape("; flowbits:noalert; flowbits:set,ET.IonCube; classtype:trojan-activity; sid:2020993; rev:2; metadata:created_at 2015_04_24, former_category CURRENT_EVENTS, updated_at 2015_04_24;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/BillGates Checkin Response"; flow:established,from_server; dsize:20; content:"|08 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 e8 fd 00 00|"; reference:md5,b4dd0283c73d0b288e7322b95df0cb1b; classtype:command-and-control; sid:2019208; rev:1; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2014_09_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK Flash Exploit Struct T2 Apr 24 2015"; flow:established,to_server; flowbits:isset,ET.IonCube; content:"/"; http_uri; content:".swf"; http_uri; distance:4; within:4; pcre:"/\/(?=[A-Za-z]{0,3}\d)(?=\d{0,3}[A-Za-z])[A-Za-z0-9]{4,5}\.swf$/U"; content:".php"; http_header; classtype:exploit-kit; sid:2020994; rev:3; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/AES.DDoS Sending Real/Fake CPU&BW Info"; flow:established,to_server; content:"INFO|3a|"; depth:5; pcre:"/^\d/R"; content:"|25 7c|"; distance:0; threshold: type both, count 1, seconds 30, track by_src; reference:md5,d8059b555dde05e184c0b16bbff523f1; classtype:trojan-activity; sid:2019177; rev:3; metadata:created_at 2014_09_15, updated_at 2014_09_15;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains InternetOpen WinInet API Call - Potentially Dridex MalDoc 1"; flow:established,to_server; content:"SW50ZXJuZXRPcGVu"; fast_pattern; classtype:trojan-activity; sid:2021006; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 95 78 dc d3 77 1b bc 30|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,bf019054fced52ff03ed8d371dfd371d; classtype:trojan-activity; sid:2019213; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains InternetOpen WinInet API Call - Potentially Dridex MalDoc 2"; flow:established,to_server; content:"ludGVybmV0T3Blb"; fast_pattern; classtype:trojan-activity; sid:2021007; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3"; flow:to_server,established; content:"|33 33|"; offset:2; depth:2; content:!"|33 33|"; within:2; content:"|33 33|"; distance:2; within:2; content:!"|33 33|"; within:2; content:"|33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33|"; pcre:"/[^\x33][^\x6f\x19\x18\x0e\x4f\x09\x08\x11\x0c\x0f\x0d\x1f\x10\x39][\x00-\x07\x0b\x0a\x1e\x1d\x12\x13\x15\x10\x1b\x1a\x54-\x5f\x50-\x52\x40-\x4b\x4d\x4e\x70-\x7f\x60-\x67\x69-\x6d]{1,14}\x33/R"; reference:md5,c150f9738142278e2d39417a7ef53cae; classtype:command-and-control; sid:2019203; rev:2; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2014_09_22;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains InternetOpen WinInet API Call - Potentially Dridex MalDoc 3"; flow:established,to_server; content:"JbnRlcm5ldE9wZW"; fast_pattern; classtype:trojan-activity; sid:2021008; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-#alert tcp any any -> any any (msg:"ET DELETED njrat ver 0.7d Malware CnC Callback"; flow:from_client,established; content:"|00|ll|7C 27 7C 27 7C|"; fast_pattern; content:"0.7d"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019223; rev:1; metadata:created_at 2014_09_23, updated_at 2014_09_23;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains wininet.dll Call - Potentially Dridex MalDoc 1"; flow:established,to_server; content:"d2luaW5ldC5kbG"; fast_pattern; classtype:trojan-activity; sid:2021009; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Apr 01 2014"; flow:established,to_client; content:"Expires|3a| Sat, 26 Jul 1997 05|3a|00|3a|00 GMT|0d 0a|Last-Modified|3a| Sat, 26 Jul 2040 05|3a|00|3a|00 GMT|0d 0a|"; fast_pattern:55,20; http_header; classtype:exploit-kit; sid:2019224; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains wininet.dll Call - Potentially Dridex MalDoc 2"; flow:established,to_server; content:"dpbmluZXQuZGxs"; fast_pattern; classtype:trojan-activity; sid:2021010; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing Page Dec 09 2013"; flow:established,from_server; file_data; content:"display|3a| none|3b 22|"; nocase; content:">"; within:500; content:!">"; nocase; within:500; content:"f"; within:200; pcre:"/^(?P<sep>.{1,50})u(?P=sep)n(?P=sep)c(?P=sep)t(?P=sep)i(?P=sep)o(?P=sep)n(?P=sep)\s/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017817; rev:11; metadata:created_at 2013_12_10, former_category EXPLOIT_KIT, updated_at 2013_12_10;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains wininet.dll Call - Potentially Dridex MalDoc 3"; flow:established,to_server; content:"3aW5pbmV0LmRsb"; fast_pattern; classtype:trojan-activity; sid:2021011; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 82 1f ee 3e 8f cb 87 80|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019225; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CORESHELL Malware Response from server"; flow:from_server,established; file_data; content:"O|00|K|00 00 00|"; within:6; pcre:"/^(?:(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?$/R"; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019584; rev:3; metadata:created_at 2014_10_29, updated_at 2014_10_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Cridex Response from exfiltrated data upload"; flow:to_client,established; file_data; content:"|de ad be ef|"; fast_pattern; content:"|00 01 00 00 00|"; distance:3; within:5; reference:url,www.virustotal.com/file/00bf5b6f32b6a8223b8e55055800ef7870f8acaed334cb12484e44489b2ace24/analysis/; reference:url,www.packetninjas.net; classtype:trojan-activity; sid:2015629; rev:6; metadata:created_at 2012_08_16, updated_at 2012_08_16;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TorrentLocker SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea a3 3c b6 6e 62 16 33|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,8b2b618a463b906a1005ff1ed7d5f875; classtype:trojan-activity; sid:2021014; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_27, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Spy.Zbot.ACB SSL Cert Sept 24 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 99 56 02 06 27 f8 97 08|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,2ceda25b44378583dfb6df64b92ac654; classtype:trojan-activity; sid:2019227; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ruckguv.A SSL Cert"; flow:established,from_server; content:"|10 05 86 8b f3 dc 2c ad 1f 00 dd ad fa 27 3c ea d0|"; content:"|55 04 03|"; distance:0; content:"|12|thewinesteward.com"; distance:1; within:19; reference:md5,331bec58cb113999f83c866de4976b62; classtype:trojan-activity; sid:2021015; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_27, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Yangji.A Checkin"; flow:established,to_server; dsize:1024; content:"cngameanti|7c|"; depth:11; pcre:"/^\x2d?\d/R"; reference:md5,b5badeb16414cba66999742601c092b8; classtype:command-and-control; sid:2019229; rev:1; metadata:created_at 2014_09_24, former_category MALWARE, updated_at 2014_09_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Landing Apr 20 2015"; flow:established,from_server; file_data; content:"|27 3b|d=unescape(m)|3b|document.write(d|29 3b|</script>"; content:".swf"; nocase; content:".swf"; nocase; content:"vbscript"; nocase; content:"System.Net.WebClient"; nocase; content:".exe"; nocase; classtype:exploit-kit; sid:2020950; rev:3; metadata:created_at 2015_04_21, updated_at 2015_04_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Aug 27 2014"; flow:from_server,established; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; file_data; content:"|3c 68 74 6d 6c 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23|"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}(?:\r\n)*?<script>[^\r\n]+?\We[\x22\x27\+]*?v[\x22\x27\+]*?a[\x22\x27\+]*?l\W/R"; classtype:exploit-kit; sid:2019078; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_08_28, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 22 2015"; flow:established,from_server; content:"nginx"; http_header; file_data; content:"|0d 0a|<textarea "; fast_pattern; content:!">"; within:21; content:!"</textarea>"; within:500; content:!"|0d|"; within:500; pcre:"/^\s*[^>]*?[a-zA-Z]+\s*?=\s*?[\x22\x27](?=[a-z]{0,20}[A-Z])(?=[A-Z]{0,20}[a-z])[A-Za-z]{15,21}[\x22\x27][^>]*?>(?=[A-Za-z_]{0,200}[0-9])(?=[0-9a-z_]{0,200}[A-Z])(?=[0-9A-Z_]{0,200}[a-z])[A-Za-z0-9_]{200}/R"; classtype:exploit-kit; sid:2020975; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_23, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [443,$HTTP_PORTS] (msg:"ET MALWARE Pushdo v3 Checkin"; flow:established,to_server; dsize:20; content:"|02 00 00 00|"; depth:4; reference:md5,776d6c20a7016cb0f0db354785fe0d71; classtype:command-and-control; sid:2019235; rev:1; metadata:created_at 2014_09_25, former_category MALWARE, updated_at 2014_09_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf 88 cb e4 d5 79 99 98|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021016; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert udp any 67 -> any 68 (msg:"ET DELETED Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK - option 67"; content:"|02 01|"; depth:2; content:"|43|"; distance:238; content:"|28 29 20 7b 20|"; distance:1; within:10; reference:url,access.redhat.com/articles/1200223; reference:cve,2014-6271; classtype:attempted-admin; sid:2019238; rev:2; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+#alert udp any 53 -> $HOME_NET any (msg:"ET DELETED Team Cymru Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 26 E5 46 04|"; distance:4; within:6; classtype:trojan-activity; sid:2021020; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Kuluoz/Asprox CnC Response"; flow:from_server,established; flowbits:isset,ET.Kuluoz; content:"|0d 0a 0d 0a|"; content:"|0d 0a 80 00 00 00|"; distance:2; within:6; reference:md5,a3e0f51356d48124fba25485d1871b28; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; reference:url,blog.fortinet.com/post/changes-in-the-asprox-botnet; classtype:command-and-control; sid:2019187; rev:5; metadata:created_at 2014_09_17, former_category MALWARE, updated_at 2014_09_17;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Kaspersky Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 5F D3 AC 8F|"; distance:4; within:6; classtype:trojan-activity; sid:2021021; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Dyre SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cb f9 86 23 19 20 43 f0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,c32f1e7d9d6f88c4d2468fe205f4abfc; classtype:trojan-activity; sid:2019274; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Wapack Labs Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 17 FD 2E 40|"; distance:4; within:6; classtype:trojan-activity; sid:2021022; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb c0 73 38 d6 b1 99 a5|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,0fa515ad9fd1031b7a7891a46f72f122; classtype:trojan-activity; sid:2019275; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|terriblekira.su"; distance:1; within:16; reference:md5,f752cfdc6aa1d3eac013201357ada0f6; classtype:domain-c2; sid:2021031; rev:1; metadata:attack_target Client_and_Server, created_at 2015_04_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c5 86 50 03 11 16 99 16|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,75a2e3c9f8783dfc953f6aeb8a9eda2f; classtype:trojan-activity; sid:2019276; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|lidline.com"; distance:1; within:112; reference:md5,f752cfdc6aa1d3eac013201357ada0f6; classtype:domain-c2; sid:2021032; rev:1; metadata:attack_target Client_and_Server, created_at 2015_04_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert santa.my"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|www.santa.my"; distance:1; within:13; reference:md5,cfbfac0a9bf37b71e46ed43d95df4aec; classtype:trojan-activity; sid:2019277; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing URI Struct April 29 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:"/5/"; http_uri; fast_pattern; content:"http|3a|/"; distance:0; http_uri; pcre:"/\/5\/[a-f0-9]{32}\/\x20*http\x3a\x2f/U"; classtype:exploit-kit; sid:2021034; rev:2; metadata:created_at 2015_04_30, updated_at 2015_04_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert glynwedasia.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|glynwedasia.com"; distance:1; within:16; reference:md5,cfbfac0a9bf37b71e46ed43d95df4aec; classtype:trojan-activity; sid:2019278; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing April 29 2015"; flow:established,from_server; file_data; content:"lortnoCgA.lortnoCgA"; content:"reverse"; classtype:exploit-kit; sid:2021039; rev:2; metadata:created_at 2015_04_30, updated_at 2015_04_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf ac 1a b8 3d 7f 11 16|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|06|debian"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019279; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Response)"; content:"|01 01 00 44|"; depth:4; content:"|00 01 00 08|"; distance:16; within:4; threshold:type limit, track by_src, count 1, seconds 60; reference:url,tools.ietf.org/html/rfc5389; classtype:protocol-command-decode; sid:2018908; rev:2; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf ac 1a b8 3d 7f 11 16|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|06|debian"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019280; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Page May 01 2015"; flow:from_server,established; file_data; content:"CM|3a 20|u.indexOf(|27|NT 5.1|27|) > -1"; content:"PS|3a 20|u.indexOf(|27|NT 6.|27|) > -1"; classtype:exploit-kit; sid:2021046; rev:2; metadata:created_at 2015_05_02, updated_at 2015_05_02;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackEnergy Possible SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 88 91 e8 ca 54 bb 7d 10|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|5.79.80.166"; distance:1; within:12; reference:md5,1821351d67a3dce1045be09e88461fe9; classtype:trojan-activity; sid:2019282; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Secondary Landing Page May 01 2015 M1"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=Y21kIC9jIGVjaG8g"; classtype:exploit-kit; sid:2021047; rev:2; metadata:created_at 2015_05_02, updated_at 2015_05_02;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 1"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|{|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019244; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Secondary Landing Page May 01 2015 M2"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=cG93ZXJzaGVsbC5leGUg"; classtype:exploit-kit; sid:2021048; rev:2; metadata:created_at 2015_05_02, updated_at 2015_05_02;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 2"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|{%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019245; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux.Trojan.IptabLex Variant Checkin"; flow:to_server,established; dsize:157; content:"|77|"; depth:1; pcre:"/^[\x01\x03\x08\x09\x0b]\x00/R"; content:"|20 40 20|"; distance:0; content:"Hz"; nocase; within:15; reference:md5,019765009f7142a89af15aaaac7400cc; reference:url,blog.malwaremustdie.org/2014/06/mmd-0025-2014-itw-infection-of-elf.html; classtype:command-and-control; sid:2021050; rev:1; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2015_05_04;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 3"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|%7b|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019246; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Linux.Mumblehard Spam Command CnC"; flow:to_server,established; content:"POST / HTTP/1."; depth:14; content:"|0d 0a 0d 0a 0f 0f|"; pcre:"/^\d{1,3}[0-2]/R"; reference:url,www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf; reference:md5,86f0b0b74fe8b95b163a1b31d76f7917; classtype:command-and-control; sid:2021053; rev:1; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2015_05_04;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 4"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|%7b%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019247; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Flash Payload ShellCode Apr 23 2015"; flow:established,from_server; file_data; content:"urlmon.dll|00|http|3a 2f|"; pcre:"/^\x2f+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\??[a-f0-9]+\x7chttp\x3a\x2f/Rs"; classtype:exploit-kit; sid:2021054; rev:2; metadata:created_at 2015_05_04, former_category EXPLOIT_KIT, updated_at 2015_05_04;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 5"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20{|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019248; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyre Downloading Mailer 2"; flow:established,to_server; content:"GET"; http_method; content:".tar"; http_uri; content:!"Accept"; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0E|3b 20|.NET4.0C|3b 20|rv|3a|11.0) like Gecko|0d 0a|Host|3a|"; http_header; depth:195; pcre:"/^[^\r\n]+\r\n(?:\r\n)?$/RHi"; pcre:"/\.tar$/U"; reference:url,www.seculert.com/blog/2015/04/new-dyre-version-evades-sandboxes.html; reference:md5,999bc5e16312db6abff5f6c9e54c546f; classtype:trojan-activity; sid:2021056; rev:5; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2015_05_04;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 6"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20{%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019249; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ursnif SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|16|athereforeencourage.pw"; distance:1; within:23; classtype:trojan-activity; sid:2021061; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_06, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 7"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20%7b|20|"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019250; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8d 3d d5 97 44 08 33 d8|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021063; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 8"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20%7b%20"; nocase; fast_pattern; within:15; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019251; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response"; flow:established,to_client; flowbits:isset,http.dottedquadhost; file_data; content:"MZ"; within:2; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:2021076; rev:2; metadata:created_at 2015_05_08, former_category INFO, updated_at 2015_05_08;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 9"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|{|20|"; nocase; fast_pattern; within:6; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019252; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Trojan Multi-part Macro Download M1"; flow:established,from_server; file_data; content:"PAB0AGUAeAB0ADEAMAA+ACQA"; within:24; classtype:trojan-activity; sid:2020911; rev:3; metadata:created_at 2015_04_15, former_category CURRENT_EVENTS, updated_at 2015_04_15;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 10"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|{%20"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019253; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Cryptolocker .onion Proxy Domain (24u4jf7s4regu6hn)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|24u4jf7s4regu6hn"; fast_pattern; distance:0; nocase; reference:md5,36095572717aee2399b6bdacef936e22; classtype:trojan-activity; sid:2021085; rev:1; metadata:created_at 2015_05_09, updated_at 2015_05_09;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 11"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|%7b|20|"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019254; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 3"; flow:established,to_server; content:".php?hash="; http_uri; fast_pattern:only; pcre:"/\/(?:java(?:byte|db)|o(?:utput|ther)|r(?:hino|otat)|msie\d|load)\.php\?hash=/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017024; rev:4; metadata:created_at 2013_06_18, former_category CURRENT_EVENTS, updated_at 2013_06_18;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 12"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|%7b%20"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019255; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|10 62 16 fe 1e af 85 65 68 82 0d d7 6f 8e 27 33 02|"; content:"|55 04 03|"; distance:0; content:"|0d|mainbytes.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021086; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 13"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20{|20|"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019256; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a5 12 0c 27 cc 24 bb ef|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021087; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 14"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20{%20"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019257; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Possible Office Doc with Embedded VBA Project"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"/vbaProject"; nocase; pcre:"/\d*?\.bin/Ri"; flowbits:set,et.DocVBAProject; classtype:bad-unknown; sid:2019835; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 15"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20%7b|20|"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019258; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Possible Office Doc with Embedded VBA Project"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"_VBA_PROJECT"; nocase; flowbits:set,et.DocVBAProject; classtype:bad-unknown; sid:2019836; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 16"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20%7b%20"; nocase; fast_pattern; within:12; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019259; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Download file with BITS via LNK file (Likely Malicious)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"|00|b|00|i|00|t|00|s|00|a|00|d|00|m|00|i|00|n|00|"; nocase; content:"|00|t|00|r|00|a|00|n|00|s|00|f|00|e|00|r|00|"; nocase; classtype:trojan-activity; sid:2021092; rev:2; metadata:created_at 2015_05_13, former_category MALWARE, updated_at 2015_05_13;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 17"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|{|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019260; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|roobox.info"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021096; rev:3; metadata:attack_target Client_and_Server, created_at 2015_05_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 18"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|{%20"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019261; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ruckguv.A SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|11 21 e9 a1 69 3a 6e e9 a8 fb a3 ba 5b ee 9d 6e 60 02|"; fast_pattern; content:"|55 04 03|"; content:"|15|elyseeinvestments.com"; distance:1; within:22; reference:md5,1225b8c9b52d4828b9031267939e8260; classtype:trojan-activity; sid:2021097; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 19"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|%7b|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019262; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Troldesh.A SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 bf 81 b3 c2 61 36 e4 9d|"; fast_pattern; content:"|55 04 03|"; content:"|16|www.jyxc3nn7eu2iqd.net"; distance:1; within:23; reference:md5,3358793e79042faa2298856373e644dc; classtype:trojan-activity; sid:2021098; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 20"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|%7b%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019263; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rofin.A CnC traffic (OUTBOUND)"; flow:to_server,established; dsize:>11; content:"|dd aa 99 66|"; depth:4; byte_jump:4,4,relative,little,from_beginning, post_offset -2; isdataat:!2,relative; reference:md5,6b71398418c7c6b01cf8abb105bc884d; classtype:command-and-control; sid:2020671; rev:3; metadata:created_at 2015_03_11, former_category MALWARE, updated_at 2015_03_11;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 21"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20{|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019264; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|07|Glasgow"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|06|Glasgo"; distance:1; within:7; content:"|55 04 0a|"; distance:0; content:"|0b|Green Peace"; distance:1; within:12; reference:md5,3cecc935eb92ed03dc9908fc96b0f795; classtype:domain-c2; sid:2021102; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 22"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20{%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019265; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea 29 4d 2c d5 53 a8 8e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021109; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 23"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20%7b|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019266; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TROJ_NAIKON.A SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|04|donc"; fast_pattern; distance:1; within:5; content:"|55 04 0b|"; content:"|03|abc"; distance:1; within:4; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:2016795; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_04_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 24"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20%7b%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019267; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DNSChanger EK Secondary Landing May 12 2015 M2"; flow:established,from_server; file_data; content:"&|22|+DetectRTC.isWebSocketsSupported+|22|&|22|+"; nocase; content:"CryptoJSAesJson"; nocase; classtype:exploit-kit; sid:2021110; rev:2; metadata:created_at 2015_05_16, updated_at 2015_05_16;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 26"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|%7b|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019269; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|13|Widgets Numbers PTY"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021112; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 27"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|%7b%20"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019270; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|srv2415.domain.local"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021113; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 28"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20{|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019271; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|11|Facebook Porn PTY"; distance:1; within:18; classtype:domain-c2; sid:2021106; rev:3; metadata:attack_target Client_and_Server, created_at 2015_05_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 29"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20%7b|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019272; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert ip $HOME_NET any -> [199.2.137.0/24,207.46.90.0/24] any (msg:"ET MALWARE Connection to Microsoft Sinkhole IP (Possbile Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016999; rev:4; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 30"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20%7b%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019273; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Microsoft - 131.253.18.11-12"; content:"|00 01 00 01|"; content:"|00 04 83 fd 12|"; distance:4; within:5; byte_test:1,>,10,0,relative; byte_test:1,<,13,0,relative; threshold: type limit, count 1, seconds 120, track by_src; classtype:trojan-activity; sid:2016101; rev:6; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 25"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|{%20"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019268; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT17 CnC Content in Public Website"; flow:from_server,established; file_data; content:"@MICR0S0FT"; pcre:"/^[a-zA-Z0-9]{8}/R"; content:"C0RP0RATI0N"; within:11; reference:url,github.com/fireeye/iocs/tree/master/APT17; classtype:targeted-activity; sid:2021116; rev:2; metadata:created_at 2015_05_19, former_category MALWARE, updated_at 2015_05_19;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Output of id command from HTTP server"; flow:established; content:"uid="; pcre:"/^\d+[^\r\n\s]+/R"; content:" gid="; within:5; pcre:"/^\d+[^\r\n\s]+/R"; content:" groups="; within:8; classtype:bad-unknown; sid:2019284; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 19 ef 92 11 51 27 f3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021121; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Reporting IP"; flow:established,to_server; dsize:<24; content:"My IP|3A| "; depth:7; pcre:"/My\x20IP\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x0A/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:2019294; rev:1; metadata:created_at 2014_09_29, updated_at 2014_09_29;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaScriptBackdoor SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b7 2f ae e8 e2 55 b5 bf|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,2a63b3a621d8e555734582d83b5e06a5; classtype:trojan-activity; sid:2021134; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre redirector GET Sept 29 2014"; flow:established,to_server; content:".php?h="; http_uri; fast_pattern; pcre:"/^\d+&w=\d+&ua=.+&e=1$/UR"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019311; rev:3; metadata:created_at 2014_09_29, former_category CURRENT_EVENTS, updated_at 2014_09_29;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Dridex SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 08|"; distance:0; content:"|07|Montana"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|09|Liverpool"; distance:1; within:10; content:"|55 04 03|"; distance:0; content:"|0e|southnorth.org"; distance:1; within:15; fast_pattern; reference:md5,440e5c0aee33cba3c4707ada0856ff6d; classtype:trojan-activity; sid:2021145; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 75 2c 71 a2 5b fd 9f|"; within:35; content:"|55 04 07|"; distance:0; content:"|07|Houston"; distance:1; within:8; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019316; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Linux/Moose Telnet CnC Beacon"; flow:established,to_server; dsize:40; content:"|0e 00 00 00|"; offset:4; depth:4; fast_pattern; content:!"|00|"; within:1; content:!"|00|"; distance:3; within:1; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:4; within:28; content:!"|00 00 00 00|"; depth:4; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021149; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_05_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cb f9 86 23 19 20 43 f0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019317; rev:4; metadata:attack_target Client_and_Server, created_at 2014_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|17|ns343677.ip-94-23-16.eu"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021154; rev:3; metadata:attack_target Client_and_Server, created_at 2015_05_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Ares over UDP"; content:"Ares "; offset:36; depth:7; threshold: type limit, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003437; classtype:policy-violation; sid:2003437; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Yakes CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bd 4b 4b 98 c9 8b 2f 20|"; within:35; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|13|webmaster@localhost"; distance:1; within:20; reference:md5,6cdd93dcb1c54a4e2b036d2e13b51216; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021155; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 30 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c3 04 eb 4f 91 0a 85 aa|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,a3dd0964ee346db49192836569b41203; classtype:trojan-activity; sid:2019319; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil JS iframe Embedded In GIF"; flow:established,from_server; file_data; content:"GIF89a="; nocase; within:8; content:"|3b|url="; nocase; distance:0; content:"iframe"; nocase; distance:0; content:"|3b|tail="; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2021156; rev:2; metadata:created_at 2015_05_28, updated_at 2015_05_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 30 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ba c8 fb e2 d7 61 26 81|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,27ec921595f9e05e7e8933e71d336fa7; classtype:trojan-activity; sid:2019320; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED External IP Lookup - whoer.net"; flow:established,to_server; content:"Host|3a 20|whoer.net|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; classtype:external-ip-check; sid:2021161; rev:2; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Common Downloader Trojan Checkin"; flow:established,to_server; content:".php?pid="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"&amd="; nocase; http_uri; content:"&win64="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007975; classtype:trojan-activity; sid:2007975; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert udp $HOME_NET 5093 -> $EXTERNAL_NET any (msg:"ET DOS Possible Sentinal LM  Application attack in progress Outbound (Response)"; dsize:>1390; content:"|7a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; threshold: type both,track by_src,count 10,seconds 60; classtype:attempted-dos; sid:2021170; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING suspicious embedded zip file in web page"; flow:established,to_client; file_data; content:"data|3a|"; nocase; content:"base64,UEsDB"; within:40; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019324; rev:2; metadata:created_at 2014_09_30, former_category EXPLOIT_KIT, updated_at 2014_09_30;)
+alert udp $EXTERNAL_NET 5093 -> $HOME_NET any (msg:"ET DOS Possible Sentinal LM Amplification attack (Response) Inbound"; dsize:>1390; content:"|7a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; threshold: type both,track by_src,count 10,seconds 60; classtype:attempted-dos; sid:2021171; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre redirector 29 Sept 2014 - POST"; flow:established,to_server; content:"POST"; http_method; content:"h="; http_client_body; depth:3; content:"w="; http_client_body; within:8; content:"ua="; http_client_body; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019321; rev:3; metadata:created_at 2014_09_30, former_category CURRENT_EVENTS, updated_at 2014_09_30;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"ET DOS Possible Sentinal LM Amplification attack (Request) Inbound"; dsize:6; content:"|7a 00 00 00 00 00|"; threshold: type both,track by_dst,count 10,seconds 60; classtype:attempted-dos; sid:2021172; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload User-Agent Detected (WebUpdate)"; flow:established,to_server; content:"User-Agent|3a| WebUpdate|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008074; classtype:trojan-activity; sid:2008074; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2017_10_30;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea d4 96 1c 0a 8b 6f a4|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021175; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 7e e9 92 50 35 4f 1e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019328; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible BlackEnergy Accessing SMB/SMB2 Named Pipe (ASCII)"; flow:to_server,established; content:"SMB"; offset:5; depth:4; content:"{AA0EED25-4167-4CBB-BDA8-9A0F5FF93EA8}"; distance:0; nocase; reference:url,cyberx-labs.com/wp-content/uploads/2015/05/BlackEnergy-CyberX-Report_27_May_2015_FINAL.pdf; classtype:trojan-activity; sid:2021179; rev:1; metadata:created_at 2015_06_04, updated_at 2015_06_04;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 90 47 1b dd 5a 78 af e5|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019329; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible BlackEnergy Accessing SMB/SMB2 Named Pipe (Unicode)"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{|00|A|00|A|00|0|00|E|00|E|00|D|00|2|00|5|00|-|00|4|00|1|00|6|00|7|00|-|00|4|00|C|00|B|00|B|00|-|00|B|00|D|00|A|00|8|00|-|00|9|00|A|00|0|00|F|00|5|00|F|00|F|00|9|00|3|00|E|00|A|00|8|00|}"; distance:0; nocase; reference:url,cyberx-labs.com/wp-content/uploads/2015/05/BlackEnergy-CyberX-Report_27_May_2015_FINAL.pdf; classtype:trojan-activity; sid:2021180; rev:1; metadata:created_at 2015_06_04, updated_at 2015_06_04;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Bot Nick in IRC (Country Code ISO 3166-1 alpha-2"; flow:established,to_server; content:"NICK"; depth:5; pcre:"/^[^\r\n]{0,7}\b(?:M[ACDEFGHKLMNOPQRSTUVWXYZ]|B[ABDEFGHIJLMNOQRSTVWYZ]|S[ABCDEGHIJKLMNORSTVXYZ]|C[ACDFGHIKLMNORUVWXYZ]|G[ABDEFGHILMNPQRSTUWY]|A[DEFGILMOQRSTUWXZ]|T[CDFGHJKLMNORTVWZ]|P[AEFGHKLMNRSTWY]|N[ACEFGILOPRUZ]|K[EGHIMNPRWYZ]|L[ABCIKRSTUVY]|I[DELMNOQRST]|E[CEGHRST]|V[ACEGINU]|D[EJKMOZ]|F[IJKMOR]|H[KMNRTU]|U[AGMSYZ]|R[EOSUW]|J[EMOP]|Z[AMW]|W[FS]|Y[ET]|OM|QA)\b/R"; classtype:trojan-activity; sid:2019326; rev:6; metadata:created_at 2014_10_01, updated_at 2014_10_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0b|YouPorn Ltd"; distance:1; within:12; content:"|55 04 03|"; distance:0; content:"|0b|pornhub.xxx"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021186; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Bot Nick in IRC (Country Code ISO 3166-1 alpha-3"; flow:established,to_server; content:"NICK"; depth:5; pcre:"/^[^\r\n]{0,7}\b(?:M(?:A[CFR]|D[AGV]|N[EGP]|L[IT]|Y[ST]|[MS]R|CO|EX|HL|KD|OZ|RT|TQ|US|WI)|S(?:L[BEV]|[DEH]N|[JOP]M|G[PS]|V[KN]|W[EZ]|Y[CR]|[MU]R|AU|RB|SD|TP)|B(?:L[MRZ]|R[ABN]|E[LN]|G[DR]|H[RS]|[FW]A|DI|IH|MU|OL|TN|VT)|C(?:O[DGKLM]|H[ELN]|A[FN]|Y[MP]|[IP]V|[MX]R|CK|RI|UB|ZE)|A(?:R[EGM]|T[AFG]|L[AB]|N[DT]|U[ST]|BW|FG|GO|IA|SM|ZE)|G(?:R[CDL]|U[FMY]|I[BN]|N[BQ]|[AM]B|BR|EO|GY|HA|LP|TM)|T(?:U[NRV]|C[AD]|K[LM]|[GT]O|[HZ]A|[OW]N|JK|LS)|P(?:R[IKTY]|A[KN]|[HO]L|CN|ER|LW|NG|SE|YF)|N(?:[CPZ]L|I[CU]|[EO]R|AM|FK|GA|LD|RU)|L(?:B[NRY]|[CKV]A|[AS]O|IE|TU|UX)|I(?:R[LNQ]|S[LR]|[DM]N|ND|OT|TA)|K(?:[AG]Z|[IO]R|EN|HM|NA|WT)|E(?:S[HPT]|CU|GY|RI|TH)|V(?:[ACU]T|EN|GB|IR|NM)|D(?:[MZ]A|EU|JI|NK|OM)|F(?:R[AO]|IN|JI|LK|SM)|H(?:[MN]D|KG|RV|TI|UN)|U(?:[GS]A|KR|MI|RY|ZB)|J(?:AM|EY|OR|PN)|R(?:[EO]U|US|WA)|Z(?:AF|MB|WE)|W(?:LF|SM)|OMN|QAT|YEM)\b/R"; classtype:trojan-activity; sid:2019327; rev:6; metadata:created_at 2014_10_01, updated_at 2014_10_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|povawfas.us"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021192; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp any any -> $HOME_NET 53 (msg:"ET DOS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type both, track by_dst, seconds 60, count 5; classtype:bad-unknown; sid:2016016; rev:8; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb 01 dc 12 42 31 23 93|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021193; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 ea 18 ab 15 ab 25 ad|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019330; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Qadars WebInject SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|1e|www.freechristmasgifts2014.com"; distance:1; within:31; reference:md5,06588acf0112a84fe5f684bbafd7dc00; classtype:trojan-activity; sid:2021194; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Backdoor.Adwind Download 2"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"Adwin"; pcre:"/^[a-z0-9_-]*?\.class/Rsi"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99&tabid=3; reference:url,www.crowdstrike.com/blog/adwind-rat-rebranding/index.html; classtype:trojan-activity; sid:2018465; rev:6; metadata:created_at 2014_05_13, updated_at 2014_05_13;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|01 01|"; distance:18; within:2; content:"|55 04 03|"; distance:0; content:"|0d|web.gibnos.pw"; distance:1; within:14; reference:md5,c8131a48e834291be6c7402647250e73; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021196; rev:3; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Corpsespyware.net Distribution - fesexy"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"fesexy.net"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002768; classtype:trojan-activity; sid:2002768; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|povawer.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021197; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential FakeAV HTTP POST Check-IN (?r=)"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"User-Agent|3a| Microsoft Internet Explorer|0d 0a|"; http_header; nocase; content:"loads2.php?r="; nocase; http_uri; fast_pattern; pcre:"/loads2\.php\?r=[0-9]{2}\.[0-9]/Ui"; reference:url,doc.emergingthreats.net/2010594; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3190.420; reference:md5,94e13e13c6da5e32bde00bc527475bd2; classtype:trojan-activity; sid:2010594; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|laxitr.biz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021198; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert mypreschool.sg"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|mypreschool.sg"; distance:1; within:15; reference:md5,f186984320d0cf0a4fd501e50c7a40c5; classtype:trojan-activity; sid:2019337; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|dazopla.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021199; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Generic URLENCODED CollectGarbage"; flow:established,from_server; file_data; content:"%43%6f%6c%6c%65%63%74%47%61%72%62%61%67%65"; classtype:trojan-activity; sid:2019339; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|gipladfe.us"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021208; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Protux.B Download Update"; flow:from_client,established; content:"Mozilla/4.2.20 (compatible|3B| MSIE 5.0.2|3B| Win32|29 0D 0A|"; http_header; reference:md5,0cab2e1959a2c9eaa3aed1f2e556bf17; classtype:trojan-activity; sid:2014361; rev:3; metadata:created_at 2012_03_10, updated_at 2012_03_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|lazeca.biz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021209; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 3 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 02 84 39 97 d9 ef df|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,27b8d15950022f53ca4ca7004932cf2b; classtype:trojan-activity; sid:2019342; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|zolaxap.us"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021210; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible CryptoLocker TorComponent DL"; flow:from_server,established; flowbits:isset,FakeIEMinimal; file_data; byte_extract:1,0,size,relative; content:"|00 00 00|"; within:3; content:!"|00|"; within:size; content:"|00|"; distance:size; within:1; pcre:"/^.\x00\x00\x00[a-z0-9]+?\x00/s"; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019345; rev:2; metadata:created_at 2014_10_03, former_category CURRENT_EVENTS, updated_at 2014_10_03;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0c|babapoti.biz"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021211; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SpyClicker.ClickFraud Query Instructions CnC Response"; flow:established,to_client; content:"|0D 0A 0D 0A|{|22|query|22 3A|"; content:"|22|tasks|22 3A|"; distance:0; content:"|22|referer|22 3A|"; distance:0; content:"|22|useragent|22 3A|"; distance:0; content:"|22|clickurl|22 3A|"; distance:0; reference:url,stopmalvertising.com/malware-reports/anatomy-of-a-net-click-fraud-bot.html; reference:md5,17b077840ab874a8370c98c840b6c671; classtype:command-and-control; sid:2019357; rev:2; metadata:created_at 2014_10_06, former_category MALWARE, updated_at 2014_10_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|09|poknop.us"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021212; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.Zonebac.D"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"cid="; nocase; http_uri;content:"&aid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&fw="; nocase; http_uri; content:"&v="; nocase; http_uri;content:"&m="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008682; classtype:trojan-activity; sid:2008682; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Executable Downloaded from Google Cloud Storage"; flow:established,to_client; content:"x-goog-generation|3a 20|"; http_header; fast_pattern; content:"x-goog-metageneration|3a 20|"; http_header; content:"x-goog-stored-content-encoding|3a 20|"; http_header; content:"x-goog-stored-content-length|3a 20|"; http_header; content:"x-goog-hash|3a 20|"; http_header; file_data; content:"MZ"; within:2; reference:md5,e742e844d0ea55ef9f1c68491c702120; classtype:trojan-activity; sid:2021216; rev:3; metadata:created_at 2015_06_09, updated_at 2015_06_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e1 57 49 5f fb bc c6 aa|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019360; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"|74 3d 75 74 66 38 74 6f 31 36 28 78 78 74 65 61 5f 64 65 63 72 79 70 74 28 62 61 73 65 36 34 64 65 63 6f 64 65 28 74 29 2c|"; nocase; classtype:exploit-kit; sid:2021217; rev:2; metadata:created_at 2015_06_09, updated_at 2015_06_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 31 cd 1f 49 b2 be 4c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019361; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|10|www.carinsup.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021220; rev:3; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 42"; flow:to_server,established; dsize:>11; content:"|7c 01|"; offset:9; depth:2; byte_jump:4,-6,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]{5}.{4}\x7c\x01/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,6a6ef7b4c7e8300a73b206e32e14ce3c; classtype:command-and-control; sid:2019362; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|polasde.us"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021221; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Virut.A joining an IRC Channel"; flow:established,to_server; content:"JOIN &virtu"; depth:27; reference:md5,06b522eacdfe51bed5d041fd672e880f; reference:url,doc.emergingthreats.net/2003603; classtype:trojan-activity; sid:2003603; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|paxerba.us"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021222; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TeslaCrypt)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|www.reomesoess.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019363; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|molared.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021223; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Smoke Loader C2 Response"; flow:established,from_server; content:"Content-Length|3a| 4|0d 0a|"; http_header; file_data; content:"Smk"; depth:3; fast_pattern; pcre:"/^\d+[\r\n]*?$/Rs"; classtype:command-and-control; sid:2015835; rev:7; metadata:created_at 2012_10_23, former_category MALWARE, updated_at 2012_10_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|halowsin.us"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021224; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic CollectGarbage in Hex"; flow:established,from_server; file_data; content:"|5c|x43|5c|x6f|5c|x6c|5c|x6c|5c|x65|5c|x63|5c|x74|5c|x47|5c|x61|5c|x72|5c|x62|5c|x61|5c|x67|5c|x65"; nocase; classtype:suspicious-filename-detect; sid:2019338; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_02, deployment Perimeter, former_category HUNTING, signature_severity Informational, tag DriveBy, updated_at 2016_07_01;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 1"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021230; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK Landing"; flow:established,from_server; file_data; content:"DetectFlashForMSIE()"; content:"DetectPdfForMSIE()"; content:"http|3a 2f 2f|localhost"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019367; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 2"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{AB6172ED-8105-4996-9D2A-597B5F827501}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021231; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M2"; flow:established,from_server; file_data; content:"|5c|x3c|5c|x64|5c|x69|5c|x76|5c|x20|5c|x69|5c|x64|5c|x3d|5c|x22|5c|x6c|5c|x6f|5c|x6c|5c|x22"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019369; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 3"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{0710880F-3A55-4A2D-AA67-1123384FD859}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021232; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M3"; flow:established,from_server; file_data; content:"1776_concat.swf"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019370; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 4"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{6C51A4DB-E3DE-4FEB-86A4-32F7F8E73B99}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021233; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-1347 M2"; flow:established,from_server; file_data; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 22 39 30 22 20 2b 20 22 39 30 22 29|"; nocase; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 22 39 30 22 20 2b 20 22 39 30 22 29|"; nocase; distance:0; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 70 61 72 73 65 49 6e 74 28|"; content:"|2e 73 75 62 73 74 72 28 30 2c 32 29 2c 31 36 29 2e 74 6f 53 74 72 69 6e 67 28 31 36 29|"; distance:4; within:29; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019372; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 5"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{7F9BCFC0-B36B-45EC-B377-D88597BE5D78}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021234; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic CollectGarbage in JJEncode (Observed in Sednit)"; flow:established,from_server; file_data; content:".__$+"; pcre:"/^(?P<sep>.{1,20})\.___\+(?P=sep)\._\$\$\+(?P=sep)\._\$\+\(\!\[\]\+\x22\x22\)\[(?P=sep)\._\$_\]\+\(\!\[\]\+\x22\x22\)\[(?P=sep)\._\$_\]\+(?P=sep)\.\$\$\$_\+(?P=sep)\.\$\$__\+(?P=sep)\.__\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.___\+(?P=sep)\.\$\$\$\+(?P=sep)\.\$_\$_\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.\$\$_\+(?P=sep)\._\$_\+(?P=sep)\.\$_\$\$\+(?P=sep)\.\$_\$_\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.\$__\+(?P=sep)\.\$\$\$\+(?P=sep)\.\$\$\$_\+/R"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019373; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 6"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{57D2DE92-CE17-4A57-BFD7-CD3C6E965C6A}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021235; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-3897 M1"; flow:established,from_server; file_data; content:"|5c|x76|5c|x61|5c|x72|5c|x20|5c|x73|5c|x74|5c|x72|5c|x3d|5c|x75|5c|x6e|5c|x65|5c|x73|5c|x63|5c|x61|5c|x70|5c|x65|5c|x28|5c|x22|5c|x25|5c|x75|5c|x31|5c|x34|5c|x31|5c|x34|5c|x25|5c|x75|5c|x31|5c|x34|5c|x31|5c|x34|5c|x22|5c|x29|5c|x3b"; nocase; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019374; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 1"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|A|00|A|00|F|00|F|00|C|00|4|00|F|00|0|00|-|00|E|00|0|00|4|00|B|00|-|00|4|00|C|00|7|00|C|00|-|00|B|00|4|00|0|00|A|00|-|00|B|00|4|00|5|00|D|00|E|00|9|00|7|00|1|00|E|00|8|00|1|00|E|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021236; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 10000: (msg:"ET DELETED Possible Sweet Orange Secondary Landing"; flow:established,to_server; content:"GET "; depth:4; pcre:"/(?:\/[a-z-]+)+\.php\?[a-z]+=[0-9]+[^\r\n]+HTTP\/1\.1/R"; content:"3 HTTP/1.1"; fast_pattern:only; classtype:exploit-kit; sid:2019351; rev:3; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 2"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|A|00|B|00|6|00|1|00|7|00|2|00|E|00|D|00|-|00|8|00|1|00|0|00|5|00|-|00|4|00|9|00|9|00|6|00|-|00|9|00|D|00|2|00|A|00|-|00|5|00|9|00|7|00|B|00|5|00|F|00|8|00|2|00|7|00|5|00|0|00|1|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021237; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Winreanimator.com Fake AV Install Attempt"; flow:established,to_server; content:"/inst.php?wmid="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&l="; nocase; http_uri; content:"&s="; nocase; http_uri; reference:url,www.winreanimator.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007865; classtype:trojan-activity; sid:2007865; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 3"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|0|00|7|00|1|00|0|00|8|00|8|00|0|00|F|00|-|00|3|00|A|00|5|00|5|00|-|00|4|00|A|00|2|00|D|00|-|00|A|00|A|00|6|00|7|00|-|00|1|00|1|00|2|00|3|00|3|00|8|00|4|00|F|00|D|00|8|00|5|00|9|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021238; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Job314 EK Payload Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/knock"; depth:6; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"Mozilla/5.0 (X11|3b| Ubuntu|3b| Linux x86_64|3b| rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; http_user_agent; classtype:command-and-control; sid:2019286; rev:4; metadata:created_at 2014_09_27, former_category MALWARE, updated_at 2014_09_27;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 4"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|6|00|C|00|5|00|1|00|A|00|4|00|D|00|B|00|-|00|E|00|3|00|D|00|E|00|-|00|4|00|F|00|E|00|B|00|-|00|8|00|6|00|A|00|4|00|-|00|3|00|2|00|F|00|7|00|F|00|8|00|E|00|7|00|3|00|B|00|9|00|9|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021239; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Zbot SSL Cert Oct 9 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be cf d6 29 b3 79 8f e2|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,3a9f4fc34e121fc2e5c0d7775091714c; classtype:trojan-activity; sid:2019382; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 5"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|7|00|F|00|9|00|B|00|C|00|F|00|C|00|0|00|-|00|B|00|3|00|6|00|B|00|-|00|4|00|5|00|E|00|C|00|-|00|B|00|3|00|7|00|7|00|-|00|D|00|8|00|8|00|5|00|9|00|7|00|B|00|E|00|5|00|D|00|7|00|8|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021240; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/SpyClicker.ClickFraud Click CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/click?sid="; http_uri; depth:11; content:"&cid="; http_uri; distance:0; pcre:"/&cid=\d+$/U"; reference:url,stopmalvertising.com/malware-reports/anatomy-of-a-net-click-fraud-bot.html; reference:md5,17b077840ab874a8370c98c840b6c671; classtype:command-and-control; sid:2019356; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, signature_severity Major, tag c2, updated_at 2014_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 6"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|5|00|7|00|D|00|2|00|D|00|E|00|9|00|2|00|-|00|C|00|E|00|1|00|7|00|-|00|4|00|A|00|5|00|7|00|-|00|B|00|F|00|D|00|7|00|-|00|C|00|D|00|3|00|C|00|6|00|E|00|9|00|6|00|5|00|C|00|6|00|A|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021241; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 3653 (msg:"ET POLICY gogo6/Freenet6 Authentication Attempt"; content:"AUTHENTICATE|20|"; offset:8; pcre:"/^(?:ANONYMOUS|PASSDSS-3DES-1)\r\n/R"; threshold: type both, count 1, seconds 60, track by_src; classtype:policy-violation; sid:2019383; rev:1; metadata:created_at 2014_10_10, updated_at 2014_10_10;)
+#alert tcp any any -> any [139,445] (msg:"ET DELETED Possible Duqu 2.0 Accessing SMB/SMB2 backdoor"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"tttttttt"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021243; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fun Web Products Stampchooser Spyware"; flow: to_server,established; content:"/StampChooser.html?"; nocase; http_uri; content: "v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002307; classtype:policy-violation; sid:2002307; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex Download June 10 2015"; flow:established,from_server; content:"filename=|22|crypted.120.exe|22|"; http_header; nocase; classtype:trojan-activity; sid:2021244; rev:2; metadata:created_at 2015_06_11, updated_at 2015_06_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products StationaryChooser Spyware"; flow: to_server,established; content:"/StationeryChooser.html?"; nocase; http_uri; content: "v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002858; classtype:pup-activity; sid:2002858; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Cryptolocker C2 SSL cert serial"; flow:established,to_client; content:"|b3 b2 82 08 58 32 5e 8e|"; fast_pattern:only; reference:url,www.hybrid-analysis.com/sample/3ebc6999da89eaf44d94195b588cb869d894ca754a248b074893d11f6dd19188?environmentId=4; reference:md5,2c339dbb40b3b19ee275e4c7c1c17a18; classtype:command-and-control; sid:2021253; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible TWiki RCE attempt"; flow:established,to_server; content:"debugenableplugins="; http_uri; pcre:"/debugenableplugins=[a-zA-Z0-9]+?\x3b/U"; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236; reference:cve,2014-7236; classtype:attempted-admin; sid:2019385; rev:2; metadata:created_at 2014_10_10, updated_at 2014_10_10;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Torrentlocker C2 SSL cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b3 b2 82 08 58 32 5e 8e|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; threshold: type limit, track by_src, count 1, seconds 60; reference:md5,77c99b6f06fe443b72a0efaf8f285e4d; classtype:command-and-control; sid:2021260; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible TWiki Apache config file upload attempt"; flow:established,to_server; content:"POST"; http_method; content:"filename=|22 00|.htaccess"; http_client_body; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7237; reference:cve,2014-7237; classtype:attempted-admin; sid:2019386; rev:2; metadata:created_at 2014_10_10, updated_at 2014_10_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing URI Struct Feb 21"; flow:established,to_server; urilen:<28; content:"/lists/"; depth:7; http_uri; pcre:"/^\/lists\/\d{15}(?:\d{5})?$/U"; classtype:exploit-kit; sid:2020497; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_22, deployment Perimeter, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|junrio.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018719; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Redkit Jar Naming Pattern March 03 2013"; flow:established,to_server; content:".jar"; http_uri; nocase; content:"Java/1."; http_user_agent; pcre:"/^\/[a-z0-9]{2}\.jar$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016588; rev:15; metadata:created_at 2013_03_15, updated_at 2013_03_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|whaugirls.ru"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019388; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TeslaCrypt MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12 2a 2e|pillspharm24.com"; distance:1; within:19; reference:md5,1b4e97af9f327126146338b8cd21dd86; classtype:domain-c2; sid:2021273; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible SandWorm INF Download"; flow:to_client,established; file_data; content:"Software|5c|Microsoft|5c|Windows|5c|CurrentVersion|5c|Run"; nocase; content:"7EBEFBC0-3200-11d2-B4C2-00A0C9697D17"; nocase; content:"ClassGuid"; nocase; content:"DefaultInstall"; nocase; classtype:attempted-user; sid:2019395; rev:2; metadata:created_at 2014_10_14, former_category CURRENT_EVENTS, updated_at 2014_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Elise SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 03|"; distance:0; content:"|0b|eric-office"; distance:1; within:12; reference:md5,8334f346585aa27ac6ae86e5adcaefa2; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:trojan-activity; sid:2021279; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible SandWorm INF Download (UNICODE)"; flow:to_client,established; file_data; content:"S|00|o|00|f|00|t|00|w|00|a|00|r|00|e|00 5c 00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|C|00|u|00|r|00|r|00|e|00|n|00|t|00|V|00|e|00|r|00|s|00|i|00|o|00|n|00 5c 00|R|00|u|00|n|00|"; nocase; content:"7|00|E|00|B|00|E|00|F|00|B|00|C|00|0|00 2d 00|3|00|2|00|0|00|0|00 2d 00|1|00|1|00|d|00|2|00 2d 00|B|00|4|00|C|00|2|00 2d 00|0|00|0|00|A|00|0|00|C|00|9|00|6|00|9|00|7|00|D|00|1|00|7"; nocase; content:"C|00|l|00|a|00|s|00|s|00|G|00|u|00|i|00|d|00|"; nocase; content:"D|00|e|00|f|00|a|00|u|00|l|00|t|00|I|00|n|00|s|00|t|00|a|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2019397; rev:2; metadata:created_at 2014_10_14, former_category CURRENT_EVENTS, updated_at 2014_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Fake AV Phone Scam Landing June 16 2015 M3"; flow:established,to_client; file_data; content:"<title>Virus Firewall Alert!</title>"; nocase; fast_pattern:16,20; content:"myFunction|28 29|"; distance:0; content:"popup-mac-warning.png"; nocase; distance:0; classtype:social-engineering; sid:2021287; rev:2; metadata:created_at 2015_06_17, updated_at 2015_06_17;)
 
-#alert tcp $EXTERNAL_NET [445,139] -> $HOME_NET any (msg:"ET MALWARE Possible SandWorm INF Download (SMB)"; flow:to_client,established; content:"Software|5c|Microsoft|5c|Windows|5c|CurrentVersion|5c|Run"; nocase; content:"7EBEFBC0-3200-11d2-B4C2-00A0C9697D17"; fast_pattern; nocase; content:"ClassGuid"; nocase; content:"DefaultInstall"; nocase; classtype:attempted-user; sid:2019398; rev:2; metadata:created_at 2014_10_14, former_category CURRENT_EVENTS, updated_at 2014_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M4"; flow:established,from_server; file_data; content:"|76 68 7a 32 7a 3d 27 27 3b 74 72 79 7b 77 69 6e 64 6f 77|"; classtype:exploit-kit; sid:2021291; rev:4; metadata:created_at 2015_06_18, updated_at 2015_06_18;)
 
-#alert tcp $EXTERNAL_NET [445,139] -> $HOME_NET any (msg:"ET MALWARE Possible SandWorm INF Download (SMB UNICODE)"; flow:to_client,established; content:"S|00|o|00|f|00|t|00|w|00|a|00|r|00|e|00 5c 00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|C|00|u|00|r|00|r|00|e|00|n|00|t|00|V|00|e|00|r|00|s|00|i|00|o|00|n|00 5c 00|R|00|u|00|n|00|"; nocase; content:"7|00|E|00|B|00|E|00|F|00|B|00|C|00|0|00 2d 00|3|00|2|00|0|00|0|00 2d 00|1|00|1|00|d|00|2|00 2d 00|B|00|4|00|C|00|2|00 2d 00|0|00|0|00|A|00|0|00|C|00|9|00|6|00|9|00|7|00|D|00|1|00|7"; fast_pattern; nocase; content:"C|00|l|00|a|00|s|00|s|00|G|00|u|00|i|00|d|00|"; nocase; content:"D|00|e|00|f|00|a|00|u|00|l|00|t|00|I|00|n|00|s|00|t|00|a|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2019399; rev:3; metadata:created_at 2014_10_14, former_category CURRENT_EVENTS, updated_at 2014_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely CottonCastle/Niteris EK Response June 19 2015"; flow:established,from_server; content:"Refresh|3a 20|"; http_header; content:"|3b 20|url"; distance:0; http_header; content:"/999/00000/|0d 0a|"; distance:0; http_header; fast_pattern; pcre:"/^Refresh\x3a\x20\d+\x3b\x20url[^\r\n]+\/999\/00000\/\r?$/Hm"; classtype:exploit-kit; sid:2021306; rev:2; metadata:created_at 2015_06_19, updated_at 2015_06_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY ASProtect/ASPack Packed Binary"; flow:from_server,established; flowbits:isnotset,ET.http.binary; content:"|2E 61 73 70 61 63 6B|"; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,www.aspack.com/downloads.aspx; reference:url,bits.packetninjas.org/eblog/; reference:url,doc.emergingthreats.net/2008575; classtype:trojan-activity; sid:2008575; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious wininet UA Downloading EXE"; flow:established,from_server; flowbits:isset,ET.wininet.UA; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2021312; rev:2; metadata:created_at 2015_06_19, former_category CURRENT_EVENTS, updated_at 2015_06_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PPT Download with Embedded OLE Object"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"ppt/embeddings/oleObject"; classtype:misc-activity; sid:2019405; rev:6; metadata:created_at 2014_10_15, former_category CURRENT_EVENTS, updated_at 2014_10_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious JS Observed in Unknown EK Landing"; flow:established,from_server; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 58 4f 52 28 75 6e 65 73 63 61 70 65 28 73 74 72 48 54 4d 4c 29|"; nocase; classtype:exploit-kit; sid:2021313; rev:2; metadata:created_at 2015_06_19, updated_at 2015_06_19;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M2"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?c[\x0d\x0a]{0,2}H[\x0d\x0a]{0,2}B[\x0d\x0a]{0,2}0[\x0d\x0a]{0,2}L[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}t[\x0d\x0a]{0,2}Y[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}k[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}G[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}u[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}3[\x0d\x0a]{0,2}M[\x0d\x0a]{0,2}v[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}x[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}T[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}J[\x0d\x0a]{0,2}q[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}N[\x0d\x0a]{0,2}0/R"; classtype:misc-activity; sid:2019407; rev:2; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Adload (KaiXin Payload) Checkin Response"; flow:established,from_server; file_data; content:"[Config]|0d 0a|"; within:10; content:"[Process]|0d 0a|1="; distance:0; reference:md5,c45810710617f0149678cc1c6cbec7a6; classtype:command-and-control; sid:2021301; rev:4; metadata:created_at 2015_06_18, former_category MALWARE, updated_at 2015_06_18;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M3"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?c[\x0d\x0a]{0,2}H[\x0d\x0a]{0,2}Q[\x0d\x0a]{0,2}v[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}1[\x0d\x0a]{0,2}i[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}R[\x0d\x0a]{0,2}k[\x0d\x0a]{0,2}a[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}5[\x0d\x0a]{0,2}n[\x0d\x0a]{0,2}c[\x0d\x0a]{0,2}y[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}v[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}G[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}P[\x0d\x0a]{0,2}Y[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}p[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}Y[\x0d\x0a]{0,2}3/R"; classtype:misc-activity; sid:2019408; rev:2; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|howtoe.pw"; distance:1; within:14; reference:md5,40368db3a68f2db17853750e68cfc662; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021314; rev:3; metadata:attack_target Client_and_Server, created_at 2015_06_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M4"; flow:established,to_server; content:"cHB0L2VtYmVkZGluZ3Mvb2xlT2JqZWN0"; classtype:misc-activity; sid:2019409; rev:2; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Possible Sinkhole)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ef ee 78 a7 ef c6 52 20|"; within:35; content:"|55 04 03|"; distance:0; content:"|0c|mainsinkhole"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021315; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M5"; flow:established,to_server; content:"cHQvZW1iZWRkaW5ncy9vbGVPYmplY3"; classtype:misc-activity; sid:2019410; rev:2; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ChinaZ DDoS Bot Checkin 2"; flow:established,to_server; content:"*"; pcre:"/^\d+/R"; content:"MHZ|00 00 00 00|"; fast_pattern; within:7; content:"MB|00 00 00 00|"; distance:0; content:"M|00 00 00 00|"; distance:0; content:"|3b|"; distance:0; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/R"; reference:url,blog.malwaremustdie.org/2015/06/the-elf-chinaz-reloaded.html; classtype:command-and-control; sid:2021316; rev:1; metadata:created_at 2015_06_22, former_category MALWARE, updated_at 2015_06_22;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M6"; flow:established,to_server; content:"BwdC9lbWJlZGRpbmdzL29sZU9iamVjd"; classtype:misc-activity; sid:2019411; rev:2; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page June 22 2015"; flow:established,from_server; file_data; content:"return binary_to_base64|28|"; content:"return "; pcre:"/^\s*?[\x22\x27][^\x22\x27a-f0-9]68[^\x22\x27a-f0-9]74[^\x22\x27a-f0-9]74[^\x22\x27a-f0-9]70[^\x22\x27a-f0-9]3a[^\x22\x27a-f0-9]2f[^\x22\x27a-f0-9]2f[^\x22\x27]+?[^\x22\x27a-f0-9]00[\x22\x27]/Ri"; classtype:exploit-kit; sid:2021320; rev:2; metadata:created_at 2015_06_23, updated_at 2015_06_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d5 2e c1 9c b6 e5 96 7d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,05823d6ec6d2a483f94ae1794a06c1a6; classtype:trojan-activity; sid:2019413; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> [88.53.215.64,217.96.33.164,203.131.222.102,208.105.226.235,212.31.102.100,58.185.154.99,200.87.126.116] any (msg:"ET MALWARE Sony Breach Wiper Callout"; flow:established; threshold:type limit,count 2,track by_src,seconds 300; reference:url,krebsonsecurity.com/2014/12/sony-breach-may-have-exposed-employee-healthcare-salary-data; classtype:trojan-activity; sid:2019848; rev:3; metadata:created_at 2014_12_03, updated_at 2014_12_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 85 d5 29 cf 78 44 88 25|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019414; rev:3; metadata:attack_target Client_and_Server, created_at 2014_10_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT suspicious VBE-encoded script (seen in Sundown EK)"; flow:established,from_server; file_data; content:"Script.Encode"; content:"<!--"; within:8; content:"#@~"; within:5; flowbits:set,et.exploitkitlanding; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2021169; rev:3; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa 29 c6 1c 85 a5 85 33|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,38f4f489bd7e59ed91dc6ff95f37999f; classtype:trojan-activity; sid:2019419; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Archie.EK IE Exploit URI Struct"; flow:to_server,established; content:"/ie7.html"; http_uri; classtype:exploit-kit; sid:2018932; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Sweet Orange redirection Oct 8 2014"; flow:established,to_client; file_data; content:"String.fromCharCode(parseInt|28 28|"; pcre:"/^\s*?(?P<var1>[^\x29\x5b]+)\x5b\s*?(?P<cntr>[^\x5d]+)\s*?\x5d\s*?\+\s*?(?P=var1)\x5b\s*?(?P=cntr)\s*?\+\s*?1\s*?\x5d\s*?\x29\s*?,\s*?16\s*?\x29\s*?\^\s*?parseInt\x28\x28\s*?(?P<var2>[^\x29\x5b]+)\x5b\s*?(?P=cntr)\s*?\x5d\s*?\+\s*?(?P=var2)\x5b\s*?(?P=cntr)\s*?\+\s*?1\s*?\x5d\s*?\x29\s*?,\s*16\s*?\x29\x29\s*?\x3b\s*?(?P=cntr)\s*?\+=\s*?2\s*?\x3b/Rs"; reference:url,malware-traffic-analysis.net/2014/10/06/index2.html; classtype:exploit-kit; sid:2019375; rev:4; metadata:created_at 2014_10_09, former_category CURRENT_EVENTS, updated_at 2014_10_09;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|13|1024sslsecurity.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021339; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack Payload URI Struct Oct 16 2014"; flow:established,to_server; content:"/loxotrap.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2019456; rev:2; metadata:created_at 2014_10_16, updated_at 2014_10_16;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|typeofways.com"; distance:1; within:15; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021340; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK CVE-2014-0515 Aug 24 2014"; flow:established,to_server; content:"GET"; http_method; content:"flashhigh.swf"; fast_pattern:only; http_uri; pcre:"/^\/(?:pruncd)?flashhigh\.swf$/U"; classtype:exploit-kit; sid:2018995; rev:4; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0f|digination.info"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021341; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK CVE-2014-0497 Aug 24 2014"; flow:established,to_server; content:"flashlow.swf"; http_uri; fast_pattern:only; pcre:"/^\/(?:pruncd)?flashlow\.swf$/U"; classtype:exploit-kit; sid:2018996; rev:3; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|12|ssl.savingscore.pw"; distance:1; within:19; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021342; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK SilverLight URI Struct"; flow:to_server,established; content:"silverapp1.xap"; http_uri; fast_pattern:only; pcre:"/^\/(?:pruncd)?silverapp1\.xap$/U"; classtype:exploit-kit; sid:2019097; rev:3; metadata:created_at 2014_08_30, former_category CURRENT_EVENTS, updated_at 2014_08_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|12|supportupdate.info"; distance:1; within:19; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021343; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE1"; flow:established,to_server; content:"/YXJyYWtpczAy/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019461; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|17|patient-advertising.com"; distance:1; within:24; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021344; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE2"; flow:established,to_server; content:"/aG91c2VhdHJlaWRlczk0/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019462; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0c|pdata-next.ru"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021345; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE3"; flow:established,to_server; content:"/QmFzaGFyb2Z0aGVTYXJkYXVrYXJz/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019463; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0f|live-advert.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021346; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE4"; flow:established,to_server; content:"/U2FsdXNhU2VjdW5kdXMy/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019464; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0a|can-ip.com"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021347; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE5"; flow:established,to_server; content:"/ZXBzaWxvbmVyaWRhbmkw/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019465; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b|pandolin.ru"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021348; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|13|www.arrystreamre.ru"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019466; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0c|securebnk.eu"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021349; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Spy.KeyLogger.ODN Exfiltrating Data"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"pcname="; depth:7; http_client_body; content:"&note="; distance:0; http_client_body; content:"&country="; distance:0; http_client_body; content:"&user="; distance:0; http_client_body; content:"&log="; distance:0; http_client_body; content:!"Referer|3a|"; http_header; reference:md5,4e83c405f35efd128ab8c324c12dbde9; classtype:trojan-activity; sid:2019468; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b|fuxaloba.com"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021350; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET [443,465,993,995,25] -> $HOME_NET any (msg:"ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack"; flow:established,from_server; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019416; rev:3; metadata:created_at 2014_10_15, updated_at 2014_10_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Payload DL M1 Feb 06 2015"; flow:to_server,established; urilen:>48; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; fast_pattern:2,20; offset:49; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"|0d 0a|Host|3a|"; http_header; pcre:"/^\/(?:[A-Za-z0-9-_]{4}){11,}(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=)?$/U"; content:"GET"; http_method; classtype:exploit-kit; sid:2020385; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_07, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Zbot SSL Cert Oct 17 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f6 a0 9e 7c 8c 25 3a d0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,ae773f234152fb5df1ab35116dbb82bd; classtype:trojan-activity; sid:2019470; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET DELETED Possible Upatre or Dyre SSL Cert June 9 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021225; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_10, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b4 9e 90 15 d2 12 7f c0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019477; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Elasticsearch CVE-2015-1427 Exploit Campaign SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 08|"; distance:0; content:"|06|hacked"; distance:1; within:7; content:"|01 09 01|"; distance:0; content:"|10|hackking@126.com"; distance:1; within:17; reference:url,blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html; classtype:trojan-activity; sid:2021351; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Job314 EK URI Landing Struct"; flow:established,to_server; content:".html?action=lnd"; http_uri; pcre:"/\?action=lnd$/U"; classtype:exploit-kit; sid:2019480; rev:2; metadata:created_at 2014_10_20, former_category CURRENT_EVENTS, updated_at 2014_10_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 08|"; distance:0; content:"|07|Indiana"; distance:1; within:8; content:"|55 04 03|"; distance:0; content:"|0d|koalashelp.au"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021353; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Job314 EK URI Exploit/Payload Struct"; flow:established,to_server; content:"?action="; http_uri; content:"&exp="; http_uri; fast_pattern; pcre:"/\?action=(?:pld|exp)&exp=/U"; classtype:exploit-kit; sid:2019479; rev:3; metadata:created_at 2014_10_20, former_category CURRENT_EVENTS, updated_at 2014_10_20;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8f e3 5b c8 ea 55 d6 4a|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021354; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Zbot SSL Cert Oct 21 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca 38 a4 ec ec c1 f1 9a|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1fedcd44951c3dfb861fa83ddcec2b84; classtype:trojan-activity; sid:2019485; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b|tsescase.tk"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021355; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IRCBot.DDOS Common Commands"; flow:established,to_client; content:"PRIVMSG "; depth:8; pcre:"/^[^\r\n]*?\x3a[^\r\n]*?(?:port(?:scan)?|udp[1-3]|tcp|http|download)[^\r\n]+?(?:\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}|https?\x3A\x2F\x2F)/Ri"; reference:md5,ef54080af1782dd29356032b7ff20849; classtype:trojan-activity; sid:2019471; rev:3; metadata:created_at 2014_10_20, updated_at 2014_10_20;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET DELETED Possible Upatre or Dyre SSL Cert June 29 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,8,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-zA-Z]{0,119}[0-9])[a-zA-Z0-9]{9,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-zA-Z]{0,119}[0-9])[a-zA-Z0-9]{9,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-zA-Z]{0,119}[0-9])(?P<var>[a-zA-Z0-9]{9,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021369; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_29, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IRC Bot Common PRIVMSG Commands"; flow:established,to_client; content:"PRIVMSG "; depth:8; pcre:"/^[^\r\n]*?(?:p[ao]rt|udp|c?tcp|http|d(?:ie|ownload)|mail|c?back|(?:msg|notice)?flood)/Ri"; classtype:trojan-activity; sid:2019486; rev:1; metadata:created_at 2014_10_21, updated_at 2014_10_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SPL Landing Page Requested"; flow:established,to_server; content:"/?"; http_uri; content:"YWZmaWQ9"; http_uri; classtype:trojan-activity; sid:2015698; rev:3; metadata:created_at 2012_09_12, updated_at 2012_09_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack Payload URI Struct Oct 22 2014"; flow:established,to_server; content:"/ldcigar.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2019487; rev:2; metadata:created_at 2014_10_22, updated_at 2014_10_22;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 95 12 ee 90 e8 0f 66|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,22b0d4ff64d3cb3080feb47ce52988e9; classtype:domain-c2; sid:2021375; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Oct 22 2014"; flow:established,from_server; file_data; content:".join(|22 22|)|3b 3b|"; pcre:"/^\s*?\n\s*?(?P<func>[^\x28\r\n\s]+)\s*?\(\s*?(?P<var>[^\+\x29]+)\+[^\r\n]+\r?\n\s*?<\/script>\s+<script>\s+(?P=func)\s*?\x28\s*?(?P=var)\+[^\r\n]+\r?\n\s*?<\/script>\s+<script>\s+(?P=func)\s*?\x28\s*?(?P=var)\+/Rs"; classtype:exploit-kit; sid:2019489; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Mocelpa Client Hello CnC Beacon"; flow:established,to_server; content:"|16 03 01|"; depth:3; content:"|54 b4 c9 7b|"; distance:0; content:"|00 00 00 12 00 10 00 00 0d|www.apple.com"; distance:0; reference:url,blog.dragonthreatlabs.com/2015/07/dtl-06282015-01-apt-on-taiwan-insight.html; classtype:command-and-control; sid:2021379; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_07_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert udp $HOME_NET 5351 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response Successful TCP Map to External Network"; dsize:16; content:"|82 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019491; rev:2; metadata:created_at 2014_10_22, updated_at 2014_10_22;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dridex SSL Cert July 6 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 0e 34 be 9a f3 1e d7|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|07|pace.eu"; distance:1; within:8; reference:md5,0facc32fc6f9c67650575c8a8298bef2; classtype:trojan-activity; sid:2021380; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_06, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert udp $HOME_NET 5351 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response Successful UDP Map to External Network"; dsize:16; content:"|81 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019492; rev:2; metadata:created_at 2014_10_22, updated_at 2014_10_22;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Denisca.A CnC Beacon"; content:"|7c 2a 26|"; depth:3; fast_pattern; content:"|7c|"; distance:0; content:"|7c|"; distance:16; within:1; content:"|7c|"; distance:0; pcre:"/\x7c[a-f0-9]{16}\x7c\d+\x7c$/"; reference:md5,0075c4d976984436443b30926ad818dd; classtype:command-and-control; sid:2021385; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_07_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_07_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca f1 2e 3e cb c1 4a c0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,f4c26252042b9d520cd832b8b4a66de0; classtype:trojan-activity; sid:2019493; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex SSL Cert 30 June 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|0a|Passio dpt"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0b|romantik.it"; distance:1; within:12; reference:md5,0a977dfcb93301f1841dbe2272d3102b; classtype:trojan-activity; sid:2021370; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_06_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8c 54 a8 06 20 b6 93 90|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1754d4765a05e4637d2dcdbd1c28eaf1; classtype:trojan-activity; sid:2019494; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex SSL Cert 1 July 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|0a|gay rights"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|07|pace.eu"; distance:1; within:12; reference:md5,865164ef97c50bdd8e8740621234a3cf; classtype:trojan-activity; sid:2021372; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_02, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d6 cd df 4e c0 3c fc 13|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5159780c47b8df01d5eb00d858b4d35a; classtype:trojan-activity; sid:2019495; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Dridex SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|08|portable"; distance:1; within:9; content:"|55 04 03|"; distance:0; content:"|0b|nintendo.jp"; distance:1; within:12; classtype:trojan-activity; sid:2021388; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d1 be 1b e1 6a 4d bf 01|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,f66bf24aa5516e335873c758d007ed3c; classtype:trojan-activity; sid:2019496; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Denisca.A CnC Beacon 2"; dsize:37; content:"|2a 26|"; depth:2; content:"|26 5e|"; distance:22; fast_pattern; reference:md5,aaa4304dd5f22a017930a9eeebc8898f; classtype:command-and-control; sid:2021389; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_07_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_07_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET [443,465,993,995,25] -> any any (msg:"ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack"; flow:established,to_client; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019415; rev:3; metadata:created_at 2014_10_15, updated_at 2014_10_15;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|disaronnoterrace.es"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021391; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SSL SinkHole Cert Possible Infected Host"; flow:established,from_server; content:"|14|www.kitchensinks.n0t"; nocase; classtype:trojan-activity; sid:2019503; rev:2; metadata:created_at 2014_10_24, updated_at 2014_10_24;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wekby PCRat/Gh0st CnC Beacon (Outbound)"; flow:to_server,established; content:"HTTP|5c|1.1 Sycmentec"; depth:18; reference:md5,cfbcb83f8515bd169afd0b22488b4430; reference:url,www.volexity.com/blog/?p=158; classtype:command-and-control; sid:2021395; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Major, tag PCRAT, tag Gh0st, tag RAT, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BlackEnergy SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9a ba cb 13 6d 76 5b 79|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-the-scada-connection; classtype:trojan-activity; sid:2019504; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Wekby PCRat/Gh0st CnC Beacon (Inbound)"; flow:established,to_client; content:"HTTP|5c|1.1 Sycmentec"; depth:18; reference:md5,cfbcb83f8515bd169afd0b22488b4430; reference:url,www.volexity.com/blog/?p=158; classtype:command-and-control; sid:2021396; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Major, tag PCRAT, tag Gh0st, tag RAT, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BlackEnergy SSL Cert"; flow:from_server,established; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0b|"; distance:0; content:"|07|NETWORK"; distance:1; within:8; content:"|55 04 03|"; distance:0; content:"|0d|144.76.119.48"; distance:1; within:14; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-the-scada-connection; classtype:trojan-activity; sid:2019505; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK SilverLight Exploit"; flow:established,to_server; urilen:15; content:"/0"; depth:2; http_uri; fast_pattern; pcre:"/^\/0[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:exploit-kit; sid:2017715; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_14, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV CryptMEN - Landing Page Download Contains .hdd_icon"; flow:established,to_client; content:".hdd_icon"; content:!"nmap.org"; content:!"seclists.org"; classtype:bad-unknown; sid:2011921; rev:7; metadata:created_at 2010_11_11, updated_at 2010_11_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HiMan EK - Payload Requested"; flow:established,to_server; content:".php?e="; http_uri; content:"&ver="; http_uri; distance:0; classtype:exploit-kit; sid:2017793; rev:4; metadata:created_at 2013_12_05, updated_at 2013_12_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DarkComet-RAT init connection"; flow:from_server,established; dsize:12; content:"|38 45 41 34 41 42 30 35 46 41 37 45|"; flowbits:set,ET.DarkCometJoin; reference:url,www.darkcomet-rat.com; reference:url,anubis.iseclab.org/?action=result&task_id=1a7326f61fef1ecb4ed4fbf3de3f3b8cb&format=txt; classtype:trojan-activity; sid:2013283; rev:4; metadata:created_at 2011_07_18, updated_at 2011_07_18;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 84 d3 15 4c 18 a1 18 9f|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021397; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert Oct 24 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e6 91 76 a5 11 ca 47 2d|"; within:35; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|04|none"; distance:1; within:5; content:"|55 04 08|"; distance:0; content:"|0c|Someprovince"; distance:1; within:13; reference:md5,35f6b510f94bd96ed9bc44e1f7bf7f38; classtype:trojan-activity; sid:2019506; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED External IP Lookup ip-api.com"; flow:established,to_server; content:"GET"; http_method; content:"/xml"; http_uri; content:"ip-api.com"; fast_pattern:only; http_header; classtype:external-ip-check; sid:2021406; rev:3; metadata:created_at 2015_07_13, updated_at 2015_07_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert www.tradeledstore.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|17|www.tradeledstore.co.uk"; distance:1; within:24; reference:md5,b12730a51341a8bfaa5c7d7e4421fe6c; classtype:trojan-activity; sid:2019507; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0e|protectthegays"; distance:1; within:15; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|08|gay team"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021393; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Backoff CnC)"; flow:from_server,established; content:"|55 04 08|"; content:"|0a|Some-State"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0d|cyberwise.biz"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019516; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c6 89 56 e5 bd 59 77 67|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,40368db3a68f2db17853750e68cfc662; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021411; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0e|rikitifer.info"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019517; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e5 d3 05 ec 6a a7 12 c5|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021417; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ba 53 8e c8 a2 a1 6c 17|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,e5395918babb67b495a094040efff909; classtype:trojan-activity; sid:2019520; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:35; content:"|55 04 03|"; distance:0; content:"|0c|cowsgirlz.es"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021426; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fe d5 e3 3b b2 f8 4e f4|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,e5395918babb67b495a094040efff909; classtype:trojan-activity; sid:2019521; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|16|Ubiquiti Networks Inc."; distance:1; within:23; content:"|55 04 03|"; distance:0; content:"|04|UBNT"; distance:1; within:5; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021427; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 81 01 15 1a 78 7f e9 6e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,2841fb14060f579e46a301baf234a1e7; classtype:trojan-activity; sid:2019522; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 4"; flow:to_server,established; content:"|28 28|"; offset:2; depth:2; content:!"|28 28|"; within:2; content:"|28 28|"; distance:2; within:2; content:!"|28 28|"; within:2; content:"|28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28|"; pcre:"/[^\x28][^\x76\x74\x02\x03\x15\x54\x12\x13\x0a\x17\x14\x16\x04\x0b\x22][\x05\x09\x0b\x0e\x08\x06\x1a-\x1f\x10\x11\x18\x19\x40-\x47\x48-\x4f\x50-\x53\x55\x56\x58-\x5e\x60-\x68\x6a-\x6f\x70\x72\x76-\x7e]{1,14}\x28/R"; reference:md5,0c2cb38062e0fb6b040518a384418b7b; classtype:command-and-control; sid:2019601; rev:6; metadata:created_at 2014_10_30, former_category MALWARE, updated_at 2014_10_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 10 4b 4c 47 43 e9 4b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,bd3fd9f55900e2c63d5f4977053e8f68; classtype:trojan-activity; sid:2019523; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Archie.EK IE CVE-2013-2551 Payload Struct"; flow:to_server,established; urilen:3; content:"/dd"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:" MSIE "; http_header; classtype:exploit-kit; sid:2018934; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP undefined code"; icode:>18; classtype:misc-activity; sid:2100197; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible CVE-2015-2424 RTF Dropping Sofacy"; flow:established,from_server; file_data; content:"D0CF11E0A1B11AE1"; nocase; content:"ffffffffff74303074"; nocase; distance:0; fast_pattern; reference:md5,112c64f7c07a959a1cbff6621850a4ad; reference:url,isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/; classtype:targeted-activity; sid:2021431; rev:2; metadata:created_at 2015_07_17, former_category MALWARE, updated_at 2015_07_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Outoing Message"; flow:to_server,established; content:"<message"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100233; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download"; flow:to_client,established; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|fb ff ff ff|"; content:"|0b 00 00 00 01 00 00 00|"; content:"|25 00 00 00 01 00 00 00|"; content:"|8b 00 00 00 01 00 00 00|"; fast_pattern; reference:url,blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/; reference:cve,2014-4141; classtype:attempted-user; sid:2019420; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Outgoing Traffic"; flow:to_server,established; content:"<stream"; nocase; reference:url,www.google.com/talk/; classtype:not-suspicious; sid:2100230; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|httpsgatevalidator.com"; distance:1; within:23; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021436; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Outgoing Auth"; flow:to_server,established; content:"<auth"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100231; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Tsyrval Panda CnC Beacon"; flow:established,to_server; content:"|75 1C 11 10 75 01 14 07 12 58 5F|"; offset:3; depth:14; classtype:command-and-control; sid:2021437; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_07_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_07_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Log Out"; flow:to_server,established; content:"</stream"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100234; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|expresstrevel.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021445; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Google Talk Startup"; flow: established,to_server; content:"google.com"; nocase; content:"jabber|3A|client"; nocase; threshold: type limit, track by_src, count 1, seconds 300; classtype:policy-violation; sid:2100877; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d9 07 45 6b c2 ad 90 a1|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021446; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Google Talk Logon"; flow:to_server,established; content:"<stream|3a|stream to=\"gmail.com\""; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100232; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Fake AV Phone Scam Landing July 20 2015 M3"; flow:to_client,established; file_data; content:"html class=|22|js js sessionstorage|22|"; fast_pattern:13,20; content:"getURLParameter"; distance:0; content:"Toll Free"; nocase; distance:0; content:"myFunction|28 29|"; nocase; distance:0; classtype:social-engineering; sid:2021448; rev:2; metadata:created_at 2015_07_20, updated_at 2015_07_20;)
 
-alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"GPL CHAT Jabber/Google Talk Logon Success"; flow:to_client,established; content:"<success"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100235; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/DDoS.Sotdas/IptabLex Checkin"; flow:to_server,established; dsize:296; content:"|72 8D 90 89 7E D6|"; offset:224; depth:6; fast_pattern; content:"|b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6|"; reference:md5,f7556d9ede5d988400b1edbb1a172634; classtype:command-and-control; sid:2021049; rev:2; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2015_05_04;)
 
-alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"GPL CHAT Jabber/Google Talk Incoming Message"; flow:to_client,established; content:"<message"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100236; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Likely SweetOrange EK Flash Exploit URI Struct"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/\/(?=[a-z0-9]{0,10}[A-Z])(?=[A-Z0-9]{0,10}[a-z])[A-Z-a-z0-9]{5,11}$/U"; pcre:"/^Referer\x3a[^\r\n]+\x3a\d{1,5}\/[^\r\n]*?[a-z]+?\.php\?[a-z]+?=\d/Hm"; classtype:exploit-kit; sid:2019543; rev:2; metadata:created_at 2014_10_28, former_category CURRENT_EVENTS, updated_at 2014_10_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java/QRat Checkin"; flow:established,to_server; content:"|73 72|"; depth:2; content:"|00 05|value"; distance:0; pcre:"/\x00\x05value$/"; classtype:command-and-control; sid:2021503; rev:1; metadata:created_at 2015_07_22, former_category MALWARE, malware_family QRat, updated_at 2018_03_06;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED SAP WAS syscmd access"; flow:to_server,established; content:"/sap/bc/BSp/sap/menu/frameset.htm"; http_uri; nocase; content:"sap-syscmd"; http_uri; nocase; reference:url,www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf; classtype:web-application-activity; sid:2100183; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java/QRat Receiving Command 1"; flow:established,from_server; dsize:16; content:"|00 0d|giveClientMac"; offset:1; fast_pattern; classtype:trojan-activity; sid:2021504; rev:1; metadata:created_at 2015_07_22, former_category TROJAN, malware_family QRat, updated_at 2018_03_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Potential Sofacy Phishing Redirect"; flow:established,to_client; file_data; content:"|22 5c|x6C|5c|x6F|5c|x63|5c|x61|5c|x74|5c|x69|5c|x6F|5c|x6E"; nocase; content:"window[_0x"; content:"[1]][_0x"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/phresh-phishing-against-government-defence-and-energy.html; classtype:targeted-activity; sid:2019540; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_10_28, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java/QRat Receiving No Commands"; flow:established,from_server; dsize:10; content:"|00 07|nothing"; offset:1; fast_pattern; classtype:trojan-activity; sid:2021505; rev:1; metadata:created_at 2015_07_22, former_category TROJAN, malware_family QRat, updated_at 2018_03_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MyWay Spyware Posting Activity Report - Dell Related"; flow:to_server,established; content:"/script/bzDellHpData.js?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003621; classtype:trojan-activity; sid:2003621; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK SilverLight Payload Request - May 2014"; flow:established,to_server; urilen:71<>79; content:!"/aHR0c"; depth:6; http_uri; content:!"/Uk0v"; depth:5; http_uri; content:"="; http_uri; offset:71; depth:6; pcre:"/^\/[-a-zA-Z0-9_]{70,75}==?$/U"; reference:url,blogs.cisco.com/security/angling-for-silverlight-exploits/; classtype:exploit-kit; sid:2018497; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_23, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/ZxShell Server Checkin Response"; flow:established,from_server; dsize:16; content:"|85 19 00 00 25 04 00 00|"; depth:8; reference:url,blogs.cisco.com/talos/opening-zxshell/; classtype:command-and-control; sid:2019587; rev:1; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2014_10_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NullHole URI Struct Jul 22 2015 M2"; flow:established,to_server; urilen:40; content:"/e.html"; http_uri; offset:33; depth:7; pcre:"/^\/[a-f0-9]{32}\/e\.html$/U"; classtype:exploit-kit; sid:2021507; rev:2; metadata:created_at 2015_07_22, updated_at 2015_07_22;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/ZxShell Checkin"; flow:established,from_server; dsize:16; content:"|86 19 00 00 04 01 00 00|"; depth:8; reference:url,blogs.cisco.com/talos/opening-zxshell/; classtype:command-and-control; sid:2019588; rev:1; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2014_10_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Edwards Packed proxy.pac from 724sky"; flow:established,from_server; file_data; content:"eval(function(p,a,c"; content:"|7C|FindProxyForURL|7C|"; nocase; content:"|7c|proxy|7c|"; nocase; content:"|7c|baidu|7c|"; nocase; reference:md5,50bd21aac1f57d90c54683995ec102aa; classtype:trojan-activity; sid:2021511; rev:2; metadata:created_at 2015_07_23, updated_at 2015_07_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|b6 8b ac d3 d7 e0 e7 36 f0 b5 63 65 1e 1a 31 ae|"; offset:16; depth:16; reference:md5,184a9d13616702154fb10ff9c5d67041; classtype:command-and-control; sid:2019589; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Tsukuba Banker Edwards Packed proxy.pac"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|FindProxyForURL|7C|"; nocase; content:"|7c|proxy|7c|"; nocase; content:"|7c|credicard|7c|"; nocase; reference:url,securityintelligence.com/tsukuba-banking-trojan-phishing-in-japanese-waters; classtype:social-engineering; sid:2020623; rev:3; metadata:created_at 2015_03_05, updated_at 2015_03_05;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|01 ec 7e 05 1d 5f 65 ab db 1c df 93 99 cd 06 21|"; offset:16; depth:16; reference:md5,09d4c2f1f24fbdcb1c286b2f4c5589d2; classtype:command-and-control; sid:2019590; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|06|coffee"; distance:1; within:7; content:"|55 04 0b|"; distance:0; content:"|07|it dept"; distance:1; within:8; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021512; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|52 13 34 da 18 3d 2f 45 a2 09 93 52 01 23 51 e3|"; offset:16; depth:16; reference:md5,ca22207c5441a100437b75d7ce0d3fe2; classtype:command-and-control; sid:2019591; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|eurotranstele.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021515; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|52 13 34 da 18 3d 2f 45 a2 09 93 52 01 23 51 e3|"; offset:16; depth:16; reference:md5,2b825e46ae60a9d15b5a731e57410425; classtype:command-and-control; sid:2019592; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0a|littlepony"; distance:1; within:11; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0a|just cause"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021514; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|3e 5c d1 68 e7 8c 47 8c ea 2f da 02 fe 43 62 47|"; offset:16; depth:16; reference:md5,afc4d73bde2a536d7a9b7596288ce180; classtype:command-and-control; sid:2019593; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|promotion-statistics.mobi"; distance:1; within:26; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021516; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Plugin-Detect Post"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"=0oPDPAP6Prooodj"; http_client_body; fast_pattern; classtype:exploit-kit; sid:2019594; rev:2; metadata:created_at 2014_10_30, former_category CURRENT_EVENTS, updated_at 2014_10_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|18|data-stats-collector.biz"; distance:1; within:25; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021517; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FlashPack Payload Download Oct 29"; flow:established,to_server; content:"/lofla1.php"; http_uri; classtype:trojan-activity; sid:2019595; rev:2; metadata:created_at 2014_10_30, former_category CURRENT_EVENTS, updated_at 2014_10_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Dridex SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|04|clan"; distance:1; within:5; content:"|55 04 0b|"; distance:0; content:"|06|bushes"; distance:1; within:7; fast_pattern; reference:md5,a5f7d314e2b996b69751a4e46503c644; classtype:trojan-activity; sid:2021518; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlashPack Secondary Landing Oct 29"; flow:established,from_server; file_data; content:"Windows%20"; within:10; content:"<br>|0d 0a|"; within:10; pcre:"/^\d/R"; content:"FlashVars=|22|exec="; pcre:"/^(?!687474703a2f2f)(?P<h>[a-f0-9]{2})(?P<t>[a-f0-9]{2})(?P=t)(?P<p>[a-f0-9]{2})(?P<colon>[a-f0-9]{2})(?P<slash>[a-f0-9]{2})(?P=slash)/R"; classtype:trojan-activity; sid:2019596; rev:2; metadata:created_at 2014_10_30, former_category CURRENT_EVENTS, updated_at 2014_10_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|07|dinasty"; distance:1; within:8; content:"|55 04 0b|"; distance:0; content:"|0d|klintons team"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021519; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Likely SweetOrange EK Java Exploit Struct (JNLP)"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".jnlp"; http_uri; pcre:"/\/(?=[a-z]*?[A-Z])(?=[A-Z]*?[a-z])[A-Z-a-z]{18}\.jnlp$/U"; classtype:exploit-kit; sid:2019600; rev:3; metadata:created_at 2014_10_30, former_category CURRENT_EVENTS, updated_at 2014_10_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Fake AV Phone Scam Landing July 23 2015"; flow:to_client,established; file_data; content:"navigator.sayswho"; content:"alertforSecuity"; fast_pattern; distance:0; content:"Firefox"; distance:0; content:"Chrome"; distance:0; content:"Netscape"; distance:0; classtype:social-engineering; sid:2021522; rev:2; metadata:created_at 2015_07_23, updated_at 2015_07_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a9 39 70 34 44 e2 04 31|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019603; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED KINS/ZeusVM Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php/"; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^[\x20-\x7e\s]{0,20}[^\x20-\x7e\s]/P"; pcre:"/\.php\/(?:[a-zA-Z0-9]+\/)+[A-F0-9]{8}$/U"; pcre:"/^User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/Hmi"; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:command-and-control; sid:2021524; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, signature_severity Major, tag c2, updated_at 2015_07_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ropest.H CnC - INBOUND set"; flow:established,from_server; content:"|28 00 00 00 00 01 00 00|"; depth:8; flowbits:set,ET.Zberp; flowbits:noalert; reference:md5,a0d843b52e33ba4f1dc72f5a28729806; classtype:command-and-control; sid:2025068; rev:1; metadata:created_at 2014_10_30, former_category MALWARE, updated_at 2017_11_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 27 d2 2d d7 bd cb 5c|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021525; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ropest.H CnC - INBOUND"; flow:established,from_server; flowbits:isset,ET.Zberp; dsize:24; content:"|10 00 00 00 00 01 00 00|"; depth:8; reference:md5,a0d843b52e33ba4f1dc72f5a28729806; classtype:command-and-control; sid:2025069; rev:1; metadata:created_at 2014_10_30, former_category MALWARE, updated_at 2017_11_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Xyligan Checkin"; flow:to_server,established; dsize:16; content:"|00 00 00 11 C8 00 00 00|"; depth:8; reference:md5,2190a2c0a3775bc9c60629ec2eb6f3b9; reference:md5,bfbc0b106a440c111a42936906d36643; classtype:command-and-control; sid:2012842; rev:3; metadata:created_at 2011_05_25, former_category MALWARE, updated_at 2011_05_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Trustezeb.J SSL Cert Oct 30 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|17|bestofthebestrussia.com"; distance:1; within:24; reference:md5,2d8211ad47b36893b6e1b3fdceb00012; classtype:trojan-activity; sid:2019605; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|09|Microsoft"; distance:1; within:10; fast_pattern; content:"|55 04 0b|"; content:"|0b|Widgits pty"; distance:1; within:12; reference:md5,32230d747829dcf77841f594aa54915a; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021529; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Flash Exploit URI Struct"; flow:established,to_server; urilen:65; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^\/[a-z0-9\x2d\x5f]{62}(?:(?:[a-z0-9\x2d\x5f]|=)=|[a-z0-9\x2d\x5f]{2})$/Ui"; classtype:exploit-kit; sid:2019513; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa ad 0a 9f da 99 c2 e3|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021541; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Java Exploit URI Struct"; flow:established,to_server; urilen:65; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/^\/[a-z0-9\x2d\x5f]{62}(?:(?:[a-z0-9\x2d\x5f]|=)=|[a-z0-9\x2d\x5f]{2})$/Ui"; classtype:exploit-kit; sid:2019514; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a4 3d 09 0a 4c 60 be 70|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021546; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER WEB-IIS Remote IIS Server Name spoof attempt loopback IP"; flow:to_server,established; content:"http|3a|//127.0.0.1"; pcre:"/http\x3A\/\/127\.0\.0\.1\/.*\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:2100139; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - PDF Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".pdf"; http_header; pcre:"/=\w{8}\.pdf/Hi"; content:"|0D 0A 0D 0A|%PDF"; fast_pattern; content:"/Filter/FlateDecode"; classtype:trojan-activity; sid:2014914; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert ip any any -> any 5060 (msg:"GPL VOIP SIP INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:2100158; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|contactcitywell.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021553; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert ip any any -> any 5060 (msg:"GPL VOIP SIP 407 Proxy Authentication Required Flood"; content:"SIP/2.0 407 Proxy Authentication Required"; depth:42; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:2100163; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 29"; flow:to_server,established; urilen:214; content:"Lzc1MTZmZDQzYWRhYTVl"; http_uri; fast_pattern; content:"=="; distance:54; http_uri; pcre:"/Host\x3a\x20a[a-z]{10}\.[a-z]{5}\./H"; classtype:exploit-kit; sid:2021559; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_31, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP MISC TFTP32 Get Format string attempt"; content:"|00 01 25 2E|"; depth:4; reference:url,www.securityfocus.com/archive/1/422405/30/0/threaded; reference:url,www.critical.lt/?vulnerabilities/200; classtype:attempted-admin; sid:2101222; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|09|democracy"; distance:1; within:10; content:"|55 04 0b|"; distance:0; content:"|09|obamacare"; distance:1; within:10; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021563; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp any any -> any 53 (msg:"GPL POLICY MISC Tunneling IP over DNS with NSTX"; byte_test: 1,>,32,12; content: "|00 10 00 01|"; offset: 12; rawbytes; threshold: type threshold, track by_src, count 50, seconds 60; reference:url,nstx.dereference.de/nstx/; reference:url,slashdot.org/articles/00/09/10/2230242.shtml; classtype:policy-violation; sid:2100208; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|srvreq.com"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021565; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:2100648; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|www.pohiola.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021566; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2100653; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d8 17 61 5f e5 c3 b3 2c|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021567; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trest1 Binary Download Attempt (multiple malware variants served)"; flow:established,to_server; content:"GET"; nocase; depth:3; http_method; content:!"Referer|3a| "; http_header; nocase; uricontent:"trest1"; fast_pattern; nocase; content:"User-Agent|3a| "; http_header; nocase; pcre:"/\/(nte|ld)\/[0-9A-Z]*trest1[0-9](\.php|\s\.asp|\.asp|\.py|\.exe|\.htm|\.html)\/[A-Z0-9]+$/Ui"; reference:url,www.malwaredomainlist.com; reference:url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on; reference:url,doc.emergingthreats.net/2010596; classtype:trojan-activity; sid:2010596; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 29 bf 95 40 97 37 f9|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021568; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"GPL VOIP EXPLOIT SIP UDP Softphone overflow attempt"; content:"|3B|branch|3D|"; content:"a|3D|"; pcre:"/^a\x3D[^\n]{1000,}/smi"; reference:bugtraq,16213; reference:cve,2006-0189; classtype:misc-attack; sid:2100223; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M1"; content:"|01 00 00 01 00 01|"; depth:6; offset:2; pcre:"/^.{4}[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021572; rev:3; metadata:created_at 2015_08_01, updated_at 2015_08_01;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Tinba DGA NXDOMAIN Responses (2)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ru|00|"; distance:15; within:4; fast_pattern; content:"|0c|"; distance:-17; within:1; pcre:"/^[a-z]{12}/R"; threshold:type both, track by_src, count 50, seconds 10; reference:md5,5808cc73c78263a8114eb205f510f6a7; reference:url,blog.malwarebytes.org/exploits-2/2014/10/exposing-the-flash-eitest-malware-campaign/; classtype:trojan-activity; sid:2019609; rev:1; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
+alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M3"; content:"|00 00 00 01 00 01|"; depth:6; offset:2; pcre:"/^.{4}[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021574; rev:3; metadata:created_at 2015_08_01, updated_at 2015_08_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible EITest Flash Redirect"; flow:established,to_client; file_data; content:"|20|name=|22|EITest|22 20|"; fast_pattern; reference:url,blog.malwarebytes.org/exploits-2/2014/10/exposing-the-flash-eitest-malware-campaign/; classtype:trojan-activity; sid:2019610; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
+alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M4"; content:"|00 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; pcre:"/^[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021575; rev:4; metadata:created_at 2015_08_01, updated_at 2015_08_01;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M1"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?B[\x0d\x0a]{0,2}w[\x0d\x0a]{0,2}d[\x0d\x0a]{0,2}C[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}J[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}G[\x0d\x0a]{0,2}R[\x0d\x0a]{0,2}p[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}d[\x0d\x0a]{0,2}z[\x0d\x0a]{0,2}L[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}s[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}U[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}i[\x0d\x0a]{0,2}a[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}j[\x0d\x0a]{0,2}d/R"; classtype:misc-activity; sid:2019406; rev:3; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
+alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M2"; content:"|01 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; pcre:"/^[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021573; rev:4; metadata:created_at 2015_08_01, updated_at 2015_08_01;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"QQB1AHQAbwBPAHAAZQBu"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019615; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Malvertising Redirection to Exploit Kit Aug 07 2014"; flow:established,to_server; content:".js?ver="; http_uri; fast_pattern:only; pcre:"/\.js\?ver=[0-9]\.[0-9]{2}\.[0-9]{4}$/U"; classtype:exploit-kit; sid:2018909; rev:4; metadata:created_at 2014_08_07, former_category EXPLOIT_KIT, updated_at 2014_08_07;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"EAdQB0AG8ATwBwAGUAb"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019616; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f0 0e 11 0a 91 e9 ea 72|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019604; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"BAHUAdABvAE8AcABlAG"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019617; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c0 15 80 14 58 47 62 12|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020961; rev:2; metadata:attack_target Client_and_Server, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"QQB1AHQAbwBFAHgAZQBj"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019618; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|uktranstele.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021530; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"EAdQB0AG8ARQB4AGUAY"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019619; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|safeboxkeyltd.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021592; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"BAHUAdABvAEUAeABlAG"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019620; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|safecitysup.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021593; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Fiesta Java Exploit/Payload URI Struct"; flow:established,to_server; urilen:68<>101; content:"Java/1."; http_user_agent; fast_pattern; content:!"="; http_uri; content:!"&"; http_uri; pcre:"/\/\??[a-f0-9]{60,}(?:\x3b\d+){1,4}$/U"; classtype:exploit-kit; sid:2019611; rev:8; metadata:created_at 2014_10_31, former_category CURRENT_EVENTS, updated_at 2014_10_31;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|89.104.95.236"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021594; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Fiesta SilverLight 4.x Exploit URI Struct"; flow:established,to_server; urilen:>68; content:"|3b|4"; http_uri; offset:60; pcre:"/\/\??[a-f0-9]{60,}\x3b4[0-1]\d{5}$/U"; classtype:exploit-kit; sid:2019623; rev:2; metadata:created_at 2014_11_03, former_category CURRENT_EVENTS, updated_at 2014_11_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HT SWF Exploit RIP"; flow:established,from_server; file_data; content:"<!-- saved from url=(0014)about|3a|internet -->"; content:"getEnvInfo"; content:"getPlatform"; content:"<embed"; pcre:"/^(?=[^>]*?\ssrc\s*?=\s*?[\x22\x27][^\x22\x27]*?\.swf[\x22\x27])(?=[^>]*?\swidth\s*?=\s*?[\x22\x27]0[\x22\x27])[^>]*?\sheight\s*?=\s*?[\x22\x27]0[\x22\x27]/Ri"; classtype:trojan-activity; sid:2021595; rev:2; metadata:created_at 2015_08_04, former_category CURRENT_EVENTS, updated_at 2015_08_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.TrojanProxy Configuration file Download"; flow:established,from_server; file_data; content:"@$@"; fast_pattern; within:3; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x40\x24\x40$/Ri"; reference:url,fireeye.com/blog/technical/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html; classtype:trojan-activity; sid:2019631; rev:2; metadata:created_at 2014_11_03, updated_at 2014_11_03;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|08|Monsanto"; distance:1; within:9; content:"|55 04 0b|"; distance:0; content:"|0b|SmartPhones"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021596; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Genome Download.php HTTP Request"; flow:established,to_server; content:"GET"; http_method; content:"/download.php?nd="; http_uri; content:"&id="; http_uri; classtype:trojan-activity; sid:2013197; rev:3; metadata:created_at 2011_07_05, updated_at 2011_07_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|enfinetoner.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021598; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing Nov 3 2014"; flow:established,to_client; file_data; content:"|61 72 73 79 6d 5b 30 5d 3d 22 65 6e 74 22 3b|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019634; rev:6; metadata:created_at 2014_11_04, former_category EXPLOIT_KIT, updated_at 2014_11_04;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|ta-portfolio.com"; distance:1; within:17; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021599; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ROM/BackOff C2 SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ed fd 42 65 de 77 35 ea|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,blog.fortinet.com/post/rom-a-new-version-of-the-backoff-pos-malware; classtype:command-and-control; sid:2019635; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|gallinj.com"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021602; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp any any -> $EXTERNAL_NET any (msg:"ET MALWARE Shellshock Backdoor.Perl.Shellbot.F C2"; flow:to_server,established; content:"JOIN #shock 777"; content:"PRIVMSG #shock|20 3a|uid="; distance:0; reference:url,pastebin.com/JpnznR3j; reference:md5,fc230c9f998c196ac6897a979e08c58d; classtype:command-and-control; sid:2019637; rev:1; metadata:created_at 2014_11_04, former_category MALWARE, updated_at 2014_11_04;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d5 e5 ff f2 10 0a 35 d0|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021603; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil EK Redirector Cookie Nov 03 2014"; flow:established,from_server; content:"ruarc="; fast_pattern:only; content:"ruarc="; depth:6; http_cookie; classtype:exploit-kit; sid:2019638; rev:4; metadata:created_at 2014_11_04, former_category CURRENT_EVENTS, updated_at 2014_11_04;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|www.enfinetoner.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021604; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32.Zbot.umpz SSL Cert Nov 4 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|16|boogermanshoptools.net"; distance:1; within:33; reference:md5,c6796076a24f35119ebe441725ec9da7; classtype:trojan-activity; sid:2019639; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Firefox PDF.js Same-Origin-Bypass CVE-2015-4495 M2"; flow:established,from_server; file_data; content:"|77 69 6e 64 6f 77 73 5f 73 65 61 72 63 68 5f 61 6e 64 5f 75 70 6c 6f 61 64 5f 69 6e 5f 61 70 70 5f 64 61 74 61 5f 62 79 5f 64 69 73 6b|"; nocase; content:"|64 71 2e 61 77 61 69 74 41 6c 6c 28 63 61 6c 6c 62 61 63 6b 29|"; nocase; reference:url,nakedsecurity.sophos.com/2015/08/07/firefox-zero-day-hole-used-against-windows-and-linux-to-steal-passwords/; reference:cve,2015-4495; classtype:attempted-user; sid:2021606; rev:2; metadata:created_at 2015_08_11, updated_at 2015_08_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange CDN Gate Sept 09 2014 Method 2"; flow:established,to_server; content:"/k?t"; http_uri; fast_pattern:only; pcre:"/\/k\?t[a-z]*=\d{5,}$/U"; classtype:exploit-kit; sid:2019146; rev:6; metadata:created_at 2014_09_10, former_category CURRENT_EVENTS, updated_at 2014_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE APT Lurker GET CnC Beacon"; flow:established,to_server; content:"GET /"; depth:5; content:".php HTTP/1."; distance:0; fast_pattern; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HOST|3a|"; distance:3; within:5; pcre:"/^[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\n(?:\r\n)?$/Rmi"; reference:md5,c5a8e09295b852a6e32186374b66e1a7; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021585; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_08_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange redirection 19 September 2014"; flow:to_client,established; file_data; content:"var ajax_data_source"; within:20; pcre:"/^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f/Ri"; flowbits:set,et.exploitkitlanding; reference:url,malware-traffic-analysis.net/2014/10/03/index.html; classtype:exploit-kit; sid:2019352; rev:3; metadata:created_at 2014_10_03, former_category EXPLOIT_KIT, updated_at 2014_10_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Magnitude EK (formerly Popads) - Font Exploit - 32HexChar.eot"; flow:established,to_server; urilen:>36; content:".eot"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{32}\.eot$/U"; content:!"fonts.gstatic.com|0d 0a|"; http_header; content:!".fitbit.com|0d 0a|"; http_header; classtype:exploit-kit; sid:2016155; rev:7; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
 
-#alert tcp $HOME_NET any -> 195.22.26.192/26 any (msg:"ET MALWARE AnubisNetworks Sinkhole TCP Connection"; flow:to_server; classtype:trojan-activity; sid:2019629; rev:2; metadata:created_at 2014_11_03, updated_at 2014_11_03;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0d|Casino Royale"; distance:1; within:14; content:"|55 04 0b|"; distance:0; content:"|05|poker"; distance:1; within:6; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021622; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> 195.22.26.192/26 any (msg:"ET MALWARE AnubisNetworks Sinkhole UDP Connection";  classtype:trojan-activity; sid:2019632; rev:4; metadata:created_at 2014_11_03, updated_at 2020_08_20;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f6 23 8b 36 d0 72 53 df|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021623; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shellshock Backdoor.Perl.Shellbot.F retrieval"; flow:to_client,established; file_data; content:"#you got shellshocked???"; depth:24; reference:url,pastebin.com/JpnznR3j; reference:md5,fc230c9f998c196ac6897a979e08c58d; classtype:trojan-activity; sid:2019644; rev:2; metadata:created_at 2014_11_05, updated_at 2014_11_05;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|presidentjunction.org"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021633; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Bedep SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"|0b|Company Ltd"; distance:1; within:12; fast_pattern; content:"|55 04 0b|"; content:"|06|office"; distance:1; within:7; reference:url,malware-traffic-analysis.net/2014/11/02/index.html; reference:md5,11837229f834d296342b205433e9bc48; classtype:trojan-activity; sid:2019645; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|tradingdelivery.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021635; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED IBiz E-Banking Integrator V2 ActiveX Edition Insecure Method"; flow:to_client,established; content:"24445430-F789-11CE-86F8-0020AFD8C6DB"; nocase; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/i"; content:"WriteOFXDataFile"; nocase; reference:url,www.milw0rm.com/exploits/5416; reference:url,doc.emergingthreats.net/2008126; classtype:web-application-attack; sid:2008126; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 e2 af 07 71 4b 6c 75|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021636; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ff 33 b2 e5 24 44 a4 09|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019648; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Redyms CnC)"; flow:established,from_server; content:"|55 04 06|"; content:"|02|US"; distance:1; within:3; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Inc."; distance:1; within:15; content:"|55 04 03|"; content:"|02|*."; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021634; rev:3; metadata:attack_target Client_and_Server, created_at 2015_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a6 08 2f bd 75 7f 25 39|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019649; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS IRC - NICK and Possible Windows XP/7"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*(?:W(?:in(?:dows)?)?[^a-z0-9]?(XP|[7-8])|Vista)/Ri"; content:!"|20|XP/7"; classtype:bad-unknown; sid:2017321; rev:8; metadata:created_at 2013_08_13, former_category INFO, updated_at 2013_08_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Malicious Attachment With Double Extension Ending In EXE"; flow:established,to_client; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; nocase; http_header; content:".exe|0d 0a|"; distance:0; http_header; fast_pattern; pcre:"/^Content-Disposition\x3a\x20attachment\x3b\x20filename=[^\r\n]+?\.[a-z]{2,4}\.exe\r?$/Hmi"; classtype:trojan-activity; sid:2019650; rev:2; metadata:created_at 2014_11_05, updated_at 2014_11_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Secondary Landing URI Struct Aug 17 2015"; flow:established,to_server; content:"GET"; http_method; content:".html&"; http_uri; fast_pattern; content:"/"; distance:-47; http_uri; pcre:"/\/\d\/?[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\.html&[a-z]+=[^&]+&[a-z]+=\d{3}\.\d{3}\.\d{3,}(?:\.\d{3,})?$/U"; classtype:exploit-kit; sid:2021639; rev:2; metadata:created_at 2015_08_17, updated_at 2015_08_17;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 05 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 49 68 e1 31 97 48 3f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,c078788d86c653f428fc3a62dd030ede; classtype:trojan-activity; sid:2019651; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Exploit URI Struct Aug 17 2015"; flow:established,to_server; content:"GET"; http_method; content:"Referer|3a|"; http_header; content:"|3a|443/"; distance:0; http_header; fast_pattern; pcre:"/\/\d\/?[A-Z]+\/[a-f0-9]{40}\/$/U"; flowbits:set,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021640; rev:2; metadata:created_at 2015_08_17, updated_at 2015_08_17;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Trustezeb.E SSL Cert Nov 05 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|easy-access.me"; distance:1; within:15; reference:md5,b648562ee817b3635fa7725afe28577c; classtype:trojan-activity; sid:2019652; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|lastinstanse.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021686; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"flashhigh.swf"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?flashhigh\.swf$/U"; classtype:exploit-kit; sid:2019656; rev:2; metadata:created_at 2014_11_06, former_category CURRENT_EVENTS, updated_at 2014_11_06;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|deliverytrading.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021687; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"flashlow.swf"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?flashlow\.swf$/U"; classtype:exploit-kit; sid:2019657; rev:2; metadata:created_at 2014_11_06, former_category CURRENT_EVENTS, updated_at 2014_11_06;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f3 d9 2f af b4 8c 02 29|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021688; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit IE URI Struct"; flow:established,to_server; content:"iebasic.html"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?iebasic\.html$/U"; classtype:exploit-kit; sid:2019659; rev:2; metadata:created_at 2014_11_06, former_category CURRENT_EVENTS, updated_at 2014_11_06;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|contrarypresidentstspea.info"; distance:1; within:29; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021695; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert ip any 5060 -> any any (msg:"GPL VOIP SIP 401 Unauthorized Flood"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_dst, count 100, seconds 60; classtype:attempted-dos; sid:2100162; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible TDS Redirecting to EK Aug 19 2015"; flow:established,from_server; file_data; content:"|27|ad|27|+|27|dEv|27|+|27|entListe|27|+|27|ner|27|"; content:"|27|att|27|+|27|achEve|27|+|27|nt|27|"; content:"|27|DOMCo|27|+|27|ntentL|27|+|27|oad|27|+|27|ed|27|"; classtype:exploit-kit; sid:2021696; rev:2; metadata:created_at 2015_08_20, updated_at 2015_08_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX Buildpath method stack overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"BuildPath"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010746; classtype:attempted-user; sid:2010746; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET 25565 -> $HOME_NET any (msg:"ET GAMES MINECRAFT Server response inbound"; flow:established,from_server; content:"|7B 22|"; depth:10; classtype:policy-violation; sid:2021701; rev:1; metadata:created_at 2015_08_21, updated_at 2015_08_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX stack overfow Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"SoftArtisans.FileManager.1"; distance:0; nocase; pcre:"/(Buildpath|GetDriveName|DriveExists|DeleteFile)/i"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010745; classtype:attempted-user; sid:2010745; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $HOME_NET 25565 -> $EXTERNAL_NET any (msg:"ET GAMES MINECRAFT Server response outbound"; flow:established,from_server; content:"|7B 22|"; depth:10; classtype:policy-violation; sid:2021702; rev:1; metadata:created_at 2015_08_21, former_category GAMES, updated_at 2015_08_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX GetDriveName method stack overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"GetDriveName"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010747; classtype:attempted-user; sid:2010747; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0e|mojojantes.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021703; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX DriveExists method stack overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"DriveExists"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010748; classtype:attempted-user; sid:2010748; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 91 48 c0 28 b4 2b 86 c7|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021704; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX DeleteFile method stack overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"DeleteFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010749; classtype:attempted-user; sid:2010749; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ursnif CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0d|serenyefa.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021705; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt % Encoding"; flow:established,to_client; content:"%70%61%72%73%65%49%6e%74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012260; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|1a|becomesthelegislatures.org"; distance:1; within:27; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021706; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-8 Encoding"; flow:established,to_client; content:"%u70%u61%u72%u73%u65%u49%u6e%u74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012261; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HT SWF Exploit RIP M2"; flow:established,from_server; file_data; content:"<!-- saved from url=(0014)about|3a|internet -->"; content:"return navigator.appName"; content:"return navigator.platform|3b|"; content:"clsid|3a|D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; classtype:trojan-activity; sid:2021710; rev:2; metadata:created_at 2015_08_25, former_category CURRENT_EVENTS, updated_at 2015_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-16 Encoding"; flow:established,to_client; content:"%u7061%u7273%u6549%u6e74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012262; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c3 f0 c2 3d 49 5e bb 16|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021717; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag % Encoding"; flow:established,to_client; content:"%3c%73%63%72%69%70%74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012263; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EvilGrab/Vidgrab Checkin"; flow:to_server,established; content:"|7c 28|"; pcre:"/^\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/R"; content:"|29 7c|"; within:2; pcre:"/^\d{1,5}/R"; content:"|7c|Win"; within:4; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:command-and-control; sid:2017413; rev:3; metadata:created_at 2013_09_04, former_category MALWARE, updated_at 2013_09_04;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.Win32.Qhost C&C Traffic Outbound (case1)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 1|00|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; reference:url,doc.emergingthreats.net/2007578; classtype:trojan-activity; sid:2007578; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b6 45 0c e4 b7 4c af d5|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021722; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.Win32.Qhost C&C Traffic Outbound (case2)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 2|00|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; reference:url,doc.emergingthreats.net/2007579; classtype:trojan-activity; sid:2007579; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|hasselbladolsonson.com"; distance:1; within:23; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021721; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Trojan.Win32.Qhost C&C Traffic Inbound (case1)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 1|00|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; reference:url,doc.emergingthreats.net/2007580; classtype:trojan-activity; sid:2007580; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|ssldata.ru"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021720; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Trojan.Win32.Qhost C&C Traffic Inbound (case2)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 2|00|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; reference:url,doc.emergingthreats.net/2007581; classtype:trojan-activity; sid:2007581; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cryptowall docs campaign Aug 2015 encrypted binary (1)"; flow:established,to_client; file_data; content:"|65 5d d1 c6 b0 88 68 62|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021725; rev:2; metadata:created_at 2015_08_27, former_category EXPLOIT_KIT, updated_at 2015_08_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit SilverLight URI Struct"; flow:established,to_server; content:"silverapp1.xap"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?silverapp1\.xap$/U"; classtype:exploit-kit; sid:2019658; rev:4; metadata:created_at 2014_11_06, former_category CURRENT_EVENTS, updated_at 2014_11_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude/Hunter EK IE Exploit Aug 23 2015"; flow:from_server,established; file_data; content:"|22 3a 22 4d 4f 56 20 5b 45 43 58 2b 30 43 5d 2c 45 41 58 22|"; fast_pattern; content:"|22 3a 22 76 69 72 74 75 61 6c 70 72 6f 74 65 63 74 22|"; classtype:exploit-kit; sid:2021707; rev:3; metadata:created_at 2015_08_24, former_category EXPLOIT_KIT, updated_at 2015_08_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear SilverLight Exploit"; flow:established,from_server; flowbits:isset,et.Nuclear.SilverLight; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; classtype:exploit-kit; sid:2019669; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_11_07, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon Response"; flow:established,to_client; file_data; content:"---!!!INSERTED!!!---"; within:20; reference:md5,ee90ec9935c7b8e1a5dad364d4545851; classtype:command-and-control; sid:2021724; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_08_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e0 62 d9 f2 16 04 d1 be|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019670; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex SSL Cert Aug 12 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|07|Arizona"; fast_pattern; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|0a|Scottsdale"; distance:1; within:11; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}\x30/Rs"; classtype:trojan-activity; sid:2021621; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 de 17 24 ba 29 9a a6 c6|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019671; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PawnStorm Java Class Stage 1 M1 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 08 47 4f 47 4f 47 4f 47 4f|"; content:"|01 00 0c 6a 61 76 61 2f 6e 65 74 2f 55 52 4c|"; content:"|01 00 0f 53 74 61 72 74 69 6e 67 20 41 70 70 6c 65 74|"; classtype:targeted-activity; sid:2021726; rev:2; metadata:created_at 2015_08_28, former_category CURRENT_EVENTS, updated_at 2015_08_28;)
 
-#alert http $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] any (msg:"ET EXPLOIT_KIT Possible HanJuan EK Flash Payload DL"; flow:to_server,established; content:"/"; http_uri; content:".php"; http_uri; fast_pattern; within:11; pcre:"/\/[a-z]{3,7}\.php$/U"; content:!"User-Agent"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:"Cache-Control|3a|"; http_header; classtype:exploit-kit; sid:2019672; rev:2; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PawnStorm Java Class Stage 2 M1 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 0e 4c 50 68 61 6e 74 6f 6d 53 75 70 65 72 3b|"; fast_pattern; content:"|01 00 32 4c 6a 61 76 61 2f 75 74 69 6c 2f 63 6f 6e 63 75 72 72 65 6e 74 2f 61 74 6f 6d 69 63 2f 41 74 6f 6d 69 63 52 65 66 65 72 65 6e 63 65 41 72 72 61 79 3b|"; classtype:targeted-activity; sid:2021727; rev:2; metadata:created_at 2015_08_28, former_category CURRENT_EVENTS, updated_at 2015_08_28;)
 
-#alert http $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] any (msg:"ET EXPLOIT_KIT Possible HanJuan EK URI Struct Actor Specific"; flow:to_server,established; content:"?zho="; http_uri; fast_pattern:only; pcre:"/\/(?:[a-z0-9]{1,7}\.php)?\?zho=/U"; classtype:exploit-kit; sid:2019673; rev:2; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PawnStorm Java Class Stage 2 M2 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 0a 63 6f 72 6d 61 63 2e 6d 63 72|"; classtype:targeted-activity; sid:2021728; rev:2; metadata:created_at 2015_08_28, former_category CURRENT_EVENTS, updated_at 2015_08_28;)
 
-#alert http $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] any (msg:"ET EXPLOIT Possible HanJuan Flash Exploit"; flow:to_server,established; content:".swf"; http_uri; fast_pattern:only; pcre:"/^\/(?:[a-z0-9]{3,7}\/)?[a-z]{3,7}\.swf$/U"; classtype:trojan-activity; sid:2019674; rev:2; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b4 ff d7 c2 ee b9 dd f0|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021731; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible HanJuan EK Actor Specific Injected iframe"; flow:from_server,established; content:"|3c 6c 69 20 63 6c 61 73 73 3d 22 69 73 2d 6e 65 77 22 3e|"; nocase; content:"|22 20 63 6c 61 73 73 3d 22 74 6f 6f 6c 74 69 70 22 20 74 69 74 6c 65 3d 22 22 3e|"; nocase; distance:0; content:"<iframe"; nocase; distance:0; content:" vspace="; nocase; content:"0"; within:3; content:" hspace="; content:"0"; within:3; content:" marginwidth="; content:"0"; within:3; content:"|3c 6c 69 20 63 6c 61 73 73 3d 22 69 73 2d 6e 65 77 22 3e|"; nocase; distance:0; classtype:exploit-kit; sid:2019675; rev:2; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d7 5d 30 37 a7 6b 0d 17|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021732; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"prancerBlit15xa.swf"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2019677; rev:2; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|bri-secure.com"; distance:1; within:15; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021733; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Operation Huyao Landing Page Nov 07 2014"; flow:established,to_server; content:"/tslyphper"; fast_pattern:only; http_uri; pcre:"/\/tslyphper(?:[A-Za-z0-9+/-_]{4})*(?:[A-Za-z0-9+/-_]{2}==|[A-Za-z0-9+/-_]{3}=|[A-Za-z0-9+/-_]{4})\.html$/U"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-phishing-technique-outfoxes-site-owners-operation-huyao/; classtype:social-engineering; sid:2019681; rev:3; metadata:created_at 2014_11_08, updated_at 2014_11_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|kingddomdirect.com"; distance:1; within:19; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021734; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil EK Redirector Cookie Nov 07 2014"; flow:established,from_server; content:"usid=sid|3a 7b 27|"; fast_pattern:only; reference:url,blog.malwarebytes.org/malvertising-2/2014/11/the-proof-is-in-the-cookie/; classtype:exploit-kit; sid:2019684; rev:3; metadata:created_at 2014_11_08, former_category CURRENT_EVENTS, updated_at 2014_11_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Aug 31 2015 T2 (BizCN)"; flow:from_server,established; file_data; content:"|3d 27 44 4f 4d 43 6f 27 2b 27 6e 74 65 6e 74 4c 27 2b 27 6f 61 64 27 2b 27 65 64 27 3b 66 6b 3d 77 69 6e 64 6f 77 3b|"; classtype:exploit-kit; sid:2021740; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing URI Struct"; flow:established,to_server; urilen:15; content:"/abhgtnedg.html"; http_uri; classtype:exploit-kit; sid:2019685; rev:2; metadata:created_at 2014_11_10, former_category CURRENT_EVENTS, updated_at 2014_11_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Double-Encoded Reverse Base64/Dean Edwards Packed JavaScript Observed in Unknown EK Feb 16 2015 b64 1 M2"; flow:established,from_server; file_data; content:"CZsUGLrxyYsEGLwhibvlGdj5WdmhCbhZXZ"; classtype:exploit-kit; sid:2020426; rev:3; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing Aug 24 2014"; flow:established,from_server; file_data; content:"+payload"; fast_pattern; nocase; content:"flashLow"; nocase; classtype:exploit-kit; sid:2018998; rev:10; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Boaxxe.BR CnC Beacon"; flow:established,to_server; content:"|7c|CM01|7c|CM02|7c|CM03|7c|"; content:!">"; reference:md5,ec38ae7c35be4d7f8103bf1db692d2f8; classtype:command-and-control; sid:2021748; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_09_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a9 db 12 6f 49 21 41 f0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019691; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ef 7e c0 ae 97 cf ff 23|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021750; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Emotet DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|eu|00|"; distance:19; within:4; fast_pattern; content:"|10|"; distance:-21; within:1; pcre:"/^[a-z]{16}/R"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,3083b68cb5c2a345972a5f79e735c7b9; classtype:trojan-activity; sid:2019692; rev:1; metadata:created_at 2014_11_12, updated_at 2014_11_12;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d4 45 4d a6 49 0c f1 ed|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021751; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Dridex Campaign Download Nov 11 2014"; flow:established,to_server; content:"/get/get.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/get\/get\.php$/U"; classtype:trojan-activity; sid:2019697; rev:2; metadata:created_at 2014_11_12, former_category CURRENT_EVENTS, updated_at 2014_11_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - ROP"; flow:established,from_server; file_data; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; content:"|98 2A 00 B0 B3 38 00 B0|"; fast_pattern; content:"|00 10 00 00 07 00 00 00 03 D0 00 D0 04 D0 00 D0 44 11 00 B0|"; distance:4; within:20; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021758; rev:2; metadata:created_at 2015_09_10, updated_at 2015_09_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Zbot SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d1 9e 51 1d eb 97 c1 ea|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|08|Sometown"; distance:1; within:9; reference:md5,37f927437de627777c5b571fc46fb218; classtype:trojan-activity; sid:2019698; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - STSC"; flow:established,from_server; file_data; content:"stsc|00 00 00 00 C0 00 00 03|"; fast_pattern; content:!"|00 00 00 00|"; within:4; pcre:"/^(?P<addr1>.{4})(?P<addr2>.{4})(?P=addr2)(?P=addr1)/Rsi"; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021759; rev:2; metadata:created_at 2015_09_10, updated_at 2015_09_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a9 e0 8a 96 fb 4a 1b b6|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019699; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Waledac 2.0/Storm Worm 3.0 GET request detected"; flow:established; content:"GET"; nocase; http_method; urilen:1; content:"/"; http_uri; content:"|0d 0a|Content-Length|3a| "; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trid"; http_header; content:"ent/4.0)|0d 0a 0d 0a 01 02 01 01 01 01 02 01|"; fast_pattern; http_header; within:20; classtype:trojan-activity; sid:2012136; rev:10; metadata:created_at 2011_01_05, updated_at 2011_01_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e6 65 21 19 a2 a2 9e 6e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019700; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|fiopol.xyz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021767; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fa 3d b1 87 b3 12 ff 2f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019701; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|online.creditoc.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021769; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 e8 67 40 49 01 84 b1|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019702; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|static.coopsrv.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021770; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9b c4 77 4f 2c d1 50 37|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019703; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 20 1c 21 75 01 8e 93|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021771; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 12 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b0 48 5c e9 94 c7 59 03|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,31536d977dfc0e158d8f7a365c0543ec; classtype:trojan-activity; sid:2019705; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PE EXE or DLL Windows file download Text"; flow:established,from_server; file_data; content:"4D5A"; distance:0; byte_jump:8,114,relative,multiplier 2,little,string,hex; content:"50450000"; distance:-126; within:8; classtype:trojan-activity; sid:2021774; rev:2; metadata:created_at 2015_09_15, updated_at 2015_09_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OSX/WireLurker CnC Beacon"; flow:established,from_server; file_data; content:"|7b 22|result|22 3a 7b 22|version|22 3a 22|"; flowbits:isset,ET.WireLurkerUA; reference:url,paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:command-and-control; sid:2019663; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_11_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|stat.coopswiss.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021776; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b9 a5 38 e3 56 d4 39 67|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019708; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|online.centersu.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021777; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 9b 4d b2 c7 f6 6f f2|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019709; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cryptowall docs campaign Sept 2015 encrypted binary (1)"; flow:established,to_client; file_data; content:"|23 31 f9 4f 62 57 73 67|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021778; rev:2; metadata:created_at 2015_09_15, former_category EXPLOIT_KIT, updated_at 2015_09_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable base64 encoded in XML"; flow: established,from_server; file_data; content:"bin.base64"; nocase; content:"<file"; nocase; content:"<stream"; nocase; content:"<?xml"; nocase; content:"TVqQA"; fast_pattern; pcre:"/^[A-Za-z0-9\s/+]{100}/Rs"; classtype:trojan-activity; sid:2019716; rev:9; metadata:created_at 2014_11_15, updated_at 2014_11_15;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|menardgevu.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021779; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [8000,8003,9004:] (msg:"ET MALWARE W32Autorun.worm.aaeh Checkin"; flow:established,to_server; content:"Host|3a| ns1.help"; pcre:"/^Host\x3a\x20ns1\.help(?:update(?:d\.(?:com?|net?|org?)|k\.(?:at?|eu?|tw)|r\.net|s\.com)|checks\.net)/mi"; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=1607456; classtype:command-and-control; sid:2019711; rev:4; metadata:created_at 2014_11_15, former_category MALWARE, updated_at 2014_11_15;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|menardgevu.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021780; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 17 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a6 9e 89 2a 06 f4 80 5f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,b7214b7ff246175e7b6bbe2db600f98e; classtype:trojan-activity; sid:2019719; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|feedfeed.name"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021781; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ce 60 aa 87 c5 4a 56 2f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0f|fvhch6y1sszzgbh"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019720; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|my.ubscard.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021782; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ce 63 1a 95 03 94 55 2e|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0c|HAMBURG GMBH"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019721; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|disaallowmediapartners.mn"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021783; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing Nov 17 2014"; flow:established,from_server; file_data; content:"flash_run2"; nocase; content:"silver_run"; nocase; content:"msie_run"; nocase; classtype:exploit-kit; sid:2019722; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f2 49 34 bb 25 38 61 40|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021784; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing Nov 17 2014 M2"; flow:established,from_server; file_data; content:"|66 66 62 67 72 6e 74 68 35 77 65 28 61 29|"; classtype:exploit-kit; sid:2019723; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Exploit Download"; flow:established,to_server; urilen:15; content:"Java/1."; http_header; content:"/0"; depth:2; http_uri; pcre:"/^\/0[a-z0-9]{13}$/U"; classtype:exploit-kit; sid:2017570; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_08, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Flash Exploit URI Struct Nov 17 2014"; flow:established,to_server; content:"/5c5390116e606055c51b2c86340beb2bd1668f6e3bbf56240a01d43db5ac6b9d.swf"; http_uri; classtype:exploit-kit; sid:2019724; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
+alert tcp any any -> $HOME_NET 80 (msg:"ET MALWARE SYNful Knock Cisco IOS Router Implant CnC Beacon (INBOUND)"; flow:established,to_server; content:"|00 00 00 00|text|00|"; byte_jump:4,0,relative,post_offset -1; isdataat:!2,relative; reference:url,fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html; classtype:command-and-control; sid:2021785; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_09_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Flash Exploit URI Struct 2 Nov 17 2014"; flow:established,to_server; content:"/6896a114d0047db5679d5da0be7eb87d77ef59ed49ef942e7b74f60fb3df2ce3.swf"; http_uri; classtype:exploit-kit; sid:2019725; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible TDSS Base64 Encoded Command 3"; flow:established,to_server; content:"ZEV4ZWN"; http_uri; classtype:trojan-activity; sid:2012923; rev:3; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing URI Struct 2 Nov 17 2014"; flow:established,to_server; content:"/9e675626486f3804603227533ab83b26f4a95a0c4f5eebbc00507558da27edc0.html"; http_uri; classtype:exploit-kit; sid:2019726; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible TDSS Base64 Encoded Command 1"; flow:established,to_server; content:"Q21kRXhl"; http_uri; classtype:trojan-activity; sid:2012921; rev:3; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NullHole EK Exploit URI Struct"; flow:established,to_server; urilen:>34; content:"/"; offset:33; depth:1; http_uri; content:"Cookie|3a 20|nhweb="; fast_pattern; pcre:"/^\/[a-f0-9]{32}\/(?=[a-z]*?[A-Z])(?=[A-Z]*?[a-z])[A-Za-z]+\.(?:html|jar|swf)$/U"; classtype:exploit-kit; sid:2019727; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible TDSS Base64 Encoded Command 2"; flow:established,to_server; content:"bWRFeGVj"; http_uri; classtype:trojan-activity; sid:2012922; rev:3; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Percent Hex Encode"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"redim|25|"; nocase; fast_pattern; pcre:"/^(?:25)?20(?:\x25(?:25)?20|\s)*?Preserve/Rsi"; content:"redim|25|"; nocase; distance:0; pcre:"/^(?:25)?20(?:\x25(?:25)?20|\s)*?Preserve/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019732; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Iron Tiger DNSTunnel Retrieving CnC"; flow:established,from_server; file_data; content:"$$$$$$$$$$"; fast_pattern; pcre:"/^(?:#+[A-Z]+)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\${10}/R"; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:command-and-control; sid:2021789; rev:2; metadata:created_at 2015_09_17, former_category MALWARE, updated_at 2015_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct"; flow:to_client,established; file_data; content:"chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)"; reference:cve,2014-6332; classtype:attempted-user; sid:2019734; rev:3; metadata:created_at 2014_11_18, updated_at 2014_11_18;)
+alert udp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET MALWARE PlugX UDP CnC Beacon"; dsize:36; content:"|00 00 50 00 02 00 00 00 00 04 00 00 00 10 00 00 00 00 00 00|"; depth:20; content:!"|00 00|"; within:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:3; within:13; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:command-and-control; sid:2021791; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct Hex Encode"; flow:to_client,established; file_data; content:"chrw|25|"; pcre:"/^(?:25)?282176\x25(?:25)?29\x25(?:25)?26chrw\x25(?:25)?2801/Rs"; reference:cve,2014-6332; classtype:attempted-user; sid:2019735; rev:3; metadata:created_at 2014_11_18, updated_at 2014_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103000; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT_KIT SPL2 EK JS HashLib Nov 18 2014"; flow:to_server,established; urilen:8; content:"/mdd5.js"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2019744; rev:3; metadata:created_at 2014_11_19, former_category CURRENT_EVENTS, updated_at 2014_11_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nntpdinfo.pw"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021797; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Landing Nov 18 2014"; flow:established,from_server; file_data; content:"v|3a|stroke id=|27|beg|27|"; fast_pattern:only; content:"<h1>Forbidden</h1>"; classtype:exploit-kit; sid:2019742; rev:3; metadata:created_at 2014_11_19, former_category CURRENT_EVENTS, updated_at 2014_11_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|reportingdelivery.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021798; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Flash Exploit Nov 18 2014"; flow:to_server,established; content:"/Drop2"; http_uri; fast_pattern:only; pcre:"/^\/Drop2(?:-\d+)\.swf$/U"; classtype:exploit-kit; sid:2019745; rev:2; metadata:created_at 2014_11_19, former_category CURRENT_EVENTS, updated_at 2014_11_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|localinstanse.net"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021799; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK PluginDetect Data Hash Nov 18 2014"; flow:to_server,established; content:".html?"; http_uri; fast_pattern:only; content:"-"; http_uri; pcre:"/\/[a-z]+?-[a-z]+?-[a-z]+?\.html\?[a-z]+\d*?=[a-f0-9]{32}$/U"; content:"GET "; pcre:"/^[^\r\n]*?(?P<name>\/[^\.\/]+\.html)\?[a-z]+?\d*?=[a-f0-9]{32}\sHTTP\/1\..+?\r\nReferer\x3a\x20[^\r\n]*?(?P=name)(?:\d{1,5})?\r\n/Rs"; classtype:exploit-kit; sid:2019743; rev:5; metadata:created_at 2014_11_19, former_category CURRENT_EVENTS, updated_at 2014_11_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|healthweather.name"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021801; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible FlashPack (FlashOnly) Payload Struct Nov 19 2014"; flow:established,to_server; content:"GET"; http_method; content:"/load.php"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9]+\/load\.php$/U"; content:!"User-Agent|3a|"; http_header; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2019753; rev:2; metadata:created_at 2014_11_20, updated_at 2014_11_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f0 83 4c 61 ec 09 e6 03|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021802; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bamital Checkin Response 1"; flow:established,from_server; file_data; content:"$$$$"; within:4; fast_pattern; pcre:"/^<(?P<var1>[a-z])>[a-z0-9/]+<\/(?P=var1)><(?P<var2>[a-z])>[a-z0-9/]+<\/(?P=var2)>/Ri"; classtype:command-and-control; sid:2019757; rev:2; metadata:created_at 2014_11_20, former_category MALWARE, updated_at 2014_11_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d3 1b a5 8f 1d d7 30 48|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021803; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.SWF; content:"Content-Disposition|3a|"; http_header; content:".swf"; http_header; content:"X-Powered-By|3a|"; http_header; pcre:"/^Content-Disposition\x3a[^\r\n]+\.swf/Hm"; content:"CWS"; classtype:exploit-kit; sid:2019765; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_11_21, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f1 03 f7 ce 62 9d fb 5a|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021804; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT FlashPack Flash Exploit Nov 20 2014"; flow:established,to_server; content:"/Main.swf"; http_uri; content:"/gate.php"; http_header; pcre:"/^Referer\x3a[^\r\n]+\/gate.php\r$/Hm"; classtype:trojan-activity; sid:2019766; rev:3; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2014_11_21;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Rovnix CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|cherniypoyas.ru"; distance:1; within:16; reference:md5,080db9578ea797cd231bc1160d3824f1; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021805; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (1)"; flow:established,to_server; urilen:>35; content:".php"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9A-Z]{15,35}\/((\d+[A-Z]){3}\d+|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016706; rev:20; metadata:created_at 2013_04_01, updated_at 2013_04_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|sslsecureserver.eu"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021809; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Exploit Requested - /spl/"; flow:established,to_server; content:"/spl/"; http_uri; fast_pattern:only; content:".jar"; http_uri; content:"Java/"; http_header; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018925; rev:5; metadata:created_at 2014_08_12, former_category CURRENT_EVENTS, updated_at 2014_08_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|uplinkadv.eu"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021810; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Archie EK T2 Landing Struct Nov 20 2014"; flow:established,to_server; urilen:70; content:".html"; http_uri; offset:65; depth:5; pcre:"/^\/[a-f0-9]{64}\.html$/U"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r?\n)/Hmi"; classtype:exploit-kit; sid:2019769; rev:4; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2014_11_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Meterpreter or Other Reverse Shell SSL Cert"; flow:established,from_server; content:"|0b|"; content:"|04 08 bb 00 ee|"; distance:23; within:5; fast_pattern; content:"|55 04 06 13 00|"; distance:0; content:"|55 04 08 13 00|"; distance:0; content:"|55 04 07 13 00|"; distance:0; content:"|55 04 0a 13 00|"; distance:0; content:"|55 04 0b 13 00|"; distance:0; content:"|55 04 03 13 00|"; distance:0; reference:md5,c3f76f444edf0b90b887d7979342e9f0; classtype:trojan-activity; sid:2035651; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Archie EK T2 PD Struct Nov 20 2014"; flow:established,to_server; urilen:68; content:"|2f|"; http_uri; depth:1; content:".js"; http_uri; offset:65; depth:3; pcre:"/^\/[a-f0-9]{64}\.js$/U"; pcre:"/^Referer\x3a[^\r\n]+\x3a\d{1,5}\/[a-f0-9]{64}\.html\r$/Hm"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r?\n)/Hmi"; classtype:exploit-kit; sid:2019768; rev:4; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2014_11_21;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|55 1d 11|"; content:"|10|blatnoidomen.com"; distance:5; within:22; fast_pattern; reference:url,sslbl.abuse.ch; reference:md5,8217cc4fc3d5781206becbef148154ea; classtype:domain-c2; sid:2021815; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing Nov 05 2014"; flow:from_server,established; file_data; content:"=|27|c"; pcre:"/^(?:\x27\s*?\+\s*?\x27)?h(?:\x27\s*?\+\s*?\x27)?a(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?A(?:\x27\s*?\+\s*?\x27)?/R"; content:"t|27 3b|return"; within:9; fast_pattern; content:".indexOf"; pcre:"/^\s*?\x28\s*?[a-z0-9]{4,6}\s*?\x28\s*?[a-z0-9]{1,3}\s*?,\s*?[a-z0-9]{1,3}\s*?\x29\s*?\x29\s*?\x3b\s*?(?P<var>[a-z0-9]{1,3})\s*?\x3d\s*?\x28\s*?(?P=var)\s*?\x2b\s*?[a-z0-9]{1,3}\s*?\x29\s*?\x25\s*?[a-z0-9]{1,3}\.length\x3b/R"; classtype:exploit-kit; sid:2019655; rev:6; metadata:created_at 2014_11_06, former_category EXPLOIT_KIT, updated_at 2014_11_06;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fc 56 1e 02 6c d4 e2 22|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; reference:md5,e448572aea062241c80dd2a15562e968; classtype:domain-c2; sid:2021816; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Internet Explorer CVE-2014-6332 Common Construct b64 1 (Observed in Archie EK)"; flow:established,from_server; file_data; content:"Y2hydygwMSkmY2hydygyMTc2KSZjaHJ3KDAxKSZjaHJ3KDAwK"; reference:cve,2014-6332; classtype:exploit-kit; sid:2019773; rev:2; metadata:created_at 2014_11_24, former_category EXPLOIT_KIT, updated_at 2014_11_24;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|www.fortamola.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021817; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Internet Explorer CVE-2014-6332 Common Construct b64 2 (Observed in Archie EK)"; flow:established,from_server; file_data; content:"NocncoMDEpJmNocncoMjE3NikmY2hydygwMSkmY2hydygwMC"; reference:cve,2014-6332; classtype:exploit-kit; sid:2019774; rev:3; metadata:created_at 2014_11_24, former_category EXPLOIT_KIT, updated_at 2014_11_24;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|business--testing.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021818; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Internet Explorer CVE-2014-6332 Common Construct b64 3 (Observed in Archie EK)"; flow:established,from_server; file_data; content:"jaHJ3KDAxKSZjaHJ3KDIxNzYpJmNocncoMDEpJmNocncoMDAp"; reference:cve,2014-6332; classtype:exploit-kit; sid:2019775; rev:2; metadata:created_at 2014_11_24, former_category EXPLOIT_KIT, updated_at 2014_11_24;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 96 99 38 87 d8 6a ee a7|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; reference:md5,ead31d4cbbd79466359d46694a9d56d3; classtype:domain-c2; sid:2021819; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f0 34 4a fb 16 96 9d 25|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|ewgcetiyu"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019786; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Ransomware Win32/WinPlock.A CnC Beacon 3"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:!"Referer|3a|"; http_header; content:"unit_action="; depth:12; http_client_body; fast_pattern; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:command-and-control; sid:2021823; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_23, deployment Perimeter, signature_severity Major, tag c2, updated_at 2015_09_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 90 3b 8c 56 23 94 93|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0b|1234567egeg"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019787; rev:3; metadata:attack_target Client_and_Server, created_at 2014_11_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 82 a8 3c 4c d7 28 96 34|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021824; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude Flash Payload"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; fast_pattern; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^\/\?[a-f0-9]{32}$/U"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; classtype:exploit-kit; sid:2019800; rev:2; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|e-securepass.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021825; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing Page Nov 25 2014"; flow:established,from_server; file_data; content:"function ckl|28|"; content:"return bmw|3b|"; distance:0; classtype:exploit-kit; sid:2019807; rev:2; metadata:created_at 2014_11_26, updated_at 2014_11_26;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1a|contactexchangenetwork.biz"; distance:1; within:27; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021826; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1913 (msg:"ET MALWARE W32/DoubleTap.APT Downloader Socks5 Setup Request"; flow:established,to_server; content:"|05 01 00|"; depth:3; reference:url,www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html; classtype:targeted-activity; sid:2019809; rev:2; metadata:created_at 2014_11_26, former_category MALWARE, updated_at 2014_11_26;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cserhtmlordi.net"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021827; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e1 d9 8a 80 b1 c5 98 08|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0f|tvd5w4gytsfheyh"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019810; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e8 06 34 93 99 f8 54 f2|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0b|Companyname"; distance:1; within:12; reference:md5,c7872508eededb17cf864886270fd3e9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021828; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|11|b85937-static.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019811; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0f|adtejoyo1377.tk"; distance:1; within:17; reference:md5,b40fc2d1f343affad7bc02ae9b37cd89; classtype:domain-c2; sid:2021842; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 b6 2a 4d 61 3d fa c6|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|09|vgergvwtd"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019812; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|00 b1 f4 fe 4c 79 ed e9 98|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,bfd8db9ed284deb64c9e4fc5bfa758bd; reference:url,www.csis.dk/da/csis/news/4726/; classtype:domain-c2; sid:2021843; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Hesperbot CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ff 02 6f 9a b5 ff c3 9c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019813; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|00 9e 0c 1c 4c 8a d4 41 f7|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,bfd8db9ed284deb64c9e4fc5bfa758bd; reference:url,www.csis.dk/da/csis/news/4726/; classtype:domain-c2; sid:2021844; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 f1 2d d7 7c 92 29 6b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019814; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|usercheck.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021845; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d9 5c 3f 2b dc 29 86 c4|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019815; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Evil JavaScript Injection Sep 29 2015"; flow:established,to_client; file_data; content:"|76 61 72 20 61 3d 22 27 31 41 71 61 70 6b 72 76 27|"; content:"|27 30 30 27 30 32 29 27 30 32 27 30 30|"; fast_pattern; distance:0; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021846; rev:2; metadata:created_at 2015_09_30, former_category CURRENT_EVENTS, updated_at 2015_09_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 73 b3 58 98 16 a7 5b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0d|cewceawf2c4ed"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019818; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Evil Redirector from iframe Sep 29 2015"; flow:established,to_server; content:"GET"; http_method; content:"/in/?|5f|BC="; depth:9; http_uri; fast_pattern; pcre:"/^\/in\/\?_BC=\d+,\d+,\d+,[0-9,-]+,$/U"; content:"Referer|3a|"; http_header; content:"/snitch?default|5f|keyword="; distance:0; http_header; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021848; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e7 df 16 fb ce 8d dc 5f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0c|wrgw4r3gwrgh"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019819; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 86 21 67 18 96 8a 67 e1|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,4568bc3e9c1a24ba792666ad1c620560; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021863; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Sakura exploit kit binary download request /out.php"; flow:established,to_server; content:"/out.php?id="; http_uri; pcre:"/\/out.php\?id=\d$/U"; classtype:exploit-kit; sid:2015677; rev:5; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 fa 10 e1 67 c6 9a 67 1b|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:md5,c55a60bb04a449eb8bc182f52124c341; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021864; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO WinHttpRequest Downloading EXE"; flow:established,from_server; flowbits:isset,et.WinHttpRequest; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2019822; rev:7; metadata:created_at 2014_12_01, former_category CURRENT_EVENTS, updated_at 2014_12_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|legallyjumps.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021865; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET EXPLOIT_KIT WinHttpRequest Downloading EXE Non-Port 80 (Likely Exploit Kit)"; flow:established,from_server; flowbits:isset,et.WinHttpRequest; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:exploit-kit; sid:2019823; rev:7; metadata:created_at 2014_12_01, former_category EXPLOIT_KIT, updated_at 2014_12_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|inbancosistems.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021866; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Microsoft Compact Office Document Format File Download"; flow:established,from_server; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; flowbits:set,et.MCOFF; flowbits:noalert; classtype:misc-activity; sid:2019834; rev:2; metadata:created_at 2014_12_02, updated_at 2014_12_02;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 d5 f9 a6 1a fa 1e 76 c6|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,0453512c8c3bb940e8c40833d1076353; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021867; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|03 15 45 cd|"; within:35; content:"|55 04 03|"; distance:0; content:"|14|static-630567398.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019839; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 eb 96 25 e5 32 57 ee 34|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,77ebe2b014baf75e45c3009b0d42fa5d; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021868; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Execute Shell Command CnC Server Message"; flow:established,to_client; content:"! SH"; depth:4; pcre:"/^[^\r\n]+?\n$/R"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019298; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 d3 1b a5 8f 1d d7 30 48|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,eeda4fa2b6f054acfce0dbc25493c366; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021869; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Hidden Embedded File"; flow:established,to_client; flowbits:isset,ET.pdf.in.http; file_data; content:"obj"; distance:0; content:"<<"; within:4; content:"/Embeddedfile"; distance:0; pcre:"/\x3C\x3C[^>]*\x2FEmbeddedfile/sm"; reference:url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/; classtype:bad-unknown; sid:2019850; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> 38.115.131.0/24 5534 (msg:"ET DELETED Soulseek traffic (2)"; flow: established; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001186; classtype:policy-violation; sid:2001186; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Magnitude Flash Exploit (IE)"; flow:established,to_server; urilen:31<>69; content:"x-flash-version"; http_header; fast_pattern:only; pcre:"/^\/\??[a-f0-9]{32}(?:\/[a-f0-9]{32})?\/?$/U"; pcre:"/Host\x3a\x20(?:\.*[a-f0-9]\.*){32}\./Hm"; classtype:exploit-kit; sid:2019799; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
+#alert tcp $HOME_NET any -> 38.115.131.0/24 2234 (msg:"ET DELETED Soulseek traffic (1)"; flow: established; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001185; classtype:policy-violation; sid:2001185; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Dec 03 2014"; flow:established,from_server; file_data; content:"=|22|replace|22 3b 27 29 3b|"; content:"|7b 41 3d 5b 5b 61 5d 2c 5b 65 76 61 6c 5d 5d 3b 7d 41 5b 31 5d 5b 30 5d 28 41 5b 30 5d 5b 30 5d 29 3b|"; classtype:exploit-kit; sid:2019874; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET !443 (msg:"ET GAMES Battle.net connection reset (possible IP-Ban)"; flow:to_client; flags:R,12; reference:url,doc.emergingthreats.net/bin/view/Main/2002117; classtype:policy-violation; sid:2002117; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - New PDF Exploit - Dec 18 2012"; flow:established,to_server; content:"1.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})1\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}1\.PDF)$/U"; classtype:exploit-kit; sid:2016058; rev:11; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|protecteding.su"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021884; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE  Possible Dyre SSL Cert Dec 4 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 24 bd ca a0  48 b4 10|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|08|thfgtjyj"; distance:1; within:9; classtype:trojan-activity; sid:2019875; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|convertcodenj.net"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021885; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AlienSpy RAT Checkin Set"; flow:established,to_server; dsize:4; content:"|ac ed|"; depth:2; flowbits:set,ET.rat.alienspy; flowbits:noalert; reference:url,contagiodump.blogspot.com/2014/11/alienspy-java-rat-samples-and-traffic.html?m=1; classtype:command-and-control; sid:2019738; rev:2; metadata:created_at 2014_11_18, former_category MALWARE, updated_at 2014_11_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Likely SweetOrange EK Java Exploit Struct (JAR)"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".jar"; http_uri; pcre:"/\/(?=[a-z0-9]{0,10}[A-Z])(?=[A-Z0-9]{0,10}[a-z])[A-Z-a-z0-9]{5,20}\.jar$/U"; classtype:exploit-kit; sid:2019542; rev:7; metadata:created_at 2014_10_28, former_category CURRENT_EVENTS, updated_at 2014_10_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"ET SCADA DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow Vulnerability"; flow:established,to_server; content:"GetFlexMLangIResourceBrowser"; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,exploit-db.com/exploits/17417/; classtype:denial-of-service; sid:2013074; rev:2; metadata:created_at 2011_06_21, updated_at 2011_06_21;)
+#alert tcp $EXTERNAL_NET 31337 -> $HOME_NET 64876 (msg:"ET EXPLOIT malformed Sack - Snort DoS-by-$um$id"; seq:0; ack:0; window:65535; dsize:0; reference:url,doc.emergingthreats.net/bin/view/Main/2002656; classtype:attempted-dos; sid:2002656; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE BitCrypt site accessed via .onion SSL Proxy"; flow:established,from_server; content:"|55 04 03|"; content:"kphijmuo2x5expag."; nocase; distance:2; within:17; classtype:trojan-activity; sid:2018399; rev:2; metadata:created_at 2014_04_18, updated_at 2014_04_18;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 a2 62 91 f3 d9 eb d2 e8|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021887; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Terminate Process CnC Server Message"; flow:established,to_client; dsize:12; content:"! LOLNOGTFO|0A|"; depth:12; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019304; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 ba bc c3 80 e0 57 54 de|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021888; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot UDP Flood CnC Server Message"; flow:established,to_client; content:"! UDP "; depth:6; pcre:"/\x21\x20UDP\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019300; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Bank of America Phish 2015-10-02"; flow:to_client,established; file_data; content:"<title>Bank of America"; nocase; fast_pattern; content:"Thank you</title>"; nocase; distance:0; content:"information.Your submitted"; nocase; distance:0; content:"Accounts Management Department in 24 hours"; nocase; distance:0; classtype:credential-theft; sid:2031686; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2015_10_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot TCP Flood CnC Server Message"; flow:established,to_client; content:"! TCP "; depth:6; pcre:"/\x21\x20TCP\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019301; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP OPTIONS invalid method case"; flow:established,to_server; content:"options"; http_method; nocase; content:!"OPTIONS"; http_method; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011034; classtype:bad-unknown; sid:2011034; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot HOLD TCP Flood CnC Server Message"; flow:established,to_client; content:"! HOLD "; depth:7; pcre:"/\x21\x20HOLD\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019302; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 dc 1a a4 07 08 2a 43 10|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,eeda4fa2b6f054acfce0dbc25493c366; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021894; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Kill Attack CnC Server Message"; flow:established,to_client; dsize:11; content:"! KILLATTK|0A|"; depth:11; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019303; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c3 10 44 fc ef 4e 6d 2a|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021895; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Enchanim C2 Client Check-in"; flow:established,to_server; content:"some_magic_code1"; depth:16; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:command-and-control; sid:2016772; rev:2; metadata:created_at 2013_04_19, former_category MALWARE, updated_at 2013_04_19;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 dc 1a a4 07 08 2a 43 10|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021896; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Lookup of Known BlackEnergy DDOS Botnet CnC Server globdomain.ru"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0A|globdomain|02|ru"; nocase; distance:0; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110116; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20100913; classtype:command-and-control; sid:2012203; rev:2; metadata:created_at 2011_01_18, updated_at 2011_01_18;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 d3 01 2a 97 16 3f bd a5|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021897; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE W32/SpyBanker Infection Confirmation Email"; flow:established,to_server; content:"From|3A 20 22|Bitch Infected|22|"; reference:md5,007eb53d1b0de237f86750a239cae48e; classtype:trojan-activity; sid:2014668; rev:2; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|bannerexchangenet.pw"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021898; rev:4; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock.6870 SSL Cert"; flow:from_server,established; content:"|00 cc 05 c7 80 14 cf 3f 50|"; content:"|55 04 08 13 0c|Someprovince"; distance:0; content:"|55 04 07 13 08|Sometown"; distance:0; classtype:trojan-activity; sid:2015795; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_10_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Adware/Spyware Adrotator for Rogue AV"; flow:established,to_server; content:"GET"; http_method; content:"nsi_install.php?"; http_uri; nocase; content:"aff_id="; nocase; http_uri; content:"&inst_result="; http_uri; content:"&id="; nocase; http_uri; reference:url,www.spywaredetector.net/spyware_encyclopedia/Trojan.Vapsup.htm; reference:url,www.spywaredetector.net/spyware_encyclopedia/Fake%20AntiSpyware.POWER-ANTIVIRUS-2009.htm; reference:url,www.threatexpert.com/threats/adware-agent-gen.html; reference:url,novirusthanks.org/blog/2008/11/rogue-antispyware-2009-served-through-beedlyus-ads/; reference:url,doc.emergingthreats.net/2009548; classtype:trojan-activity; sid:2009548; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP OPTIONS invalid method case outbound"; flow:established,to_server; content:"options "; depth:8; nocase; content:!"OPTIONS "; depth:8; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014382; rev:2; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC"; flow:established,to_server; dsize:1; content:"|c8|"; flowbits:set,ET.inj.ajq.1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008055; classtype:command-and-control; sid:2008055; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Searchwebmobile.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0F|searchwebmobile|03|com"; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013041; rev:2; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC packet 2"; flow:established,to_server; content:"|07|F"; depth:2; flowbits:isset,ET.inj.ajq.1; reference:url,doc.emergingthreats.net/2008056; classtype:command-and-control; sid:2008056; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET MALWARE Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"Wy9GbCAvRmxd"; classtype:trojan-activity; sid:2019117; rev:2; metadata:created_at 2014_09_05, former_category CURRENT_EVENTS, updated_at 2014_09_05;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC Response"; flow:established,from_server; flowbits:isset,ET.inj.ajq.1; dsize:4; content:"|00 0e 04 00|"; reference:url,doc.emergingthreats.net/2008057; classtype:command-and-control; sid:2008057; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET MALWARE Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"IFsvRmwgL0Zs"; classtype:trojan-activity; sid:2019119; rev:2; metadata:created_at 2014_09_05, former_category CURRENT_EVENTS, updated_at 2014_09_05;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC port 443"; flow:established,to_server; dsize:1; content:"|c8|"; flowbits:set,ET.inj.ajq.1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008058; classtype:command-and-control; sid:2008058; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET MALWARE Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"L0ZsIC9GbF0g"; classtype:trojan-activity; sid:2019118; rev:3; metadata:created_at 2014_09_05, former_category CURRENT_EVENTS, updated_at 2014_09_05;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC packet 2 port 443"; flow:established,to_server; content:"|07|F"; depth:2; flowbits:isset,ET.inj.ajq.1; reference:url,doc.emergingthreats.net/2008059; classtype:command-and-control; sid:2008059; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017966; rev:3; metadata:created_at 2014_01_14, updated_at 2014_01_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC Response port 443"; flow:established,from_server; flowbits:isset,ET.inj.ajq.1; dsize:4; content:"|00 0e 04 00|"; reference:url,doc.emergingthreats.net/2008060; classtype:command-and-control; sid:2008060; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"ET INFO NetSSH SSH Version String Hardcoded in Metasploit"; flow:established,to_server; content:"SSH-2.0-OpenSSH_5.0|0d 0a|"; depth:21; reference:url,github.com/rapid7/metasploit-framework/blob/master/lib/net/ssh/transport/server_version.rb; classtype:attempted-user; sid:2014925; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_06_20, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 95 51 3e 68 35 08 62 53|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021902; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 4444 (msg:"ET SCADA Golden FTP Server PASS Command Remote Buffer Overflow Attempt"; flow:established,to_server; content:"PASS"; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:bugtraq,45957; classtype:denial-of-service; sid:2013235; rev:2; metadata:created_at 2011_07_08, updated_at 2011_07_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c6 4e a8 c7 a0 db 38 64|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021903; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Easy Printer Care Software XMLCacheMgr ActiveX Control Remote Code Execution Attempt"; flow:established,to_client; content:"ActiveXObject"; nocase; content:"HPESPRIT.XMLCacheMgr.1"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:bid,51396; reference:cve,2011-4786; classtype:attempted-user; sid:2014132; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|8192bitssl.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021904; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely GoodBye 5.2 DDoS tool"; flow:to_server,established; dsize:<50; content:"|20|HTTP/1.1Host|3a 20|"; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019350; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing Page Oct 05 2015"; flow:established,from_server; file_data; content:"function ckl"; content:"VIP*/"; nocase; classtype:exploit-kit; sid:2021908; rev:3; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Ping CnC Server Message"; flow:established,to_client; dsize:7; content:"! PING|0A|"; depth:7; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019296; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 d3 01 80 9e 81 6b f8 7c|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021909; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Scanner CnC Server Message"; flow:established,to_client; dsize:12<>15; content:"! SCANNER "; depth:10; pcre:"/\x21\x20SCANNER\x20(ON|OFF)\x0A/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019297; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|1networkgate.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021910; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Get Bot IP CnC Server Message"; flow:established,to_client; dsize:13; content:"! GETLOCALIP|0A|"; depth:13; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019295; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|golantus.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021911; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8444 (msg:"ET POLICY Bitmessage Activity"; flow:established,to_server; content:"version"; offset:4; depth:7; content:"Bitmessage|3a|"; distance:0; reference:url,bitmessage.org; classtype:policy-violation; sid:2019746; rev:2; metadata:created_at 2014_11_19, updated_at 2014_11_19;)
+alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 1"; flow:established,from_server; content:"NOTICE"; content:"|3a|muBoT|20|Priv|20|Version"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021912; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/AlienSpy RAT Checkin"; flow:established,to_server; flowbits:isset,ET.rat.alienspy; content:"|78 70|"; depth:2; content:"|1f 8b 08 00 00 00 00 00 00 00 75 54|"; distance:4; within:12; reference:url,contagiodump.blogspot.com/2014/11/alienspy-java-rat-samples-and-traffic.html?m=1; classtype:command-and-control; sid:2019740; rev:2; metadata:created_at 2014_11_18, former_category MALWARE, updated_at 2014_11_18;)
+alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 2"; flow:established,from_server; content:"NOTICE"; content:"|3a|muBoT|20|says|20|"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021913; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
 
-alert tcp any 6784 -> $HOME_NET 1024: (msg:"ET POLICY Splashtop Remote Control Session Keepalive Response"; flow:established,from_server; dsize:4; content:"|31 00|"; offset:2; depth:2; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014130; rev:2; metadata:created_at 2012_01_16, updated_at 2012_01_16;)
+alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 3"; flow:established,from_server; content:"NOTICE"; content:"|3a|[Apache / PHP 5.x"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021914; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (udp) beacon"; content:"|13|QVOD protocol|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:42; reference:md5,816a02a1250d90734059ed322ace72c7; classtype:policy-violation; sid:2015966; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_11_30, deployment Perimeter, former_category P2P, signature_severity Major, tag c2, updated_at 2012_11_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 4"; flow:established,from_server; content:"NOTICE"; content:"FLOOD <target> <port> <secs>"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021915; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 623 (msg:"ET POLICY Possible IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval RAKP message 1 with default BMC usernames (Admin|root|Administrator|USERID)"; content:"|06 12|"; offset:4; depth:2; pcre:"/((\x0d|\x05)Admin(istrator)?|\x04root|\x06USERID)/Ri"; classtype:protocol-command-decode; sid:2017120; rev:2; metadata:created_at 2013_07_09, former_category POLICY, updated_at 2013_07_09;)
+alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 5"; flow:established,from_server; content:"NOTICE"; content:"|3a|Flooding with TCP"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021916; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
 
-alert udp $HOME_NET 623 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval RAKP message 2 status code Unauthorized Name"; content:"|06 13|"; offset:4; depth:2; content:"|0d|"; distance:11; within:1; classtype:protocol-command-decode; sid:2017121; rev:2; metadata:created_at 2013_07_09, former_category ATTACK_RESPONSE, updated_at 2013_07_09;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 f7 36 c4 05 31 ea 21 d3|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021920; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX J-Integra ActiveX SetIdentity Buffer Overflow"; flow:established,to_client; content:"clsid"; nocase; content:"8234E54E-20CB-4A88-9AB6-7986F99BE243"; nocase; content:"|2e|SetIdentity"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*8234E54E-20CB-4A88-9AB6-7986F99BE243\s*}?\s*(.*)(\s|>)/si"; reference:url,www.exploit-db.com/exploits/15655; classtype:attempted-user; sid:2012098; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_12_23, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 88 f8 8a 58 16 c2 f5 89|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021921; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (udp) payload"; content:"QVOD"; depth:32; reference:md5,816a02a1250d90734059ed322ace72c7; classtype:policy-violation; sid:2015967; rev:2; metadata:created_at 2012_11_30, updated_at 2012_11_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|fidobeta.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021924; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX J-Integra Remote Code Execution"; flow:established,to_client; content:"clsid"; nocase; content:"F21507A7-530F-4A89-8FE4-9D989670FD2C"; nocase; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*F21507A7-530F-4A89-8FE4-9D989670FD2C\s*}?\s*(.*)(\s|)/si"; pcre:"/\x2e[RemoveAccessPermission|AddLaunchPermission|AddAccessPermission|RemoveLaunchPermission]/"; reference:url,www.exploit-db.com/exploits/15648; classtype:attempted-user; sid:2012095; rev:3; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|makaronypolskie.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021925; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX WMITools ActiveX Remote Code Execution"; flow:established,to_client; content:"clsid"; nocase; content:"2745E5F5-D234-11D0-847A-00C04FD7BB08"; nocase; distance:0; content:"|2e|AddContextRef"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*2745E5F5-D234-11D0-847A-00C04FD7BB08\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15809/; classtype:attempted-user; sid:2012097; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_12_23, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|crenuva.net"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021926; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate"; flow:established,from_server; content:"|7a 13 4e 00 74 5b c6 78 63 64 27 c1 2f e2 a0 5b bc 79 c5 7b|"; content:"sef1941@gmail.com"; within:250; reference:url,contagiodump.blogspot.com/2011/06/jun-22-cve-2011-0611-pdf-swf-fruits-of.html; classtype:misc-activity; sid:2013223; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_07_06, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET P2P Edonkey Search Reply"; dsize:>200; content:"|e3 0f|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003315; classtype:policy-violation; sid:2003315; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019346; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
+#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; classtype:policy-violation; sid:2003310; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS HTTP GET AAAAAAAA Likely FireFlood"; flow:to_server,established; content:"GET AAAAAAAA HTTP/1.1"; content:!"Referer|3a|"; distance:0; content:!"Accept"; distance:0; content:!"|0d 0a|"; distance:0; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019347; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
+#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule Kademlia Hello Request"; dsize:<48; content:"|e4 11|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009970; classtype:policy-violation; sid:2009970; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely AnonMafiaIC DDoS tool"; flow:to_server,established; dsize:20; content:"GET / HTTP/1.0|0d 0a 0d 0a 0d 0a|"; depth:20; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019348; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET MALWARE MSIL/Banker.M Requesting Binary from SQL"; flow:established,to_server; content:"S|00|E|00|L|00|E|00|C|00|T|00 20 00|i|00|m|00|g"; content:"F|00|R|00|O|00|M|00 20 00|d|00|b|00|o|00 2e 00|n|00|o|00|v|00|o|00|s|00|l|00|o|00|a|00|d|00 20 00|"; distance:0; reference:md5,54618b126c69b2f0a3309b7c0ac5ae26; reference:url,blogs.mcafee.com/mcafee-labs/brazilian-banking-malware-hides-in-sql-database/; classtype:trojan-activity; sid:2021930; rev:1; metadata:created_at 2015_10_08, updated_at 2015_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely AnonGhost DDoS tool"; flow:to_server,established; dsize:20; content:"GET / HTTP/1.1|0d 0a 0d 0a 0d 0a|"; depth:20; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019349; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:20; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any 2067 -> $EXTERNAL_NET any (msg:"ET EXPLOIT DLSw Information Disclosure CVE-2014-7992"; flow:established,from_server; content:"Cisco"; nocase; pcre:"/^(?: Systems|\.com\/techsupport)/Ri"; threshold:type both,count 1,seconds 60,track by_dst; reference:url,www.fishnetsecurity.com/6labs/blog/cisco-dlsw-leakage-allows-retrieval-packet-contents-remote-routers; reference:url,github.com/tatehansen/dlsw_exploit; reference:cve,2014-7992; classtype:trojan-activity; sid:2019778; rev:2; metadata:created_at 2014_11_24, updated_at 2014_11_24;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5820 (msg:"ET SCAN Potential VNC Scan 5800-5820"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2002910; classtype:attempted-recon; sid:2002910; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 3478 (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request)"; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2016149; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5900:5920 (msg:"ET SCAN Potential VNC Scan 5900-5920"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2002911; classtype:attempted-recon; sid:2002911; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Random Byte Flood CnC Server Message"; flow:established,to_client; content:"! JUNK "; depth:7; pcre:"/\x21\x20JUNK\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019299; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 120; reference:url,doc.emergingthreats.net/2002992; classtype:misc-activity; sid:2002992; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET MALWARE W32/DoubleTap.APT Downloader CnC Beacon"; flow:established,to_server; content:"|05 01 00 01 c0 b8 3c e5 00 51|"; depth:10; reference:url,www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html; classtype:targeted-activity; sid:2019808; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_11_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"ET SCAN Rapid POP3S Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 120; reference:url,doc.emergingthreats.net/2002993; classtype:misc-activity; sid:2002993; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019014; rev:4; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/2002994; classtype:misc-activity; sid:2002994; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019015; rev:4; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/2002995; classtype:misc-activity; sid:2002995; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019016; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"ET SCAN Potential SSH Scan OUTBOUND"; flow:to_server; flags:S,12; threshold: type threshold, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2003068; classtype:attempted-recon; sid:2003068; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019017; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (HTTPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{HTTPFLOOD}"; fast_pattern; nocase; content:"Started consuming data from host"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021872; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-alert udp $EXTERNAL_NET 3478 -> $HOME_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Response)"; content:"|01 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2016150; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (TCPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{TCPFLOOD}"; fast_pattern; nocase; content:"Started sending tcp data to host"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021873; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019018; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (UDPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{UDPFLOOD}"; fast_pattern; nocase; content:"Started sending udp data to host"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021874; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019019; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (AUTH)"; flow:established,from_server; content:"PRIVMSG"; content:"] {AUTH} User"; fast_pattern; distance:0; nocase; content:"logged "; distance:0; pcre:"/^(?:in|out)/R"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021875; rev:5; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Sorbs.net Block Message"; flow:established,from_server; content:"sorbs.net"; classtype:not-suspicious; sid:2012985; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (RAW)"; flow:established,from_server; content:"PRIVMSG"; content:"{RAW}"; fast_pattern; nocase; content:"Executing command|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021876; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-#alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Sophos.com Block Message"; flow:established,from_server; content:"sophos.com"; classtype:not-suspicious; sid:2012984; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (EXEC)"; flow:established,from_server; content:"PRIVMSG"; content:"{EXEC}"; fast_pattern; nocase; content:"Executing command|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021877; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"ET EXPLOIT Zollard PHP Exploit Telnet Outbound"; flow:to_server,established; content:"/var/run/.zollard/"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:attempted-user; sid:2017800; rev:2; metadata:created_at 2013_12_05, updated_at 2013_12_05;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (CHSERVER)"; flow:established,from_server; content:"PRIVMSG"; content:"{CHSERVER}"; fast_pattern; nocase; content:"Changing server|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021878; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-#alert udp $HOME_NET any -> [85.255.112.0/20,67.210.0.0/20,93.188.160.0/21,77.67.83.0/24,213.109.64.0/20,64.28.176.0/20] 53 (msg:"ET DELETED Potential DNS Request from Trojan.DNSChanger infected system"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; reference:url,www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf; classtype:trojan-activity; sid:2014043; rev:2; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (RESTART)"; flow:established,from_server; content:"PRIVMSG"; content:"{RESTART}"; fast_pattern; nocase; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021880; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE W32/SCKeyLog.InfoStealer Installation Confirmation Via SMTP"; flow:established,to_server; content:"Subject|3A 20|Installation of SC-KeyLog on host"; nocase; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=910563; reference:md5,cc439073eeb244e6bcecee8b6774b672; classtype:trojan-activity; sid:2014354; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command Complete 1"; flow:established,from_server; content:"PRIVMSG"; content:"] Process finished => Total bytes read|3a|"; fast_pattern; nocase; content:"Total bytes sent|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021881; rev:4; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Zollard PHP Exploit Telnet Inbound"; flow:to_server,established; content:"/var/run/.zollard/"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:attempted-user; sid:2017799; rev:2; metadata:created_at 2013_12_05, updated_at 2013_12_05;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command Complete 2"; flow:established,from_server; content:"PRIVMSG"; content:"Total connections completed|3a|"; fast_pattern; nocase; content:"Total connections failed|3a|"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021882; rev:4; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 15525 (msg:"ET MALWARE W32/Keylogger.CI Checkin"; flow:established,to_server; dsize:5; content:"|47 00 46 00 49|"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpyWin32/Keylogger.CI#tab=2; reference:url,www.virustotal.com/en/file/95c65d44a2dd717b27c8008470f95fe46637f624b20d9e19e0c06573b94d20f9/analysis/; classtype:command-and-control; sid:2019712; rev:2; metadata:created_at 2014_11_15, former_category MALWARE, updated_at 2014_11_15;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command Complete 3"; flow:established,from_server; content:"PRIVMSG"; content:" MB|2c| Average speed|3a|"; fast_pattern; nocase; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021883; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019021; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|httpsvalidator.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021937; rev:1; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019020; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server"; flow:established,to_server; dsize:100<>300; content:"Gh0st"; depth:5; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; reference:url,www.symantec.com/connect/blogs/inside-back-door-attack; classtype:command-and-control; sid:2013214; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_06, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-alert udp any 123 -> any any (msg:"ET DOS Likely NTP DDoS In Progress Multiple UNSETTRAP Mode 6 Responses"; content:"|df 00 00 04 00|"; offset:1; depth:5; byte_test:1,!&,128,0; byte_test:1,!&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,!&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019022; rev:4; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|1gateway.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021940; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Code4hk.A Checkin"; flow:established,to_server; content:"ClientInfo"; content:"isWifi"; distance:0; content:"cpuInfo"; distance:0; content:"firstOnlineIp"; distance:0; content:"firstOnlineTime"; distance:0; content:"imei"; distance:0; content:"ipAddr"; distance:0; content:"phoneBrand"; distance:0; content:"phoneNumber"; distance:0; content:"simOperator"; distance:0; fast_pattern; reference:url,malware.lu/articles/2014/09/29/analysis-of-code4hk.html; classtype:trojan-activity; sid:2019318; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_09_30, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2016_07_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - OWASP Zed Attack Proxy Certificate Seen"; content:"|16|"; depth:1; content:"OWASP Zed Attack Proxy Root CA"; nocase; classtype:misc-activity; sid:2021941; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_10_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MS Office Macro Dridex Download URI Dec 5 2014"; flow:established,to_server; content:"GET"; http_method; urilen:13; content:"/stat/lld.php"; http_uri; fast_pattern:only; content:!"Referer|3A|"; http_header; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/; classtype:trojan-activity; sid:2019877; rev:2; metadata:created_at 2014_12_05, former_category CURRENT_EVENTS, updated_at 2014_12_05;)
+alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - BurpSuite PortSwigger Proxy Certificate Seen"; content:"|16|"; depth:1; content:"PortSwigger CA"; nocase; classtype:misc-activity; sid:2021942; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_10_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Destover RAT Check-in"; flow:established,to_server; content:"|17 03 01 00 0C E2 C4 Fd D9 E8 E3 F2 9F|"; reference:md5,d1c27ee7ce18675974edf42d4eea25c6; reference:url,www.symantec.com/connect/blogs/destover-destructive-malware-has-links-attacks-south-korea; classtype:trojan-activity; sid:2019878; rev:2; metadata:created_at 2014_12_06, updated_at 2014_12_06;)
+alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - Fiddler Proxy Certificate Seen"; content:"|16|"; depth:1; content:"DO_NOT_TRUST_FiddlerRoot"; nocase; classtype:misc-activity; sid:2021943; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_10_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 62 ab fb 64 b9 bc de|"; within:35; content:"|55 04 03|"; distance:0; content:"|05|USTiD"; distance:1; within:6; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019879; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|1networkpoint.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021945; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Nov 20 2014"; flow:established,from_server; file_data; content:"swfobject.embedSWF"; fast_pattern; pcre:"/^\s*?\(\s*?[\x22\x27]\/(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?[\x22\x27]/Rs"; classtype:exploit-kit; sid:2019762; rev:3; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex SSL Cert Oct 12 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|AU|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; classtype:trojan-activity; sid:2021946; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_13, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Nov 20 2014"; flow:established,from_server; file_data; content:"swfobject.embedSWF"; fast_pattern; pcre:"/^\s*?\(\s*?[\x22\x27]\/[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+\x3d(?:[a-z]+|[0-9]+)[\x22\x27]/Rs"; classtype:exploit-kit; sid:2019761; rev:4; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Win32/Kelihos.F Checkin"; flow:to_server,established; dsize:164; content:"|6c 55 55 45 03 10 48 40|"; offset:4; depth:8; reference:md5,dc226166dfbe28eee2576ea5141bc19d; reference:md5,dadee91e0b82fc91a25a66b61bb2f2dc; classtype:command-and-control; sid:2021947; rev:3; metadata:created_at 2015_10_13, former_category MALWARE, updated_at 2015_10_13;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.cc)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|cc|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019882; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 c5 52 94 88 a7 4d 68 f4|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021950; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.ws)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ws|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019883; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme (fardh ain)"; flow: to_client,established; content:"fardh ain"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010578; classtype:policy-violation; sid:2010578; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.to)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|to|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019884; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme/Group (Takfir)"; flow: to_client,established; content:"Takfir"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010579; classtype:policy-violation; sid:2010579; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.in)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|in|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019885; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme (Al-Wala' Wal Bara)"; flow: to_client,established; content:"Al-Wala' Wal Bara"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010580; classtype:policy-violation; sid:2010580; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.hk)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|hk|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019886; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Nemucod.M.gen downloading EXE payload"; flow:from_server,established; flowbits:isset,ET.nemucod.exerequest; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021954; rev:2; metadata:created_at 2015_10_15, updated_at 2015_10_15;)
 
-#alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.cn)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ck|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019887; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Nemucod.M.gen downloading PDF payload"; flow:from_server,established; flowbits:isset,ET.nemucod.pdfrequest; file_data; content:"%PDF-"; within:5; fast_pattern; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021955; rev:2; metadata:created_at 2015_10_15, updated_at 2015_10_15;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.tk)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|tk|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019888; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 d3 0f 9b a5 56 a0 f7 57|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021957; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.so)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|so|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019889; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 db d0 33 6a 28 4f 39 2c|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021958; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ee 63 19 d5 6a 4c 09 cf|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|UA"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019890; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|best-apps.name"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021959; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malicious Iframe Leading to EK Dec 08 2014"; flow:established,from_server; file_data; content:"document.write(|22|<iframe name=|27|"; within:30; pcre:"/^[A-Za-z0-9]+\x27\s*?src=\x27http\x3a[^\x27]+[\x27]\s*width=1\d\s+height=1\d\s+/R"; content:"frameborder=0 marginheight=0 marginwidth=0 scrolling=no"; content:"</|22| +  |22|iframe>|22|)|3b|"; fast_pattern; isdataat:!3,relative; classtype:exploit-kit; sid:2019892; rev:2; metadata:created_at 2014_12_09, former_category CURRENT_EVENTS, updated_at 2014_12_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Versatile Bulletin Board SQL Injection Attack"; flow:to_server,established; content:"/index.php?"; http_uri; nocase; content:"select="; nocase; http_uri; fast_pattern; pcre:"/UNION\s+SELECT/URi"; reference:bugtraq,15068; reference:url,doc.emergingthreats.net/2002494; classtype:web-application-attack; sid:2002494; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (1)"; flow:established,to_client; file_data; content:"|0e c7 9d 28 8c cb ae 85|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019893; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP USER overflow attempt"; flow:to_server,established,no_stream; content:"USER|20|"; nocase; isdataat:100,relative; pcre:"/^USER\x20[^\x00\x20\x0a\x0d]{100}/smi"; reference:bugtraq,10078; reference:bugtraq,1227; reference:bugtraq,1504; reference:bugtraq,1690; reference:bugtraq,4638; reference:bugtraq,7307; reference:bugtraq,8376; reference:cve,1999-1510; reference:cve,1999-1514; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0761; reference:cve,2000-0943; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0256; reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126; reference:cve,2002-1522; reference:cve,2003-0271; reference:cve,2004-0286; classtype:attempted-admin; sid:2101734; rev:36; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malicious Redirect Leading to EK Dec 08 2014"; flow:established,from_server; content:"Content-Type|3a 20 0d 0a|"; http_header; fast_pattern:only; pcre:"/^Last-Modified\x3a\x20[^A-Za-z]{2}/Hm"; file_data; content:"<meta http-equiv=|22|refresh|22| content=|22|0|3b| url="; classtype:exploit-kit; sid:2019895; rev:2; metadata:created_at 2014_12_09, former_category CURRENT_EVENTS, updated_at 2014_12_09;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|UK|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; classtype:domain-c2; sid:2021980; rev:1; metadata:attack_target Client_and_Server, created_at 2015_10_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Linux.Turla Download"; flow:from_server,established; flowbits:isset,ET.ELFDownload; content:"__we_are_happy__"; content:"__TREX__STOP__STRING__"; distance:0; content:"/dev/random"; distance:1; within:11; reference:url,securelist.com/blog/research/67962/the-penquin-turla-2/; reference:md5,19fbd8cbfb12482e8020a887d6427315; classtype:targeted-activity; sid:2019896; rev:2; metadata:created_at 2014_12_09, updated_at 2014_12_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible ethereum traffic"; flow:established,to_server; content:"POST"; depth:4; content:"|22|id|22 3a|"; nocase; distance:0; content:"|22|jsonrpc|22 3a|"; nocase; distance:0; content:"|22|method|22 3a|"; nocase; distance:0; pcre:"/^[^/s]*(?:eth_(?:g(?:et(?:B(?:lock(?:TransactionCountBy(?:Number|Hash)|By(?:Number|Hash))|alance)|Transaction(?:By(?:Block(?:Number|Hash)AndIndex|Hash)|(?:Receip|Coun)t)|Uncle(?:ByBlock(?:Number|Hash)AndIndex|CountByBlock(?:Number|Hash))|(?:Filter(?:Change|Log)|Log)s|Co(?:mpilers|de)|StorageAt|Work)|asPrice)|(?:(?:new(?:PendingTransaction|Block)?|uninstall)Filt|blockNumb)er|s(?:(?:end(?:Raw)?Transactio|ig)n|ubmit(?:Hashrate|Work)|yncing)|c(?:o(?:mpile(?:S(?:olidity|erpent)|LLL)|inbase)|all)|(?:estimateGa|account)s|protocolVersion|hashrate|mining)|shh_(?:new(?:Identity|Filter|Group)|get(?:FilterChan|Messa)ges|uninstallFilter|hasIdentity|addToGroup|version|post)|db_(?:get(?:String|Hex)|put(?:String|Hex))|net_(?:listening|peerCount|version)|web3_(?:clientVersion|sha3))/R"; reference:url,github.com/ethereum/wiki/wiki/JSON-RPC; classtype:policy-violation; sid:2021983; rev:2; metadata:created_at 2015_10_20, former_category POLICY, updated_at 2015_10_20;)
 
-alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Insomnia Shell Outbound CMD Banner"; flow:to_server,established; content:"Shell enroute......."; depth:20; content:"Microsoft Windows "; content:"Copyright |28|c|29| 20"; distance:0; content:"Microsoft Corp"; distance:0; reference:url,www.insomniasec.com/releases; classtype:trojan-activity; sid:2019900; rev:1; metadata:created_at 2014_12_09, updated_at 2014_12_09;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|fat.uk-fags.top"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021981; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp any any -> $HOME_NET 88 (msg:"ET EXPLOIT Possible PYKEK Priv Esc in-use"; flow:established,to_server; content:"|a4 11 18 0f|19700101000000Z|a5 11 18 0f|19700101000000Z|a6 11 18 0f|19700101000000Z"; content:"|a8 05 30 03 02 01 17|"; distance:8; within:7; threshold: type limit, track by_src, seconds 60, count 1; reference:url,github.com/bidord/pykek; reference:cve,CVE-2014-6324; classtype:attempted-admin; sid:2019897; rev:2; metadata:created_at 2014_12_09, updated_at 2014_12_09;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|default"; distance:1; within:8; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|14|support@vpn-core.net"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021982; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_20, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, malware_family Retefe, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Payload (flowbits set)"; flow:established,to_server; urilen:>32; content:"/ABs"; http_uri; fast_pattern; depth:4; pcre:"/^\/ABs[A-Za-z0-9_]+(?:\/x?[a-f0-9]+(?:\x3b\d+)+)?$/U"; content:!"Referer"; http_header; flowbits:set,et.Nuclear.Payload; flowbits:noalert; classtype:exploit-kit; sid:2019872; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible click2play bypass Oct 19 2015 B64 1"; flow:established,from_server; file_data; content:"cHJvZ3Jlc3MtY2xhc3"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021986; rev:2; metadata:created_at 2015_10_21, former_category EXPLOIT, updated_at 2015_10_21;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Cridex CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 00 83 69 b1 31 15 7b|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|176.99.6.57"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019906; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible click2play bypass Oct 19 2015 B64 2"; flow:established,from_server; file_data; content:"Byb2dyZXNzLWNsYXNz"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021987; rev:2; metadata:created_at 2015_10_21, former_category CURRENT_EVENTS, updated_at 2015_10_21;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Gootkit SSL Cert Dec 10 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d2 a9 3c 29 28 ec b0 b1|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,c05453a18b6dc45bc258a377d2161b1c; classtype:trojan-activity; sid:2019907; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible click2play bypass Oct 19 2015 B64 3"; flow:established,from_server; file_data; content:"wcm9ncmVzcy1jbGFzc"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021988; rev:2; metadata:created_at 2015_10_21, former_category CURRENT_EVENTS, updated_at 2015_10_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Evil Flash Redirector to Job314/Neutrino Reboot EK"; flow:established,to_server; content:"POST"; http_method; content:".php?item="; http_uri; content:"&sort="; http_uri; content:".swf?item="; http_header; fast_pattern:only; content:"photo="; http_client_body; depth:6; classtype:exploit-kit; sid:2019908; rev:2; metadata:created_at 2014_12_11, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Light Weight Calendar 'date' Arbitrary Remote Code Execution"; flow: to_server,established; content:"/index.php?"; nocase; http_uri; content:"date="; fast_pattern; http_uri; pcre:"/date=\d{8}\)\;./Ui"; reference:url,doc.emergingthreats.net/2002777; classtype:web-application-attack; sid:2002777; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Exploit Struct"; flow:established,to_server; urilen:>32; content:"/AwoVG"; http_uri; fast_pattern; depth:6; pcre:"/^\/AwoVG[A-Za-z0-9_]+$/U"; content:".html|0d 0a|"; http_header; flowbits:set,et.Nuclear.Exploit; flowbits:noalert; classtype:exploit-kit; sid:2019844; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NetWire Variant - Client Hello"; flow:established,to_server; flowbits:set,ET.NetWire; flowbits:noalert; content:"|01 00 00 00 00|"; depth:5; dsize:6; reference:url,researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic; reference:url,www.circl.lu/pub/tr-23; classtype:trojan-activity; sid:2021976; rev:2; metadata:created_at 2015_10_20, updated_at 2016_08_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malicious JS Leading to Fiesta EK"; flow:established,from_server; file_data; content:"xapLoad"; fast_pattern; content:"swfLoad"; content:"xapURL"; content:"swfURL"; content:"errURL"; content:"var id"; classtype:exploit-kit; sid:2019920; rev:2; metadata:created_at 2014_12_11, former_category CURRENT_EVENTS, updated_at 2014_12_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE NetWire Variant - Server Directory Listing Request"; flow:established,to_client; flowbits:isset,ET.NetWire; content:"|01|"; depth:1; content:"|00 00 00 06 43 3A|"; distance:1; within:6; reference:url,researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic; reference:url,www.circl.lu/pub/tr-23; classtype:trojan-activity; sid:2021979; rev:2; metadata:created_at 2015_10_20, updated_at 2015_10_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Dalexis.A Possible SSL Cert (smartoptionsinc.com)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|05 11 32 08 1d 81|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0d|Synology Inc."; distance:1; within:14; reference:md5,ef2f9909c76d32b51598c54d5685af7e; classtype:trojan-activity; sid:2019923; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Account Phish Landing Oct 22"; flow:established,from_server; file_data; content:"<title>Sign in</title>"; content:"name=chalbhai"; fast_pattern; nocase; distance:0; content:"required title=|22|Please Enter Right Value|22|"; nocase; distance:0; content:"required title=|22|Please Enter Right Value|22|"; nocase; distance:0; classtype:social-engineering; sid:2025692; rev:2; metadata:created_at 2015_10_22, former_category CURRENT_EVENTS, updated_at 2018_07_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Dalexis.A Possible SSL Cert (ppc.cba.pl)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|11 00 81 3d 59 00 8d f2 04 04 8c 3a d3 d0 8e 36 d4 2a|"; distance:9; within:40; content:"|55 04 03|"; distance:0; content:"|06|cba.pl"; distance:1; within:7; reference:md5,ef2f9909c76d32b51598c54d5685af7e; classtype:trojan-activity; sid:2019924; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|FR|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021993; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Dalexis.A Possible SSL Cert (cargol.cat)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 a7 5c ad 38 d2 d7 fe|"; distance:9; within:30; content:"|55 04 0a|"; distance:0; content:"|13|Tirabol Produccions"; distance:1; within:20; reference:md5,ef2f9909c76d32b51598c54d5685af7e; classtype:trojan-activity; sid:2019925; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|volha.xyz"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021994; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE HawkEye Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| HawkEye Keylogger"; nocase; reference:md5,3bbd5ae250b2d912a701f8d74d85353b; classtype:trojan-activity; sid:2019926; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.DarkComet Screenshot Upload Successful"; flow:established,to_server; dsize:7; content:"ENDSNAP"; reference:md5,38abba51bdf98347fc4f91642b21b041; classtype:trojan-activity; sid:2021996; rev:1; metadata:created_at 2015_10_23, updated_at 2015_10_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Beastdoor Keylogger Report via SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a 20|Keylogger"; content:"Victim IP-"; reference:md5,ad99a0a85e1410559030464aac390969; classtype:trojan-activity; sid:2019927; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Duuzer Checkin"; flow:established,to_server; content:"|32 a3 56 bb 47 4f 32 00|"; depth:8; fast_pattern; content:"|30 b9 00 00|"; distance:3; within:4; reference:url,symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers; reference:md5,cd7a72be9c16c2ece1140bc461d6226d; classtype:command-and-control; sid:2022000; rev:1; metadata:created_at 2015_10_26, former_category MALWARE, updated_at 2015_10_26;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Probable Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a 20|Keylogger"; classtype:trojan-activity; sid:2019928; rev:2; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Oct 26 2015"; flow:established,from_server; content:"|0d 0a|Set-Cookie|3a 20|qtaho="; classtype:exploit-kit; sid:2022001; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_26, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Net Crawler SMB Share Access unicode (Operation Cleaver)"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; byte_test:1,!&,0x80,6,relative; content:"|00|_|00|A|00|u|00|t|00|o|00|S|00|h|00|a|00|r|00|e|00|$"; distance:0; reference:md5,8994e16b14cde144a9cebdff685d8676; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019929; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
+alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - Data Channel Client Request"; flow:established,to_server; content:"NO|7C|CRYPTDESK*"; depth:13; classtype:trojan-activity; sid:2022002; rev:1; metadata:created_at 2015_10_26, updated_at 2015_10_26;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Net Crawler SMB Share Access ascii (Operation Cleaver)"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; byte_test:1,&,0x80,6,relative; content:"_AutoShare$"; distance:0; reference:md5,8994e16b14cde144a9cebdff685d8676; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019930; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
+alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - Data Channel Server Response"; flow:established,to_client; content:"GO8_=_8"; dsize:7; classtype:trojan-activity; sid:2022003; rev:1; metadata:created_at 2015_10_26, updated_at 2015_10_26;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Trojan/Win32.Espy Report via SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"SUBJECT|3a| I Q - S P Y KeyLogger ["; content:"victim computer name"; reference:md5,1a9a06b11aa537734931f8098bae6b00; classtype:trojan-activity; sid:2019932; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK IE Exploit Aug 23 2015"; flow:to_server,established; urilen:>50; content:"POST"; http_method; content:"application/json"; http_header; content:"|22 67 22 3a 22|"; http_client_body; fast_pattern; content:"|22 70 22 3a 22|"; http_client_body; content:"|22 41 22 3a 22|"; http_client_body; pcre:"/\?(?=[a-z\d\x3d&\x2e]*?[A-Z])(?=[A-Z\d=&\x2e]*?[a-z])(?=[A-Za-z=&\x2e]*?\d)[A-Za-z\d=&\x2e]{50,}$/U"; classtype:exploit-kit; sid:2021708; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_08_24, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Statblaster Code Download"; flow: to_server,established; content:"/updatestats/"; nocase; http_uri; content:".exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001524; classtype:policy-violation; sid:2001524; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|LU|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022004; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Spy.Zbot.ACB SSL Cert Dec 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fe 69 db 33 70 71 2c 70|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,d271218da70d0bceb69c477e7d13dcc8; classtype:trojan-activity; sid:2019936; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+#alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LummoX Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| LummoX Logger"; fast_pattern; nocase; classtype:trojan-activity; sid:2022005; rev:2; metadata:created_at 2015_10_28, updated_at 2015_10_28;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query SoakSoak Malware"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|soaksoak|02|ru|00|"; fast_pattern; nocase; distance:0; reference:url,blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html; classtype:trojan-activity; sid:2019940; rev:1; metadata:created_at 2014_12_16, updated_at 2014_12_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Malicious Redirect Leading to EK Oct 29"; flow:to_server,established; urilen:5; content:"/533L"; classtype:exploit-kit; sid:2022009; rev:3; metadata:created_at 2015_10_29, updated_at 2015_10_29;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 10001 (msg:"ET MALWARE Win32.Bumrat.B Checkin"; flow:established,to_server; dsize:19; content:"|0f 00 00 00|"; depth:4; content:"mconfig_10"; reference:md5,647edeb30a04eeb30b7f8921645c7369; classtype:command-and-control; sid:2019941; rev:1; metadata:created_at 2014_12_16, former_category MALWARE, updated_at 2014_12_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible WhiteLotus IE Payload"; flow:established,to_server; content:"GET"; http_method; content:"/?"; depth:2; http_uri; fast_pattern; content:" MSIE "; http_user_agent; content:!"Referer|3a|"; http_header; content:"|0d 0a 0d 0a|"; pcre:"/^\/\?[A-Za-z0-9]+=(?P<v1>[^&]+)&(?P=v1)=[A-Za-z0-9]+$/U"; classtype:trojan-activity; sid:2017743; rev:4; metadata:created_at 2013_11_22, updated_at 2013_11_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Bedep Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"Content-Length|3a 20|2"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; pcre:"/^Content-Length\x3a 2\d{2}\r?$/Hmi"; flowbits:set,ET.Trojan.Bedep; classtype:trojan-activity; sid:2019949; rev:2; metadata:created_at 2014_12_16, updated_at 2014_12_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy HTTP CnC Beacon"; flow:established,to_server; content:"|20|HTTP|3a 2f 2f|"; offset:3; depth:9; content:!"Host|3a|"; distance:0; content:!"User-Agent|3a|"; distance:0; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HTTP/1.1|0d 0a|Cookie|3a 20|id="; fast_pattern; pcre:"/^[0-9A-F]{12}/R"; reference:md5,1aca09c5eefb37539e86ec86dd3be72f; reference:url,blog.jpcert.or.jp/2015/07/poisonivy-adapts-to-communicate-through-authentication-proxies.html; classtype:command-and-control; sid:2021523; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Major, tag PoisonIvy, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible ASPROX Download URI Struct June 19 2014"; flow:established, to_server; content:"GET"; http_method; content:".php?"; http_uri; fast_pattern:only; content:!"=aHR0cD"; http_uri; content:"User-Agent|3a|"; http_header; content:!"|0d 0a|Referer|3a|"; http_header; pcre:"/\/[a-z]{2,9}\.php\?(?:[a-z0-9]{2,4}|[cktw])=[a-zA-Z0-9\x2b\x2f\x5c]{43,56}=?$/U"; classtype:trojan-activity; sid:2018589; rev:6; metadata:created_at 2014_06_20, updated_at 2014_06_20;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 59 43 e2 96 23 5b 17|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,c0c8178b7ef2a8c067c68a7fb7dc7ecd; classtype:domain-c2; sid:2022021; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector Dec 16 2014 set"; flow:established,to_server; content:"GET"; http_method; urilen:27; content:".html"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/^\/[a-z]{10}\/[a-z]{10}\.html$/U"; flowbits:set,Upatre.Redirector; flowbits:noalert; classtype:trojan-activity; sid:2019953; rev:2; metadata:created_at 2014_12_16, former_category CURRENT_EVENTS, updated_at 2014_12_16;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP Possible Misuse Call from MERA RTU"; flow:to_server,established; content:"|22 c0 09 00 7a b7 07|MERA RTU|08|"; classtype:misc-attack; sid:2022022; rev:1; metadata:created_at 2015_11_03, updated_at 2015_11_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Upatre Redirector Dec 16 2014"; flow:established,from_server; file_data; content:"PK|03 04|"; within:4; flowbits:isset,Upatre.Redirector; classtype:trojan-activity; sid:2019954; rev:2; metadata:created_at 2014_12_17, former_category CURRENT_EVENTS, updated_at 2014_12_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP Q.931 Call Setup - Inbound"; flow:to_server,established; content:"|08|"; offset:4; depth:1; content:"|05 04|"; distance:3; within:2; classtype:misc-activity; sid:2022023; rev:1; metadata:created_at 2015_11_03, updated_at 2015_11_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Zbot SSL Cert Dec 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cc c9 0f 16 44 47 71 3d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,417a42f5e244ce2f340f16fa2fed0412; classtype:trojan-activity; sid:2019955; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP H.323 in Q.931 Call Setup - Inbound"; flow:to_server,established; content:"|08|"; offset:4; depth:1; byte_jump:1,0,relative; content:"|05 04|"; within:2; byte_jump:1,0,relative; content:"|70|"; byte_jump:1,0,relative; content:"|7E|"; within:1; byte_test:1,!&,0x0F,3,relative; isdataat:31; classtype:misc-activity; sid:2022024; rev:1; metadata:created_at 2015_11_03, updated_at 2015_11_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SoakSoak Malware GET request"; flow:established,to_server; content:"GET"; http_method; content:"/xteas/code"; http_uri; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+soaksoak\.ru/Hmi"; pcre:"/^\/xteas\/code$/U"; reference:url,blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html; classtype:trojan-activity; sid:2019939; rev:3; metadata:created_at 2014_12_16, updated_at 2014_12_16;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cybergate/Rebhip/Spyrat Backdoor Keepalive"; flow:from_server,established; dsize:<100; content:"ping|7c|"; depth:5; content:!"|7c|"; within:1; classtype:trojan-activity; sid:2017990; rev:12; metadata:created_at 2011_04_09, updated_at 2011_04_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Page Sept 17 2014"; flow:established,from_server; file_data; content:"|41 63 74 69 76 65 58 4F 62 6A 65 63 74 28 22 4D 69 63 72 6F 73 22 2B 2F 2A|"; pcre:"/^[a-z0-9]+\x2A\x2F\x22\x6F\x66\x74\x2E/R"; classtype:exploit-kit; sid:2019193; rev:3; metadata:created_at 2014_09_18, former_category CURRENT_EVENTS, updated_at 2014_09_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook WebApp Phish Landing 2015-11-05"; flow:established,from_server; file_data; content:"var translate_dict = {"; nocase; content:"VERIFICATION_CODE"; nocase; distance:0; fast_pattern; content:"VERIFICATION_CODE_REQUIRED"; nocase; distance:0; content:"NOT_BEGIN_OR_END_WITH_SPACE"; nocase; distance:0; content:"USERNAME_ALL_NUMERIC"; nocase; distance:0; content:"PASSWORDS_DONT_MATCH"; nocase; distance:0; content:"PWD_HINT_REQUIRED"; nocase; distance:0; content:"PASSWORD_MATCHES_USERNAME"; nocase; distance:0; content:"REQUEST_PASSWORD_RESET"; nocase; distance:0; content:"ENTER_VALID_VERIFICATION_CODE"; nocase; distance:0; content:"PASSWORD_MATCH_HINT"; nocase; distance:0; content:"Your work here is done"; nocase; distance:0; content:"Yikes! Something's gone wrong."; nocase; distance:0; classtype:social-engineering; sid:2031691; rev:2; metadata:created_at 2015_11_05, former_category PHISHING, updated_at 2015_11_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED IRC channel topic reptile commands"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"|3a|"; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; pcre:"/\.((testdlls|threads|netstatp|nsp|speed|uptime|installed|secure|sec|unsecure|unsec|process|ps|rand|exploitftpd|eftpd|flusharp|farp|flushdns|fdns|resolve|dns|pstore|pst|sysinfo|si|netinfo|ni|driveinfo|di|stats|currentip)\s*[\r\n]|(iestart|ies|login|l|mirccmd|system|file\s+(cat|exists|e|del|rm|rmdir|move|copy|attrib)|down|dl\x|update|reg\s+(query|delete|write))\s+\w+|(banner|ban|advscan|asc|scanall|sa|ntscan|nts)\s*[\n\r])/i"; reference:url,doc.emergingthreats.net/2002385; classtype:trojan-activity; sid:2002385; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wrapper/Gholee/Wedex Checkin"; flow:established,to_server; dsize:12; content:"nocookie"; offset:4; depth:8; reference:md5,b7de8927998f3604762096125e114042; reference:url,blog.checkpoint.com/2015/11/09/rocket-kitten-a-campaign-with-9-lives/; classtype:command-and-control; sid:2022047; rev:1; metadata:created_at 2015_11_09, former_category MALWARE, updated_at 2015_11_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c8 da 58 e3 bc 80 72 25|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019962; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.ip.request; classtype:trojan-activity; sid:2022051; rev:2; metadata:created_at 2015_11_09, former_category CURRENT_EVENTS, updated_at 2015_11_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/AGENT.NXNX checkin"; flow:established,to_server; content:"|24 5d 3b 30 2e 29 23 28 30 34 3b 14 1e 14 13 02 0a 54 55 59|"; reference:url,ahnlabasec.tistory.com/1007; classtype:command-and-control; sid:2019964; rev:1; metadata:created_at 2014_12_18, former_category MALWARE, updated_at 2014_12_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.no.exe.request; classtype:trojan-activity; sid:2022053; rev:2; metadata:created_at 2015_11_09, former_category CURRENT_EVENTS, updated_at 2015_11_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Malicious Referer Bulk Traffic Sometimes Leading to EKs (Possible Bedep infection) Dec 16 2014"; flow:established,to_server; content:"rowedmedia.com/search.php"; http_header; fast_pattern:only; pcre:"/^Referer\x3a[^\r\n]+?rowedmedia\.com\/search\.php\r?$/Hmi"; threshold: type limit, track by_src, count 1, seconds 60; classtype:exploit-kit; sid:2019950; rev:3; metadata:created_at 2014_12_16, former_category CURRENT_EVENTS, updated_at 2014_12_16;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Registry)"; flow:from_server,established; content:"RG|7c 27 7c 27 7c|"; depth:7; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017429; rev:4; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (2)"; flow:established,to_client; file_data; content:"|69 b8 3c 09 08 6c b1 4c|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019968; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Keylogger)"; flow:from_server,established; content:"kl|7c 27 7c 27 7c|"; depth:7; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017430; rev:7; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (3)"; flow:established,to_client; file_data; content:"|28 46 c5 83 df ef a3 2a|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019969; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command Response (Get Passwords)"; flow:to_server,established; content:"pl|7c 27 7c 27 7c|"; depth:7; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017432; rev:5; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Upatre Download Redirection Dec 18 2014"; flow:established,from_server; file_data; content:"<br><meta http-equiv=|22|refresh|22| content=|22|0|3b| url="; pcre:"/^[^\x2f\x22]+?\x22>/R"; classtype:trojan-activity; sid:2019970; rev:2; metadata:created_at 2014_12_18, former_category CURRENT_EVENTS, updated_at 2014_12_18;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Get Passwords)"; flow:from_server,established; content:"ret|7c 27 7c 27 7c|"; depth:8; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017431; rev:5; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Archie EK T2 Activity Dec 18 2014"; flow:established,to_server; content:"/landing?action="; http_uri; fast_pattern:only; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r\n)/Hmi"; classtype:exploit-kit; sid:2019973; rev:2; metadata:created_at 2014_12_18, former_category CURRENT_EVENTS, updated_at 2014_12_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PK/Compressed doc/JAR header"; flow:from_server,established; file_data; content:"|50 4B 03 04|"; depth:4; flowbits:set,ET.zipfile; flowbits:noalert; classtype:misc-activity; sid:2022055; rev:2; metadata:created_at 2015_11_10, updated_at 2015_11_10;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Syrian.Slideshow Sending Information via SMTP"; flow:established,to_server; content:"Subject|3a 20|repo|0d 0a|"; content:"filename=|22|mxtd|22|"; reference:md5,f8bfb82aa92ea6a8e4e0b378781b3859; reference:url,citizenlab.org/2014/12/malware-attack-targeting-syrian-isis-critics; classtype:trojan-activity; sid:2019975; rev:1; metadata:created_at 2014_12_18, updated_at 2014_12_18;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|nyctradersacademy.com"; distance:1; within:22; reference:md5,cb690af981b61aa4779624db5d2489e1; reference:md5,040ac83b30a9bd111d06d238f39593fb; classtype:domain-c2; sid:2022056; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Teerac.A SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf ac 1a b8 3d 7f 11 16|"; within:35; content:"|55 04 03|"; distance:0; content:"|06|debian"; distance:1; within:7; reference:md5,194a931aa49583191eedd19478396ebc; classtype:trojan-activity; sid:2019918; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|msupdcheck.com"; distance:1; within:16; reference:md5,4b689f711da45fb8523c95a85679f435; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022057; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dridex Distribution Campaign Dec 19 2014"; flow:established,to_server; content:"GET"; http_method; content:"stat/lldv"; http_uri; fast_pattern:only; content:".php"; offset:10; http_uri; pcre:"/\/s?stat\/lldvs?\.php$/U"; pcre:"/^Host\x3A[^\r\n]+?\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}(?:\x3a\d{1,5})?\r?$/Hmi"; reference:url,blog.dynamoo.com/2014/12/pl-remittance-details-ref844127rh.html; classtype:trojan-activity; sid:2019977; rev:3; metadata:created_at 2014_12_20, former_category CURRENT_EVENTS, updated_at 2014_12_20;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 c1 ae 7c 85 e8 a5 6b|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5666cb1caca3fde7dd1c8195b76eac8e; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022058; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c9 8c 5b 96 3a e7 56 95|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019987; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)"; flow:from_client,established; content:"|00|pl|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00pl\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:command-and-control; sid:2022059; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (4)"; flow:established,to_client; file_data; content:"|41 ad 58 53 4c 7f 25 9e|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019992; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)"; flow:from_client,established; content:"|00|sc~|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00sc\x7e\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:command-and-control; sid:2022060; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (5)"; flow:established,to_client; file_data; content:"|b8 67 f0 44 43 1e fe 5b|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019993; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)"; flow:from_client,established; content:"|00|scPK|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00scPK\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:command-and-control; sid:2022061; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Wiper 2"; flow:established; content:"|c9 06 d9 96 fc 37 23 5a fe f9 40 ba 4c 94 14 98|"; depth:16; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019994; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback Response (File Manager)"; flow:to_client,established; content:"|00|rn|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00rn\x7c/i"; classtype:command-and-control; sid:2022062; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 1"; flow:established; content:"|0c 1f 1f 1f 4d 5a 4c 4f 50 51 4c 5a 3f 2d 2f 2f 3f 50 54 3e 3e 3e|"; depth:22; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019995; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert tcp any any -> any any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Get Passwords)"; flow:established; content:"|00|ret|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00ret\x7c/i"; reference:md5,310c26fa0c7d07adbff32b569b1972f1; classtype:command-and-control; sid:2022063; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 2"; flow:established; content:"|d3 c4 d2 d1 ce cf d2 c4 a1 b3 b1 b1 a1 ce ca a0 a0 a0|"; depth:18; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019996; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/HideWindows.C IRC Checkin"; flow:established,to_server; content:"PASS 6667|0a|"; content:"NICK pr0n|7c 30 0a|"; distance:0; fast_pattern; content:"USER Pmx|20 22 2a 22 20 22|"; distance:0; content:"|22 20 3a|pr0n|0a|"; reference:md5,4645b7883d5c8fee6579cc79dee5f683; reference:url,thisissecurity.net/2015/11/05/low-cost-point-of-sales-pos-hacking/; classtype:command-and-control; sid:2022064; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
 
-#alert ip any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 3"; content:"|17 08 14 13 67 0f 13 13 17 67 15 02 16 12 02 14 13 78 47 47|"; depth:24; classtype:trojan-activity; sid:2019997; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 fb cd cd ff 15 b4 03|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; reference:md5,c493fbc74573c2c125ff57b1bf15e4be; classtype:domain-c2; sid:2022065; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert ip any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 4"; content:"|4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20 1f|"; depth:23; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019998; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|systruster.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; reference:md5,efa5ea2c511b08d0f8259a10a49b27ad; classtype:domain-c2; sid:2022066; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert ip any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 5"; content:"|15 02 14 17 08 09 14 02 67 75 77 77 67 08 0c 66 66 66|"; depth:22; classtype:trojan-activity; sid:2019999; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0c|retsback.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; reference:md5,e5b7fd7eed59340027625ac39bae7c81; classtype:domain-c2; sid:2022067; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 8"; flow:established; content:"|43 47 47 47 45 67 47 47 43 47 47 47 44 67 47 47|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020002; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE KilerRAT CnC - Info Checkin"; flow:from_server,established; content:"inf|7c 4b 69 6c 65 72 7c|"; fast_pattern; content:"|7c 4b 69 6c 65 72 7c|"; distance:0; content:"|7c 4b 69 6c 65 72 7c|"; distance:0; reference:md5,51409b4216065c530a94cd7a5687c0d6; reference:url,alienvault.com/open-threat-exchange/blog/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off; classtype:command-and-control; sid:2022069; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 9"; flow:established; content:"|43 47 47 47 42 67 47 47 43 47 47 47 4f 67 47 47 43 47 47 47 43 67 47 47 43 47 47 47 4e 67 47 47|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020003; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert tcp any any -> any any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)"; flow:established; content:!"GET|20|"; content:"|FF D8 FF E0 00 10 4A 46 49 46|"; content:"|00|CAP|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00cap\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019214; rev:2; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 10"; flow:established; content:"|d1 ce d2 d5 a1 c9 d5 d5 d1 a1 d3 c4 d0 d4 c4 d2 d5 be|"; depth:18; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020004; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Keylogging)"; flow:from_client,established; content:"|00|kl|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00kl\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019222; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 11"; flow:established; content:"|17 08 14 13 67 0f 13 13 17 67 15 02 16 12 02 14 13 78|"; depth:18; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020005; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (File Manager Actions)"; flow:from_client,established; content:"|00|fm|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00fm\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019221; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 12"; flow:established; content:"|0c 1f 1f 1f 4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020006; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Process Listing)"; flow:from_client,established; content:"|00|proc|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00proc\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019220; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 3"; flow:established; content:"|4c 4c|"; depth:2; offset:16; content:"|75 14 2a 2a|"; distance:4; within:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020009; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Registry Listing)"; flow:from_client,established; content:"|00|RG|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00rg\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019219; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
 
-#alert tcp any [547,8080,133,117,189,159] -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 7"; flow:established,from_server; content:"|7b 08 2a 2a|"; offset:17; content:"|08 2a 2a 01 00|"; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020013; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Services Listing)"; flow:from_client,established; content:"|00|srv|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00srv\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019218; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Proxy Tool 2"; flow:established; content:!"HTTP/1"; content:"|e2 1d 49 49|"; depth:4; fast_pattern; content:"|49 49 49 49|"; distance:4; within:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020018; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Shell)"; flow:from_client,established; content:"|00|rs|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00rs\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019217; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
 
-#alert tcp any any -> any [8000,8080] (msg:"ET MALWARE US-CERT TA14-353A WIPER4"; flow:established,to_server; dsize:42; content:"|28 00|"; depth:2; content:"|04 00 00 00|"; offset:38; depth:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020020; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Microphone)"; flow:from_client,established; content:"|00|MIC|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00mic\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019215; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Operation Poisoned Helmand jar download"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"jre7u61windows/x86/Update.class"; reference:url,threatconnect.com/news/operation-poisoned-helmand/; classtype:trojan-activity; sid:2020021; rev:2; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE Possible Chimera Ransomware - Bitmessage Activity"; flow:established,to_server; content:"version"; offset:4; depth:7; content:"Bitmessage|3a|"; distance:0; reference:md5,b66a864255ad796cf1e82f973f67f556; reference:url,reaqta.com/2015/11/diving-into-chimera-ransomware/; classtype:policy-violation; sid:2022075; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2015_11_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE US-CERT TA14-353A Network Propagation Wiper"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"taskhost"; content:".exe"; distance:2; within:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020023; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|rozmatis.com"; distance:1; within:13; reference:md5,58b38122ac12b84989914623efe833be; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022076; rev:1; metadata:attack_target Client_and_Server, created_at 2015_11_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT TCP Checkin 2"; flow:established,to_server; dsize:27; content:"bestpobeda"; depth:10; pcre:"/^[a-f0-9]+$/R"; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020025; rev:2; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2014_12_23;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0d|whoreshop.xyz"; distance:1; within:14; reference:md5,218a9854b7d1ca1f417c59a566b343d9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022077; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT TCP Keep-Alive"; flow:established,to_server; dsize:24; content:"|09 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00|"; depth:20; threshold:type both, track by_src, count 1, seconds 120; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020026; rev:2; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2014_12_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Renewal Phish Landing Nov 13"; flow:established,from_server; file_data; content:"<title>Mailbox renewal"; fast_pattern; nocase; content:"autorised email address"; nocase; distance:0; content:"To complete this autorization"; nocase; distance:0; content:"Online MailBox Renewal"; nocase; distance:0; classtype:social-engineering; sid:2022083; rev:2; metadata:created_at 2015_11_13, updated_at 2015_11_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Trojan.Nurjax SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|www.njaxjs.me"; distance:1; within:14; classtype:trojan-activity; sid:2020033; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_23, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|lingeriesshop.biz"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022087; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6332 Arrays with Offset Dec 23"; flow:established,from_server; file_data; content:"For i=LBound("; pcre:"/^\s*?(?P<v1>[^\x29\s]+)\s*?\x29\s*?To Ubound\x28(?P=v1)\s*?\x29\s*?(?:dim\s*?)?(?P<v2>[^\s\x3d]+)\s*?\x3d\s*?(?P=v2)\+Cstr\x28\s*?Chr\x28(?P=v1)\x28i\x29[\+\-]\d+\x29\x29.+?Execute\s*?(?P=v2)/Rsi"; reference:md5,d2d3c212f430bff2b5f075fa083de047; reference:cve,2014-6332; classtype:trojan-activity; sid:2020067; rev:3; metadata:created_at 2014_12_24, former_category CURRENT_EVENTS, updated_at 2014_12_24;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 07|"; content:"|0a|LosAngeles"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|11|speednetlocal.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022088; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (6)"; flow:established,to_client; file_data; content:"|82 67 9f c3 f1 71 70 fc|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020071; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 07|"; content:"|02|Ny"; distance:1; within:3; content:"|55 04 03|"; distance:0; content:"|13|securityrealnet.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022089; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (7)"; flow:established,to_client; file_data; content:"|04 6e 76 82 2e 2c 2c 48|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020072; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015"; urilen:>51; flow:to_server,established; content:"_id="; http_uri; content:"_id="; distance:0; http_uri; pcre:"/^\/(?:[a-z0-9]+\/)?[^\x2f]+\?[a-z]{1,40}_id=\d{2,5}?&[a-z]{1,40}_id=\d{2,5}&[^&\x3d]+(?<!_id)=(?=[a-zA-Z0-9]+(?:[A-Z][a-z][A-Z]|\d[a-z][A-Z]|[A-Z]\d[A-Z]|[A-Z\d]{3}[a-z]))(?=[A-Fa-f0-9]*?[G-Zg-z])(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{32}\x2e{0,2}$/U"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:exploit-kit; sid:2022112; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_17, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS query for known Anunak APT Domain (ddnservice11.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|ddnservice11|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020073; rev:1; metadata:created_at 2014_12_29, updated_at 2014_12_29;)
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Calling Common Collection Function"; flow:to_server,established; content:"rO0ABXNyA"; content:"jb21tb25zLmNvbGxlY3Rpb25z"; fast_pattern; distance:0; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022114; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS query for known Anunak APT Domain (financialnewsonline.pw)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|financialnewsonline|02|pw|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020074; rev:1; metadata:created_at 2014_12_29, updated_at 2014_12_29;)
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Calling Common Collection Function"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"commons.collections"; nocase; distance:0; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022115; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d7 5e db d7 9c 6d e0 4f|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020079; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"java/io/Serializable"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022116; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 9090 (msg:"ET MALWARE Win32.Akdoor Reporting MAC Address"; flow:to_server,established; dsize:20; content:"|01 00 00 00 0c 00 00 00|"; fast_pattern; pcre:"/^[0-9A-F]{12}$/R"; reference:md5,f5ba42117dd02f50b12542131dcd8b5f; classtype:trojan-activity; sid:2020081; rev:1; metadata:created_at 2014_12_29, updated_at 2014_12_29;)
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Groovy Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"org.codehaus.groovy.runtime.ConversionHandler"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022117; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0d|tdmodsecur.pw"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020075; rev:3; metadata:attack_target Client_and_Server, created_at 2014_12_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Spring Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"org.springframework.core.SerializableTypeWrapper"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022118; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.Win32.Ngrbot.lof Join IRC channel"; flow:to_server,established; content:"NICK New|7B|"; nocase; pcre:"/^\S{2,3}\x2d(XP|2K3|VIS|2K8|W7|ERR)\w?\x2d\w+?\x7D\w+?\r\n?/Ri"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32/Dorkbot.AR; reference:md5,dd05fcd2368d8d410a5b85e8d504a435; classtype:trojan-activity; sid:2016849; rev:3; metadata:created_at 2013_05_14, updated_at 2013_05_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Google Android Device HTTP Request"; flow:established,to_server; content:"|3B 20|Android|20|"; http_header; classtype:policy-violation; sid:2012251; rev:9; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
 
-#alert udp any any -> 1.1.1.0 80 (msg:"ET MALWARE TROJ_WHAIM.A message"; content:"|57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 00|"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2020069; rev:3; metadata:created_at 2014_12_26, updated_at 2014_12_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-11-20"; flow:established,from_server; file_data; content:"<title>Google Drive"; fast_pattern; nocase; content:"For security reasons"; nocase; distance:0; content:"select your email provider"; nocase; distance:0; content:"enter your email and password"; nocase; distance:0; content:"method=|22|POST|22|"; nocase; distance:0; classtype:social-engineering; sid:2031701; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_20, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft CScript Banner Outbound"; flow:established; content:"Windows Script Host Version"; content:"Copyright |28|C|29|"; distance:0; content:"Microsoft Corp"; distance:0; classtype:successful-admin; sid:2020085; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Webmail Phishing Landing 2015-11-21"; flow:established,from_server; file_data; content:"login.live.com"; nocase; content:"<title>Sign In"; nocase; distance:0; fast_pattern; content:"Generic Password Error Message"; nocase; distance:0; content:"enter your email address"; nocase; distance:0; content:"Microsoft account"; nocase; distance:0; classtype:social-engineering; sid:2031702; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_21, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft WMIC Prompt Outbound"; flow:established; content:"wmic|3a|root|5c|cli>"; classtype:successful-admin; sid:2020086; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Outlook Webmail Phishing 2015-11-21"; flow:established,from_server; file_data; content:"<title>Outlook"; fast_pattern; nocase; content:"http-equiv=|22|refresh"; nocase; distance:0; content:"Update successful"; nocase; distance:0; content:"your account verification information"; nocase; distance:0; content:"emailed to you shortly"; nocase; distance:0; classtype:credential-theft; sid:2031703; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_07_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Netsh Firewall Disable Output Outbound"; flow:established; content:"netsh firewall|22| is deprecated|3b|"; content:"use |22|netsh advfirewall"; distance:0; content:"Ok."; distance:0; classtype:successful-admin; sid:2020087; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|default"; distance:1; within:8; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|13|support@hsshvpn.net"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022130; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_23, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, malware_family Retefe, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SysInternals sc.exe Output Outbound"; flow:established; content:"SERVICE_NAME|3a|"; content:"TYPE"; distance:0; content:"SERVICE_EXIT_CODE"; distance:0; classtype:successful-admin; sid:2020088; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|06|Zurich"; distance:1; within:7; content:"|55 04 07|"; distance:0; content:"|06|Zurich"; distance:1; within:7; content:"IT"; distance:0; content:"|55 04 03|"; distance:0; content:"|07|default"; distance:1; within:8; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|12|me@myhost.mydomain"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022129; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_23, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, malware_family Retefe, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http any any -> any any (msg:"ET WEB_SERVER ATTACKER WebShell - 1337w0rm - Landing Page"; flow:established,to_client; file_data; content:"cPanel Cracker"; classtype:trojan-activity; sid:2020096; rev:3; metadata:created_at 2015_01_06, updated_at 2015_01_06;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Evil EXE download from MSXMLHTTP non-exe extension M1"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.no.exe.request; classtype:trojan-activity; sid:2022052; rev:2; metadata:created_at 2015_11_09, updated_at 2015_11_09;)
 
-alert http any any -> any [$HTTP_PORTS,7547] (msg:"ET EXPLOIT Possible Misfortune Cookie - SET"; flow:established,to_server; content:"Cookie|3a| C"; nocase; pcre:"/^[0-9][^=]/R"; flowbits:set,ET.Misfortune_Cookie; flowbits:noalert; reference:url,mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf; classtype:trojan-activity; sid:2020100; rev:2; metadata:created_at 2015_01_06, updated_at 2015_01_06;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Rincux CnC (set)"; content:"|01 00 00 00|"; depth:4; content:"|00 00 00 00 00 00 00 00|"; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|Windows"; distance:0; content:"|20 4d 42 00 00 00 00 00|"; fast_pattern; distance:0; content:"|20 4d 48 7a 00 00 00 00 00|"; distance:0; flowbits:set,ET.Rincux; flowbits:noalert; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-082614-0727-99&tabid=2; classtype:command-and-control; sid:2022131; rev:1; metadata:created_at 2015_11_23, former_category MALWARE, updated_at 2015_11_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit 2"; flow:established,to_client; file_data; content:"execCommand"; nocase; content:"YMjf"; content:"u0c08"; distance:1; within:6; content:"u0c0cKDog"; distance:1; within:10; fast_pattern; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2020099; rev:8; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, created_at 2015_01_06, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Web_Client_Attacks, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rincux CnC"; content:"|02 00 00 00|"; fast_pattern; depth:4; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/Rs"; content:"|00 00 00 00|"; distance:0; flowbits:isset,ET.Rincux; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-082614-0727-99&tabid=2; classtype:command-and-control; sid:2022132; rev:1; metadata:created_at 2015_11_23, former_category MALWARE, updated_at 2015_11_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fd 0c f3 42 0f 46 07 68|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|xx"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020104; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 87 58 1a 93 f4 b1 c2 6b|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022133; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 86 c7 7d 23 ec c3 18 fb|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020149; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (2)"; flow:established,to_client; file_data; content:"|29 26 9a 62 39 55 b6 0d|"; distance:4; within:8; classtype:trojan-activity; sid:2022139; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET 9000:10000 -> $HOME_NET any (msg:"ET MALWARE Win32/Recslurp.D C2 Response"; flow:established,from_server; flowbits:isset,ET.Reslurp.D.Client; content:"|e8 03 00 00|"; depth:4; reference:md5,fcf364abd9c82d89f8d0b4b091276b41; classtype:command-and-control; sid:2020155; rev:2; metadata:created_at 2015_01_08, former_category MALWARE, updated_at 2015_01_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (5)"; flow:established,to_client; file_data; content:"|63 86 34 11 a3 ae 83 1e|"; distance:4; within:8; classtype:trojan-activity; sid:2022142; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Exploit Kit Delivering Executable to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:exploit-kit; sid:2013962; rev:14; metadata:created_at 2011_11_23, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (6)"; flow:established,to_client; file_data; content:"|94 ae 9f 55 3d 25 7f 7d|"; distance:4; within:8; classtype:trojan-activity; sid:2022143; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/DDoS.M distributed via CVE-2014-6271 Checkin"; flow:established,to_server; content:"BUILD "; depth:6; pcre:"/^(?:MIPS(?:EL)?|POWERPC|ARM|X86)\x0a$/R"; flowbits:set,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; classtype:command-and-control; sid:2019242; rev:2; metadata:created_at 2014_09_26, former_category MALWARE, updated_at 2014_09_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Payload URI Struct May 28 2015 M1"; flow:to_server,established; urilen:>51; content:"."; http_uri; offset:49; depth:1; content:!"/"; http_uri; offset:1; content:!"User-Agent"; http_header; nocase; content:!"Accept"; http_header; nocase; content:!"Referer"; nocase; http_header; pcre:"/^\/(?=[a-z0-9_-]{0,47}?[A-Z][a-z0-9_-]{0,46}?[A-Z])(?=[A-Z0-9_-]{0,47}?[a-z][A-Z0-9_-]{0,46}?[a-z])(?=[A-Za-z_-]{0,47}?[0-9][A-Za-z_-]{0,46}?[0-9])[A-Za-z0-9_-]{48}\.[a-z]{2,25}\d?\??/U"; classtype:exploit-kit; sid:2021158; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_28, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M JUNK command"; flow:established,to_client ; content:"JUNK "; depth:5; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020162; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/muBoT IRC Activity 6 (SOCKS)"; flow:established,to_server; content:"NOTICE "; content:"|3a|REWRITING|0a|"; fast_pattern; distance:0; content:"|0a|to|0a|"; distance:0; pcre:"/^NOTICE [^\r\n]+? \x3aREWRITING\x0a[^\r\n]+?\x0ato\x0a[^\r\n]+?\x0a/s"; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:trojan-activity; sid:2022189; rev:1; metadata:created_at 2015_11_26, updated_at 2015_11_26;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M GETLOCALIP command"; flow:established,to_client ; content:"GETLOCALIP "; depth:11; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020163; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/muBoT IRC Activity 7 (bindshell)"; flow:established,from_server; content:"|0a c2 84 c2 9f|muBoT|c2 84 c2 9f|REMOTE|c2 84 c2 9f|SHELL"; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:trojan-activity; sid:2022190; rev:1; metadata:created_at 2015_11_26, updated_at 2015_11_26;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M SCANNER command"; flow:established,to_client ; content:"SCANNER "; depth:8; pcre:"/^(?:ON|OFF)/R"; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020164; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.ip.request; classtype:trojan-activity; sid:2022050; rev:3; metadata:created_at 2015_11_09, former_category CURRENT_EVENTS, updated_at 2015_11_09;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M KILLATTK command"; flow:established,to_client ; content:"KILLATTK "; depth:9; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020165; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 27 2015"; flow:to_server,established; urilen:>55; content:"&cat_no="; http_uri; content:"&no="; http_uri; distance:0; pcre:"/&cat_no=\d{2,5}?&no=\d{2,5}&[^&\x3d]+(?<!_no)=(?=[a-zA-Z0-9]+(?:[A-Z][a-z][A-Z]|\d[a-z][A-Z]|[A-Z]\d[A-Z]|[A-Z\d]{3}[a-z]))(?=[A-Fa-f0-9]*?[G-Zg-z])(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{32}\x2e{0,2}$/U"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:exploit-kit; sid:2022193; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_30, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M LOLNOGTFO command"; flow:established,to_client ; content:"LOLNOGTFO "; depth:10; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020166; rev:2; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PHP/Mayhem Checkin via HTTP POST"; flow:established,to_server; content:"POST"; http_method; content:"Pragma|3a 20|1337|0d 0a|"; http_header; fast_pattern:only; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; content:".php HTTP/1.0|0d 0a|"; reference:url,www.blackhat.com/docs/eu-15/materials/eu-15-KA-Automating-Linux-Malware-Analysis-Using-Limon-Sandbox.pdf; classtype:trojan-activity; sid:2022195; rev:2; metadata:created_at 2015_11_30, updated_at 2015_11_30;)
 
-alert tcp any any -> any 1024: (msg:"ET MALWARE Linux/DDoS.M Admin console status"; flow:established,to_client ; content:"|1b 5d 30 3b|Bots connected|3a 20|"; content:"|7c 20|Clients connected|3a 20|"; distance:0; threshold: type both, count 1, seconds 10, track by_src; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020167; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING cPanel Phishing Landing 2015-12-01"; flow:established,to_client; file_data; content:"<title>Please wait.."; nocase; fast_pattern; content:"form id=|22|myForm|22|"; nocase; distance:0; content:"name=|22|myForm|22|"; nocase; distance:0; content:"method=|22|POST|22|"; nocase; distance:0; content:"name=|22|email|22|"; nocase; distance:0; content:"type=|22|password|22|"; nocase; distance:0; content:"name=|22|submit|22|"; nocase; distance:0; classtype:social-engineering; sid:2031704; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)"; flow:established,from_server; flowbits:isset,et.MCOFF; file_data; content:"_|00|V|00|B|00|A|00|_|00|P|00|R|00|O|00|J|00|E|00|C|00|T|00|"; nocase; flowbits:set,et.DocVBAProject; classtype:bad-unknown; sid:2019837; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Anonisma Phishing Landing 2015-12-01"; flow:established,to_client; file_data; content:"id=|22|Anonisma"; fast_pattern; nocase; content:"class=|22|Anonisma"; nocase; distance:0; classtype:social-engineering; sid:2031705; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"ET MALWARE Hong Kong SWC Attack PcClient CnC Beacon"; flow:established,to_server; content:"|BB 4E 4E BC BC BC 7E 7E|"; nocase; offset:160; depth:8; reference:url,blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html; classtype:command-and-control; sid:2020169; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_01_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Driveby bredolab hidden div served by nginx"; flow:established,to_client; content:"|0d 0a|Server|3a| nginx"; file_data; content:"<div style=|22|visibility|3a| hidden|3b 22|><"; depth:120; classtype:bad-unknown; sid:2011355; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Office Doc with Embedded VBA containing Reverse Meterpreter Shell"; flow:established,from_server; flowbits:isset,et.DocVBAProject; file_data; content:"windows/meterpreter/reverse_"; nocase; reference:url,github.com/enigma0x3/Generate-Macro/blob/master/Generate-Macro.ps1; classtype:trojan-activity; sid:2020170; rev:2; metadata:created_at 2015_01_13, former_category MALWARE, updated_at 2015_01_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MALVERTISING Alureon JavaScript IFRAME Redirect"; flow:established,to_client; file_data; content:"marginwidth=|5c 22|0|22 5c| marginheight=|5c 22|0|22 5c| hspace=|5c 22|0|22 5c| vspace=|5c 22|0|22 5c| frameborder=|5c 22|0|22 5c| scrolling=|5c 22|0|22 5c| bordercolor=|5c 22 23|000000|5c 22|></IFRAME>|22 29 3b 7d|"; classtype:bad-unknown; sid:2011978; rev:5; metadata:created_at 2010_11_24, former_category CURRENT_EVENTS, updated_at 2010_11_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Try Prototype Catch May 11 2012"; flow:from_server,established; file_data; content:"|3b|try{prototype|3b|}catch("; content:"){"; within:6; classtype:trojan-activity; sid:2014745; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_12, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Compressed Adobe Flash File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|45 57 73 09|"; distance:0; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012503; rev:5; metadata:created_at 2011_03_15, former_category CURRENT_EVENTS, updated_at 2011_03_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Eval Variable Obfuscation 3"; flow:established,to_client; file_data; content:"=|22|eva|22 3B|"; content:"+|22|l|22|"; distance:0; pcre:"/\x2B\x22l\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015027; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY ACH - Redirection"; flow:from_server,established; file_data; content:"<title>NACHA</title>"; classtype:exploit-kit; sid:2013474; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_26, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Upatre Firefox/Chrome Redirector Receiving Payload Jan 9 2015"; flow:established,from_server; file_data; content:"UEsDB"; content:"var"; pcre:"/^\s*?\w+\s*?=\s*?[\x22\x27]UEsDB/R"; flowbits:isset,ET.Upatre.Redirector; classtype:trojan-activity; sid:2020161; rev:3; metadata:created_at 2015_01_09, former_category CURRENT_EVENTS, updated_at 2015_01_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Phoenix Java MIDI Exploit Received By Vulnerable Client"; flow:established,to_client; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; sid:2013484; rev:4; metadata:created_at 2011_08_29, former_category CURRENT_EVENTS, updated_at 2011_08_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Bedep Checkin Response"; flow:established,from_server; content:"Content-Type|3a 20|text/html|0d 0a|"; http_header; content:"Content-Length|3a| 108|0d 0a|"; http_header; fast_pattern:only; content:!"Keep-Alive|3a 20|"; http_header; file_data; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; classtype:trojan-activity; sid:2019952; rev:5; metadata:created_at 2014_12_16, updated_at 2014_12_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Phoenix Java MIDI Exploit Received"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; sid:2013485; rev:4; metadata:created_at 2011_08_29, former_category CURRENT_EVENTS, updated_at 2011_08_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 7d f1 a1 50 bc 27 18|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020187; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Phoenix landing page JAVASMB"; flow:established,to_client; file_data; content:"JAVASMB()"; classtype:bad-unknown; sid:2013486; rev:4; metadata:created_at 2011_08_30, former_category CURRENT_EVENTS, updated_at 2011_08_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ChinaZ DDoS Bot Checkin"; flow:established,to_server; content:"|00 00 00 00|"; depth:4; content:!"|00|"; within:1; content:"MHz|00|"; distance:0; content:"|20 2a 20|"; distance:-12; within:5; pcre:"/^\d+MHz\x00/R"; content:"|20|MB|00|"; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3682; classtype:command-and-control; sid:2020188; rev:1; metadata:created_at 2015_01_15, former_category MALWARE, updated_at 2015_01_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Crimepack Java exploit attempt(2)"; flow:from_server,established; file_data; content:"PK"; content:"META-INF/MANIFEST"; within:50; content:"PK"; within:150; nocase; content:"Exploit|24 31 24 31 2E|class"; distance:0; fast_pattern; classtype:web-application-attack; sid:2013662; rev:2; metadata:created_at 2011_09_16, former_category CURRENT_EVENTS, updated_at 2011_09_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9d 36 ff 20 e3 b5 4d 15|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020196; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 1"; flow:established,from_server; file_data; content:"/Subtype /U3D"; content:"<</Author (Fo) /email (fo@gmail.com) /web (fo.googlepages.com)"; distance:0; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:bad-unknown; sid:2013996; rev:4; metadata:created_at 2011_12_08, updated_at 2011_12_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (8)"; flow:established,to_client; file_data; content:"|31 90 49 ae c8 2b 73 75|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020204; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 2"; flow:established,from_server; file_data; content:"/Subtype /U3D"; content:"/Contents (a pwning u3d model) /3DI false > /3DA << /A /PO /DIS /I >> /Rect [0 0 640 480] /3DD 10 0 R /F 7 >>"; distance:0; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:bad-unknown; sid:2013997; rev:6; metadata:created_at 2011_12_08, updated_at 2011_12_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Dalexis Serial Number in SSL Cert"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 d7 f0 71 9c ed 67 99 74|"; within:35; fast_pattern; reference:md5,a01fdd1585dc5c8b4e09536eede5e6d4; classtype:trojan-activity; sid:2020208; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_01_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MALVERTISING Alureon Malicious IFRAME"; flow:established,to_client; file_data; content:"name=\"Twitter\" scrolling=\"auto\" frameborder=\"no\" align=\"center\" height = \"1px\" width = \"1px\"></iframe>"; classtype:bad-unknown; sid:2014039; rev:5; metadata:created_at 2011_12_22, former_category CURRENT_EVENTS, updated_at 2011_12_22;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Win32.ChinaZ.DDoSClient Checkin"; flow:established,to_server; content:"Windows "; depth:8; content:"|20|MHZ|00|"; fast_pattern; distance:0; content:"|00|Win"; distance:0; content:"|00|"; distance:2; within:2; reference:md5,8643a44febdf73159b2d5c437dc40cd3; classtype:command-and-control; sid:2020209; rev:2; metadata:created_at 2015_01_20, former_category MALWARE, updated_at 2015_01_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Version Check with hidden applet"; flow:established,from_server; file_data; content:"deployJava.versionCheck|28|"; content:"<applet"; nocase; distance:0; content:"hidden"; within:200; nocase; pcre:"/\x3capplet[^\x3e]+visibility[^\x3e]+hidden[^\x3e]/i"; classtype:exploit-kit; sid:2014136; rev:7; metadata:created_at 2012_01_19, updated_at 2012_01_19;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (URLzone CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b9 84 73 78 53 8f 36 69|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020216; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, malware_family URLZone, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2018_04_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Driveby Delivered Malicious PDF"; flow:established,from_server; file_data; content:"%PDF"; depth:4; content:"/Author (yvp devo)/Creator (bub lob)"; distance:0; classtype:trojan-activity; sid:2014142; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 91 eb 37 30 e6 41 f6|"; within:35; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|CN"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|02|ST"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020217; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Unknown Landing Page Received"; flow:established,from_server; file_data; content:"<applet code="; depth:35; content:".class"; distance:0; content:".jar"; distance:0; content:".pdf"; distance:0; classtype:exploit-kit; sid:2014168; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e b5 fa 1e d4 7a 9e 36|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020218; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Java Rhino Scripting Engine Exploit Downloaded"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"com.class"; content:"edu.class"; content:"net.class"; content:"org.class"; classtype:exploit-kit; sid:2014243; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_02_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f3 1c c2 15 72 83 e3 79|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020219; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Java Atomic Exploit Downloaded"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:",CAFEBABE00000030007A0A002500300A003100320700"; distance:0; classtype:exploit-kit; sid:2014295; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_02_29, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ae 79 0b f9 9e bd 14 a1|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020220; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito libtiff PDF Exploit Recieved"; flow:established,from_server; content:"Content-Disposition|3a| inline"; nocase; content:".pdf"; distance:0; file_data; content:"%PDF-"; depth:5; content:"<</Filter/FlateDecode /Length"; within:64; classtype:exploit-kit; sid:2014316; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_06, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nitol.A Checkin 2"; flow:from_client,established; dsize:260; content:"MB|00 00|"; content:"Windows|20|"; distance:0; content:"V1.0|00 00|"; offset:180; fast_pattern; reference:md5,b9096b87cf643c5f86789d995e9e773d; classtype:command-and-control; sid:2020222; rev:1; metadata:created_at 2015_01_21, former_category MALWARE, updated_at 2015_01_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Exploit Kit Delivering JAR Archive to Client"; flow:established,to_client; flowbits:isset,et.exploitkitlanding; file_data; content:"|50 4B 03 04 14 00 08 00 08 00|"; within:10; classtype:exploit-kit; sid:2014526; rev:3; metadata:created_at 2012_04_06, former_category EXPLOIT_KIT, updated_at 2012_04_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (9)"; flow:established,to_client; file_data; content:"|0b c7 6a 1e 7c c2 43 ea|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020225; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - page redirecting to a SutraTDS"; flow:established,to_client; file_data; content:"?igc.ni/"; distance:0; classtype:exploit-kit; sid:2014549; rev:3; metadata:created_at 2012_04_12, updated_at 2012_04_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (10)"; flow:established,to_client; file_data; content:"|0b c7 6a 1e 7c c2 43 ea|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020227; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Modified Metasploit Jar"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"msf|2f|x|2f|Payload"; classtype:trojan-activity; sid:2014560; rev:7; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_13, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Webbuying.net Spyware Install User-Agent 2 (wb v1.6.4)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; http_header; content:"wb v"; http_user_agent; fast_pattern; reference:url,doc.emergingthreats.net/2003449; classtype:pup-activity; sid:2003449; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT landing page with malicious Java applet"; flow:established,from_server; file_data; content:"code="; distance:0; content:"xploit.class"; distance:2; within:18; classtype:bad-unknown; sid:2014561; rev:6; metadata:created_at 2012_04_13, former_category CURRENT_EVENTS, updated_at 2012_04_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b6 24 74 c1 1f 18 de bb|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020242; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JavaScript Determining OS MAC and Serving Java Archive File"; flow:established,to_client; file_data; content:"<script"; content:"navigator.userAgent.indexOf|28 27|Mac|27 29|"; distance:0; nocase; content:"setAttribute|28 27|code|27|"; distance:0; nocase; content:".class"; nocase; distance:0; content:"setAttribute|28 27|archive|27|"; distance:0; nocase; content:".jar"; nocase; distance:0; reference:url,blog.trendmicro.com/another-tibetan-themed-malware-email-campaign-targeting-windows-and-macs/; reference:cve,2011-3544; classtype:bad-unknown; sid:2014565; rev:3; metadata:created_at 2012_04_16, updated_at 2012_04_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Scieron Possible SSL Cert"; flow:established,from_server; content:"|0b|"; content:"|10 6d 7a 85 10 89 c8 6f bb 41 41 46 e6 96 f2 68 cd|"; within:45; content:"|55 04 03|"; distance:0; content:"|10|RibbonLocalHTTPS"; distance:1; within:17; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020243; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Italian Spam Campaign ZIP with EXE Containing Many Underscores"; flow:from_server,established; file_data; content:"|50 4b 03 04|"; within:4; byte_test:2,>,50,22,relative; content:"|5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 2e|exe"; distance:22; within:150; classtype:trojan-activity; sid:2014577; rev:5; metadata:created_at 2012_04_16, former_category CURRENT_EVENTS, updated_at 2012_04_16;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query for Suspicious torwoman.com Domain - Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|torwoman|03|com"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020283; rev:1; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Nikjju Mass Injection Compromised Site Served To Local Client"; flow:established,from_server; file_data; content:"</title><script src="; nocase; content:"http|3a|//"; nocase; within:8; content:"/r.php"; fast_pattern; within:100; content:"></script>"; distance:1; within:10; classtype:attempted-user; sid:2014607; rev:10; metadata:created_at 2012_04_17, former_category CURRENT_EVENTS, updated_at 2012_04_17;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Jan 22 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 c1 47 06 dd 12 ae 21|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0f|Dniepropetrovsk"; distance:1; within:16; classtype:trojan-activity; sid:2020288; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Nikjju Mass Injection Internal WebServer Compromised"; flow:established,from_server; file_data; content:"</title><script src="; nocase; content:"http|3a|//"; nocase; within:8; content:"/r.php"; fast_pattern; within:100; content:"></script>"; distance:1; within:10; classtype:attempted-user; sid:2014608; rev:9; metadata:created_at 2012_04_17, former_category CURRENT_EVENTS, updated_at 2012_04_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange redirection Jan 22 2015"; flow:established,from_server; file_data; content:"var theme_customize"; within:19; pcre:"/^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f/Ri"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020291; rev:2; metadata:created_at 2015_01_23, former_category EXPLOIT_KIT, updated_at 2015_01_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic - Redirection to Kit - BrowserDetect with var stopit"; flow:established,from_server; file_data; content:"var stopit = BrowserDetect.browser"; distance:0; classtype:exploit-kit; sid:2014665; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_05_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Scieron Retrieving Information Response"; flow:established,from_server; file_data; content:"system"; within:6; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})system$/R"; flowbits:isset,ET.Trojan.Scieron.Ret; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; reference:md5,a36db258d0f6f085e8e5030d8e9a9bf4; classtype:trojan-activity; sid:2020297; rev:2; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php with eval/gzinflate/base64_decode possible webshell"; flow:to_client,established; file_data; content:"<?"; content:"eval(gzinflate(base64_decode("; distance:0; reference:url,blog.sucuri.net/2012/05/list-of-domains-hosting-webshells-for-timthumb-attacks.html; classtype:web-application-attack; sid:2014847; rev:6; metadata:created_at 2012_05_30, former_category CURRENT_EVENTS, updated_at 2012_05_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/AGENT.NXNX Checkin 2"; flow:to_server,established; dsize:200; content:"D|3a 00 00 00|"; offset:7; depth:13; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}D\x3a\x00+?$/"; reference:md5,fdcf0e3e3ad69cdd570387c4ce9aa8b3; reference:url,ahnlabasec.tistory.com/1007; reference:url,global.ahnlab.com/global/upload/download/asecreport/ASEC%20Report_Vol.58_Eng.pdf; classtype:command-and-control; sid:2020303; rev:2; metadata:created_at 2015_01_23, former_category MALWARE, updated_at 2015_01_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript redirecting to badness 21 June 2012"; flow:established,from_server; file_data; content:"javascript'>var wow="; content:"Date&&"; distance:12; within:60; classtype:bad-unknown; sid:2014930; rev:4; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2012_06_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector Jan 23 2015"; flow:established,to_server; content:"GET"; http_method; content:"/js/jquery-"; http_uri; fast_pattern:only; pcre:"/^\/js\/jquery-\d+\.\d{2}\.\d{2}\.js$/U"; content:"Referer|3a|"; pcre:"/^[^\r\n]+?\.html?\r?$/Rmi"; classtype:trojan-activity; sid:2020304; rev:2; metadata:created_at 2015_01_23, former_category CURRENT_EVENTS, updated_at 2015_01_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic - PDF with NEW PDF EXPLOIT"; flow:established,to_client; file_data; content:"%PDF"; depth:4; fast_pattern; content:"NEW PDF EXPLOIT"; classtype:trojan-activity; sid:2014966; rev:3; metadata:created_at 2012_06_26, former_category CURRENT_EVENTS, updated_at 2012_06_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9d 12 4e cf d7 61 de 81|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020307; rev:4; metadata:attack_target Client_and_Server, created_at 2015_01_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Scalaxy Jar file"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"C1.class"; fast_pattern; distance:0; content:"C2.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014983; rev:3; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
 
-#alert tls $EXTERNAL_NET 1025 -> $HOME_NET any (msg:"ET MALWARE Possible Mailer Dropped by Dyre SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02 41 55|"; distance:0; content:"|55 04 08|"; distance:0; pcre:"/^.{2}(?P<var>[a-z0-9]{4,16}[01]).+?\x06\x03\x55\x04\x08.{2}(?P=var)/Rs"; reference:md5,dbcdaf617e19d2a35f763ac996cf8cd7; classtype:trojan-activity; sid:2020205; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_01_19, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*km0ae9gr6m*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014984; rev:5; metadata:created_at 2012_06_29, former_category CURRENT_EVENTS, updated_at 2012_06_29;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Regin Hopscotch Module Accessing SMB2 Named Pipe (Unicode) 1"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|6|00|6|00|f|00|b|00|e|00|8|00|7|00|a|00|-|00|4|00|3|00|7|00|2|00|-|00|1|00|f|00|5|00|1|00|-|00|1|00|0|00|1|00|d|00|-|00|1|00|a|00|a|00|f|00|0|00|0|00|4|00|3|00|1|00|2|00|7|00|a|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin; classtype:trojan-activity; sid:2020309; rev:1; metadata:created_at 2015_01_26, updated_at 2015_01_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*qhk6sa6g1c*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014985; rev:6; metadata:created_at 2012_06_29, former_category CURRENT_EVENTS, updated_at 2012_06_29;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Regin Hopscotch Module Accessing SMB Named Pipe (Unicode) 2"; flow:to_server,established; content:"|FF|SMB"; offset:4; depth:4; content:"|00|{|00|4|00|4|00|f|00|d|00|g|00|2|00|3|00|a|00|-|00|1|00|5|00|2|00|2|00|-|00|6|00|f|00|9|00|e|00|-|00|d|00|0|00|5|00|d|00|-|00|1|00|a|00|a|00|f|00|0|00|1|00|7|00|6|00|1|00|3|00|8|00|a|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin; classtype:trojan-activity; sid:2020310; rev:1; metadata:created_at 2015_01_26, updated_at 2015_01_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Runforestrun Malware Campaign Infected Website Landing Page Obfuscated String JavaScript DGA"; flow:established,to_client; file_data; content:"*/window.eval(String.fromCharCode("; isdataat:80,relative; content:!")"; within:80; pcre:"/\x2A[a-z0-9]{10}\x2A\x2Fwindow\x2Eeval\x28String\x2EfromCharCode\x28[0-9]{1,3}\x2C[0-9]{1,3}\x2C/sm"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014998; rev:3; metadata:created_at 2012_07_03, former_category CURRENT_EVENTS, updated_at 2012_07_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 10 f0 a9 8b a2 9b 82|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020313; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Unknown_s=1 - Landing Page - 10HexChar Title and applet"; flow:established,to_client; file_data; content:"<applet"; pcre:"/<title>[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2015053; rev:6; metadata:created_at 2012_07_12, former_category CURRENT_EVENTS, updated_at 2012_07_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 99 95 bf 9b 4f 7d 85 0e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020314; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Unknown_s=1 - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; content:"value=\""; pcre:"/value=.[a-f0-9]{100}/"; classtype:trojan-activity; sid:2015054; rev:5; metadata:created_at 2012_07_12, former_category CURRENT_EVENTS, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - New PDF Exploit - Jan 24 2013"; flow:established,to_server; content:"3.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})3\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}3\.PDF)$/U"; classtype:exploit-kit; sid:2016278; rev:6; metadata:created_at 2013_01_25, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d malware network iframe"; flow:established,to_client; file_data; content:"|22| name=|22|Twitter|22| scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|></iframe>"; classtype:trojan-activity; sid:2015057; rev:4; metadata:created_at 2012_07_12, former_category CURRENT_EVENTS, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (6)"; flow:established,to_server; content:"/mypic.dll"; http_uri; nocase; fast_pattern:only; pcre:"/\/(w(?:hite|orld)|step)\/mypic\.dll$/U"; classtype:exploit-kit; sid:2016547; rev:10; metadata:created_at 2013_03_07, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DoSWF Flash Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"CWS"; depth:3; content:"<doswf version="; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2015574; rev:5; metadata:created_at 2012_08_04, former_category EXPLOIT_KIT, updated_at 2012_08_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Font File Download (32-bit Host) Dec 11 2012"; flow:to_server,established; content:"/32s_font.eot"; http_uri; classtype:exploit-kit; sid:2015815; rev:4; metadata:created_at 2012_10_18, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments"; flow:established,to_client; file_data; content:"FoxxySF Website Copier"; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015583; rev:4; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Font File Download (64-bit Host) Dec 11 2012"; flow:to_server,established; content:"/64s_font.eot"; http_uri; classtype:exploit-kit; sid:2015816; rev:4; metadata:created_at 2012_10_18, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|0|22| height=|22|0|22|>"; fast_pattern; within:100; classtype:exploit-kit; sid:2015605; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - PDF Exploit - pdf_new.php"; flow:established,to_server; content:"/pdf_new.php"; fast_pattern:only; http_uri; classtype:exploit-kit; sid:2015892; rev:4; metadata:created_at 2012_11_16, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SweetOrange - Java Exploit Downloaded"; flow:established,from_server; file_data; content:".classPK"; content:".mp4PK"; fast_pattern; within:80; classtype:exploit-kit; sid:2017476; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - PDF Exploit - pdf_old.php"; flow:established,to_server; content:"/pdf_old.php"; fast_pattern:only; http_uri; classtype:exploit-kit; sid:2015893; rev:5; metadata:created_at 2012_11_16, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit applet landing"; flow:established,from_server; file_data; content:"<html>|0d 0a|<body>|0d 0a|<applet archive="; content:"width=|22|0|22| height=|22|0|22|></applet>|0d 0a|</body>|0d 0a|</body></html>"; distance:0; classtype:exploit-kit; sid:2013699; rev:3; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2011_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Landing Pattern (1)"; flow:to_server,established; content:"/r/l/"; depth:5; http_uri; content:".php"; http_uri; pcre:"/^\/r\/l\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:exploit-kit; sid:2015915; rev:4; metadata:created_at 2012_11_21, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MALVERTISING OpenX BrowserDetect.init Download"; flow:established,to_client; content:"OAID="; http_cookie; file_data; content:"BrowserDetect.init"; classtype:bad-unknown; sid:2014038; rev:6; metadata:created_at 2011_12_22, former_category CURRENT_EVENTS, updated_at 2011_12_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CoolEK - Landing Page - Title"; flow:established,to_client; file_data; content:"<title>Hello my friend...</title>"; classtype:exploit-kit; sid:2015891; rev:4; metadata:created_at 2012_11_16, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|licensecheck.bit"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022208; rev:1; metadata:attack_target Client_and_Server, created_at 2015_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Landing Pattern (2)"; flow:to_server,established; content:"/t/l/"; depth:5; http_uri; content:".php"; http_uri; pcre:"/^\/t\/l\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:exploit-kit; sid:2015916; rev:4; metadata:created_at 2012_11_21, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e2 81 a8 a0 05 4c c8 8b|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022212; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - Jar - Jun 05 2013"; flow:to_server,established; content:".jar"; nocase; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; pcre:"/Host\x3a[^\r\n]+?\.(pw|us)(\x3a\d{1,5})?\r$/Hmi"; pcre:"/^(\/[a-z]{3,20})?\/([a-z]{3,20}[-_])+[a-z]{3,20}\.jar$/U"; classtype:exploit-kit; sid:2016060; rev:19; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Excel with Embedded .emf object downloaded"; flow:established,to_client; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"| 50 4B 03 04 |"; content:"|2F 6D 65 64 69 61 2F 69 6D 61 67 65 |"; within:64; content:"| 2E 65 6D 66 |"; within:15; classtype:bad-unknown; sid:2012504; rev:8; metadata:created_at 2011_03_15, former_category CURRENT_EVENTS, updated_at 2011_03_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download"; flow:established,to_server; content:"/pics/new.png"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/new\.png$/U"; classtype:exploit-kit; sid:2016221; rev:5; metadata:created_at 2013_01_16, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/KDefend Checkin"; flow:established,to_server; content:"c|00|h|00|i|00|n|00|a|00 00 00|"; offset:16; depth:12; fast_pattern; content:"|20|MB|00|"; within:10; content:"/proc/stat|00|cpu|00|"; within:21; reference:url,blog.malwaremustdie.org/2015/12/mmd-0045-2015-kdefend-new-elf-threat.html; classtype:command-and-control; sid:2022219; rev:3; metadata:created_at 2015_12_04, former_category MALWARE, updated_at 2015_12_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (3)"; flow:established,to_server; content:"/pics/foto.png"; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; nocase; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/foto\.png$/U"; classtype:exploit-kit; sid:2016280; rev:7; metadata:created_at 2013_01_25, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Adware.iBryte.B Install"; flow:to_server,established; content:"GET"; http_method; content:"/impression.do"; http_uri; fast_pattern:only; content:"event="; http_uri; content:"_id="; http_uri; content:!"Referer|3a|"; http_header; reference:md5,1497c33eede2a81627c097aad762817f; classtype:trojan-activity; sid:2018194; rev:9; metadata:created_at 2012_02_13, updated_at 2012_02_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CoolEK landing applet plus class Feb 12 2013"; flow:established,to_client; file_data; content:"<applet"; content:"SunJCE"; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016406; rev:3; metadata:created_at 2013_02_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|baknsystem.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022078; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (4)"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/\/(?:w(?:hite|orld)|step)\/\d+$/U"; classtype:exploit-kit; sid:2016408; rev:14; metadata:created_at 2013_02_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|coughweb.biz"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022226; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CoolEK Landing Aug 29 2013"; flow:established,from_server; file_data; content:".txt?e"; nocase; fast_pattern:only; content:"value"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])((?!(?P=q)).)+?\.txt\?e=\d+(&[fh]=\d+)?(?P=q)/Ri"; classtype:exploit-kit; sid:2017396; rev:6; metadata:created_at 2013_08_29, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.gooodlaosadf.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022230; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Jan 27 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:" id=|22|"; distance:15; within:16; pcre:"/^[A-Za-z]{3,5}/R"; content:"|22| style=|22|display|3a|none|22|>"; within:23; pcre:"/^[a-zA-Z0-9]{9}<\/[^>]+>\s+?<[^\s]+\sid=\x22[a-zA-Z]{3,5}\x22\sstyle=\x22display\x3anone\x22>[A-Za-z0-9]{500}/Rs"; classtype:exploit-kit; sid:2020319; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_28, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 41 89 47 37 8f 56 41|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022231; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Jan 27 2015"; flow:established,from_server; file_data; content:"name=|22|movie|22|"; fast_pattern; pcre:"/^\s*?value\s*?=\s*?[\x22\x27]\/[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+\x3d(?:[a-z]+|[0-9]+)[\x22\x27]/Rs"; classtype:exploit-kit; sid:2020320; rev:5; metadata:created_at 2015_01_28, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|09|Cyxuzoidv"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022233; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Jan 27 2015"; flow:established,from_server; file_data; content:"name=|22|movie|22|"; fast_pattern; pcre:"/^\s*?value\s*?=\s*?[\x22\x27]\/(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?[\x22\x27]/Rs"; classtype:exploit-kit; sid:2020321; rev:4; metadata:created_at 2015_01_28, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 07|"; content:"|0b|los Angeles"; distance:1; within:12; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0c|*.google.com"; distance:1; within:13; content:"@google.com"; distance:0; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022235; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9d 98 f4 2b 01 ee fc d3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020322; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Excel Online Phish Landing 2015-12-08"; flow:to_client,established; file_data; content:"id=|22|sfm_excel_body|22|"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:"name=|22|Email|22|"; nocase; distance:0; content:"name=|22|Password|22|"; nocase; distance:0; content:"type=|22|password|22|"; nocase; distance:0; content:"Keep me signed in"; nocase; distance:0; classtype:social-engineering; sid:2031692; rev:4; metadata:created_at 2015_12_08, former_category PHISHING, updated_at 2015_12_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Dridex Campaign Download Jan 28 2015"; flow:established,to_server; content:"GET"; http_method; content:"/js/bin.exe?="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/js\/bin\.exe\?=\d+$/U"; classtype:trojan-activity; sid:2020328; rev:2; metadata:created_at 2015_01_29, former_category CURRENT_EVENTS, updated_at 2015_01_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible CryptoWall encrypted download"; flow:to_client,established; file_data; byte_test:1,<,12,0; content:"|00 00 00|"; distance:1; within:3; byte_test:1,<,127,0,relative; byte_test:1,>,48,0,relative; byte_jump:1,0,from_beginning,post_offset 5; byte_test:1,=,0,0,relative; pcre:"/^[\x00-\x0c]\x00\x00\x00[a-z0-9]{6,12}\x00/s"; classtype:trojan-activity; sid:2018788; rev:3; metadata:created_at 2014_07_28, updated_at 2014_07_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 45 b9 f1 e8 a9 d8 52|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020331; rev:3; metadata:attack_target Client_and_Server, created_at 2015_01_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $HOME_NET any -> any [5060,5061,5600] (msg:"ET MALWARE Ponmocup plugin #2600 (SIP scanner)"; content:"User-Agent|3a| Zoiper for Windows rev.1812|0d0a|"; threshold: type limit, count 1, seconds 3600, track by_src; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022206; rev:2; metadata:created_at 2015_12_02, updated_at 2015_12_02;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,465,587] (msg:"ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (HELO)"; flow:to_server,established; content:"HELO "; nocase; content:!"|0a|"; within:1024; pcre:"/^\s*?\d[\d\x2e]{255}/R"; reference:url,openwall.com/lists/oss-security/2015/01/27/9; classtype:attempted-admin; sid:2020325; rev:2; metadata:created_at 2015_01_28, updated_at 2015_01_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Evil Redirector Leading to EK Mar 06 2015"; flow:established,to_server; content:"/counter.php?referrer=http"; http_uri; classtype:exploit-kit; sid:2020638; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_03_07, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,465,587] (msg:"ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (EHLO)"; flow:to_server,established; content:"EHLO "; nocase; content:!"|0a|"; within:1024; pcre:"/^\s*?\d[\d\x2e]{255}/R"; reference:url,openwall.com/lists/oss-security/2015/01/27/9; classtype:attempted-admin; sid:2020326; rev:4; metadata:created_at 2015_01_28, updated_at 2015_01_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|www.benvenuittopronto.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022248; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible WordpressPingbackPortScanner detected"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/xmlrpc.php"; http_uri; content:"pingback.ping"; http_client_body; nocase; threshold: type both, track by_src, seconds 60, count 5; reference:url,seclists.org/bugtraq/2012/Dec/101; reference:url,github.com/FireFart/WordpressPingbackPortScanner/; reference:url,www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability/; classtype:web-application-attack; sid:2016061; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca a8 d2 15 e5 c6 b7 72|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022249; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Agent.PYO Receiving Config"; flow:established,from_server; file_data; content:"path = "; within:7; content:"|0a|delay = "; distance:0; pcre:"/^\d+\n/R"; content:"hash = "; within:7; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:trojan-activity; sid:2020335; rev:2; metadata:created_at 2015_01_30, updated_at 2015_01_30;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|theliveguard.net"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022250; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Flashpack Redirect Method 3"; flow:established,to_server; content:"POST"; http_method; content:!"/gateway.php"; http_uri; content:"gate"; http_uri; fast_pattern:only; content:".php"; http_uri; content:".swf"; http_header; pcre:"/^Referer\x3a[^\r\n]+\.swf/Hmi"; classtype:trojan-activity; sid:2019325; rev:9; metadata:created_at 2014_09_30, updated_at 2014_09_30;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|televcheck.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022251; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Dropper YABROD Downloading Files"; flow:from_client,established; urilen:11; content:"/Yabrod.pdf"; content:"User-Agent|3a 20|n1|0d 0a|"; fast_pattern:12,4; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; reference:md5,44df02ac28d80deb45f5c7c48b56a858; reference:url,fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf; classtype:trojan-activity; sid:2020346; rev:2; metadata:created_at 2015_02_03, former_category MALWARE, updated_at 2019_10_16;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|welcomefreinds.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022252; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT HanJuan Landing Dec 10 2014"; flow:established,from_server; file_data; content:"|27|.replace(/["; pcre:"/^[A-Za-z]{10,}/R"; content:"]/g,|27 27|).substr|28|"; fast_pattern; content:"document.write("; content:"d"; content:!"27cdb6e-ae6d-11cf-96b8-444553540000"; within:35; pcre:"/^[^\x27]*?2[^\x27]*?7[^\x27]*?c[^\x27]*?d[^\x27]*?b[^\x27]*?6[^\x27]*?e[^\x27]*?-[^\x27]*?a[^\x27]*?e[^\x27]*?6[^\x27]*?d[^\x27]*?-[^\x27]*?1[^\x27]*?1[^\x27]*?c[^\x27]*?f[^\x27]*?-[^\x27]*?9[^\x27]*?6[^\x27]*?b[^\x27]*?8[^\x27]*?-[^\x27]*?4[^\x27]*?4[^\x27]*?4[^\x27]*?5[^\x27]*?5[^\x27]*?3[^\x27]*?5[^\x27]*?4[^\x27]*?0[^\x27]*?0[^\x27]*?0[^\x27]*?0/Rsi"; classtype:trojan-activity; sid:2019916; rev:3; metadata:created_at 2014_12_11, former_category CURRENT_EVENTS, updated_at 2014_12_11;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M1"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|04|Asia"; distance:1; within:5; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022253; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BePush/Kilim Checkin response"; flow:established,from_server; file_data; content:"Server_ok"; depth:9; flowbits:isset,ET.FB.troj; reference:url,seclists.org/fulldisclosure/2015/Jan/131; reference:md5,cdcc132fad2e819e7ab94e5e564e8968; classtype:command-and-control; sid:2020349; rev:2; metadata:created_at 2015_02_03, former_category MALWARE, updated_at 2015_02_03;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M2"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0d|North America"; distance:1; within:14; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022254; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET MALWARE Possible Dridex e-mail inbound"; flow:established,to_server; content:"<no-replay"; fast_pattern:only; content:"User-Agent|3a 20|Roundcube"; classtype:bad-unknown; sid:2020351; rev:1; metadata:created_at 2015_02_03, former_category CURRENT_EVENTS, updated_at 2015_02_03;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M3"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|06|Africa"; distance:1; within:7; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022255; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Feb 04 2015"; flow:established,from_server; content:"26 Jul 2039"; http_header; fast_pattern:only; content:"Expires|3a| Sat, 26 Jul"; http_header; pcre:"/Last-Modified\x3a\x20[A-Z][a-z]+, 26 Jul 2039/H"; classtype:exploit-kit; sid:2020355; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M4"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|06|Europe"; distance:1; within:7; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022256; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Feb 04 2015 M2"; flow:established,from_server; content:"26 Jul 2040"; http_header; fast_pattern:only; content:"Expires|3a| Sat, 26 Jul"; http_header; pcre:"/Last-Modified\x3a\x20[A-Z][a-z]+, 26 Jul 2040/H"; classtype:exploit-kit; sid:2020356; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M5"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|09|Australia"; distance:1; within:10; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022257; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Dec 24 2014"; flow:established,from_server; content:"Expires|3a| Sat, 26 Jul"; http_header; content:"Last-Modified|3a| Sat, 26 Jul 2039 "; http_header; fast_pattern:12,20; classtype:exploit-kit; sid:2020068; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M6"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0d|South America"; distance:1; within:14; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022258; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Primer Feb 04 2014 (noalert)"; flow:established,from_server; file_data; content:"Elinor"; pcre:"/^\W/R"; flowbits:set,ET.Angler.Primer; flowbits:noalert; classtype:exploit-kit; sid:2020365; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M7"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0a|Antarctica"; distance:1; within:11; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022259; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Primer Feb 04 2014 (noalert)"; flow:established,from_server; file_data; content:"Dashwood"; pcre:"/^\W/R"; flowbits:set,ET.Angler.Primer; flowbits:noalert; classtype:exploit-kit; sid:2020366; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|checkstat99.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022267; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Chaintor/Tordal User-Agent spotted downloading payload"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Macintosh|3b| Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"; fast_pattern:50,20; http_header; classtype:trojan-activity; sid:2020347; rev:4; metadata:created_at 2015_02_03, updated_at 2015_02_03;)
+#alert http [$EXTERNAL_NET,!208.85.44.0/24] $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (3)"; flow:established,to_client; file_data; content:"|dc 18 02|"; distance:4; within:3; pcre:"/^(?:\x62|\x1b)/R"; classtype:trojan-activity; sid:2022140; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible HTTP GET Deep Panda C2 Activity"; flow:established,to_server; content:"GET"; http_method; content:".jpg?id="; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.jpg\?id=\d+$/U"; reference:md5,5acc539355258122f8cdc7f5c13368e1; classtype:command-and-control; sid:2020379; rev:2; metadata:created_at 2015_02_06, updated_at 2015_02_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 85 47 00 43 cf a7 86 ee|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,d90c0177437c4cf588de4e60ab233fe1; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022275; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.XOR Checkin"; flow:to_server,established; content:"BB2FA36AAA9541F0"; depth:500; reference:url,blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html; classtype:command-and-control; sid:2020381; rev:3; metadata:created_at 2015_02_07, former_category MALWARE, malware_family XorDDoS, updated_at 2015_02_07;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|lililililililili.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022276; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (ASCII)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|5c|msuta64.dll"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020173; rev:2; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|intelliadsign.net"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022277; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (ASCII)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|5c|ole64.dll"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020174; rev:2; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|boistey.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022278; rev:1; metadata:attack_target Client_and_Server, created_at 2015_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (ASCII)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|5c|ole.dll"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020175; rev:2; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|ssl-tree.ru"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022286; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (Unicode)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|5c 00|m|00|s|00|u|00|t|00|a|00|6|00|4|00|.|00|d|00|l|00|l"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020176; rev:3; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|foenglera.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022287; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (Unicode)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|5c 00|o|00|l|00|e|00|6|00|4|00|.|00|d|00|l|00|l"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020177; rev:3; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+alert tcp any any -> $HOME_NET 23 (msg:"ET EXPLOIT Juniper ScreenOS telnet Backdoor Default Password Attempt"; flow:established,to_server; content:"|3c 3c 3c 20 25 73 28 75 6e 3d 27 25 73 27 29 20 3d 20 25 75|"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:cve,2015-7755; reference:url,community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor; classtype:attempted-admin; sid:2022291; rev:1; metadata:created_at 2015_12_21, updated_at 2015_12_21;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (Unicode)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|5c 00|o|00|l|00|e|00|.|00|d|00|l|00|l"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020178; rev:3; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M8"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0f|Central America"; distance:1; within:16; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022292; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB2 Traffic"; flow:established,to_server; content:"|FE|SMB|40|"; offset:4; depth:5; content:"|16 00|"; distance:0; content:"m|00|s|00|u|00|t|00|a|00|6|00|4|00|.|00|d|00|l|00|l"; distance:8; within:21; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020382; rev:5; metadata:created_at 2015_02_07, former_category MALWARE, updated_at 2015_02_07;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|rommen-haft.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022293; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB2 Traffic"; flow:established,to_server; content:"|FE|SMB|40|"; offset:4; depth:5; content:"|12 00|"; distance:0; content:"o|00|l|00|e|00|6|00|4|00|.|00|d|00|l|00|l"; distance:8; within:17; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020383; rev:4; metadata:created_at 2015_02_07, updated_at 2015_02_07;)
+#alert ip $HOME_NET any -> [206.72.206.74,206.72.206.75,206.72.206.76,206.72.206.77,206.72.206.78,66.45.241.130,66.45.241.131,66.45.241.132,66.45.241.133,66.45.241.134] any (msg:"ET MALWARE Kelihos CnC Server Activity"; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; reference:url,blog.malwaremustdie.org/2015/12/mmd-0046-2015-kelihos-cnc-activity-on.html; classtype:command-and-control; sid:2022294; rev:1; metadata:created_at 2015_12_22, former_category MALWARE, updated_at 2015_12_22;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB2 Traffic"; flow:established,to_server; content:"|FE|SMB|40|"; offset:4; depth:5; content:"|0e 00|"; distance:0; content:"o|00|l|00|e|00|.|00|d|00|l|00|l"; distance:8; within:13; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020384; rev:2; metadata:created_at 2015_02_07, updated_at 2015_02_07;)
+alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ET POLICY FOX-SRT - Juniper ScreenOS SSH World Reachable"; flow:to_client,established; content:"SSH-2.0-NetScreen"; reference:cve,2015-7755; reference:url,kb.juniper.net/JSA10713; classtype:policy-violation; sid:2022299; rev:2; metadata:created_at 2015_12_22, updated_at 2015_12_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (11)"; flow:established,to_client; file_data; content:"|c1 e4 07 2f 13 ad 23 2e|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020387; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mon Dec 21 2015 5"; flow:from_server,established; file_data; content:"|3f 22 5c 78|"; fast_pattern; byte_test:1,>,0x2f,-5,relative; byte_test:1,<,0x3a,-5,relative; content:"var "; pcre:"/^\s*?[a-z]+\s*?=\s*?\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b]/Rsi"; reference:url,blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html; classtype:exploit-kit; sid:2022290; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_21, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Sweet Orange Landing Nov 04 2013"; flow:from_server,established; file_data; content:"|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3e|"; fast_pattern:only; content:"|20|id=|22|"; pcre:"/^(?=[a-z]{0,7}[A-Z])(?=[A-Z]{0,7}[a-z])[A-Za-z]{8}\x22[^>]+?>[A-Za-z]{70}/Rs"; classtype:exploit-kit; sid:2019647; rev:5; metadata:created_at 2014_11_05, former_category CURRENT_EVENTS, updated_at 2014_11_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|givemyporn.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022301; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET DELETED Job314/Neutrino Reboot EK Payload Nov 20 2014"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"User-Agent|3a 20|Mozilla"; http_header; fast_pattern; content:"GET"; http_method; pcre:"/^\/(?:[a-z]+\.[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){3,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)$/U"; classtype:exploit-kit; sid:2019764; rev:9; metadata:created_at 2014_11_21, updated_at 2018_06_18;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|qiqiqiqiqiqi.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022302; rev:1; metadata:attack_target Client_and_Server, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/AlienSpy RAT Checkin"; flow:established,to_server; flowbits:isset,ET.rat.alienspy; content:"|78 70|"; depth:2; content:"|1f 8b 08 00 00 00 00 00 00 00 6d|"; distance:4; within:11; pcre:"/^[\x53\x54]/R"; reference:url,contagiodump.blogspot.com/2014/11/alienspy-java-rat-samples-and-traffic.html?m=1; classtype:command-and-control; sid:2019739; rev:3; metadata:created_at 2014_11_18, former_category MALWARE, updated_at 2014_11_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"22C83263-E4B8-4233-82CD-FB047C6BF13E"; nocase; distance:0; content:".FindCountriesByNamePattern"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*22C83263-E4B8-4233-82CD-FB047C6BF13E/si"; reference:url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html; classtype:web-application-attack; sid:2013462; rev:3; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE MSIL/Golroted.B Keylogger FTP"; flow:established,to_server; content:"STOR Logger_"; reference:md5,b2b82fd662dd0ddf53aa37bb9025bf92; classtype:trojan-activity; sid:2020411; rev:1; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt Format String Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"SkypePNRLib.PNR"; nocase; distance:0; content:".FindCountriesByNamePattern"; nocase; reference:url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html; classtype:attempted-user; sid:2013463; rev:3; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE Predator Pain Keylogger FTP"; flow:established,to_server; content:"STOR Predator_Pain"; reference:md5,c9025c9835d1b7d6f0dd2390ea7d5e18; classtype:trojan-activity; sid:2020412; rev:1; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Foxit PDF Reader Authentication Bypass Attempt"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:"Type/Action"; distance:0; nocase; content:"Launch"; nocase; within:40; content:"NewWindow true"; nocase; distance:0; pcre:"/Type\x2FAction.+Launch.+\x28\x2F[a-z]\x2F[a-z].+NewWindow\x20true/si"; reference:url,www.coresecurity.com/content/foxit-reader-vulnerabilities#lref.4; reference:cve,2009-0836; reference:url,doc.emergingthreats.net/2010878; classtype:attempted-user; sid:2010878; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED High Probability Blackhole Landing with catch qq"; flow:established,from_server; content:")|3b|}catch(qq"; fast_pattern:only; classtype:bad-unknown; sid:2014294; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_29, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Office Word 2007 sprmCMajority Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|47 CA FF|"; content:"|3E C6 FF|"; distance:0; isdataat:84,relative; content:!"|0A|"; within:84; reference:url,www.exploit-db.com/moaub11-microsoft-office-word-sprmcmajority-buffer-overflow/; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-056.mspx; reference:bid,42136; reference:cve,2010-1900; classtype:attempted-user; sid:2011478; rev:6; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - IP - 161.69.13.44"; content:"|00 01 00 01|"; content:"|00 04 A1 45 0D 2C|"; distance:4; within:6; content:!"|07|sa-live|03|com"; classtype:trojan-activity; sid:2019508; rev:3; metadata:created_at 2014_10_27, updated_at 2014_10_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Windows Common Control Library Heap Buffer Overflow"; flow:established,from_server; content:"Content-Type|3a| image/svg|2b|xml"; nocase; file_data; content:"|3c|svg xmlns="; nocase; distance:0; content:"style|3d 22|fill|3a 20 23|ffffff|22|"; nocase; distance:0; content:"transform"; nocase; distance:0; pcre:"/^=\s*\x22\s*[^\s\x22\x28]{1000}/iR"; reference:bugtraq,43717; reference:url,www.microsoft.com/technet/security/bulletin/MS10-081.mspx; classtype:attempted-admin; sid:2012174; rev:9; metadata:created_at 2011_01_12, updated_at 2011_01_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY I2P Seeds File Download"; flow:established,to_client; file_data; content:"I2Psu3"; within:6; reference:url,phishme.com/dyre-attackers-shift-tactics/; classtype:policy-violation; sid:2020416; rev:2; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ASCII Executable Inside of MSCOFF File DL Over HTTP"; flow:established,from_server; flowbits:isset,et.MCOFF; file_data; content:"|34 64 35 61|"; content:"|35 34 36 38 36 39 37 33 32 30 37 30 37 32 36 66 36 37 37 32 36 31 36 64 32 30|"; distance:38; reference:md5,f4ee917a481e1718ccc749d2d4ceaa0e; classtype:trojan-activity; sid:2022303; rev:3; metadata:created_at 2015_12_23, updated_at 2015_12_23;)
 
-alert udp $HOME_NET 1434 -> $EXTERNAL_NET any (msg:"ET DOS MC-SQLR Response Outbound Possible DDoS Participation"; content:"|05|"; depth:1; content:"ServerName|3b|"; nocase; content:"InstanceName|3b|"; distance:0; content:"IsClustered|3b|"; distance:0; content:"Version|3b|"; distance:0; threshold:type both,track by_src,count 30,seconds 60; reference:url,kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html; classtype:attempted-dos; sid:2020305; rev:4; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 97 ae 20 7e 61 5f 58 15|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022305; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $EXTERNAL_NET 1434 -> $HOME_NET any (msg:"ET DOS MC-SQLR Response Inbound Possible DDoS Target"; content:"|05|"; depth:1; content:"ServerName|3b|"; nocase; content:"InstanceName|3b|"; distance:0; content:"IsClustered|3b|"; distance:0; content:"Version|3b|"; distance:0; threshold:type both,track by_dst,count 30,seconds 60; reference:url,kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html; classtype:attempted-dos; sid:2020306; rev:3; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 a6 75 8f 19 30 3e 46 58|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022307; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Gulcrypt.B Downloading components"; flow:established,from_server; flowbits:isset,ET.Gulcrypt; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,6c41449d6c3efd4c9f98374a0d132ff6; classtype:trojan-activity; sid:2020421; rev:2; metadata:created_at 2015_02_13, updated_at 2015_02_13;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|monosuflex.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022308; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1"; flow:established,from_server; file_data; content:"lRXdjVGeFxGblh2U"; classtype:exploit-kit; sid:2020423; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powersploit Framework Script Downloaded"; flow:to_client,established; file_data; content:"function Invoke-"; depth:16; content:"|0a 7b 0a 3c 23 0a 2e 53 59 4e 4f 50 53 49 53 0a|"; distance:0; content:"|0a|PowerSploit Function|3a 20|"; distance:0; reference:md5,0aa391dc6d9ebec2f5d0ee6b4a4ba1fa; classtype:trojan-activity; sid:2022309; rev:2; metadata:created_at 2015_12_24, updated_at 2015_12_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1"; flow:established,from_server; file_data; content:"Z0V3YlhXRsxWZoN"; classtype:exploit-kit; sid:2020424; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Lets Encrypt Free SSL Cert Observed"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2022218; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_04, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2017_10_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1"; flow:established,from_server; file_data; content:"Gd1NWZ4VEbsVGaT"; classtype:exploit-kit; sid:2020425; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mon Dec 26 2015"; flow:to_server,established; content:"/st1.phtml"; http_uri; classtype:exploit-kit; sid:2022312; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M2"; flow:established,from_server; file_data; content:"KkxSZssGLjxSYsAHKu9Wa0Nmb1ZGKsFmdl"; classtype:exploit-kit; sid:2020428; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mon Dec 26 2015 2"; flow:to_server,established; content:"/lobo.phtml"; http_uri; classtype:exploit-kit; sid:2022313; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Uknown EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"DFE42z.class"; classtype:exploit-kit; sid:2020429; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Anonisma Paypal Phishing Loading Page 2015-12-29"; flow:from_server,established; file_data; content:"<title>Logging in"; nocase; fast_pattern; content:".php?cmd=_"; nocase; distance:0; content:"Hold a while"; nocase; distance:0; content:"Still loading after a few seconds"; nocase; distance:0; classtype:social-engineering; sid:2031706; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carbanak APT CnC Beacon 2"; flow:established,to_server; content:"|00 00|OS|3a 20|"; offset:10; depth:6; fast_pattern; content:"|2c 20|Domain|3a 20|"; distance:0; content:"|2c 20|User|3a 20|"; distance:0; content:"|00|"; distance:0; reference:url,securelist.com/files/2015/02/Carbanak_APT_eng.pdf; classtype:targeted-activity; sid:2020456; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_02_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PHOEN!X Apple Phish Landing Page 2015-12-29"; flow:from_server,established; file_data; content:"<title>iTunes"; nocase; fast_pattern; content:"Enter Your Password"; nocase; distance:0; content:"<!-- PHOEN!X -->"; nocase; distance:0; classtype:social-engineering; sid:2031693; rev:2; metadata:created_at 2015_12_29, former_category PHISHING, updated_at 2015_12_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Flash Exploit URI Structure Jan 21 2015"; flow:established,to_server; urilen:>48; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^\/(?:[A-Za-z0-9-_]{4}){11,}(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=)?$/U"; pcre:"/^Referer\x3a[^\r\n]+\/(?:[a-z0-9]+\.php|\d+)\r$/Hm"; classtype:exploit-kit; sid:2020234; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PHOEN!X Phish Loading Page 2015-12-29"; flow:from_server,established; file_data; content:"<title>Checking Informations"; content:"http-equiv=|22|refresh|22|"; classtype:social-engineering; sid:2031694; rev:2; metadata:created_at 2015_12_29, former_category PHISHING, updated_at 2015_12_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Payload DL M2 Feb 06 2015"; flow:to_server,established; urilen:>48; content:"HTTP/1.1|0d 0a|Host|3a|"; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"Connection|3a 20|Keep-Alive|0d 0a|"; http_header; pcre:"/^\/(?:[A-Za-z0-9-_]{4}){11,}(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=)?$/U"; content:"GET"; http_method; classtype:exploit-kit; sid:2020399; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|1terabitbit.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022321; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Jan 27 2015 M1"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:"|5b 2f 2a|"; fast_pattern; pcre:"/^[a-z]{7}(?:\s*?[a-z]+\s*?)*?[a-z]{7,}\x2a\x2f[a-zA-Z]{3,5}\W/Rs"; content:"|2f 2a|"; distance:0; pcre:"/^[a-z]{7}(?:\s*?[a-z]+\s*?)*?[a-z]{7,}\x2a\x2f/Rs"; content:"|2f 2a|"; distance:0; pcre:"/^[a-z]{7}(?:\s*?[a-z]+\s*?)*?[a-z]{7,}\x2a\x2f/Rs"; classtype:exploit-kit; sid:2020318; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_28, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|gatecheck.info"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022322; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6332 DECS2"; flow:established,from_server; file_data; content:"102,117,110,99,116,105,111,110,32,114,117,110,109,117,109,97,97"; classtype:trojan-activity; sid:2020460; rev:4; metadata:created_at 2015_02_18, former_category CURRENT_EVENTS, updated_at 2015_02_18;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (BlackEnergy CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 85 9e 1d 11 4a f9 72 62|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021624; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin EK Possible Jar Download"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"=Yes"; http_cookie; content:"cck_lasttime="; http_cookie; content:"cck_count="; http_cookie; classtype:exploit-kit; sid:2020477; rev:3; metadata:created_at 2015_02_19, updated_at 2015_02_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BlackEnergy SSL Cert"; flow:from_server,established; content:"|09 00 e3 6e 25 fe 3f fa 53 80|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/; classtype:trojan-activity; sid:2022327; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin EK Possible Jar Download"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"=Yes"; http_cookie; pcre:"/nb[\d+]=Yes/C"; classtype:exploit-kit; sid:2020478; rev:3; metadata:created_at 2015_02_19, updated_at 2015_02_19;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|ibsecurity.info"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022328; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY GENERIC CollectGarbage in Hex String No Seps"; flow:to_client,established; file_data; content:"436f6c6c6563744761726261676528"; nocase; classtype:trojan-activity; sid:2020481; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|ibcsec.xyz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022329; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in Hex No Seps"; flow:to_client,established; file_data; content:"5368656c6c45786563757465"; nocase; classtype:trojan-activity; sid:2020482; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NanoLocker Check-in (ICMP) M2"; itype:8; icode:0; dsize:26<>35; content:"|33|"; depth:1; pcre:"/^(?=[A-F1-9]*?[a-km-zGHJ-NP-Z])[a-km-zA-HJ-NP-Z1-9]{25,34}(?:64)?$/R"; reference:md5,24273ce5ca8e84c52b270b52659304a8; reference:url,blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/; classtype:trojan-activity; sid:2022330; rev:2; metadata:created_at 2016_01_05, updated_at 2016_01_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in URLENCODE"; flow:to_client,established; file_data; content:"%53%68%65%6c%6c%45%78%65%63%75%74%65"; nocase; classtype:trojan-activity; sid:2020483; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NanoLocker Check-in (ICMP) M1"; itype:8; icode:0; dsize:26<>35; content:"|31|"; depth:1; pcre:"/^(?=[A-F1-9]*?[a-km-zGHJ-NP-Z])[a-km-zA-HJ-NP-Z1-9]{25,34}(?:64)?$/R"; reference:md5,24273ce5ca8e84c52b270b52659304a8; reference:url,blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/; classtype:trojan-activity; sid:2022331; rev:3; metadata:created_at 2016_01_05, updated_at 2016_01_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Comment in Body"; flow:to_client,established; file_data; content:"|3c 21 2d 2d 20 30 39 38 30 32 33 37 36 34 32 20 2d 2d 3e|"; classtype:exploit-kit; sid:2020484; rev:2; metadata:created_at 2015_02_19, updated_at 2015_02_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE ELF.MrBlack DOS.TF Variant"; flow:established,to_server; content:"Linux_"; offset:8; depth:6; content:"TF-"; distance:58; within:3; fast_pattern; reference:url,blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html; classtype:trojan-activity; sid:2022336; rev:2; metadata:created_at 2016_01_07, updated_at 2016_01_07;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SuperFish Possible SSL Cert CnC Traffic"; flow:established,from_server; content:"|55 04 0a|"; content:"|0e|Superfish Inc."; distance:1; within:15; content:"|55 04 03|"; distance:0; content:"|19|*.best-deals-products.com"; distance:1; within:26; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:command-and-control; sid:2020492; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_02_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jan 6th 2016 M1"; flow:established,to_server; urilen:18; content:"GET"; http_method; content:"/switch/cookie.php"; depth:18; http_uri; fast_pattern; classtype:exploit-kit; sid:2022338; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_07, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing Page M2"; flow:from_server,established; file_data; content:"deconcept.SWFObjectUtil.getPlayerVersion"; fast_pattern; content:"navigator.userAgent.toLowerCase()|3b|"; content:"if|28|document.cookie"; content:"var "; pcre:"/^(?P<vname>[A-Za-z0-9]+)\s*?=\s*?navigator.userAgent.toLowerCase\x28\x29\x3b.+?if\(document.cookie[^\r\n]+\([^\r\n]+(?P=vname)[\x2e\x5b\x22\x27+\s]+i[\x22\x27+\s]*n[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*x[\x22\x27+\s]*O[\x22\x27+\s]*f[\x22\x27+\s]*\x5d?\(\s*?[\x22\x27]b[\x22\x27+\s]*o[\x22\x27+\s]*t[\x22\x27+\s]*[\x22\x27][^\r\n]+(?P=vname)[\x2e\x5b\x22\x27+\s]+i[\x22\x27+\s]*n[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*x[\x22\x27+\s]*O[\x22\x27+\s]*f[\x22\x27+\s]*\x5d?\(\s*?[\x22\x27]s[\x22\x27+\s]*p[\x22\x27+\s]*i[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*r[\x22\x27+\s]*[\x22\x27]/Rs"; classtype:exploit-kit; sid:2020407; rev:5; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jan 6th 2016 M2"; flow:established,from_server; content:"Content-Type|3a 20|application/javascript|3b|"; http_header; file_data; content:"var iframe"; within:13; pcre:"/^\s*?=\s*?[\x22\x27]<iframe\s*?src\s*?=/R"; content:":-"; pcre:"/^\d{3,}/R"; content:"</iframe>"; pcre:"/^\s*?/Rs"; content:"document.write(iframe)|3b|"; isdataat:!2,relative; classtype:exploit-kit; sid:2022341; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page M2"; flow:established,from_server; file_data; content:"function llll|28|"; content:"return bmw|3b|"; distance:0; classtype:exploit-kit; sid:2020494; rev:3; metadata:created_at 2015_02_20, updated_at 2015_02_20;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bulta CnC Beacon"; flow:established,to_server; content:"|1f 93 97 d3 94 01 69 49 4d 7b a7 ac f6 7a|"; depth:14; reference:md5,8dd612b14a2a448e8b1b6f3d09909e45; classtype:command-and-control; sid:2022345; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2016_01_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M3"; flow:established,from_server; file_data; content:"|2a|0xffffffff|2a|"; content:"|2a|str2long|2a|"; content:"|2a|long2str|2a|"; classtype:exploit-kit; sid:2020495; rev:3; metadata:created_at 2015_02_20, updated_at 2015_02_20;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Malicious Authline Seen in JAR Backdoor"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|CGX2U2oeocN3DTJhyPG2cPg7xpRRTzNZkz|22 2c 20 22|"; distance:0; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html; classtype:coin-mining; sid:2022349; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_01_12, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2016_01_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carbanak APT CnC Beacon 1"; flow:established,to_server; dsize:24; content:"|08|"; depth:1; byte_extract:1,1,Carbanak.Pivot,relative; byte_test:1,!=,Carbanak.Pivot,0,relative; byte_test:1,=,Carbanak.Pivot,3,relative; content:"|00 00 00 02 00 00 00 00 00 00 00 00 00|"; distance:4; within:13; fast_pattern; content:!"|00 00 00|"; within:3; reference:md5,6ae1bb06d10f253116925371c8e3e74b; reference:url,securelist.com/files/2015/02/Carbanak_APT_eng.pdf; classtype:targeted-activity; sid:2020455; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_02_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Loading Gif Inline Image"; flow:established,from_server; content:"background|3a|url(data|3a|image/gif|3b|base64,R0lGODlhEAAQAAAAACH/C05FVFNDQVBFMi4wAwH//"; classtype:trojan-activity; sid:2014842; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Post-infection HTTP Request Feb 20 2015"; flow:established,to_server; urilen:13; content:"GET"; http_method; content:"?"; http_uri; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; fast_pattern:2,20; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^\/[a-z]{3}\?[A-F0-9]{8}$/U"; classtype:exploit-kit; sid:2020496; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeM RAT CnC Beacon"; flow:established,to_server; content:"<html><title>"; depth:13; content:"</title><body>"; within:48; content:!"</body>"; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6|"; distance:0; reference:md5,3e008471eaa5e788c41c2a0dff3d1a89; classtype:command-and-control; sid:2014636; rev:5; metadata:attack_target Client_Endpoint, created_at 2012_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_04_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Feb 04 2014 T1"; flow:established,from_server; flowbits:isset,ET.Angler.Primer; file_data; content:"|76 61 72 20 6b 3d 30 3b 20 6b 3c 31 3b 6b 2b 2b 29 7b 3b 7d 7d|"; classtype:exploit-kit; sid:2020367; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF.STD.ddos Checkin"; flow:established,to_server; dsize:28; content:"2-1Q3@@4V-9-W$p#=A#9c=#W~,|0d 0a|"; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=2747&start=20#p27639; classtype:command-and-control; sid:2022367; rev:2; metadata:created_at 2016_01_14, former_category MALWARE, updated_at 2016_01_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible Unknown EK HFS CVE-2014-6332"; flow:established,from_server; content:"Server|3a 20|HFS|20|"; http_header; fast_pattern; file_data; content:"Wscript.Shell"; content:"Microsoft.XMLHTTP"; content:"ADODB.Stream"; content:"cmd.exe"; classtype:exploit-kit; sid:2020498; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_23, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert ssh any $SSH_PORTS -> any any (msg:"ET EXPLOIT Possible CVE-2016-0777 Server Advertises Suspicious Roaming Support"; flow:established,to_client; content:"|14|"; offset:6; content:"resume@appgate.com"; distance:0; content:!"AppGateSSH_5.2"; reference:cve,2016-0777; reference:url,www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt; classtype:attempted-user; sid:2022369; rev:2; metadata:created_at 2016_01_15, updated_at 2016_01_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Unknown EK Landing"; flow:established,from_server; content:"|64 6f 63 75 6d 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 2e 6c 65 6e 67 74 68 3e 30 29 7b|"; content:"|3d 22 31 22 2b 22 31 22 3b 64 65 6c 65 74 65|"; distance:0; content:"|2b 3d 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22|"; distance:0; classtype:exploit-kit; sid:2020501; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_23, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !7680 (msg:"ET P2P BitTorrent peer sync"; flow:established; content:"|00 00 00 0d 06 00|"; depth:6; threshold: type limit, track by_dst, seconds 300, count 1; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000334; classtype:policy-violation; sid:2000334; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET DELETED Microsoft Access database error in HTTP response, possible SQL injection point"; flow:from_server,established; content:"JET Database Engine"; fast_pattern:only; classtype:web-application-attack; sid:2020502; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_23, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 7680 (msg:"ET P2P MS WUDO Peer Sync"; flow:established; content:"|00 00 00 0d 06 00|"; depth:6; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,windows.microsoft.com/en-us/windows-10/windows-update-delivery-optimization-faq; classtype:policy-violation; sid:2022371; rev:1; metadata:created_at 2016_01_15, updated_at 2016_01_15;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"mysql_"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020507; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp any any -> any $SSH_PORTS (msg:"ET EXPLOIT Possible CVE-2016-0777 Client Sent Roaming Resume Request"; flow:established,to_server; content:"|14|"; offset:6; content:"roaming@appgate.com"; distance:0; content:!"AppGateSSH_5.2"; reference:cve,2016-0777; reference:url,www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt; classtype:attempted-user; sid:2022370; rev:2; metadata:created_at 2016_01_15, updated_at 2016_01_15;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQL syntax"; fast_pattern; content:"MySQL"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020506; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|PA|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022385; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"MySqlException (0x"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020508; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|relaxsaz.com"; distance:1; within:13; reference:md5,9b8fed949202b860d49f326d5e33bb35; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022386; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"valid MySQL result"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020509; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|contora24.com"; distance:1; within:14; reference:md5,9b8fed949202b860d49f326d5e33bb35; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022387; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"MySqlClient."; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020510; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|websecuranalitic.com"; distance:1; within:21; reference:md5,105213be0a168d5e3eb0e4ff0262cf12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022388; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"com.mysql.jdbc.exceptions"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020511; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|moneyclass24.com"; distance:1; within:17; reference:md5,105213be0a168d5e3eb0e4ff0262cf12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022389; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"PostgreSQL"; fast_pattern; content:"ERROR"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020512; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|vle.cli"; distance:1; within:8; reference:md5,678129a67898174fdb7e8c70ebcca6c3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022390; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"Wpg_"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020513; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1E|www.nonewhateverplanred.juegos"; distance:1; within:31; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022391; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"valid PostgreSQL result"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020514; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1E|www.removenationalstiff.taipei"; distance:1; within:31; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022392; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Npgsql."; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020515; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|20|www.fightingmotioncertainly.page"; distance:1; within:33; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022393; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"org.postgresql.util.PSQLException"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020516; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0D|dinuspuka.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022394; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"ERROR|3a 20 20|syntax error at or near"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020517; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0D|popredrak.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022395; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Driver"; fast_pattern; pcre:"/^ SQL[-_ ]Server/R"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020518; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|vorlager.ru"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022396; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"OLEDB"; fast_pattern; content:"|20|SQL Server"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020519; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|IR|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022397; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"mssql_"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020521; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|kuklovodw.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022404; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception"; fast_pattern; content:"System.Data.SqlClient."; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020523; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|BW|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022408; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception"; fast_pattern; content:"Roadhouse.Cms"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020524; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CenterPOS User Agent Observed"; flow:established,to_server; content:"User-Agent|3a 20|IDOSJNDX|0d 0a|"; fast_pattern; flowbits:set,ET.centerpos; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022468; rev:2; metadata:created_at 2016_01_29, updated_at 2019_10_23;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Access error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Microsoft Access"; fast_pattern; pcre:"/^ \d+ Driver/R"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020525; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|buhzgalter.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022474; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Access error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"JET Database Engine"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020526; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ursnif Injects)"; flow:from_server,established; content:"|55 04 03|"; content:"|0f|docknetwork.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022475; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Access error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Access Database Engine"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020527; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|macroflex.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022476; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"ORA-"; fast_pattern:only; pcre:"/ORA-\d{4}/"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020528; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET SCAN Possible WordPress xmlrpc.php BruteForce in Progress - Response"; flow:established,from_server; flowbits:isset,ET.XMLRPC.PHP; file_data; content:"<name>faultCode</name>"; content:"<int>403</int>"; content:"<string>Incorrect username or password.</string>"; threshold:type both, track by_src, count 5, seconds 120; reference:url,isc.sans.edu/diary/+WordPress+brute+force+attack+via+wp.getUsersBlogs/18427; classtype:attempted-admin; sid:2018755; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_07_23, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Oracle error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020529; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|13|ashirimi-critism.kz"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022478; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"oci_"; distance:0; fast_pattern; pcre:"/Warning.*\Woci_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020531; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI"; flow:established,to_server; content:"POST"; http_method; content:"imei="; nocase; http_uri; pcre:"/imei=\d{2}-?\d{6}-?\d{6,}-?\d{1,}/Ui"; content:!"Host|3a 20|iphone-wu.apple.com"; http_header; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2012848; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"ora_"; fast_pattern; distance:0; pcre:"/Warning.*\Wora_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020532; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ChinaZ 2.0 DDoS Bot Checkin 3"; flow:established,to_server; content:"*"; pcre:"/^\d+/R"; content:"MHZ|00 00 00 00|"; within:7; content:"MB|00 00 00 00|"; distance:0; content:"|28|null|29 00 00 00 00|"; fast_pattern; distance:0; reference:url,blog.malwaremustdie.org/2015/06/the-elf-chinaz-reloaded.html; classtype:command-and-control; sid:2021526; rev:2; metadata:created_at 2015_07_23, former_category MALWARE, updated_at 2015_07_23;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE DB2 error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"CLI Driver"; fast_pattern:only; pcre:"/CLI Driver.*DB2/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020533; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|KM|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022489; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE DB2 error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"DB2 SQL error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020534; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED APT.Fexel Checkin"; flow:established,to_server; content:"agtid="; http_header; content:"08x"; http_client_body; reference:md5,70e87b2898333e11344b16a72183f8e9; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html; classtype:targeted-activity; sid:2019469; rev:6; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE DB2 error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"bdb2_"; fast_pattern:only; pcre:"/bdb2_\w+\(/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020535; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 07 2016"; flow:established,to_server; content:"/QrQ8Gr"; http_uri; urilen:7; classtype:exploit-kit; sid:2022496; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_09, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Informix error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception"; content:"Informix"; fast_pattern; pcre:"/Exception.*Informix/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020536; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY RDP disconnect request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|80|"; offset: 5; depth: 1; reference:url,doc.emergingthreats.net/2001331; classtype:misc-activity; sid:2001331; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Firebird error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Dynamic SQL Error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020537; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY RDP connection request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|E0|"; offset: 5; depth: 1; reference:url,doc.emergingthreats.net/2001329; classtype:misc-activity; sid:2001329; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Firebird error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Dynamic SQL Error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020538; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 03|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020630; rev:6; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQLite/JDBCDriver"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020539; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020668; rev:2; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQLite.Exception"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020540; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 28|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020664; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"System.Data.SQLite.SQLiteException"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020541; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 14|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020660; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"SQLite3|3a 3a|"; fast_pattern; distance:0; pcre:"/Warning.*SQLite3::/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020543; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 06|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020631; rev:6; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"[SQLITE_ERROR]"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020544; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 17|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020669; rev:2; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SAP MaxDB error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQL error"; fast_pattern; content:"POS("; distance:0; pcre:"/SQL error.*POS\([0-9]+\)/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020545; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 29|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020665; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SAP MaxDB error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"maxdb"; fast_pattern; distance:0; pcre:"/Warning.*maxdb/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020546; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0E|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020633; rev:6; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Sybase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"sybase"; fast_pattern; distance:0; pcre:"/i?Warning.*sybase/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020547; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 08|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020632; rev:5; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Sybase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Sybase message"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020548; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 11|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020659; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Sybase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Sybase Server message"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020549; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 27|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020663; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ingres error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"ingres_"; fast_pattern; distance:0; pcre:"/Warning.*ingres_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020550; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 2A|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020666; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"sqlite_"; fast_pattern; distance:0; pcre:"/Warning.*sqlite_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020542; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 2B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020667; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ingres error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Ingres SQLSTATE"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020551; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M3"; flow:established,to_server; urilen:40<>65; content:"3"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])3(?:(?P=sep)|\d)*?$/U"; content:!"computerwoche.de|0d 0a|"; http_header; classtype:exploit-kit; sid:2020998; rev:5; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ingres error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Ingres"; fast_pattern; content:"Driver"; distance:0; pcre:"/Ingres\W.*Driver/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020552; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M4"; flow:established,to_server; urilen:40<>65; content:"4"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])4(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2020999; rev:4; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Frontbase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception (condition )"; content:". Transaction rollback."; fast_pattern; distance:0; pcre:"/Exception (condition )\d+\. Transaction rollback\./m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020553; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 26|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020662; rev:5; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE HSQLDB error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"org.hsqldb.jdbc"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020554; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 63|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,weakdh.org; classtype:bad-unknown; sid:2021124; rev:2; metadata:created_at 2015_05_20, updated_at 2015_05_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - Weevely - Downloaded"; flow:established,to_client; file_data; content:"<?php|0A|$"; content:"="; distance:4; within:2; content:" str_replace("; distance:0; classtype:trojan-activity; sid:2020555; rev:2; metadata:created_at 2015_02_24, updated_at 2015_02_24;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 65|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,weakdh.org; classtype:bad-unknown; sid:2021125; rev:2; metadata:created_at 2015_05_20, updated_at 2015_05_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole Content form tag appended to head"; flow:established,from_server; file_data; content:"document.getElementsByTagName('head').item(0).appendChild(form_tag)|3b|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020561; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_25, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Heap based buffer overrun Exploit Specific"; flow:to_server,established; byte_test:3,>,10000,0,little; content:"|00 03|"; offset:3; depth:2; pcre:"/^(USE|PASS|SELECT|UPDATE|INSERT|ASCII|SHOW|CREATE|DESCRIBE|DROP|ALTER)\s+?(.{1})\2{300}/Ri"; reference:url,archives.neohapsis.com/archives/fulldisclosure/2012-12/0006.html; classtype:attempted-user; sid:2015987; rev:3; metadata:created_at 2012_12_05, updated_at 2012_12_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole function return value"; flow:established,from_server; file_data; content:"return ((!a) ? 'x-'|3a| a) + Math.floor(Math.random() * 99999|29 3b|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020562; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_25, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102413; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole iframe"; flow:established,from_server; file_data; content:".item(0).appendChild(iframe_tag)"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020559; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Probable Nuclear exploit kit landing page"; flow:established,to_server; content:".html"; http_uri; content:"GET"; http_method; pcre:"/^\/[0-9a-f]{32}\.html$/U"; content:"Referer|3a|"; http_header; classtype:exploit-kit; sid:2016952; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_31, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox and Targetted Watering Holes ActiveX Call"; flow:established,from_server; file_data; content:"var version|3b|var ax|3b|var e|3b|try{axo=new ActiveXObject"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020560; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, signature_severity Major, tag ActiveX, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"ET EXPLOIT Computer Associates BrightStor ARCserve Backup for Laptops LGServer.exe DoS"; flow:established,to_server; content:"|ff ff ff ff|"; offset:16; depth:4; reference:url,www.securityfocus.com/archive/1/archive/1/458650/100/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003379; classtype:attempted-dos; sid:2003379; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox and Targetted Watering Holes PDF"; flow:established,from_server; file_data; content:"plugin_pdf_ie()"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanboxframework-whos-affected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020558; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful WZ-REKLAMA Phish 2016-01-08"; flow:to_client,established; file_data; content:"<!--WZ-REKLAMA"; nocase; fast_pattern; content:"http-equiv="; nocase; distance:0; content:"refresh"; nocase; distance:1; within:8; classtype:credential-theft; sid:2031952; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_01_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 94 65 e5 77 66 3b be 2b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020564; rev:2; metadata:attack_target Client_and_Server, created_at 2015_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|CO|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022508; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Client HeartBeat"; flow:established,to_server; dsize:5; content:"|01 00 00 00|"; depth:4; byte_test:1,>,0,0,relative; byte_test:1,<,3,0,relative; flowbits:isset,ET.NetwireRAT.Client; threshold: type both,track by_src, count 3, seconds 300; reference:md5,495eef9238282e8f69f2284ca75d2ddc; classtype:trojan-activity; sid:2020566; rev:1; metadata:created_at 2015_02_25, former_category TROJAN, updated_at 2017_12_11;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|CR|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022509; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 94 65 e5 77 66 3b be 2b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020567; rev:2; metadata:attack_target Client_and_Server, created_at 2015_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|susana24.com"; distance:1; within:13; reference:md5,23cfdb9896cadd54f935ed4e2df2e0a4; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022510; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET !1433 (msg:"ET MALWARE Unknown Trojan Downloading PE via MSSQL Connection to Non-Standard Port"; flow:from_server,established; flowbits:isset,ET.MSSQL; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,754b48c57a00b7c9f0e0640166ac7bb5; classtype:trojan-activity; sid:2020569; rev:1; metadata:created_at 2015_02_25, updated_at 2015_02_25;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|wartan24.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022511; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; content:"500 Internal Server Error"; file_data; content:"OLE DB Provider for SQL Server"; fast_pattern:only; pcre:"/SQL Server.*?error \x27[0-9a-f]{8}/mi"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020522; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|kitoboyka.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022512; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET [1024:7989,7991:] -> $HOME_NET any (msg:"ET DELETED Dropper-497 (Yumato) Status Reply from server"; flow:established,from_server; dsize:4; content:"|32 31 0d 0a|"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:trojan-activity; sid:2007920; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|vestostnord.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022513; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c5 a5 39 20 2d fb d7 22|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020582; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 bf f2 e1 26 c5 4c 2c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022514; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Sweet Orange EK Flash Exploit IE March 03 2015"; flow:established,to_server; urilen:>12; content:!".swf"; nocase; http_uri; content:"x-flash-version|3a|"; http_header; fast_pattern; content:".php?"; http_header; pcre:"/\/(?=[a-z0-9]{0,20}[A-Z])(?=[A-Z0-9]{0,20}[a-z])(?=[A-Za-z]{0,20}[0-9])[A-Za-z0-9]{12,20}$/U"; pcre:"/^Referer\x3a[^\r\n]+?\x3a\d+[^\r\n]*?\/[a-z0-9]+\.php\?[a-z0-9]+=\d+(?:\r\n|&)/Hm"; classtype:exploit-kit; sid:2020584; rev:3; metadata:created_at 2015_03_03, former_category EXPLOIT_KIT, updated_at 2015_03_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange encrypted payload"; flow:established,to_client; flowbits:isset,et.SweetOrangeURI; file_data; byte_test:1,>,95,0,relative; byte_test:1,<,128,0,relative; content:"|00 00 00|"; distance:1; within:3; content:!"|00|"; within:1; content:"|00 00 00|"; distance:1; within:3; classtype:exploit-kit; sid:2017649; rev:6; metadata:created_at 2013_10_31, former_category CURRENT_EVENTS, updated_at 2013_10_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Scam - FakeAV Alert Request March 2 2015"; flow:established,to_server; content:"afid="; http_uri; content:"&sid="; distance:0; http_uri; content:"&Expires="; distance:0; http_uri; content:"&Signature="; distance:0; http_uri; content:"&Key-Pair-Id="; distance:0; http_uri; classtype:social-engineering; sid:2020587; rev:2; metadata:created_at 2015_03_03, updated_at 2015_03_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; pcre:"/^\/[a-z\_\-]{4,20}\.php\?(?:[a-z\_\-]{4,20}=\d+?&){3,}[a-z\_\-]{4,20}=-?\d+$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,et.SweetOrangeURI; classtype:exploit-kit; sid:2017648; rev:7; metadata:created_at 2013_10_31, former_category CURRENT_EVENTS, updated_at 2013_10_31;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (12)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020591; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange IE Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:" MSIE "; http_header; pcre:"/^\/[a-z\_\-]{4,10}\.php\?([a-z\_\-]{4,10}=\d{1,3}&){7,}[a-z\_\-]{4,10}=-?\d+$/U"; flowbits:set,et.SweetOrangeURI; classtype:exploit-kit; sid:2017706; rev:6; metadata:created_at 2013_11_12, former_category CURRENT_EVENTS, updated_at 2013_11_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (13)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020592; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Possible Sweet Orange Flash/IE Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; fast_pattern:only; pcre:"/^\/[a-z\_\-]{4,10}\.php\?([a-z\_\-]{0,10}=\d{1,3}&){3,}[a-z\_\-]{4,10}=-?\d+$/U"; content:!"Accept"; http_header; content:!"User-Agent"; http_header; content:!"Referer"; http_header; flowbits:set,et.SweetOrangeURI; flowbits:noalert; classtype:exploit-kit; sid:2019544; rev:6; metadata:created_at 2014_10_28, former_category CURRENT_EVENTS, updated_at 2014_10_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (14)"; flow:established,to_client; file_data; content:"|c5 91 b0 40 ed d9 90 e2|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020593; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT Possible Sweet Orange CVE-2014-6332 Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; pcre:"/^\/[a-z\_\-]{4,10}\.php\?(?:[a-z\_\-]{0,10}=\d+?&){3,}[a-z\_\-]{4,10}=-?[a-z0-9]+$/U"; content:"WinHttp.WinHttpRequest"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; flowbits:set,et.SweetOrangeURI; classtype:exploit-kit; sid:2019752; rev:9; metadata:created_at 2014_11_20, former_category CURRENT_EVENTS, updated_at 2014_11_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (15)"; flow:established,to_client; file_data; content:"|c5 91 b0 40 ed d9 90 e2|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020594; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|YU|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022521; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (16)"; flow:established,to_client; file_data; content:"|71 37 53 d7 19 3c 44 ac|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020595; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|SA|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022522; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (17)"; flow:established,to_client; file_data; content:"|71 37 53 d7 19 3c 44 ac|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020596; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2016-0063)"; flow:established,to_client; file_data; content:"prototype"; nocase; content:"DOMImplementation"; fast_pattern; pcre:"/^\s*\([^\)]*\)\s*\.\s*prototype\s*\.\s*(?:hasFeature|isPrototypeOf)/Rsi"; reference:cve,2016-0063; classtype:trojan-activity; sid:2022523; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_02_16, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (18)"; flow:established,to_client; file_data; content:"|ff be d1 79 e8 64 54 d1|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020597; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS16-009 IE MSHTML Form Element Type Confusion (CVE-2016-0061)"; flow:from_server,established; file_data; content:"opener"; nocase; fast_pattern; pcre:"/^\s*\[\s*[\x22\x27]\\u[a-f0-9]{4}\\u[a-f0-9]{4}/Rsi"; reference:cve,2016-0061; classtype:attempted-user; sid:2022524; rev:4; metadata:created_at 2016_02_16, updated_at 2016_02_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (19)"; flow:established,to_client; file_data; content:"|ff be d1 79 e8 64 54 d1|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020598; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible 2015-7547 Malformed Server response"; flow:from_server; content:"|00 01 00 00 00 00 00 00|"; offset:4; depth:8; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^[^\x00]+\x00\x00\x01/R"; reference:cve,2015-7547; classtype:attempted-user; sid:2022531; rev:1; metadata:created_at 2016_02_17, updated_at 2016_02_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (20)"; flow:established,to_client; file_data; content:"|64 4e 63 0d 03 30 d6 a5|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020599; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|02|NY"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|08|New York"; distance:1; within:9; fast_pattern; content:"|55 04 03|"; byte_test:1,>,27,1,relative; byte_test:1,<,30,1,relative; pcre:"/^.{2}[a-z]{25}\.[a-z]{2,3}[01]/Rs"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022488; rev:3; metadata:attack_target Client_and_Server, created_at 2016_02_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Blackhole eval haha"; flow:established,from_server; content:"eval(haha"; fast_pattern:only; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:2020604; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|tatar28.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022536; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (21)"; flow:established,to_client; file_data; content:"|64 4e 63 0d 03 30 d6 a5|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020600; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|giviklorted.at"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022537; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"[Microsoft]"; content:"[ODBC SQL Server Driver]"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020520; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET P2P BitTorrent - Torrent File Downloaded"; flow:established,to_client; file_data; content:"d8|3a|announce"; within:11; content:!"mapfactor.com"; classtype:policy-violation; sid:2014734; rev:5; metadata:created_at 2012_05_11, updated_at 2012_05_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert www.eshaalfoundation.org"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 06 49 5e 75 fb 3f 44|"; within:35; fast_pattern; content:"|55 04 03|"; content:"|18|www.eshaalfoundation.org"; distance:1; within:25; reference:md5,e36073ba13e2df22348cd624ab0a9fbc; classtype:trojan-activity; sid:2020624; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible OceanLotus Time Check to Microsoft.com"; flow:to_server,established; content:"GET|20 20|HTTP/1.0|0d 0a|"; depth:15; content:"www.microsoft.com"; distance:6; within:23; reference:url,www.alienvault.com/open-threat-exchange/blog/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:targeted-activity; sid:2022539; rev:2; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cd 0b f5 0a 93 34 88 77|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020625; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible OceanLotus CnC Heartbeat"; flow:to_client,established; dsize:14; content:"|75 7a 76 7e 1a 1b 1b 1b 1b 1b 11 1b 1b 1b|"; fast_pattern; threshold: type limit, count 1, track by_src, seconds 60; reference:url,www.alienvault.com/open-threat-exchange/blog/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:command-and-control; sid:2022540; rev:1; metadata:created_at 2016_02_18, former_category MALWARE, updated_at 2016_02_18;)
 
-#alert tcp !$SMTP_SERVERS any -> !$HOME_NET 587 (msg:"ET POLICY Outbound SMTP on port 587"; flow:established; content:"mail from|3a|"; nocase; threshold: type limit, track by_src, count 1, seconds 60; reference:url,doc.emergingthreats.net/2003864; classtype:misc-activity; sid:2003864; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible 2015-7547 PoC Server Response"; flow:from_server; content:"|83 80 00 01 00 00 00 00 00 00|"; offset:2; depth:10; isdataat:2049; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; reference:cve,2015-7547; classtype:attempted-user; sid:2022542; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED WhenUClick.com Desktop Bar App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=desktop"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2001443; classtype:policy-violation; sid:2001443; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Long Response to A lookup"; flow:from_server; content:"|00 01|"; offset:4; depth:2; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^.{6}[^\x00]+/Rs"; content:"|00 00 01 00 01|"; within:5; reference:cve,2015-7547; classtype:attempted-user; sid:2022543; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b0 11 9a 92 44 f0 ee 1a|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020647; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Long Response to AAAA lookup"; flow:from_server; content:"|00 01|"; offset:4; depth:2; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^.{6}[^\x00]+/Rs"; content:"|00 00 1c 00 01|"; within:5; reference:cve,2015-7547; classtype:attempted-user; sid:2022544; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible malicious Office doc hidden in XML file"; flow:established,from_server; file_data; content:"<?xml"; within:5; content:"<?mso-application progid=|22|Word.Document|22|?>"; nocase; distance:0; content:"macrosPresent=|22|yes|22|"; distance:0; fast_pattern; reference:url,trustwave.com/Resources/SpiderLabs-Blog/Attackers-concealing-malicious-macros-in-XML-files/; classtype:trojan-activity; sid:2020657; rev:2; metadata:created_at 2015_03_10, updated_at 2015_03_10;)
+alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Malformed Server Response A/AAAA"; flow:from_server; content:"|00 01 00 00 00 00 00 00|"; offset:4; depth:10; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; reference:cve,2015-7547; classtype:attempted-user; sid:2022545; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Firefox Plug-In Download"; flow:to_client,established; file_data; content:"PK|03 04|"; distance:0; content:"/addon-sdk/"; content:"|00 00|resources|2f|numberchangerfirefox|2f|PK"; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020653; rev:3; metadata:created_at 2015_03_09, updated_at 2015_03_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET EXPLOIT Possible CVE-2015-7547 A/AAAA Record Lookup Possible Forced FallBack(fb set)"; flow:established,to_server; byte_test:2,<,513,0; byte_test:1,!&,128,4; byte_test:1,!&,64,4; byte_test:1,!&,32,4; byte_test:1,!&,16,4; byte_test:1,!&,8,4; content:"|00 01 00 00 00 00 00 00|"; offset:6; depth:8; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; flowbits:set,ET.CVE20157547.primer; flowbits:noalert; reference:cve,2015-7547; classtype:attempted-user; sid:2022546; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Redkit URI Struct Flowbit"; flow:established,to_server; content:".htm"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]{4}\.html?(\?[h-j]=\d+)?$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:exploit-kit; sid:2016589; rev:8; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
+alert tcp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Large Response to A/AAAA query"; flow:established,from_server; flowbits:isset,ET.CVE20157547.primer; byte_test:2,>,2048,0; byte_test:1,&,128,4; byte_test:1,!&,64,4; byte_test:1,!&,32,4; byte_test:1,!&,16,4; byte_test:1,!&,8,4; content:"|00 01|"; offset:6; depth:2; reference:cve,2015-7547; classtype:attempted-user; sid:2022547; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RedKit /h***.htm(l) Landing Page - Set"; flow:established,to_server; urilen:8<>11; content:"/h"; depth:2; http_uri; pcre:"/^\/h[a-z]{3}\.html?$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:exploit-kit; sid:2015927; rev:4; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FrameworkPOS CnC Server Reporting IP Address To Agent"; flow:established,to_client; file_data; content:"=="; depth:2; content:"=="; within:17; fast_pattern; file_data; content:"=="; depth:2; pcre:"/^(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})(?:={2})/R"; reference:url,threatstream.com/blog/three-month-frameworkpos-malware-campaign-nabs-43000-credits-cards-from-point-of-sale-systems; reference:md5,591e820591e10500fe939d6bd50e6776; classtype:command-and-control; sid:2022552; rev:2; metadata:created_at 2016_02_22, former_category MALWARE, updated_at 2016_02_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED RedKit - Landing Page Received - applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.redkit.uri; file_data; content:"<applet"; classtype:exploit-kit; sid:2014917; rev:4; metadata:created_at 2012_06_19, updated_at 2012_06_19;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fa 85 d0 ad 8b ad f1 59|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022553; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RedKit - Landing Page Requested - 8Digit.html"; flow:established,to_server; urilen:14; content:".html"; http_uri; pcre:"/^\/[0-9]{8}\.html$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:exploit-kit; sid:2014916; rev:3; metadata:created_at 2012_06_19, updated_at 2012_06_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit Kit Java jpg download"; flow:established,to_server; content:".jpg"; http_uri; pcre:"/\.jpg$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016371; rev:5; metadata:created_at 2013_02_08, former_category EXPLOIT_KIT, updated_at 2013_02_08;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 03|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020634; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (4)"; flow:established,to_client; file_data; content:"|f4 ec 9a|"; distance:4; within:4; pcre:"/^(?:\x8b|\xf2)/R"; classtype:trojan-activity; sid:2022141; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 06|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020635; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (1)"; flow:established,to_client; file_data; content:"|01 d2 02 8b e7 98 09 18|"; distance:4; within:8; classtype:trojan-activity; sid:2022138; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 08|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020636; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Feb 23 2016"; flow:established,from_server; file_data; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; distance:0; content:"|3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e|"; pcre:"/^\s+\d+\x3b\s*\}/R"; content:"|5d 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65|"; fast_pattern; classtype:exploit-kit; sid:2022565; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_25, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 0E|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020637; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Feb 25 2016"; flow:established,from_server; file_data; content:"|36 31 2c 39 31 2c 33 34 2c 31 31 34 2c 31 31 38 2c 35 38 2c 34 39 2c 34 39 2c 33 34 2c 34 34 2c 33 34 2c 37 37 2c 38 33 2c 37 33 2c 36 39 2c 33 34 2c 34 34 2c 39 33 2c 35 39|"; content:"|39 39 2c 31 30 34 2c 39 37 2c 31 31 34 2c 36 37 2c 31 31 31 2c 31 30 30 2c 31 30 31 2c 36 35 2c 31 31 36|"; classtype:exploit-kit; sid:2022567; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_26, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET DELETED FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020658; rev:3; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|09 00 a7 ed 6e 63 0f d0 e1 f9|"; content:"|55 04 03|"; content:"|06|server"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022571; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 19|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020661; rev:3; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andromeda Download (set)"; flow:to_server,established; content:"GET"; http_method; content:".pw|0d 0a|"; http_header; fast_pattern; pcre:"/\/\?[A-Z]{10,}$/U"; flowbits:set,ET.andromeda; flowbits:noalert; classtype:trojan-activity; sid:2022572; rev:2; metadata:created_at 2016_02_29, former_category MALWARE, updated_at 2016_02_29;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 11|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020673; rev:3; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson CnC Server Command (info) M1"; flow:established,from_server; dsize:17; content:"|0c 00 00 00 00|info=command"; reference:md5,50eb7ae1d3c075dfc9c9e82a9fa9caf5; reference:md5,40c9031ee6bbf2b2306420e9330727a6; classtype:command-and-control; sid:2035903; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_07, deployment Perimeter, former_category MALWARE, malware_family Crimson, performance_impact Low, signature_severity Major, updated_at 2015_10_07;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 17|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020675; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (dirs list)"; flow:established,from_server; content:"dirs=list"; offset:5; byte_jump:4,0,little,from_beginning,post_offset 4; isdataat:!2,relative; reference:md5,94d29dded4dfd920fc4153f18e82fc6c; classtype:trojan-activity; sid:2036283; rev:3; metadata:created_at 2016_02_17, former_category MALWARE, updated_at 2016_02_17;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 19|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020676; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (folders list)"; flow:established,from_server; content:"fldr="; offset:5; byte_jump:4,0,little,from_beginning,post_offset 4; isdataat:!2,relative; reference:md5,94d29dded4dfd920fc4153f18e82fc6c; classtype:trojan-activity; sid:2036284; rev:3; metadata:created_at 2016_02_17, former_category MALWARE, updated_at 2016_02_17;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 26|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020677; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (files list)"; flow:established,from_server; content:"fles="; offset:5; byte_jump:4,0,little,from_beginning,post_offset 4; isdataat:!2,relative; reference:md5,94d29dded4dfd920fc4153f18e82fc6c; classtype:trojan-activity; sid:2036285; rev:3; metadata:created_at 2016_02_17, former_category MALWARE, updated_at 2016_02_17;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 27|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020678; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (ping) M1"; flow:established,from_server; content:"clping=Ping"; offset:5; byte_jump:4,0,little,from_beginning,post_offset 4; isdataat:!2,relative; reference:md5,94d29dded4dfd920fc4153f18e82fc6c; reference:md5,40c9031ee6bbf2b2306420e9330727a6; classtype:trojan-activity; sid:2035904; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, malware_family Crimson, performance_impact Low, signature_severity Major, updated_at 2016_02_17;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 28|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020679; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Fake AV Phone Scam Long Domain M3 Feb 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"yourcomputerhave"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:social-engineering; sid:2022577; rev:1; metadata:created_at 2016_03_01, updated_at 2016_03_01;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 29|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020680; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN MySQL Malicious Scanning 3"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"select unhex("; fast_pattern; distance:0; content:"into dumpfile|20 27|"; distance:0; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022581; rev:1; metadata:created_at 2016_03_01, former_category CURRENT_EVENTS, updated_at 2016_03_01;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 2A|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020681; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Spam/Phish Campaign Feb 25 2016"; flow:established,to_server; content:".pw|0d 0a|"; http_header; nocase; fast_pattern:only; pcre:"/\/[a-z]\/\?[A-Z]{10}$/U"; pcre:"/^Host\x3a\x20[^\r\n]+\.pw\r?$/Hmi"; classtype:trojan-activity; sid:2022570; rev:3; metadata:created_at 2016_02_27, updated_at 2016_02_27;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 2B|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020682; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Server Hello"; flow:from_server,established; content:"|04 00 01 00 02|"; offset:2; depth:5; byte_test:2,>,15,4,relative; byte_test:2,<,33,4,relative; flowbits:set,SSlv2.ServerHello; flowbits:noalert; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022583; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 0B|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020672; rev:5; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_RC4_128_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 01 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022584; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 14|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020674; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_RC2_128_CBC_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 03 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022585; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c5 a3 08 37 22 97 2f 50|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020687; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_RC2_128_CBC_EXPORT40_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 04 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022586; rev:1; metadata:created_at 2016_03_02, former_category POLICY, updated_at 2016_03_02;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d7 2b 72 5e 83 81 97 47|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020688; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress ClientMaster Key SSL2_IDEA_128_CBC_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|0205 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022587; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a7 90 ac fd cd 02 3c 0d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020689; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_DES_64_CBC_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 06 00 40|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022588; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible AnglerEK Java Exploit/Payload Structure Jan 16 2014"; flow:established,to_server; urilen:49; content:" Java/1."; http_header; pcre:"/^\/[a-z0-9_\-]{48}$/Ui"; classtype:exploit-kit; sid:2017976; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PDF With Embedded File"; flow:established,to_client; file_data; content:"obj"; content:"<<"; within:4; content:"/EmbeddedFile"; distance:0; pcre:"/\x3C\x3C[^>]*\x2FEmbeddedFile/sm"; reference:url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/; classtype:bad-unknown; sid:2011507; rev:8; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 8F|"; fast_pattern:only; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012089; rev:2; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2017_09_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Generic HeapSpray Construct"; flow:established,to_client; file_data; content:"<script"; nocase; content:"CollectGarbage"; distance:0; fast_pattern; content:"while"; pcre:"/^\s*?\([^\)]*?(?P<var>[^\.]+)\s*?\.\s*?length\s*<\s*(?:0?[0-9]{5,}|0x[a-z0-9]{3,})[^)]+\)\s*?\{\s*?(?P=var)\s*?=\s*?(?P=var)\s*?\+\s*?(?P=var)\s*?\}/Rsi"; content:"getElementsByClassName"; distance:0; content:"CollectGarbage"; distance:0; classtype:bad-unknown; sid:2018146; rev:4; metadata:created_at 2014_02_15, former_category CURRENT_EVENTS, updated_at 2014_02_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c9 a9 58 45 25 d7 de 84|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020697; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Syndicasec.Backdoor Client POST CMD result"; flow:established,to_server; content:"POST"; http_method; content:".php?cstype="; http_uri; content:"&authname="; distance:0; http_uri; content:"&authpass="; distance:0; http_uri; content:"&hostname="; distance:0; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2014795; rev:3; metadata:created_at 2012_05_22, updated_at 2012_05_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK March 16 2015"; flow:established,to_server; urilen:51<>61; content:"/a"; http_uri; depth:2; pcre:"/^\/a[a-z]{9,}\/[a-f0-9]{40}$/U"; pcre:"/^GET \/(?P<name>a[a-z]{9,})\/.+?\r\nHost\x3a\x20(?P=name)\./sm"; classtype:exploit-kit; sid:2020698; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_03_16, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Ursnif Injects)"; flow:from_server,established; content:"|55 04 03|"; content:"|0c|dolbyfck.com"; distance:1; within:13; classtype:domain-c2; sid:2022613; rev:2; metadata:attack_target Client_and_Server, created_at 2016_03_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Office RTF Stack Buffer Overflow"; flow:from_server,established; file_data; content:"|7b 5c|rt"; within:4; flowbits:set,ETPRO.RTF; flowbits:noalert; reference:cve,2010-3333; classtype:misc-activity; sid:2020699; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_03_16, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 15 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; isdataat:!10,relative; classtype:exploit-kit; sid:2022620; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_16, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT MWI Maldoc Exploit Kit Stats Callout"; flow:established,from_server; flowbits:isset,ETPRO.RTF; file_data; content:"INCLUDEPICTURE "; pcre:"/^\s*?[\x22\x27][^\x22\x27]+\.php\?id=\d+[\x22\x27]/Rs"; classtype:exploit-kit; sid:2020700; rev:2; metadata:created_at 2015_03_16, former_category EXPLOIT_KIT, updated_at 2015_03_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 15 2016 M2"; flow:established,to_server; content:"/track/k.track?wd="; http_uri; depth:18; content:"fid="; http_uri; content:"rds="; http_uri; classtype:exploit-kit; sid:2022621; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_16, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query Sinkhole Domain Various Families (Possible Infected Host)"; content:"|00 01 00 00 00 00 00 00|"; depth:8; offset:4; content:"|0f|torpig-sinkhole|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.sysenter-honeynet.org/?p=269; classtype:bad-unknown; sid:2015813; rev:7; metadata:created_at 2012_10_18, updated_at 2012_10_18;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|marinova.am"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022623; rev:2; metadata:attack_target Client_and_Server, created_at 2016_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [9200,9292] (msg:"ET WEB_SERVER Possible CVE-2015-1427 Elastic Search Sandbox Escape Remote Code Execution Attempt"; flow:established,to_server; content:"POST /"; depth:6; content:"search"; distance:0; content:"script_fields"; distance:0; nocase; content:".class.forName"; nocase; distance:0; content:"java.lang.Runtime"; nocase; distance:0; reference:url,jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427; classtype:attempted-admin; sid:2020648; rev:2; metadata:created_at 2015_03_09, updated_at 2015_03_09;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Kasidet CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e2 62 fd fd 41 2d 9c a4|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022624; rev:2; metadata:attack_target Client_and_Server, created_at 2016_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Exploit Kit Delivering Office File to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; fast_pattern; content:!".msi"; content:!".img"; content:!"This program cannot"; classtype:exploit-kit; sid:2014099; rev:6; metadata:created_at 2012_01_04, former_category EXPLOIT_KIT, updated_at 2012_01_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message"; flow:established,to_server; content:"|22|id|22 3A|"; content:"|22|method|22 3A|"; content:"|22|mining."; within:9; content:"|22|params|22|"; within:50; pcre:"/\x22mining\x2E(subscribe|authorize)\x22/"; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2017871; rev:7; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing March 20 2015"; flow:established,from_server; file_data; content:"function iu7("; content:"ji2"; within:100; pcre:"/^\W/R"; content:"hu2"; pcre:"/^\W/R"; classtype:exploit-kit; sid:2020725; rev:2; metadata:created_at 2015_03_21, updated_at 2015_03_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Mar 18 2016"; flow:from_server,established; file_data; content:"|52 65 67 45 78 70 28 27|"; content:"|27 2b 27 3d 28 5b 5e 3b 5d 29 7b 31 2c 7d 27 29 3b|"; distance:32; within:17; content:"|3b 64 2e 73 65 74 44 61 74 65 28 64 2e 67 65 74 44 61 74 65 28 29 2b 31 29 3b|"; content:"|3c 69 66 72 61 6d 65|"; distance:0; classtype:exploit-kit; sid:2022628; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_19, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing March 20 2015 M2"; flow:established,from_server; file_data; content:"|22 29 3b 2f 2a|"; pcre:"/^[^\x2a]+\x2a\x2f(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?(?P<arg>[a-z0-9]{3,})(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?\x28[^\x29]+\x29\x3b\x2f\x2a[^\x2a]+\x2a\x2f(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?(?P=arg)(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?\x28/R"; classtype:exploit-kit; sid:2020726; rev:2; metadata:created_at 2015_03_23, updated_at 2015_03_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 19 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f|"; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; distance:0; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; classtype:exploit-kit; sid:2022629; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_19, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux.DDoS Checkin"; flow:established,to_server; dsize:1024; content:"VERSONEX|3a|"; depth:9; content:"|7c|Hacker|00 00 00|"; distance:0; reference:md5,0eab12cebbf1c8f25d82c65f34aab9d7; classtype:command-and-control; sid:2019172; rev:4; metadata:created_at 2014_08_19, former_category MALWARE, updated_at 2014_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 19 2016 M2"; flow:established,to_server; content:"/imp/one.trk?wid="; http_uri; classtype:exploit-kit; sid:2022630; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_19, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (22)"; flow:established,to_client; file_data; content:"|c5 91 b0 40 ed d9 90 e2|"; distance:1728; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020730; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading To EK Mar 22 2016"; flow:established,from_server; file_data; content:"|6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 2e 55 41 20 3d 20 55 41|"; content:"|2e 73 70 6c 69 74 28 22 2c 22 29 2c 20 69 3d 30 2c 20 6b 3b 20 66 6f 72 20 28 3b 20 6b 20 3d 20 61 5b 69 5d 2c 20 69 20 3c 20 61 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 72 2e 70 75 73 68 28|"; content:"|2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 7b 20 74 72 79 20 7b 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28|"; classtype:exploit-kit; sid:2022635; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf 74 65 6a f0 91 13 26|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020735; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v1 ASCII"; flow:to_server,established; content:"|ff|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:".locky|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022638; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Win32.Hyteod.acox Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|su|00|"; distance:53; within:4; content:"|32|"; distance:-55; within:1; pcre:"/^[a-z0-9]{50}/R"; threshold: type both, track by_src, count 3, seconds 60; classtype:trojan-activity; sid:2020741; rev:1; metadata:created_at 2015_03_25, updated_at 2015_03_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PE EXE or DLL Windows file download Text M2"; flow:established,from_server; file_data; content:"4D5A"; nocase; within:4; content:"50450000"; distance:0; content:"21546869732070726f6772616d"; nocase; fast_pattern; classtype:trojan-activity; sid:2022640; rev:2; metadata:created_at 2016_03_23, updated_at 2016_03_23;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Win32.Hyteod.acox Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ru|00|"; distance:53; within:4; content:"|32|"; distance:-55; within:1; pcre:"/^[a-z0-9]{50}/R"; threshold: type both, track by_src, count 3, seconds 60; classtype:trojan-activity; sid:2020742; rev:1; metadata:created_at 2015_03_25, updated_at 2015_03_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v1 Unicode"; flow:to_server,established; content:"|ff|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|00|.|00|l|00|o|00|c|00|k|00|y|00 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022637; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HanJuan EK Landing March 24 2015 M1"; flow:established,from_server; file_data; content:"document.createElement|28|"; pcre:"/^\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]/R"; content:"/g,|27 27|).substr|28|"; fast_pattern; within:14; pcre:"/^\s*?\d+,\s*?\d/R"; classtype:exploit-kit; sid:2020743; rev:3; metadata:created_at 2015_03_25, updated_at 2015_03_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Evil EXE download from WinHttpRequest non-exe extension"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.WinHttpRequest.no.exe.request; classtype:trojan-activity; sid:2022653; rev:2; metadata:created_at 2016_03_24, former_category CURRENT_EVENTS, updated_at 2016_03_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HanJuan EK Landing March 24 2015 M2"; flow:established,from_server; file_data; content:"document.createElement|28|"; pcre:"/^\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]/R"; content:"/g,|22 22|).substr|28|"; fast_pattern; within:14; pcre:"/^\s*?\d+,\s*?\d/R"; classtype:exploit-kit; sid:2020744; rev:3; metadata:created_at 2015_03_25, updated_at 2015_03_25;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE IrcBot Downloading Files via FTP"; flow:established,to_server; content:"RETR scrypt13"; depth:13; content:".cl"; distance:2; within:6; reference:md5,ca6208a4dd3f1f846aaaf4a6cbcc66ea; classtype:trojan-activity; sid:2022656; rev:1; metadata:created_at 2016_03_24, updated_at 2016_03_24;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unauthorized SSL Cert for Google Domains"; flow:established,from_server; content:"|55 04 0a|"; content:"|0a|MCSHOLDING"; distance:1; within:11; reference:url,googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html; classtype:trojan-activity; sid:2020736; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_03_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK EITest Mar 27"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"Cookie|3a|"; content:!"[DYNAMIC]"; http_header; pcre:"/^\/(?=[a-z][a-z\x2f]*\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d)[a-z0-9\x2f]+\/$/U"; classtype:exploit-kit; sid:2022666; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d5 72 08 75 83 27 6f ba|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020745; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK EITest Mar 27 M2"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z][a-z\x2f]*-[a-z\x2f]+-)[a-z\x2f-]+\/$/U"; classtype:exploit-kit; sid:2022682; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect"; flow:from_server,established; file_data; content:"misc_addons_detect.hasSilverlight"; classtype:trojan-activity; sid:2017810; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_06, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|whaovxeynxctdrvzn.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022685; rev:2; metadata:attack_target Client_and_Server, created_at 2016_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect 2"; flow:from_server,established; file_data; content:"var os_name|3b|"; content:"var os_vendor|3b|"; content:"var os_device|3b|"; content:"var os_flavor|3b|"; classtype:trojan-activity; sid:2020755; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_26, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware Locky .onion Payment Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|32kl2rwsjvqjeui7"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022659; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_03_26, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2016_03_26, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Proxy Prototype RCE Attempt (CVE-2014-8636)"; flow:from_server,established; file_data; content:"chrome|3a 2f 2f|"; nocase; content:"open"; nocase; pcre:"/^\s*?\(\s*?[\x22\x27]chrome\x3a\/\//Ri"; content:"messageManager.loadFrameScript"; nocase; content:"Proxy.create"; nocase; reference:url,community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636; reference:cve,2014-8636; classtype:attempted-user; sid:2020756; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_03_26, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js (Remote Debugger)"; flow:from_server,established; file_data; content:"/json/new/"; content:"javascript|3a|require"; distance:0; content:"child_process"; fast_pattern; distance:0; content:"spawnSync"; distance:0; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=773; classtype:trojan-activity; sid:2022693; rev:2; metadata:created_at 2016_03_31, updated_at 2016_03_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBA Office Document Dridex Binary Download User-Agent"; flow:established,to_server; content:"User-Agent|3A| KAII"; http_header; fast_pattern:only; reference:md5,cb2903c89d60947fa4badec41e065d71; classtype:trojan-activity; sid:2020758; rev:2; metadata:created_at 2015_03_26, former_category CURRENT_EVENTS, updated_at 2015_03_26;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 39889 (msg:"ET EXPLOIT Quanta LTE Router UDP Backdoor Activation Attempt"; flow:to_server; content:"HELODBG"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022699; rev:1; metadata:created_at 2016_04_05, updated_at 2016_04_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ac 19 e6 fb 11 28 a2 20|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020802; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET ![25,465,587] (msg:"ET MALWARE HOMEUNIX/9002 CnC Beacon"; flow:established,to_server; dsize:48; content:!"|00 00 00|"; offset:1; depth:3; byte_extract:3,1,xor_key; byte_test:3,=,xor_key,9; byte_test:3,=,xor_key,13; byte_extract:1,1,same_test; byte_test:1,!=,same_test,8; byte_test:1,!=,same_test,33; pcre:!"/^[\x20-\x7e\r\n]+$/"; reference:md5,256438747bae78c9101c9a0d4efe5572; classtype:command-and-control; sid:2020714; rev:8; metadata:attack_target Client_Endpoint, created_at 2015_03_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_03_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK JAR URI Struct Nov 05 2013"; flow:established,to_server; content:"/14"; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; pcre:"/\/14\d{8}(?:\.jar)?$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017666; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert tcp any any -> any 6129 (msg:"ET EXPLOIT Dameware DMRC Buffer Overflow Attempt (CVE-2016-2345)"; flow:established,to_server; content:"|44 9c 00 00|"; depth:4; content:"|90 90 90 90 90 90 90 90|"; distance:0; content:"|eb 06 ff ff 61 11 40 00 90 90 90 e9 6b fa ff ff|"; distance:0; reference:cve,2016-2345; reference:url,www.securifera.com/blog/2016/04/03/fun-with-remote-controllers-dameware-mini-remote-control-cve-2016-2345; classtype:attempted-admin; sid:2022712; rev:1; metadata:created_at 2016_04_06, updated_at 2016_04_06;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive CnC Beacon 1"; flow:established,to_server; content:"==gKg5XI+BmK"; depth:12; reference:md5,11657162940dcc1c124e607b0f248039; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020807; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_03_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"Internet Widgits Pty Ltd"; within:50; content:"|09 00 e6 7b 40 4f 24 b8 2a f9|"; reference:url,sslbl.abuse.ch; reference:md5,3d8d1a65ce53c6ac2e43523e82a6d471; classtype:domain-c2; sid:2022713; rev:2; metadata:attack_target Client_and_Server, created_at 2016_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive CnC Beacon 2"; flow:established,to_server; content:"|3C 2A 60|"; depth:3; fast_pattern; content:"|60 2A 3E|"; distance:0; pcre:"/^\x3c\x2a\x60[\x20-\x7e]+\x60\x2a\x3e$/"; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020808; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_03_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $HOME_NET any -> !$SQL_SERVERS 3306 (msg:"ET WORM Potential MySQL bot scanning for SQL server"; flow:to_server; flags:S,12; reference:url,isc.sans.org/diary.php?date=2005-01-27; reference:url,doc.emergingthreats.net/2001689; classtype:trojan-activity; sid:2001689; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive CnC Beacon 3"; flow:established,to_server; content:">Explosive"; offset:4; depth:10; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020809; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_03_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Locky JS Downloading Payload"; flow:to_server,established; urilen:<12; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; fast_pattern; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{6,10}$/U"; pcre:"/^User-Agent\x3a[^\r\n]+?(?:MSIE|rv\x3a11)/Hm"; flowbits:set,ET.Locky; flowbits:noalert; reference:md5,c6896184db5c07ebadf40115138b2f4c; reference:md5,cb8f78317622f8ae855ac25ef4cf3688; classtype:trojan-activity; sid:2026460; rev:3; metadata:created_at 2016_03_16, former_category MALWARE, updated_at 2018_10_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 2 2015"; flow:established,to_server; content:"GET"; http_method; urilen:12; content:"/8u5_cb06/?"; depth:11; http_uri; classtype:exploit-kit; sid:2020832; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_04_02, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK April 12 2016 M1"; flow:established,to_server; content:"/2016/less/ing/frame.html"; http_uri; classtype:exploit-kit; sid:2022724; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET MALWARE IRC Bot dropped by Mikey Variant CnC Beacon"; flow:established,to_server; content:"["; content:"]"; distance:0; content:"["; distance:0; content:"]"; distance:0; content:"|0d 0a|NICK|20|"; pcre:"/^[a-z0-9]+\[\d+\]/R"; content:"-"; distance:0; content:"["; distance:0; pcre:"/^\d+\]\r\n$/R"; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:command-and-control; sid:2020836; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_04_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK April 12 2016 M2"; flow:established,from_server; file_data; content:"|3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3e 76 61 72 20 6c 3d 27 68 74 74 70 3a|"; content:"|3b 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 27 2b 27 73 63 72 69 70 74 20 74 79 70 65 3d 5c 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 5c 27 20 73 72 63 3d 5c 27 27 2b 6c 2b 27 5c 27 3e 3c 27 2b 27 2f 73 63 72 69 70 74 3e 27 29 3b 3c 2f 73 63 72 69 70 74 3e|"; distance:0; classtype:exploit-kit; sid:2022725; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.Exploit; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/^[a-z0-9]*\r\n/HR"; file_data; content:"ZWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2019845; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> [64.34.106.33,64.94.18.67] 12975 (msg:"ET POLICY Outbound Hamachi VPN Connection Attempt"; flags:S,12; flow:to_server; threshold:type limit, track by_src, count 1, seconds 120; reference:url,www.hamachi.cc; reference:url,doc.emergingthreats.net/2002729; classtype:policy-violation; sid:2002729; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.Exploit; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/^[a-z0-9]*\r\n/HR"; file_data; content:"CWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2019846; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"ET SCAN Possible SSL Brute Force attack or Site Crawl"; flow: established,to_server; flags: S; threshold: type threshold, track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2001553; classtype:attempted-dos; sid:2001553; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Payload"; flow:established,from_server; flowbits:isset,et.Nuclear.Payload; content:"application/octet-stream"; http_header; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/filename=[a-z0-9]*\r\n/H"; classtype:exploit-kit; sid:2019873; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 10000: -> $HOME_NET 0:1023 (msg:"ET DOS Potential Tsunami SYN Flood Denial Of Service Attempt"; flags:S; flow:to_server; dsize:>900; threshold: type both, count 20, seconds 120, track by_src; reference:url,security.radware.com/uploadedFiles/Resources_and_Content/Threat/TsunamiSYNFloodAttack.pdf; classtype:attempted-dos; sid:2019404; rev:3; metadata:created_at 2014_10_15, updated_at 2014_10_15;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Java Web Start Command Injection (.jar)"; flow:established,from_server; content:"http|3a| -J-jar -J|5C 5C 5C 5C|"; nocase; content:".launch("; nocase; pcre:"/http\x3a -J-jar -J\x5C\x5C\x5C\x5C\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x5C\x5C[^\n]*\.jar/i"; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,doc.emergingthreats.net/2011698; classtype:web-application-attack; sid:2011698; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|02|FL"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|05|Tampa"; distance:1; within:6; content:"|55 04 0a|"; distance:0; content:"|1b|Realtek Semiconductor Corp."; distance:1; within:28; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022714; rev:3; metadata:attack_target Client_and_Server, created_at 2016_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL (Linux) Database Privilege Elevation (Exploit Specific)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"select |27|TYPE=TRIGGERS|27| into outfile|27|"; nocase; pcre:"/\s*?\/.+?\.TRG\x27\s*?LINES TERMINATED BY \x27\x5fntriggers=/Ri"; content:"CREATE DEFINER=|60|root|60|@|60|localhost|60|"; nocase; distance:0; pcre:"/\s+?trigger\s+?[^\x20]+?\s+?after\s+?insert\s+?on\s+?/Ri"; content:"UPDATE mysql.user"; nocase; fast_pattern:only; reference:cve,2012-5613; reference:url,seclists.org/fulldisclosure/2012/Dec/6; classtype:attempted-user; sid:2015992; rev:7; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|www.huevo.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022733; rev:2; metadata:attack_target Client_and_Server, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3460 (msg:"ET MALWARE PoisonIvy Key Exchange with CnC Init"; flow:established,to_server; dsize:256; flowbits:set,ET.Poison1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008380; classtype:command-and-control; sid:2008380; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 c4 2f d3 44 ed 20 a4 ab|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022734; rev:2; metadata:attack_target Client_and_Server, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET 3460 -> $HOME_NET any (msg:"ET MALWARE PoisonIvy Key Exchange with CnC Response"; flow:established,from_server; dsize:256; flowbits:isset,ET.Poison1; reference:url,doc.emergingthreats.net/2008381; classtype:command-and-control; sid:2008381; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 dd b5 a0 63 d6 36 a8 89|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022735; rev:2; metadata:attack_target Client_and_Server, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PoisonIvy RAT/Backdoor follow on POST Data PUSH Packet"; flow:established,to_server; flags:AP,12; content:"op="; nocase; content:"&servidor="; nocase; content:"&senha="; nocase; content:"&usuario="; nocase; content:"&base="; nocase; content:"&sgdb="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPoisonivy.I&ThreatID=-2147363597; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=133781; reference:url,doc.emergingthreats.net/2009806; classtype:trojan-activity; sid:2009806; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Exploit Struct Jan 23 2015"; flow:established,to_server; urilen:50<>151; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; pcre:"/^\/[A-Z](?=[A-Za-z]{0,148}\d)[A-Za-z0-9]{49,148}$/U"; content:".htm"; http_header; fast_pattern:only; content:"Referer|3a 20|"; http_header; pcre:"/^http\x3a\/\/[^\x2f]+\/[A-Z](?=[a-z0-9]+[A-Z])(?=[A-Z0-9]+[a-z])[A-Za-z0-9]{9,}\.html?\r?$/RHmi"; classtype:exploit-kit; sid:2020300; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Chorns/PoisonIvy related Backdoor Initial Connection"; flow:established; dsize:12; content:"/FIRSTINF/|0d0a|"; reference:url,doc.emergingthreats.net/2010344; reference:md5,9fbd691ffdb797cebe8761006b26b572; classtype:trojan-activity; sid:2010344; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess HTTP GET request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"?w="; fast_pattern:only; http_uri; content:"&i="; http_uri; content:"&v="; http_uri; content:"Host|3a 20|"; depth:6; http_header; content:"Connection|3a 20|close|0d 0a|Cookie|3a 20|"; http_raw_header; content:!"Accept"; http_header; pcre:"/\/\d{10}\?w=\d{3}&i=\d{6,10}&v=\d\.\d$/U"; classtype:trojan-activity; sid:2015535; rev:4; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Chorns/PoisonIvy related Backdoor Keep Alive"; flow:established; dsize:12; content:"/AVAILABL/|0d0a|"; reference:url,doc.emergingthreats.net/2010345; reference:md5,9fbd691ffdb797cebe8761006b26b572; classtype:trojan-activity; sid:2010345; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FAKEAV CryptMEN - 302 Redirect"; flow:established,from_server; content:"Cookie|3a| Hello-friend="; http_raw_header; classtype:bad-unknown; sid:2011920; rev:5; metadata:created_at 2010_11_11, updated_at 2010_11_11;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.2013Jan04 victim beacon"; flow:established,to_server; dsize:48; content:"|1e de 5c f1 1f f6 94 12 d1 fa f1 42 8c fe 8d f7|"; offset:16; depth:16; reference:md5,62f20326e0f08c0786df6886f0427ea7; classtype:trojan-activity; sid:2016167; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_05, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Major, tag PoisonIvy, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp any !80 -> $HOME_NET any (msg:"ET EXPLOIT Open MGate Device"; flow:established,from_server; content:"Model name|20|"; pcre:"/^\x20+\x3a\x20MGate/R"; content:"|0d 00 0a|MAC address|20|"; distance:0; pcre:"/^\x20+\x3a\x20(?:[0-9A-F]{2}\x3a){5}[0-9A-F]{2}\x0d\x00\x0a/R"; classtype:successful-admin; sid:2022732; rev:2; metadata:created_at 2016_04_14, former_category CURRENT_EVENTS, updated_at 2016_04_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PoisonIvy.2013Jan04 server response"; flow:established,from_server; dsize:48; content:"|48 3A E9 78 C0 B9 2E 3F 9A 49 C5 56 65 5F CE 22|"; offset:16; depth:16; reference:md5,62f20326e0f08c0786df6886f0427ea7; classtype:trojan-activity; sid:2016168; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_05, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 20 2016"; flow:established,to_server; urilen:5; content:"/get2"; http_uri; content:"bc3ad="; http_cookie; classtype:exploit-kit; sid:2022751; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_20, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PoisonIvy Variant Jan 24 2013"; flow:established,from_server; dsize:48; content:"|52 13 34 da 18 3d 2f 45 a2 09 93 52 01 23 51 e3|"; offset: 16; depth:16; reference:url,blog.avast.com/2013/01/22/reporters-without-borders-website-misused-in-wateringhole-attack/; classtype:trojan-activity; sid:2016270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_25, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 21 2016 M2"; flow:established,to_server; content:"/idx.aspx?sid="; http_uri; content:"&bcOrigin="; http_uri; content:"&rnd="; http_uri; distance:0; classtype:exploit-kit; sid:2022752; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_21, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Variant Jan 24 2013"; flow:established,to_server; dsize:48; content:"|84 a5 f0 be 11 da ce 7e c9 4a 9a af 40 24 8a f5|"; offset:16; depth:16; reference:url,blog.avast.com/2013/01/22/reporters-without-borders-website-misused-in-wateringhole-attack/; classtype:trojan-activity; sid:2016271; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_25, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED Possible GRANT TO SQL Injection Attempt"; flow:established,to_server; content:"GRANT"; nocase; http_uri; content:"TO"; nocase; http_uri; pcre:"/GRANT.{1,5}TO/Ui"; reference:url,beginner-sql-tutorial.com/sql-grant-revoke-privileges-roles.htm; classtype:web-application-attack; sid:2013068; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED [CrowdStrike] ANCHOR PANDA - PoisonIvy Keep-Alive - From Controller"; dsize:48; flow:established, from_server; content:"|54 90 1d b0 18 1b 7c ce f4 5b 24 2f ec c7 d2 21|"; depth:16; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016657; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object Instantiation Memory Corruption Vulnerability MS05-054"; flow:established,from_server; pcre:"/000(2(042[1-5]|1401|000D)|6F071)-0000-0000-C000-000000000046|6E2271(FB|0[9A-F])-F799-11CF-9227-00AA00A1EB95|ECAB(AFC0|B0AB)-7F19-11D2-978E-0000F8757E2A|3050F4F5-98B5-11CF-BB82-00AA00BDCE0B|DF0B3D60-548F-101B-8E65-08002B2BD119|2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64|51B4ABF3-748F-4E3B-A276-C828330E926A|E4979309-7A32-495E-8A92-7B014AAD4961|62EC9F22-5E30-11D2-97A1-00C04FB6DD9A|B1D4ED44-EE64-11D0-97E6-00C04FC30B4A|D675E22B-CAE9-11D2-AF7B-00C04F99179F/i"; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx; reference:url,doc.emergingthreats.net/2002725; classtype:web-application-attack; sid:2002725; rev:14; metadata:created_at 2010_07_30, updated_at 2016_04_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED [CrowdStrike] ANCHOR PANDA - PoisonIvy Keep-Alive - From Victim"; dsize:48; flow: established, to_server; content: "|af c0 bb 65 5d 07 e0 0d bf ab 75 2f 82 79 ae 26|"; depth:16; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016658; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Suspicious User-Agent Beginning with digits - Likely spyware/trojan"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| "; content:!"|0d 0a|User-Agent|3a| Mozilla/"; pcre:"/^\d+/V"; content:!"liveupdate.symantecliveupdate.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2010697; classtype:trojan-activity; sid:2010697; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy [victim beacon]"; flow:established; dsize:48; content:"|a160339a8a1b3bc0d1ab956cf98855a8|"; offset: 16; depth:16; classtype:trojan-activity; sid:2017052; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_22, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Major, tag PoisonIvy, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 27 2016"; flow:established,from_server; flowbits:isset,ET.WordJS; content:"Content-Type|3a 20|text/html|3b 20|charset=utf-8|0d 0a|"; http_header; file_data; content:"<iframe"; within:7; fast_pattern; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:exploit-kit; sid:2022771; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_27, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PoisonIvy [server response]"; flow:established; dsize:48; content:"|b8abf415033717b74132d503b6ea381d|"; offset:16; depth:16; classtype:trojan-activity; sid:2017053; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_22, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - TDS"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:attempted-user; sid:2015665; rev:3; metadata:created_at 2012_08_29, updated_at 2016_04_29;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miniduke variant FTP upload"; flow:to_server,established; content:"USER "; pcre:"/^(?:(?:menelao|ho[mr]u)s|adair|johan|kweku)\r\n/R"; reference:md5,e175be029dd2b78c059278a567b3ada1; reference:url,www.f-secure.com/static/doc/labs_global/Whitepapers/cosmicduke_whitepaper.pdf; classtype:targeted-activity; sid:2023911; rev:4; metadata:created_at 2014_07_03, former_category MALWARE, updated_at 2017_02_16;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blizzard Downloader"; flow: established,to_server; content: "User-Agent|3a| Blizzard Downloader"; nocase; reference:url,www.worldofwarcraft.com/info/faq/blizzarddownloader.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002855; classtype:policy-violation; sid:2002855; rev:8; metadata:created_at 2010_07_30, updated_at 2016_04_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Malicious Redirect Leading to EK Apr 03 2015"; flow:established,to_server; content:"/wordpress/?bf7N&utm_source="; http_uri; classtype:exploit-kit; sid:2020840; rev:2; metadata:created_at 2015_04_03, updated_at 2015_04_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED String Replace in PDF File, Likely Hostile"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:".replace|28|"; nocase; reference:url,www.w3schools.com/jsref/jsref_replace.asp; classtype:bad-unknown; sid:2011504; rev:6; metadata:created_at 2010_09_27, updated_at 2016_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a1 b6 29 6e e4 aa ec fe|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020843; rev:2; metadata:attack_target Client_and_Server, created_at 2015_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED server negative Content-Length attempt"; flow:from_server,established; content:"Content-Length|3A| -"; nocase; http_header; reference:cve,2004-0492; reference:url,www.guninski.com/modproxy1.html; classtype:attempted-admin; sid:2102580; rev:13; metadata:created_at 2010_09_23, updated_at 2016_05_04;)
 
-#alert tcp $HOME_NET 50002 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Successful Etrust Secure Transaction Platform Identification and Entitlements Server File Disclosure Attempt"; flowbits:isset,ET.etrust.fieldis; flow:established,from_server; content:"<soap|3A|faultstring>Unknown user"; reference:url,shh.thathost.com/secadv/2009-06-15-entrust-ies.txt; reference:url,securitytracker.com/alerts/2010/Sep/1024391.html; classtype:misc-attack; sid:2011503; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED FedEX Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|FedEX_"; nocase; classtype:trojan-activity; sid:2011979; rev:3; metadata:created_at 2010_11_24, updated_at 2016_05_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Freeze.com Spyware/Adware (Pulling Ads)"; flow: to_server,established; content:"/ToastMessage/"; nocase; http_uri; content:"/Toast.asp?ysaid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003362; classtype:pup-activity; sid:2003362; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 0b|"; content:"|16|SomeOrganizationalUnit"; distance:1; within:23; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|0c|root@ua7.com"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022795; rev:2; metadata:attack_target Client_and_Server, created_at 2016_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Partner Checkin"; flow: to_server,established; content:"/partners/"; nocase; http_uri; content:"partners.xip"; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000925; classtype:pup-activity; sid:2000925; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|microurl.bit"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022796; rev:2; metadata:attack_target Client_and_Server, created_at 2016_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Subscription POST"; flow: to_server,established; content:"/hotbar/"; nocase; http_uri; content:"Subscription.dll?"; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002820; classtype:pup-activity; sid:2002820; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Ursnif Injects)"; flow:from_server,established; content:"|55 04 03|"; content:"|16|allowherebarbclient.me"; distance:1; within:23; classtype:domain-c2; sid:2022799; rev:2; metadata:attack_target Client_and_Server, created_at 2016_05_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Keywords Download"; flow: to_server,established; content:"/keywords/kyfb."; nocase; http_uri; content:"partner_id="; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003388; classtype:pup-activity; sid:2003388; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Router DNS Changer Apr 07 2015 M2"; flow:established,from_server; file_data; content:"|22 5c 78 35 32 5c 78 35 34 5c 78 34 33 5c 78 35 30 5c 78 36 35 5c 78 36 35 5c 78 37 32 5c 78 34 33 5c 78 36 46 5c 78 36 45 5c 78 36 45 5c 78 36 35 5c 78 36 33 5c 78 37 34 5c 78 36 39 5c 78 36 46 5c 78 36 45 22|"; content:!"vidzi.tv|0d 0a|"; reference:url,malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html; classtype:exploit-kit; sid:2020896; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_13, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ICQ-Update.biz Reporting Install"; flow: to_server,established; content:"log.php?"; nocase; http_uri; content: "IP="; nocase; http_uri; content:"Port1="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001490; classtype:pup-activity; sid:2001490; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> any !6666:7000 (msg:"ET POLICY IRC DCC file transfer request on non-std port"; flow:to_server,established; content:"PRIVMSG "; depth:8; content:" |3a|.DCC SEND"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000349; classtype:non-standard-protocol; sid:2000349; rev:13; metadata:created_at 2010_07_30, updated_at 2016_05_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ISearchTech Toolbar Data Submission"; flow: to_server,established; content:"/ist/scripts/istsvc_ads_data.php?"; nocase; http_uri; content: "version="; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001697; classtype:pup-activity; sid:2001697; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK May 13 2016"; flow:established,from_server; file_data; content:"|3c 74 69 74 6c 65 3e 53 65 61 72 63 68 3c 2f 74 69 74 6c 65 3e|"; content:"|23 6c 6c 6c 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d|"; fast_pattern; content:"|3c 64 69 76 20 69 64 3d 22 6c 6c 6c 22 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; classtype:exploit-kit; sid:2022805; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_05_13, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet Optimizer Spyware Install"; flow: to_server,established; content:"/internet-optimizer/"; nocase; http_uri; content:"/optimize"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001396; classtype:pup-activity; sid:2001396; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)"; flow:from_server,established; content:"|60 89 e5 31|"; content:"|64 8b|"; distance:1; within:2; content:"|30 8b|"; distance:1; within:2; content:"|0c 8b 52 14 8b 72 28 0f b7 4a 26 31 ff|"; distance:1; within:13; content:"|ac 3c 61 7c 02 2c 20 c1 cf 0d 01 c7 e2|"; within:15; content:"|52 57 8b 52 10|"; distance:1; within:5; classtype:trojan-activity; sid:2025644; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_05_16, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category TROJAN, signature_severity Critical, tag Metasploit, updated_at 2018_07_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MySearchNow.com Spyware"; flow: to_server,established; content:"exe/dns.html"; nocase; http_uri; content:"User-Agent|3a| TPSystem"; nocase; http_header; reference:url,www.mysearchnow.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003221; classtype:pup-activity; sid:2003221; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Upatre SSL Cert venturesonsite.com"; flow:established,from_server; content:"|55 04 03|"; content:"|12|venturesonsite.com"; distance:1; within:19; reference:md5,ef88df67a0bcb872143543ebad0ba91d; classtype:trojan-activity; sid:2019077; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyWebSearch Toolbar Traffic (bar config download)"; flow: to_server,established; content:"/barcfg.jsp?"; nocase; http_uri; content:"MyWebSearchWB"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002836; classtype:pup-activity; sid:2002836; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|17|private@sysprivpop.lkdd"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022736; rev:4; metadata:attack_target Client_and_Server, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Enchanim C2 Injection Download"; flow:established,to_client; content:"set_url "; content:"|0d 0a|data_before|0d 0a|"; distance:0; content:"|0d 0a|data_end|0d 0a|"; distance:0; content:"|0d 0a|data_inject|0d 0a|"; distance:0; fast_pattern; content:"|0d 0a|data_end|0d 0a|"; distance:0; content:"|0d 0a|data_after|0d 0a|"; distance:0; content:"|0d 0a|data_end|0d 0a|"; distance:0; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:command-and-control; sid:2016771; rev:5; metadata:created_at 2013_04_19, former_category MALWARE, updated_at 2013_04_19;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET ATTACK_RESPONSE Possible CVE-2016-1287 Inbound Reverse CLI Shellcode"; flow:to_server; content:"|ff ff ff|tcp/CONNECT/3/"; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}\/\d+\x00$/Ri"; reference:url,raw.githubusercontent.com/exodusintel/disclosures/master/CVE_2016_1287_PoC; classtype:attempted-admin; sid:2022819; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Possible Upatre DNS Query (jamco.com.pk)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|jamco|03|com|02|pk|00|"; fast_pattern:only; reference:md5,407cce4873bc8af9077dbb21a8762f37; classtype:bad-unknown; sid:2020846; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2015_04_07, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT CVE-2016-1287 Public Exploit ShellCode"; content:"|60 c7 02 90 67 b9 09 8b 45 f8 8b 40 5c 8b 40 04 8b 40 08 8b 40 04 8b 00 85 c0 74 3b 50 8b 40 08 8b 40 04 8d 98 d8 00 00 00 58 81 3b d0 d4 00 e1 75 e4 83 7b 04 31 74 de 89 d8 2d 00 01 00 00 c7 40 04 03 01 00 00 c7 40 0c d0 00 00 00 c7 80 f8|"; reference:url,github.com/exodusintel/disclosures/blob/master/CVE_2016_1287_PoC; classtype:attempted-admin; sid:2022820; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.A Sending UUID and Processes x86"; content:"|00 00 00 02 00 00 00 00 00 00 32 32|"; depth:12; content:"|7b|"; distance:0; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\x7d/R"; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:trojan-activity; sid:2020152; rev:2; metadata:created_at 2015_01_07, updated_at 2015_01_07;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ZeuS CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|basey.ru"; distance:1; within:10; classtype:domain-c2; sid:2022833; rev:2; metadata:attack_target Client_and_Server, created_at 2016_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.A Sending UUID and Processes x64"; content:"|00 00 00 02 00 00 00 00 00 00 64 32|"; depth:12; content:"|7b|"; distance:0; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\x7d/R"; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:trojan-activity; sid:2020153; rev:3; metadata:created_at 2015_01_07, updated_at 2015_01_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.Win32.Agent.bay Variant Covert Channel (VERSONEX)"; flow:established,to_server; content:"VERSONEX|3a|"; depth:9; fast_pattern; byte_test:1,>=,0x30,0,relative; byte_test:1,<=,0x39,0,relative; content:"|7c|"; distance:1; within:1; reference:md5,f80af2735fdad5fe14defc4f1df1cc30; classtype:trojan-activity; sid:2020978; rev:2; metadata:created_at 2015_04_23, updated_at 2015_04_23;)
 
-alert tcp any any -> $HOME_NET 1720 (msg:"ET SCAN H.323 Scanning device"; flow:established,to_server; content:"|40 04 00 63 00 69 00 73 00 63 00 6f|"; fast_pattern; offset:55; depth:12; threshold: type limit, track by_src, count 1, seconds 60; reference:url,videonationsltd.co.uk/2014/11/h-323-cisco-spam-calls/; classtype:network-scan; sid:2020853; rev:2; metadata:created_at 2015_04_08, updated_at 2015_04_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible CryptXXX Ransomware Renaming Encrypted File SMB v1 Unicode"; flow:to_server,established; content:"|ff|SMB|07|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|00|.|00|c|00|r|00|y|00|p|00|t|00 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022838; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_05_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Router DNS Changer Apr 07 2015"; flow:established,from_server; file_data; content:"|69 66 28 75 72 6c 2e 69 6e 64 65 78 4f 66 28 27 3c 65 6f 70 6c 3e 27 29 3e 30 29 7b|"; reference:url,malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html; classtype:exploit-kit; sid:2020854; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_08, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible CryptXXX Ransomware Renaming Encrypted File SMB v1 ASCII"; flow:to_server,established; content:"|ff|SMB|07|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:".crypt|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022839; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_05_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|04|gu2m"; distance:1; within:5; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020864; rev:2; metadata:attack_target Client_and_Server, created_at 2015_04_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Hawkeye Keylogger SMTP Beacon"; flow:established,to_server; content:"Subject|3a 20|"; content:"SGF3a0V5ZSBLZXlsb2dnZXIg"; within:45; reference:md5,dfc2c23663122ac9fc25b708f278c147; classtype:trojan-activity; sid:2021871; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Install (1)"; flow: to_server,established; content:"/install/startInstallprocess.asp?"; nocase; http_uri; content: "Defau"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000920; classtype:pup-activity; sid:2000920; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Kovter Client CnC Traffic"; flow:established,to_server; dsize:4<>256; content:!"HTTP"; content:"|00 00 00|"; offset:1; depth:3; pcre:"/^[\x11\x21-\x26\x41\x45\x70-\x79]/R"; content:!"|00 00|"; distance:0; byte_jump:1,0,from_beginning,post_offset 3; isdataat:!2,relative; pcre:!"/\x00$/"; reference:url,symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update; classtype:command-and-control; sid:2022861; rev:1; metadata:created_at 2016_06_06, former_category MALWARE, updated_at 2016_06_06;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex downloader SSL Certificate srv1.mainsftdomain.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|srv1.mainsftdomain.com"; distance:1; within:23; content:"|55 04 03|"; distance:0; content:"|16|srv1.mainsftdomain.com"; distance:1; within:23; classtype:trojan-activity; sid:2020866; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 20222 (msg:"ET SCADA CitectSCADA ODBC Overflow Attempt"; flow:established,to_server; dsize:4; byte_test:4,>,399,0; reference:cve,2008-2639; reference:url,www.digitalbond.com/index.php/2008/09/08/ids-signature-for-citect-vuln/; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; classtype:attempted-user; sid:2008542; rev:8; metadata:created_at 2010_07_30, updated_at 2016_06_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,465,587] (msg:"ET MALWARE Kriptovor SMTP Traffic"; flow:established,to_server; content:"|0d 0a|PC|3a 20|"; content:"|0d 0a|Text|3a 20|"; distance:0; content:"|0d 0a|IP|3a 20|"; distance:0; content:"|0d 0a|TS|3a 20|"; distance:0; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,c3ab87f85ca07a7d026d3cbd54029bbe; classtype:trojan-activity; sid:2020884; rev:1; metadata:created_at 2015_04_09, updated_at 2015_04_09;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|tda-au.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022877; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Vobus/Beebone Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 2E F4 15 04|"; distance:4; within:6; reference:url,trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/operation-source-botnet-takedown-trend-micro-solutions; classtype:trojan-activity; sid:2020889; rev:1; metadata:created_at 2015_04_11, updated_at 2015_04_11;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|forevery0ung.bit"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022878; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY EXE Embeded in Page Likely Evil M1"; flow:established,from_server; file_data; content:"vbscript"; nocase; content:"|22|4D5A90"; fast_pattern; nocase; content:!"|22|"; within:500; pcre:"/^[a-f0-9]{500}/Rsi"; classtype:trojan-activity; sid:2020893; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 9e 99 a3 02 bc 7d 3f 4e|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|10|www.undernet.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022879; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY EXE Embeded in Page Likely Evil M2"; flow:established,from_server; file_data; content:"vbscript"; nocase; content:"|27|4D5A90"; fast_pattern; nocase; content:!"|27|"; within:500; pcre:"/^[a-f0-9]{500}/Rsi"; classtype:trojan-activity; sid:2020894; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e5 51 a8 51 66 e3 5c 7d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022880; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 19 2015"; flow:established,to_server; content:"GET"; http_method; content:"4c2H"; nocase; http_uri; pcre:"/\/\??4c2H(?:$|[&?]utm_source=)/U"; classtype:exploit-kit; sid:2020715; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_03_20, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1714 (msg:"ET MALWARE Qarallax RAT Keepalive C2 (set)"; flow:to_server,established; content:"|00 00 09 00 00 00 00 00 00 00|"; depth:10; threshold:type both, track by_src, count 5, seconds 30; flowbits:set,ET.qarallax; flowbits:noalert; reference:md5,cf178c55c0572d8fea89137c62afdc98; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; classtype:command-and-control; sid:2022882; rev:1; metadata:created_at 2016_06_08, former_category MALWARE, updated_at 2016_06_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Check-in"; flow:established,to_server; dsize:>68; content:"|41 00 00 00 03|"; depth:5; flowbits:set,ET.NetwireRAT.Client; flowbits:noalert; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:2018426; rev:2; metadata:created_at 2014_04_28, updated_at 2014_04_28;)
+alert tcp $EXTERNAL_NET 1714 -> $HOME_NET any (msg:"ET MALWARE Qarallax RAT Keepalive C2"; flow:from_server,established; flowbits:isset,ET.qarallax; content:"|00 00 0c 00 00 00 00 00 00 00|"; depth:10; threshold:type both, track by_src, count 5, seconds 30; reference:md5,cf178c55c0572d8fea89137c62afdc98; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; classtype:command-and-control; sid:2022883; rev:1; metadata:created_at 2016_06_08, former_category MALWARE, updated_at 2016_06_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Post-Compromise Data Dump M1"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"QWRtaW5SaWdodHMy"; http_client_body; pcre:"/(?:Byb2NMaXN0|Qcm9jTGlzd|UHJvY0xpc3)/P"; classtype:exploit-kit; sid:2020903; rev:2; metadata:created_at 2015_04_14, updated_at 2015_04_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M0"; flow:established,to_server; urilen:40<>65; content:"0"; http_uri; offset:40; depth:15; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])0(?:(?P=sep)|\d)*?$/Ui"; classtype:exploit-kit; sid:2020995; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Post-Compromise Data Dump M2"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"FkbWluUmlnaHRzM"; http_client_body; pcre:"/(?:Byb2NMaXN0|Qcm9jTGlzd|UHJvY0xpc3)/P"; classtype:exploit-kit; sid:2020904; rev:2; metadata:created_at 2015_04_14, updated_at 2015_04_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M1"; flow:established,to_server; urilen:40<>65; content:"1"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])1(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2020996; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Post-Compromise Data Dump M3"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"BZG1pblJpZ2h0cz"; http_client_body; pcre:"/(?:Byb2NMaXN0|Qcm9jTGlzd|UHJvY0xpc3)/P"; classtype:exploit-kit; sid:2020905; rev:2; metadata:created_at 2015_04_14, updated_at 2015_04_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M2"; flow:established,to_server; urilen:40<>65; content:"2"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])2(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2020997; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CoinVault CnC Beacon Response"; flow:established,from_server; file_data; content:"eyJrbm9ja3RpbWUiOj"; within:18; reference:md5,c7e34daa9e9160ce433a6cae74867711; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:command-and-control; sid:2020909; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_04_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M5"; flow:established,to_server; urilen:40<>65; content:"5"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])5(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2021000; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP =XXXXXXXX Likely Precursor to Scan"; itype:8; icode:0; content:"=XXXXXXXX"; reference:url,doc.emergingthreats.net/2010686; classtype:network-scan; sid:2010686; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M6"; flow:established,to_server; urilen:40<>65; content:"6"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])6(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2021001; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style)"; flow:established,from_server; file_data; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002034; classtype:successful-recon-limited; sid:2002034; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M7"; flow:established,to_server; urilen:40<>65; content:"7"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])7(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2021002; rev:4; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via SMTP (linux style)"; flow:established,to_server; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003149; classtype:successful-recon-limited; sid:2003149; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M8"; flow:established,to_server; urilen:40<>65; content:"8"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])8(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2021003; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via SMTP (BSD style)"; flow:established,to_server; content:"root|3a|*|3a|0|3a|0|3a|"; nocase; content:"|3a|/root|3a|/bin"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003150; classtype:successful-recon-limited; sid:2003150; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M9"; flow:established,to_server; urilen:40<>65; content:"9"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])9(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2021004; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
 
-alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET TELNET External Telnet Attempt To Cisco Device With No Telnet Password Set (Automatically Dissalowed Until Password Set)"; flow:from_server; content:"Password required, but none set"; depth:31; reference:url,doc.emergingthreats.net/bin/view/Main/2008860; classtype:attempted-admin; sid:2008860; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Redkit Java Exploit request to .class file"; flow:established,to_server; content:".class"; http_uri; pcre:"/\/\w{1,2}\/\w{1,2}\.class$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014830; rev:3; metadata:created_at 2012_05_30, updated_at 2016_06_10;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Nessus Vulnerability Scanner Plugins Update"; flow:to_client,established; content:"plugins.nessus.org"; content:"https|3a|//www.thawte.com/repository/index.html"; offset:432; depth:88; reference:url,www.nessus.org/nessus/; reference:url,www.nessus.org/plugins/; reference:url,doc.emergingthreats.net/2009706; classtype:policy-violation; sid:2009706; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome Pdfium JPEG2000 Heap Overflow"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"stream"; content:"|00 00 00 0c 6a 50 20 20 0d 0a 87 0a|"; distance:0; content:"|00 00 00 00 6a 70 32 63 ff 4f|"; distance:0; content:"|ff 51|"; within:200; content:"|00 00 ff|"; distance:36; within:3; byte_test:1,>,0x51,0,relative; byte_test:1,<,0x94,0,relative; pcre:"/^[\x52\x5c\x64\x65\x90\x93]/R"; classtype:bad-unknown; sid:2022890; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_06_13, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert ssh $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; threshold: type both, count 5, seconds 30, track by_src; reference:url,doc.emergingthreats.net/2006546; classtype:attempted-admin; sid:2006546; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Botnet Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; content:!"Referer|3a|"; http_header; content:"data="; nocase; http_client_body; depth:5; content:"ew0KCSJhZGRyZXNzIiA6"; fast_pattern; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; classtype:command-and-control; sid:2022891; rev:2; metadata:created_at 2016_06_13, former_category MALWARE, updated_at 2016_06_13;)
 
-alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt response"; flow:from_server,established; dsize:<100; content:"530 "; depth:4; pcre:"/530\s+(Login|User|Failed|Not)/smi"; threshold: type threshold, track by_dst, count 5, seconds 300; reference:url,doc.emergingthreats.net/2002383; classtype:unsuccessful-user; sid:2002383; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Veritas backupexec_agent exploit"; flow:to_server,established; content:"|00 00 00 00 00 00 09 01|"; offset:12; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; byte_jump: 4, 32; byte_test: 4,>,3000,0,relative; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,doc.emergingthreats.net/bin/view/Main/2002065; reference:cve,2004-1172; classtype:misc-attack; sid:2002065; rev:8; metadata:created_at 2010_07_30, updated_at 2016_06_14;)
 
-#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET TELNET External Telnet Login Prompt from Cisco Device"; flow:from_server,established; pcre:"/^(\r\n)*/"; content:"User Access Verification"; within:24; reference:url,doc.emergingthreats.net/bin/view/Main/2008861; classtype:attempted-admin; sid:2008861; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL DELETED WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; reference:bugtraq,11763; reference:cve,2004-1080; reference:url,www.immunitysec.com/downloads/instantanea.pdf; reference:url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx; classtype:misc-attack; sid:2103017; rev:8; metadata:created_at 2010_09_23, updated_at 2016_06_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Exe32Pack Packed Executable Download"; flow:established,to_client; file_data; content:"Packed by exe32pack"; content:"SteelBytes All rights reserved"; distance:0; reference:md5,93be88ad3816c19d74155f8cd3aae1d2; classtype:policy-violation; sid:2020914; rev:2; metadata:created_at 2015_04_15, updated_at 2015_04_15;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE JKDDOS Bot CnC Phone Home Message"; dsize:<510; flow:established,to_server; content:"|10 00 00 00|Windows|20|"; depth:12; reference:md5,d6b3baae9fb476f0cf3196e556cab348; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry/; classtype:command-and-control; sid:2012892; rev:3; metadata:created_at 2011_05_31, former_category MALWARE, updated_at 2011_05_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unit42 PoisonIvy Keepalive to CnC"; flow:established,to_server; dsize:48; content:"|b8 98 30 04 e8 10 e5 8c e4 06 39 1b e0 51 96 40|"; offset:16; depth:16; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET [443,465,993,995,25] -> $HOME_NET any (msg:"ET CURRENT_EVENTS excessive fatal alerts (possible POODLE attack against client)"; flow:from_server,established; ssl_version:sslv3; content:"|15 03 00 00|"; depth:4; byte_jump:2,3,post_offset -1; isdataat:!2,relative; threshold:type both, track by_dst, count 50, seconds 300; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019417; rev:4; metadata:created_at 2014_10_15, updated_at 2016_06_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dalexis downloader encrypted binary (1)"; flow:established,to_client; file_data; content:"|fc 6e 8e d1 0a 7a be 86|"; within:2048; classtype:trojan-activity; sid:2020929; rev:2; metadata:created_at 2015_04_16, updated_at 2015_04_16;)
+alert udp any 67 -> any 68 (msg:"ET INFO Web Proxy Auto Discovery Protocol WPAD DHCP 252 option Possible BadTunnel"; content:"|02|"; depth:1; content:"|fc|"; byte_jump:1,0,relative,post_offset -9; content:"/wpad.dat"; within:9; fast_pattern; classtype:protocol-command-decode; sid:2022915; rev:1; metadata:created_at 2016_06_24, updated_at 2016_06_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dalexis downloader encrypted binary (2)"; flow:established,to_client; file_data; content:"|35 8c 0c 43 e2 1c f7 e4|"; distance:40; within:8; classtype:trojan-activity; sid:2020930; rev:2; metadata:created_at 2015_04_16, updated_at 2015_04_16;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 d9 0c 85 30 1c bb ac a0|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022920; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dalexis downloader encrypted binary (3)"; flow:established,to_client; file_data; content:"|fc 6e 8e d1 0a 7a be 86|"; distance:32; within:8; classtype:trojan-activity; sid:2020931; rev:2; metadata:created_at 2015_04_16, updated_at 2015_04_16;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|lobemaintaty.space"; fast_pattern; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022921; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|10 58 85 8a 21 5a 27 a4 1f be 8f a1 3a f0 13 c5 94|"; within:40; content:"|55 04 03|"; distance:0; content:"|13|www.tennomewerto.ru"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020932; rev:2; metadata:attack_target Client_and_Server, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2209 Symantec PowerPoint Parsing Buffer Overflow M1"; flow:established,from_server; file_data; content:"|C8 6A CD E5 F1 2C B0 16 E6 F2 36 7B 41 2E 7F 4B C4 27 13 CF F3 1F FF 2B A8 2B 3A FE 09 77 BE CE 29 00 00 BA 0F 91 03 00 00|"; content:!"|00 00|"; distance:503; within:2; content:"|00 00 BA 0F 16 01 00 00|"; distance:913; within:8; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022923; rev:2; metadata:created_at 2016_06_29, updated_at 2016_06_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be ef 3b e8 9f 06 3c 8d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; content:"|55 04 03|"; distance:0; content:"|0b|example.com"; distance:1; within:12; classtype:trojan-activity; sid:2020943; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2209 Symantec PowerPoint Parsing Buffer Overflow M2"; flow:established,from_server; file_data; content:"|C8 6A CD E5 F1 2C B0 16 E6 F2 36 7B 41 2E 7F 4B C4 27 13 CF F3 1F FF 2B A8 2B 3A FE 09 77 BE CE 29 00 00 BA 0F A9 03 00 00|"; content:!"|00 00|"; distance:50; within:2; content:"|00 00 BA 0F 2E 01 00 00|"; distance:937; within:8; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022924; rev:2; metadata:created_at 2016_06_29, updated_at 2016_06_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows nbtstat -s Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Connection Table"; fast_pattern; content:"Local Name"; distance:0; content:"State"; distance:0; content:"In/Out"; distance:0; content:"Remote Host"; distance:0; content:"Input"; distance:0; content:"Output"; distance:0; classtype:trojan-activity; sid:2020957; rev:2; metadata:created_at 2015_04_21, updated_at 2015_04_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow"; flow:established,from_server; file_data; content:"|4d 53 43 46|"; depth:4; byte_jump:4,8,little; isdataat:1; reference:cve,2016-2211; reference:cve,CVE-2014-9732; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022930; rev:2; metadata:created_at 2016_06_30, updated_at 2016_06_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Windows nbtstat -r Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Names Resolution and Registration Statistics"; fast_pattern; content:"Name"; distance:0; content:"Type"; distance:0; content:"Status"; distance:0; classtype:trojan-activity; sid:2020956; rev:2; metadata:created_at 2015_04_21, former_category MALWARE, updated_at 2015_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M2"; flow:established,to_client; file_data; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022932; rev:2; metadata:created_at 2016_06_30, updated_at 2016_06_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows nbtstat -a Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Remote Machine Name Table"; fast_pattern; content:"Name"; distance:0; content:"Type"; content:"Status"; distance:0; classtype:trojan-activity; sid:2020954; rev:2; metadata:created_at 2015_04_21, updated_at 2015_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M1"; flow:established,to_client; file_data; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022933; rev:2; metadata:created_at 2016_06_30, updated_at 2016_06_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows nbtstat -n Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Local Name Table"; fast_pattern; content:"Name"; distance:0; content:"Type"; content:"Status"; distance:0; classtype:trojan-activity; sid:2020955; rev:2; metadata:created_at 2015_04_21, updated_at 2015_04_21;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 cf 74 72 c9 4e 72 20 e4|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|AU"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022943; rev:2; metadata:attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT HTTP CnC Beacon Response"; flow:established,from_server; file_data; content:"<--"; within:3; pcre:"/^[A-F0-9]{8,12}/R"; content:"-->|0a|<"; fast_pattern; within:5; flowbits:isset,ET.CozyDuke.HTTP; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:targeted-activity; sid:2020965; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_04_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,from_server; content:"|09 00 f8 f1 74 46 04 c2 a4 42|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022944; rev:2; metadata:attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Possible Infection Report Mail - Indy Mail lib and Nome do Computador in Body"; flow:established,to_server; content:"|0d 0a|X-Library|3a| Indy "; content:"Nome do Computador.."; nocase; distance:0; reference:url,doc.emergingthreats.net/2007950; classtype:trojan-activity; sid:2007950; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Rockloader)"; flow:established,from_server; content:"|55 04 03|"; content:"|55 04 03|"; content:"|08|server29"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022945; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Petite Packed Binary Download"; flow:to_client,established; flowbits:isnotset,ET.http.binary; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|43 6F 6D 70 72 65 73 73 65 64 20 62 79 20 50 65 74 69 74 65 20 28 63 29 31 39 39 39 20 49 61 6E 20 4C 75 63 6B 2E 00 00|"; distance:-44; flowbits:set,ET.http.binary; reference:md5,fa2c0e8b486c879f4baee1d5bebdf0a2; classtype:trojan-activity; sid:2020973; rev:5; metadata:created_at 2015_04_22, updated_at 2015_04_22;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Zeus C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1e|7yh0mdze6ztr7erew835im3w8.info"; fast_pattern; distance:1; within:31; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022946; rev:2; metadata:attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK PDF Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".pdf"; http_header; fast_pattern:only; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{7,8}\d{2,3}\.pdf\r\n/Hm"; file_data; content:"PDF-"; within:500; classtype:exploit-kit; sid:2020984; rev:2; metadata:created_at 2015_04_23, former_category CURRENT_EVENTS, updated_at 2017_04_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Payload Jul 05 2016"; flow:established,from_server; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:exploit-kit; sid:2022949; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2016_07_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex Downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be ef 3b e8 9f 06 3c 8d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; content:"|55 04 03|"; distance:0; content:"|0b|example.com"; distance:1; within:12; classtype:trojan-activity; sid:2020986; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_04_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (H1N1 C2 or Zeus Panda C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|huhu.com"; fast_pattern; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022922; rev:3; metadata:attack_target Client_and_Server, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Download file with Powershell via LNK file (observed in Sundown EK)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"c|00|m|00|d|00|.|00|e|00|x|00|e"; nocase; content:"P|00|o|00|w|00|e|00|r|00|S|00|h|00|e|00|l|00|l"; nocase; content:"D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00|F|00|i|00|l|00|e"; nocase; classtype:exploit-kit; sid:2020987; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jul 7"; flow:to_server,established; content:"GET"; http_method; content:".dill/?ip="; fast_pattern; nocase; http_uri; content:"&os="; http_uri; nocase; distance:0; content:"&browser="; http_uri; nocase; distance:0; content:"&isp="; http_uri; nocase; distance:0; classtype:social-engineering; sid:2022954; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_07, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Secondary Landing T1 M2 Apr 24 2015"; flow:established,from_server; file_data; content:"System.Net.WebClient"; nocase; content:"Powershell"; nocase; content:"DownloadFile"; nocase; content:"|3b|d=unescape(m)|3b|document.write(d)|3b|"; classtype:exploit-kit; sid:2020990; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate Detected (Bancos C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|US"; distance:1; within:4; content:"|55 04 08|"; content:"|02|FL"; distance:1; within:4; content:"|55 04 07|"; content:"|05|Miami"; distance:1; within:7; fast_pattern; content:"|55 04 0a|"; content:"|08|Business"; distance:1; within:10; reference:md5,e89ff40a8832cd27d2aae48ff7cd67d2; reference:url,malware-traffic-analysis.net/2016/06/09/index2.html; classtype:domain-c2; sid:2022888; rev:3; metadata:attack_target Client_and_Server, created_at 2016_06_10, deployment Perimeter, former_category MALWARE, malware_family Bancos, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2018_04_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS IonCube Encoded Page (no alert)"; flow:established,from_server; file_data; content:"javascript>c=|22|"; content:"|3b|eval(unescape("; flowbits:noalert; flowbits:set,ET.IonCube; classtype:trojan-activity; sid:2020993; rev:2; metadata:created_at 2015_04_24, former_category CURRENT_EVENTS, updated_at 2015_04_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zango-Hotbar User-Agent (zb-hb)"; flow:to_server,established; content:"zb-hb-"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+zb-hb-/Hi"; reference:url,doc.emergingthreats.net/2003223; classtype:trojan-activity; sid:2003223; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK Flash Exploit Struct T2 Apr 24 2015"; flow:established,to_server; flowbits:isset,ET.IonCube; content:"/"; http_uri; content:".swf"; http_uri; distance:4; within:4; pcre:"/\/(?=[A-Za-z]{0,3}\d)(?=\d{0,3}[A-Za-z])[A-Za-z0-9]{4,5}\.swf$/U"; content:".php"; http_header; classtype:exploit-kit; sid:2020994; rev:3; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Halberd Load Balanced Webserver Detection Scan"; flow:to_server,established; content:"Pragma|3a| no-cache"; http_header; content:"Firefox/1.0.3"; http_header; fast_pattern; offset:40; depth:40; threshold: type threshold, track by_src, count 40, seconds 15; reference:url,www.halberd.superadditive.com; reference:url,doc.emergingthreats.net/2008536; classtype:attempted-recon; sid:2008536; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains InternetOpen WinInet API Call - Potentially Dridex MalDoc 1"; flow:established,to_server; content:"SW50ZXJuZXRPcGVu"; fast_pattern; classtype:trojan-activity; sid:2021006; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED SQLCheck Database Scan Detected"; flow:to_server,established; content:"%20FROM%20customers"; fast_pattern:only; content:"User-Agent|3a| Lynx/2.8.6rel.4 libwww-FM/2.14"; http_header; threshold: type threshold, track by_dst, count 10, seconds 20; reference:url,wiki.remote-exploit.org/backtrack/wiki/SQLcheck; reference:url,doc.emergingthreats.net/2009478; classtype:attempted-recon; sid:2009478; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains InternetOpen WinInet API Call - Potentially Dridex MalDoc 2"; flow:established,to_server; content:"ludGVybmV0T3Blb"; fast_pattern; classtype:trojan-activity; sid:2021007; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"GPL DELETED IRC nick change"; flow:to_server,established; content:"NICK "; depth:5; fast_pattern; classtype:policy-violation; sid:2100542; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains InternetOpen WinInet API Call - Potentially Dridex MalDoc 3"; flow:established,to_server; content:"JbnRlcm5ldE9wZW"; fast_pattern; classtype:trojan-activity; sid:2021008; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 10 M2"; flow:established,from_server; file_data; content:"|76 61 72 20 66 72 61 67 6d 65 6e 74 20 3d 20 63 72 65 61 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70 3a|"; classtype:exploit-kit; sid:2022956; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_07_11;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains wininet.dll Call - Potentially Dridex MalDoc 1"; flow:established,to_server; content:"d2luaW5ldC5kbG"; fast_pattern; classtype:trojan-activity; sid:2021009; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading To EK Jul 10 M1"; flow:established,to_server; content:".js?chebstr=0."; http_uri; pcre:"/\.js\?chebstr=0\.\d+$/U"; classtype:exploit-kit; sid:2022957; rev:2; metadata:created_at 2016_07_11, updated_at 2016_07_11;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains wininet.dll Call - Potentially Dridex MalDoc 2"; flow:established,to_server; content:"dpbmluZXQuZGxs"; fast_pattern; classtype:trojan-activity; sid:2021010; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (H1N1 CnC)"; flow:established,from_server; content:"|09 00 cc e5 16 49 2c 1e 96 57|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022959; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains wininet.dll Call - Potentially Dridex MalDoc 3"; flow:established,to_server; content:"3aW5pbmV0LmRsb"; fast_pattern; classtype:trojan-activity; sid:2021011; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email Account Exceeded Quota Phishing Landing 2016-07-11"; flow:from_server,established; file_data; content:"<title>WebMail"; nocase; fast_pattern; content:"E-Mail account has exceeded"; nocase; distance:0; content:"upgrade your mailbox"; nocase; distance:0; content:"avoid disrupt and lost"; nocase; distance:0; content:"Password"; nocase; distance:0; classtype:social-engineering; sid:2031954; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CORESHELL Malware Response from server"; flow:from_server,established; file_data; content:"O|00|K|00 00 00|"; within:6; pcre:"/^(?:(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?$/R"; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019584; rev:3; metadata:created_at 2014_10_29, updated_at 2014_10_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Potential Sofacy Phishing Redirect"; flow:established,to_client; file_data; content:"// stop for sometime if needed"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/phresh-phishing-against-government-defence-and-energy.html; classtype:targeted-activity; sid:2019541; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_28, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TorrentLocker SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea a3 3c b6 6e 62 16 33|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,8b2b618a463b906a1005ff1ed7d5f875; classtype:trojan-activity; sid:2021014; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_27, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|www.__RANDOM_STR_.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022961; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ruckguv.A SSL Cert"; flow:established,from_server; content:"|10 05 86 8b f3 dc 2c ad 1f 00 dd ad fa 27 3c ea d0|"; content:"|55 04 03|"; distance:0; content:"|12|thewinesteward.com"; distance:1; within:19; reference:md5,331bec58cb113999f83c866de4976b62; classtype:trojan-activity; sid:2021015; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_27, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan-Downloader.Win32.Small.hkp Checkin via HTTP"; flow:established,to_server; dsize:96; content:"GET /"; depth:5; pcre:"/^[^\r\n]*\/[0-9a-f]{78}\sHTTP/Ri"; reference:url,doc.emergingthreats.net/2007755; classtype:trojan-activity; sid:2007755; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Landing Apr 20 2015"; flow:established,from_server; file_data; content:"|27 3b|d=unescape(m)|3b|document.write(d|29 3b|</script>"; content:".swf"; nocase; content:".swf"; nocase; content:"vbscript"; nocase; content:"System.Net.WebClient"; nocase; content:".exe"; nocase; classtype:exploit-kit; sid:2020950; rev:3; metadata:created_at 2015_04_21, updated_at 2015_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 13 2016 2"; flow:established,to_server; content:"POST"; http_method; content:".swf"; nocase; http_header; content:"|4d 61 6e 75 66 75 63 6b|"; nocase; http_client_body; content:"|4d 61 63 72 6f 77 69 6e|"; nocase; http_client_body; classtype:exploit-kit; sid:2022964; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_13, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_07_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 22 2015"; flow:established,from_server; content:"nginx"; http_header; file_data; content:"|0d 0a|<textarea "; fast_pattern; content:!">"; within:21; content:!"</textarea>"; within:500; content:!"|0d|"; within:500; pcre:"/^\s*[^>]*?[a-zA-Z]+\s*?=\s*?[\x22\x27](?=[a-z]{0,20}[A-Z])(?=[A-Z]{0,20}[a-z])[A-Za-z]{15,21}[\x22\x27][^>]*?>(?=[A-Za-z_]{0,200}[0-9])(?=[0-9a-z_]{0,200}[A-Z])(?=[0-9A-Z_]{0,200}[a-z])[A-Za-z0-9_]{200}/R"; classtype:exploit-kit; sid:2020975; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_23, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible malicious zipped-executable"; flow:established,from_server; file_data; content:"PK|01 02|"; within:4; content:".xla"; nocase; content:"PK|05 06|"; within:52; content:"|01 00 01 00|"; distance:4; within:4; classtype:trojan-activity; sid:2018086; rev:5; metadata:created_at 2014_02_07, former_category CURRENT_EVENTS, updated_at 2016_07_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET DELETED Job314/Neutrino Reboot EK Payload Nov 20 2014"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"Windows NT"; fast_pattern:only; http_header; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method; pcre:"/^\/(?:[a-z]+\.[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)$/U"; classtype:exploit-kit; sid:2020388; rev:8; metadata:created_at 2015_02_10, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware Bart .onion Payment Domain (khh5cmzh5q7yp7th)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|khh5cmzh5q7yp7th"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022958; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, malware_family Ransomware, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2016_07_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf 88 cb e4 d5 79 99 98|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021016; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"GPL MISC Source Port 20 to <1024"; flow:to_server; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:2100503; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp any 53 -> $HOME_NET any (msg:"ET DELETED Team Cymru Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 26 E5 46 04|"; distance:4; within:6; classtype:trojan-activity; sid:2021020; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)
+#alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"GPL MISC source port 53 to <1024"; flow:to_server; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:2100504; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Kaspersky Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 5F D3 AC 8F|"; distance:4; within:6; classtype:trojan-activity; sid:2021021; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"GPL POLICY SOCKS Proxy attempt"; flags:S,12; flow:to_server; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:2100615; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Wapack Labs Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 17 FD 2E 40|"; distance:4; within:6; classtype:trojan-activity; sid:2021022; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET SCAN Behavioral Unusually fast inbound Telnet Connections, Potential Scan or Brute Force"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,www.rapid7.com/nexpose-faq-answer2.htm; reference:url,doc.emergingthreats.net/2001904; classtype:misc-activity; sid:2001904; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|terriblekira.su"; distance:1; within:16; reference:md5,f752cfdc6aa1d3eac013201357ada0f6; classtype:domain-c2; sid:2021031; rev:1; metadata:attack_target Client_and_Server, created_at 2015_04_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3127 (msg:"ET SCAN Behavioral Unusual Port 3127 traffic, Potential Scan or Backdoor"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 10 , seconds 60; reference:url,doc.emergingthreats.net/2002973; classtype:misc-activity; sid:2002973; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|lidline.com"; distance:1; within:112; reference:md5,f752cfdc6aa1d3eac013201357ada0f6; classtype:domain-c2; sid:2021032; rev:1; metadata:attack_target Client_and_Server, created_at 2015_04_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"ET SCAN Behavioral Unusually fast outbound Telnet Connections, Potential Scan or Brute Force"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,www.rapid7.com/nexpose-faq-answer2.htm; reference:url,doc.emergingthreats.net/2008230; classtype:misc-activity; sid:2008230; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing URI Struct April 29 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:"/5/"; http_uri; fast_pattern; content:"http|3a|/"; distance:0; http_uri; pcre:"/\/5\/[a-f0-9]{32}\/\x20*http\x3a\x2f/U"; classtype:exploit-kit; sid:2021034; rev:2; metadata:created_at 2015_04_30, updated_at 2015_04_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Landing URI Struct June 13 M1"; flow:established,to_server; urilen:27<>114; content:"/index.php?"; depth:11; http_uri; pcre:"/^\/index\.php\?[a-z]{8,80}=(?:\d{10,13}|\d{15,20})$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?P=refhost))/Hsi"; classtype:exploit-kit; sid:2021263; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_13, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing April 29 2015"; flow:established,from_server; file_data; content:"lortnoCgA.lortnoCgA"; content:"reverse"; classtype:exploit-kit; sid:2021039; rev:2; metadata:created_at 2015_04_30, updated_at 2015_04_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Landing URI Struct June 13 M2"; flow:established,to_server; urilen:27<>114; content:"/index.php?"; depth:11; http_uri; pcre:"/^\/index\.php\?[a-z]{8,80}=(?:\d{10,13}|\d{15,20})$/U"; pcre:"/Host\x3a\x20(?P<refhost>[^\x3a\r\n]+).*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?!(?P=refhost))/Hsi"; classtype:exploit-kit; sid:2021264; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_13, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Response)"; content:"|01 01 00 44|"; depth:4; content:"|00 01 00 08|"; distance:16; within:4; threshold:type limit, track by_src, count 1, seconds 60; reference:url,tools.ietf.org/html/rfc5389; classtype:protocol-command-decode; sid:2018908; rev:2; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Landing URI Struct June 13 M3"; flow:established,to_server; urilen:27<>114; content:"/index.php?"; depth:11; http_uri; pcre:"/^\/index\.php\?[a-z]{8,80}=(?:\d{10,13}|\d{15,20})$/U"; content:!"Referer|3a|"; http_header; classtype:exploit-kit; sid:2021265; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_13, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Page May 01 2015"; flow:from_server,established; file_data; content:"CM|3a 20|u.indexOf(|27|NT 5.1|27|) > -1"; content:"PS|3a 20|u.indexOf(|27|NT 6.|27|) > -1"; classtype:exploit-kit; sid:2021046; rev:2; metadata:created_at 2015_05_02, updated_at 2015_05_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Nuclear EK Landing URI Struct T1"; flow:to_server,established; urilen:>14; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; content:".html"; http_uri; fast_pattern; offset:11; pcre:"/^\/[A-Z](?=[a-z0-9]*?[A-Z][a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z][A-Z0-9]*?[a-z])[A-Za-z0-9]{9,}\.html$/U"; pcre:"/Host\x3a\x20(?=[0-9]{0,22}[a-z])(?=[a-z]*?[0-9][a-z]{0,22}[0-9])[a-z0-9]{23}\x2e[^\x2e\r\n]+\x2e[^\x2e\r\n]/H"; classtype:exploit-kit; sid:2021040; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_30, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Secondary Landing Page May 01 2015 M1"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=Y21kIC9jIGVjaG8g"; classtype:exploit-kit; sid:2021047; rev:2; metadata:created_at 2015_05_02, updated_at 2015_05_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Nuclear EK Landing URI Struct Oct 26 2015"; flow:to_server,established; content:".php?option=com_"; http_uri; content:"&itemid="; http_uri; content:"&id="; http_uri; pcre:"/&id=\d+(?:\x3a(?:[a-z0-9]*?[A-Z])(?:[A-Z0-9]*?[a-z])[A-Za-z0-9]{10,}\.{0,2})?&catid=\d+&itemid=\d+$/U"; classtype:exploit-kit; sid:2021999; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_26, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Secondary Landing Page May 01 2015 M2"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=cG93ZXJzaGVsbC5leGUg"; classtype:exploit-kit; sid:2021048; rev:2; metadata:created_at 2015_05_02, updated_at 2015_05_02;)
+alert udp any 68 -> any 67 (msg:"ET POLICY Possible Kali Linux hostname in DHCP Request Packet"; content:"|63 82 53 63 35 01 03|"; content:"|0c 04|kali"; distance:0; nocase; reference:url,www.kali.org; classtype:policy-violation; sid:2022973; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_07_18, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2017_10_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux.Trojan.IptabLex Variant Checkin"; flow:to_server,established; dsize:157; content:"|77|"; depth:1; pcre:"/^[\x01\x03\x08\x09\x0b]\x00/R"; content:"|20 40 20|"; distance:0; content:"Hz"; nocase; within:15; reference:md5,019765009f7142a89af15aaaac7400cc; reference:url,blog.malwaremustdie.org/2014/06/mmd-0025-2014-itw-infection-of-elf.html; classtype:command-and-control; sid:2021050; rev:1; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2015_05_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 21 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Google Security"; nocase; fast_pattern; content:"beep.mp3"; nocase; distance:0; content:"function alertCall"; nocase; distance:0; content:"function alertTimed"; nocase; distance:0; content:"function alertLoop"; nocase; distance:0; classtype:social-engineering; sid:2022981; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_21;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Linux.Mumblehard Spam Command CnC"; flow:to_server,established; content:"POST / HTTP/1."; depth:14; content:"|0d 0a 0d 0a 0f 0f|"; pcre:"/^\d{1,3}[0-2]/R"; reference:url,www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf; reference:md5,86f0b0b74fe8b95b163a1b31d76f7917; classtype:command-and-control; sid:2021053; rev:1; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2015_05_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lethic - Client Alive"; flow:established,to_server; dsize:6; content:"|01 00 21 01|"; offset:2; depth:4; classtype:trojan-activity; sid:2015522; rev:3; metadata:created_at 2012_07_25, updated_at 2016_07_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Flash Payload ShellCode Apr 23 2015"; flow:established,from_server; file_data; content:"urlmon.dll|00|http|3a 2f|"; pcre:"/^\x2f+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\??[a-f0-9]+\x7chttp\x3a\x2f/Rs"; classtype:exploit-kit; sid:2021054; rev:2; metadata:created_at 2015_05_04, former_category EXPLOIT_KIT, updated_at 2015_05_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Mar 30 M3"; flow:established,to_client; file_data; content:"try "; content:"= new ActiveXObject"; distance:0; content:"catch"; distance:0; content:"=|20 22|Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi|22|,"; content:"=|20 22|Kaspersky.IeVirtualKeyboardPluginSm.JavascriptApi|22|,"; content:".location="; distance:0; classtype:exploit-kit; sid:2022984; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_26, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_07_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyre Downloading Mailer 2"; flow:established,to_server; content:"GET"; http_method; content:".tar"; http_uri; content:!"Accept"; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0E|3b 20|.NET4.0C|3b 20|rv|3a|11.0) like Gecko|0d 0a|Host|3a|"; http_header; depth:195; pcre:"/^[^\r\n]+\r\n(?:\r\n)?$/RHi"; pcre:"/\.tar$/U"; reference:url,www.seculert.com/blog/2015/04/new-dyre-version-evades-sandboxes.html; reference:md5,999bc5e16312db6abff5f6c9e54c546f; classtype:trojan-activity; sid:2021056; rev:5; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2015_05_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M1"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>errorx"; nocase; fast_pattern; content:"<audio autoplay"; nocase; distance:0; content:"setInterval"; nocase; pcre:"/^\s*\(\s*function\s*\(\s*\)\s*\{\s*alert/Ri"; classtype:social-engineering; sid:2022991; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_29, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (23)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:1728; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021059; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M4"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function loadNumber"; nocase; fast_pattern; content:"function doRedirect"; nocase; distance:0; content:"function randomString"; nocase; distance:0; content:"function leavebehind"; nocase; distance:0; content:"function myFunction"; nocase; distance:0; content:"function confirmExit"; nocase; distance:0; classtype:social-engineering; sid:2022994; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_29, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ursnif SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|16|athereforeencourage.pw"; distance:1; within:23; classtype:trojan-activity; sid:2021061; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_06, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jul 7"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"default_number|3b|"; nocase; distance:0; content:"default_plain_number|3b|"; fast_pattern; nocase; distance:0; content:"plain_number|3b|"; nocase; distance:0; content:"loco_params|3b|"; nocase; distance:0; content:"loco|3b|"; nocase; distance:0; classtype:social-engineering; sid:2022955; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_07, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_07;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8d 3d d5 97 44 08 33 d8|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021063; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Base64 Data URI Javascript Refresh - Possible Phishing Landing"; flow:from_server,established; file_data; content:"<script"; nocase; content:"window.location="; distance:0; content:"data|3a|text/html|3b|base64,"; distance:1; within:22; fast_pattern; classtype:social-engineering; sid:2031955; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response"; flow:established,to_client; flowbits:isset,http.dottedquadhost; file_data; content:"MZ"; within:2; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:2021076; rev:2; metadata:created_at 2015_05_08, former_category INFO, updated_at 2015_05_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading To EK Jul 30 M1"; flow:established,to_server; content:".js?chbstr=0."; http_uri; pcre:"/\.js\?chbstr=0\.\d+$/U"; classtype:exploit-kit; sid:2022995; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_30, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Trojan Multi-part Macro Download M1"; flow:established,from_server; file_data; content:"PAB0AGUAeAB0ADEAMAA+ACQA"; within:24; classtype:trojan-activity; sid:2020911; rev:3; metadata:created_at 2015_04_15, former_category CURRENT_EVENTS, updated_at 2015_04_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Aug1 2016"; flow:established,from_server; file_data; content:"|76 61 72 20 68 65 61 64 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 27 62 6f 64 79 27 29 5b 30 5d 3b 20 76 61 72 20 73 63 72 69 70 74 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 73 63 72 69 70 74 2e 73 72 63 3d 20 22 2f 2f|"; pcre:"/^[^\r\n\x22\?]+[&?][^=\r\n\x22]+=[a-f0-9]+[^\r\n\x22\?]*[&?][^=\r\n\x22]+=[a-f0-9]+\x22\s*\x3b\s*head\.appendChild\(\s*script\s*\)\x3b/R"; classtype:exploit-kit; sid:2022998; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_08_01;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Cryptolocker .onion Proxy Domain (24u4jf7s4regu6hn)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|24u4jf7s4regu6hn"; fast_pattern; distance:0; nocase; reference:md5,36095572717aee2399b6bdacef936e22; classtype:trojan-activity; sid:2021085; rev:1; metadata:created_at 2015_05_09, updated_at 2015_05_09;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ZeuS CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|taxreclaim.am"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023005; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Zeus_SSL, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 3"; flow:established,to_server; content:".php?hash="; http_uri; fast_pattern:only; pcre:"/\/(?:java(?:byte|db)|o(?:utput|ther)|r(?:hino|otat)|msie\d|load)\.php\?hash=/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017024; rev:4; metadata:created_at 2013_06_18, former_category CURRENT_EVENTS, updated_at 2013_06_18;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 08|"; content:"|04|Atak"; distance:1; within:5; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023006; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|10 62 16 fe 1e af 85 65 68 82 0d d7 6f 8e 27 33 02|"; content:"|55 04 03|"; distance:0; content:"|0d|mainbytes.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021086; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 95 9d ed 5e 9f 95 7f b4|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023007; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a5 12 0c 27 cc 24 bb ef|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021087; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 9c 26 67 04 e7 9a e0 56|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023008; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Possible Office Doc with Embedded VBA Project"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"/vbaProject"; nocase; pcre:"/\d*?\.bin/Ri"; flowbits:set,et.DocVBAProject; classtype:bad-unknown; sid:2019835; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|secureit.pw"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023009; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Possible Office Doc with Embedded VBA Project"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"_VBA_PROJECT"; nocase; flowbits:set,et.DocVBAProject; classtype:bad-unknown; sid:2019836; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 da e8 83 5e e4 0a d0 5c|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023010; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Download file with BITS via LNK file (Likely Malicious)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"|00|b|00|i|00|t|00|s|00|a|00|d|00|m|00|i|00|n|00|"; nocase; content:"|00|t|00|r|00|a|00|n|00|s|00|f|00|e|00|r|00|"; nocase; classtype:trojan-activity; sid:2021092; rev:2; metadata:created_at 2015_05_13, former_category MALWARE, updated_at 2015_05_13;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader.Pony CnC)"; flow:from_server,established; content:"|09 00 a7 26 cd 4c 62 32 35 26|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023011; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex Remote Macro Download"; flow:established,from_server; file_data; content:"(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80)"; nocase; classtype:trojan-activity; sid:2021093; rev:2; metadata:created_at 2015_05_13, former_category CURRENT_EVENTS, updated_at 2015_05_13;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|09 00 b8 a4 f2 db af 86 f7 53|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023012; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|roobox.info"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021096; rev:3; metadata:attack_target Client_and_Server, created_at 2015_05_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|04 26 98 61 57|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|25|ASA Temporary Self Signed Certificate"; distance:1; within:38; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023013; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ruckguv.A SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|11 21 e9 a1 69 3a 6e e9 a8 fb a3 ba 5b ee 9d 6e 60 02|"; fast_pattern; content:"|55 04 03|"; content:"|15|elyseeinvestments.com"; distance:1; within:22; reference:md5,1225b8c9b52d4828b9031267939e8260; classtype:trojan-activity; sid:2021097; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware Locky .onion Payment Domain (zjfq4lnfbs7pncr5)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zjfq4lnfbs7pncr5"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022997; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2016_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Troldesh.A SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 bf 81 b3 c2 61 36 e4 9d|"; fast_pattern; content:"|55 04 03|"; content:"|16|www.jyxc3nn7eu2iqd.net"; distance:1; within:23; reference:md5,3358793e79042faa2298856373e644dc; classtype:trojan-activity; sid:2021098; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"GPL EXPLOIT WEB-MISC JBoss RMI class download service directory listing attempt"; flow:to_server,established; content:"GET %. HTTP/1."; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2; classtype:web-application-attack; sid:2103461; rev:1; metadata:created_at 2016_08_04, updated_at 2016_08_04;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rofin.A CnC traffic (OUTBOUND)"; flow:to_server,established; dsize:>11; content:"|dd aa 99 66|"; depth:4; byte_jump:4,4,relative,little,from_beginning, post_offset -2; isdataat:!2,relative; reference:md5,6b71398418c7c6b01cf8abb105bc884d; classtype:command-and-control; sid:2020671; rev:3; metadata:created_at 2015_03_11, former_category MALWARE, updated_at 2015_03_11;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Safe/CritX/FlashPack URI with Windows Plugin-Detect Data"; flow:established,to_server; content:"/pd.php?id="; http_uri; fast_pattern:only; pcre:"/\/pd\.php\?id=[a-f0-9]+$/U"; classtype:exploit-kit; sid:2017812; rev:5; metadata:created_at 2013_12_06, updated_at 2016_08_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|07|Glasgow"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|06|Glasgo"; distance:1; within:7; content:"|55 04 0a|"; distance:0; content:"|0b|Green Peace"; distance:1; within:12; reference:md5,3cecc935eb92ed03dc9908fc96b0f795; classtype:domain-c2; sid:2021102; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RAMNIT.A M1"; flow:established,from_server; file_data; content:"|43 72 65 61 74 65 54 65 78 74 46 69 6c 65 28 44 72 6f 70 50 61 74 68|"; nocase; content:"|57 53 48 73 68 65 6c 6c 2e 52 75 6e 20 44 72 6f 70 50 61 74 68 2c 20 30|"; nocase; reference:url,www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A; classtype:trojan-activity; sid:2023028; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_09, deployment Perimeter, malware_family Ramnit, performance_impact Moderate, signature_severity Major, updated_at 2016_08_09;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea 29 4d 2c d5 53 a8 8e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021109; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RAMNIT.A M2"; flow:established,from_server; file_data; content:"|6c 61 6e 67 75 61 67 65 3d 56 42 53 63 72 69 70 74|"; nocase; content:"|57 72 69 74 65 44 61 74 61 20 3d|"; nocase; content:"|22 34 44 35 41 39 30 30|"; nocase; distance:0; content:"|44 72 6f 70 46 69 6c 65 4e 61 6d 65 20 3d 20|"; reference:url,www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A; classtype:trojan-activity; sid:2023029; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, malware_family Ramnit, performance_impact Low, signature_severity Major, updated_at 2016_08_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TROJ_NAIKON.A SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|04|donc"; fast_pattern; distance:1; within:5; content:"|55 04 0b|"; content:"|03|abc"; distance:1; within:4; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:2016795; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_04_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|www.endeverllcandjohns13.com"; distance:1; within:29; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023030; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_09, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DNSChanger EK Secondary Landing May 12 2015 M2"; flow:established,from_server; file_data; content:"&|22|+DetectRTC.isWebSocketsSupported+|22|&|22|+"; nocase; content:"CryptoJSAesJson"; nocase; classtype:exploit-kit; sid:2021110; rev:2; metadata:created_at 2015_05_16, updated_at 2015_05_16;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|16 03 01 00|"; depth:4; content:"|09 00 8e b6 50 28 b2 eb aa d8|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023031; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_09, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|13|Widgets Numbers PTY"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021112; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Outgoing Chromoting Session Response"; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; depth:170; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; distance:39; reference:url,xinn.org/Chromoting.html; classtype:not-suspicious; sid:2013800; rev:3; metadata:created_at 2011_10_26, updated_at 2016_08_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|srv2415.domain.local"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021113; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Incoming Chromoting Session Response"; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; depth:170; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; distance:39; reference:url,xinn.org/Chromoting.html; classtype:not-suspicious; sid:2013801; rev:4; metadata:created_at 2011_10_26, updated_at 2016_08_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|11|Facebook Porn PTY"; distance:1; within:18; classtype:domain-c2; sid:2021106; rev:3; metadata:attack_target Client_and_Server, created_at 2015_05_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Mozila Error"; fast_pattern; nocase; content:"<audio autoplay"; nocase; distance:0; content:"data|3a|image/png|3b|base64,"; nocase; classtype:social-engineering; sid:2023038; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_10;)
 
-#alert ip $HOME_NET any -> [199.2.137.0/24,207.46.90.0/24] any (msg:"ET MALWARE Connection to Microsoft Sinkhole IP (Possbile Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016999; rev:4; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M4"; flow:to_server,established; content:"GET"; http_method; content:".php?num="; fast_pattern; nocase; http_uri; content:"&country="; nocase; distance:0; http_uri; content:"&city="; nocase; distance:0; http_uri; content:"&os="; nocase; distance:0; http_uri; content:"&ip="; nocase; distance:0; http_uri; classtype:social-engineering; sid:2023040; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_10;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Microsoft - 131.253.18.11-12"; content:"|00 01 00 01|"; content:"|00 04 83 fd 12|"; distance:4; within:5; byte_test:1,>,10,0,relative; byte_test:1,<,13,0,relative; threshold: type limit, count 1, seconds 120, track by_src; classtype:trojan-activity; sid:2016101; rev:6; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M5"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Hacking Attack"; nocase; fast_pattern; content:"mozfullscreenerror"; nocase; distance:0; content:"toggleFullScreen"; distance:0; content:"addEventListener"; distance:0; content:"countdown"; nocase; classtype:social-engineering; sid:2023041; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT17 CnC Content in Public Website"; flow:from_server,established; file_data; content:"@MICR0S0FT"; pcre:"/^[a-zA-Z0-9]{8}/R"; content:"C0RP0RATI0N"; within:11; reference:url,github.com/fireeye/iocs/tree/master/APT17; classtype:targeted-activity; sid:2021116; rev:2; metadata:created_at 2015_05_19, former_category MALWARE, updated_at 2015_05_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxy.Win32.Agent.mx (2)"; flow:established,to_server; content:"q.php"; fast_pattern; nocase; http_uri; content:!".chartbeat.net"; nocase; http_header; content:"&p="; nocase; http_uri; content:"&x="; nocase; http_uri; content:"&i="; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&o="; nocase; http_uri; content:"&v="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006406; classtype:trojan-activity; sid:2006406; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 19 ef 92 11 51 27 f3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021121; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 12 M2"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"#foxboxmsg"; fast_pattern; nocase; content:"getURLParameter"; nocase; distance:0; content:"default_number"; nocase; distance:0; content:"default_plain_number"; nocase; distance:0; content:"loco_params"; nocase; distance:0; classtype:social-engineering; sid:2023052; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_12, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (24)"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021126; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert udp $HOME_NET 53 -> $EXTERNAL_NET 1:1023 (msg:"ET DOS DNS Amplification Attack Possible Outbound Windows Non-Recursive Root Hint Reserved Port"; content:"|81 00 00 01 00 00|"; depth:6; offset:2; byte_test:2,>,10,0,relative; byte_test:2,>,10,2,relative; content:"|0c|root-servers|03|net|00|"; distance:0; content:"|0c|root-servers|03|net|00|"; distance:0; threshold: type both, track by_dst, seconds 60, count 5; reference:url,twitter.com/sempersecurus/status/763749835421941760; reference:url,pastebin.com/LzubgtVb; classtype:bad-unknown; sid:2023054; rev:2; metadata:attack_target Server, created_at 2016_08_12, deployment Datacenter, performance_impact Low, updated_at 2016_08_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (25)"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021127; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET 1:1023 (msg:"ET DOS DNS Amplification Attack Possible Inbound Windows Non-Recursive Root Hint Reserved Port"; content:"|81 00 00 01 00 00|"; depth:6; offset:2; byte_test:2,>,10,0,relative; byte_test:2,>,10,2,relative; content:"|0c|root-servers|03|net|00|"; distance:0; content:"|0c|root-servers|03|net|00|"; distance:0; threshold: type both, track by_dst, seconds 60, count 5; reference:url,twitter.com/sempersecurus/status/763749835421941760; reference:url,pastebin.com/LzubgtVb; classtype:bad-unknown; sid:2023053; rev:2; metadata:attack_target Server, created_at 2016_08_12, deployment Datacenter, performance_impact Low, updated_at 2016_08_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaScriptBackdoor SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b7 2f ae e8 e2 55 b5 bf|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,2a63b3a621d8e555734582d83b5e06a5; classtype:trojan-activity; sid:2021134; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Payload Jun 26 2016"; flow:established,from_server; file_data; content:"|2c 2d dd 4b 40 44 77 41|"; within:9; classtype:exploit-kit; sid:2022916; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_06_26, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2016_08_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Dridex SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 08|"; distance:0; content:"|07|Montana"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|09|Liverpool"; distance:1; within:10; content:"|55 04 03|"; distance:0; content:"|0e|southnorth.org"; distance:1; within:15; fast_pattern; reference:md5,440e5c0aee33cba3c4707ada0856ff6d; classtype:trojan-activity; sid:2021145; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SMS Fake Mobile Virus Scam Aug 16 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Protect your Computer"; nocase; fast_pattern; content:"Your Computer"; nocase; distance:0; content:"INFECTED"; distance:0; content:"Enter Your Number"; nocase; distance:0; content:"SCAN NOW</button>"; nocase; distance:0; classtype:social-engineering; sid:2023069; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_16;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Linux/Moose Telnet CnC Beacon"; flow:established,to_server; dsize:40; content:"|0e 00 00 00|"; offset:4; depth:4; fast_pattern; content:!"|00|"; within:1; content:!"|00|"; distance:3; within:1; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:4; within:28; content:!"|00 00 00 00|"; depth:4; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021149; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_05_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert udp any any -> any 161 (msg:"ET EXPLOIT Equation Group ExtraBacon Cisco ASA PMCHECK Disable"; content:"|bf a5 a5 a5 a5 b8 d8 a5 a5 a5 31 f8 bb a5|"; content:"|ac 31 fb b9 a5 b5 a5 a5 31 f9 ba a2 a5 a5 a5 31 fa cd 80 eb 14 bf|"; distance:2; within:22; content:"|31 c9 b1 04 fc f3 a4 e9 0c 00 00 00 5e eb ec e8 f8 ff ff ff 31 c0 40 c3|"; distance:4; within:24; reference:url,xorcatt.wordpress.com/2016/08/16/equationgroup-tool-leak-extrabacon-demo/; classtype:attempted-admin; sid:2023070; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, created_at 2016_08_17, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_08_17;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Malicious Redirect SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|14|formationtraffic.com"; distance:1; within:21; classtype:trojan-activity; sid:2021146; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SUSPICIOUS Grey Advertising Often Leading to EK"; flow:established,from_server; file_data; content:"|69 66 20 28 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 20 26 26 20 74 79 70 65 6f 66 20 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 20 3d 3d 3d 20 27 73 74 72 69 6e 67 27 29|"; content:"|66 75 6e 63 74 69 6f 6e 20 28 73 72 63 2c 20 61 73 79 6e 63 2c 20 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 2c 20 63 61 6c 6c 62 61 63 6b 29|"; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=854; classtype:exploit-kit; sid:2021763; rev:3; metadata:created_at 2015_09_12, updated_at 2016_08_17;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|17|ns343677.ip-94-23-16.eu"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021154; rev:3; metadata:attack_target Client_and_Server, created_at 2015_05_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp any any -> any 161 (msg:"ET EXPLOIT Equation Group ExtraBacon Cisco ASA AAAADMINAUTH Disable"; content:"|bf a5 a5 a5 a5 b8 d8 a5 a5 a5 31 f8 bb a5|"; content:"|ad 31 fb b9 a5 b5 a5 a5 31 f9 ba a2 a5 a5 a5 31 fa cd 80 eb 14 bf|"; distance:2; within:22; content:"|31 c9 b1 04 fc f3 a4 e9 0c 00 00 00 5e eb ec e8 f8 ff ff ff 31 c0 40 c3|"; distance:4; within:24; reference:url,xorcatt.wordpress.com/2016/08/16/equationgroup-tool-leak-extrabacon-demo/; classtype:attempted-admin; sid:2023071; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, created_at 2016_08_17, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_08_17;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Yakes CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bd 4b 4b 98 c9 8b 2f 20|"; within:35; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|13|webmaster@localhost"; distance:1; within:20; reference:md5,6cdd93dcb1c54a4e2b036d2e13b51216; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021155; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Mobile Virus Scam M1 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Virus Detected"; nocase; fast_pattern; content:"#loading-bar"; nocase; distance:0; content:"navigator.vibrate"; nocase; distance:0; content:"Download Now"; nocase; distance:0; content:"Download Now"; nocase; distance:0; classtype:social-engineering; sid:2023079; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil JS iframe Embedded In GIF"; flow:established,from_server; file_data; content:"GIF89a="; nocase; within:8; content:"|3b|url="; nocase; distance:0; content:"iframe"; nocase; distance:0; content:"|3b|tail="; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2021156; rev:2; metadata:created_at 2015_05_28, updated_at 2015_05_28;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET EXPLOIT CISCO FIREWALL SNMP Buffer Overflow Extrabacon (CVE-2016-6366)"; content:"|06 01 04 01 09 09 83 6B|"; pcre:"/^(?:\x01(?:(?:\x01(?:(?:\x04(?:(?:\x03(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x04(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x01(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a])?)?|\x02(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a])?)?))?|\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c])?|\x02(?:[\x01\x02\x03\x04])?|\x03(?:[\x01\x02])?))?|\x03(?:(?:\x03(?:\x01(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e])?)?)?|\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13])?|\x02(?:[\x01\x02])?))?|\x05(?:(?:\x02(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07])?)?|\x01(?:[\x01\x02\x03])?))?|\x02(?:(?:[\x01\x02]|\x03(?:\x01(?:[\x01\x02\x03])?)?))?|\x06(?:\x01(?:[\x01\x02\x03\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x07(?:[\x01\x02])?|\x04))?|\x02(?:(?:\x02(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c])?|(?:\x01)?\x01))?)/Rsi"; content:"|81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10|"; within:160; fast_pattern; reference:cve,2016-6366; classtype:misc-attack; sid:2023086; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, created_at 2016_08_25, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED External IP Lookup - whoer.net"; flow:established,to_server; content:"Host|3a 20|whoer.net|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; classtype:external-ip-check; sid:2021161; rev:2; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.DarkComet Keepalive Outbound"; flow:to_server,established; content:"KEEPALIVE"; depth:9; pcre:"/^KEEPALIVE\d+$/"; reference:md5,d4f949f268d00522cfbae5d18cbce933; classtype:trojan-activity; sid:2023091; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2016_08_25;)
 
-alert udp $HOME_NET 5093 -> $EXTERNAL_NET any (msg:"ET DOS Possible Sentinal LM  Application attack in progress Outbound (Response)"; dsize:>1390; content:"|7a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; threshold: type both,track by_src,count 10,seconds 60; classtype:attempted-dos; sid:2021170; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Landing Feb 26"; flow:to_server,established; content:"GET"; http_method; content:".html"; http_uri; content:"rackcdn.com|0d 0a|"; http_header; fast_pattern; pcre:"/^\/[a-zA-Z0-9]+\.html$/U"; pcre:"/\x0d\x0aHost\x3a\x20[a-f0-9]{20}-[a-f0-9]{32}\.r[0-9]{1,2}\.cf[0-9]\.rackcdn\.com\x0d\x0a/H"; classtype:social-engineering; sid:2022574; rev:3; metadata:created_at 2016_03_01, former_category CURRENT_EVENTS, updated_at 2016_08_26;)
 
-alert udp $EXTERNAL_NET 5093 -> $HOME_NET any (msg:"ET DOS Possible Sentinal LM Amplification attack (Response) Inbound"; dsize:>1390; content:"|7a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; threshold: type both,track by_src,count 10,seconds 60; classtype:attempted-dos; sid:2021171; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt"; flow:established,to_client; file_data; content:"Heap|2E|"; nocase; content:"Heap|2E|"; nocase; distance:0; content:"Heap|2E|"; nocase; distance:0; classtype:shellcode-detect; sid:2013222; rev:4; metadata:created_at 2011_07_06, updated_at 2016_08_29;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"ET DOS Possible Sentinal LM Amplification attack (Request) Inbound"; dsize:6; content:"|7a 00 00 00 00 00|"; threshold: type both,track by_dst,count 10,seconds 60; classtype:attempted-dos; sid:2021172; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Challack Tool in use"; flow:no_stream,to_server; flags:R; dsize:1; content:"x"; threshold: type both, track by_dst, seconds 1, count 90; reference:url,www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf; reference:cve,2016-5696; classtype:misc-attack; sid:2023140; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2016_08_29, deployment Datacenter, performance_impact Significant, signature_severity Major, updated_at 2016_08_29;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea d4 96 1c 0a 8b 6f a4|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021175; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT RST Flood With Window"; flow:no_stream,to_server; flags:R; window:!0; threshold: type both, track by_dst, seconds 1, count 101; reference:url,www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf; reference:cve,2016-5696; classtype:misc-attack; sid:2023141; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2016_08_29, deployment Perimeter, performance_impact Significant, signature_severity Major, updated_at 2016_08_29;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible BlackEnergy Accessing SMB/SMB2 Named Pipe (ASCII)"; flow:to_server,established; content:"SMB"; offset:5; depth:4; content:"{AA0EED25-4167-4CBB-BDA8-9A0F5FF93EA8}"; distance:0; nocase; reference:url,cyberx-labs.com/wp-content/uploads/2015/05/BlackEnergy-CyberX-Report_27_May_2015_FINAL.pdf; classtype:trojan-activity; sid:2021179; rev:1; metadata:created_at 2015_06_04, updated_at 2015_06_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE NetWire / Ozone / Darktrack Alien RAT - Client KeepAlive"; flow:established,to_server; flowbits:isset,ET.NetWire; content:"|01 00 00 00 00|"; depth:5; dsize:6; reference:url,researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic; reference:url,www.circl.lu/pub/tr-23; classtype:trojan-activity; sid:2021978; rev:6; metadata:created_at 2015_10_20, updated_at 2016_08_30;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible BlackEnergy Accessing SMB/SMB2 Named Pipe (Unicode)"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{|00|A|00|A|00|0|00|E|00|E|00|D|00|2|00|5|00|-|00|4|00|1|00|6|00|7|00|-|00|4|00|C|00|B|00|B|00|-|00|B|00|D|00|A|00|8|00|-|00|9|00|A|00|0|00|F|00|5|00|F|00|F|00|9|00|3|00|E|00|A|00|8|00|}"; distance:0; nocase; reference:url,cyberx-labs.com/wp-content/uploads/2015/05/BlackEnergy-CyberX-Report_27_May_2015_FINAL.pdf; classtype:trojan-activity; sid:2021180; rev:1; metadata:created_at 2015_06_04, updated_at 2015_06_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER AnonGhost PHP Webshell"; flow:from_server,established; file_data; content:"base64_decode("; content:"Bbm9uR2hvc3Qg"; fast_pattern; classtype:trojan-activity; sid:2023143; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2016_09_01, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2016_09_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0b|YouPorn Ltd"; distance:1; within:12; content:"|55 04 03|"; distance:0; content:"|0b|pornhub.xxx"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021186; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2014-6332 Sep 01 2016 (HFS Actor) M1"; flow:established,from_server; file_data; content:"|26 63 68 72 77 28 32 31 37 36 29 26 63 68 72 77 28 30 31 29 26|"; nocase; content:"|26 63 68 72 77 28 33 32 37 36 37 29|"; nocase; content:"|73 65 74 6e 6f 74 73 61 66 65 6d 6f 64 65 28 29|"; nocase; content:"|72 75 6e 73 68 65 6c 6c 63 6f 64 65 28 29|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023145; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family IEiExploit, performance_impact Low, signature_severity Major, updated_at 2016_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Exploit URI Struct May 28 2015 M1"; flow:to_server,established; urilen:>51; content:"."; http_uri; offset:49; depth:1; content:!"/"; http_uri; offset:1; pcre:"/^\/(?=[a-z0-9_-]{0,47}?[A-Z][a-z0-9_-]{0,46}?[A-Z])(?=[A-Z0-9_-]{0,47}?[a-z][A-Z0-9_-]{0,46}?[a-z])(?=[A-Za-z_-]{0,47}?[0-9][A-Za-z_-]{0,46}?[0-9])[A-Za-z0-9_-]{48}\.[a-z]{2,25}\d?\??/U"; pcre:"/^Referer\x3a\x20http\x3a\x2f\x2f?[^\x2f]+\/[a-z]{3,20}((?P<sep>[_-]?)[a-z]{3,20}(?P=sep)(?:[a-z]{3,20}(?P=sep))?)?[a-z]{3,20}\/\d{10,20}(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,AnglerEK.Struct; classtype:exploit-kit; sid:2021157; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Locky Ransomware Renaming File via SMB"; flow:to_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|11 00|"; distance:8; within:2; content:"|00|.|00|z|00|e|00|p|00|t|00|o|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2023147; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2017_04_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|povawfas.us"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021192; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Locky Ransomware Writing Instructions via SMB"; flow:to_server,established; content:"|FE|SMB|40 00|"; offset:4; depth:6; content:"|05 00|"; distance:6; within:2; content:"_|00|H|00|E|00|L|00|P|00|_|00|i|00|n|00|s|00|t|00|r|00|u|00|c|00|t|00|i|00|o|00|n|00|s|00|.|00|h|00|t|00|m|00|l"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2023148; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2017_04_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb 01 dc 12 42 31 23 93|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021193; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $HOME_NET [445,139] (msg:"ET MALWARE Zlader Ransomware Worm Propagating Over SMB v1 ASCII"; flow:to_server,established; content:"|FF|SMB|A2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|24|RECYCLE|2E|BIN|2E 7B|"; nocase; distance:0; fast_pattern; pcre:"/\x24RECYCLE\.BIN\.\x7B[0-9A-F]{8}\x2D(?:[0-9A-F]{4}\x2D){3}[0-9A-F]{12}\x7D\x5C\x7B[0-9A-F]{8}\x2D(?:[0-9A-F]{4}\x2D){3}[0-9A-F]{12}\x7D\.(?:scr|pif|cmd)/i"; threshold:type limit, track by_src, count 10, seconds 60; reference:url,www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_zlader.b; classtype:trojan-activity; sid:2023149; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Qadars WebInject SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|1e|www.freechristmasgifts2014.com"; distance:1; within:31; reference:md5,06588acf0112a84fe5f684bbafd7dc00; classtype:trojan-activity; sid:2021194; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Encoded CVE-2014-6332 (As Observed in SunDown EK) M1"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 31 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 34 31 29|"; classtype:exploit-kit; sid:2023151; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, signature_severity Major, updated_at 2016_09_02;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|01 01|"; distance:18; within:2; content:"|55 04 03|"; distance:0; content:"|0d|web.gibnos.pw"; distance:1; within:14; reference:md5,c8131a48e834291be6c7402647250e73; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021196; rev:3; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Encoded CVE-2014-6332 (As Observed in SunDown EK) M2"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 34 39 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29|"; classtype:exploit-kit; sid:2023152; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, signature_severity Major, updated_at 2016_09_02;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|povawer.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021197; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Encoded CVE-2014-6332 (As Observed in SunDown EK) M3"; flow:established,to_client; file_data; content:"|43 68 72 28 33 32 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 30 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 39 37 29 20 26 20 43 68 72 28 31 30 32 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 30 39 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 30 30 29 20 26 20 43 68 72 28 31 30 31 29|"; classtype:exploit-kit; sid:2023153; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, signature_severity Major, updated_at 2016_09_02;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|laxitr.biz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021198; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/LuaBot CnC Beacon Response"; flow:established,from_server; file_data; content:"script|7c|"; within:7; content:"|7c|endscript"; distance:0; fast_pattern; content:"script|7c|"; distance:0; reference:url,blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html; classtype:command-and-control; sid:2023156; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family Linux_LuaBot, signature_severity Major, tag c2, updated_at 2016_09_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|dazopla.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021199; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 58|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012086; rev:3; metadata:created_at 2010_12_23, updated_at 2016_09_06;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|gipladfe.us"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021208; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|vuinuzhz.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023157; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|lazeca.biz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021209; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|18|certificatestatistic.com"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023158; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|zolaxap.us"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021210; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|careersnetworks.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023159; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0c|babapoti.biz"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021211; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|microsoftstore.local"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023160; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|09|poknop.us"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021212; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|fxpsjcklcqf.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023162; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Executable Downloaded from Google Cloud Storage"; flow:established,to_client; content:"x-goog-generation|3a 20|"; http_header; fast_pattern; content:"x-goog-metageneration|3a 20|"; http_header; content:"x-goog-stored-content-encoding|3a 20|"; http_header; content:"x-goog-stored-content-length|3a 20|"; http_header; content:"x-goog-hash|3a 20|"; http_header; file_data; content:"MZ"; within:2; reference:md5,e742e844d0ea55ef9f1c68491c702120; classtype:trojan-activity; sid:2021216; rev:3; metadata:created_at 2015_06_09, updated_at 2015_06_09;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|ywxozojqmcd.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023163; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"|74 3d 75 74 66 38 74 6f 31 36 28 78 78 74 65 61 5f 64 65 63 72 79 70 74 28 62 61 73 65 36 34 64 65 63 6f 64 65 28 74 29 2c|"; nocase; classtype:exploit-kit; sid:2021217; rev:2; metadata:created_at 2015_06_09, updated_at 2015_06_09;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|06|fwafdw"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023164; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|10|www.carinsup.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021220; rev:3; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|business-swiss.online"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023165; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|polasde.us"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021221; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|pro-access.cn"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023166; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|paxerba.us"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021222; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|securefreeonly.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023167; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|molared.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021223; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Hancitor CnC)"; flow:established,from_server; content:"|09 00 ce 75 ce f8 84 a5 7e e5|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023168; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|halowsin.us"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021224; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1d|ntracking.sys-optimatic.cloud"; distance:1; within:30; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023169; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 1"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021230; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|secureinishman.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023170; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 2"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{AB6172ED-8105-4996-9D2A-597B5F827501}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021231; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|systemresystem.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023171; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 3"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{0710880F-3A55-4A2D-AA67-1123384FD859}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021232; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|secureinterrr100.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023172; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 4"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{6C51A4DB-E3DE-4FEB-86A4-32F7F8E73B99}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021233; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|supergoodvin888.pw"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023173; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 5"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{7F9BCFC0-B36B-45EC-B377-D88597BE5D78}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021234; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|statuscheck.online"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023174; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 6"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{57D2DE92-CE17-4A57-BFD7-CD3C6E965C6A}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021235; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|Otakkibigytu"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023175; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 1"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|A|00|A|00|F|00|F|00|C|00|4|00|F|00|0|00|-|00|E|00|0|00|4|00|B|00|-|00|4|00|C|00|7|00|C|00|-|00|B|00|4|00|0|00|A|00|-|00|B|00|4|00|5|00|D|00|E|00|9|00|7|00|1|00|E|00|8|00|1|00|E|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021236; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (RockLoader CnC)"; flow:established,from_server; content:"|09 00 cb 68 d8 f0 41 2b 87 4c|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023176; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 2"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|A|00|B|00|6|00|1|00|7|00|2|00|E|00|D|00|-|00|8|00|1|00|0|00|5|00|-|00|4|00|9|00|9|00|6|00|-|00|9|00|D|00|2|00|A|00|-|00|5|00|9|00|7|00|B|00|5|00|F|00|8|00|2|00|7|00|5|00|0|00|1|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021237; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|host-ui.ru"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023177; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 3"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|0|00|7|00|1|00|0|00|8|00|8|00|0|00|F|00|-|00|3|00|A|00|5|00|5|00|-|00|4|00|A|00|2|00|D|00|-|00|A|00|A|00|6|00|7|00|-|00|1|00|1|00|2|00|3|00|3|00|8|00|4|00|F|00|D|00|8|00|5|00|9|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021238; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OSX/Mokes.A CnC Heartbeat"; flow:established,to_client; dsize:<300; content:"200"; offset:9; depth:3; content:"Content-Type|3a 20|text/html"; content:"Connection|3a 20|close|0d 0a|"; content:"Content-Encoding|3a 20|gzip|0d 0a|"; flowbits:isset,ET.OSX.Mokes; reference:url,securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered; classtype:command-and-control; sid:2023183; rev:2; metadata:affected_product Mac_OSX, created_at 2016_09_08, deployment Perimeter, former_category MALWARE, tag OSX_Malware, updated_at 2016_09_08;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 4"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|6|00|C|00|5|00|1|00|A|00|4|00|D|00|B|00|-|00|E|00|3|00|D|00|E|00|-|00|4|00|F|00|E|00|B|00|-|00|8|00|6|00|A|00|4|00|-|00|3|00|2|00|F|00|7|00|F|00|8|00|E|00|7|00|3|00|B|00|9|00|9|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021239; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2102314; rev:4; metadata:created_at 2010_09_23, updated_at 2016_09_09;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 5"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|7|00|F|00|9|00|B|00|C|00|F|00|C|00|0|00|-|00|B|00|3|00|6|00|B|00|-|00|4|00|5|00|E|00|C|00|-|00|B|00|3|00|7|00|7|00|-|00|D|00|8|00|8|00|5|00|9|00|7|00|B|00|E|00|5|00|D|00|7|00|8|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021240; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Kaaza Media desktop p2pnetworking.exe Activity"; content:"|e30cb0|"; depth:6; threshold: type limit, track by_dst, count 1 , seconds 600; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000340; classtype:policy-violation; sid:2000340; rev:11; metadata:created_at 2010_07_30, updated_at 2016_09_12;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 6"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|5|00|7|00|D|00|2|00|D|00|E|00|9|00|2|00|-|00|C|00|E|00|1|00|7|00|-|00|4|00|A|00|5|00|7|00|-|00|B|00|F|00|D|00|7|00|-|00|C|00|D|00|3|00|C|00|6|00|E|00|9|00|6|00|5|00|C|00|6|00|A|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021241; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 4242 (msg:"GPL DELETED eDonkey transfer"; flow:to_server,established; content:"|E3|"; depth:1; reference:url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html; classtype:policy-violation; sid:2102586; rev:4; metadata:created_at 2010_09_23, updated_at 2016_09_12;)
 
-#alert tcp any any -> any [139,445] (msg:"ET DELETED Possible Duqu 2.0 Accessing SMB/SMB2 backdoor"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"tttttttt"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021243; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 (CVE 2016-3861) Set"; flow:established,from_server; file_data; content:"ftyp"; fast_pattern; offset:4; depth:4; content:"|00|"; distance:5; within:1; flowbits:set,ET.MP4Stagefright; flowbits:noalert; reference:cve,2016-3861; reference:url,googleprojectzero.blogspot.com.br/2016/09/return-to-libstagefright-exploiting.html; classtype:attempted-user; sid:2023184; rev:2; metadata:created_at 2016_09_12, tag Android_Exploit, updated_at 2016_09_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex Download June 10 2015"; flow:established,from_server; content:"filename=|22|crypted.120.exe|22|"; http_header; nocase; classtype:trojan-activity; sid:2021244; rev:2; metadata:created_at 2015_06_11, updated_at 2015_06_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 (CVE 2016-3861) ROP"; flow:established,from_server; content:"ID3"; content:!"|FF|"; within:1; content:"|41 d8 41 d8 41 dc 41 d8 41 d8 41 dc|"; fast_pattern; within:800; pcre:"/^(\x41\xd8\x41\xd8\x41\xdc){2,}\x41\x00/R"; flowbits:isset,ET.MP4Stagefright; reference:cve,2016-3861; reference:url,googleprojectzero.blogspot.com.br/2016/09/return-to-libstagefright-exploiting.html; classtype:attempted-user; sid:2023185; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, performance_impact Low, signature_severity Major, tag Android_Exploit, updated_at 2016_09_12;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Cryptolocker C2 SSL cert serial"; flow:established,to_client; content:"|b3 b2 82 08 58 32 5e 8e|"; fast_pattern:only; reference:url,www.hybrid-analysis.com/sample/3ebc6999da89eaf44d94195b588cb869d894ca754a248b074893d11f6dd19188?environmentId=4; reference:md5,2c339dbb40b3b19ee275e4c7c1c17a18; classtype:command-and-control; sid:2021253; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data; content:"|25 32 32 25 37 30 25 36 66 25 37 33 25 36 39 25 37 34 25 36 39 25 36 66 25 36 65 25 33 61 25 32 30 25 36 31 25 36 32 25 37 33 25 36 66 25 36 63 25 37 35 25 37 34 25 33 62|"; nocase; classtype:exploit-kit; sid:2023188; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, tag Redirector, updated_at 2016_09_12;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Torrentlocker C2 SSL cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b3 b2 82 08 58 32 5e 8e|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; threshold: type limit, track by_src, count 1, seconds 60; reference:md5,77c99b6f06fe443b72a0efaf8f285e4d; classtype:command-and-control; sid:2021260; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest Inject (compromised site) M2 Sep 12 2016"; flow:established,from_server; file_data; content:"|25 33 62 25 36 36 25 36 39 25 36 63 25 37 34 25 36 35 25 37 32 25 33 61 25 36 31 25 36 63 25 37 30 25 36 38 25 36 31 25 32 38 25 36 66 25 37 30 25 36 31 25 36 33 25 36 39 25 37 34 25 37 39 25 33 64 25 33 30 25 32 39 25 33 62 25 32 30 25 32 64 25 36 64 25 36 66 25 37 61 25 32 64 25 36 66 25 37 30 25 36 31 25 36 33 25 36 39 25 37 34 25 37 39 25 33 61 25 33 30 25 33 62 25 32 32 25 33 65|"; nocase; classtype:exploit-kit; sid:2023189; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, tag Redirector, updated_at 2016_09_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing URI Struct Feb 21"; flow:established,to_server; urilen:<28; content:"/lists/"; depth:7; http_uri; pcre:"/^\/lists\/\d{15}(?:\d{5})?$/U"; classtype:exploit-kit; sid:2020497; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_22, deployment Perimeter, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK EITest Sep 02 M2"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z\d]+[+-][a-z\d]+[+-][a-z\d]+[+-])[a-z\d+-]*\/$/U"; classtype:exploit-kit; sid:2023150; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Redkit Jar Naming Pattern March 03 2013"; flow:established,to_server; content:".jar"; http_uri; nocase; content:"Java/1."; http_user_agent; pcre:"/^\/[a-z0-9]{2}\.jar$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016588; rev:15; metadata:created_at 2013_03_15, updated_at 2013_03_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b641)"; flow:established,from_server; file_data; content:"RnVuY3Rpb24gbGVha01lbS"; classtype:exploit-kit; sid:2023190; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 11"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; pcre:"/^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?:(?P=refhost)|www\.))/Hsi"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021248; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b642)"; flow:established,from_server; file_data; content:"Z1bmN0aW9uIGxlYWtNZW0g"; classtype:exploit-kit; sid:2023191; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 11 M2"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; pcre:"/^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$/U"; pcre:"/Host\x3a\x20(?!www\.)(?P<refhost>[^\x3a\r\n]+).*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?!(?P=refhost))/Hsi"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021266; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b643)"; flow:established,from_server; file_data; content:"GdW5jdGlvbiBsZWFrTWVtI"; classtype:exploit-kit; sid:2023192; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 11 M3"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; pcre:"/^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$/U"; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20(?!www\.)[^\x2e]+(?:\.[^\x2e\r\n]+){2,}\r$/Hmi"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021267; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b644)"; flow:established,from_server; file_data; content:"cHJlZml4ICYgIiV1MDAxNiV1NDE0MSV1NDE0MSV1NDE0MSV1NDI0MiV1NDI0Mi"; classtype:exploit-kit; sid:2023193; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TeslaCrypt MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12 2a 2e|pillspharm24.com"; distance:1; within:19; reference:md5,1b4e97af9f327126146338b8cd21dd86; classtype:domain-c2; sid:2021273; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b645)"; flow:established,from_server; file_data; content:"ByZWZpeCAmICIldTAwMTYldTQxNDEldTQxNDEldTQxNDEldTQyNDIldTQyNDIi"; classtype:exploit-kit; sid:2023194; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Elise SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 03|"; distance:0; content:"|0b|eric-office"; distance:1; within:12; reference:md5,8334f346585aa27ac6ae86e5adcaefa2; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:trojan-activity; sid:2021279; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b646)"; flow:established,from_server; file_data; content:"wcmVmaXggJiAiJXUwMDE2JXU0MTQxJXU0MTQxJXU0MTQxJXU0MjQyJXU0MjQyI"; classtype:exploit-kit; sid:2023195; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (16) M2"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; within:2048; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021280; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Sep 12 2016 T2"; flow:established,from_server; file_data; content:".split"; nocase; pcre:"/^\s*\(\s*[\x22\x27][\x00-\x09\x80-\xff][\x22\x27]\s*\)\s*\x3b\s*[A-Za-z0-9]+\s*=\s*[\x22\x27]/Rsi"; content:"|01 2e 02 3c 03 3e 04 3d 05 5c 22 06 5c 27 07 29|"; fast_pattern; within:16; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2023196; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family RIG, performance_impact Low, signature_severity Major, updated_at 2016_09_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (11) M2"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; within:2048; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021281; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert tcp any any -> $HOME_NET 3306 (msg:"ET EXPLOIT Possible MySQL CVE-2016-6662 Attempt"; flow:established,to_server; content:"|03|"; offset:4; content:"unhex"; nocase; distance:0; content:"67656e6572616c5f6c6f675f66696c65"; distance:0; nocase; content:"2e636e66"; nocase; content:"6e6d616c6c6f635f6c6962"; reference:cve,2016-6662; reference:url,legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; classtype:attempted-admin; sid:2023201; rev:1; metadata:affected_product MySQL, attack_target Server, created_at 2016_09_13, deployment Datacenter, updated_at 2016_09_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Fake AV Phone Scam Landing June 16 2015 M3"; flow:established,to_client; file_data; content:"<title>Virus Firewall Alert!</title>"; nocase; fast_pattern:16,20; content:"myFunction|28 29|"; distance:0; content:"popup-mac-warning.png"; nocase; distance:0; classtype:social-engineering; sid:2021287; rev:2; metadata:created_at 2015_06_17, updated_at 2015_06_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"<DIR>"; content:"File(s)"; distance:0; content:"Dir(s)"; content:"bytes free"; fast_pattern; distance:0; classtype:trojan-activity; sid:2023205; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2016_09_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Client Check-in 2"; flow:established,to_server; dsize:5; content:"|01 00 00 00 02|"; flowbits:isset,ET.NetwireRAT.Client; reference:md5,acccfa6107c712a63b1473d524461163; classtype:trojan-activity; sid:2021290; rev:1; metadata:created_at 2015_06_17, former_category TROJAN, updated_at 2017_12_11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows Microsoft Windows DOS prompt command Error Invalid Argument"; flow:established,to_server; content:"ERROR|3a| Invalid Argument/Option"; fast_pattern; classtype:trojan-activity; sid:2023206; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M4"; flow:established,from_server; file_data; content:"|76 68 7a 32 7a 3d 27 27 3b 74 72 79 7b 77 69 6e 64 6f 77|"; classtype:exploit-kit; sid:2021291; rev:4; metadata:created_at 2015_06_18, updated_at 2015_06_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows Microsoft Windows DOS prompt command Error not recognized"; flow:established,to_server; content:"|27| is not recognized as an internal or external command|2c|"; content:"operable program or batch file."; fast_pattern; classtype:trojan-activity; sid:2023207; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely CottonCastle/Niteris EK Response June 19 2015"; flow:established,from_server; content:"Refresh|3a 20|"; http_header; content:"|3b 20|url"; distance:0; http_header; content:"/999/00000/|0d 0a|"; distance:0; http_header; fast_pattern; pcre:"/^Refresh\x3a\x20\d+\x3b\x20url[^\r\n]+\/999\/00000\/\r?$/Hm"; classtype:exploit-kit; sid:2021306; rev:2; metadata:created_at 2015_06_19, updated_at 2015_06_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows Microsoft Windows DOS prompt command Error not found"; flow:established,to_server; content:"The following command was not found|3a 20|"; classtype:trojan-activity; sid:2023208; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious wininet UA Downloading EXE"; flow:established,from_server; flowbits:isset,ET.wininet.UA; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2021312; rev:2; metadata:created_at 2015_06_19, former_category CURRENT_EVENTS, updated_at 2015_06_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows net statistics workstation Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Workstation Statistics for |5c 5c|"; fast_pattern; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][A-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}/Rsi"; classtype:trojan-activity; sid:2023209; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious JS Observed in Unknown EK Landing"; flow:established,from_server; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 58 4f 52 28 75 6e 65 73 63 61 70 65 28 73 74 72 48 54 4d 4c 29|"; nocase; classtype:exploit-kit; sid:2021313; rev:2; metadata:created_at 2015_06_19, updated_at 2015_06_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows net statistics server Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Server Statistics for |5c 5c|"; fast_pattern; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][A-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}/Rsi"; classtype:trojan-activity; sid:2023210; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Adload (KaiXin Payload) Checkin Response"; flow:established,from_server; file_data; content:"[Config]|0d 0a|"; within:10; content:"[Process]|0d 0a|1="; distance:0; reference:md5,c45810710617f0149678cc1c6cbec7a6; classtype:command-and-control; sid:2021301; rev:4; metadata:created_at 2015_06_18, former_category MALWARE, updated_at 2015_06_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows driverquery -v Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Module Name"; content:"Display Name"; content:"Description"; content:"Driver Type"; fast_pattern; classtype:trojan-activity; sid:2023211; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|howtoe.pw"; distance:1; within:14; reference:md5,40368db3a68f2db17853750e68cfc662; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021314; rev:3; metadata:attack_target Client_and_Server, created_at 2015_06_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows driverquery -si Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"DeviceName"; fast_pattern; content:"InfName"; content:"IsSigned"; content:"Manufacturer"; classtype:trojan-activity; sid:2023212; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Possible Sinkhole)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ef ee 78 a7 ef c6 52 20|"; within:35; content:"|55 04 03|"; distance:0; content:"|0c|mainsinkhole"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021315; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows qwinsta Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"SESSIONNAME"; fast_pattern; content:"USERNAME"; content:"ID"; content:"STATE"; content:"TYPE"; content:"DEVICE"; classtype:trojan-activity; sid:2023213; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ChinaZ DDoS Bot Checkin 2"; flow:established,to_server; content:"*"; pcre:"/^\d+/R"; content:"MHZ|00 00 00 00|"; fast_pattern; within:7; content:"MB|00 00 00 00|"; distance:0; content:"M|00 00 00 00|"; distance:0; content:"|3b|"; distance:0; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/R"; reference:url,blog.malwaremustdie.org/2015/06/the-elf-chinaz-reloaded.html; classtype:command-and-control; sid:2021316; rev:1; metadata:created_at 2015_06_22, former_category MALWARE, updated_at 2015_06_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows quser Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"USERNAME"; fast_pattern; content:"SESSIONNAME"; content:"ID"; content:"STATE"; content:"IDLE TIME"; content:"LOGON TIME"; classtype:trojan-activity; sid:2023214; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page June 22 2015"; flow:established,from_server; file_data; content:"return binary_to_base64|28|"; content:"return "; pcre:"/^\s*?[\x22\x27][^\x22\x27a-f0-9]68[^\x22\x27a-f0-9]74[^\x22\x27a-f0-9]74[^\x22\x27a-f0-9]70[^\x22\x27a-f0-9]3a[^\x22\x27a-f0-9]2f[^\x22\x27a-f0-9]2f[^\x22\x27]+?[^\x22\x27a-f0-9]00[\x22\x27]/Ri"; classtype:exploit-kit; sid:2021320; rev:2; metadata:created_at 2015_06_23, updated_at 2015_06_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows gpresult Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Operating System Group Policy Result tool v"; fast_pattern; classtype:trojan-activity; sid:2023215; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert tcp $HOME_NET any -> [88.53.215.64,217.96.33.164,203.131.222.102,208.105.226.235,212.31.102.100,58.185.154.99,200.87.126.116] any (msg:"ET MALWARE Sony Breach Wiper Callout"; flow:established; threshold:type limit,count 2,track by_src,seconds 300; reference:url,krebsonsecurity.com/2014/12/sony-breach-may-have-exposed-employee-healthcare-salary-data; classtype:trojan-activity; sid:2019848; rev:3; metadata:created_at 2014_12_03, updated_at 2014_12_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC OS get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Boot Device"; fast_pattern; content:"Build Number"; content:"Build Type"; classtype:trojan-activity; sid:2023217; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT suspicious VBE-encoded script (seen in Sundown EK)"; flow:established,from_server; file_data; content:"Script.Encode"; content:"<!--"; within:8; content:"#@~"; within:5; flowbits:set,et.exploitkitlanding; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2021169; rev:3; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC COMPUTERSYSTEM get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AdminPasswordStatus"; fast_pattern; content:"AutomaticManagedPagefile"; content:"Build Type"; classtype:trojan-activity; sid:2023218; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Archie.EK IE Exploit URI Struct"; flow:to_server,established; content:"/ie7.html"; http_uri; classtype:exploit-kit; sid:2018932; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC NETLOGIN get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AccountExpires"; fast_pattern; content:"AuthorizationFlags"; content:"BadPasswordCount"; classtype:trojan-activity; sid:2023219; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|13|1024sslsecurity.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021339; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC NIC get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AdapterType"; fast_pattern; content:"AdapterTypeId"; content:"AutoSense"; classtype:trojan-activity; sid:2023220; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|typeofways.com"; distance:1; within:15; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021340; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC PROCESS get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"CSCreationClassName"; fast_pattern; content:"CSName"; content:"Description"; content:"ExecutablePath"; classtype:trojan-activity; sid:2023221; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0f|digination.info"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021341; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC SERVER get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"BlockingRequestsRejected"; fast_pattern; content:"BytesReceivedPersec"; content:"BytesTotalPersec"; content:"ExecutablePath"; classtype:trojan-activity; sid:2023222; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|12|ssl.savingscore.pw"; distance:1; within:19; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021342; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC SHARE get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AccessMask"; fast_pattern; content:"AllowMaximum"; content:"Caption"; content:"Description"; classtype:trojan-activity; sid:2023224; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|12|supportupdate.info"; distance:1; within:19; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021343; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC SYSACCOUNT get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Caption"; content:"Description"; content:"Domain"; content:"InstallDate"; content:"LocalAccount"; fast_pattern; classtype:trojan-activity; sid:2023225; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|17|patient-advertising.com"; distance:1; within:24; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021344; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC STARTUP get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Caption"; content:"Command"; content:"Description"; content:"Location"; content:"UserSID"; fast_pattern; classtype:trojan-activity; sid:2023226; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0c|pdata-next.ru"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021345; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PC Support Tech Support Scam Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>PC Support"; nocase; fast_pattern; content:"getParameterByName"; nocase; distance:0; content:"decodeURIComponent"; nocase; distance:0; content:"FormattedNumber"; nocase; distance:0; content:"showRecurringPop"; nocase; distance:0; classtype:social-engineering; sid:2023238; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2016_09_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0f|live-advert.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021346; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp any any -> any any (msg:"ET DELETED LuminosityLink - Data Channel Server Response 2"; flow:established,to_client; content:"8_=_8"; isdataat:!1,relative; dsize:<25; classtype:trojan-activity; sid:2022708; rev:2; metadata:created_at 2016_04_06, updated_at 2016_09_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0a|can-ip.com"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021347; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|curenasriense.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023243; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b|pandolin.ru"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021348; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|transadvert.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023244; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0c|securebnk.eu"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021349; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|glob-marketing.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023245; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b|fuxaloba.com"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021350; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows sc query Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"SERVICE_NAME|3A|"; content:"DISPLAY_NAME|3A|"; content:"TYPE"; content:"STATE"; classtype:trojan-activity; sid:2023246; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_16, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Payload DL M1 Feb 06 2015"; flow:to_server,established; urilen:>48; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; fast_pattern:2,20; offset:49; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"|0d 0a|Host|3a|"; http_header; pcre:"/^\/(?:[A-Za-z0-9-_]{4}){11,}(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=)?$/U"; content:"GET"; http_method; classtype:exploit-kit; sid:2020385; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_07, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 19 2016"; flow:established,from_server; file_data; content:"|29 2b 22 2e 49 65 56 22 2b|"; fast_pattern; content:"|29 2b 22 58 4f 22 2b|"; content:"|6e 65 77 20 77 69 6e 64 6f 77 5b 22 41 22 2b|"; content:"|29 7b 72 65 74 75 72 6e|"; content:"|2e 74 6f 53 74 72 69 6e 67|"; classtype:exploit-kit; sid:2023248; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilRedirector, malware_family Magnitude, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_19;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET DELETED Possible Upatre or Dyre SSL Cert June 9 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021225; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_10, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 19 2016 (EItest Inject)"; flow:established,from_server; file_data; content:"3a-20-61-62-73-6f-6c-75-74-65-3b-7a-2d-69-6e-64-65-78-3a-2d-31-3b"; nocase; classtype:exploit-kit; sid:2023250; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilTDS, malware_family EITest, signature_severity Major, tag Redirector, updated_at 2016_09_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Elasticsearch CVE-2015-1427 Exploit Campaign SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 08|"; distance:0; content:"|06|hacked"; distance:1; within:7; content:"|01 09 01|"; distance:0; content:"|10|hackking@126.com"; distance:1; within:17; reference:url,blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html; classtype:trojan-activity; sid:2021351; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 19 2016 (EItest Inject) M2"; flow:established,from_server; file_data; content:"|32 32 2d 36 66 2d 37 30 2d 36 31 2d 37 31 2d 37 35 2d 36 35 2d 32 32 2d 32 66 2d 33 65 2d 33 63 2d 32 66 2d 36 66 2d 36 32 2d 36 61 2d 36 35 2d 36 33 2d 37 34 2d 33 65 2d 30 64 2d 30 61 2d 33 63 2d 32 66 2d 36 34 2d 36 39 2d 37 36 2d 33 65 22 2e 72 65 70 6c 61 63 65 28 2f 2d 2f 67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65|"; nocase; classtype:exploit-kit; sid:2023251; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilTDS, malware_family EITest, signature_severity Major, tag Redirector, updated_at 2016_09_19;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 08|"; distance:0; content:"|07|Indiana"; distance:1; within:8; content:"|55 04 03|"; distance:0; content:"|0d|koalashelp.au"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021353; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 2"; flow:established,to_server; content:"/search/?"; http_uri; depth:10; pcre:"/^\x2Fsearch\x2F\x3F[a-z]{2,5}\x3D/U"; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019391; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8f e3 5b c8 ea 55 d6 4a|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021354; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 3"; flow:established,to_server; content:"GET"; http_method; content:"/results/?text="; http_uri; depth:15; content:"&utm="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019392; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b|tsescase.tk"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021355; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 4"; flow:established,to_server; content:"GET"; http_method; content:"/find/?utm="; http_uri; depth:11; content:"&oprnd="; http_uri; content:"&channel="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019393; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (26)"; flow:established,from_server; file_data; content:"|51 CB 7B FC 19 9B 77 FB|"; distance:40; within:8; classtype:exploit-kit; sid:2021360; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 5"; flow:established,to_server; content:"GET"; http_method; content:"/watch/?"; http_uri; depth:8; content:"channel="; http_uri; content:"&utm="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; reference:md5,ee64d3273f9b4d80020c24edcbbf961e; classtype:command-and-control; sid:2019394; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (27)"; flow:established,from_server; file_data; content:"|51 CB 7B FC 19 9B 77 FB|"; distance:1424; within:8; classtype:exploit-kit; sid:2021361; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:"/close/?channel="; http_uri; depth:16; content:"&ags="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019390; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET DELETED Possible Upatre or Dyre SSL Cert June 29 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,8,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-zA-Z]{0,119}[0-9])[a-zA-Z0-9]{9,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-zA-Z]{0,119}[0-9])[a-zA-Z0-9]{9,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-zA-Z]{0,119}[0-9])(?P<var>[a-zA-Z0-9]{9,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021369; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_29, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2015-2419 As observed in Magnitude EK"; flow:established,from_server; file_data; content:"|5b 30 78 35 33 2c 20 30 78 35 35 2c 20 30 78 35 36 2c 20 30 78 65 38 2c 20 30 78 30 39 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 35 65 2c 20 30 78 35 64 2c 20 30 78 35 62 2c 20 30 78 38 62 2c 20 30 78 36 33 2c 20 30 78 30 63 2c 20 30 78 63 32 2c 20 30 78 30 63 2c 20 30 78 30 30 2c 20 30 78 39 30 5d|"; nocase; content:"|30 78 31 32 38 65 30 30 32 30|"; nocase; content:"|4a 53 4f 4e|"; nocase; content:"|73 74 72 69 6e 67 69 66 79|"; nocase; classtype:exploit-kit; sid:2023253; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_21, deployment Perimeter, former_category EXPLOIT, malware_family Magnitude, signature_severity Major, tag Magnitude_EK, updated_at 2016_09_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SPL Landing Page Requested"; flow:established,to_server; content:"/?"; http_uri; content:"YWZmaWQ9"; http_uri; classtype:trojan-activity; sid:2015698; rev:3; metadata:created_at 2012_09_12, updated_at 2012_09_12;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|ns-cheap.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023262; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 95 12 ee 90 e8 0f 66|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,22b0d4ff64d3cb3080feb47ce52988e9; classtype:domain-c2; sid:2021375; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|gl-markt.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023263; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Mocelpa Client Hello CnC Beacon"; flow:established,to_server; content:"|16 03 01|"; depth:3; content:"|54 b4 c9 7b|"; distance:0; content:"|00 00 00 12 00 10 00 00 0d|www.apple.com"; distance:0; reference:url,blog.dragonthreatlabs.com/2015/07/dtl-06282015-01-apt-on-taiwan-insight.html; classtype:command-and-control; sid:2021379; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_07_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|hoonietospeed.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023264; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dridex SSL Cert July 6 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 0e 34 be 9a f3 1e d7|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|07|pace.eu"; distance:1; within:8; reference:md5,0facc32fc6f9c67650575c8a8298bef2; classtype:trojan-activity; sid:2021380; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_06, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|dnbcheck.pw"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023265; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Denisca.A CnC Beacon"; content:"|7c 2a 26|"; depth:3; fast_pattern; content:"|7c|"; distance:0; content:"|7c|"; distance:16; within:1; content:"|7c|"; distance:0; pcre:"/\x7c[a-f0-9]{16}\x7c\d+\x7c$/"; reference:md5,0075c4d976984436443b30926ad818dd; classtype:command-and-control; sid:2021385; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_07_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_07_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|statway.online"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023266; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex SSL Cert 30 June 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|0a|Passio dpt"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0b|romantik.it"; distance:1; within:12; reference:md5,0a977dfcb93301f1841dbe2272d3102b; classtype:trojan-activity; sid:2021370; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_06_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|petetongtt.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023267; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex SSL Cert 1 July 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|0a|gay rights"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|07|pace.eu"; distance:1; within:12; reference:md5,865164ef97c50bdd8e8740621234a3cf; classtype:trojan-activity; sid:2021372; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_02, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|09 00 e4 52 b4 b2 9e 40 bd 86|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0d|Synology Inc."; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023268; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Dridex SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|08|portable"; distance:1; within:9; content:"|55 04 03|"; distance:0; content:"|0b|nintendo.jp"; distance:1; within:12; classtype:trojan-activity; sid:2021388; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|verifybyamexcards.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023269; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Denisca.A CnC Beacon 2"; dsize:37; content:"|2a 26|"; depth:2; content:"|26 5e|"; distance:22; fast_pattern; reference:md5,aaa4304dd5f22a017930a9eeebc8898f; classtype:command-and-control; sid:2021389; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_07_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_07_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SUSPICIOUS DTLS Pre 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 01 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018559; rev:2; metadata:created_at 2014_06_13, former_category CURRENT_EVENTS, updated_at 2014_06_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|disaronnoterrace.es"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021391; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SUSPICIOUS DTLS 1.2 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe fd 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018561; rev:3; metadata:created_at 2014_06_13, former_category CURRENT_EVENTS, updated_at 2014_06_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Styx Exploit Kit Landing"; flow:established,to_server; urilen:7; content:"/i.html"; http_uri; depth:7; fast_pattern; content:"Referer|3a| "; http_header; content:!"|0d 0a|"; http_header; within:100; content:"|0d 0a|"; distance:0; http_header; classtype:exploit-kit; sid:2014171; rev:5; metadata:created_at 2012_01_31, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|dnbcheck.site"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023286; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wekby PCRat/Gh0st CnC Beacon (Outbound)"; flow:to_server,established; content:"HTTP|5c|1.1 Sycmentec"; depth:18; reference:md5,cfbcb83f8515bd169afd0b22488b4430; reference:url,www.volexity.com/blog/?p=158; classtype:command-and-control; sid:2021395; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Major, tag PCRAT, tag Gh0st, tag RAT, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|mainmar.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023287; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Wekby PCRat/Gh0st CnC Beacon (Inbound)"; flow:established,to_client; content:"HTTP|5c|1.1 Sycmentec"; depth:18; reference:md5,cfbcb83f8515bd169afd0b22488b4430; reference:url,www.volexity.com/blog/?p=158; classtype:command-and-control; sid:2021396; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Major, tag PCRAT, tag Gh0st, tag RAT, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BleedingLife EK Payload Request"; flow:to_server,established; content:"GET"; http_method; content:".php?e="; http_uri; fast_pattern; content:"&h="; content:!"Referer|3a|"; http_header; pcre:"/\.php\?e=\d{4}\-\d{4}&h=[a-f0-9]{32}$/Ui"; flowbits:set,ET.BleedingLife.Payload; classtype:exploit-kit; sid:2023290; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Exploit_Kit, malware_family BleedingLife, signature_severity Major, tag BleedingLifeEK, updated_at 2016_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK SilverLight Exploit"; flow:established,to_server; urilen:15; content:"/0"; depth:2; http_uri; fast_pattern; pcre:"/^\/0[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:exploit-kit; sid:2017715; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_14, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET busybox MIRAI hackers - Possible Brute Force Attack"; flow:to_server,established; content:"MIRAI"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023019; rev:2; metadata:attack_target Server, created_at 2016_08_08, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2016_09_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HiMan EK - Payload Requested"; flow:established,to_server; content:".php?e="; http_uri; content:"&ver="; http_uri; distance:0; classtype:exploit-kit; sid:2017793; rev:4; metadata:created_at 2013_12_05, updated_at 2013_12_05;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|secursitenot.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023294; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 84 d3 15 4c 18 a1 18 9f|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021397; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|gtldsfs.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023295; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED External IP Lookup ip-api.com"; flow:established,to_server; content:"GET"; http_method; content:"/xml"; http_uri; content:"ip-api.com"; fast_pattern:only; http_header; classtype:external-ip-check; sid:2021406; rev:3; metadata:created_at 2015_07_13, updated_at 2015_07_13;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|cdnfastnetwork.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023296; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0e|protectthegays"; distance:1; within:15; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|08|gay team"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021393; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 26 2016 T2"; flow:established,from_server; file_data; content:"|6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; pcre:"/^\s*\x27[^\x27]+\x27width=\x27250\x27\sheight=\x27250\x27>\s*<\/iframe>\s*<\/div>/R"; classtype:exploit-kit; sid:2023303; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_27, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c6 89 56 e5 bd 59 77 67|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,40368db3a68f2db17853750e68cfc662; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021411; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET busybox ECCHI hackers - Possible Brute Force Attack"; flow:to_server,established; content:"ECCHI"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023304; rev:1; metadata:attack_target Server, created_at 2016_09_27, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2016_09_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Likely Malicious Redirect SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|10|mixticmotion.com"; distance:1; within:17; classtype:trojan-activity; sid:2021415; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|arcnetcdn.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023308; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_28, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e5 d3 05 ec 6a a7 12 c5|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021417; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|sdpvss.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023309; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_28, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED APT CozyCar SSL Cert 4"; flow:established,from_server; content:"|55 04 03|"; content:"|19|www.illuminatistudios.net"; distance:1; within:26; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021421; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2018_03_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 20 2016"; flow:established,from_server; file_data; content:"Base64.encode(rc4("; nocase; fast_pattern; content:"+|22 3a|timeDelta|2c 22|+"; nocase; content:"cfg.key|29 29|"; nocase; distance:0; pcre:"/^[\x3b\x2c]postRequest\x28cfg\.urlSoftDetectorCallback/Ri"; classtype:exploit-kit; sid:2023252; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, deployment Perimeter, malware_family EvilTDS, malware_family Malvertising, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_29;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:35; content:"|55 04 03|"; distance:0; content:"|0c|cowsgirlz.es"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021426; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible Cisco IKEv1 Information Disclosure Vulnerability CVE-2016-6415"; dsize:>828; content:"|00 00 00 00 00 00 00 00 01 10|"; offset:8; depth:10; content:"|80 02 00|"; distance:30; byte_test:1,<,3,0,relative; byte_test:1,>,0,0,relative; content:"|80 04 00 01 00 06|"; distance:1; within:6; fast_pattern; byte_test:2,>,768,0,relative; reference:cve,2016-6415; classtype:attempted-user; sid:2023311; rev:1; metadata:affected_product Cisco_PIX, attack_target Networking_Equipment, created_at 2016_09_29, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2016_09_29;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|16|Ubiquiti Networks Inc."; distance:1; within:23; content:"|55 04 03|"; distance:0; content:"|04|UBNT"; distance:1; within:5; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021427; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Eval With Base64.decode seen in DOL Watering Hole Attack 05/01/13"; flow:established,from_server; content:"Base64.decode"; nocase; fast_pattern:only; content:"eval("; nocase; pcre:"/^[\r\n\s]*?Base64\.decode[\r\n\s]*?\x28[\r\n\s]*?[\x22\x27]/Ri"; content:!"|22|J0RVREFPTkUn|22|"; content:!"|22|J01PQklMRSc|3D 22|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016807; rev:6; metadata:created_at 2013_05_02, former_category CURRENT_EVENTS, updated_at 2013_05_02;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (HTTPBrowser CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 d3 99 b4 6f 4e 77 43|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021428; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Flash Exploit Likely SunDown EK"; flow:established,from_server; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"9090909090909090909090909090909090909090EB"; classtype:exploit-kit; sid:2023313; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, malware_family SunDown, performance_impact Low, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_10_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 4"; flow:to_server,established; content:"|28 28|"; offset:2; depth:2; content:!"|28 28|"; within:2; content:"|28 28|"; distance:2; within:2; content:!"|28 28|"; within:2; content:"|28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28|"; pcre:"/[^\x28][^\x76\x74\x02\x03\x15\x54\x12\x13\x0a\x17\x14\x16\x04\x0b\x22][\x05\x09\x0b\x0e\x08\x06\x1a-\x1f\x10\x11\x18\x19\x40-\x47\x48-\x4f\x50-\x53\x55\x56\x58-\x5e\x60-\x68\x6a-\x6f\x70\x72\x76-\x7e]{1,14}\x28/R"; reference:md5,0c2cb38062e0fb6b040518a384418b7b; classtype:command-and-control; sid:2019601; rev:6; metadata:created_at 2014_10_30, former_category MALWARE, updated_at 2014_10_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Landing Oct 03 2016"; flow:from_server,established; file_data; content:"|28 65 78 70 6c 6f 69 74 29|"; content:"|2e 65 78 65 63 28 69 6e 70 75 74 29 29 7b 72 65 74 75 72 6e 2d 31 7d 69 6e 70 75 74 3d 69 6e 70 75 74 2e 72 65 70 6c 61 63 65|"; content:"|6b 65 79 53 74 72|"; classtype:exploit-kit; sid:2023314; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, malware_family SunDown, performance_impact Low, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_10_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Archie.EK IE CVE-2013-2551 Payload Struct"; flow:to_server,established; urilen:3; content:"/dd"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:" MSIE "; http_header; classtype:exploit-kit; sid:2018934; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|allenia.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023319; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible CVE-2015-2424 RTF Dropping Sofacy"; flow:established,from_server; file_data; content:"D0CF11E0A1B11AE1"; nocase; content:"ffffffffff74303074"; nocase; distance:0; fast_pattern; reference:md5,112c64f7c07a959a1cbff6621850a4ad; reference:url,isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/; classtype:targeted-activity; sid:2021431; rev:2; metadata:created_at 2015_07_17, former_category MALWARE, updated_at 2015_07_17;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|ssltrustcontrol.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023320; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download"; flow:to_client,established; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|fb ff ff ff|"; content:"|0b 00 00 00 01 00 00 00|"; content:"|25 00 00 00 01 00 00 00|"; content:"|8b 00 00 00 01 00 00 00|"; fast_pattern; reference:url,blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/; reference:cve,2014-4141; classtype:attempted-user; sid:2019420; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|usgivememoney.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023321; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|httpsgatevalidator.com"; distance:1; within:23; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021436; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|p.scgreencharter.org"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023322; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Tsyrval Panda CnC Beacon"; flow:established,to_server; content:"|75 1C 11 10 75 01 14 07 12 58 5F|"; offset:3; depth:14; classtype:command-and-control; sid:2021437; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_07_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_07_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|fastsvpsd.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023323; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|expresstrevel.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021445; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|csos.brycepeterson.net"; distance:1; within:23; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023324; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d9 07 45 6b c2 ad 90 a1|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021446; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|mgudoor.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023325; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Fake AV Phone Scam Landing July 20 2015 M3"; flow:to_client,established; file_data; content:"html class=|22|js js sessionstorage|22|"; fast_pattern:13,20; content:"getURLParameter"; distance:0; content:"Toll Free"; nocase; distance:0; content:"myFunction|28 29|"; nocase; distance:0; classtype:social-engineering; sid:2021448; rev:2; metadata:created_at 2015_07_20, updated_at 2015_07_20;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|zigerds.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/DDoS.Sotdas/IptabLex Checkin"; flow:to_server,established; dsize:296; content:"|72 8D 90 89 7E D6|"; offset:224; depth:6; fast_pattern; content:"|b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6|"; reference:md5,f7556d9ede5d988400b1edbb1a172634; classtype:command-and-control; sid:2021049; rev:2; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2015_05_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK (EITest Inject) Oct 03 2016"; flow:established,from_server; file_data; content:"|25 75 30 30 33 64 25 75 30 30 36 63 25 75 30 30 33 33 25 75 30 30 35 33|"; content:"|73 72 63 20 3d 20 75 6e 65 73 63 61 70 65|"; classtype:exploit-kit; sid:2023312; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_06;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SunDown EK Flash Exploit Sep 22 2016"; flow:established,to_server; content:".swf"; http_uri; content:"/index.php?"; http_header; pcre:"/^\/\d+\/\d+\.swf$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f\x2f[^\r\n\x2f]+\/index\.php\?[^\x3d&]+=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=)?\r\n/H"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023270; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_10_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java/QRat Checkin"; flow:established,to_server; content:"|73 72|"; depth:2; content:"|00 05|value"; distance:0; pcre:"/\x00\x05value$/"; classtype:command-and-control; sid:2021503; rev:1; metadata:created_at 2015_07_22, former_category MALWARE, malware_family QRat, updated_at 2018_03_06;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|geernabys.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023336; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_12, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java/QRat Receiving Command 1"; flow:established,from_server; dsize:16; content:"|00 0d|giveClientMac"; offset:1; fast_pattern; classtype:trojan-activity; sid:2021504; rev:1; metadata:created_at 2015_07_22, former_category TROJAN, malware_family QRat, updated_at 2018_03_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c7 b5 8a 8d d7 e8 44 b0|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023347; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java/QRat Receiving No Commands"; flow:established,from_server; dsize:10; content:"|00 07|nothing"; offset:1; fast_pattern; classtype:trojan-activity; sid:2021505; rev:1; metadata:created_at 2015_07_22, former_category TROJAN, malware_family QRat, updated_at 2018_03_06;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|facenoplays.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023348; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK SilverLight Payload Request - May 2014"; flow:established,to_server; urilen:71<>79; content:!"/aHR0c"; depth:6; http_uri; content:!"/Uk0v"; depth:5; http_uri; content:"="; http_uri; offset:71; depth:6; pcre:"/^\/[-a-zA-Z0-9_]{70,75}==?$/U"; reference:url,blogs.cisco.com/security/angling-for-silverlight-exploits/; classtype:exploit-kit; sid:2018497; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_23, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Potentially Malicious Traffic 1"; flow:established,to_server; content:"285d7b6cf94d8fdc657edaa73c2f07f3"; classtype:trojan-activity; sid:2023339; rev:3; metadata:created_at 2016_10_18, updated_at 2016_10_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NullHole URI Struct Jul 22 2015 M2"; flow:established,to_server; urilen:40; content:"/e.html"; http_uri; offset:33; depth:7; pcre:"/^\/[a-f0-9]{32}\/e\.html$/U"; classtype:exploit-kit; sid:2021507; rev:2; metadata:created_at 2015_07_22, updated_at 2015_07_22;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 97 21 dd 62 8b bc 65 25|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023350; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (28)"; flow:established,from_server; file_data; content:"|EB BD 89 F5 C0 3B 7A 3E|"; distance:42; within:8; classtype:exploit-kit; sid:2021509; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Oct 19 2016"; flow:established,from_server; content:"nginx"; http_header; pcre:"/^Content-Length\x3a\x20\d{2,3}\r?$/Hmi"; file_data; content:"document.write|28|"; within:15; pcre:"/^(?=[^\n>]*position\x3aabsolute)(?=[^\n>]*top\x3a\x20-\d+px\x3b)[^\n]*<iframe(?=[^\n>]*width=\d{3})(?=[^\n>]*height=\d{3})[^\n>]*src=[\x22\x27]http[^\n>]+\s*>\s*/R"; content:"</|27|+|27|iframe>"; within:12; fast_pattern; pcre:"/^[^\n]*\x29\x3b$/R"; classtype:exploit-kit; sid:2023352; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (29)"; flow:established,from_server; file_data; content:"|EB BD 89 F5 C0 3B 7A 3E|"; distance:746; within:8; classtype:exploit-kit; sid:2021510; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Oct 19 2016 T2"; flow:established,from_server; content:"Content-Type|3a 20|text/javascript|0d 0a|"; http_header; content:"nginx"; http_header; file_data; content:"var"; within:3; pcre:"/^\s*(?P<var>[^\r\n\s\x3d\x2c\x3b]+)\s*=[^\n]*<iframe(?=[^\n>]*top\x3a-\d+px\x3b)[^\n>]+src\s*=\s*\x5c?[\x22\x27]http[^\n>]+>\s*<\/iframe>\x22\x3bdocument\.write\((?P=var)\)\x3b\s*$/R"; content:"</iframe>|22 3b|document.write"; fast_pattern; classtype:exploit-kit; sid:2023353; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Edwards Packed proxy.pac from 724sky"; flow:established,from_server; file_data; content:"eval(function(p,a,c"; content:"|7C|FindProxyForURL|7C|"; nocase; content:"|7c|proxy|7c|"; nocase; content:"|7c|baidu|7c|"; nocase; reference:md5,50bd21aac1f57d90c54683995ec102aa; classtype:trojan-activity; sid:2021511; rev:2; metadata:created_at 2015_07_23, updated_at 2015_07_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bitter RAT TCP CnC Beacon"; flow:established,from_server; content:"BITTER1234"; depth:10; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; reference:md5,6e855944d171a3acbb64635dbe7a9c62; classtype:command-and-control; sid:2023399; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category MALWARE, malware_family Bitter_implant, signature_severity Major, tag c2, updated_at 2016_10_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Tsukuba Banker Edwards Packed proxy.pac"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|FindProxyForURL|7C|"; nocase; content:"|7c|proxy|7c|"; nocase; content:"|7c|credicard|7c|"; nocase; reference:url,securityintelligence.com/tsukuba-banking-trojan-phishing-in-japanese-waters; classtype:social-engineering; sid:2020623; rev:3; metadata:created_at 2015_03_05, updated_at 2015_03_05;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|hlaprise.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023402; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|06|coffee"; distance:1; within:7; content:"|55 04 0b|"; distance:0; content:"|07|it dept"; distance:1; within:8; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021512; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|calmiinity.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023403; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|eurotranstele.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021515; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|rootenplay.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023404; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0a|littlepony"; distance:1; within:11; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0a|just cause"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021514; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 89 f7 85 18 43 70 17 d1|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023405; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|promotion-statistics.mobi"; distance:1; within:26; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021516; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|statuscheck.site"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023406; rev:2; metadata:attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|18|data-stats-collector.biz"; distance:1; within:25; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021517; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware/Cerber Checkin 2"; dsize:<11; content:"hi"; depth:2; fast_pattern; pcre:"/^[a-f0-9]{7,}$/R"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,ac4d7fb5739862e9914556ed5d50f84f; classtype:command-and-control; sid:2023453; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_10_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Dridex SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|04|clan"; distance:1; within:5; content:"|55 04 0b|"; distance:0; content:"|06|bushes"; distance:1; within:7; fast_pattern; reference:md5,a5f7d314e2b996b69751a4e46503c644; classtype:trojan-activity; sid:2021518; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,ET.SuspExeTLDs; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023464; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2017_10_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|07|dinasty"; distance:1; within:8; content:"|55 04 0b|"; distance:0; content:"|0d|klintons team"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021519; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK EITest Inject Oct 17 2016"; flow:established,from_server; file_data; content:"=l3S"; fast_pattern; content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:"document.createElement|28 22|iframe|22 29 3b|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/\?[^=&\x22\x27]+=l3S/Ri"; classtype:exploit-kit; sid:2023343; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_17, deployment Perimeter, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Fake AV Phone Scam Landing July 23 2015"; flow:to_client,established; file_data; content:"navigator.sayswho"; content:"alertforSecuity"; fast_pattern; distance:0; content:"Firefox"; distance:0; content:"Chrome"; distance:0; content:"Netscape"; distance:0; classtype:social-engineering; sid:2021522; rev:2; metadata:created_at 2015_07_23, updated_at 2015_07_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible CryptoWall download from e-mail link March 9 2015"; flow:established,to_server; content:"GET"; http_method; content:".zip"; http_uri; fast_pattern:only; content:".html"; http_header; pcre:"/\.zip$/U"; content:"Referer|3a|"; http_header; pcre:"/^Referer\x3a\x20http\x3a\/\/[^\x2f]+\/[a-z0-9]{6}\/[a-z0-9]{5}\.html\r?$/Hm"; classtype:trojan-activity; sid:2020649; rev:3; metadata:created_at 2015_03_09, updated_at 2016_11_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED KINS/ZeusVM Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php/"; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^[\x20-\x7e\s]{0,20}[^\x20-\x7e\s]/P"; pcre:"/\.php\/(?:[a-zA-Z0-9]+\/)+[A-F0-9]{8}$/U"; pcre:"/^User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/Hmi"; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:command-and-control; sid:2021524; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, signature_severity Major, tag c2, updated_at 2015_07_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024: (msg:"ET P2P Vuze BT UDP Connection"; dsize:<80; content:!"|00 22 02 00|"; depth: 4; content:"|00 00 04|"; distance:8; within:3; content:"|00 00 00 00 00|"; distance:6; within:5; threshold: type limit, count 1, seconds 120, track by_src; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010140; classtype:policy-violation; sid:2010140; rev:7; metadata:created_at 2010_07_30, updated_at 2016_11_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 27 d2 2d d7 bd cb 5c|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021525; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Nov 01 2016"; flow:established,from_server; file_data; content:"|5c 78 35 63 5c 78 36 62 5c 78 36 31 5c 78 37 33 5c 78 35 66 5c 78 36 35 5c 78 36 65 5c 78 36 37 5c 78 36 39 5c 78 36 65 5c 78 36 35 5c 78 32 65 5c 78 36 34 5c 78 36 63 5c 78 36 63 5c 78 32 66 5c 78 32 33 5c 78 33 32 5c 78 33 34 5c 78 32 66 5c 78 33 32 5c 78 32 32 5c 78 37 64|"; nocase; classtype:exploit-kit; sid:2023474; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_11_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Xyligan Checkin"; flow:to_server,established; dsize:16; content:"|00 00 00 11 C8 00 00 00|"; depth:8; reference:md5,2190a2c0a3775bc9c60629ec2eb6f3b9; reference:md5,bfbc0b106a440c111a42936906d36643; classtype:command-and-control; sid:2012842; rev:3; metadata:created_at 2011_05_25, former_category MALWARE, updated_at 2011_05_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:!"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+|[a-z](?:\.[A-Za-z]){1,3})\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,7,1,relative; pcre:"/^.{2}(?!www)\d?[A-Z]?(?:[a-z]{3,20}\.)?[a-z]{5,}(?:\d[a-z]{5,})?\.[a-z]{2,5}[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022535; rev:11; metadata:attack_target Client_and_Server, created_at 2016_02_17, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|09|Microsoft"; distance:1; within:10; fast_pattern; content:"|55 04 0b|"; content:"|0b|Widgits pty"; distance:1; within:12; reference:md5,32230d747829dcf77841f594aa54915a; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021529; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zberp/ZeusVM receiving config via image file (steganography)"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"|ff fe 3f 10 00 00|"; distance:0; byte_test:4,>,100,4,relative,little; byte_extract:4,4,config_len,relative,little; content:!"|00|"; within:config_len; pcre:"/^[^\x00]+(\xff\xd9)?$/R"; reference:md5,1e1f44f8a403c4ebc6943eb2dcf731ff; reference:url,securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/#.U5Xgpyh4l8u; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021382; rev:11; metadata:created_at 2015_07_06, updated_at 2016_11_03;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa ad 0a 9f da 99 c2 e3|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021541; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zberp/ZeusVM receiving config via image file (steganography) 2"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"0103F|00|"; distance:0; content:"|ff fe|"; distance:-10; within:2; byte_test:2,>,100,0,relative,little; byte_extract:2,0,config_len,relative,little; content:!"|00|"; distance:6; within:config_len; pcre:"/^0103F\x00[^\x00]+(\xff\xd9)?$/R"; reference:md5,7ba76b0ec1249b19a46e1603e5ab0a90; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021383; rev:3; metadata:created_at 2015_07_06, updated_at 2016_11_03;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a4 3d 09 0a 4c 60 be 70|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021546; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zberp/ZeusVM receiving config via image file (steganography) 3"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"0103F|00|"; distance:0; content:"|ff fe ff ff|"; distance:-10; within:4; pcre:"/^0103F\x00[^\x00]+(\xff\xd9)?$/R"; reference:md5,7ba76b0ec1249b19a46e1603e5ab0a90; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021527; rev:5; metadata:created_at 2015_07_23, updated_at 2016_11_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - PDF Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".pdf"; http_header; pcre:"/=\w{8}\.pdf/Hi"; content:"|0D 0A 0D 0A|%PDF"; fast_pattern; content:"/Filter/FlateDecode"; classtype:trojan-activity; sid:2014914; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Linux.Mirai Login Attempt (xc3511)"; flow:to_server,established; content:"xc3511|0d 0a|"; dsize:8; reference:url,www.flashpoint-intel.com/when-vulnerabilities-travel-downstream; classtype:trojan-activity; sid:2023333; rev:4; metadata:affected_product DVR, attack_target IoT, created_at 2016_10_10, deployment Datacenter, malware_family ddos_bot, performance_impact Low, signature_severity Major, updated_at 2016_11_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|contactcitywell.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021553; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (1111111)"; flow:to_server,established; content:"1111111|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023430; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 29"; flow:to_server,established; urilen:214; content:"Lzc1MTZmZDQzYWRhYTVl"; http_uri; fast_pattern; content:"=="; distance:54; http_uri; pcre:"/Host\x3a\x20a[a-z]{10}\.[a-z]{5}\./H"; classtype:exploit-kit; sid:2021559; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_31, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (54321)"; flow:to_server,established; content:"54321|0d 0a|"; nocase; dsize:7; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023431; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|09|democracy"; distance:1; within:10; content:"|55 04 0b|"; distance:0; content:"|09|obamacare"; distance:1; within:10; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021563; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (666666)"; flow:to_server,established; content:"666666|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023432; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|srvreq.com"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021565; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (7ujMko0admin)"; flow:to_server,established; content:"7ujMko0admin|0d 0a|"; nocase; dsize:14; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023433; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|www.pohiola.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021566; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (7ujMko0vizxv)"; flow:to_server,established; content:"7ujMko0vizxv|0d 0a|"; nocase; dsize:14; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023434; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d8 17 61 5f e5 c3 b3 2c|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021567; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (888888)"; flow:to_server,established; content:"888888|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023435; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 29 bf 95 40 97 37 f9|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021568; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (anko)"; flow:to_server,established; content:"anko|0d 0a|"; nocase; dsize:6; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023436; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M1"; content:"|01 00 00 01 00 01|"; depth:6; offset:2; pcre:"/^.{4}[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021572; rev:3; metadata:created_at 2015_08_01, updated_at 2015_08_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (dreambox)"; flow:to_server,established; content:"dreambox|0d 0a|"; nocase; dsize:10; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023437; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M3"; content:"|00 00 00 01 00 01|"; depth:6; offset:2; pcre:"/^.{4}[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021574; rev:3; metadata:created_at 2015_08_01, updated_at 2015_08_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (fucker)"; flow:to_server,established; content:"fucker|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023438; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M4"; content:"|00 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; pcre:"/^[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021575; rev:4; metadata:created_at 2015_08_01, updated_at 2015_08_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (hi3518)"; flow:to_server,established; content:"hi3518|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023439; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
 
-alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M2"; content:"|01 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; pcre:"/^[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021573; rev:4; metadata:created_at 2015_08_01, updated_at 2015_08_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (ikwb)"; flow:to_server,established; content:"ikwb|0d 0a|"; nocase; dsize:6; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023440; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Malvertising Redirection to Exploit Kit Aug 07 2014"; flow:established,to_server; content:".js?ver="; http_uri; fast_pattern:only; pcre:"/\.js\?ver=[0-9]\.[0-9]{2}\.[0-9]{4}$/U"; classtype:exploit-kit; sid:2018909; rev:4; metadata:created_at 2014_08_07, former_category EXPLOIT_KIT, updated_at 2014_08_07;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (juantech)"; flow:to_server,established; content:"juantech|0d 0a|"; nocase; dsize:10; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023441; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f0 0e 11 0a 91 e9 ea 72|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019604; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (jvbzd)"; flow:to_server,established; content:"jvbzd|0d 0a|"; nocase; dsize:7; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023442; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c0 15 80 14 58 47 62 12|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020961; rev:2; metadata:attack_target Client_and_Server, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (klv123)"; flow:to_server,established; content:"klv123|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023443; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|uktranstele.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021530; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (klv1234)"; flow:to_server,established; content:"klv1234|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023444; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|contactcitywell.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021562; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (meinsm)"; flow:to_server,established; content:"meinsm|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023445; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert (non-ASCII) Jul 21 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/Rs"; content:!"|06 03 55 04 0b|"; distance:0; content:"|06 03 55 04 07 0c|"; within:10; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 0a 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 03 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])(?P<var>.{10,120}?[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021586; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (realtek)"; flow:to_server,established; content:"realtek|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023446; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|safeboxkeyltd.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021592; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (service)"; flow:to_server,established; content:"service|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023447; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|safecitysup.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021593; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (ubnt)"; flow:to_server,established; content:"ubnt|0d 0a|"; nocase; dsize:6; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023448; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|89.104.95.236"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021594; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (vizxv)"; flow:to_server,established; content:"vizxv|0d 0a|"; nocase; dsize:7; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023449; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HT SWF Exploit RIP"; flow:established,from_server; file_data; content:"<!-- saved from url=(0014)about|3a|internet -->"; content:"getEnvInfo"; content:"getPlatform"; content:"<embed"; pcre:"/^(?=[^>]*?\ssrc\s*?=\s*?[\x22\x27][^\x22\x27]*?\.swf[\x22\x27])(?=[^>]*?\swidth\s*?=\s*?[\x22\x27]0[\x22\x27])[^>]*?\sheight\s*?=\s*?[\x22\x27]0[\x22\x27]/Ri"; classtype:trojan-activity; sid:2021595; rev:2; metadata:created_at 2015_08_04, former_category CURRENT_EVENTS, updated_at 2015_08_04;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (xmhdipc)"; flow:to_server,established; content:"xmhdipc|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023450; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|08|Monsanto"; distance:1; within:9; content:"|55 04 0b|"; distance:0; content:"|0b|SmartPhones"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021596; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (zlxx)"; flow:to_server,established; content:"zlxx|0d 0a|"; nocase; dsize:6; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023451; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|enfinetoner.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021598; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (Zte521)"; flow:to_server,established; content:"Zte521|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023452; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|ta-portfolio.com"; distance:1; within:17; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021599; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|heeriekupman.com"; distance:1; within:17; classtype:domain-c2; sid:2023489; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Styx Exploit Kit - HTML"; flow:to_server,established; urilen:>300; content:".htm"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.html?$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:exploit-kit; sid:2017841; rev:4; metadata:created_at 2013_12_12, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|infosec256bit.com"; distance:1; within:18; classtype:domain-c2; sid:2023491; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|gallinj.com"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021602; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|sslsecure777.com"; distance:1; within:17; classtype:domain-c2; sid:2023492; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d5 e5 ff f2 10 0a 35 d0|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021603; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|dodstersystem.com"; distance:1; within:18; classtype:domain-c2; sid:2023493; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|www.enfinetoner.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021604; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|whatissslnow.com"; distance:1; within:17; classtype:domain-c2; sid:2023494; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Firefox PDF.js Same-Origin-Bypass CVE-2015-4495 M2"; flow:established,from_server; file_data; content:"|77 69 6e 64 6f 77 73 5f 73 65 61 72 63 68 5f 61 6e 64 5f 75 70 6c 6f 61 64 5f 69 6e 5f 61 70 70 5f 64 61 74 61 5f 62 79 5f 64 69 73 6b|"; nocase; content:"|64 71 2e 61 77 61 69 74 41 6c 6c 28 63 61 6c 6c 62 61 63 6b 29|"; nocase; reference:url,nakedsecurity.sophos.com/2015/08/07/firefox-zero-day-hole-used-against-windows-and-linux-to-steal-passwords/; reference:cve,2015-4495; classtype:attempted-user; sid:2021606; rev:2; metadata:created_at 2015_08_11, updated_at 2015_08_11;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|getifourl.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023498; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE APT Lurker GET CnC Beacon"; flow:established,to_server; content:"GET /"; depth:5; content:".php HTTP/1."; distance:0; fast_pattern; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HOST|3a|"; distance:3; within:5; pcre:"/^[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\n(?:\r\n)?$/Rmi"; reference:md5,c5a8e09295b852a6e32186374b66e1a7; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021585; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_08_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 d1 c2 e8 fc aa 20 b5 6d|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023499; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|ghheranon.ad"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021613; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 1"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"sms|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023500; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2016_11_11, deployment Perimeter, updated_at 2016_11_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|idcythef.tj"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021614; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 2"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"itms-apps|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023501; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2016_11_11, deployment Perimeter, updated_at 2016_11_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex Downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 92 14 63 ad 72 a8 8a 36|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0d|Casino Royale"; distance:1; within:14; classtype:trojan-activity; sid:2021615; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Base64 HTTP URL Refresh - Common Phish Landing Obfuscation 2016-01-01"; flow:to_client,established; file_data; content:"<meta http-equiv="; nocase; content:"refresh"; distance:1; nocase; content:"data|3a|text/html|3b|base64,"; distance:0; fast_pattern; nocase; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x22|\x27/Rsi"; content:!"cGFnZV9ub3RfZm91bmQuaHRtb"; classtype:social-engineering; sid:2031695; rev:3; metadata:created_at 2016_01_01, former_category PHISHING, updated_at 2016_11_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Magnitude EK (formerly Popads) - Font Exploit - 32HexChar.eot"; flow:established,to_server; urilen:>36; content:".eot"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{32}\.eot$/U"; content:!"fonts.gstatic.com|0d 0a|"; http_header; content:!".fitbit.com|0d 0a|"; http_header; classtype:exploit-kit; sid:2016155; rev:7; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:from_server,established; content:"|16|"; content:"|55 04 03|"; content:"|09|localhost"; distance:1; within:11; content:"|09 00 ff 41 25 0a bf 95 6d 71|"; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0b|domzino org"; distance:1; within:13; reference:md5,f6e81ae634bbcc309a4a5e01f20e4136; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023502; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0d|Casino Royale"; distance:1; within:14; content:"|55 04 0b|"; distance:0; content:"|05|poker"; distance:1; within:6; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021622; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET PHISHING Chrome Extension Phishing DNS Request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"chrome-extension"; nocase; distance:0; fast_pattern; reference:url,www.seancassidy.me/lostpass.html; classtype:social-engineering; sid:2022372; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_11_11;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f6 23 8b 36 d0 72 53 df|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021623; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU SSL CnC Cert"; flow:established,from_server; content:"|02|IT"; content:"|03|AAA"; distance:0; content:"|02|BB"; distance:0; content:"|03|EEE"; distance:0; content:"|0d|IT Department"; distance:0; content:"|0a|SASDS_Srv0"; fast_pattern; distance:0; reference:md5,cbd1c2db9ffc6b67cea46d271594c2ae; classtype:command-and-control; sid:2023509; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_15, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, updated_at 2016_11_15;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|presidentjunction.org"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021633; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET SCAN Redis SSH Key Overwrite Probing"; flow:to_server,established; content:"*"; depth:1; content:"config"; content:"set"; distance:0; content:"dir"; distance:0; content:"/.ssh"; distance:0; isdataat:!5,relative; reference:url,antirez.com/news/96; classtype:misc-attack; sid:2023510; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_07, deployment Datacenter, performance_impact Low, signature_severity Minor, tag SCAN_Redis_SSH, updated_at 2016_11_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|tradingdelivery.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021635; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET EXPLOIT REDIS Attemted SSH Authorized Key Writing Attempt"; flow:established,to_server; content:"*"; depth:1; content:"config"; content:"set"; distance:0; content:"|0D 0A|dbfilename|0D 0A|"; distance:0; content:"|0D 0A|authorized_keys|0D 0A|"; distance:0; reference:url,antirez.com/news/96; classtype:attempted-admin; sid:2023511; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_11_15, deployment Datacenter, signature_severity Major, tag SCAN_Redis_SSH, updated_at 2016_11_15;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 e2 af 07 71 4b 6c 75|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021636; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET EXPLOIT REDIS Attempted SSH Key Upload"; flow:established,to_server; content:"*"; depth:1; content:"|0D 0A|set|0D 0A|"; content:"ssh-rsa "; distance:0; reference:url,antirez.com/news/96; classtype:attempted-admin; sid:2023512; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_11_15, deployment Datacenter, signature_severity Major, tag SCAN_Redis_SSH, updated_at 2016_11_15;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Redyms CnC)"; flow:established,from_server; content:"|55 04 06|"; content:"|02|US"; distance:1; within:3; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Inc."; distance:1; within:15; content:"|55 04 03|"; content:"|02|*."; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021634; rev:3; metadata:attack_target Client_and_Server, created_at 2015_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 eb 14 76 ac 55 37 6b 52|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023521; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS IRC - NICK and Possible Windows XP/7"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*(?:W(?:in(?:dows)?)?[^a-z0-9]?(XP|[7-8])|Vista)/Ri"; content:!"|20|XP/7"; classtype:bad-unknown; sid:2017321; rev:8; metadata:created_at 2013_08_13, former_category INFO, updated_at 2013_08_13;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 82 eb e4 e6 d5 39 9c 05|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023522; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing Aug 17 2015"; flow:established,from_server; file_data; content:"ScriptEngineMajorVersion"; nocase; content:"ScriptEngineMinorVersion"; nocase; content:"ScriptEngineBuildVersion"; nocase; fast_pattern; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; nocase; classtype:exploit-kit; sid:2021638; rev:2; metadata:created_at 2015_08_17, former_category CURRENT_EVENTS, updated_at 2018_04_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy CnC Beacon"; flow:established,to_server; content:"|8a 00 d1 00 8a 00 6a 00|"; depth:8; reference:url,citizenlab.org/2016/11/parliament-keyboy/; reference:md5,8846d109b457a2ee44ddbf54d1cf7944; classtype:command-and-control; sid:2023527; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category MALWARE, malware_family KeyBoy, signature_severity Major, tag c2, updated_at 2016_11_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Secondary Landing URI Struct Aug 17 2015"; flow:established,to_server; content:"GET"; http_method; content:".html&"; http_uri; fast_pattern; content:"/"; distance:-47; http_uri; pcre:"/\/\d\/?[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\.html&[a-z]+=[^&]+&[a-z]+=\d{3}\.\d{3}\.\d{3,}(?:\.\d{3,})?$/U"; classtype:exploit-kit; sid:2021639; rev:2; metadata:created_at 2015_08_17, updated_at 2015_08_17;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Chthonic CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|res1allenia.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023528; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Exploit URI Struct Aug 17 2015"; flow:established,to_server; content:"GET"; http_method; content:"Referer|3a|"; http_header; content:"|3a|443/"; distance:0; http_header; fast_pattern; pcre:"/\/\d\/?[A-Z]+\/[a-f0-9]{40}\/$/U"; flowbits:set,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021640; rev:2; metadata:created_at 2015_08_17, updated_at 2015_08_17;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Chthonic MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|digtheromb.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023530; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (euro-rafting.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|euro-rafting|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021646; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Unknown Redirector Nov 17 2016"; flow:from_server,established; file_data; content:"<script>"; content:".indexOf(|22|_mauthtoken|22|)=="; distance:0; content:"|22|ooglebot|22|"; content:"|7c|fennec|7c|"; content:"|22|_mauthtoken=1|3b| path=/|3b|expires=|22|"; fast_pattern; reference:url,labs.sucuri.net/?note=2016-11-17; classtype:trojan-activity; sid:2023531; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_18, deployment Perimeter, signature_severity Major, tag Android, updated_at 2016_11_18;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (holidayapartments-Paris.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|17|holidayapartments-Paris|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021647; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Unknown Landing URI Nov 17 2016"; flow:to_server,established; content:"/kt/JpNx9n"; http_uri; pcre:"/\/kt\/JpNx9n$/U"; reference:url,labs.sucuri.net/?note=2016-11-17; classtype:trojan-activity; sid:2023532; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_18, deployment Perimeter, signature_severity Major, tag Android, updated_at 2016_11_18;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (paris-holidayapartments.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|17|paris-holidayapartments|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021648; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sweatmeat.pw"; distance:1; within:13; classtype:domain-c2; sid:2023537; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (franceholidayapartments.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|17|franceholidayapartments|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021649; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:established,from_server; content:"|09 00 b8 d7 6d 5b 44 1a 9f 0a|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023542; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (apartmentsin-paris.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|apartmentsin-paris|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021650; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Tuhkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|biszweater.pw"; distance:1; within:14; classtype:domain-c2; sid:2023538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (raftingholiday.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|raftingholiday|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021651; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|coinf333.info"; distance:1; within:14; classtype:domain-c2; sid:2023539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (eurorafting-tr.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|eurorafting-tr|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021652; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 bc 7c af f0 e8 ee 0f e8|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (turkeyextremerafting.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|turkeyextremerafting|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021653; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC)"; flow:established,from_server; content:"|09 00 e7 1f b0 eb b2 ae 21 70|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023541; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (raftingtours-turkey.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|raftingtours-turkey|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021654; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FlokiBot CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; content:"|55 04 03|"; distance:0; content:"|08|uspal.cf"; distance:1; within:9; reference:md5,3ddf657800e60a57b884b87e1e8a987c; classtype:domain-c2; sid:2023536; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (divextreme-ar.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|divextreme-ar|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021655; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 a7 15 36 3b e0 82 35 9b|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023543; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (crazy-jump.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|crazy-jump|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021656; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/VB.SDB CnC Beacon"; flow:established,to_server; content:"Auth"; depth:4; content:"|20 40 20|"; distance:0; content:"|5c 23 2f|Microsoft|20|"; distance:0; fast_pattern; reference:md5,5a9a8502b87ce1a6a608debd10761957; reference:url,securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/; classtype:command-and-control; sid:2023544; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2016_11_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (dive-extreme.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|dive-extreme|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021657; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate Detected (Gootkit CnC)"; flow:from_server,established; content:"|09 00 c7 52 05 4b 9d 0e f6 96|"; content:"|55 04 03|"; content:"|09|localhost"; distance:1; within:10; reference:md5,fa224c69088cc331a6b30bc5069fa9d5; classtype:domain-c2; sid:2023550; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (tandemskydive-ar.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tandemskydive-ar|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021658; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M5"; flow:to_server,established; content:"POST"; http_method; content:"/wp-"; http_uri; depth:4; content:".php"; http_uri; content:"usr="; nocase; depth:4; http_client_body; fast_pattern; content:"&pss="; nocase; http_client_body; distance:0; classtype:credential-theft; sid:2031561; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_11_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (skydivelessons.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|skydivelessons|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021660; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Flokibot CnC)"; flow:from_server,established; content:"|09 00 9c 56 80 8c 3d 64 03 c6|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023554; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_29, deployment Perimeter, former_category MALWARE, malware_family Flokibot, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (bungee4you-br.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|bungee4you-br|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021661; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|dnsapis.net"; distance:1; within:12; classtype:domain-c2; sid:2023555; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_29, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (brazil-crazybungee.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|brazil-crazybungee|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021662; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|msg.capital"; distance:1; within:12; classtype:domain-c2; sid:2023556; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_29, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (bungeejumping-br.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bungeejumping-br|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021663; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Check-in 2"; flow:established,to_server; dsize:69; content:"|41 00 00 00 83|"; depth:5; flowbits:set,ET.NetwireRAT.Client; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:2025035; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category TROJAN, malware_family Netwire_RAT, signature_severity Major, updated_at 2017_11_27;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (groupbungee-br.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|groupbungee-br|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021664; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Netwire RAT Check-in 2"; flow:established,to_client; dsize:69; content:"|41 00 00 00 85|"; depth:5; flowbits:isset,ET.NetwireRAT.Client; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:2025036; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category TROJAN, malware_family Netwire_RAT, signature_severity Major, updated_at 2017_11_27;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (divextreme-au.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|divextreme-au|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021665; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Firefox 0-day used against TOR browser Nov 29 2016 M1"; flow:established,from_server; file_data; content:"|66 69 6e 64 50 6f 70 52 65 74|"; nocase; content:"|66 69 6e 64 53 74 61 63 6b 50 69 76 6f 74|"; nocase; content:"|56 69 72 74 75 61 6c 41 6c 6c 6f 63|"; nocase; content:"|72 6f 70 43 68 61 69 6e|"; nocase; content:"|6b 65 72 6e 65 6c 33 32 2e 64 6c 6c|"; nocase; reference:url,arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/; classtype:attempted-admin; sid:2023559; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Firefox, attack_target Client_Endpoint, created_at 2016_11_30, deployment Perimeter, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_11_30;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (crazyjump-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|crazyjump-uy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021666; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Firefox 0-day used against TOR browser Nov 29 2016 M2"; flow:established,from_server; file_data; content:"|72 6f 70 43 68 61 69 6e 28 72 6f 70 42 61 73 65 2c 76 74 61 62 6c 65 5f 6f 66 66 73 65 74 2c 31 30 2c 72 6f 70 41 72 72 42 75 66 29 3b|"; nocase; reference:url,arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/; classtype:attempted-admin; sid:2023560; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Firefox, attack_target Client_Endpoint, created_at 2016_11_30, deployment Perimeter, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_11_30;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (stuntjumps.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|stuntjumps|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021667; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,from_server; file_data; content:"|43 6f 6c 6c 65 63 74 47 61 72 62 61 67 65|"; nocase; content:"|73 70 72 61 79 48 65 61 70|"; nocase; content:"|73 65 74 41 64 64 72 65 73 73|"; nocase; content:"|30 78 63 36 62 65 63|"; nocase; content:"|30 78 46 46 46 46 30 30 30 30|"; nocase; classtype:attempted-admin; sid:2023568; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_30, deployment Perimeter, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_11_30;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (tandemskydive-au.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tandemskydive-au|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021668; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,from_server; file_data; content:"|77 72 69 74 65 4e 28 72 6f 70 61 64 64 72 20 2b 20 69 20 2a 20 34 2c 20 72 6f 70 5b 69 5d 2c 20 34 29 3b|"; classtype:attempted-admin; sid:2023569; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_30, deployment Perimeter, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_11_30;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (groupdive-au.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|groupdive-au|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021669; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zeus OPENSSL Banker Malicious SSL Certificate Detected"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a0 c9 ee 35 a4 1c 6f 74|"; distance:0; content:"|55 04 06|"; distance:0; content:"|02|AU"; distance:1; within:3; reference:md5,a8139f8c2547f11522c3d7d58b90c422; classtype:domain-c2; sid:2023590; rev:2; metadata:attack_target Client_and_Server, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (au-skydivelessons.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|au-skydivelessons|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021670; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zeus OPENSSL Banker Malicious SSL Certificate Detected"; flow:from_server,established; content:"|55 04 03|"; content:"|0B|fleil42.com"; distance:1; within:12; reference:md5,50ede75eb74a0a795500cc7b8c6c9f54; classtype:domain-c2; sid:2023591; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (bungee4you-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|bungee4you-uy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021671; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Tepfer.InfoStealer CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/scan.php"; fast_pattern:only; http_uri; content:!"Referer|3A|"; http_header; content:"="; http_client_body; depth:10; reference:md5,6e715fe727f927bc76e923d2e524d1e3; classtype:command-and-control; sid:2018415; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_04_24, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_12_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (uruguay-crazybungee.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|uruguay-crazybungee|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021672; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ISearchTech.com XXXPornToolbar Activity (MyApp)"; flow: to_server,established; content:" MyApp|0d 0a|"; http_header; fast_pattern:only; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/2001492; classtype:trojan-activity; sid:2001492; rev:39; metadata:created_at 2010_07_30, updated_at 2016_12_07;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (bungeejumping-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bungeejumping-uy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021673; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|izaberiauto.com"; distance:1; within:16; classtype:domain-c2; sid:2023593; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_08, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (groupbungee-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|groupbungee-uy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021674; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"redim "; nocase; fast_pattern; pcre:"/^\s*?Preserve/Rsi"; content:"<script "; nocase; pcre:"/^[^>]*?(?:language\s*?=\s*?[\x22\x27]vbscript[\x22\x27]|type\s*?=\s*?[\x22\x27]text\/vbscript[\x22\x27])/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019706; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_14, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_12_12;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (circlesofourlives-ir.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|circlesofourlives-ir|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021675; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert tcp any 443 -> any any (msg:"ET MALWARE Potential Sefnit C2 traffic (from server)"; flow: from_server,established; content:"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1"; classtype:command-and-control; sid:2018449; rev:8; metadata:created_at 2014_05_05, former_category MALWARE, updated_at 2016_12_12;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (clickflowers-hk.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|clickflowers-hk|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021676; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 98 ea a6 c4 99 a7 b3 f7|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023639; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (cropcirclestours.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cropcirclestours|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021677; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 33434 (msg:"ET INFO Noction IRP Probe"; flow:stateless; flags:SP; content:"|4E 4F 43 54 49 4F 4E 20 49 52 50|"; reference:url,www.noction.com/faq; classtype:bad-unknown; sid:2023640; rev:1; metadata:created_at 2016_12_14, deployment Perimeter, performance_impact Low, signature_severity Minor, updated_at 2016_12_14;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (irelancropcircles.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|irelancropcircles|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021678; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .pif"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset 2; content:".pif"; distance:-4; within:4; reference:url,doc.emergingthreats.net/2001407; classtype:suspicious-filename-detect; sid:2001407; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (ir-cool.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|ir-cool|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021679; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .scr"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset 2; content:".scr"; distance:-4; within:4; reference:url,doc.emergingthreats.net/2001408; classtype:suspicious-filename-detect; sid:2001408; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (magnificentcircles.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|magnificentcircles|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021680; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Edge SmartScreen Page Spoof Attempt Dec 16 2016"; flow:from_server,established; file_data; content:"ms-appx-web|3a|//"; fast_pattern; nocase; content:"microsoftedge"; nocase; distance:0; content:"/assets/errorpages/"; nocase; distance:0; content:"BlockedDomain="; nocase; distance:0; reference:url,www.brokenbrowser.com/spoof-addressbar-malware/; classtype:social-engineering; sid:2023657; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2016_12_16, deployment Perimeter, former_category PHISHING, malware_family Tech_Support_Scam, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_12_16;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (china-flowershop.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|china-flowershop|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021681; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET DELETED Butterfly/Mariposa Bot client init connection"; dsize:21; content:"|18|"; depth:1; content:"|00 00|"; distance:16; flowbits:set,ET.ButterflyJoin; flowbits:noalert; classtype:trojan-activity; sid:2011295; rev:9; metadata:created_at 2010_09_28, updated_at 2016_12_20;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (hongkong-bouquets.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|hongkong-bouquets|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021682; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:!"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; pcre:"/^.{2}[A-Z][a-z]+(?:\x27[a-z]+|(?:\x20[A-Z][a-z]+){1,2})?[01]/Rs"; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+)\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,7,1,relative; pcre:"/^.{2}(?:(?:\d[A-Z]?|[A-Z]\d?)[a-z]{6,20}|[A-Z]?[a-z]{3,7}\d[a-z]{3,7})\.(?:(?:\d[A-Z]?|[A-Z]\d?)[a-z]{6,20}|[A-Z]?[a-z]{3,7}\d[a-z]{3,7})\.(?!(?:com|net|org)[01])[a-z]{2,}[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022627; rev:12; metadata:attack_target Client_and_Server, created_at 2016_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (beautifuldaisies.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|beautifuldaisies|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021683; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [6789] (msg:"ET MALWARE Possible Linux.Mirai DaHua Default Credentials Login"; flow:to_server,established; content:"888888|0d 0a|888888"; depth:14; content:"busybox telnetd -p"; distance:0; reference:url,isc.sans.edu/diary/21833; classtype:attempted-admin; sid:2023674; rev:1; metadata:attack_target IoT, created_at 2016_12_20, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2016_12_20;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (rosesinchina.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|rosesinchina|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021684; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M5"; flow:from_server,established; flowbits:isset,et.IE7.NoRef.NoCookie; content:"Content-Type|3a 20|text/javascript"; file_data; pcre:"/^(?P<v1>\S{1,100})\s+(?P<v2>\S{1,100})\s+=\s+\x22\x22\x3b\s+(?P=v2)\s+\+\=\s+\x27(?P=v1).+?(?P=v1)\x27\x3b.+?(?P=v2)\s\+=\s[\x22\x27].+?(?P=v2)\s\+=\s[\x22\x27].+?(?P=v2)\s\+=\s[\x22\x27].+?(?P=v2)\s\+=\s[\x22\x27]/R"; classtype:trojan-activity; sid:2023673; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, malware_family Trojan_Kwampirs, signature_severity Major, updated_at 2016_12_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|lastinstanse.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021686; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Ransomware Checkin"; flow:established,to_server; content:"/index.html"; http_uri; content:"POST"; http_method; content:!"User-Agent|3a| "; http_header; content:"application/octet-stream|0d 0a 0d 0a|"; http_client_body; content:"/"; http_client_body; distance:2; within:1; pcre:"/filename=\x22\d+?\x22/P"; classtype:trojan-activity; sid:2016185; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2016_12_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|deliverytrading.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021687; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Tinba DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|03|com"; distance:15; within:4; fast_pattern; content:"|0c|"; distance:-17; within:1; pcre:"/^[a-z]{12}/R"; threshold: type both, track by_src, count 50, seconds 10; content:!"|08|sophosxl|03|"; reference:md5,1044af21a7c4cbc291ab418a47de52b4; reference:url,seculert.com/blog/2014/09/tiny-tinba-trojan-could-pose-big-threat.html; reference:url,garage4hackers.com/entry.php?b=3086; classtype:trojan-activity; sid:2019230; rev:2; metadata:created_at 2014_09_24, updated_at 2014_09_24;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f3 d9 2f af b4 8c 02 29|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021688; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 b9 dc 45 b2 1c 85 40 25|"; content:"|55 04 03|"; distance:0; content:"|04|host"; distance:1; within:5; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023689; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|contrarypresidentstspea.info"; distance:1; within:29; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021695; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET ![25,587,6666:7000,8076] (msg:"ET POLICY IRC Channel JOIN on non-standard port"; flow:to_server,established; dsize:<64; content:"JOIN "; nocase; depth:5; pcre:"/&|#|\+|!/R"; reference:url,doc.emergingthreats.net/bin/view/Main/2000348; classtype:trojan-activity; sid:2000348; rev:15; metadata:created_at 2010_07_30, updated_at 2017_01_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible TDS Redirecting to EK Aug 19 2015"; flow:established,from_server; file_data; content:"|27|ad|27|+|27|dEv|27|+|27|entListe|27|+|27|ner|27|"; content:"|27|att|27|+|27|achEve|27|+|27|nt|27|"; content:"|27|DOMCo|27|+|27|ntentL|27|+|27|oad|27|+|27|ed|27|"; classtype:exploit-kit; sid:2021696; rev:2; metadata:created_at 2015_08_20, updated_at 2015_08_20;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 6892 (msg:"ET MALWARE W32/Cerber.Ransomware CnC Checkin M4"; dsize:14; pcre:"/^[a-f0-9]{14}$/"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,1f41be13d5d19e1a5c76b6d7256a8df4; reference:md5,6707e861e377409bd1037452c7c5fa74; classtype:command-and-control; sid:2023695; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category MALWARE, malware_family Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_01_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $EXTERNAL_NET 25565 -> $HOME_NET any (msg:"ET GAMES MINECRAFT Server response inbound"; flow:established,from_server; content:"|7B 22|"; depth:10; classtype:policy-violation; sid:2021701; rev:1; metadata:created_at 2015_08_21, updated_at 2015_08_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoreFlooder.Q Data Posting"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/upload"; nocase; http_uri; content:"file="; nocase; http_uri; content:"&id="; http_uri; nocase; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCOREFLOOD%2EQ; reference:url,doc.emergingthreats.net/2008352; classtype:trojan-activity; sid:2008352; rev:10; metadata:created_at 2010_07_30, updated_at 2017_01_05;)
 
-#alert tcp $HOME_NET 25565 -> $EXTERNAL_NET any (msg:"ET GAMES MINECRAFT Server response outbound"; flow:established,from_server; content:"|7B 22|"; depth:10; classtype:policy-violation; sid:2021702; rev:1; metadata:created_at 2015_08_21, former_category GAMES, updated_at 2015_08_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) Observed in SunDown EK 1"; flow:established,to_client; file_data; content:"0x1DA2F5"; fast_pattern; nocase; content:"0x1DA2CB"; nocase; distance:0; content:"getPrototypeOf"; nocase; content:".__proto__"; nocase; content:"Symbol.species"; reference:cve,2016-7200; reference:url,malware.dontneedcoffee.com/2017/01/CVE-2016-7200-7201.html; classtype:attempted-user; sid:2023700; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2017_01_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET ![80,8080,3128,3129] (msg:"ET DELETED Job314/Neutrino Reboot EK Payload Aug 19 2015"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"Windows NT"; fast_pattern:only; http_header; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?:[a-z\d+]*?[A-Z])(?:[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U"; pcre:"/^Host\x3a[^\r\n]*?\x3a(?!(80(?:80)|312[89]))\d+\r$/Hm"; classtype:exploit-kit; sid:2021694; rev:5; metadata:created_at 2015_08_19, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) Observed in SunDown EK 2"; flow:established,to_client; file_data; content:"rop.length"; fast_pattern; nocase; content:"Write64"; nocase; distance:0; pcre:"/^\s*\x28\s*retPtrAddr\.add\s*\x28\s*i\s*\*\s*8\s*\x29\s*,\s*rop\s*\x5b/Rsi"; reference:cve,2016-7200; reference:url,malware.dontneedcoffee.com/2017/01/CVE-2016-7200-7201.html; classtype:attempted-user; sid:2023701; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2017_01_06;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0e|mojojantes.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021703; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B642"; flow:established,from_server; file_data; content:"RyaWdnZXJGaWxsRnJvbVByb3RvdHlwZXNCdW"; classtype:trojan-activity; sid:2023703; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2017_01_06;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 91 48 c0 28 b4 2b 86 c7|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021704; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B643"; flow:established,from_server; file_data; content:"UcmlnZ2VyRmlsbEZyb21Qcm90b3R5cGVzQnVn"; classtype:trojan-activity; sid:2023704; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2017_01_06;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ursnif CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0d|serenyefa.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021705; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET 5351 -> [!224.0.0.1,$EXTERNAL_NET] any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response to External Network"; dsize:12; content:"|80 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019490; rev:3; metadata:created_at 2014_10_22, updated_at 2017_01_06;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|1a|becomesthelegislatures.org"; distance:1; within:27; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021706; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING PDF Containing Subform with JavaScript"; flow:established,to_client; file_data; content:"%PDF"; within:4; content:"subform"; nocase; distance:0; fast_pattern; content:"script"; nocase; distance:0; reference:cve,2017-2962; classtype:attempted-user; sid:2014154; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag DriveBy, updated_at 2017_01_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HT SWF Exploit RIP M2"; flow:established,from_server; file_data; content:"<!-- saved from url=(0014)about|3a|internet -->"; content:"return navigator.appName"; content:"return navigator.platform|3b|"; content:"clsid|3a|D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; classtype:trojan-activity; sid:2021710; rev:2; metadata:created_at 2015_08_25, former_category CURRENT_EVENTS, updated_at 2015_08_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) Observed in SunDown EK 3"; flow:established,from_server; file_data; content:"|66 75 6e 63 74 69 6f 6e 20 54 72 69 67 67 65 72 46 69 6c 6c 46 72 6f 6d 50 72 6f 74 6f 74 79 70 65 73 42 75 67 28 6c 6f 2c 20 68 69 29|"; nocase; content:"|63 68 61 6b 72 61 42 61 73 65 2e 61 64 64|"; nocase; content:"|73 68 63 6f 64 65 41 64 64 72 2e 61 6e 64|"; nocase; classtype:exploit-kit; sid:2023699; rev:3; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, former_category EXPLOIT, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2017_01_06;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c3 f0 c2 3d 49 5e bb 16|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021717; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert"; flow:established,from_server; content:"|00 dd 45 ec 3f 08 74 58 6a|"; content:"|0a|Department"; distance:0; content:"|55 04 03|"; distance:0; content:"|0f|www.example.com"; distance:1; within:16; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:command-and-control; sid:2023708; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_01_09, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2017_01_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EvilGrab/Vidgrab Checkin"; flow:to_server,established; content:"|7c 28|"; pcre:"/^\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/R"; content:"|29 7c|"; within:2; pcre:"/^\d{1,5}/R"; content:"|7c|Win"; within:4; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:command-and-control; sid:2017413; rev:3; metadata:created_at 2013_09_04, former_category MALWARE, updated_at 2013_09_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO ATF file in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"|41 54 46|"; within:3; flowbits:set,ET.atf.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023714; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_01_10, deployment Perimeter, updated_at 2017_01_10;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b6 45 0c e4 b7 4c af d5|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021722; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe FDF in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"%FDF-"; within:5; flowbits:set,ET.fdf.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023715; rev:2; metadata:affected_product Adobe_Reader, attack_target Client_Endpoint, created_at 2017_01_10, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_01_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|hasselbladolsonson.com"; distance:1; within:23; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021721; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v2"; flow:to_server,established; content:"|FE|SMB|40 00|"; offset:4; depth:6; content:"|05 00|"; distance:6; within:2; content:"|00|.|00|l|00|o|00|c|00|k|00|y|00 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022639; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2017_01_10, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|ssldata.ru"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021720; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Venom CnC Beacon"; flow:established,to_server; content:"|9e ab 49 31 08 53 b5 d4|"; depth:8; reference:url,security.web.cern.ch/security/venom.shtml; classtype:command-and-control; sid:2023716; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family Linux_Venom, signature_severity Major, tag c2, updated_at 2017_01_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cryptowall docs campaign Aug 2015 encrypted binary (1)"; flow:established,to_client; file_data; content:"|65 5d d1 c6 b0 88 68 62|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021725; rev:2; metadata:created_at 2015_08_27, former_category EXPLOIT_KIT, updated_at 2015_08_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|specadv.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023717; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude/Hunter EK IE Exploit Aug 23 2015"; flow:from_server,established; file_data; content:"|22 3a 22 4d 4f 56 20 5b 45 43 58 2b 30 43 5d 2c 45 41 58 22|"; fast_pattern; content:"|22 3a 22 76 69 72 74 75 61 6c 70 72 6f 74 65 63 74 22|"; classtype:exploit-kit; sid:2021707; rev:3; metadata:created_at 2015_08_24, former_category EXPLOIT_KIT, updated_at 2015_08_24;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|p.fmsacademy.it"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023718; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon Response"; flow:established,to_client; file_data; content:"---!!!INSERTED!!!---"; within:20; reference:md5,ee90ec9935c7b8e1a5dad364d4545851; classtype:command-and-control; sid:2021724; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_08_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|17|sc.jacksburgershack.com"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023719; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex SSL Cert Aug 12 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|07|Arizona"; fast_pattern; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|0a|Scottsdale"; distance:1; within:11; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}\x30/Rs"; classtype:trojan-activity; sid:2021621; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|m.williamdegel.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023720; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PawnStorm Java Class Stage 1 M1 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 08 47 4f 47 4f 47 4f 47 4f|"; content:"|01 00 0c 6a 61 76 61 2f 6e 65 74 2f 55 52 4c|"; content:"|01 00 0f 53 74 61 72 74 69 6e 67 20 41 70 70 6c 65 74|"; classtype:targeted-activity; sid:2021726; rev:2; metadata:created_at 2015_08_28, former_category CURRENT_EVENTS, updated_at 2015_08_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|cdn.ui-data.cc"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023721; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PawnStorm Java Class Stage 2 M1 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 0e 4c 50 68 61 6e 74 6f 6d 53 75 70 65 72 3b|"; fast_pattern; content:"|01 00 32 4c 6a 61 76 61 2f 75 74 69 6c 2f 63 6f 6e 63 75 72 72 65 6e 74 2f 61 74 6f 6d 69 63 2f 41 74 6f 6d 69 63 52 65 66 65 72 65 6e 63 65 41 72 72 61 79 3b|"; classtype:targeted-activity; sid:2021727; rev:2; metadata:created_at 2015_08_28, former_category CURRENT_EVENTS, updated_at 2015_08_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|baikalsecret.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023722; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PawnStorm Java Class Stage 2 M2 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 0a 63 6f 72 6d 61 63 2e 6d 63 72|"; classtype:targeted-activity; sid:2021728; rev:2; metadata:created_at 2015_08_28, former_category CURRENT_EVENTS, updated_at 2015_08_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|disaaxpalallow.me"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023723; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b4 ff d7 c2 ee b9 dd f0|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021731; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|aucom.pw"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023724; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d7 5d 30 37 a7 6b 0d 17|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021732; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|publicstats.tk"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023725; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|bri-secure.com"; distance:1; within:15; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021733; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Chthonic CnC)"; flow:established,from_server; content:"|09 00 e6 0c cf da 58 8f a7 b2|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023726; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|kingddomdirect.com"; distance:1; within:19; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021734; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> [$EXTERNAL_NET,!255.255.255.255] 69 (msg:"ET TFTP Outbound TFTP Read Request"; content:"|00 01|"; depth:2; reference:url,doc.emergingthreats.net/2008120; classtype:policy-violation; sid:2008120; rev:4; metadata:created_at 2010_07_30, updated_at 2017_01_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Aug 31 2015 T2 (BizCN)"; flow:from_server,established; file_data; content:"|3d 27 44 4f 4d 43 6f 27 2b 27 6e 74 65 6e 74 4c 27 2b 27 6f 61 64 27 2b 27 65 64 27 3b 66 6b 3d 77 69 6e 64 6f 77 3b|"; classtype:exploit-kit; sid:2021740; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Andromeda download with fake Zip header (1)"; flow:to_client,established; file_data; content:"PK|03 04|"; within:4; byte_test:1,>,64,0,relative; classtype:trojan-activity; sid:2018575; rev:3; metadata:created_at 2014_06_17, updated_at 2014_06_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Double-Encoded Reverse Base64/Dean Edwards Packed JavaScript Observed in Unknown EK Feb 16 2015 b64 1 M2"; flow:established,from_server; file_data; content:"CZsUGLrxyYsEGLwhibvlGdj5WdmhCbhZXZ"; classtype:exploit-kit; sid:2020426; rev:3; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Andromeda download with fake Zip header (2)"; flow:to_client,established; file_data; content:"PK|03 04|"; within:4; byte_test:1,>,20,1,relative; classtype:trojan-activity; sid:2018576; rev:4; metadata:created_at 2014_06_17, updated_at 2017_01_13;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Aug 31 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|55 04 08|"; distance:0; byte_test:1,>,9,1,relative; byte_test:1,<,121,1,relative; pcre:"/^.{2}[A-Z]{10,120}/R"; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_extract:1,1,cnlength,relative; content:!"|2e|"; within:cnlength; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; distance:0; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; reference:md5,26e83fa8b2f3eccfe975cd451933ae63; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021736; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pony DLL Download M2"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|59 55 49 50 57 44 46 49 4c 45 30 59 55 49 50 4b 44 46 49 4c 45 30 59 55 49 43 52 59 50 54 45 44 30 59 55 49|"; classtype:trojan-activity; sid:2023741; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_13, deployment Perimeter, malware_family Pony, signature_severity Major, updated_at 2017_01_13;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Aug 31 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 08|"; distance:0; pcre:"/^.{2}(?P<state>[A-Z][a-z]+).*?\x55\x04\x07.{2}(?P=state)\x0a/Rsi"; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_extract:1,1,cnlength,relative; content:!"|2e|"; within:cnlength; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; fast_pattern; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; reference:md5,26e83fa8b2f3eccfe975cd451933ae63; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021735; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic.KD.291903/Win32.TrojanClicker.Agent.NII Nconfirm Checkin"; flow:to_server,established; content:"/nconfirm.php?rev="; http_uri; content:"&code="; http_uri; content:"&param="; http_uri; content:"&num="; http_uri; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544; classtype:trojan-activity; sid:2014398; rev:4; metadata:created_at 2011_08_04, updated_at 2017_01_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Boaxxe.BR CnC Beacon"; flow:established,to_server; content:"|7c|CM01|7c|CM02|7c|CM03|7c|"; content:!">"; reference:md5,ec38ae7c35be4d7f8103bf1db692d2f8; classtype:command-and-control; sid:2021748; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_09_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Evil JS Ransomware"; flow:from_server,established; file_data; content:"|5c|u006d|5c|u0065|5c|u0073|5c|u0073|5c|u0061|5c|u0067|5c|u0065"; content:"<html><body|20|bgcolor=|22|#F78181|22|>"; nocase; within:100; content:"Hello.|20|Your|20|UID|3a|"; within:100; content:"|65 76 69 6c 20 72 61 6e 73 6f 6d 77 61 72 65|"; fast_pattern; within:100; content:"|75 6e 69 71 75 65 20 73 74 72 6f 6e 67 65 73 74 20 41 45 53 20 6b 65 79|"; distance:0; content:"|73 65 6e 64 20 6d 65 20 79 6f 75 72 20 55 49 44 20 74 6f|"; distance:0; content:"|4c 69 73 74 20 6f 66 20 65 6e 63 72 79 70 74 65 64 20 66 69 6c 65 73|"; distance:0; reference:md5,b9d81c51c10abd64107edc5e73a26aea; reference:url,www.cert.pl/en/news/single/evil-a-poor-mans-ransomware-in-javascript/; classtype:trojan-activity; sid:2023747; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_18, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2017_01_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ef 7e c0 ae 97 cf ff 23|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021750; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Nemucod Downloader Oct 04"; flow:established,to_server; content:"/log.php?f="; http_uri; depth:11; fast_pattern; pcre:"/^\/log\.php\?f=[0-1](?:\.[a-z]+)?$/U"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a 20|"; classtype:trojan-activity; sid:2023318; rev:3; metadata:created_at 2016_10_05, updated_at 2017_01_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d4 45 4d a6 49 0c f1 ed|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021751; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft RDP Client for Mac RCE"; flow:established,to_client; content:"rdp|3a 2f 2f|"; nocase; content:"drivestoredirect"; fast_pattern; nocase; distance:0; content:"rdp|3a 2f 2f|"; nocase; pcre:"/^\S+?drivestoredirect/Ri"; reference:url,www.wearesegment.com/research/Microsoft-Remote-Desktop-Client-for-Mac-Remote-Code-Execution; classtype:attempted-admin; sid:2023755; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_01_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_01_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED possible Sofacy encrypted binary (1)"; flow:established,to_client; file_data; content:"|57 46 e8 67 27 3d 66 1a|"; within:8; flowbits:set,et.exploitkitlanding; reference:url,labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/; reference:url,www.isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/; classtype:targeted-activity; sid:2021755; rev:2; metadata:created_at 2015_09_09, former_category EXPLOIT_KIT, updated_at 2019_09_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Jan 24"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title> Windows Official Support"; fast_pattern; nocase; content:"This Is A Critical Warning"; nocase; distance:0; classtype:social-engineering; sid:2023757; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_24, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2017_01_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - ROP"; flow:established,from_server; file_data; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; content:"|98 2A 00 B0 B3 38 00 B0|"; fast_pattern; content:"|00 10 00 00 07 00 00 00 03 D0 00 D0 04 D0 00 D0 44 11 00 B0|"; distance:4; within:20; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021758; rev:2; metadata:created_at 2015_09_10, updated_at 2015_09_10;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|j24ojpexpgaorlxj"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2023738; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, tag dupe, updated_at 2017_01_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - STSC"; flow:established,from_server; file_data; content:"stsc|00 00 00 00 C0 00 00 03|"; fast_pattern; content:!"|00 00 00 00|"; within:4; pcre:"/^(?P<addr1>.{4})(?P<addr2>.{4})(?P=addr2)(?P=addr1)/Rsi"; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021759; rev:2; metadata:created_at 2015_09_10, updated_at 2015_09_10;)
+alert udp $HOME_NET any -> [$EXTERNAL_NET,!255.255.255.255] 69 (msg:"ET TFTP Outbound TFTP Write Request"; content:"|00 02|"; depth:2; reference:url,doc.emergingthreats.net/2008116; classtype:policy-violation; sid:2008116; rev:4; metadata:created_at 2010_07_30, updated_at 2017_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Waledac 2.0/Storm Worm 3.0 GET request detected"; flow:established; content:"GET"; nocase; http_method; urilen:1; content:"/"; http_uri; content:"|0d 0a|Content-Length|3a| "; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trid"; http_header; content:"ent/4.0)|0d 0a 0d 0a 01 02 01 01 01 01 02 01|"; fast_pattern; http_header; within:20; classtype:trojan-activity; sid:2012136; rev:10; metadata:created_at 2011_01_05, updated_at 2011_01_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; file_data; content:"|5C|x0a|5C|x0a|5C|x0a|5C|x0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013267; rev:5; metadata:created_at 2011_07_14, updated_at 2017_01_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|fiopol.xyz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021767; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal"; flow:established,from_server; file_data; content:"mCharCode"; pcre:"/(?P<p>[0-9a-f]{2,4})(?P<sep>[\x2e\x2c\x3b\x3a])(?P<d>(?!(?P=p))[0-9a-f]{2,4})(?P=sep)(?P=p)(?P=sep)(?P=d)(?P=sep)([0-9a-f]{2,4}(?P=sep)){10}(?P<q>(?!((?P=p)|(?P=d)))[0-9a-f]{2,4})(?P=sep)[0-9a-f]{2,4}(?P=sep)(?P<dot>(?!((?P=p)|(?P=d)|(?P=q)))[0-9a-f]{2,4})(?P=sep)[0-9a-f]{2,4}(?P=sep)(?P=dot)(?P=sep)[0-9a-f]{2,4}(?P=sep)(?P=q)/R"; classtype:trojan-activity; sid:2016730; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|online.creditoc.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021769; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DustySky PoisonIvy CnC Beacon"; flow:established,to_server; dsize:48; content:"|75 f0 01 ef 23 bf db 30 19 9f 56 74 01 f7 30 a0|"; offset:16; depth:16; reference:md5,2cd8c27bdc88ebba3e36114a1b55cef6; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:command-and-control; sid:2023812; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family DustSky_related_Implant, signature_severity Major, tag c2, updated_at 2017_01_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|static.coopsrv.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021770; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DustySky QuasarRAT CnC Beacon"; flow:established,from_server; content:"|10 00 00 00 99 9a c7 b8|"; depth:8; reference:md5,a19d4ff89a3f699a6f8237a7905e80e1; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:command-and-control; sid:2023813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family DustSky_related_Implant, signature_severity Major, tag c2, updated_at 2017_01_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 20 1c 21 75 01 8e 93|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021771; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FAKEIE 11.0 Minimal Headers (flowbit set)"; flow:to_server,established; content:" rv|3a|11.0"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^User-Agent\x3a[^\r\n]+rv\x3a11\.0[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/H"; flowbits:set,FakeIEMinimal; flowbits:noalert; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019343; rev:3; metadata:created_at 2014_10_03, updated_at 2017_02_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PE EXE or DLL Windows file download Text"; flow:established,from_server; file_data; content:"4D5A"; distance:0; byte_jump:8,114,relative,multiplier 2,little,string,hex; content:"50450000"; distance:-126; within:8; classtype:trojan-activity; sid:2021774; rev:2; metadata:created_at 2015_09_15, updated_at 2015_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable and linking format (ELF) file download Over HTTP"; flow:established; flowbits:isnotset,ET.ELFDownload; file_data; content:"|7F|ELF"; within:4; flowbits:set,ET.ELFDownload; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000418; classtype:policy-violation; sid:2019240; rev:14; metadata:created_at 2014_09_25, updated_at 2017_02_03;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|stat.coopswiss.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021776; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any 445 -> $HOME_NET any (msg:"ET DOS SMB Tree_Connect Stack Overflow Attempt (CVE-2017-0016)"; flow:from_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|03 00|"; distance:8; within:2; byte_test:1,&,1,2,relative; byte_jump:2,8,little,from_beginning; byte_jump:2,4,relative,little; isdataat:1000,relative; content:!"|FE|SMB"; within:1000; reference:cve,2017-0016; classtype:attempted-dos; sid:2023832; rev:3; metadata:affected_product SMBv3, attack_target Client_and_Server, created_at 2017_02_03, deployment Datacenter, signature_severity Major, updated_at 2017_02_07;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|online.centersu.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021777; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Mobile Phish M1 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"iden="; depth:5; nocase; http_client_body; content:"&AG="; nocase; distance:0; http_client_body; content:"&CC="; nocase; distance:0; http_client_body; content:"&CCDIG="; nocase; distance:0; http_client_body; content:"&PASSNET="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023890; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_02_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cryptowall docs campaign Sept 2015 encrypted binary (1)"; flow:established,to_client; file_data; content:"|23 31 f9 4f 62 57 73 67|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021778; rev:2; metadata:created_at 2015_09_15, former_category EXPLOIT_KIT, updated_at 2015_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Mobile Phish M2 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"DDD="; depth:4; nocase; http_client_body; content:"&CELLULAR="; nocase; distance:0; http_client_body; fast_pattern; content:"&SDESEIS="; nocase; distance:0; http_client_body; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023891; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_02_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|menardgevu.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021779; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO MP4 in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"|66 74 79 70 6D|"; offset:4; depth:5; content:"mp4"; within:12; flowbits:set,ET.mp4.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023713; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_01_10, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_02_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|menardgevu.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021780; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO MP4 in HTTP Flowbit Set M2"; flow:from_server,established; file_data; content:"|66 74 79 70 69 73 6f 6d|"; offset:4; depth:8; flowbits:set,ET.mp4.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023892; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_02_10, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_02_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|feedfeed.name"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021781; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Ticketbleed Client Hello (CVE-2016-9244)"; flow:established,from_client; content:"|16 03|"; depth:2; content:"|01|"; distance:3; within:1; content:"|03 03|"; distance:3; within:2; byte_test:1,<,32,32,relative; byte_test:1,>,1,32,relative; flowbits:set,ET.ticketbleed; flowbits:noalert; reference:cve,2016-9244; reference:url,filippo.io/Ticketbleed; classtype:misc-attack; sid:2023896; rev:3; metadata:affected_product HTTP_Server, attack_target Server, created_at 2017_02_10, deployment Datacenter, performance_impact Moderate, signature_severity Major, updated_at 2017_02_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|my.ubscard.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021782; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Ticketbleed Server Hello (CVE-2016-9244)"; flow:established,to_client; content:"|16 03|"; depth:2; content:"|02|"; distance:3; within:1; content:"|03 03|"; distance:3; within:2; content:"|20|"; distance:32; within:1; flowbits:isset,ET.ticketbleed; reference:url,filippo.io/Ticketbleed; reference:cve,2016-9244; classtype:misc-attack; sid:2023897; rev:3; metadata:affected_product HTTP_Server, attack_target Server, created_at 2017_02_10, deployment Datacenter, performance_impact Moderate, signature_severity Major, updated_at 2017_02_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|disaallowmediapartners.mn"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021783; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO MP4 in HTTP Flowbit Set M3"; flow:from_server,established; file_data; content:"|66 74 79 70 71 74 20 20|"; offset:4; depth:8; flowbits:set,ET.mp4.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023900; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_02_14, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_02_14;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f2 49 34 bb 25 38 61 40|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021784; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Craigslist Phishing Domain Feb 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"craigslist.org"; http_header; fast_pattern; content:!"craigslist.org|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+craigslist\.org[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023881; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, signature_severity Major, tag Phishing, tag dupe, updated_at 2017_02_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Exploit Download"; flow:established,to_server; urilen:15; content:"Java/1."; http_header; content:"/0"; depth:2; http_uri; pcre:"/^\/0[a-z0-9]{13}$/U"; classtype:exploit-kit; sid:2017570; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_08, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET busybox MEMES Hackers - Possible Brute Force Attack"; flow:to_server,established; content:"MEMES"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023901; rev:1; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_02_14, deployment Perimeter, malware_family Mirai, performance_impact Moderate, signature_severity Major, updated_at 2017_02_14;)
 
-alert tcp any any -> $HOME_NET 80 (msg:"ET MALWARE SYNful Knock Cisco IOS Router Implant CnC Beacon (INBOUND)"; flow:established,to_server; content:"|00 00 00 00|text|00|"; byte_jump:4,0,relative,post_offset -1; isdataat:!2,relative; reference:url,fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html; classtype:command-and-control; sid:2021785; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_09_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 1"; flow:established,from_server; content:"|55 04 03|"; content:"|14|giftshop.mefound.com"; distance:1; within:21; classtype:domain-c2; sid:2023902; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible TDSS Base64 Encoded Command 3"; flow:established,to_server; content:"ZEV4ZWN"; http_uri; classtype:trojan-activity; sid:2012923; rev:3; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 2"; flow:established,from_server; content:"|55 04 03|"; content:"|14|estimate.mefound.com"; distance:1; within:21; classtype:domain-c2; sid:2023903; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible TDSS Base64 Encoded Command 1"; flow:established,to_server; content:"Q21kRXhl"; http_uri; classtype:trojan-activity; sid:2012921; rev:3; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 3"; flow:established,from_server; content:"|55 04 03|"; content:"|16|tradeboard.mefound.com"; distance:1; within:23; classtype:domain-c2; sid:2023904; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible TDSS Base64 Encoded Command 2"; flow:established,to_server; content:"bWRFeGVj"; http_uri; classtype:trojan-activity; sid:2012922; rev:3; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 4"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|referenceblog.ignorelist.com"; distance:1; within:29; classtype:domain-c2; sid:2023905; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Iron Tiger DNSTunnel Retrieving CnC"; flow:established,from_server; file_data; content:"$$$$$$$$$$"; fast_pattern; pcre:"/^(?:#+[A-Z]+)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\${10}/R"; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:command-and-control; sid:2021789; rev:2; metadata:created_at 2015_09_17, former_category MALWARE, updated_at 2015_09_17;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 5"; flow:established,from_server; content:"|07|Makeups"; content:"|55 04 03|"; distance:0; content:"|12|www.ignorelist.com"; distance:1; within:19; classtype:domain-c2; sid:2023906; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET MALWARE PlugX UDP CnC Beacon"; dsize:36; content:"|00 00 50 00 02 00 00 00 00 04 00 00 00 10 00 00 00 00 00 00|"; depth:20; content:!"|00 00|"; within:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:3; within:13; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:command-and-control; sid:2021791; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 6"; flow:established,from_server; content:"|55 04 03|"; content:"|15|latest.ignorelist.com"; distance:1; within:22; classtype:domain-c2; sid:2023907; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103000; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 7"; flow:established,from_server; content:"|55 04 03|"; content:"|15|tipnews.longmusic.com"; distance:1; within:22; classtype:domain-c2; sid:2023908; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nntpdinfo.pw"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021797; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_1_1)"; flow:established,to_server; content:"IUgyYll"; content:"t"; within:3; content:"L"; within:3; content:"l"; within:3; content:"N"; within:3; content:"3"; within:3; content:"Q"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023918; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|reportingdelivery.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021798; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_1_2)"; flow:established,to_server; content:"I"; content:"U"; within:3; content:"g"; within:3; content:"y"; within:3; content:"Y"; within:3; content:"l"; within:3; content:"ltLlN3Q"; within:9; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023919; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|localinstanse.net"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021799; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_2_1)"; flow:established,to_server; content:"FIMmJZ"; content:"b"; within:3; content:"S"; within:3; content:"5"; within:3; content:"T"; within:3; content:"d"; within:3; content:"0"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023920; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|healthweather.name"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021801; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_2_2)"; flow:established,to_server; content:"F"; content:"I"; within:3; content:"M"; within:3; content:"m"; within:3; content:"J"; within:3; content:"Z"; within:3; content:"bS5Td0"; within:8; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023921; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f0 83 4c 61 ec 09 e6 03|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021802; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_3_1)"; flow:established,to_server; content:"hSDJiWW"; content:"0"; within:3; content:"u"; within:3; content:"U"; within:3; content:"3"; within:3; content:"d"; within:3; content:"A"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d3 1b a5 8f 1d d7 30 48|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021803; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_3_2)"; flow:established,to_server; content:"h"; content:"S"; within:3; content:"D"; within:3; content:"J"; within:3; content:"i"; within:3; content:"W"; within:3; content:"W0uU3dA"; within:9; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f1 03 f7 ce 62 9d fb 5a|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021804; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_1_1)"; flow:established,to_server; content:"QDM0Zlo"; content:"3"; within:3; content:"R"; within:3; content:"V"; within:3; content:"t"; within:3; content:"w"; within:3; content:"X"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Rovnix CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|cherniypoyas.ru"; distance:1; within:16; reference:md5,080db9578ea797cd231bc1160d3824f1; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021805; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_1_2)"; flow:established,to_server; content:"Q"; content:"D"; within:3; content:"M"; within:3; content:"0"; within:3; content:"Z"; within:3; content:"l"; within:3; content:"o3RVtwX"; within:9; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|sslsecureserver.eu"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021809; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_2_1)"; flow:established,to_server; content:"AzNGZa"; content:"N"; within:3; content:"0"; within:3; content:"V"; within:3; content:"b"; within:3; content:"c"; within:3; content:"F"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023926; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|uplinkadv.eu"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021810; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_2_2)"; flow:established,to_server; content:"A"; content:"z"; within:3; content:"N"; within:3; content:"G"; within:3; content:"Z"; within:3; content:"a"; within:3; content:"N0VbcF"; within:8; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023927; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Meterpreter or Other Reverse Shell SSL Cert"; flow:established,from_server; content:"|0b|"; content:"|04 08 bb 00 ee|"; distance:23; within:5; fast_pattern; content:"|55 04 06 13 00|"; distance:0; content:"|55 04 08 13 00|"; distance:0; content:"|55 04 07 13 00|"; distance:0; content:"|55 04 0a 13 00|"; distance:0; content:"|55 04 0b 13 00|"; distance:0; content:"|55 04 03 13 00|"; distance:0; reference:md5,c3f76f444edf0b90b887d7979342e9f0; classtype:trojan-activity; sid:2035651; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_3_1)"; flow:established,to_server; content:"AMzRmWj"; content:"d"; within:3; content:"F"; within:3; content:"W"; within:3; content:"3"; within:3; content:"B"; within:3; content:"c"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023928; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|55 1d 11|"; content:"|10|blatnoidomen.com"; distance:5; within:22; fast_pattern; reference:url,sslbl.abuse.ch; reference:md5,8217cc4fc3d5781206becbef148154ea; classtype:domain-c2; sid:2021815; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_3_2)"; flow:established,to_server; content:"A"; content:"M"; within:3; content:"z"; within:3; content:"R"; within:3; content:"m"; within:3; content:"W"; within:3; content:"jdFW3Bc"; within:10; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023929; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fc 56 1e 02 6c d4 e2 22|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; reference:md5,e448572aea062241c80dd2a15562e968; classtype:domain-c2; sid:2021816; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET MALWARE MAGICHOUND.MPK Activity via IRC"; flow:established,to_server; content:"PRIVMSG mpk|20 3a|"; content:"!MpkPing|20|<<mpk>>"; fast_pattern; distance:0; pcre:"/^\d{5}/R"; content:"<<mpk>>|20|<<mpk>>"; distance:0; pcre:"/^\d/R"; content:"<<mpk>>"; distance:0; reference:md5,ece5b62a4ed4e88dab4f1b5451f54794; classtype:trojan-activity; sid:2023940; rev:2; metadata:created_at 2015_10_14, cve url_researchcenter_paloaltonetworks_com_2017_02_unit42_magic_hound_campaign_attacks_saudi_targets_, updated_at 2017_02_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|www.fortamola.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021817; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Malicious PowerSploit PowerShell Script Observed over HTTP"; flow:established,from_server; file_data; content:"CmdletBinding()"; content:"$DoNotZeroMZ"; distance:0; fast_pattern; reference:url,github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1; classtype:trojan-activity; sid:2023947; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, updated_at 2017_02_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|business--testing.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021818; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely MAGICHOUND.FETCH Receiving PowerSploit PowerShell over HTTP"; flow:established,from_server; content:"$PEBytes"; content:"$PEBytes0=|22|TV"; distance:0; fast_pattern; reference:url,github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1; classtype:trojan-activity; sid:2023949; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND_FETCH, signature_severity Major, updated_at 2017_02_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 96 99 38 87 d8 6a ee a7|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; reference:md5,ead31d4cbbd79466359d46694a9d56d3; classtype:domain-c2; sid:2021819; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE MAGICHOUND.FETCH SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|16|service.chrome-up.date"; distance:1; within:27; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023952; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND_related, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Ransomware Win32/WinPlock.A CnC Beacon 3"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:!"Referer|3a|"; http_header; content:"unit_action="; depth:12; http_client_body; fast_pattern; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:command-and-control; sid:2021823; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_23, deployment Perimeter, signature_severity Major, tag c2, updated_at 2015_09_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MAGICHOUND.LEASH IRC CnC Beacon"; flow:established,to_server; content:"USER AS_a # # |3a|des|0d 0a|"; depth:20; reference:md5,3c8a142d2e3b84fb0d210250af77cc9b; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:command-and-control; sid:2023963; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family MAGICHOUND_LEASH, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 82 a8 3c 4c d7 28 96 34|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021824; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful California Bank & Trust Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"AccountNo="; depth:10; nocase; http_client_body; fast_pattern; content:"&token="; nocase; distance:0; http_client_body; content:"&check=Login"; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024001; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_02_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|e-securepass.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021825; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Shared Document Phishing Landing Feb 21 2017"; flow:from_server,established; file_data; content:"<title>Dropbox"; nocase; fast_pattern; content:"openOffersDialog"; nocase; distance:0; classtype:social-engineering; sid:2025688; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1a|contactexchangenetwork.biz"; distance:1; within:27; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021826; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET !3389 (msg:"ET SCAN MS Terminal Server Traffic on Non-standard Port"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash="; fast_pattern; classtype:attempted-recon; sid:2023753; rev:2; metadata:affected_product Microsoft_Terminal_Server_RDP, attack_target Server, created_at 2017_01_23, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_02_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cserhtmlordi.net"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021827; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Redirect M2 Feb 24 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; file_data; content:"<meta http-equiv="; nocase; within:50; content:"refresh"; nocase; distance:1; within:7; content:"/webapps/"; nocase; distance:0; content:"/websrc"; distance:5; within:7; fast_pattern; classtype:social-engineering; sid:2024017; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, tag Phishing, updated_at 2017_02_24;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e8 06 34 93 99 f8 54 f2|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0b|Companyname"; distance:1; within:12; reference:md5,c7872508eededb17cf864886270fd3e9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021828; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Feb 26 2016"; flow:established,from_server; file_data; content:"|3d 20 28 2f 2a 67 66 2a 2f 22 73 5c 78 37 35 62 73 22 29 2b 2f 2a 67 66 2a 2f 22 74 72 22 3b|"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2024021; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2017_02_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Angler EK Redirector Sept 25 2015"; flow:to_client,established; file_data; content:"<body>"; pcre:"/^(?:(?!<\/body).)+?Content\s*?loading.*?Please wait.*?<iframe/Rsi"; content:"Content loading"; nocase; content:"Please wait"; nocase; distance:0; content:"<iframe s1=|22|off|22|"; fast_pattern; distance:0; content:"mask=true"; distance:0; classtype:exploit-kit; sid:2021840; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing Feb 27 2017"; flow:from_server,established; file_data; content:"<title>Dropbox"; nocase; fast_pattern; content:"app.png"; nocase; distance:0; content:"live.png"; nocase; distance:0; content:"off.png"; nocase; distance:0; classtype:social-engineering; sid:2025689; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0f|adtejoyo1377.tk"; distance:1; within:17; reference:md5,b40fc2d1f343affad7bc02ae9b37cd89; classtype:domain-c2; sid:2021842; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5500 (msg:"ET HUNTING Suspicious VNC Remote Admin Request"; flow:to_server,established; content:"|49 44 3a|"; depth:3; content:"temp"; nocase; fast_pattern; distance:0; content:"|52 46 42 20 30 30 33 2e 30 30 38 0a|"; distance:0; reference:md5,2faf3040e8286d506144a0585d8f4162; classtype:trojan-activity; sid:2024029; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_01, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2017_03_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|00 b1 f4 fe 4c 79 ed e9 98|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,bfd8db9ed284deb64c9e4fc5bfa758bd; reference:url,www.csis.dk/da/csis/news/4726/; classtype:domain-c2; sid:2021843; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Tags Remote Code Execution Attempt"; flow:established,to_client; content:"table"; nocase; content:"position|3A|absolute"; nocase; within:30; content:"clip|3A|rect"; fast_pattern; nocase; within:15; reference:bid,44536; reference:cve,2010-3962; classtype:attempted-user; sid:2011891; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_11_05, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_03_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|00 9e 0c 1c 4c 8a d4 41 f7|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,bfd8db9ed284deb64c9e4fc5bfa758bd; reference:url,www.csis.dk/da/csis/news/4726/; classtype:domain-c2; sid:2021844; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp any any -> any [139,445] (msg:"ET INFO Potentially unsafe SMBv1 protocol in use"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; content:!"r"; within:1; threshold: type limit, count 1, track by_src, seconds 1200; reference:url,www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices; reference:url,blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/; classtype:not-suspicious; sid:2023997; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2017_03_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|usercheck.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021845; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Microsoft-Edge protocol in use (Observed in Magnitude EK)"; flow:established,to_client; file_data; content:"microsoft-edge|3a|http"; nocase; fast_pattern; byte_test:1,>,0x21,-20,relative; byte_test:1,<,0x28,-20,relative; byte_test:1,!=,0x23,-20,relative; byte_test:1,!=,0x24,-20,relative; byte_test:1,!=,0x25,-20,relative; byte_test:1,!=,0x26,-20,relative; content:"location"; nocase; content:"iframe"; nocase; content:"contentWindow"; nocase; reference:url,www.brokenbrowser.com/abusing-of-protocols/; classtype:exploit-kit; sid:2024030; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_03_06, former_category WEB_CLIENT, malware_family BrokenBrowser, signature_severity Major, updated_at 2017_03_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Evil JavaScript Injection Sep 29 2015"; flow:established,to_client; file_data; content:"|76 61 72 20 61 3d 22 27 31 41 71 61 70 6b 72 76 27|"; content:"|27 30 30 27 30 32 29 27 30 32 27 30 30|"; fast_pattern; distance:0; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021846; rev:2; metadata:created_at 2015_09_30, former_category CURRENT_EVENTS, updated_at 2015_09_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Local file read using read protocol"; flow:established,to_client; file_data; content:"read|3a|"; nocase; fast_pattern; byte_test:1,>,0x21,-6,relative; byte_test:1,<,0x28,-6,relative; byte_test:1,!=,0x23,-6,relative; byte_test:1,!=,0x24,-6,relative; byte_test:1,!=,0x25,-6,relative; byte_test:1,!=,0x26,-6,relative; pcre:"/^\s*,\s*[a-zA-Z]\x3a[\x2f\x5c]/Ri"; reference:url,www.brokenbrowser.com/abusing-of-protocols/; classtype:misc-activity; sid:2024031; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_03_06, former_category WEB_CLIENT, malware_family BrokenBrowser, signature_severity Major, updated_at 2017_03_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Evil Redirector from iframe Sep 29 2015"; flow:established,to_server; content:"GET"; http_method; content:"/in/?|5f|BC="; depth:9; http_uri; fast_pattern; pcre:"/^\/in\/\?_BC=\d+,\d+,\d+,[0-9,-]+,$/U"; content:"Referer|3a|"; http_header; content:"/snitch?default|5f|keyword="; distance:0; http_header; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021848; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible MacOSX HelpViewer 10.12.1 XSS Arbitrary File Execution and Arbitrary File Read (CVE-2017-2361)"; flow:established,from_server; file_data; content:"%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f"; content:"javascript%253aeval"; fast_pattern; content:"help|3a 2f 2f|"; pcre:"/document\s*\.\s*location\s*?\x3d\s*?[\x27\x22]help\x3a\/\/\/[^\x3b]+?\%25252f\.\.\%25252f\.\.\%25252f\.\.\%25252f/"; reference:url,exploit-db.com/exploits/41443/; classtype:attempted-user; sid:2024034; rev:2; metadata:affected_product Mac_OSX, affected_product Safari, attack_target Client_Endpoint, created_at 2017_03_08, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2017_03_08;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 86 21 67 18 96 8a 67 e1|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,4568bc3e9c1a24ba792666ad1c620560; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021863; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Icoo CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/tUrl.xml?num="; http_uri; fast_pattern:only; content:"Accept-Language|3A| de-at"; http_header; reference:md5,1d2ddece4cd5cff3658c59e20d40dd8b; classtype:command-and-control; sid:2015019; rev:2; metadata:created_at 2012_07_04, former_category MALWARE, updated_at 2012_07_04;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 fa 10 e1 67 c6 9a 67 1b|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:md5,c55a60bb04a449eb8bc182f52124c341; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021864; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Gimemo/Aldibot CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"ukashcode="; http_client_body; depth:10; content:"&euro="; http_client_body; distance:0; content:"&submitukash="; http_client_body; distance:0; reference:url,www.evild3ad.com/?p=1693; classtype:command-and-control; sid:2014864; rev:2; metadata:created_at 2012_06_06, former_category MALWARE, updated_at 2012_06_06;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|legallyjumps.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021865; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SubmitToTDWTF.asmx DailyWTF Potential Source Code Leakage"; flow:established,to_server; content:"/SubmitWTF.asmx"; http_uri; content:"codeSubmission"; reference:url,thedailywtf.com/Articles/Submit-WTF-Code-Directly-From-Your-IDE.aspx; reference:url,code.google.com/p/submittotdwtf/source/browse/trunk/; classtype:policy-violation; sid:2011871; rev:2; metadata:created_at 2010_10_29, former_category POLICY, updated_at 2010_10_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|inbancosistems.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021866; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shiz/Rohimafo Binary Download Request"; flow:established,to_server; content:".php?id="; nocase; http_uri; content:"&magic="; http_uri; nocase; fast_pattern; pcre:"/\.php\?id=\d+&magic=(-)?\d+$/U"; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:url,doc.emergingthreats.net/2010793; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:trojan-activity; sid:2011769; rev:6; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 d5 f9 a6 1a fa 1e 76 c6|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,0453512c8c3bb940e8c40833d1076353; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021867; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; byte_test:3,<,1200,0,relative; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+|[a-z](?:\.[A-Za-z]){1,3})\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,13,1,relative; content:!"www."; distance:2; within:4; pcre:"/^.{2}(?P<CN>(?:(?:\d?[A-Z]?|[A-Z]?\d?)(?:[a-z]{3,20}|[a-z]{3,6}[0-9_][a-z]{3,6})\.){0,2}?(?:\d?[A-Z]?|[A-Z]?\d?)[a-z]{3,}(?:[0-9_-][a-z]{3,})?\.(?!com|org|net|tv)[a-z]{2,9})[01].*?(?P=CN)[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; content:!"GoDaddy"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023476; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 eb 96 25 e5 32 57 ee 34|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,77ebe2b014baf75e45c3009b0d42fa5d; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021868; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Mar 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"yass_email="; depth:11; nocase; http_client_body; content:"&yass_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024046; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_03_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 d3 1b a5 8f 1d d7 30 48|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,eeda4fa2b6f054acfce0dbc25493c366; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021869; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload Download M1 Mar 14 2017"; flow:established,from_server; file_data; content:"|2e de 08 bb 99 8a 7b 6c|"; within:8; classtype:exploit-kit; sid:2024053; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_03_14;)
 
-#alert tcp $HOME_NET any -> 38.115.131.0/24 5534 (msg:"ET DELETED Soulseek traffic (2)"; flow: established; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001186; classtype:policy-violation; sid:2001186; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload Download M2 Mar 14 2017"; flow:established,from_server; file_data; content:"|5e 5a a3 90 b9 31 7b 54|"; within:8; classtype:exploit-kit; sid:2024054; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_03_14;)
 
-#alert tcp $HOME_NET any -> 38.115.131.0/24 2234 (msg:"ET DELETED Soulseek traffic (1)"; flow: established; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001185; classtype:policy-violation; sid:2001185; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful iCloud Phish Mar 15 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta http-equiv=|22|Content-Type|22|"; nocase; content:"alert"; content:"|41 70 70 6c 65 20 49 44|"; nocase; within:20; fast_pattern; content:"|68 69 73 74 6f 72 79 2e 62 61 63 6b|"; nocase; distance:0; classtype:credential-theft; sid:2024059; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_03_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET !443 (msg:"ET GAMES Battle.net connection reset (possible IP-Ban)"; flow:to_client; flags:R,12; reference:url,doc.emergingthreats.net/bin/view/Main/2002117; classtype:policy-violation; sid:2002117; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2381 (msg:"ET EXPLOIT HP Smart Storage Administrator Remote Command Injection"; flow:to_server,established; content:"echo -n|20|"; pcre:"/^\s*(?:f0VMR|9FTE|\/RUxG)/R"; reference:cve,2016-8523; classtype:attempted-user; sid:2024063; rev:2; metadata:affected_product HP_Smart_Storage_Administrator, attack_target Server, created_at 2017_03_15, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2017_03_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|protecteding.su"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021884; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|nopassworddomaine.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024068; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|convertcodenj.net"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021885; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|asdallls.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Likely SweetOrange EK Java Exploit Struct (JAR)"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".jar"; http_uri; pcre:"/\/(?=[a-z0-9]{0,10}[A-Z])(?=[A-Z0-9]{0,10}[a-z])[A-Z-a-z0-9]{5,20}\.jar$/U"; classtype:exploit-kit; sid:2019542; rev:7; metadata:created_at 2014_10_28, former_category CURRENT_EVENTS, updated_at 2014_10_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|treesaboutword.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024070; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET 31337 -> $HOME_NET 64876 (msg:"ET EXPLOIT malformed Sack - Snort DoS-by-$um$id"; seq:0; ack:0; window:65535; dsize:0; reference:url,doc.emergingthreats.net/bin/view/Main/2002656; classtype:attempted-dos; sid:2002656; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Android Marcher C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|randfservices.co.uk"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024071; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 a2 62 91 f3 d9 eb d2 e8|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021887; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|radomir.tk"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024072; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 ba bc c3 80 e0 57 54 de|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021888; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|ui-images.ru"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024073; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Bank of America Phish 2015-10-02"; flow:to_client,established; file_data; content:"<title>Bank of America"; nocase; fast_pattern; content:"Thank you</title>"; nocase; distance:0; content:"information.Your submitted"; nocase; distance:0; content:"Accounts Management Department in 24 hours"; nocase; distance:0; classtype:credential-theft; sid:2031686; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2015_10_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|sopelnas.co"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024074; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP OPTIONS invalid method case"; flow:established,to_server; content:"options"; http_method; nocase; content:!"OPTIONS"; http_method; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011034; classtype:bad-unknown; sid:2011034; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|nesiron.co"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024075; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 dc 1a a4 07 08 2a 43 10|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,eeda4fa2b6f054acfce0dbc25493c366; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021894; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|securityupdate.at"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024076; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c3 10 44 fc ef 4e 6d 2a|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021895; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Chthonic MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|Anyverizozovali"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024077; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 dc 1a a4 07 08 2a 43 10|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021896; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; pcre:"/^.[\x0e\x0f](?!(?:www|ns))[a-z0-9]{2,3}/R"; content:".faisrl.net"; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024078; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 d3 01 2a 97 16 3f bd a5|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021897; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; pcre:"/^.[\x0a\x0b](?!(?:www|ns))[a-z0-9]{1,2}/R"; content:".kjaro.it"; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024079; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|bannerexchangenet.pw"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021898; rev:4; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|24brb.tk"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024080; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Adware/Spyware Adrotator for Rogue AV"; flow:established,to_server; content:"GET"; http_method; content:"nsi_install.php?"; http_uri; nocase; content:"aff_id="; nocase; http_uri; content:"&inst_result="; http_uri; content:"&id="; nocase; http_uri; reference:url,www.spywaredetector.net/spyware_encyclopedia/Trojan.Vapsup.htm; reference:url,www.spywaredetector.net/spyware_encyclopedia/Fake%20AntiSpyware.POWER-ANTIVIRUS-2009.htm; reference:url,www.threatexpert.com/threats/adware-agent-gen.html; reference:url,novirusthanks.org/blog/2008/11/rogue-antispyware-2009-served-through-beedlyus-ads/; reference:url,doc.emergingthreats.net/2009548; classtype:trojan-activity; sid:2009548; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|interface-ui.ru"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024081; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC"; flow:established,to_server; dsize:1; content:"|c8|"; flowbits:set,ET.inj.ajq.1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008055; classtype:command-and-control; sid:2008055; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sogelfeld.ws"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024082; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC packet 2"; flow:established,to_server; content:"|07|F"; depth:2; flowbits:isset,ET.inj.ajq.1; reference:url,doc.emergingthreats.net/2008056; classtype:command-and-control; sid:2008056; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|kmeses.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024084; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC Response"; flow:established,from_server; flowbits:isset,ET.inj.ajq.1; dsize:4; content:"|00 0e 04 00|"; reference:url,doc.emergingthreats.net/2008057; classtype:command-and-control; sid:2008057; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sklaaaor.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024085; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC port 443"; flow:established,to_server; dsize:1; content:"|c8|"; flowbits:set,ET.inj.ajq.1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008058; classtype:command-and-control; sid:2008058; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|securessl.info"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024086; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC packet 2 port 443"; flow:established,to_server; content:"|07|F"; depth:2; flowbits:isset,ET.inj.ajq.1; reference:url,doc.emergingthreats.net/2008059; classtype:command-and-control; sid:2008059; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|gamagrjoba.at"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024087; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC Response port 443"; flow:established,from_server; flowbits:isset,ET.inj.ajq.1; dsize:4; content:"|00 0e 04 00|"; reference:url,doc.emergingthreats.net/2008060; classtype:command-and-control; sid:2008060; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|c.beccaccechepassione.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024088; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 95 51 3e 68 35 08 62 53|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021902; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|shanycuusenetscape.xyz"; distance:1; within:23; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024089; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c6 4e a8 c7 a0 db 38 64|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021903; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|userlicensenon.club"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024090; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|8192bitssl.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021904; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|w4ait0.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024091; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing Page Oct 05 2015"; flow:established,from_server; file_data; content:"function ckl"; content:"VIP*/"; nocase; classtype:exploit-kit; sid:2021908; rev:3; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DustySky Checkin"; flow:established,to_server; urilen:10; content:"GET"; http_method; content:"/index.php"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"uvnc.com|0d 0a|"; http_header; nocase; content:"Host|3a|"; depth:5; http_header; content:"Connection|3a 20|Keep-Alive"; distance:0; http_header; pcre:"/^Host\x3a[^\r\n]+\r\nConnection\x3a\x20Keep-Alive\r\n(?:\r\n)?$/H"; content:!"Cookie|3a|"; reference:md5,07fd870e4ea8dd6b9503a956b5bb47f3; classtype:trojan-activity; sid:2021918; rev:7; metadata:created_at 2015_10_06, former_category TROJAN, updated_at 2017_03_21;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 d3 01 80 9e 81 6b f8 7c|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021909; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP STAT * dos attempt"; flow:to_server,established; content:"STAT"; nocase; pcre:"/^STAT\s+[^\n]*\x2a/smi"; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:attempted-dos; sid:2101777; rev:12; metadata:created_at 2010_09_23, former_category FTP, updated_at 2020_08_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|1networkgate.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021910; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"/billwebsvr.dll?Buy?user="; http_uri; content:"&key="; http_uri; content:"&channel="; http_uri; content:"&corp="; http_uri; content:"&product="; http_uri; content:"&phone="; http_uri; content:"&private="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012862; rev:4; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|golantus.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021911; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Length) M1"; flow:to_server,established; content:"Content-Length|3a|"; nocase; content:"{"; content:"}"; content:"java|2e|"; nocase; content:"|2e|ognl"; fast_pattern:only; pcre:"/^Content-Length\x3a[^\r\n]*?\{(?=[^\r\n]*java\.)[^\r\n]*\.ognl[^\r\n]*\}/mi"; classtype:web-application-attack; sid:2024094; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2017_03_21;)
 
-alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 1"; flow:established,from_server; content:"NOTICE"; content:"|3a|muBoT|20|Priv|20|Version"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021912; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Length) M2"; flow:to_server,established; content:"Content-Length|3a 20 25 7b 28|"; nocase; content:"{"; content:"}"; classtype:web-application-attack; sid:2024095; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2017_03_21;)
 
-alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 2"; flow:established,from_server; content:"NOTICE"; content:"|3a|muBoT|20|says|20|"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021913; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Disposition) M2"; flow:to_server,established; content:"Content-Disposition|3a 20 25 7b 28|"; nocase; content:"{"; content:"}"; classtype:web-application-attack; sid:2024097; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2017_03_21;)
 
-alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 3"; flow:established,from_server; content:"NOTICE"; content:"|3a|[Apache / PHP 5.x"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021914; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.Banker.AAD CnC Communication"; flow:established,to_server; content:"filename=|22|C|3A 5C|WINDOWS|5C|system32"; nocase; http_header; content:"Content-Type|3A| C|3A 5C|WINDOWS|5C|system32"; nocase; http_header; reference:md5,8556aec7ff96824e2da9d1b948ed7029; classtype:command-and-control; sid:2012300; rev:4; metadata:created_at 2011_02_07, former_category TROJAN, updated_at 2017_03_22;)
 
-alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 4"; flow:established,from_server; content:"NOTICE"; content:"FLOOD <target> <port> <secs>"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021915; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET DOS Microsoft Windows LSASS Remote Memory Corruption (CVE-2017-0004)"; flow:established,to_server; content:"|FF|SMB|73|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; byte_test:1,&,0x08,6,relative; byte_test:1,&,0x10,5,relative; byte_test:1,&,0x04,5,relative; byte_test:1,&,0x02,5,relative; byte_test:1,&,0x01,5,relative; content:"|ff 00|"; distance:28; within:2; content:"|84|"; distance:25; within:1; content:"NTLMSSP"; fast_pattern; within:64; reference:url,github.com/lgandx/PoC/tree/master/LSASS; reference:url,support.microsoft.com/en-us/kb/3216771; reference:url,support.microsoft.com/en-us/kb/3199173; reference:cve,2017-0004; reference:url,technet.microsoft.com/library/security/MS17-004; classtype:attempted-dos; sid:2023497; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_11, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2017_01_12;)
 
-alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 5"; flow:established,from_server; content:"NOTICE"; content:"|3a|Flooding with TCP"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021916; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/j"; http_uri; content:"?l"; http_uri; distance:0; pcre:"/\/j[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017179; rev:5; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 f7 36 c4 05 31 ea 21 d3|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021920; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download 2"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/j"; http_uri; pcre:"/\/j[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017180; rev:5; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 88 f8 8a 58 16 c2 f5 89|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021921; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Exploit Download Sep 30 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/j"; http_uri; content:"?f"; http_uri; distance:0; pcre:"/\/j[a-z]+?\?f[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017267; rev:8; metadata:created_at 2013_08_01, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nntpdinfo.pw"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021899; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download Sep 30 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/f"; http_uri; content:"?f"; http_uri; distance:0; pcre:"/\/f[a-z]+?\?f[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017268; rev:8; metadata:created_at 2013_08_01, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|fidobeta.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021924; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Neutrino/Fiesta EK SilverLight Exploit Jan 13 2014 DLL Naming Convention"; flow:established,from_server; file_data; content:"PK|01 02|"; content:"|10 00|"; distance:24; within:2; content:"AppManifest.xaml"; distance:16; within:16; content:"PK|01 02|"; within:36; content:"|07 00|"; distance:24; within:2; pcre:"/^.{16}[a-z]{3}\.dll/Rs"; content:"PK|05 06|"; within:36; content:"|02 00 02 00|"; distance:4; within:4; classtype:exploit-kit; sid:2017963; rev:3; metadata:created_at 2014_01_14, former_category CURRENT_EVENTS, updated_at 2017_03_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|makaronypolskie.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021925; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Neutrino/Fiesta EK SilverLight Exploit March 05 2014 DLL Naming Convention"; flow:established,from_server; file_data; content:"PK|01 02|"; content:"|10 00|"; distance:24; within:2; content:"AppManifest.xaml"; distance:16; within:16; content:"PK|01 02|"; within:36; content:"|08 00|"; distance:24; within:2; pcre:"/^.{16}[a-z]{4}\.dll/Rs"; content:"PK|05 06|"; within:36; content:"|02 00 02 00|"; distance:4; within:4; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018226; rev:3; metadata:created_at 2014_03_06, former_category CURRENT_EVENTS, updated_at 2017_03_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|crenuva.net"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021926; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; nocase; http_header; content:!"autodesk.com"; http_header; reference:url,doc.emergingthreats.net/2010908; classtype:trojan-activity; sid:2010908; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_04_03;)
 
-#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET P2P Edonkey Search Reply"; dsize:>200; content:"|e3 0f|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003315; classtype:policy-violation; sid:2003315; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mail.ru Phish Apr 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"new_auth_form="; depth:14; nocase; http_client_body; fast_pattern; content:"&page="; nocase; distance:0; http_client_body; content:"&back="; nocase; distance:0; http_client_body; content:"&FromAccount="; nocase; distance:0; http_client_body; content:"&Login="; nocase; distance:0; http_client_body; content:"&selector="; nocase; distance:0; http_client_body; content:"&Username="; nocase; distance:0; http_client_body; content:"&Password="; nocase; distance:0; http_client_body; content:"&saveauth="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024167; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; classtype:policy-violation; sid:2003310; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK PDF Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".pdf"; http_header; fast_pattern:only; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{7,8}\d{2,3}\.pdf\r\n/Hm"; file_data; content:"PDF-"; within:500; classtype:exploit-kit; sid:2020984; rev:3; metadata:created_at 2015_04_23, former_category CURRENT_EVENTS, updated_at 2017_04_04;)
 
-#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule Kademlia Hello Request"; dsize:<48; content:"|e4 11|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009970; classtype:policy-violation; sid:2009970; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sogou.com Spyware User-Agent (SogouIMEMiniSetup)"; flow:established,to_server; content:"User-Agent|3a| SogouIME"; http_header; reference:url,doc.emergingthreats.net/2008500; classtype:pup-activity; sid:2008500; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2017_04_04;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET MALWARE MSIL/Banker.M Requesting Binary from SQL"; flow:established,to_server; content:"S|00|E|00|L|00|E|00|C|00|T|00 20 00|i|00|m|00|g"; content:"F|00|R|00|O|00|M|00 20 00|d|00|b|00|o|00 2e 00|n|00|o|00|v|00|o|00|s|00|l|00|o|00|a|00|d|00 20 00|"; distance:0; reference:md5,54618b126c69b2f0a3309b7c0ac5ae26; reference:url,blogs.mcafee.com/mcafee-labs/brazilian-banking-malware-hides-in-sql-database/; classtype:trojan-activity; sid:2021930; rev:1; metadata:created_at 2015_10_08, updated_at 2015_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK CVE-2016-0189 Exploit M2"; flow:established,from_server; file_data; content:"|73 74 72 54 6f 49 6e 74 28 4d 69 64 28 6d 65 6d 2c 20 31 2c 20 32 29 29|"; content:"|2b 20 26 48 31 37 34|"; reference:cve,2016-0189; classtype:exploit-kit; sid:2024169; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_04_04;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:20; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK CVE-2015-2419 Exploit"; flow:established,from_server; file_data; content:"EB125831C966B9"; nocase; content:"05498034088485C975F7FFE0E8E9FFFFFFD10D61074028D7D5D3B544E0"; distance:2; within:58; nocase; reference:cve,2016-0189; classtype:exploit-kit; sid:2024170; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_04_04;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5820 (msg:"ET SCAN Potential VNC Scan 5800-5820"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2002910; classtype:attempted-recon; sid:2002910; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-LINK DIR-615 Cross-Site Request Forgery (CVE-2017-7398)"; flow:from_server,established; file_data; content:"/form2WlanBasicSetup.cgi"; fast_pattern; nocase; content:"method"; nocase; distance:0; pcre:"/^\s*=\s*[\x27\x22]\s*POST/Rsi"; content:"ssid"; nocase; content:"save"; nocase; content:"Apply"; nocase; distance:0; reference:cve,CVE-2017-7398; classtype:attempted-user; sid:2024181; rev:2; metadata:affected_product D_Link_DIR_615, attack_target Client_Endpoint, created_at 2017_04_05, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2017_04_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5900:5920 (msg:"ET SCAN Potential VNC Scan 5900-5920"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2002911; classtype:attempted-recon; sid:2002911; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M1 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"cpf="; depth:4; nocase; http_client_body; fast_pattern; content:"&next_pag="; nocase; distance:0; http_client_body; content:"&entrar="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024186; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 120; reference:url,doc.emergingthreats.net/2002992; classtype:misc-activity; sid:2002992; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M2 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_net="; depth:8; nocase; http_client_body; fast_pattern; content:"&cpf="; nocase; distance:0; http_client_body; content:"&continuar_acess="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024187; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"ET SCAN Rapid POP3S Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 120; reference:url,doc.emergingthreats.net/2002993; classtype:misc-activity; sid:2002993; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M3 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_4="; depth:6; nocase; http_client_body; fast_pattern; content:"&psw_net="; nocase; distance:0; http_client_body; content:"&cpf="; nocase; distance:0; http_client_body; content:"&proseguir="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024188; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/2002994; classtype:misc-activity; sid:2002994; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE W32/Kegotip CnC Beacon"; flow:established,to_server; content:"QXNka"; depth:5; reference:url,www.soleranetworks.com/blogs/cryptolocker-kegotip-medfos-malware-triple-threat/; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FKegotip.C; classtype:command-and-control; sid:2017627; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_10_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2017_04_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/2002995; classtype:misc-activity; sid:2002995; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any any -> $HOME_NET 23 (msg:"ET EXPLOIT Cisco Catalyst Remote Code Execution (CVE-2017-3881)"; flow:to_server,established; content:"|ff fa 24 00 03|CISCO_KITS"; content:"|3a|"; distance:2; within:1; isdataat:160,relative; content:!"|3a|"; within:160; reference:url,artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/; classtype:attempted-user; sid:2024194; rev:1; metadata:affected_product CISCO_Catalyst, attack_target IoT, created_at 2017_04_10, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2017_04_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"ET SCAN Potential SSH Scan OUTBOUND"; flow:to_server; flags:S,12; threshold: type threshold, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2003068; classtype:attempted-recon; sid:2003068; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit Newplayer.pdf"; flow:established,to_server; content:"/newplayer.pdf"; http_uri; reference:cve,2009-4324; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:exploit-kit; sid:2012941; rev:8; metadata:created_at 2011_06_07, former_category EXPLOIT_KIT, updated_at 2017_04_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (HTTPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{HTTPFLOOD}"; fast_pattern; nocase; content:"Started consuming data from host"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021872; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.DarkComet Keepalive Inbound"; flow:from_server,established; dsize:<30; content:"KEEPALIVE"; nocase; depth:9; pcre:"/^KEEPALIVE\x7c?\d/i"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; classtype:trojan-activity; sid:2013091; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_06_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2017_04_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (TCPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{TCPFLOOD}"; fast_pattern; nocase; content:"Started sending tcp data to host"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021873; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocENG Inject M3"; flow:established,from_server; file_data; content:"|69 64 3d 22 62 62 62 31 22 3e 43 6c 69 63 6b 20 6f 6e 20 74 68 65 20 43 68 72 6f 6d 65 5f 46 6f 6e 74 2e 65 78 65|"; classtype:social-engineering; sid:2024200; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, signature_severity Major, updated_at 2017_04_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (UDPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{UDPFLOOD}"; fast_pattern; nocase; content:"Started sending udp data to host"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021874; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Response"; flow:from_server,established; file_data; content:"[{|22|id|22 3a 22|0|22|,|22|command|22 3a 22|OK|22|}"; depth:26; fast_pattern; reference:md5,bc76d516a66e4002461128f62896c6dd; classtype:trojan-activity; sid:2024202; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_04_11, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Ewind, signature_severity Major, tag Android, updated_at 2017_04_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (AUTH)"; flow:established,from_server; content:"PRIVMSG"; content:"] {AUTH} User"; fast_pattern; distance:0; nocase; content:"logged "; distance:0; pcre:"/^(?:in|out)/R"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021875; rev:5; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Setup"; flow:established,to_server; content:".php?setup=d&s="; http_uri; content:"&r="; pcre:"/\.php\?setup=d&s=\d+&r=\d+$/U"; classtype:exploit-kit; sid:2015946; rev:3; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2017_04_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (RAW)"; flow:established,from_server; content:"PRIVMSG"; content:"{RAW}"; fast_pattern; nocase; content:"Executing command|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021876; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SEO Exploit Kit - Landing Page"; flow:established,to_client; content:"<div id=\"obj\"></div><div id=\"pdf\"></div><div id=\"hcp\">"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2011812; rev:5; metadata:created_at 2010_10_13, former_category EXPLOIT_KIT, updated_at 2017_04_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (EXEC)"; flow:established,from_server; content:"PRIVMSG"; content:"{EXEC}"; fast_pattern; nocase; content:"Executing command|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021877; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix-style Exploit Kit Java Request with semicolon in URI"; flow:established,to_server; content:"/?"; http_uri; content:"|3b| 1|3b| "; http_uri; content:"|29| Java/1."; http_header; pcre:"/\/\?[a-z0-9]{65,}\x3b \d\x3b \d/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2011988; rev:6; metadata:created_at 2010_12_01, former_category EXPLOIT_KIT, updated_at 2017_04_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (CHSERVER)"; flow:established,from_server; content:"PRIVMSG"; content:"{CHSERVER}"; fast_pattern; nocase; content:"Changing server|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021878; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (11)"; dsize:13<>32; content:"a"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023622; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (RESTART)"; flow:established,from_server; content:"PRIVMSG"; content:"{RESTART}"; fast_pattern; nocase; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021880; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (1)"; dsize:13<>32; content:"0"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023612; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command Complete 1"; flow:established,from_server; content:"PRIVMSG"; content:"] Process finished => Total bytes read|3a|"; fast_pattern; nocase; content:"Total bytes sent|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021881; rev:4; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (10)"; dsize:13<>32; content:"9"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023621; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command Complete 2"; flow:established,from_server; content:"PRIVMSG"; content:"Total connections completed|3a|"; fast_pattern; nocase; content:"Total connections failed|3a|"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021882; rev:4; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (12)"; dsize:13<>32; content:"b"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023623; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command Complete 3"; flow:established,from_server; content:"PRIVMSG"; content:" MB|2c| Average speed|3a|"; fast_pattern; nocase; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021883; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (13)"; dsize:13<>32; content:"c"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023624; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|httpsvalidator.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021937; rev:1; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (14)"; dsize:13<>32; content:"d"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023625; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|fidobeta.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021932; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (15)"; dsize:13<>32; content:"e"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023626; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|makaronypolskie.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021933; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (16)"; dsize:13<>32; content:"f"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023627; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|crenuva.net"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021934; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (2)"; dsize:13<>32; content:"1"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023613; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server"; flow:established,to_server; dsize:100<>300; content:"Gh0st"; depth:5; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; reference:url,www.symantec.com/connect/blogs/inside-back-door-attack; classtype:command-and-control; sid:2013214; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_06, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (3)"; dsize:13<>32; content:"2"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023614; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|1gateway.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021940; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (4)"; dsize:13<>32; content:"3"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023615; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - OWASP Zed Attack Proxy Certificate Seen"; content:"|16|"; depth:1; content:"OWASP Zed Attack Proxy Root CA"; nocase; classtype:misc-activity; sid:2021941; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_10_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (5)"; dsize:13<>32; content:"4"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023616; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - BurpSuite PortSwigger Proxy Certificate Seen"; content:"|16|"; depth:1; content:"PortSwigger CA"; nocase; classtype:misc-activity; sid:2021942; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_10_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (6)"; dsize:13<>32; content:"5"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023617; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - Fiddler Proxy Certificate Seen"; content:"|16|"; depth:1; content:"DO_NOT_TRUST_FiddlerRoot"; nocase; classtype:misc-activity; sid:2021943; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_10_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (7)"; dsize:13<>32; content:"6"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023618; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|1networkpoint.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021945; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (8)"; dsize:13<>32; content:"7"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023619; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex SSL Cert Oct 12 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|AU|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; classtype:trojan-activity; sid:2021946; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_13, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (9)"; dsize:13<>32; content:"8"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Win32/Kelihos.F Checkin"; flow:to_server,established; dsize:164; content:"|6c 55 55 45 03 10 48 40|"; offset:4; depth:8; reference:md5,dc226166dfbe28eee2576ea5141bc19d; reference:md5,dadee91e0b82fc91a25a66b61bb2f2dc; classtype:command-and-control; sid:2021947; rev:3; metadata:created_at 2015_10_13, former_category MALWARE, updated_at 2015_10_13;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO http string in hex Possible Obfuscated Exploit Redirect"; flow:established,to_client; content:"=[|22 5c|x68|5c|x74|5c|x74|5c|x70|5c|x3A|5c|x2F|5c|x2F|5c|"; classtype:bad-unknown; sid:2012118; rev:3; metadata:created_at 2010_12_30, former_category CURRENT_EVENTS, updated_at 2017_04_14;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Sept 8 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|0b 30 09 06 03 55 04 06 13 02 55 53|"; distance:0; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; byte_extract:1,1,olength,relative; content:!"|2e|"; within:olength; content:!"|20|"; within:olength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:!"support@"; distance:0; pcre:"/^.{2}[A-Za-z][a-z]*?@[a-z]+\.com0/R"; content:".com0"; fast_pattern:only; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021749; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2018_11_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redirection to driveby Page Home index.php"; flow:established,from_server; content:"/Home/index.php|22| width=1 height=1 scrolling=no></iframe>"; classtype:exploit-kit; sid:2013436; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_19, deployment Perimeter, former_category INFO, signature_severity Major, tag DriveBy, updated_at 2017_04_14;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Oct 12 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|0b 30 09 06 03 55 04 06 13 02 43 41 31|"; distance:0; fast_pattern; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; byte_extract:1,1,olength,relative; content:!"|2e|"; within:olength; content:!"|20|"; within:olength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:!"support@"; distance:0; pcre:"/^.{2}[A-Za-z][a-z]*?@[a-z]+\.com[01]/R"; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021948; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALROMANCE MS17-010"; flow:from_server,established; content:"|FF|SMB|25 05 00 00 80|"; offset:4; depth:9; content:"LSbfLScnLSepLSlfLSmf"; distance:0; fast_pattern; content:"LSrfLSsrLSscLSblLSss"; within:20; content:"LSshLStrLStcLSopLScd"; within:20; flowbits:set,ETPRO.ETERNALROMANCE; classtype:trojan-activity; sid:2024208; rev:1; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_04_17;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 c5 52 94 88 a7 4d 68 f4|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021950; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ECLIPSEDWING MS08-067"; flow:to_server,established; content:"|ff|SMB|2f 00 00 00 00|"; offset:4; depth:9; content:"|00 00 00 00 ff ff ff ff 08 00|"; distance:30; within:10; content:"|2e 00 00 00 00 00 00 00 2e 00 00 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; within:12; fast_pattern; content:"|2e 00 00 00 00 00 00 00 2e 00 00 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; within:12; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; distance:0; isdataat:800,relative; classtype:trojan-activity; sid:2024215; rev:1; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_04_17;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme (fardh ain)"; flow: to_client,established; content:"fardh ain"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010578; classtype:policy-violation; sid:2010578; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALCHAMPION MS17-010 Sync Request (set)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18 03 c0 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:4; depth:24; content:"|00 00 00 00 ff ff ff ff 00 00|"; distance:17; within:10; content:"|5c 00 50 00 49 00 50 00 45 00 5c 00 4c 00 41 00 4e 00 4d 00 41 00 4e 00 00 00|"; distance:13; within:26; content:"|82 00|zb12g12DWrLehig24"; within:19; fast_pattern; flowbits:set,ET.ETERNALCHAMPIONsync; flowbits:noalert; classtype:trojan-activity; sid:2024212; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_04_17;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme/Group (Takfir)"; flow: to_client,established; content:"Takfir"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010579; classtype:policy-violation; sid:2010579; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Malicious Gzip PowerShell over HTTP"; flow:established,from_server; file_data; content:"FromBase64String"; content:"H4sIAI"; distance:0; fast_pattern; content:"GzipStream"; nocase; distance:0; classtype:trojan-activity; sid:2024221; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_18, deployment Perimeter, former_category TROJAN, malware_family PowerShell, performance_impact Moderate, signature_severity Major, tag PowerShell, updated_at 2017_04_18;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme (Al-Wala' Wal Bara)"; flow: to_client,established; content:"Al-Wala' Wal Bara"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010580; classtype:policy-violation; sid:2010580; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"ET MALWARE IRC Nick change on non-standard port"; flow:to_server,established; dsize:<64; content:"NICK "; depth:5; content:!"twitch.tv|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; classtype:trojan-activity; sid:2000345; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Nemucod.M.gen downloading EXE payload"; flow:from_server,established; flowbits:isset,ET.nemucod.exerequest; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021954; rev:2; metadata:created_at 2015_10_15, updated_at 2015_10_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iCloud Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"ip="; depth:3; nocase; http_client_body; content:"&city="; nocase; distance:0; http_client_body; content:"&country="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; fast_pattern; content:"&sbBtn="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024231; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Nemucod.M.gen downloading PDF payload"; flow:from_server,established; flowbits:isset,ET.nemucod.pdfrequest; file_data; content:"%PDF-"; within:5; fast_pattern; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021955; rev:2; metadata:created_at 2015_10_15, updated_at 2015_10_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alitalia Airline Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"carta="; depth:6; nocase; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; content:"&imageField"; nocase; distance:0; http_client_body; content:"&nome="; nocase; distance:0; http_client_body; content:"&VBV="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024232; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 d3 0f 9b a5 56 a0 f7 57|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021957; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET POLICY Radmin Remote Control Session Authentication Initiate"; flow:established,to_server; dsize:<20; content:"|01 00 00 00 05 00 00 02 27 27 02 00 00 00|"; flowbits:set,BE.Radmin.Auth.Challenge; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003481; classtype:not-suspicious; sid:2003481; rev:5; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 db d0 33 6a 28 4f 39 2c|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021958; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Authentication Response"; flowbits:isset,BE.Radmin.Auth.Challenge; flow:established,from_server; dsize:<20; content:"|01 00 00 00 05 00 00 00 27 27 00 00 00 00|"; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003482; classtype:not-suspicious; sid:2003482; rev:6; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|best-apps.name"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021959; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert ftp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET HUNTING Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; classtype:non-standard-protocol; sid:2003055; rev:13; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2021_12_16;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Versatile Bulletin Board SQL Injection Attack"; flow:to_server,established; content:"/index.php?"; http_uri; nocase; content:"select="; nocase; http_uri; fast_pattern; pcre:"/UNION\s+SELECT/URi"; reference:bugtraq,15068; reference:url,doc.emergingthreats.net/2002494; classtype:web-application-attack; sid:2002494; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Baidu.com Spyware Bar Reporting"; flow:to_server,established; content:"/update/barcab/"; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003340; classtype:pup-activity; sid:2003340; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_04_21;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP USER overflow attempt"; flow:to_server,established,no_stream; content:"USER|20|"; nocase; isdataat:100,relative; pcre:"/^USER\x20[^\x00\x20\x0a\x0d]{100}/smi"; reference:bugtraq,10078; reference:bugtraq,1227; reference:bugtraq,1504; reference:bugtraq,1690; reference:bugtraq,4638; reference:bugtraq,7307; reference:bugtraq,8376; reference:cve,1999-1510; reference:cve,1999-1514; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0761; reference:cve,2000-0943; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0256; reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126; reference:cve,2002-1522; reference:cve,2003-0271; reference:cve,2004-0286; classtype:attempted-admin; sid:2101734; rev:36; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Baidu.com Spyware Bar Pulling Content"; flow:to_server,established; content:"/update/cab/loadmovie.swf"; nocase; http_uri; content:"bar.baidu.com"; nocase; http_header; fast_pattern; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003341; classtype:pup-activity; sid:2003341; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_04_21;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Oct 19 2015"; flow:established,from_server; file_data; content:!".swf"; content:"<html>"; pcre:"/^\s*?\r?\n\s*?<body>\s*?\r?\n\s*?<script>\s*\r?\n\s*?<\/script>/Rs"; content:"value=|22|#ffffff|22|"; content:"<object"; pcre:"/^(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22(?![^\x22]+\.[Ss][Ww][Ff])[^\x22]*?\x22/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2021969; rev:3; metadata:created_at 2015_10_19, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Baidu.com Spyware Bar Pulling Data"; flow:to_server,established; content:"/cpro/ui/ui"; nocase; http_uri; content:"baidu.com"; nocase; http_header; content:!"Referer|3a| "; nocase; http_header; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003578; classtype:pup-activity; sid:2003578; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_04_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (1)"; flow:established,to_client; file_data; content:"|d8 57 45 e6 17 f8 ec bb|"; distance:4; within:8; classtype:exploit-kit; sid:2021970; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Baidu.com Agent User-Agent (Desktop Web System)"; flow:to_server,established; content:"User-Agent|3a| Desktop Web System"; nocase; http_header; reference:url,doc.emergingthreats.net/2003604; classtype:trojan-activity; sid:2003604; rev:9; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (2)"; flow:established,to_client; file_data; content:"|d5 88 7d dc 8a 95 4b be|"; distance:4; within:8; classtype:exploit-kit; sid:2021971; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Baidu.com Related Agent User-Agent (iexp)"; flow:to_server,established; content:"User-Agent|3a| iexp|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2003608; classtype:trojan-activity; sid:2003608; rev:13; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (3)"; flow:established,to_client; file_data; content:"|08 42 7d|"; distance:4; within:3; pcre:"/^(?:\x4c|\x35)/R"; classtype:exploit-kit; sid:2021972; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT ElTest Exploit Kit Redirection Script"; flow:established,to_client; file_data; content:"<script"; nocase; content:"text/javascript"; within:50; nocase; content:"|22|iframe|22|"; within:100; nocase; content:".style.border= |22|0px|22|"; within:200; fast_pattern; nocase; content:"frameborder"; within:100; nocase; content:".setAttribute("; within:50; nocase; content:"document.body.appendChild("; within:100; nocase; content:"= |22|http"; within:100; nocase; content:".src="; distance:0; nocase; content:"<|2F|script>"; within:50; nocase; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-campaign-evolution-eitest-october-december-2016/; classtype:exploit-kit; sid:2024237; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_24, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Moderate, signature_severity Major, updated_at 2017_04_24;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|UK|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; classtype:domain-c2; sid:2021980; rev:1; metadata:attack_target Client_and_Server, created_at 2015_10_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING ARM Binary Downloaded via WGET Containing Suspicious Netcat Command - Possible IoT Malware"; flow:from_server,established; flowbits:isset,ET.armwget; content:"|25|24|25|28nc+"; content:"+-e+|25|2Fbin|25|2Fsh|25|29"; within:50; fast_pattern; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; classtype:trojan-activity; sid:2024241; rev:2; metadata:attack_target IoT, created_at 2017_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2017_04_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible ethereum traffic"; flow:established,to_server; content:"POST"; depth:4; content:"|22|id|22 3a|"; nocase; distance:0; content:"|22|jsonrpc|22 3a|"; nocase; distance:0; content:"|22|method|22 3a|"; nocase; distance:0; pcre:"/^[^/s]*(?:eth_(?:g(?:et(?:B(?:lock(?:TransactionCountBy(?:Number|Hash)|By(?:Number|Hash))|alance)|Transaction(?:By(?:Block(?:Number|Hash)AndIndex|Hash)|(?:Receip|Coun)t)|Uncle(?:ByBlock(?:Number|Hash)AndIndex|CountByBlock(?:Number|Hash))|(?:Filter(?:Change|Log)|Log)s|Co(?:mpilers|de)|StorageAt|Work)|asPrice)|(?:(?:new(?:PendingTransaction|Block)?|uninstall)Filt|blockNumb)er|s(?:(?:end(?:Raw)?Transactio|ig)n|ubmit(?:Hashrate|Work)|yncing)|c(?:o(?:mpile(?:S(?:olidity|erpent)|LLL)|inbase)|all)|(?:estimateGa|account)s|protocolVersion|hashrate|mining)|shh_(?:new(?:Identity|Filter|Group)|get(?:FilterChan|Messa)ges|uninstallFilter|hasIdentity|addToGroup|version|post)|db_(?:get(?:String|Hex)|put(?:String|Hex))|net_(?:listening|peerCount|version)|web3_(?:clientVersion|sha3))/R"; reference:url,github.com/ethereum/wiki/wiki/JSON-RPC; classtype:policy-violation; sid:2021983; rev:2; metadata:created_at 2015_10_20, former_category POLICY, updated_at 2015_10_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ARM Binary Downloaded via WGET Containing GoAhead and Multiple Camera RCE 0Day Vulnerabilities"; flow:from_server,established; flowbits:isset,ET.armwget; content:"/set_ftp.cgi"; fast_pattern; content:"&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr="; distance:0; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; reference:url,pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html; classtype:trojan-activity; sid:2024242; rev:2; metadata:attack_target IoT, created_at 2017_04_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_04_25;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|fat.uk-fags.top"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021981; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL cert (pyteHole Ransomware)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|services.pasmik.net"; distance:1; within:20; reference:md5,f652968bfe0861b56c8bdc111d902512; classtype:trojan-activity; sid:2024246; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_25, deployment Perimeter, former_category MALWARE, malware_family pyteHole, signature_severity Major, tag Ransomware, updated_at 2017_04_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|default"; distance:1; within:8; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|14|support@vpn-core.net"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021982; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_20, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, malware_family Retefe, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32.LoadMoney User Agent"; flow:established,to_server; content:"Downloader "; http_user_agent; fast_pattern:only; pcre:"/^User-Agent\x3a Downloader \d\.\d\r?$/Hm"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024260; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_27, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2017_04_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible click2play bypass Oct 19 2015 B64 1"; flow:established,from_server; file_data; content:"cHJvZ3Jlc3MtY2xhc3"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021986; rev:2; metadata:created_at 2015_10_21, former_category EXPLOIT, updated_at 2015_10_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LoadMoney User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|Downloader 18.7|0d 0a|"; http_header; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2022911; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category MALWARE, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2017_04_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible click2play bypass Oct 19 2015 B64 2"; flow:established,from_server; file_data; content:"Byb2dyZXNzLWNsYXNz"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021987; rev:2; metadata:created_at 2015_10_21, former_category CURRENT_EVENTS, updated_at 2015_10_21;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Red Leaves magic packet response detected (APT10 implant)"; flowbits:isset,ncc.apt10.beacon_send; flow:established,to_client; dsize:12; content:"|7a 8d 9b dc|"; offset:4; depth:4; threshold:type limit, track by_dst, count 1, seconds 600; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; reference:url,blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html; classtype:targeted-activity; sid:2024174; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family RedLeaves, malware_family Red_Leaves, performance_impact Low, signature_severity Major, tag APT, tag APT10, tag RedLeaves, updated_at 2017_04_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible click2play bypass Oct 19 2015 B64 3"; flow:established,from_server; file_data; content:"wcm9ncmVzcy1jbGFzc"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021988; rev:2; metadata:created_at 2015_10_21, former_category CURRENT_EVENTS, updated_at 2015_10_21;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red Leaves magic packet detected (APT10 implant)"; flow:established,to_server; dsize:12; content:"|7a 8d 9b dc|"; offset:4; depth:4; flowbits:set,ncc.apt10.beacon_send; threshold:type limit, track by_src, count 1, seconds 600; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; reference:url,blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html; classtype:targeted-activity; sid:2024173; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family RedLeaves, malware_family Red_Leaves, performance_impact Low, signature_severity Major, tag APT10, tag RedLeaves, updated_at 2017_04_28;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Light Weight Calendar 'date' Arbitrary Remote Code Execution"; flow: to_server,established; content:"/index.php?"; nocase; http_uri; content:"date="; fast_pattern; http_uri; pcre:"/date=\d{8}\)\;./Ui"; reference:url,doc.emergingthreats.net/2002777; classtype:web-application-attack; sid:2002777; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FoxxySoftware - Landing Page"; flow:established,to_client; content:"eval(function(p,a,c,"; content:"|7C|zzz|7C|"; distance:0; classtype:trojan-activity; sid:2014934; rev:3; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2017_04_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (5)"; flow:established,to_client; file_data; content:"|91 29 83 25 66 1e be fb|"; distance:4; within:8; classtype:exploit-kit; sid:2021989; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.Downloader.pgp Checkin"; flow:established,to_server; content:"?id="; http_uri; content:"&e="; http_uri; content:"&err="; http_uri;content:"&c="; http_uri; reference:url,doc.emergingthreats.net/2008492; classtype:trojan-activity; sid:2008492; rev:6; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_05_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (6)"; flow:established,to_client; file_data; content:"|57 05 11 53 6c d2 02 f9|"; distance:4; within:8; classtype:exploit-kit; sid:2021990; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound"; flow:to_server; content:"|84 00 00|"; byte_test:1,<,9,0,relative; byte_jump:1,0,relative,post_offset -4; content:"|00 00 00|"; within:3; byte_test:1,<,8,0,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022506; rev:3; metadata:created_at 2016_02_12, former_category EXPLOIT, updated_at 2017_05_02;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NetWire Variant - Client Hello"; flow:established,to_server; flowbits:set,ET.NetWire; flowbits:noalert; content:"|01 00 00 00 00|"; depth:5; dsize:6; reference:url,researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic; reference:url,www.circl.lu/pub/tr-23; classtype:trojan-activity; sid:2021976; rev:2; metadata:created_at 2015_10_20, updated_at 2016_08_30;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound 2"; flow:to_server; content:"|84 20|"; depth:2; offset:16; byte_test:2,<,9,12,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022515; rev:2; metadata:created_at 2016_02_12, former_category EXPLOIT, updated_at 2017_05_02;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE NetWire Variant - Server Directory Listing Request"; flow:established,to_client; flowbits:isset,ET.NetWire; content:"|01|"; depth:1; content:"|00 00 00 06 43 3A|"; distance:1; within:6; reference:url,researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic; reference:url,www.circl.lu/pub/tr-23; classtype:trojan-activity; sid:2021979; rev:2; metadata:created_at 2015_10_20, updated_at 2015_10_20;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound 3"; flow:to_server; content:"|84 10|"; depth:2; offset:16; byte_test:2,<,9,12,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022516; rev:2; metadata:created_at 2016_02_12, former_category EXPLOIT, updated_at 2017_05_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Account Phish Landing Oct 22"; flow:established,from_server; file_data; content:"<title>Sign in</title>"; content:"name=chalbhai"; fast_pattern; nocase; distance:0; content:"required title=|22|Please Enter Right Value|22|"; nocase; distance:0; content:"required title=|22|Please Enter Right Value|22|"; nocase; distance:0; classtype:social-engineering; sid:2025692; rev:2; metadata:created_at 2015_10_22, former_category CURRENT_EVENTS, updated_at 2018_07_12;)
+alert tcp $HOME_NET any -> any any (msg:"ET MALWARE SuperCMD CnC Beacon"; flow:established,to_server; content:"windows update "; depth:15; pcre:"/^[A-F0-9]+\x00/R"; reference:md5,816db8a1916201309d2a24b4a745305b; reference:url,blogs.rsa.com/supercmd-rat/; classtype:command-and-control; sid:2024273; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, tag c2, updated_at 2017_05_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|FR|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021993; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M1"; flow:to_server,established; content:"Host|3a|"; http_header; nocase; content:"("; http_header; nocase; content:")"; http_header; pcre:"/^Host\x3a[^\r\n]+?[\x28\x29\x27\x22\x7b\x7d]/Hmi"; reference:url,exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html; classtype:web-application-attack; sid:2024277; rev:3; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2017_05_05, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2017_05_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|volha.xyz"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021994; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Known Hostile Domain ant.trenz .pl Lookup"; content:"|03|ant|05|trenz|02|pl|00|"; nocase; classtype:trojan-activity; sid:2024281; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_08, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2017_05_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.DarkComet Screenshot Upload Successful"; flow:established,to_server; dsize:7; content:"ENDSNAP"; reference:md5,38abba51bdf98347fc4f91642b21b041; classtype:trojan-activity; sid:2021996; rev:1; metadata:created_at 2015_10_23, updated_at 2015_10_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 1"; flowbits:noalert; flow: to_client,established; file_data; content:"|3C|OBJECT"; nocase; content:"application/x-oleobject"; nocase; within:64; content:"codebase="; nocase; content:"hhctrl.ocx"; nocase; within:15; flowbits:set,winhlp32; reference:url,doc.emergingthreats.net/bin/view/Main/2001622; classtype:web-application-attack; sid:2001622; rev:16; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2017_05_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Aug 02 2015"; flow:established,from_server; file_data; content:"value=|22|#ffffff|22|"; content:!".swf"; nocase; content:"<html>"; pcre:"/^\s*?<body>\s*?<script>(?:\s*var\s+[a-z]+\s*?=\s*?\d+\s*?\x3b\s*?)*?\s*?<\/script>/Rs"; content:"<object"; pcre:"/^(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22(?![^\x22]+\.[Ss][Ww][Ff])[^\x22]*?\x22/Rs"; content:"</object>"; distance:0; pcre:"/^\s*?<\/body>\s*?\s*?<\/html>\s*?$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2021587; rev:5; metadata:created_at 2015_08_04, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 2"; flow:to_client,established; flowbits:isset,winhlp32; file_data; content:"|3C|PARAM"; nocase; content:"value="; nocase; content:"command|3B|"; nocase; pcre:"/(javascript|http|ftp|vbscript)/iR"; reference:url,doc.emergingthreats.net/bin/view/Main/2001623; classtype:web-application-attack; sid:2001623; rev:15; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2017_05_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Duuzer Checkin"; flow:established,to_server; content:"|32 a3 56 bb 47 4f 32 00|"; depth:8; fast_pattern; content:"|30 b9 00 00|"; distance:3; within:4; reference:url,symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers; reference:md5,cd7a72be9c16c2ece1140bc461d6226d; classtype:command-and-control; sid:2022000; rev:1; metadata:created_at 2015_10_26, former_category MALWARE, updated_at 2015_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 3"; flow:to_client, established; flowbits:isset,winhlp32; file_data; content:".HHClick|2829|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001624; classtype:web-application-attack; sid:2001624; rev:15; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2017_05_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Oct 26 2015"; flow:established,from_server; content:"|0d 0a|Set-Cookie|3a 20|qtaho="; classtype:exploit-kit; sid:2022001; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_26, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 03 2016"; flow:established,to_server; content:"/wordpress/?"; http_uri; depth:12; pcre:"/^\/wordpress\/\?[A-Za-z0-9]{4}(?:&utm_source=le)?$/U"; classtype:exploit-kit; sid:2022859; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2017_05_08;)
 
-alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - Data Channel Client Request"; flow:established,to_server; content:"NO|7C|CRYPTDESK*"; depth:13; classtype:trojan-activity; sid:2022002; rev:1; metadata:created_at 2015_10_26, updated_at 2015_10_26;)
+#alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT Foofus.net Password dumping dll injection"; flow:to_server,established; content:"|6c 00 73 00 72 00 65 00 6d 00 6f 00 72 00 61|"; reference:url,xinn.org/Snort-fgdump.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008476; classtype:suspicious-filename-detect; sid:2008476; rev:4; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2017_05_08;)
 
-alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - Data Channel Server Response"; flow:established,to_client; content:"GO8_=_8"; dsize:7; classtype:trojan-activity; sid:2022003; rev:1; metadata:created_at 2015_10_26, updated_at 2015_10_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Probable FlimKit Redirect July 10 2013"; flow:established,to_server; content:"/b.swf|0d 0a|"; http_header; fast_pattern:only; content:!"revolvermaps.com"; http_header; pcre:"/^Referer\x3a[^\r\n]+\/b.swf\r$/Hm"; flowbits:set,FlimKit.SWF.Redirect; classtype:trojan-activity; sid:2017125; rev:5; metadata:created_at 2013_07_11, former_category CURRENT_EVENTS, updated_at 2017_05_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK IE Exploit Aug 23 2015"; flow:to_server,established; urilen:>50; content:"POST"; http_method; content:"application/json"; http_header; content:"|22 67 22 3a 22|"; http_client_body; fast_pattern; content:"|22 70 22 3a 22|"; http_client_body; content:"|22 41 22 3a 22|"; http_client_body; pcre:"/\?(?=[a-z\d\x3d&\x2e]*?[A-Z])(?=[A-Z\d=&\x2e]*?[a-z])(?=[A-Za-z=&\x2e]*?\d)[A-Za-z\d=&\x2e]{50,}$/U"; classtype:exploit-kit; sid:2021708; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_08_24, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing July 10 2013"; flow:established,from_server; file_data; flowbits:isset,FlimKit.SWF.Redirect; content:".substring("; fast_pattern:only; nocase; content:"document.write("; nocase; content:".substring("; distance:0; nocase; content:".substring("; distance:0; nocase; content:".substring("; distance:0; nocase; classtype:trojan-activity; sid:2017126; rev:3; metadata:created_at 2013_07_11, former_category CURRENT_EVENTS, updated_at 2017_05_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|LU|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022004; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyspotter.com Access Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:".oemji.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001539; classtype:pup-activity; sid:2001539; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_05_11;)
 
-#alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LummoX Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| LummoX Logger"; fast_pattern; nocase; classtype:trojan-activity; sid:2022005; rev:2; metadata:created_at 2015_10_28, updated_at 2015_10_28;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP Delphi Likely Precursor to Scan"; itype:8; icode:0; content:"Pinging from Delphi code written"; reference:url,www.koders.com/delphi/fid942A4EAF946B244BD3CD9BC83FEAAC35BA1F38AB.aspx; reference:url,doc.emergingthreats.net/2010681; classtype:misc-activity; sid:2010681; rev:3; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Malicious Redirect Leading to EK Oct 29"; flow:to_server,established; urilen:5; content:"/533L"; classtype:exploit-kit; sid:2022009; rev:3; metadata:created_at 2015_10_29, updated_at 2015_10_29;)
+alert tcp $HOME_NET 3306 -> $EXTERNAL_NET any (msg:"ET SCAN Multiple MySQL Login Failures Possible Brute Force Attempt"; flow:from_server,established; dsize:<251; byte_test:1,<,0xfb,0,little; content:"|ff 15 04 23 32 38 30 30 30|"; offset:4; threshold: type threshold, track by_src, count 5, seconds 120; reference:url,doc.emergingthreats.net/2010494; classtype:attempted-recon; sid:2010494; rev:4; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible WhiteLotus IE Payload"; flow:established,to_server; content:"GET"; http_method; content:"/?"; depth:2; http_uri; fast_pattern; content:" MSIE "; http_user_agent; content:!"Referer|3a|"; http_header; content:"|0d 0a 0d 0a|"; pcre:"/^\/\?[A-Za-z0-9]+=(?P<v1>[^&]+)&(?P=v1)=[A-Za-z0-9]+$/U"; classtype:trojan-activity; sid:2017743; rev:4; metadata:created_at 2013_11_22, updated_at 2013_11_22;)
+alert tcp $HOME_NET any -> any 445 (msg:"ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001569; classtype:misc-activity; sid:2001569; rev:15; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy HTTP CnC Beacon"; flow:established,to_server; content:"|20|HTTP|3a 2f 2f|"; offset:3; depth:9; content:!"Host|3a|"; distance:0; content:!"User-Agent|3a|"; distance:0; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HTTP/1.1|0d 0a|Cookie|3a 20|id="; fast_pattern; pcre:"/^[0-9A-F]{12}/R"; reference:md5,1aca09c5eefb37539e86ec86dd3be72f; reference:url,blog.jpcert.or.jp/2015/07/poisonivy-adapts-to-communicate-through-authentication-proxies.html; classtype:command-and-control; sid:2021523; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Major, tag PoisonIvy, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $HOME_NET any -> any 139 (msg:"ET SCAN Behavioral Unusual Port 139 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001579; classtype:misc-activity; sid:2001579; rev:15; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 59 43 e2 96 23 5b 17|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,c0c8178b7ef2a8c067c68a7fb7dc7ecd; classtype:domain-c2; sid:2022021; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> any 137 (msg:"ET SCAN Behavioral Unusual Port 137 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001580; classtype:misc-activity; sid:2001580; rev:15; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP Possible Misuse Call from MERA RTU"; flow:to_server,established; content:"|22 c0 09 00 7a b7 07|MERA RTU|08|"; classtype:misc-attack; sid:2022022; rev:1; metadata:created_at 2015_11_03, updated_at 2015_11_03;)
+alert tcp $HOME_NET any -> any 135 (msg:"ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001581; classtype:misc-activity; sid:2001581; rev:15; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP Q.931 Call Setup - Inbound"; flow:to_server,established; content:"|08|"; offset:4; depth:1; content:"|05 04|"; distance:3; within:2; classtype:misc-activity; sid:2022023; rev:1; metadata:created_at 2015_11_03, updated_at 2015_11_03;)
+alert tcp $HOME_NET any -> any 1434 (msg:"ET SCAN Behavioral Unusual Port 1434 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 40 , seconds 60; reference:url,doc.emergingthreats.net/2001582; classtype:misc-activity; sid:2001582; rev:15; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP H.323 in Q.931 Call Setup - Inbound"; flow:to_server,established; content:"|08|"; offset:4; depth:1; byte_jump:1,0,relative; content:"|05 04|"; within:2; byte_jump:1,0,relative; content:"|70|"; byte_jump:1,0,relative; content:"|7E|"; within:1; byte_test:1,!&,0x0F,3,relative; isdataat:31; classtype:misc-activity; sid:2022024; rev:1; metadata:created_at 2015_11_03, updated_at 2015_11_03;)
+alert tcp $HOME_NET any -> any 1433 (msg:"ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 40 , seconds 60; reference:url,doc.emergingthreats.net/2001583; classtype:misc-activity; sid:2001583; rev:16; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Jimdo.com Phishing PDF via HTTP"; flow:established,from_server; file_data; content:"/Subtype/Link/Rect"; content:"/BS<</W 0>>/F 4/A<</Type/Action/S/URI/URI (http|3a|//"; distance:0; content:".jimdo.com/)>"; distance:0; fast_pattern; content:"www.Neevia.com"; distance:0; content:"Neevia Document Converter"; distance:0; reference:md5,70eaba2ab6410e3541a2e24a482ddddd; classtype:social-engineering; sid:2022029; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_10_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Inbound)"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; reference:url,doc.emergingthreats.net/2001972; classtype:network-scan; sid:2001972; rev:20; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cybergate/Rebhip/Spyrat Backdoor Keepalive"; flow:from_server,established; dsize:<100; content:"ping|7c|"; depth:5; content:!"|7c|"; within:1; classtype:trojan-activity; sid:2017990; rev:12; metadata:created_at 2011_04_09, updated_at 2011_04_09;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP @hello request Likely Precursor to Scan"; itype:8; icode:0; content:"@hello ???"; reference:url,doc.emergingthreats.net/2010641; classtype:misc-activity; sid:2010641; rev:3; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive (Remax) Phish Landing Nov 4"; flow:established,from_server; file_data; content:"#MyRemax_Password"; nocase; fast_pattern; content:"#MyRemax_Email"; nocase; distance:0; content:"<title>Meet Google Drive"; nocase; distance:0; classtype:social-engineering; sid:2022035; rev:2; metadata:created_at 2015_11_04, former_category CURRENT_EVENTS, updated_at 2017_08_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Outbound)"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; reference:url,threatpost.com/en_us/blogs/new-worm-morto-using-rdp-infect-windows-pcs-082811; classtype:misc-activity; sid:2013479; rev:5; metadata:created_at 2011_08_29, former_category SCAN, updated_at 2017_05_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Google Drive (Remax) Phish Nov 4"; flow:to_server,established; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary=---------"; http_header; content:"form-data|3b 20|name=|22|server|22|"; nocase; http_client_body; fast_pattern; content:"form-data|3b 20|name=|22|ipLists|22|"; nocase; http_client_body; distance:0; content:"form-data|3b 20|name=|22|ipEmpty|22|"; nocase; http_client_body; distance:0; content:"form-data|3b 20|name=|22|MyRemax_Email|22|"; nocase; http_client_body; distance:0; content:"form-data|3b 20|name=|22|MyRemax_Password|22|"; nocase; http_client_body; distance:0; classtype:credential-theft; sid:2022036; rev:2; metadata:created_at 2015_11_04, former_category PHISHING, updated_at 2019_09_06;)
+alert icmp any any -> any any (msg:"ET MALWARE Philis.J ICMP Sweep (Payload Hello World)"; icode:0; itype:0; dsize:11; content:"Hello,World"; reference:url,vil.nai.com/vil/content/v_141203.htm; reference:url,doc.emergingthreats.net/2008017; classtype:trojan-activity; sid:2008017; rev:4; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_05_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook WebApp Phish Landing 2015-11-05"; flow:established,from_server; file_data; content:"var translate_dict = {"; nocase; content:"VERIFICATION_CODE"; nocase; distance:0; fast_pattern; content:"VERIFICATION_CODE_REQUIRED"; nocase; distance:0; content:"NOT_BEGIN_OR_END_WITH_SPACE"; nocase; distance:0; content:"USERNAME_ALL_NUMERIC"; nocase; distance:0; content:"PASSWORDS_DONT_MATCH"; nocase; distance:0; content:"PWD_HINT_REQUIRED"; nocase; distance:0; content:"PASSWORD_MATCHES_USERNAME"; nocase; distance:0; content:"REQUEST_PASSWORD_RESET"; nocase; distance:0; content:"ENTER_VALID_VERIFICATION_CODE"; nocase; distance:0; content:"PASSWORD_MATCH_HINT"; nocase; distance:0; content:"Your work here is done"; nocase; distance:0; content:"Yikes! Something's gone wrong."; nocase; distance:0; classtype:social-engineering; sid:2031691; rev:2; metadata:created_at 2015_11_05, former_category PHISHING, updated_at 2015_11_05;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET MALWARE MS Terminal Server Single Character Login possible Morto inbound"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash="; content:"|0d 0a|"; distance:1; within:2; nocase; pcre:"/Cookie\x3a mstshash=[a-zA-Z]\r\n/"; flowbits:set,ET.RDP.Morto; reference:cve,CAN-2001-0540; classtype:trojan-activity; sid:2021630; rev:2; metadata:created_at 2015_08_14, former_category TROJAN, updated_at 2017_05_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE GoonEK Jan 21 2013"; flow:established,from_server; file_data; content:"#default#VML"; fast_pattern:only; content:"|5c 5c 3a|"; content:"|5c 5c 3a|"; distance:0; content:".namespaces.add"; nocase; pcre:"/^[\r\n\s]*?\([^\)]*?[\x22\x27]#/Ri"; content:!"default#VML"; within:12; pcre:"/^d(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?e(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?f(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?a(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?u(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?l(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?t(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?#(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?V(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?M(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?L[\x22\x27]/Rs"; classtype:exploit-kit; sid:2017993; rev:9; metadata:created_at 2014_01_22, former_category MALWARE, updated_at 2014_01_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded Adobe Shockwave Flash Possibly Related to Remote Code Execution Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:".swf"; fast_pattern; nocase; distance:0; flowbits:set,ET.flash.pdf; flowbits:noalert; reference:url,feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/; reference:cve,2010-1297; reference:cve,2010-2201; classtype:bad-unknown; sid:2011499; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_05_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wrapper/Gholee/Wedex Checkin"; flow:established,to_server; dsize:12; content:"nocookie"; offset:4; depth:8; reference:md5,b7de8927998f3604762096125e114042; reference:url,blog.checkpoint.com/2015/11/09/rocket-kitten-a-campaign-with-9-lives/; classtype:command-and-control; sid:2022047; rev:1; metadata:created_at 2015_11_09, former_category MALWARE, updated_at 2015_11_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded Flash Possible Remote Code Execution Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"/SubType"; distance:0; content:"flash"; nocase; within:100; reference:url,feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/; reference:cve,2010-1297; classtype:bad-unknown; sid:2011505; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_05_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.ip.request; classtype:trojan-activity; sid:2022051; rev:2; metadata:created_at 2015_11_09, former_category CURRENT_EVENTS, updated_at 2015_11_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 CMS backdoor access admin-access cookie and HTTP POST"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"|0d 0a|Cookie\: "; nocase; content:"admin-access="; content:"e107language_"; pcre:"/Cookie: .*admin-access=/i"; reference:url,seclists.org/fulldisclosure/2010/Jan/480; reference:url,www.e107.org/news.php; reference:url,doc.emergingthreats.net/2010719; classtype:attempted-admin; sid:2010719; rev:3; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2017_05_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.no.exe.request; classtype:trojan-activity; sid:2022053; rev:2; metadata:created_at 2015_11_09, former_category CURRENT_EVENTS, updated_at 2015_11_09;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE MSIL/May Ransomware SSL Cert Observed"; flow:established,from_server; content:"|55 04 03|"; content:"|13|mayofware.solutions"; distance:1; within:20; reference:md5,9bee9fbe8c87f491ed31e94bb0c2e06f; classtype:trojan-activity; sid:2024304; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family May, signature_severity Major, tag Ransomware, updated_at 2017_05_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Registry)"; flow:from_server,established; content:"RG|7c 27 7c 27 7c|"; depth:7; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017429; rev:4; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-01 - Unauthed RCE via bprd"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; pcre:"/^.*?[\x24\x60]/R"; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024308; rev:1; metadata:attack_target Server, created_at 2017_05_17, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_05_17;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Keylogger)"; flow:from_server,established; content:"kl|7c 27 7c 27 7c|"; depth:7; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017430; rev:7; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-02 - Possible Unauthed RCE via nbbsdtar"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; content:"/bin/"; distance:0; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024309; rev:1; metadata:attack_target Server, created_at 2017_05_17, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_05_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command Response (Get Passwords)"; flow:to_server,established; content:"pl|7c 27 7c 27 7c|"; depth:7; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017432; rev:5; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-04 - Possible Unauthed RCE via whitelist bypass"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; content:"BPCD_WHITELIST_PATH"; distance:0; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024310; rev:1; metadata:attack_target Server, created_at 2017_05_17, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_05_17;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Get Passwords)"; flow:from_server,established; content:"ret|7c 27 7c 27 7c|"; depth:8; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017431; rev:5; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Agent Tesla Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| "; nocase; content:"|5b|Agent Tesla"; fast_pattern; nocase; classtype:trojan-activity; sid:2022006; rev:3; metadata:created_at 2015_10_28, former_category TROJAN, updated_at 2017_05_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PK/Compressed doc/JAR header"; flow:from_server,established; file_data; content:"|50 4B 03 04|"; depth:4; flowbits:set,ET.zipfile; flowbits:noalert; classtype:misc-activity; sid:2022055; rev:2; metadata:created_at 2015_11_10, updated_at 2015_11_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Samsung Galaxy Knox Android Browser RCE smdm attempt"; flow:to_client,established; file_data; content:"smdm|3a|//"; nocase; distance:0; reference:url,blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html; reference:url,cxsecurity.com/issue/WLB-2014110124; classtype:web-application-activity; sid:2019750; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_19, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_05_24;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|nyctradersacademy.com"; distance:1; within:22; reference:md5,cb690af981b61aa4779624db5d2489e1; reference:md5,040ac83b30a9bd111d06d238f39593fb; classtype:domain-c2; sid:2022056; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Scotiabank Phish M2 May 24 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?Step=Account"; nocase; http_uri; content:"mmn="; depth:4; nocase; http_client_body; content:"&seccode="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024327; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_05_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|msupdcheck.com"; distance:1; within:16; reference:md5,4b689f711da45fb8523c95a85679f435; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022057; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (.so file write to share) (CVE-2017-7494)"; flow:to_server,established; content:"SMB|2d 00|"; offset:5; depth:5; content:"|00 00|"; distance:1; within:2; content:"|12 00|"; distance:40; within:2; content:"|2e|so|00|"; fast_pattern; distance:16; reference:cve,2017-7494; reference:url,github.com/rapid7/metasploit-framework/pull/8450; classtype:attempted-admin; sid:2024335; rev:1; metadata:attack_target SMB_Server, created_at 2017_05_25, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2017_05_25;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 c1 ae 7c 85 e8 a5 6b|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5666cb1caca3fde7dd1c8195b76eac8e; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022058; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (NT Create AndX .so) (CVE-2017-7494)"; flow:to_server,established; content:"SMB|a2 00|"; offset:5; depth:5; content:"|00 00|"; distance:1; within:2; content:"|2e|so|00|"; fast_pattern; distance:16; reference:cve,2017-7494; reference:url,github.com/rapid7/metasploit-framework/pull/8450; classtype:attempted-admin; sid:2024336; rev:1; metadata:attack_target SMB_Server, created_at 2017_05_25, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2017_05_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)"; flow:from_client,established; content:"|00|pl|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00pl\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:command-and-control; sid:2022059; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible $MFT NTFS Device Access in HTTP Response"; flow:from_server,established; content:"file://"; content:"/$MFT/"; distance:0; fast_pattern; content:"src"; pcre:"/^\s*=\s*[^>]*file\x3a[^>]*\/\x24MFT\//Ris"; reference:url,www.securitytracker.com/id/1038575; classtype:trojan-activity; sid:2024337; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_30, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_05_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)"; flow:from_client,established; content:"|00|sc~|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00sc\x7e\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:command-and-control; sid:2022060; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible CryptXXX Ransomware Renaming Encrypted File SMB v2"; flow:to_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|11 00|"; distance:8; within:2; content:"|00|.|00|c|00|r|00|y|00|p|00|t|00|"; nocase; distance:0; fast_pattern; pcre:"/^[^A-Za-z0-9]/R"; classtype:trojan-activity; sid:2022840; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_05_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)"; flow:from_client,established; content:"|00|scPK|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00scPK\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:command-and-control; sid:2022061; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PDF Using CCITTFax Filter"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/CCITTFaxDecode"; distance:0; reference:url,nakedsecurity.sophos.com/2012/04/05/ccittfax-pdf-malware/; reference:url,blog.fireeye.com/research/2012/07/analysis-of-a-different-pdf-malware.html#more; classtype:bad-unknown; sid:2015561; rev:3; metadata:created_at 2012_08_02, former_category INFO, updated_at 2017_06_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback Response (File Manager)"; flow:to_client,established; content:"|00|rn|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00rn\x7c/i"; classtype:command-and-control; sid:2022062; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing URI T1 Jun 02 2017"; flow:established,to_server; content:"/e71cac9dd645d92189c49e2b30ec627a/dcb4c6c6149b2208fbcf7c9d8c59548e"; http_uri; classtype:exploit-kit; sid:2024343; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_06_02;)
 
-alert tcp any any -> any any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Get Passwords)"; flow:established; content:"|00|ret|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00ret\x7c/i"; reference:md5,310c26fa0c7d07adbff32b569b1972f1; classtype:command-and-control; sid:2022063; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing T1 Jun 02 2017 M1"; flow:established,from_server; file_data; content:"|3c 70 61 72 61 6d 20 6e 61 6d 65 3d 46 6c 61 73 68 56 61 72 73 20 76 61 6c 75 65 3d 22 69 64 64 71 64 3d 27|"; classtype:exploit-kit; sid:2024346; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_06_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/HideWindows.C IRC Checkin"; flow:established,to_server; content:"PASS 6667|0a|"; content:"NICK pr0n|7c 30 0a|"; distance:0; fast_pattern; content:"USER Pmx|20 22 2a 22 20 22|"; distance:0; content:"|22 20 3a|pr0n|0a|"; reference:md5,4645b7883d5c8fee6579cc79dee5f683; reference:url,thisissecurity.net/2015/11/05/low-cost-point-of-sales-pos-hacking/; classtype:command-and-control; sid:2022064; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing T1 Jun 02 2017 M2"; flow:established,from_server; file_data; content:"|25 37 37 25 37 33 25 36 33 25 37 32 25 36 39 25 37 30 25 37 34 25 32 45 25 36 35 25 37 38 25 36 35|"; content:"|2e 53 74 61 72 74 52 65 6d 6f 74 65 44 65 73 6b 74 6f 70|"; classtype:exploit-kit; sid:2024347; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_06_02;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 fb cd cd ff 15 b4 03|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; reference:md5,c493fbc74573c2c125ff57b1bf15e4be; classtype:domain-c2; sid:2022065; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,2525,587] (msg:"ET MALWARE Executioner Ransomware Reporting Infection via SMTP"; flow:established,to_server; dsize:<40; content:"DECRYPT CODE|20 3a 20 20 20 20 20 20 20|"; fast_pattern; depth:21; reference:md5,eec4f84d12139add6d6ebf3b8c72fff7; classtype:trojan-activity; sid:2024351; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_06, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Executioner, signature_severity Major, tag Ransomware, updated_at 2017_06_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|systruster.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; reference:md5,efa5ea2c511b08d0f8259a10a49b27ad; classtype:domain-c2; sid:2022066; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M1 B641"; flow:established,from_server; file_data; content:"|4a694270626e525562314e30636968685a4752794b|"; classtype:exploit-kit; sid:2024353; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0c|retsback.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; reference:md5,e5b7fd7eed59340027625ac39bae7c81; classtype:domain-c2; sid:2022067; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M1 B642"; flow:established,from_server; file_data; content:"|596761573530564739546448496f5957526b6369|"; classtype:exploit-kit; sid:2024354; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE KilerRAT CnC - Info Checkin"; flow:from_server,established; content:"inf|7c 4b 69 6c 65 72 7c|"; fast_pattern; content:"|7c 4b 69 6c 65 72 7c|"; distance:0; content:"|7c 4b 69 6c 65 72 7c|"; distance:0; reference:md5,51409b4216065c530a94cd7a5687c0d6; reference:url,alienvault.com/open-threat-exchange/blog/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off; classtype:command-and-control; sid:2022069; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M1 B643"; flow:established,from_server; file_data; content:"|6d49476c7564465276553352794b47466b5a484970|"; classtype:exploit-kit; sid:2024355; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
 
-alert tcp any any -> any any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)"; flow:established; content:!"GET|20|"; content:"|FF D8 FF E0 00 10 4A 46 49 46|"; content:"|00|CAP|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00cap\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019214; rev:2; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M2 B641"; flow:established,from_server; file_data; content:"|496d784a62477873496a6f69646d6c7964485668624842796233526c5933|"; classtype:exploit-kit; sid:2024356; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Keylogging)"; flow:from_client,established; content:"|00|kl|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00kl\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019222; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M2 B642"; flow:established,from_server; file_data; content:"|4a735357787362434936496e5a70636e523159577877636d39305a574e30|"; classtype:exploit-kit; sid:2024357; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (File Manager Actions)"; flow:from_client,established; content:"|00|fm|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00fm\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019221; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M2 B643"; flow:established,from_server; file_data; content:"|6962456c73624777694f694a3261584a306457467363484a766447566a64|"; classtype:exploit-kit; sid:2024358; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Process Listing)"; flow:from_client,established; content:"|00|proc|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00proc\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019220; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M3 B641"; flow:established,from_server; file_data; content:"|593268796479677a4d6a63324e79|"; pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/"; classtype:exploit-kit; sid:2024359; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Registry Listing)"; flow:from_client,established; content:"|00|RG|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00rg\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019219; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M3 B642"; flow:established,from_server; file_data; content:"|6a61484a334b444d794e7a59334b|"; pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/"; classtype:exploit-kit; sid:2024360; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Services Listing)"; flow:from_client,established; content:"|00|srv|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00srv\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019218; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M4 B641"; flow:established,from_server; file_data; content:"|657949784e7a51784e6949364e4441344d44597a4e6977694d5463304f5459694f6a51774f4441324d7a5973496a45334e6a4d78496a6f304d4467304e7a51344c4349784e7a59304d43|"; classtype:exploit-kit; sid:2024362; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Shell)"; flow:from_client,established; content:"|00|rs|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00rs\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019217; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M4 B642"; flow:established,from_server; file_data; content:"|73694d5463304d5459694f6a51774f4441324d7a5973496a45334e446b32496a6f304d4467774e6a4d324c4349784e7a597a4d5349364e4441344e4463304f4377694d5463324e444169|"; classtype:exploit-kit; sid:2024363; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Microphone)"; flow:from_client,established; content:"|00|MIC|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00mic\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019215; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING PHISH Bank - York - Creds Phished"; flow:established,to_server; content:"POST"; http_method; content:"/secured/private/login.php"; http_uri; classtype:social-engineering; sid:2015983; rev:3; metadata:created_at 2012_12_05, former_category CURRENT_EVENTS, updated_at 2017_06_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE Possible Chimera Ransomware - Bitmessage Activity"; flow:established,to_server; content:"version"; offset:4; depth:7; content:"Bitmessage|3a|"; distance:0; reference:md5,b66a864255ad796cf1e82f973f67f556; reference:url,reaqta.com/2015/11/diving-into-chimera-ransomware/; classtype:policy-violation; sid:2022075; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2015_11_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert icmp any any -> any any (msg:"ET MALWARE OpenSSH in ICMP Payload - Possible Covert Channel"; itype:8; icode:0; content:"openssh"; nocase; classtype:trojan-activity; sid:2024366; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_06_08, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2017_06_08;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|rozmatis.com"; distance:1; within:13; reference:md5,58b38122ac12b84989914623efe833be; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022076; rev:1; metadata:attack_target Client_and_Server, created_at 2015_11_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible iTunes Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>iTunes Connect</TITLE>"; classtype:social-engineering; sid:2018303; rev:4; metadata:created_at 2014_03_21, former_category CURRENT_EVENTS, updated_at 2017_06_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0d|whoreshop.xyz"; distance:1; within:14; reference:md5,218a9854b7d1ca1f417c59a566b343d9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022077; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Dropbox - Sign in</title>"; classtype:social-engineering; sid:2020332; rev:3; metadata:created_at 2015_01_30, former_category CURRENT_EVENTS, updated_at 2017_06_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Renewal Phish Landing Nov 13"; flow:established,from_server; file_data; content:"<title>Mailbox renewal"; fast_pattern; nocase; content:"autorised email address"; nocase; distance:0; content:"To complete this autorization"; nocase; distance:0; content:"Online MailBox Renewal"; nocase; distance:0; classtype:social-engineering; sid:2022083; rev:2; metadata:created_at 2015_11_13, updated_at 2015_11_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Alibaba Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Alibaba&nbsp|3b|Manufacturer&nbsp|3b|Directory"; nocase; classtype:social-engineering; sid:2024389; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Revalidation Phish Nov 13 M1"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"user="; depth:5; nocase; http_client_body; fast_pattern; content:"&email_address="; nocase; http_client_body; distance:0; content:"&pass"; nocase; http_client_body; distance:0; content:"&captcha="; nocase; http_client_body; distance:0; content:"&submitbutton="; nocase; http_client_body; distance:0; classtype:credential-theft; sid:2022084; rev:2; metadata:created_at 2015_11_13, former_category PHISHING, updated_at 2019_09_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Free Mobile Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Free Mobile - Bienvenue dans votre Espace"; nocase; classtype:social-engineering; sid:2024393; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Revalidation Phish Nov 13 M2"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"<META HTTP-EQUIV=|22|REFRESH|22|"; nocase; content:"Revalidation</title>"; fast_pattern; nocase; distance:0; content:"Account Revalidated"; nocase; distance:0; content:"you have sucessfully revalidated"; nocase; distance:0; classtype:credential-theft; sid:2022085; rev:2; metadata:created_at 2015_11_13, former_category PHISHING, updated_at 2019_09_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible AOL Mail Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>AOL Mail|3a 20|Simple, Free, Fun</title>"; nocase; classtype:social-engineering; sid:2024394; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|lingeriesshop.biz"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022087; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible OWA Mail Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Outlook Web Access</title>"; nocase; classtype:social-engineering; sid:2024395; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 07|"; content:"|0a|LosAngeles"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|11|speednetlocal.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022088; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible OWA Mail Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Outlook Web App</title>"; nocase; classtype:social-engineering; sid:2024396; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 07|"; content:"|02|Ny"; distance:1; within:3; content:"|55 04 03|"; distance:0; content:"|13|securityrealnet.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022089; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Facebook Help Center Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Facebook Help Center</title>"; nocase; classtype:social-engineering; sid:2024397; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential W32/Dridex Alphanumeric Download Pattern"; flow:established,to_server; urilen:9<>47; content:"GET"; http_method; content:".exe"; http_uri; offset:6; fast_pattern; content:!"Referer|3A|"; http_header; content:"Accept|3a|"; http_header; pcre:"/^\/(?=[a-z\d]{0,18}(?:[a-z]\d|\d[a-z]|~[a-z])[a-z\d]{0,18}(?:\/[a-z\d]{0,18}(?:[a-z]\d|\d[a-z])[a-z\d]{0,18}){1,2}\.exe$)(?=[a-f\d\x2f\x7e]{0,40}[g-z])[a-z0-9~]{2,20}(?:\/[a-z0-9]{2,20}){1,2}\.exe$/U"; pcre:"/^User-Agent\x3a\x20[^\r\n]+?(?:MSIE|rv\x3a11\.0)/Hmi"; reference:md5,03c5bfb5c0c7a936ad62ebe03019edd0; classtype:trojan-activity; sid:2021607; rev:6; metadata:created_at 2015_08_11, former_category CURRENT_EVENTS, updated_at 2015_08_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Adobe PDF Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Adobe PDF</title>"; nocase; classtype:social-engineering; sid:2024399; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015"; urilen:>51; flow:to_server,established; content:"_id="; http_uri; content:"_id="; distance:0; http_uri; pcre:"/^\/(?:[a-z0-9]+\/)?[^\x2f]+\?[a-z]{1,40}_id=\d{2,5}?&[a-z]{1,40}_id=\d{2,5}&[^&\x3d]+(?<!_id)=(?=[a-zA-Z0-9]+(?:[A-Z][a-z][A-Z]|\d[a-z][A-Z]|[A-Z]\d[A-Z]|[A-Z\d]{3}[a-z]))(?=[A-Fa-f0-9]*?[G-Zg-z])(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{32}\x2e{0,2}$/U"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:exploit-kit; sid:2022112; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_17, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible DHL Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>DHL |7c| Tracking</TITLE>"; nocase; classtype:social-engineering; sid:2024400; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole EK Landing Nov 17 2015"; flow:from_server,established; file_data; content:"|2e 73 74 79 6c 65 2e 6c 65 66 74 3d 3d 3d 22 22 29 7b 67 67 3d 22 67 65 74 41 22 3b 7d 71 71 3d 22 71 22 3b 67 67 2b 3d 22 74 74 72 69 22 3b 66 75 6e 63 74 69 6f 6e 20 63 78 7a 28 29|"; fast_pattern:17,20; classtype:exploit-kit; sid:2022113; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Adobe ID Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>Sign In - Adobe ID</TITLE>"; nocase; classtype:social-engineering; sid:2024401; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Calling Common Collection Function"; flow:to_server,established; content:"rO0ABXNyA"; content:"jb21tb25zLmNvbGxlY3Rpb25z"; fast_pattern; distance:0; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022114; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BeEF Module in use"; flow:established,from_server; file_data; content:"beef.websocket.send"; pcre:"/^\s*?\(/Rs"; content:"beef.encode.base64.encode"; pcre:"/^\s*?\(/Rs"; classtype:attempted-user; sid:2024415; rev:2; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Major, updated_at 2017_06_19;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Calling Common Collection Function"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"commons.collections"; nocase; distance:0; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022115; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2017-0199 Common Obfus Stage 2 DL"; flow:established,from_server; file_data; content:"|7b 5c 72 74|"; within:4; content:!"|66|"; within:1; content:"|5C 6F 62 6A 61 75 74 6C 69 6E 6B|"; nocase; distance:0; reference:md5,8168b2305289ecc778216405d1fd7984; reference:cve,2017-0199; classtype:trojan-activity; sid:2024413; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_06_19;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"java/io/Serializable"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022116; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DragonOK KHRAT Downloader Receiving Payload"; flow:established,from_server; file_data; content:".DAT,K1|22 0d 0a|fso"; reference:md5,404518f469a0ca85017136b6b5166ae3; classtype:trojan-activity; sid:2024418; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_20, deployment Perimeter, former_category TROJAN, malware_family DragonOK, malware_family KHRAT, performance_impact Low, signature_severity Major, tag Targeted, tag APT, tag CNAPT, updated_at 2017_06_20;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Groovy Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"org.codehaus.groovy.runtime.ConversionHandler"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022117; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE x0Proto File Contents Exfil Request"; flow:established,from_server; dsize:9; content:"DLOAD|0c|1|0c|1"; depth:9; reference:md5,3d5a4b51ff4ad8534873e02720aeff34; classtype:trojan-activity; sid:2024423; rev:1; metadata:created_at 2017_06_23, updated_at 2017_06_23;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Spring Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"org.springframework.core.SerializableTypeWrapper"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022118; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE x0Proto File Info Request"; flow:established,from_server; dsize:8; content:"REQF|0c|1|0c|1"; depth:8; reference:md5,3d5a4b51ff4ad8534873e02720aeff34; classtype:trojan-activity; sid:2024424; rev:1; metadata:created_at 2017_06_23, updated_at 2017_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Google Android Device HTTP Request"; flow:established,to_server; content:"|3B 20|Android|20|"; http_header; classtype:policy-violation; sid:2012251; rev:9; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/OceanLotus / ELF/RotaJakario CnC Checkin"; flow:established,to_server; content:"|41 61 54 03|"; offset:1; depth:4; fast_pattern; content:"|63 63 63 63 63 63 63 63|"; distance:0; reference:url,researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/; reference:url,blog.netlab.360.com/stealth_rotajakiro_backdoor_en; classtype:targeted-activity; sid:2024425; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_06_26, deployment Perimeter, former_category MALWARE, malware_family OceanLotus, performance_impact Low, tag Targeted, tag APT, tag OceanLotus, tag OSX, updated_at 2017_06_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Jimdo Outlook Web App Phishing Landing Nov 16"; flow:established,from_server; file_data; content:"Outlook"; nocase; content:"jimdo.com"; nocase; distance:0; content:"Email"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Confirm Password"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2022093; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Watering Hole Redirect Inject Jun 28 2017"; flow:established,from_server; file_data; content:"REMOTE_URL"; content:"C_TIMEOUT"; distance:0; content:"apply_payload"; distance:0; fast_pattern; content:"execute_request"; distance:0; classtype:trojan-activity; sid:2024431; rev:2; metadata:created_at 2017_06_28, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_06_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-11-20"; flow:established,from_server; file_data; content:"<title>Google Drive"; fast_pattern; nocase; content:"For security reasons"; nocase; distance:0; content:"select your email provider"; nocase; distance:0; content:"enter your email and password"; nocase; distance:0; content:"method=|22|POST|22|"; nocase; distance:0; classtype:social-engineering; sid:2031701; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_20, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (HiddenTear Variant CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|wwecuador.com"; distance:1; within:14; reference:md5,02c1da1c668ac71995f56c2c198d7d73; classtype:domain-c2; sid:2024433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_06_28, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Hidden_Tear, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_06_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Webmail Phishing Landing 2015-11-21"; flow:established,from_server; file_data; content:"login.live.com"; nocase; content:"<title>Sign In"; nocase; distance:0; fast_pattern; content:"Generic Password Error Message"; nocase; distance:0; content:"enter your email address"; nocase; distance:0; content:"Microsoft account"; nocase; distance:0; classtype:social-engineering; sid:2031702; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_21, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT ttdbserv solaris overflow"; dsize:>999; flow:to_server,established; content:"|C0 22|?|FC A2 02| |09 C0|,|7F FF E2 22|?|F4|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:2100570; rev:12; metadata:created_at 2010_09_23, former_category EXPLOIT, updated_at 2017_06_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Outlook Webmail Phishing 2015-11-21"; flow:established,from_server; file_data; content:"<title>Outlook"; fast_pattern; nocase; content:"http-equiv=|22|refresh"; nocase; distance:0; content:"Update successful"; nocase; distance:0; content:"your account verification information"; nocase; distance:0; content:"emailed to you shortly"; nocase; distance:0; classtype:credential-theft; sid:2031703; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_07_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp $HOME_NET any -> $HOME_NET 42 (msg:"ET EXPLOIT Possible WINS Server Remote Memory Corruption Vulnerability"; flow:to_server,established; dsize:48; content:"|00 00 78 00|"; offset:4; depth:4; content:"|00 00 00 05|"; offset:16; depth:4; fast_pattern; threshold: type both, count 3, seconds 1, track by_src; reference:url,blog.fortinet.com/2017/06/14/wins-server-remote-memory-corruption-vulnerability-in-microsoft-windows-server; classtype:attempted-user; sid:2024435; rev:1; metadata:affected_product Windows_DNS_server, attack_target DNS_Server, created_at 2017_06_29, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2017_06_29;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|default"; distance:1; within:8; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|13|support@hsshvpn.net"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022130; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_23, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, malware_family Retefe, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (CVE-2009-3103)"; flow:to_server,established; content:"|FF 53 4d 42 72|"; offset:4; depth:5; content:"|00 26|"; distance:7; within:2; reference:url,www.exploit-db.com/exploits/14674/; reference:url,www.microsoft.com/technet/security/bulletin/ms09-050.mspx; reference:cve,2009-3103; classtype:attempted-user; sid:2012063; rev:3; metadata:created_at 2010_12_17, former_category NETBIOS, updated_at 2017_06_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|06|Zurich"; distance:1; within:7; content:"|55 04 07|"; distance:0; content:"|06|Zurich"; distance:1; within:7; content:"IT"; distance:0; content:"|55 04 03|"; distance:0; content:"|07|default"; distance:1; within:8; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|12|me@myhost.mydomain"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022129; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_23, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, malware_family Retefe, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tinba CnC Checkin"; flow:to_server,established; content:"POST"; http_method; urilen:7; content:"tinba/"; http_uri; fast_pattern; content:"User-Agent|3a 20|Mozilla/5.0|28|compatible|3b| MSIE 10.0|3b| Windows NT 6.1|3b| Trident|2f|6.0|29|"; http_header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; reference:md5,d360ee49950e7da3978379494667260c; classtype:command-and-control; sid:2024441; rev:2; metadata:created_at 2017_07_05, former_category MALWARE, updated_at 2019_10_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Evil EXE download from MSXMLHTTP non-exe extension M1"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.no.exe.request; classtype:trojan-activity; sid:2022052; rev:2; metadata:created_at 2015_11_09, updated_at 2015_11_09;)
+alert tcp any any -> any 445 (msg:"ET EXPLOIT ETERNALBLUE Exploit M2 MS17-010"; flow:established,to_server; content:"|8000a80000000000000000000000000000000000ffff000000000000ffff0000000000000000000000000000000000000000000000f1dfff000000000000000020f0dfff00f1dfffffffffff600004100000000080efdfff|"; reference:cve,CVE-2017-0143; classtype:attempted-admin; sid:2024297; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_07_06;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Rincux CnC (set)"; content:"|01 00 00 00|"; depth:4; content:"|00 00 00 00 00 00 00 00|"; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|Windows"; distance:0; content:"|20 4d 42 00 00 00 00 00|"; fast_pattern; distance:0; content:"|20 4d 48 7a 00 00 00 00 00|"; distance:0; flowbits:set,ET.Rincux; flowbits:noalert; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-082614-0727-99&tabid=2; classtype:command-and-control; sid:2022131; rev:1; metadata:created_at 2015_11_23, former_category MALWARE, updated_at 2015_11_23;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Exploit M3 MS17-010"; flow:to_server,established; content:"|ff|SMB|32 00 00 00 00 18 07 c0|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; distance:2; within:16; fast_pattern; content:"|0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 00 0c 00 42 00 00 10 4e 00 01 00 0e 00 0d 10 00|"; distance:2; within:34; isdataat:1000,relative; threshold: type both, track by_src, count 10, seconds 1; classtype:trojan-activity; sid:2024430; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_27, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_07_06;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rincux CnC"; content:"|02 00 00 00|"; fast_pattern; depth:4; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/Rs"; content:"|00 00 00 00|"; distance:0; flowbits:isset,ET.Rincux; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-082614-0727-99&tabid=2; classtype:command-and-control; sid:2022132; rev:1; metadata:created_at 2015_11_23, former_category MALWARE, updated_at 2015_11_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Cerber Bitcoin Address Check"; flow:to_server,established; content:"/api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_="; http_uri; nocase; fast_pattern:20,20; content:!"Referer"; http_header; content:!"|0d 0a|Cookie|3a 20|"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; http_header; reference:url,www.bleepingcomputer.com/news/security/cerber-ransomware-4-10-now-shows-the-version-number-in-ransom-notes/; classtype:trojan-activity; sid:2023676; rev:3; metadata:created_at 2016_12_20, former_category TROJAN, updated_at 2017_07_10;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 87 58 1a 93 f4 b1 c2 6b|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022133; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY MOBILE Apple device leaking UDID from SpringBoard"; flow:established,to_server; content:" CFNetwork/"; http_user_agent; content:" Darwin/"; http_user_agent; content:"UDID"; nocase; http_client_body; pcre:"/[0-9a-f]{40}[^0-9a-f]/P"; reference:url,www.innerfence.com/howto/find-iphone-unique-device-identifier-udid; reference:url,support.apple.com/kb/HT4061; classtype:attempted-recon; sid:2013289; rev:7; metadata:created_at 2011_07_19, former_category POLICY, updated_at 2017_07_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (2)"; flow:established,to_client; file_data; content:"|29 26 9a 62 39 55 b6 0d|"; distance:4; within:8; classtype:trojan-activity; sid:2022139; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Capitech Internet Banking Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Capitec Internet Banking</title>"; nocase; classtype:social-engineering; sid:2024453; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_07_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (5)"; flow:established,to_client; file_data; content:"|63 86 34 11 a3 ae 83 1e|"; distance:4; within:8; classtype:trojan-activity; sid:2022142; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Generic Excel Online Phish Aug 9"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Excel; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023046; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (6)"; flow:established,to_client; file_data; content:"|94 ae 9f 55 3d 25 7f 7d|"; distance:4; within:8; classtype:trojan-activity; sid:2022143; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Adobe Shared Document Phish Aug 11 2016"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Adobe; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023048; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Payload URI Struct May 28 2015 M1"; flow:to_server,established; urilen:>51; content:"."; http_uri; offset:49; depth:1; content:!"/"; http_uri; offset:1; content:!"User-Agent"; http_header; nocase; content:!"Accept"; http_header; nocase; content:!"Referer"; nocase; http_header; pcre:"/^\/(?=[a-z0-9_-]{0,47}?[A-Z][a-z0-9_-]{0,46}?[A-Z])(?=[A-Z0-9_-]{0,47}?[a-z][A-Z0-9_-]{0,46}?[a-z])(?=[A-Za-z_-]{0,47}?[0-9][A-Za-z_-]{0,46}?[0-9])[A-Za-z0-9_-]{48}\.[a-z]{2,25}\d?\??/U"; classtype:exploit-kit; sid:2021158; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_28, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credit Agricole Phish Aug 15 2016 M1"; flow:to_server,established; content:"POST"; http_method; content:"ident="; fast_pattern; depth:6; nocase; http_client_body; content:"&ReadOut="; nocase; distance:0; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&nuum="; nocase; distance:0; http_client_body; content:"&xrypt="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023063; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/muBoT IRC Activity 6 (SOCKS)"; flow:established,to_server; content:"NOTICE "; content:"|3a|REWRITING|0a|"; fast_pattern; distance:0; content:"|0a|to|0a|"; distance:0; pcre:"/^NOTICE [^\r\n]+? \x3aREWRITING\x0a[^\r\n]+?\x0ato\x0a[^\r\n]+?\x0a/s"; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:trojan-activity; sid:2022189; rev:1; metadata:created_at 2015_11_26, updated_at 2015_11_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credit Agricole Phish Aug 15 2016 M2"; flow:to_server,established; content:"POST"; http_method; content:"nom="; depth:4; nocase; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pemail="; fast_pattern; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023064; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/muBoT IRC Activity 7 (bindshell)"; flow:established,from_server; content:"|0a c2 84 c2 9f|muBoT|c2 84 c2 9f|REMOTE|c2 84 c2 9f|SHELL"; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:trojan-activity; sid:2022190; rev:1; metadata:created_at 2015_11_26, updated_at 2015_11_26;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET PHISHING DNS Query to Ebay Phishing Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|107sbtd9cbhsbtd5d80"; fast_pattern; distance:0; nocase; threshold:type limit, track by_src, count 1, seconds 30; classtype:social-engineering; sid:2023180; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing_07012016, updated_at 2017_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.ip.request; classtype:trojan-activity; sid:2022050; rev:3; metadata:created_at 2015_11_09, former_category CURRENT_EVENTS, updated_at 2015_11_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Ebay Phish Sept 8 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Host|3a 20|107SbTd9CBhSbT"; http_header; nocase; fast_pattern; content:"Referer|3a 20|http|3a 2f 2f|107sbtd9cbhsbt"; http_header; distance:0; content:"email"; nocase; http_client_body; content:"pass"; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023181; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 27 2015"; flow:to_server,established; urilen:>55; content:"&cat_no="; http_uri; content:"&no="; http_uri; distance:0; pcre:"/&cat_no=\d{2,5}?&no=\d{2,5}&[^&\x3d]+(?<!_no)=(?=[a-zA-Z0-9]+(?:[A-Z][a-z][A-Z]|\d[a-z][A-Z]|[A-Z]\d[A-Z]|[A-Z\d]{3}[a-z]))(?=[A-Fa-f0-9]*?[G-Zg-z])(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{32}\x2e{0,2}$/U"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:exploit-kit; sid:2022193; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_30, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Netflix Phish Aug 17 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"firstName="; depth:10; nocase; fast_pattern; http_client_body; content:"&lastName="; nocase; http_client_body; distance:0; content:"&cardNumber="; nocase; http_client_body; distance:0; content:"&authURL="; nocase; http_client_body; distance:0; content:"&encryptedOaepLen="; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023072; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PHP/Mayhem Checkin via HTTP POST"; flow:established,to_server; content:"POST"; http_method; content:"Pragma|3a 20|1337|0d 0a|"; http_header; fast_pattern:only; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; content:".php HTTP/1.0|0d 0a|"; reference:url,www.blackhat.com/docs/eu-15/materials/eu-15-KA-Automating-Linux-Malware-Analysis-Using-Limon-Sandbox.pdf; classtype:trojan-activity; sid:2022195; rev:2; metadata:created_at 2015_11_30, updated_at 2015_11_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Bank Phish M2 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:"1="; depth:2; nocase; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&cvv1="; nocase; distance:0; http_client_body; fast_pattern; content:"&mobile1="; nocase; distance:0; http_client_body; content:"&next"; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023488; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_11_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 15"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; pcre:"/^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?:(?P=refhost)|www\.))/Hsi"; content:!"|2e 73 70 6f 72 74 73 61 75 74 68 6f 72 69 74 79 2e 63 6f 6d 0d 0a|"; http_header; content:!"Cookie|3a 20|"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021269; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Striked Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; depth:4; content:".php|20|HTTP/1.1|0d 0a|Host|3a 20|"; distance:0; content:"|0d 0a|User-Agent|3a 20|python"; distance:0; fast_pattern; content:"|0d 0a 0d 0a|crid="; distance:0; content:"&dta="; distance:0; content:!"Referer|3a|"; reference:md5,80317e3194d8f7fd495b0bf06cae2295; classtype:command-and-control; sid:2024465; rev:1; metadata:attack_target Client_Endpoint, created_at 2017_07_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2017_07_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING cPanel Phishing Landing 2015-12-01"; flow:established,to_client; file_data; content:"<title>Please wait.."; nocase; fast_pattern; content:"form id=|22|myForm|22|"; nocase; distance:0; content:"name=|22|myForm|22|"; nocase; distance:0; content:"method=|22|POST|22|"; nocase; distance:0; content:"name=|22|email|22|"; nocase; distance:0; content:"type=|22|password|22|"; nocase; distance:0; content:"name=|22|submit|22|"; nocase; distance:0; classtype:social-engineering; sid:2031704; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Excel Online Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Excel Online"; nocase; content:!"Training"; nocase; within:25; classtype:social-engineering; sid:2024392; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_07_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Anonisma Phishing Landing 2015-12-01"; flow:established,to_client; file_data; content:"id=|22|Anonisma"; fast_pattern; nocase; content:"class=|22|Anonisma"; nocase; distance:0; classtype:social-engineering; sid:2031705; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Known Malicious Stratum Authline (2017-07-11 1)"; flow:established,to_server; dsize:<120; content:"|22|login|22 3a|"; content:"|22|slavf1@yandex.ru|22|"; distance:0; fast_pattern; content:"|22|pass|22|"; distance:0; content:"|22|XMRig/"; reference:md5,4bc4b071d9a7e482f3ecf8b2cbe10873; classtype:coin-mining; sid:2024454; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_11, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2017_07_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Driveby bredolab hidden div served by nginx"; flow:established,to_client; content:"|0d 0a|Server|3a| nginx"; file_data; content:"<div style=|22|visibility|3a| hidden|3b 22|><"; depth:120; classtype:bad-unknown; sid:2011355; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Bank Phish M1 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"username="; depth:9; nocase; http_client_body; content:"&login.x="; nocase; distance:0; http_client_body; content:"&login.y="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023487; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MALVERTISING Alureon JavaScript IFRAME Redirect"; flow:established,to_client; file_data; content:"marginwidth=|5c 22|0|22 5c| marginheight=|5c 22|0|22 5c| hspace=|5c 22|0|22 5c| vspace=|5c 22|0|22 5c| frameborder=|5c 22|0|22 5c| scrolling=|5c 22|0|22 5c| bordercolor=|5c 22 23|000000|5c 22|></IFRAME>|22 29 3b 7d|"; classtype:bad-unknown; sid:2011978; rev:5; metadata:created_at 2010_11_24, former_category CURRENT_EVENTS, updated_at 2010_11_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Parite.B Checkin 3"; flow:to_server,established; dsize:>1000; content:"|00 00 00 00 9c 00 00 00 06 00 00 00 01 00 00 00|"; offset:0; depth:16; content:"|b1 1d 00 00 02 00 00 00|"; distance:0; reference:md5,d10d6d2a29dd27b44e015dd6bf4cb346; classtype:command-and-control; sid:2024429; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_27, deployment Perimeter, deployment Internet, former_category MALWARE, malware_family Parite, performance_impact Moderate, signature_severity Major, updated_at 2017_07_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Compressed Adobe Flash File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|45 57 73 09|"; distance:0; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012503; rev:5; metadata:created_at 2011_03_15, former_category CURRENT_EVENTS, updated_at 2011_03_15;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Known Malicious Stratum Authline (2017-07-17 7)"; flow:established,to_server; dsize:<120; content:"|22|login|22 3a|"; content:"|22|ownyaga@gmail.com|22|"; distance:0; fast_pattern; content:"|22|pass|22|"; distance:0; content:"|22|XMRig/"; reference:md5,3b24a327e60ee77668d09e5b96e27dc8; classtype:coin-mining; sid:2024471; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, deployment Internet, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2017_07_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY ACH - Redirection"; flow:from_server,established; file_data; content:"<title>NACHA</title>"; classtype:exploit-kit; sid:2013474; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_26, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer with Cisco config"; content:"|00 03|"; depth:2; content:"|0a 21 20|version|20|"; distance:2; within:12; classtype:policy-violation; sid:2015857; rev:5; metadata:created_at 2012_11_01, former_category TFTP, updated_at 2017_07_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Phoenix Java MIDI Exploit Received By Vulnerable Client"; flow:established,to_client; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; sid:2013484; rev:4; metadata:created_at 2011_08_29, former_category CURRENT_EVENTS, updated_at 2011_08_29;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer With Cisco Config 2"; content:"|00 03|"; depth:2; content:"NVRAM config last update"; distance:0; classtype:policy-violation; sid:2024481; rev:2; metadata:affected_product Cisco_ASA, affected_product Cisco_PIX, affected_product CISCO_Catalyst, attack_target Networking_Equipment, created_at 2017_07_19, deployment Perimeter, former_category TFTP, performance_impact Moderate, signature_severity Major, updated_at 2017_07_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Phoenix Java MIDI Exploit Received"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; sid:2013485; rev:4; metadata:created_at 2011_08_29, former_category CURRENT_EVENTS, updated_at 2011_08_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [442,443,446,447,8001] (msg:"ET MALWARE Win32/Ramnit Checkin"; flow:established,to_server; dsize:6; content:"|00 ff|"; depth:2; content:"|00 00|"; distance:1; within:2; reference:md5,3fc81e102825a74b27faabbcd9408993; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; reference:md5,5740a73856128270b37ec4afae870d12; classtype:command-and-control; sid:2018558; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_06, deployment Perimeter, former_category MALWARE, malware_family Ramnit, performance_impact Low, signature_severity Major, updated_at 2017_07_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Phoenix landing page JAVASMB"; flow:established,to_client; file_data; content:"JAVASMB()"; classtype:bad-unknown; sid:2013486; rev:4; metadata:created_at 2011_08_30, former_category CURRENT_EVENTS, updated_at 2011_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT EITest Keitaro Evil Redirect Leading to SocENG July 25 2017"; flow:established,to_server; content:"/?nbVykj"; pcre:"/\/\?nbVykj$/U"; classtype:social-engineering; sid:2024494; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2017_07_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Crimepack Java exploit attempt(2)"; flow:from_server,established; file_data; content:"PK"; content:"META-INF/MANIFEST"; within:50; content:"PK"; within:150; nocase; content:"Exploit|24 31 24 31 2E|class"; distance:0; fast_pattern; classtype:web-application-attack; sid:2013662; rev:2; metadata:created_at 2011_09_16, former_category CURRENT_EVENTS, updated_at 2011_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishery Phishing Tool - Default SSL Certificate Observed"; flow:established,from_server; content:"|55 04 03|"; content:"|08|go-phish"; fast_pattern; distance:1; within:9; reference:url,github.com/ryhanson/phishery; classtype:trojan-activity; sid:2024505; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_28, deployment Perimeter, former_category INFO, signature_severity Major, tag Phishing, updated_at 2017_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:"<applet"; content:"code="; content:".jar"; content:"e00oMDD"; fast_pattern; content:"</applet>"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013700; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ISMAgent Receiving Commands from CnC Server"; flow:from_server,established; content:"|23|command|23 23|systeminfo"; offset:36; fast_pattern; content:"&&"; distance:0; reference:md5,a70a08a1e17b820c7dc8ee1247d6bfa2; reference:url,researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/; classtype:command-and-control; sid:2024503; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_28, deployment Perimeter, former_category MALWARE, malware_family Ismdoor, performance_impact Moderate, signature_severity Major, updated_at 2017_07_31;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 1"; flow:established,from_server; file_data; content:"/Subtype /U3D"; content:"<</Author (Fo) /email (fo@gmail.com) /web (fo.googlepages.com)"; distance:0; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:bad-unknown; sid:2013996; rev:4; metadata:created_at 2011_12_08, updated_at 2011_12_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG encrypted payload M1 Feb 02 2016"; flow:established,to_client; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:exploit-kit; sid:2022484; rev:3; metadata:created_at 2016_02_03, former_category CURRENT_EVENTS, updated_at 2017_08_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 2"; flow:established,from_server; file_data; content:"/Subtype /U3D"; content:"/Contents (a pwning u3d model) /3DI false > /3DA << /A /PO /DIS /I >> /Rect [0 0 640 480] /3DD 10 0 R /F 7 >>"; distance:0; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:bad-unknown; sid:2013997; rev:6; metadata:created_at 2011_12_08, updated_at 2011_12_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG encrypted payload M1 Aug 01 2017"; flow:established,to_client; file_data; content:"|73 29 88 ff e0 d1 0e 74|"; within:8; reference:md5,263a2cf88f340b2a755db749be1371ea; classtype:exploit-kit; sid:2024507; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag RigEK, updated_at 2017_08_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MALVERTISING Alureon Malicious IFRAME"; flow:established,to_client; file_data; content:"name=\"Twitter\" scrolling=\"auto\" frameborder=\"no\" align=\"center\" height = \"1px\" width = \"1px\"></iframe>"; classtype:bad-unknown; sid:2014039; rev:5; metadata:created_at 2011_12_22, former_category CURRENT_EVENTS, updated_at 2011_12_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest Inject July 25 2017"; flow:established,from_server; file_data; content:"var a=a|7c 7c|window.event|3b|doOpen|28 22|http"; nocase; pcre:"/^s?\x3a\x2f\x2f[^\x22\x27]+\/\?[A-Za-z0-9]{5,6}(?:=[^&\x22\x27]+)?[\x22\x27]\x29\x3bsetCookie\(\x22popundr\x22,1,864e5\)\}/Ri"; classtype:exploit-kit; sid:2024493; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2017_07_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Version Check with hidden applet"; flow:established,from_server; file_data; content:"deployJava.versionCheck|28|"; content:"<applet"; nocase; distance:0; content:"hidden"; within:200; nocase; pcre:"/\x3capplet[^\x3e]+visibility[^\x3e]+hidden[^\x3e]/i"; classtype:exploit-kit; sid:2014136; rev:7; metadata:created_at 2012_01_19, updated_at 2012_01_19;)
+#alert tcp any any -> $HOME_NET [139,445] (msg:"ET DOS Possible SMBLoris NBSS Length Mem Exhaustion Vuln Inbound"; flow:established,to_server; content:"|00 01|"; depth:2; threshold:type both,track by_dst,count 3, seconds 90; reference:url,isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/; classtype:trojan-activity; sid:2024510; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_08_02, deployment Internal, former_category DOS, performance_impact Significant, signature_severity Major, updated_at 2017_08_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Driveby Delivered Malicious PDF"; flow:established,from_server; file_data; content:"%PDF"; depth:4; content:"/Author (yvp devo)/Creator (bub lob)"; distance:0; classtype:trojan-activity; sid:2014142; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious Domain SSL Cert in SNI (JS_POWMET)"; flow:established,to_server; content:"|16|"; depth:1; content:"|01|"; distance:4; content:"|00 00 0c|bogerando.ru"; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware; reference:md5,31f83bf81b139bcc69e51df2c76a0bf2; classtype:trojan-activity; sid:2024512; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_02, deployment Perimeter, former_category TROJAN, malware_family JS_POWMET, performance_impact Low, signature_severity Major, updated_at 2017_08_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Unknown Landing Page Received"; flow:established,from_server; file_data; content:"<applet code="; depth:35; content:".class"; distance:0; content:".jar"; distance:0; content:".pdf"; distance:0; classtype:exploit-kit; sid:2014168; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp any any -> $HOME_NET [139,445] (msg:"ET DOS SMBLoris NBSS Length Mem Exhaustion Attempt (PoC Based)"; flow:established,to_server; content:"|00 01 ff ff|"; depth:4; threshold:type both,track by_dst,count 30, seconds 300; reference:url,isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/; classtype:trojan-activity; sid:2024511; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_08_02, deployment Internal, former_category DOS, performance_impact Significant, signature_severity Major, updated_at 2017_08_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Java Rhino Scripting Engine Exploit Downloaded"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"com.class"; content:"edu.class"; content:"net.class"; content:"org.class"; classtype:exploit-kit; sid:2014243; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_02_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Landing M1 Aug 05 2017"; flow:established,from_server; file_data; content:"|5b 30 5d 5b 22 41 22 2b|"; content:"|29 2b 22 58 22 2b 22 4f 22 2b|"; distance:0; fast_pattern; content:"|72 65 74 75 72 6e 20 28 22 22 2b|"; content:"|29 2b 22 41 74 22 5d|"; distance:0; classtype:exploit-kit; sid:2024514; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_08_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Magnitude, updated_at 2017_08_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Java Atomic Exploit Downloaded"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:",CAFEBABE00000030007A0A002500300A003100320700"; distance:0; classtype:exploit-kit; sid:2014295; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_02_29, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Landing M2 Aug 05 2017"; flow:established,from_server; file_data; content:"|43 72 65 61 74 65 4f 62 6a 65 63 74 28|"; pcre:"/^(?P<var>[A-Z0-9a-z]{1,20})\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29/Rsi"; content:"|45 78 65 63 75 74 65 28|"; pcre:"/^(?P<var>[A-Z0-9a-z]{1,20})\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29/Ri"; content:"|52 65 44 69 6d|"; content:"|50 72 65 73 65 72 76 65|"; content:"|55 6e 45 73 63 61 70 65|"; classtype:exploit-kit; sid:2024515; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Magnitude, updated_at 2017_08_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito libtiff PDF Exploit Recieved"; flow:established,from_server; content:"Content-Disposition|3a| inline"; nocase; content:".pdf"; distance:0; file_data; content:"%PDF-"; depth:5; content:"<</Filter/FlateDecode /Length"; within:64; classtype:exploit-kit; sid:2014316; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_06, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT HTA File containing Wscript.Shell Call - Potential CVE-2017-0199"; flow:established,to_client; flowbits:isset,et.http.hta; content:"Wscript.Shell"; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html; reference:url,securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/; classtype:attempted-user; sid:2024196; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_10, cve 2017_0199, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2017_08_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole qwe123 PDF"; flow:established,from_server; file_data; content:"%PDF-1.6"; depth:8; content:"|20 28|qwe123"; classtype:trojan-activity; sid:2014368; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mail.ru Phish Aug 10 2017"; flow:to_server,established; content:"POST"; http_method; content:"1login="; depth:7; nocase; http_client_body; fast_pattern; content:"&login="; nocase; distance:0; http_client_body; content:"&Domain="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024532; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Exploit Kit Delivering JAR Archive to Client"; flow:established,to_client; flowbits:isset,et.exploitkitlanding; file_data; content:"|50 4B 03 04 14 00 08 00 08 00|"; within:10; classtype:exploit-kit; sid:2014526; rev:3; metadata:created_at 2012_04_06, former_category EXPLOIT_KIT, updated_at 2012_04_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible AMSI Powershell Bypass Attempt B641"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBk"; fast_pattern; classtype:trojan-activity; sid:2024534; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - page redirecting to a SutraTDS"; flow:established,to_client; file_data; content:"?igc.ni/"; distance:0; classtype:exploit-kit; sid:2014549; rev:3; metadata:created_at 2012_04_12, updated_at 2012_04_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible AMSI Powershell Bypass Attempt B642"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"EAbQBzAGkASQBuAGkAdABGAGEAaQBsAGUAZ"; fast_pattern; classtype:trojan-activity; sid:2024535; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Modified Metasploit Jar"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"msf|2f|x|2f|Payload"; classtype:trojan-activity; sid:2014560; rev:7; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_13, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible AMSI Powershell Bypass Attempt B643"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"hAG0AcwBpAEkAbgBpAHQARgBhAGkAbABlAG"; fast_pattern; classtype:trojan-activity; sid:2024536; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT landing page with malicious Java applet"; flow:established,from_server; file_data; content:"code="; distance:0; content:"xploit.class"; distance:2; within:18; classtype:bad-unknown; sid:2014561; rev:6; metadata:created_at 2012_04_13, former_category CURRENT_EVENTS, updated_at 2012_04_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible AMSI Powershell Bypass Attempt"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"System.Management.Automation.AmsiUtils"; fast_pattern; nocase; content:"amsiInitFailed"; nocase; content:"setvalue"; nocase; content:"$null"; nocase; distance:0; content:"$true"; nocase; distance:0; classtype:trojan-activity; sid:2024537; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JavaScript Determining OS MAC and Serving Java Archive File"; flow:established,to_client; file_data; content:"<script"; content:"navigator.userAgent.indexOf|28 27|Mac|27 29|"; distance:0; nocase; content:"setAttribute|28 27|code|27|"; distance:0; nocase; content:".class"; nocase; distance:0; content:"setAttribute|28 27|archive|27|"; distance:0; nocase; content:".jar"; nocase; distance:0; reference:url,blog.trendmicro.com/another-tibetan-themed-malware-email-campaign-targeting-windows-and-macs/; reference:cve,2011-3544; classtype:bad-unknown; sid:2014565; rev:3; metadata:created_at 2012_04_16, updated_at 2012_04_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Veil Powershell Encoder B641"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"KAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAo"; classtype:trojan-activity; sid:2024538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Italian Spam Campaign ZIP with EXE Containing Many Underscores"; flow:from_server,established; file_data; content:"|50 4b 03 04|"; within:4; byte_test:2,>,50,22,relative; content:"|5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 2e|exe"; distance:22; within:150; classtype:trojan-activity; sid:2014577; rev:5; metadata:created_at 2012_04_16, former_category CURRENT_EVENTS, updated_at 2012_04_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Veil Powershell Encoder B642"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"gALAAkACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAK"; classtype:trojan-activity; sid:2024539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Nikjju Mass Injection Compromised Site Served To Local Client"; flow:established,from_server; file_data; content:"</title><script src="; nocase; content:"http|3a|//"; nocase; within:8; content:"/r.php"; fast_pattern; within:100; content:"></script>"; distance:1; within:10; classtype:attempted-user; sid:2014607; rev:10; metadata:created_at 2012_04_17, former_category CURRENT_EVENTS, updated_at 2012_04_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Veil Powershell Encoder B643"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"oACwAJAAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnAC"; classtype:trojan-activity; sid:2024540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
 
-#alert http $HOME_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Nikjju Mass Injection Internal WebServer Compromised"; flow:established,from_server; file_data; content:"</title><script src="; nocase; content:"http|3a|//"; nocase; within:8; content:"/r.php"; fast_pattern; within:100; content:"></script>"; distance:1; within:10; classtype:attempted-user; sid:2014608; rev:9; metadata:created_at 2012_04_17, former_category CURRENT_EVENTS, updated_at 2012_04_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Phish - Verify Email Error Message M1 Aug 14 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"PASSWORD NOT MATCHED"; nocase; depth:20; fast_pattern; classtype:credential-theft; sid:2024541; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Obfuscated Please wait Message"; flow:established,to_client; file_data; content:"Please|3A|wait|3A|page|3A|is|3A|loading"; flowbits:set,et.exploitkitlanding; reference:url,isc.sans.edu/diary.html?storyid=13051; classtype:trojan-activity; sid:2014659; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M3 Aug 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"country="; depth:8; nocase; http_client_body; content:"&cc_holder="; nocase; distance:0; http_client_body; content:"&cc_number="; nocase; distance:0; http_client_body; fast_pattern; content:"&expdate_month="; nocase; distance:0; http_client_body; content:"&expdate_year="; nocase; distance:0; http_client_body; content:"&cvv2_number="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024546; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; pcre:"/=[0-9a-f]{8}\.jar/H"; file_data; content:"PK"; depth:2; classtype:trojan-activity; sid:2014664; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Chase Phish M1 Aug 15 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; content:"<title>"; nocase; content:"Chase Online"; nocase; within:50; fast_pattern; classtype:credential-theft; sid:2031575; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic - Redirection to Kit - BrowserDetect with var stopit"; flow:established,from_server; file_data; content:"var stopit = BrowserDetect.browser"; distance:0; classtype:exploit-kit; sid:2014665; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_05_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious Windows SCT Download MSXMLHTTP AX"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; file_data; content:"<registration"; nocase; distance:0; content:"progid"; distance:0; nocase; content:"<script"; nocase; distance:0; content:"<![CDATA["; nocase; content:"ActiveXObject"; nocase; distance:0; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024553; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, signature_severity Major, tag PowerShell_Downloader, updated_at 2017_08_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Injected Page Leading To Driveby"; flow:established,to_client; file_data; content:"/images.php?t="; distance:0; fast_pattern; content:"width=\"1\" height=\"1\""; within:100; classtype:trojan-activity; sid:2014666; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_05_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert udp $EXTERNAL_NET 389 -> $HOME_NET 389 (msg:"ET DOS CLDAP Amplification Reflection (PoC based)"; dsize:52; content:"|30 84 00 00 00 2d 02 01 01 63 84 00 00 00 24 04 00 0a 01 00|"; fast_pattern; threshold:type both, count 100, seconds 60, track by_src; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; reference:url,packetstormsecurity.com/files/139561/LDAP-Amplication-Denial-Of-Service.html; classtype:attempted-dos; sid:2024584; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Server, created_at 2017_08_16, deployment Perimeter, former_category DOS, performance_impact Significant, signature_severity Major, updated_at 2017_08_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Try App.title Catch - May 22nd 2012"; flow:established,to_client; file_data; content:"try{app.title}catch("; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014801; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"ET DOS Potential CLDAP Amplification Reflection"; content:"objectclass0"; fast_pattern; threshold:type both, count 200, seconds 60, track by_src; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; reference:url,packetstormsecurity.com/files/139561/LDAP-Amplication-Denial-Of-Service.html; classtype:attempted-dos; sid:2024585; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2017_08_16, deployment Perimeter, former_category DOS, performance_impact Significant, signature_severity Major, updated_at 2017_08_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Obfuscated Javascript Blob"; flow:established,to_client; file_data; content:"<pre id=|22|"; content:"style=|22|display|3A|none|3B 22 3E|"; within:100; isdataat:400,relative; content:!"|20|"; within:400; content:!"pre|3E|"; within:400; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|3C 2F|pre|3E|3Cscript|3E|"; fast_pattern; distance:400; pcre:"/display\x3Anone\x3B\x22\x3E[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}[^\r\n]*\x3C\x2Fpre\x3E\x3Cscript\x3E/sm"; classtype:trojan-activity; sid:2014820; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert tcp [$EXTERNAL_NET,!199.30.201.192/29] any -> $HOME_NET any (msg:"ET MALWARE NetWire / Ozone / Darktrack Alien RAT - Server Hello"; flow:established,to_client; flowbits:isset,ET.NetWire; content:"|01 00 00 00 00|"; depth:5; dsize:6; reference:url,researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic; reference:url,www.circl.lu/pub/tr-23; classtype:trojan-activity; sid:2021977; rev:6; metadata:created_at 2015_10_20, former_category TROJAN, updated_at 2017_08_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole RawValue Specific Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; depth:5; content:"|2E|rawValue|5D 5B|0|5D 2E|split|28 27 2D 27 29 3B|"; distance:0; reference:cve,2010-0188; classtype:trojan-activity; sid:2014821; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-07-28"; flow:established,to_client; file_data; content:"<title>Google Documents Email Verification</title>"; content:"emailID"; distance:0; content:"document.other.email"; distance:0; fast_pattern; content:"emailPASS"; distance:0; content:"document.other.phone"; distance:0; classtype:social-engineering; sid:2031712; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Malicious PDF asdvsa"; flow:established,from_server; file_data; content:"obj"; content:"<<"; within:4; content:"(asdvsa"; within:80; classtype:trojan-activity; sid:2014823; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Jul 10 2015"; flow:to_client,established; file_data; content:".php|22 20|method=|22|POST|22|"; fast_pattern; content:"Sign in with Gmail"; distance:0; content:"Sign in with Yahoo"; distance:0; content:"Sign in with Hotmail"; distance:0; content:"Sign in with AOL"; distance:0; content:"Sign in with Others"; distance:0; classtype:social-engineering; sid:2025683; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Script Profile ASD"; flow:established,to_client; file_data; content:"pre id=|22|asd|22|"; classtype:trojan-activity; sid:2014825; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Google Drive/Dropbox Phishing Landing Jul 10 2015"; flow:to_client,established; file_data; content:"openOffersDialog|28 29 3b|"; content:"dropboxmaincontent"; fast_pattern; distance:0; content:"Verification Required"; nocase; distance:0; classtype:social-engineering; sid:2021400; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php with eval/gzinflate/base64_decode possible webshell"; flow:to_client,established; file_data; content:"<?"; content:"eval(gzinflate(base64_decode("; distance:0; reference:url,blog.sucuri.net/2012/05/list-of-domains-hosting-webshells-for-timthumb-attacks.html; classtype:web-application-attack; sid:2014847; rev:6; metadata:created_at 2012_05_30, former_category CURRENT_EVENTS, updated_at 2012_05_30;)
+alert http $EXTERNAL_NET !2095 -> $HOME_NET any (msg:"ET PHISHING Possible Successful Phish - Generic Status Messages Sept 11 2015"; flow:established,to_client; file_data; content:"|22|ajax_timeout|22 20 3A 20 22|"; content:"Authenticating|20 E2 80 A6 22 2C|"; fast_pattern; distance:0; content:"|22|expired_session|22 20 3A 20 22|Your"; distance:0; content:"|22|prevented_xfer|22 20 3A 20 22|The session"; distance:0; content:"successful. Redirecting|20 E2 80 A6 22 2C|"; distance:0; content:"|22|token_incorrect|22 20 3A 20 22|The security"; distance:0; classtype:credential-theft; sid:2021761; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Obfuscated Javascript redirecting to Blackhole June 7 2012"; flow:established,from_server; file_data; content:"st=\"no3"; content:"3rxtc\"\;Date"; distance:12; within:60; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014873; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Google Drive Phishing Landing 2015-07-13"; flow:to_client,established; file_data; content:"UPLOADED FILE"; fast_pattern; content:"Sign in with your existing Email Service"; distance:0; content:"Email Service Provider"; distance:0; content:"select.com"; distance:0; content:"VIEW DOCUMENT"; distance:0; classtype:social-engineering; sid:2031707; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_13, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript redirecting to badness 21 June 2012"; flow:established,from_server; file_data; content:"javascript'>var wow="; content:"Date&&"; distance:12; within:60; classtype:bad-unknown; sid:2014930; rev:4; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2012_06_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-07-28"; flow:established,to_client; file_data; content:"<title>Google Documents Email Verification</title>"; content:"emailID.value"; distance:0; content:"emailPASS.value"; distance:0; classtype:social-engineering; sid:2031713; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Please wait a moment Jun 20 2012"; flow:established,to_client; file_data; content:"Please wait a moment. You will be forwarded..."; classtype:trojan-activity; sid:2014931; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive (Remax) Phish Landing Nov 4"; flow:established,from_server; file_data; content:"#MyRemax_Password"; nocase; fast_pattern; content:"#MyRemax_Email"; nocase; distance:0; content:"<title>Meet Google Drive"; nocase; distance:0; classtype:social-engineering; sid:2022035; rev:3; metadata:created_at 2015_11_04, former_category CURRENT_EVENTS, updated_at 2017_08_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic - PDF with NEW PDF EXPLOIT"; flow:established,to_client; file_data; content:"%PDF"; depth:4; fast_pattern; content:"NEW PDF EXPLOIT"; classtype:trojan-activity; sid:2014966; rev:3; metadata:created_at 2012_06_26, former_category CURRENT_EVENTS, updated_at 2012_06_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Google Drive (Remax) Phish Nov 4"; flow:to_server,established; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary=---------"; http_header; content:"form-data|3b 20|name=|22|server|22|"; nocase; http_client_body; fast_pattern; content:"form-data|3b 20|name=|22|ipLists|22|"; nocase; http_client_body; distance:0; content:"form-data|3b 20|name=|22|ipEmpty|22|"; nocase; http_client_body; distance:0; content:"form-data|3b 20|name=|22|MyRemax_Email|22|"; nocase; http_client_body; distance:0; content:"form-data|3b 20|name=|22|MyRemax_Password|22|"; nocase; http_client_body; distance:0; classtype:credential-theft; sid:2022036; rev:3; metadata:created_at 2015_11_04, former_category PHISHING, updated_at 2019_09_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Scalaxy Jar file"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"C1.class"; fast_pattern; distance:0; content:"C2.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014983; rev:3; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE LURK Trojan Communication Protocol detected"; flow:established,to_server; content:"LURK|30|"; depth:5; content:"|78 9c|"; distance:8; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014225; rev:3; metadata:created_at 2012_02_14, former_category TROJAN, updated_at 2017_08_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*km0ae9gr6m*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014984; rev:5; metadata:created_at 2012_06_29, former_category CURRENT_EVENTS, updated_at 2012_06_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious Windows SCT Download MSXMLHTTP AX M2"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; file_data; content:"<package"; nocase; distance:0; content:"<component"; distance:0; nocase; content:"<script"; nocase; distance:0; content:"<![CDATA["; nocase; content:"ActiveXObject"; nocase; distance:0; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024602; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell_Downloader, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2017_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*qhk6sa6g1c*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014985; rev:6; metadata:created_at 2012_06_29, former_category CURRENT_EVENTS, updated_at 2012_06_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Payload Aug 23 2017"; flow:established,from_server; file_data; content:"|30 26 e2 3d 9d f5 5b 16|"; within:8; flowbits:set,ET.DisDain.EK; classtype:exploit-kit; sid:2024608; rev:2; metadata:created_at 2017_08_23, updated_at 2017_08_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Runforestrun Malware Campaign Infected Website Landing Page Obfuscated String JavaScript DGA"; flow:established,to_client; file_data; content:"*/window.eval(String.fromCharCode("; isdataat:80,relative; content:!")"; within:80; pcre:"/\x2A[a-z0-9]{10}\x2A\x2Fwindow\x2Eeval\x28String\x2EfromCharCode\x28[0-9]{1,3}\x2C[0-9]{1,3}\x2C/sm"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014998; rev:3; metadata:created_at 2012_07_03, former_category CURRENT_EVENTS, updated_at 2012_07_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Flash Exploit M1 Aug 23 2017"; flow:established,from_server; flowbits:isset,ET.DisDain.EK; file_data; content:"CWS"; within:3; classtype:exploit-kit; sid:2024609; rev:2; metadata:created_at 2017_08_23, updated_at 2017_08_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Split String Obfuscation of Eval 1"; flow:established,to_client; file_data; content:"e|22|+|22|va"; pcre:"/(\x3D|\x5B\x22])e\x22\x2B\x22va/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015012; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Flash Exploit M2 Aug 23 2017"; flow:established,from_server; flowbits:isset,ET.DisDain.EK; file_data; content:"ZWS"; within:3; classtype:exploit-kit; sid:2024610; rev:2; metadata:created_at 2017_08_23, updated_at 2017_08_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Split String Obfuscation of Eval 2"; flow:established,to_client; file_data; content:"e|22|+|22|v|22|+|22|a"; pcre:"/(\x3D|\x5B\x22])e\x22\x2B\x22v\x22\x2B\x22a/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015013; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Flash Exploit M3 Aug 23 2017"; flow:established,from_server; flowbits:isset,ET.DisDain.EK; file_data; content:"FWS"; within:3; classtype:exploit-kit; sid:2024611; rev:2; metadata:created_at 2017_08_23, updated_at 2017_08_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Eval Variable Obfuscation 1"; flow:established,to_client; file_data; content:"=|22|ev|22 3B|"; content:"+|22|al|22|"; distance:0; pcre:"/\x2B\x22al\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015025; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OSX.Pwnet.A Certificate Observed"; flow:established,from_server; content:"|55 04 03|"; content:"|08|vlone.cc"; distance:1; within:9; reference:url,sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/; classtype:trojan-activity; sid:2024613; rev:1; metadata:created_at 2017_08_23, updated_at 2017_08_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Eval Variable Obfuscation 2"; flow:established,to_client; file_data; content:"=|22|e|22 3B|"; content:"+|22|val|22|"; distance:0; pcre:"/\x2B\x22val\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015026; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 3"; content:"|30|"; depth:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|02|"; distance:-129; within:1; byte_test:1,!&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016180; rev:3; metadata:created_at 2013_01_09, former_category SNMP, updated_at 2017_08_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED 09 July 2012 Blackhole Landing Page - Please Wait Loading"; flow:established,from_server; file_data; content:"Please wait, the page is loading..."; nocase; content:"x-java-applet"; distance:0; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015048; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert udp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"GPL NETBIOS NS lookup response name overflow attempt"; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; reference:bugtraq,10333; reference:bugtraq,10334; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2102563; rev:7; metadata:created_at 2010_09_23, former_category NETBIOS, updated_at 2017_08_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Unknown_s=1 - Landing Page - 10HexChar Title and applet"; flow:established,to_client; file_data; content:"<applet"; pcre:"/<title>[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2015053; rev:6; metadata:created_at 2012_07_12, former_category CURRENT_EVENTS, updated_at 2012_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>NatWest Online Banking</title>"; nocase; classtype:social-engineering; sid:2024622; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Unknown_s=1 - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; content:"value=\""; pcre:"/value=.[a-f0-9]{100}/"; classtype:trojan-activity; sid:2015054; rev:5; metadata:created_at 2012_07_12, former_category CURRENT_EVENTS, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Pin and Password - NWOLB</title>"; nocase; classtype:social-engineering; sid:2024623; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d malware network iframe"; flow:established,to_client; file_data; content:"|22| name=|22|Twitter|22| scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|></iframe>"; classtype:trojan-activity; sid:2015057; rev:4; metadata:created_at 2012_07_12, former_category CURRENT_EVENTS, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Security Details - NWOLB</title>"; nocase; classtype:social-engineering; sid:2024624; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DoSWF Flash Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"CWS"; depth:3; content:"<doswf version="; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2015574; rev:5; metadata:created_at 2012_08_04, former_category EXPLOIT_KIT, updated_at 2012_08_04;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE CobianRAT Receiving Additional Commands From CnC"; flow:from_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"more|7c 2d 7c|"; within:30; fast_pattern; pcre:"/^(?:FM|SM|CP|CM|MC|NF|CH|PS|PT)/R"; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:command-and-control; sid:2024653; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category MALWARE, malware_family CobianRAT, performance_impact Low, signature_severity Major, updated_at 2017_09_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments"; flow:established,to_client; file_data; content:"FoxxySF Website Copier"; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015583; rev:4; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Dropbox - Verify Email</title>"; fast_pattern; classtype:social-engineering; sid:2024656; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_09_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Redirection Page Try Math.Round Catch - 7th August 2012"; flow:established,to_client; file_data; content:"try{"; content:"=Math.round|3B|}catch("; distance:0; classtype:trojan-activity; sid:2015586; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE CobianRAT Checkin to CnC"; flow:to_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"|02|LOGIN|7c 2d 7c|"; within:30; fast_pattern; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:command-and-control; sid:2024651; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category MALWARE, malware_family CobianRAT, performance_impact Low, signature_severity Major, updated_at 2017_09_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|0|22| height=|22|0|22|>"; fast_pattern; within:100; classtype:exploit-kit; sid:2015605; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE CobianRAT Receiving Commands From CnC"; flow:from_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; fast_pattern; content:"|00 00 02|"; within:30; pcre:"/^(?:Lg|Execute|FLD|Sc)\x7c\x2d\x7c/R"; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:command-and-control; sid:2024652; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category MALWARE, malware_family CobianRAT, performance_impact Low, signature_severity Major, updated_at 2017_09_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Hwehes String - August 13th 2012"; flow:established,to_client; file_data; content:"hwehes"; content:"hwehes"; distance:0; content:"hwehes"; distance:0; content:"hwehes"; distance:0; classtype:trojan-activity; sid:2015622; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE CobianRAT Receiving Config Commands from CnC"; flow:from_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"Svr|7c 2d 7c|"; within:100; fast_pattern; pcre:"/^(?:\x40|\x21|\x23|\x7e|\x24)/R"; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:command-and-control; sid:2024654; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category MALWARE, malware_family CobianRAT, performance_impact Low, signature_severity Major, updated_at 2017_09_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SweetOrange - Java Exploit Downloaded"; flow:established,from_server; file_data; content:".classPK"; content:".mp4PK"; fast_pattern; within:80; classtype:exploit-kit; sid:2017476; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE CobianRAT Screenshot Exfil to CnC"; flow:to_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"|02|Sc|7c 2d 7c|"; within:30; fast_pattern; content:"JFIF"; within:10; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:command-and-control; sid:2024655; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category MALWARE, malware_family CobianRAT, performance_impact Low, signature_severity Major, updated_at 2017_09_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit applet landing"; flow:established,from_server; file_data; content:"<html>|0d 0a|<body>|0d 0a|<applet archive="; content:"width=|22|0|22| height=|22|0|22|></applet>|0d 0a|</body>|0d 0a|</body></html>"; distance:0; classtype:exploit-kit; sid:2013699; rev:3; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2011_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP InstallCore Variant CnC Checkin"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; content:"|7c|"; http_client_body; depth:40; content:"POST|20|/|20|HTTP/1.1|0d 0a|Accept|3a 20 2a 2f 2a 0d 0a|Host|3a|"; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x7c/P"; reference:md5,42374945061c7941d6690793ae393d3a; classtype:pup-activity; sid:2024428; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Major, updated_at 2017_09_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MALVERTISING OpenX BrowserDetect.init Download"; flow:established,to_client; content:"OAID="; http_cookie; file_data; content:"BrowserDetect.init"; classtype:bad-unknown; sid:2014038; rev:6; metadata:created_at 2011_12_22, former_category CURRENT_EVENTS, updated_at 2011_12_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Exploit"; flow:established,from_server; file_data; content:"triggerBug"; nocase; fast_pattern; pcre:"/^\s*(?:\x28|\%28)/Rs"; content:"exploit"; nocase; pcre:"/^\s*(?:\x28|\%28)o/Rs"; content:"intToStr"; nocase; pcre:"/^\s*(?:\x28|\%28)x/Rs"; content:"strToInt"; nocase; pcre:"/^\s*(?:\x28|\%28)s/Rs"; classtype:trojan-activity; sid:2024676; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Critical, updated_at 2017_09_07;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|licensecheck.bit"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022208; rev:1; metadata:attack_target Client_and_Server, created_at 2015_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.Bot CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?hwid="; http_uri; fast_pattern; content:"&os="; http_uri; distance:0; content:"&build="; http_uri; distance:0; content:"&cpu="; http_uri; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,92c3157d76c67668ca815541c6bb3ba8; classtype:command-and-control; sid:2024679; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2017_09_08;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e2 81 a8 a0 05 4c c8 8b|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022212; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Adwind)"; flow:established,from_server; content:"|55 04 03|"; content:"|18|www.svx2id6wmwgfxela.net"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024682; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Adwind, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Excel with Embedded .emf object downloaded"; flow:established,to_client; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"| 50 4B 03 04 |"; content:"|2F 6D 65 64 69 61 2F 69 6D 61 67 65 |"; within:64; content:"| 2E 65 6D 66 |"; within:15; classtype:bad-unknown; sid:2012504; rev:8; metadata:created_at 2011_03_15, former_category CURRENT_EVENTS, updated_at 2011_03_15;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (URLzone)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|dicco.at"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024681; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family URLZone, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2018_04_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/KDefend Checkin"; flow:established,to_server; content:"c|00|h|00|i|00|n|00|a|00 00 00|"; offset:16; depth:12; fast_pattern; content:"|20|MB|00|"; within:10; content:"/proc/stat|00|cpu|00|"; within:21; reference:url,blog.malwaremustdie.org/2015/12/mmd-0045-2015-kdefend-new-elf-threat.html; classtype:command-and-control; sid:2022219; rev:3; metadata:created_at 2015_12_04, former_category MALWARE, updated_at 2015_12_04;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|sslstatsita.info"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024685; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Adware.iBryte.B Install"; flow:to_server,established; content:"GET"; http_method; content:"/impression.do"; http_uri; fast_pattern:only; content:"event="; http_uri; content:"_id="; http_uri; content:!"Referer|3a|"; http_header; reference:md5,1497c33eede2a81627c097aad762817f; classtype:trojan-activity; sid:2018194; rev:9; metadata:created_at 2012_02_13, updated_at 2012_02_13;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|fiftyflorston.win"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024683; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Blank User-Agent (descriptor but no string)"; flow:to_server,established; content:"User-Agent|3a 0d 0a|"; http_header; content:!"check.googlezip.net|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008066; classtype:pup-activity; sid:2008066; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|lio.party"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024684; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|baknsystem.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022078; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|115f697a1698.bid"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024686; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|coughweb.biz"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022226; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|7193a37d9d98.bid"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024687; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.gooodlaosadf.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022230; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BegOp Exploit Kit Payload"; flow:established,from_server; content:"Content-Type|3a| image/"; http_header; fast_pattern:only; file_data; content:"M"; within:1; content:!"Z"; within:1; content:"Z"; distance:1; within:1; classtype:exploit-kit; sid:2015783; rev:6; metadata:created_at 2012_10_06, former_category EXPLOIT_KIT, updated_at 2017_09_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 41 89 47 37 8f 56 41|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022231; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 8F|"; fast_pattern:only; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012089; rev:3; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2017_09_08;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|09|Cyxuzoidv"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022233; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C|x41|5C|x41|5C|x41|5C|x41"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013273; rev:3; metadata:created_at 2011_07_14, former_category SHELLCODE, updated_at 2017_09_08;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 07|"; content:"|0b|los Angeles"; distance:1; within:12; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0c|*.google.com"; distance:1; within:13; content:"@google.com"; distance:0; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022235; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-16 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c0c"; nocase; distance:0; classtype:bad-unknown; sid:2016715; rev:3; metadata:created_at 2013_04_04, former_category SHELLCODE, updated_at 2017_09_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Excel Online Phish Landing 2015-12-08"; flow:to_client,established; file_data; content:"id=|22|sfm_excel_body|22|"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:"name=|22|Email|22|"; nocase; distance:0; content:"name=|22|Password|22|"; nocase; distance:0; content:"type=|22|password|22|"; nocase; distance:0; content:"Keep me signed in"; nocase; distance:0; classtype:social-engineering; sid:2031692; rev:4; metadata:created_at 2015_12_08, former_category PHISHING, updated_at 2015_12_08;)
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 stealth NOOP"; content:"|EB 02 EB 02 EB 02|"; reference:arachnids,291; classtype:shellcode-detect; sid:2100651; rev:10; metadata:created_at 2010_09_23, former_category SHELLCODE, updated_at 2017_09_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED EXE Download Request To Wordpress Folder Likely Malicious"; flow:established,to_server; content:"GET"; http_method; content:"/wp-"; http_uri; content:".exe"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\.exe(?:\?[0-9])?$/U"; pcre:"/\/wp-(?:content|admin|includes)\//U"; reference:md5,1828f7090d0ad2844d3d665d2f41f911; classtype:trojan-activity; sid:2022239; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2015_12_09, deployment Datacenter, former_category TROJAN, signature_severity Major, tag Wordpress, updated_at 2018_07_18;)
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:2101390; rev:7; metadata:created_at 2010_09_23, former_category SHELLCODE, updated_at 2017_09_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible CryptoWall encrypted download"; flow:to_client,established; file_data; byte_test:1,<,12,0; content:"|00 00 00|"; distance:1; within:3; byte_test:1,<,127,0,relative; byte_test:1,>,48,0,relative; byte_jump:1,0,from_beginning,post_offset 5; byte_test:1,=,0,0,relative; pcre:"/^[\x00-\x0c]\x00\x00\x00[a-z0-9]{6,12}\x00/s"; classtype:trojan-activity; sid:2018788; rev:3; metadata:created_at 2014_07_28, updated_at 2014_07_28;)
+#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 404 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010517; classtype:web-application-attack; sid:2010517; rev:4; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2017_09_08;)
 
-#alert udp $HOME_NET any -> any [5060,5061,5600] (msg:"ET MALWARE Ponmocup plugin #2600 (SIP scanner)"; content:"User-Agent|3a| Zoiper for Windows rev.1812|0d0a|"; threshold: type limit, count 1, seconds 3600, track by_src; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022206; rev:2; metadata:created_at 2015_12_02, updated_at 2015_12_02;)
+#alert ftp $HOME_NET ![21,25,110,119,139,445,465,475,587,902,1433,2525] -> any any (msg:"ET HUNTING Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"SMTP"; within:20; reference:url,doc.emergingthreats.net/2011124; classtype:pup-activity; sid:2011124; rev:20; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_09_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Evil Redirector Leading to EK Mar 06 2015"; flow:established,to_server; content:"/counter.php?referrer=http"; http_uri; classtype:exploit-kit; sid:2020638; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_03_07, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] Backdoor.Win32/Remcos RAT pkt checker 4"; flow:established, to_server; stream_size:server,<,70; stream_size:client,<,696; stream_size:client,>,0; stream_size:server,>,35; flowbits:isset,FB180732_3; flowbits:unset,FB180732_3; threshold:type limit,track by_src,count 1, seconds 30; reference:url,blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2; classtype:trojan-activity; sid:2024698; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Moderate, signature_severity Major, updated_at 2020_11_06;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|www.benvenuittopronto.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022248; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] pkt checker 3"; flow:established, to_client; dsize:30<>33; stream_size:server, <,70; stream_size:client, <,610; stream_size:client, >,0; stream_size:server, >,35; flowbits:noalert; flowbits:isset, FB180732_2; flowbits:unset, FB180732_2; flowbits:set, FB180732_3; classtype:trojan-activity; sid:2024697; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Moderate, signature_severity Major, updated_at 2017_09_11;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca a8 d2 15 e5 c6 b7 72|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022249; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] pkt checker 2"; flow:established, to_server; dsize:50<>101; stream_size:server, <,35; stream_size:client, <,610; stream_size:server, >,0; stream_size:client, >,30; flowbits:noalert; flowbits:isset, FB180732_1; flowbits:unset,FB180732_1; flowbits:set,FB180732_2; classtype:trojan-activity; sid:2024696; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Significant, signature_severity Major, updated_at 2017_10_02;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|theliveguard.net"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022250; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] pkt checker 1"; flow:established, to_client; dsize:30<>33; stream_size:server,<,35; stream_size:client,<,513; stream_size:server,>,0; stream_size:client,>,30; flowbits:noalert; flowbits:isset,FB180732_0; flowbits:unset, FB180732_0; flowbits:set,FB180732_1; classtype:trojan-activity; sid:2024695; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Moderate, signature_severity Major, updated_at 2017_09_11;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|televcheck.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022251; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] pkt checker 0"; flow:established, to_server; dsize:200<>513; stream_size:client,>,0; stream_size:server,=,1; stream_size:client, <,513; flowbits:noalert; flowbits:set,FB180732_0; classtype:trojan-activity; sid:2024694; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Moderate, signature_severity Major, updated_at 2017_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|welcomefreinds.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022252; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HoeflerText Chrome Popup DriveBy Download Attempt 1"; flow:established,to_client; file_data; content:"The |22|HoeflerText|22| font wasn't found"; nocase; fast_pattern; content:"you have to update the |22|Chrome Font Pack|22|"; distance:0; nocase; content:"Click on the Chrome_Font.exe"; distance:0; nocase; content:"Latest version"; distance:0; nocase; content:"href=|22|http"; distance:0; nocase; content:"window.chrome"; distance:0; nocase; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; classtype:exploit-kit; sid:2024238; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2017_09_12;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M1"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|04|Asia"; distance:1; within:5; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022253; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HoeflerText Chrome Popup DriveBy Download Attempt 2"; flow:established,to_client; file_data; content:"The |22|HoeflerText|22| font was not found"; nocase; fast_pattern; content:"you have to update the |22|Chrome Font Pack|22|"; distance:0; nocase; content:"To install |22|HoeflerText|22| font for your PC"; distance:0; nocase; content:"Download the .js"; distance:0; nocase; content:".attr('href',"; distance:0; nocase; metadata: former_category CURRENT_EVENTS; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; classtype:exploit-kit; sid:2024700; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_12, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_09_12;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M2"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0d|North America"; distance:1; within:14; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022254; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK encrypted payload Sept 11 (1)"; flow:established,to_client; file_data; content:"|8d b1 8a d0 36 8d 5d bf|"; within:8; classtype:exploit-kit; sid:2024691; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2017_09_12;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M3"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|06|Africa"; distance:1; within:7; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022255; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent|3a| unknown"; http_header; content:!".real.com|0d 0a|"; http_header; content:!".rhapsody.com|0D 0A|"; http_header; reference:url,doc.emergingthreats.net/2007567; classtype:trojan-activity; sid:2007567; rev:11; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_09_13;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M4"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|06|Europe"; distance:1; within:7; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022256; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Emotet Post Drop C2 Comms"; flow:established,from_server; file_data; content:"|502163174a9069e5f28277c59da7fb141ee82f8e|"; classtype:command-and-control; sid:2035042; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2017_09_19;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M5"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|09|Australia"; distance:1; within:10; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022257; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SPL2 PluginDetect Data Hash"; flow:to_server,established; content:".html?id"; http_uri; fast_pattern:only; pcre:"/\.html\?id\d*?=[a-f0-9]{32}$/U"; pcre:"/GET\s[^\r\n]*?(?P<name>\/[^\.\/]+\.html)\?id\d*?=[a-f0-9]{32}\sHTTP\/1\..+?\r\nReferer\x3a\x20[^\r\n]*?(?P=name)(:?\d{1,5})?\r\n/s"; classtype:trojan-activity; sid:2017850; rev:3; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2017_09_20;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M6"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0d|South America"; distance:1; within:14; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022258; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu Certificate flowbit set 1"; flow:established, to_client; content:"|30 82 04|"; depth:300; content:"|30 82 03|"; distance:1; within:3; content:"|a0 03 02 01 02 02 04|"; distance:1; within:7; content:"|30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 81|"; distance:4; within:17; flowbits:set,FB332502_; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 30; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024751; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_21;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M7"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0a|Antarctica"; distance:1; within:11; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022259; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [:32768] (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 2"; flow:established, to_server; content:"|17 03|"; depth:2; content:"|00 40|"; distance:1; within:2; fast_pattern; stream_size:server, >,1789; stream_size:server, <,2124; stream_size:client, >,447; stream_size:client, <,1722; flowbits:isset, FB332502_; flowbits:set, FB332502_0; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024752; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_21;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|checkstat99.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022267; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 5"; flow:established,to_client; content:"|17 03|"; depth:2; content:"|00 50|"; distance:1; within:2; fast_pattern; stream_size:server, >,1889; stream_size:server, <,2224; stream_size:client, >,1476; stream_size:client, <,8722; flowbits:isset, FB332502_2; flowbits:unset, FB332502_2; flowbits:set, FB332502_3; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024755; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_21;)
 
-#alert http [$EXTERNAL_NET,!208.85.44.0/24] $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (3)"; flow:established,to_client; file_data; content:"|dc 18 02|"; distance:4; within:3; pcre:"/^(?:\x62|\x1b)/R"; classtype:trojan-activity; sid:2022140; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|vinci-energie.co"; distance:1; within:17; reference:md5,69f8181bfe4a53d9e0b73c81a4ae4587; classtype:domain-c2; sid:2024757; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_and_Server, created_at 2017_09_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag MalDoc, updated_at 2017_09_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 85 47 00 43 cf a7 86 ee|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,d90c0177437c4cf588de4e60ab233fe1; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022275; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED Possible OptionsBleed (CVE-2017-9798)"; flow:established,to_server; content:"OPTIONS"; http_method; flowbits:set,ET.2017-9798; threshold: type both, count 30, seconds 30, track by_src; classtype:misc-activity; sid:2024759; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_19, cve 2017_9798, deployment Perimeter, former_category WEB_SERVER, performance_impact Moderate, signature_severity Major, updated_at 2019_12_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|lililililililili.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022276; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Suspicious Darkwave Popads Pop Under Redirect"; flow:established,to_client; file_data; content:"|2f 2a 20 50 72 69 76 65 74 20 64 61 72 6b 76 2e 20 45 61 63 68 20 64 6f 6d 61 69 6e 20 69 73 20 32 68 20 66 6f 78 20 64 65 61 64 20 2a 2f|"; classtype:policy-violation; sid:2024764; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_23, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2017_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|intelliadsign.net"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022277; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible Zip DL containing single VBS script"; flow:established,from_server; file_data; content:"|50 4b 01 02|"; content:".vbs"; nocase; distance:0; pcre:"/^(?:(?!PK).)*?\x50\x4b\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00/Rs"; classtype:bad-unknown; sid:2024769; rev:2; metadata:created_at 2017_09_26, former_category WEB_CLIENT, updated_at 2017_09_26;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|boistey.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022278; rev:1; metadata:attack_target Client_and_Server, created_at 2015_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-11-06"; flow:established,from_server; file_data; content:"Sign in with your email address"; nocase; content:"view or download attachment"; nocase; distance:0; content:"Select your email provider"; nocase; distance:0; content:"Sign in with Gmail"; nocase; distance:0; fast_pattern; content:"Sign in with Yahoo"; nocase; distance:0; content:"Sign in with Hotmail"; nocase; distance:0; content:"Sign in with AOL"; nocase; distance:0; content:"Sign in with Others"; nocase; distance:0; classtype:social-engineering; sid:2031736; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2017_09_27;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|ssl-tree.ru"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022286; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu"; flow:established, to_client; content:"|17 03|"; depth:2; content:"|00 50|"; distance:1; within:2; fast_pattern; stream_size:server, >,1889; stream_size:server, <,2436; stream_size:client, >,1476; stream_size:client, <,8834; flowbits:isset, FB332502_3; flowbits:unset, FB332502_3; threshold:type limit, track by_src, count 1, seconds 30; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024756; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|foenglera.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022287; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 1"; flow:established,to_server; content:"|17 03|"; depth:2; content:"|00 b0|"; distance:1; within:2; fast_pattern; stream_size:client,>,424; stream_size:client,<,685; flowbits:isset,FB346039_0; flowbits:unset,FB346039_0; flowbits:set,FB346039_1; flowbits:set,FB346039_2; flowbits:noalert; classtype:command-and-control; sid:2024774; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
 
-alert tcp any any -> $HOME_NET 23 (msg:"ET EXPLOIT Juniper ScreenOS telnet Backdoor Default Password Attempt"; flow:established,to_server; content:"|3c 3c 3c 20 25 73 28 75 6e 3d 27 25 73 27 29 20 3d 20 25 75|"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:cve,2015-7755; reference:url,community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor; classtype:attempted-admin; sid:2022291; rev:1; metadata:created_at 2015_12_21, updated_at 2015_12_21;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 0"; flow:established,to_server; content:"|17 03|"; depth:2; content:"|00 a0|"; distance:1; within:2; fast_pattern; stream_size:server,>,4868; stream_size:server,<,5949; stream_size:client,>,424; stream_size:client,<,685; flowbits:isset,FB346039_0; flowbits:unset,FB346039_0; flowbits:set,FB346039_1; flowbits:noalert; classtype:command-and-control; sid:2024773; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M8"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0f|Central America"; distance:1; within:16; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022292; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 2"; flow:established,to_client; content:"|1703|"; depth:2; content:"|0140|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,10069; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_1; flowbits:unset,FB346039_1; flowbits:unset,FB346039_2; flowbits:set,FB346039_3; flowbits:noalert; classtype:command-and-control; sid:2024775; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|rommen-haft.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022293; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 3"; flow:established,to_client; content:"|1703|"; depth:2; content:"|04A0|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,10069; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_3; flowbits:unset,FB346039_3; flowbits:set,FB346039_4; classtype:command-and-control; sid:2024776; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
 
-#alert ip $HOME_NET any -> [206.72.206.74,206.72.206.75,206.72.206.76,206.72.206.77,206.72.206.78,66.45.241.130,66.45.241.131,66.45.241.132,66.45.241.133,66.45.241.134] any (msg:"ET MALWARE Kelihos CnC Server Activity"; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; reference:url,blog.malwaremustdie.org/2015/12/mmd-0046-2015-kelihos-cnc-activity-on.html; classtype:command-and-control; sid:2022294; rev:1; metadata:created_at 2015_12_22, former_category MALWARE, updated_at 2015_12_22;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 5"; flow:established,to_client; content:"|1503|"; depth:2; content:"|0020|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,10069; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_4; flowbits:unset,FB346039_4; classtype:command-and-control; sid:2024778; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
 
-alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ET POLICY FOX-SRT - Juniper ScreenOS SSH World Reachable"; flow:to_client,established; content:"SSH-2.0-NetScreen"; reference:cve,2015-7755; reference:url,kb.juniper.net/JSA10713; classtype:policy-violation; sid:2022299; rev:2; metadata:created_at 2015_12_22, updated_at 2015_12_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ZeuS - ICE-IX cid= in cookie"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Cookie|3a| cid="; http_raw_header; pcre:"/^\d{4}\r$/RDm"; content:!"mowersdirect.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2014198; rev:14; metadata:created_at 2012_02_07, former_category TROJAN, updated_at 2017_09_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mon Dec 21 2015 5"; flow:from_server,established; file_data; content:"|3f 22 5c 78|"; fast_pattern; byte_test:1,>,0x2f,-5,relative; byte_test:1,<,0x3a,-5,relative; content:"var "; pcre:"/^\s*?[a-z]+\s*?=\s*?\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b]/Rsi"; reference:url,blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html; classtype:exploit-kit; sid:2022290; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_21, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Windows Media Player parsing BMP file with 0 size offset to start of image"; flow:established,from_server; content:"BM"; depth:400; byte_test:8,=,0,4,relative; reference:url,www.milw0rm.com/id.php?id=1500; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; reference:url,doc.emergingthreats.net/bin/view/Main/2002802; classtype:attempted-user; sid:2002802; rev:9; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2017_09_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|givemyporn.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022301; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT [PTsecurity] DoublePulsar Backdoor installation communication"; flow: to_server, established; content:"|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test:2,!=,0x0000,52,relative,little; pcre: "/^.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/R"; reference:url,github.com/ptresearch/AttackDetection; classtype:attempted-admin; sid:2024766; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Server, created_at 2017_09_25, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2017_09_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|qiqiqiqiqiqi.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022302; rev:1; metadata:attack_target Client_and_Server, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 4"; flow:established,to_client; content:"|17 03|"; depth:2; content:"|02 00|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,6500; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_2; flowbits:unset,FB346039_2; classtype:command-and-control; sid:2024777; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"22C83263-E4B8-4233-82CD-FB047C6BF13E"; nocase; distance:0; content:".FindCountriesByNamePattern"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*22C83263-E4B8-4233-82CD-FB047C6BF13E/si"; reference:url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html; classtype:web-application-attack; sid:2013462; rev:3; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE [PTsecurity] Black Stealer Exfil FTP STOR"; flow:established,to_server; content:"STOR Black Stealer"; depth:18; nocase; fast_pattern; classtype:trojan-activity; sid:2024791; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2017_10_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt Format String Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"SkypePNRLib.PNR"; nocase; distance:0; content:".FindCountriesByNamePattern"; nocase; reference:url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html; classtype:attempted-user; sid:2013463; rev:3; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
+#alert tls $HOME_NET any  -> $EXTERNAL_NET any (msg:"ET POLICY Request for Coinhive Browser Monero Miner M1"; flow:established,to_server; tls_sni; content:"coinhive.com"; classtype:policy-violation; sid:2024785; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2017_10_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Foxit PDF Reader Authentication Bypass Attempt"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:"Type/Action"; distance:0; nocase; content:"Launch"; nocase; within:40; content:"NewWindow true"; nocase; distance:0; pcre:"/Type\x2FAction.+Launch.+\x28\x2F[a-z]\x2F[a-z].+NewWindow\x20true/si"; reference:url,www.coresecurity.com/content/foxit-reader-vulnerabilities#lref.4; reference:cve,2009-0836; reference:url,doc.emergingthreats.net/2010878; classtype:attempted-user; sid:2010878; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $HOME_NET any  -> $EXTERNAL_NET any (msg:"ET POLICY Request for Jsecoin Browser Miner M1"; flow:established,to_server; tls_sni; content:"jsecoin.com"; classtype:policy-violation; sid:2024787; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2017_10_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Office Word 2007 sprmCMajority Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|47 CA FF|"; content:"|3E C6 FF|"; distance:0; isdataat:84,relative; content:!"|0A|"; within:84; reference:url,www.exploit-db.com/moaub11-microsoft-office-word-sprmcmajority-buffer-overflow/; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-056.mspx; reference:bid,42136; reference:cve,2010-1900; classtype:attempted-user; sid:2011478; rev:6; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Scotiabank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Sign in to Scotiabank"; nocase; classtype:social-engineering; sid:2024795; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Windows Common Control Library Heap Buffer Overflow"; flow:established,from_server; content:"Content-Type|3a| image/svg|2b|xml"; nocase; file_data; content:"|3c|svg xmlns="; nocase; distance:0; content:"style|3d 22|fill|3a 20 23|ffffff|22|"; nocase; distance:0; content:"transform"; nocase; distance:0; pcre:"/^=\s*\x22\s*[^\s\x22\x28]{1000}/iR"; reference:bugtraq,43717; reference:url,www.microsoft.com/technet/security/bulletin/MS10-081.mspx; classtype:attempted-admin; sid:2012174; rev:9; metadata:created_at 2011_01_12, updated_at 2011_01_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Desjardins Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Log on|20 7c 20|Desjardins"; nocase; classtype:social-engineering; sid:2024796; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_10_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ASCII Executable Inside of MSCOFF File DL Over HTTP"; flow:established,from_server; flowbits:isset,et.MCOFF; file_data; content:"|34 64 35 61|"; content:"|35 34 36 38 36 39 37 33 32 30 37 30 37 32 36 66 36 37 37 32 36 31 36 64 32 30|"; distance:38; reference:md5,f4ee917a481e1718ccc749d2d4ceaa0e; classtype:trojan-activity; sid:2022303; rev:3; metadata:created_at 2015_12_23, updated_at 2015_12_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible BMO Bank of Montreal Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>BMO Bank of Montreal Online Banking</title>"; nocase; classtype:social-engineering; sid:2024798; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_10_03;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 97 ae 20 7e 61 5f 58 15|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022305; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M3 Oct 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"as_cpf="; depth:7; nocase; http_client_body; content:"&as_pass="; nocase; distance:0; http_client_body; fast_pattern; content:"&sender="; nocase; distance:0; http_client_body; content:"&as_continue="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024801; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 a6 75 8f 19 30 3e 46 58|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022307; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PayPal Phishing Landing Nov 24 2014"; flow:established,to_client; file_data; content:"<title>Login - PayPal</title>"; classtype:social-engineering; sid:2019785; rev:4; metadata:created_at 2014_11_24, former_category CURRENT_EVENTS, updated_at 2017_10_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|monosuflex.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022308; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Revalidation Phish Nov 13 M1"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"user="; depth:5; nocase; http_client_body; fast_pattern; content:"&email_address="; nocase; http_client_body; distance:0; content:"&pass"; nocase; http_client_body; distance:0; content:"&captcha="; nocase; http_client_body; distance:0; content:"&submitbutton="; nocase; http_client_body; distance:0; classtype:credential-theft; sid:2022084; rev:3; metadata:created_at 2015_11_13, former_category PHISHING, updated_at 2019_09_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powersploit Framework Script Downloaded"; flow:to_client,established; file_data; content:"function Invoke-"; depth:16; content:"|0a 7b 0a 3c 23 0a 2e 53 59 4e 4f 50 53 49 53 0a|"; distance:0; content:"|0a|PowerSploit Function|3a 20|"; distance:0; reference:md5,0aa391dc6d9ebec2f5d0ee6b4a4ba1fa; classtype:trojan-activity; sid:2022309; rev:2; metadata:created_at 2015_12_24, updated_at 2015_12_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Suspended Account Phish M1 Aug 09 2016"; flow:to_server,established; content:"POST"; http_method; content:"name-re="; nocase; depth:8; fast_pattern; http_client_body; content:"&dob"; nocase; distance:0; http_client_body; content:"&donnee"; nocase; distance:0; http_client_body; content:"&is_valid_email"; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023042; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Lets Encrypt Free SSL Cert Observed"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2022218; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_04, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2017_10_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Landing Uri Nov 25 2015"; flow:to_server,established; content:"GET"; http_method; content:".php?usernms="; http_uri; fast_pattern; pcre:"/\.php\?usernms=[^@]+@[^\r\n]+$/Ui"; classtype:social-engineering; sid:2022187; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mon Dec 26 2015"; flow:to_server,established; content:"/st1.phtml"; http_uri; classtype:exploit-kit; sid:2022312; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Generic 107 Phish Jul 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"-login.id-107sbtd9cbhsbt"; nocase; http_header; fast_pattern:4,20; pcre:"/^Host\x3a\x20[^\r\n]+\-login\.id\-107sbtd9cbhsbt[^\r]+$/Hmi"; classtype:credential-theft; sid:2024463; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_12, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mon Dec 26 2015 2"; flow:to_server,established; content:"/lobo.phtml"; http_uri; classtype:exploit-kit; sid:2022313; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Download of Embedded OpenType (EOT) File flowbit set"; flow:established,to_client; file_data; content:"|4c 50|"; offset:34; depth:2; flowbits:set,ET.EOT.Download; flowbits:noalert; reference:url,www.w3.org/Submission/EOT/#FileFormat; classtype:misc-activity; sid:2024829; rev:2; metadata:affected_product Internet_Explorer, affected_product Mac_OSX, affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2017_10_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Anonisma Paypal Phishing Loading Page 2015-12-29"; flow:from_server,established; file_data; content:"<title>Logging in"; nocase; fast_pattern; content:".php?cmd=_"; nocase; distance:0; content:"Hold a while"; nocase; distance:0; content:"Still loading after a few seconds"; nocase; distance:0; classtype:social-engineering; sid:2031706; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY PsExec service created"; flow:to_server,established; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C"; nocase; reference:url,xinn.org/Snort-psexec.html; reference:url,doc.emergingthreats.net/2010781; classtype:suspicious-filename-detect; sid:2010781; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PHOEN!X Apple Phish Landing Page 2015-12-29"; flow:from_server,established; file_data; content:"<title>iTunes"; nocase; fast_pattern; content:"Enter Your Password"; nocase; distance:0; content:"<!-- PHOEN!X -->"; nocase; distance:0; classtype:social-engineering; sid:2031693; rev:2; metadata:created_at 2015_12_29, former_category PHISHING, updated_at 2015_12_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2015-07-27"; flow:to_client,established; file_data; content:"<title>Secure Login</title>"; content:"action=|22|emsg1.php|22|"; fast_pattern; distance:0; content:"valid Apple ID"; distance:0; content:"valid Password"; distance:0; classtype:social-engineering; sid:2031708; rev:3; metadata:created_at 2015_07_27, former_category PHISHING, updated_at 2017_10_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PHOEN!X Phish Loading Page 2015-12-29"; flow:from_server,established; file_data; content:"<title>Checking Informations"; content:"http-equiv=|22|refresh|22|"; classtype:social-engineering; sid:2031694; rev:2; metadata:created_at 2015_12_29, former_category PHISHING, updated_at 2015_12_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing Jan 30 2014"; flow:established,to_client; file_data; content:"<title>Apple - Update Your Information</title>"; classtype:social-engineering; sid:2018042; rev:3; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2017_10_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|1terabitbit.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022321; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PHISH Visa - Landing Page"; flow:established,to_client; file_data; content:"Enter your password Verified by Visa / MasterCard SecureCode"; classtype:social-engineering; sid:2018043; rev:3; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2017_10_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|gatecheck.info"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022322; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful GoogleFile Phish"; flow:established,to_server; content:"g2-choseyouremailprovider="; http_client_body; content:"g2-password="; http_client_body; classtype:credential-theft; sid:2020803; rev:4; metadata:created_at 2015_03_30, former_category PHISHING, updated_at 2019_09_06;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (BlackEnergy CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 85 9e 1d 11 4a f9 72 62|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021624; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing M2 July 24 2015"; flow:to_client,established; file_data; content:"invoicetoptables"; nocase; fast_pattern; content:"invoicecontent"; nocase; distance:0; content:"displayTextgmail"; nocase; distance:0; content:"displayTexthotmail"; nocase; distance:0; content:"displayTextaol"; nocase; distance:0; classtype:social-engineering; sid:2021536; rev:3; metadata:created_at 2015_07_27, former_category CURRENT_EVENTS, updated_at 2017_10_13;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Malicious SSL certificate detected (Possible Sinkhole)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; distance:0; content:"|0a|infosec.jp"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0e|www.infosec.jp"; distance:1; within:15; content:"snowyowl@jpnsec.com"; distance:0; reference:md5,ef5fa2378307338d4e75dece88158d77; classtype:domain-c2; sid:2022324; rev:3; metadata:attack_target Client_and_Server, created_at 2016_01_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Potential Data URI Phishing Oct 02 2015"; flow:established,to_client; file_data; content:"<script type=|22|text/javascript|22|>"; nocase; content:"window.location="; nocase; within:17; content:"PCFET0NUWVBFIGh0bWw+DQo"; fast_pattern; distance:0; reference:url,blog.malwarebytes.org/online-security/2015/10/this-pdf-version-is-not-supported-data-uri-phish; classtype:social-engineering; sid:2021893; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2017_10_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BlackEnergy SSL Cert"; flow:from_server,established; content:"|09 00 e3 6e 25 fe 3f fa 53 80|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/; classtype:trojan-activity; sid:2022327; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE DNSMessenger Payload (TXT base64 gzip header)"; content:"|00 10 00 01|"; content:"H4sIA"; distance:7; within:5; fast_pattern; reference:url,blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html; classtype:trojan-activity; sid:2024840; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_13, deployment Perimeter, former_category TROJAN, malware_family DNSMessenger, performance_impact Moderate, signature_severity Major, updated_at 2017_10_13;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|ibsecurity.info"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022328; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Jimdo.com Phishing PDF via HTTP"; flow:established,from_server; file_data; content:"/Subtype/Link/Rect"; content:"/BS<</W 0>>/F 4/A<</Type/Action/S/URI/URI (http|3a|//"; distance:0; content:".jimdo.com/)>"; distance:0; fast_pattern; content:"www.Neevia.com"; distance:0; content:"Neevia Document Converter"; distance:0; reference:md5,70eaba2ab6410e3541a2e24a482ddddd; classtype:social-engineering; sid:2022029; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_10_13;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|ibcsec.xyz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022329; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Revalidation Phish Nov 13 M2"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"<META HTTP-EQUIV=|22|REFRESH|22|"; nocase; content:"Revalidation</title>"; fast_pattern; nocase; distance:0; content:"Account Revalidated"; nocase; distance:0; content:"you have sucessfully revalidated"; nocase; distance:0; classtype:credential-theft; sid:2022085; rev:3; metadata:created_at 2015_11_13, former_category PHISHING, updated_at 2019_09_06;)
 
-#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NanoLocker Check-in (ICMP) M2"; itype:8; icode:0; dsize:26<>35; content:"|33|"; depth:1; pcre:"/^(?=[A-F1-9]*?[a-km-zGHJ-NP-Z])[a-km-zA-HJ-NP-Z1-9]{25,34}(?:64)?$/R"; reference:md5,24273ce5ca8e84c52b270b52659304a8; reference:url,blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/; classtype:trojan-activity; sid:2022330; rev:2; metadata:created_at 2016_01_05, updated_at 2016_01_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Jimdo Outlook Web App Phishing Landing Nov 16"; flow:established,from_server; file_data; content:"Outlook"; nocase; content:"jimdo.com"; nocase; distance:0; content:"Email"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Confirm Password"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2022093; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_10_13;)
 
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NanoLocker Check-in (ICMP) M1"; itype:8; icode:0; dsize:26<>35; content:"|31|"; depth:1; pcre:"/^(?=[A-F1-9]*?[a-km-zGHJ-NP-Z])[a-km-zA-HJ-NP-Z1-9]{25,34}(?:64)?$/R"; reference:md5,24273ce5ca8e84c52b270b52659304a8; reference:url,blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/; classtype:trojan-activity; sid:2022331; rev:3; metadata:created_at 2016_01_05, updated_at 2016_01_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Jimdo Outlook Web App Phishing Nov 16 2105"; flow:to_server,established; content:"POST"; http_method; content:"|2f 66 6f 72 6d 2f 73 75  62 6d 69 74 2f|"; http_uri; content:"|6a 69 6d 64 6f 2e 63 6f 6d 0d 0a|"; http_header; fast_pattern; content:"|6d 6f 64 75 6c 65 49 64 3d|"; nocase; http_client_body; depth:9; content:"|26 64 61 74 61 3b 3d|"; nocase; distance:0; http_client_body; content:"|45 6d 61 69 6c|"; nocase; distance:0; http_client_body; content:"|50 61 73 73 77 6f 72 64|"; nocase; distance:0; http_client_body; content:"|43 6f 6e 66 69 72 6d 2b  50 61 73 73 77 6f 72 64|"; nocase; distance:0; http_client_body; pcre:"/\/form\/submit\/$/U"; classtype:credential-theft; sid:2022094; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE ELF.MrBlack DOS.TF Variant"; flow:established,to_server; content:"Linux_"; offset:8; depth:6; content:"TF-"; distance:58; within:3; fast_pattern; reference:url,blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html; classtype:trojan-activity; sid:2022336; rev:2; metadata:created_at 2016_01_07, updated_at 2016_01_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Enom Phish Mar 08 2016"; flow:to_server,established; content:"POST"; http_method; content:"enom"; http_header; nocase; content:"ctl00_ScriptManager"; depth:19; nocase; fast_pattern; http_client_body; content:"user="; nocase; http_client_body; distance:0; content:"pass"; nocase; distance:0; http_client_body; content:"Login=Login"; nocase; distance:0; http_client_body; reference:url,welivesecurity.com/2016/03/07/beware-spear-phishers-hijack-website/; classtype:credential-theft; sid:2022604; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jan 6th 2016 M1"; flow:established,to_server; urilen:18; content:"GET"; http_method; content:"/switch/cookie.php"; depth:18; http_uri; fast_pattern; classtype:exploit-kit; sid:2022338; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_07, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Hidden Javascript Redirect - Possible Phishing Jun 17"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|application/x-javascript"; http_header; file_data; content:"data_receiver_url"; fast_pattern; nocase; content:"redirect_url"; nocase; distance:0; content:"current_page"; nocase; distance:0; content:"cc_data"; nocase; distance:0; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*location\s*\.\s*href\s*=\s*redirect_url/Rsi"; reference:url,myonlinesecurity.co.uk/very-unusual-paypal-phishing-attack/; classtype:social-engineering; sid:2022905; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex Download 6th Jan 2016 Flowbit"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; content:"Content-Length|3a 20|0|0d 0a|"; content:"MSIE 7.0"; http_header; fast_pattern:only; content:!"Referer|3A|"; http_header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; flowbits:set,et.dridexdoc; flowbits:noalert; classtype:trojan-activity; sid:2022339; rev:2; metadata:created_at 2016_01_07, former_category CURRENT_EVENTS, updated_at 2016_01_07;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Suspicious SMTP Settings in XLS - Possible Phishing Document"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-type|3a 20|application/vnd.ms-excel"; http_header; file_data; content:"/configuration/sendusing"; nocase; fast_pattern; content:"/configuration/smtpserver"; nocase; distance:0; content:"/configuration/smtpauthenticate"; nocase; distance:0; content:"/configuration/sendusername"; nocase; distance:0; content:"/configuration/sendpassword"; nocase; distance:0; reference:md5,710ea2ed2c4aefe70bf082b06b82818a; reference:url,symantec.com/connect/blogs/malicious-macros-arrive-phishing-emails-steal-banking-information; classtype:social-engineering; sid:2022974; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_18, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/Dridex Binary Download 6th Jan 2016"; flowbits:isset,et.dridexdoc; flow:established,to_client; content:"Content-Disposition|3A| attachment|3B| filename="; http_header; content:".exe"; http_header; fast_pattern; file_data; content:"MZ"; within:2; content:"This program"; within:100; classtype:trojan-activity; sid:2022340; rev:4; metadata:created_at 2016_01_07, former_category CURRENT_EVENTS, updated_at 2016_01_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Apple Phish 2015-07-27"; flow:to_client,established; file_data; content:"<title>Confirm your account</title>"; content:"action=|22|msg2.php|22|"; distance:0; fast_pattern; content:"Adress Line"; distance:0; content:"Zip/Postal Code"; distance:0; classtype:credential-theft; sid:2031709; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jan 6th 2016 M2"; flow:established,from_server; content:"Content-Type|3a 20|application/javascript|3b|"; http_header; file_data; content:"var iframe"; within:13; pcre:"/^\s*?=\s*?[\x22\x27]<iframe\s*?src\s*?=/R"; content:":-"; pcre:"/^\d{3,}/R"; content:"</iframe>"; pcre:"/^\s*?/Rs"; content:"document.write(iframe)|3b|"; isdataat:!2,relative; classtype:exploit-kit; sid:2022341; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Apple Phish 2015-07-27"; flow:to_client,established; file_data; content:"Question Of Security"; fast_pattern; content:"nom de votre meilleur"; distance:0; content:"What is your mother maiden name ?"; distance:0; content:"rue avez-vous grandi"; distance:0; content:"What is your favourite show ?"; distance:0; classtype:credential-theft; sid:2031710; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Jan 07 2015"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"value=|22|#ffffff|22|"; nocase; content:"<html>"; pcre:"/^\s*?<body>\s*?<script>(?:\s*var\s+[a-z]+\s*?=\s*?\d+\s*?\x3b\s*?){3,}\s*?<\/script>/Rs"; content:"<object"; pcre:"/^(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)\x22/Rsi"; content:"</object>"; distance:0; pcre:"/^\s*?<\/body>\s*?\s*?<\/html>\s*?$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025040; rev:3; metadata:created_at 2016_01_08, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Apple Phish 2015-07-27"; flow:to_client,established; file_data; content:"<title>Confirm your account</title>"; content:"action=|22|msg1.php|22|"; fast_pattern; distance:0; content:"Cardholder's Name"; distance:0; content:"Credit Card Number"; distance:0; content:"CVC (CVV)"; distance:0; content:"3D Secure/VBV"; distance:0; classtype:credential-theft; sid:2031711; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Job314/Neutrino Reboot EK Flash Exploit Jan 07 2015 M1"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern; content:!"|0d 0a|Cookie|3a|"; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)$/U"; pcre:"/Host\x3a\x20(?P<host>[^\x3a\r\n]+)(?:\x3a\d{1,5})?\r\n.*?Referer\x3a\x20http\x3a\x2f\x2f(?P=host)\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)\r\n/Hsi"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025041; rev:2; metadata:created_at 2016_01_08, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Apple Store Phish Landing 2015-07-30"; flow:to_client,established; file_data; content:"<title>Apple Store - Verification</title>"; nocase; content:"/* VODKA */"; nocase; fast_pattern; classtype:social-engineering; sid:2031716; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bulta CnC Beacon"; flow:established,to_server; content:"|1f 93 97 d3 94 01 69 49 4d 7b a7 ac f6 7a|"; depth:14; reference:md5,8dd612b14a2a448e8b1b6f3d09909e45; classtype:command-and-control; sid:2022345; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2016_01_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Apple Store Phish Landing 2015-07-30"; flow:to_client,established; file_data; content:"fancyConfirm|28|"; nocase; fast_pattern; content:"checkcvv|28 29|"; nocase; distance:0; content:"checkexm|28 29|"; nocase; distance:0; content:"isvalidcc|28 29|"; nocase; distance:0; content:"imready|28 29|"; nocase; distance:0; classtype:social-engineering; sid:2031717; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Malicious Authline Seen in JAR Backdoor"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|CGX2U2oeocN3DTJhyPG2cPg7xpRRTzNZkz|22 2c 20 22|"; distance:0; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html; classtype:coin-mining; sid:2022349; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_01_12, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2016_01_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Apple Store Phish Landing 2015-07-30"; flow:to_client,established; file_data; content:"Verification</title>"; nocase; fast_pattern; content:"chosed your country."; nocase; content:"chosed an expiration month."; nocase; distance:0; content:"chosed an expiration year."; nocase; distance:0; classtype:social-engineering; sid:2031718; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Loading Gif Inline Image"; flow:established,from_server; content:"background|3a|url(data|3a|image/gif|3b|base64,R0lGODlhEAAQAAAAACH/C05FVFNDQVBFMi4wAwH//"; classtype:trojan-activity; sid:2014842; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Google Docs Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Google Secure Docs</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2024842; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeM RAT CnC Beacon"; flow:established,to_server; content:"<html><title>"; depth:13; content:"</title><body>"; within:48; content:!"</body>"; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6|"; distance:0; reference:md5,3e008471eaa5e788c41c2a0dff3d1a89; classtype:command-and-control; sid:2014636; rev:5; metadata:attack_target Client_Endpoint, created_at 2012_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_04_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloud Drive Phish Landing 2015-08-12"; flow:to_client,established; file_data; content:"<title>Cloud Drive</title>"; nocase; fast_pattern; content:"reqired to view this document"; nocase; distance:0; classtype:social-engineering; sid:2031721; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF.STD.ddos Checkin"; flow:established,to_server; dsize:28; content:"2-1Q3@@4V-9-W$p#=A#9c=#W~,|0d 0a|"; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=2747&start=20#p27639; classtype:command-and-control; sid:2022367; rev:2; metadata:created_at 2016_01_14, former_category MALWARE, updated_at 2016_01_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Anonisma AES Crypto Observed in Javascript - Possible Phishing Landing 2015-12-29"; flow:established,from_server; file_data; content:"Encriptado por Anonisma"; nocase; fast_pattern; content:"Aes.cipher"; nocase; distance:0; content:"Aes.keyExpansion"; nocase; distance:0; classtype:social-engineering; sid:2031741; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert ssh any $SSH_PORTS -> any any (msg:"ET EXPLOIT Possible CVE-2016-0777 Server Advertises Suspicious Roaming Support"; flow:established,to_client; content:"|14|"; offset:6; content:"resume@appgate.com"; distance:0; content:!"AppGateSSH_5.2"; reference:cve,2016-0777; reference:url,www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt; classtype:attempted-user; sid:2022369; rev:2; metadata:created_at 2016_01_15, updated_at 2016_01_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phishing Landing 2016-07-11"; flow:from_server,established; file_data; content:"<title>DHL GLOBAL"; nocase; fast_pattern; content:"MM_validateForm"; nocase; distance:0; content:"E-mail Address or Member ID"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Phone Number"; nocase; distance:0; classtype:social-engineering; sid:2031998; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2017_10_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !7680 (msg:"ET P2P BitTorrent peer sync"; flow:established; content:"|00 00 00 0d 06 00|"; depth:6; threshold: type limit, track by_dst, seconds 300, count 1; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000334; classtype:policy-violation; sid:2000334; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Mozilla UA with no Space after colon"; flow:established,to_server; content:"User-Agent|3a|Mozilla"; http_header; nocase; fast_pattern:only; threshold: type limit,track by_src,count 2,seconds 60; classtype:trojan-activity; sid:2016921; rev:6; metadata:created_at 2013_05_24, former_category INFO, updated_at 2017_10_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 7680 (msg:"ET P2P MS WUDO Peer Sync"; flow:established; content:"|00 00 00 0d 06 00|"; depth:6; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,windows.microsoft.com/en-us/windows-10/windows-update-delivery-optimization-faq; classtype:policy-violation; sid:2022371; rev:1; metadata:created_at 2016_01_15, updated_at 2016_01_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B645W Oct 19 2017"; flow:established,from_server; file_data; content:"TAHQAYQByAHQALQBQAHIAbwBjAGUAcwBz"; pcre:"/(?:RABvAHcAbgBsAG8AYQBkAEYAaQBsAG|QAbwB3AG4AbABvAGEAZABGAGkAbABl|EAG8AdwBuAGwAbwBhAGQARgBpAGwAZ)/"; pcre:"/(?:VwByAGkAdABlAC0ASABvAHMAd|cAcgBpAHQAZQAtAEgAbwBzAH|XAHIAaQB0AGUALQBIAG8AcwB0)/"; pcre:"/(?:UwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0|MAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4Ad|TAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAH)/"; classtype:trojan-activity; sid:2024883; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
 
-alert tcp any any -> any $SSH_PORTS (msg:"ET EXPLOIT Possible CVE-2016-0777 Client Sent Roaming Resume Request"; flow:established,to_server; content:"|14|"; offset:6; content:"roaming@appgate.com"; distance:0; content:!"AppGateSSH_5.2"; reference:cve,2016-0777; reference:url,www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt; classtype:attempted-user; sid:2022370; rev:2; metadata:created_at 2016_01_15, updated_at 2016_01_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B641 Oct 19 2017"; flow:established,from_server; file_data; content:"U3RhcnQtUHJvY2Vzc"; pcre:"/(?:RG93bmxvYWRGaWxl|Rvd25sb2FkRmlsZ|Eb3dubG9hZEZpbG)/"; pcre:"/(?:V3JpdGUtSG9zd|dyaXRlLUhvc3|Xcml0ZS1Ib3N0)/"; pcre:"/U3lzdGVtLk5ldC5XZWJDbGllbn|N5c3RlbS5OZXQuV2ViQ2xpZW50|TeXN0ZW0uTmV0LldlYkNsaWVud/"; classtype:trojan-activity; sid:2024878; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|PA|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022385; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B642 Oct 19 2017"; flow:established,from_server; file_data; content:"N0YXJ0LVByb2Nlc3"; pcre:"/(?:RG93bmxvYWRGaWxl|Rvd25sb2FkRmlsZ|Eb3dubG9hZEZpbG)/"; pcre:"/(?:V3JpdGUtSG9zd|dyaXRlLUhvc3|Xcml0ZS1Ib3N0)/"; pcre:"/U3lzdGVtLk5ldC5XZWJDbGllbn|N5c3RlbS5OZXQuV2ViQ2xpZW50|TeXN0ZW0uTmV0LldlYkNsaWVud/"; classtype:trojan-activity; sid:2024879; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|relaxsaz.com"; distance:1; within:13; reference:md5,9b8fed949202b860d49f326d5e33bb35; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022386; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B643 Oct 19 2017"; flow:established,from_server; file_data; content:"TdGFydC1Qcm9jZXNz"; pcre:"/(?:RG93bmxvYWRGaWxl|Rvd25sb2FkRmlsZ|Eb3dubG9hZEZpbG)/"; pcre:"/(?:V3JpdGUtSG9zd|dyaXRlLUhvc3|Xcml0ZS1Ib3N0)/"; pcre:"/U3lzdGVtLk5ldC5XZWJDbGllbn|N5c3RlbS5OZXQuV2ViQ2xpZW50|TeXN0ZW0uTmV0LldlYkNsaWVud/"; classtype:trojan-activity; sid:2024880; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|contora24.com"; distance:1; within:14; reference:md5,9b8fed949202b860d49f326d5e33bb35; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022387; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B644W Oct 19 2017"; flow:established,from_server; file_data; content:"UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAc"; pcre:"/(?:RABvAHcAbgBsAG8AYQBkAEYAaQBsAG|QAbwB3AG4AbABvAGEAZABGAGkAbABl|EAG8AdwBuAGwAbwBhAGQARgBpAGwAZ)/"; pcre:"/(?:VwByAGkAdABlAC0ASABvAHMAd|cAcgBpAHQAZQAtAEgAbwBzAH|XAHIAaQB0AGUALQBIAG8AcwB0)/"; pcre:"/(?:UwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0|MAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4Ad|TAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAH)/"; classtype:trojan-activity; sid:2024881; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|websecuranalitic.com"; distance:1; within:21; reference:md5,105213be0a168d5e3eb0e4ff0262cf12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022388; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B645W Oct 19 2017"; flow:established,from_server; file_data; content:"MAdABhAHIAdAAtAFAAcgBvAGMAZQBzAH"; pcre:"/(?:RABvAHcAbgBsAG8AYQBkAEYAaQBsAG|QAbwB3AG4AbABvAGEAZABGAGkAbABl|EAG8AdwBuAGwAbwBhAGQARgBpAGwAZ)/"; pcre:"/(?:VwByAGkAdABlAC0ASABvAHMAd|cAcgBpAHQAZQAtAEgAbwBzAH|XAHIAaQB0AGUALQBIAG8AcwB0)/"; pcre:"/(?:UwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0|MAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4Ad|TAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAH)/"; classtype:trojan-activity; sid:2024882; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|moneyclass24.com"; distance:1; within:17; reference:md5,105213be0a168d5e3eb0e4ff0262cf12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022389; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android JadeRAT CnC Beacon 2"; flow:to_server,established; dsize:22; content:"@!hi|3a|"; depth:5; fast_pattern; pcre:"/^\d{15}\r\n$/R"; reference:md5,9027f111377598362972745478e40311; reference:url,blog.lookout.com/mobile-threat-jaderat; classtype:command-and-control; sid:2024896; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_JadeRAT, signature_severity Major, tag Android, tag c2, updated_at 2017_10_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|vle.cli"; distance:1; within:8; reference:md5,678129a67898174fdb7e8c70ebcca6c3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022390; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> any 445 (msg:"ET MALWARE Possible Dragonfly APT Activity - SMB credential harvesting"; flow:established,to_server; content:"|FF|SMB|75 00 00 00 00|"; offset:4; depth:9; content:"|08 00 01 00|"; distance:3; content:"|00 5c 5c|"; distance:2; within:3; content:"|5c|AME_ICON.PNG"; distance:7; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA17-293A; reference:url,www.us-cert.gov/sites/default/files/publications/MIFR-10128883_TLP_WHITE.pdf; classtype:targeted-activity; sid:2024898; rev:1; metadata:attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2017_10_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1E|www.nonewhateverplanred.juegos"; distance:1; within:31; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022391; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Snatch CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|salegrutboy.eu"; distance:1; within:15; reference:md5,3b79f06be1f6909149bcadfaacfad2d0; classtype:domain-c2; sid:2024902; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, malware_family Snatch, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_10_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1E|www.removenationalstiff.taipei"; distance:1; within:31; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022392; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Snatch CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|lookmans.eu"; distance:1; within:12; reference:md5,aa50e2ce1fc07ccfbc6b916ccdbfd19b; classtype:domain-c2; sid:2024903; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, malware_family Snatch, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_10_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|20|www.fightingmotioncertainly.page"; distance:1; within:33; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022393; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BadRabbit Driveby Download M2 Oct 24 2017"; flow:established,from_server; file_data; content:"Msxml2.XMLHTTP.6.0"; fast_pattern; content:"InjectionString"; nocase; distance:0; content:"hasOwnProperty"; nocase; distance:0; content:"navigator"; nocase; distance:0; pcre:"/^\s*\.\s*userAgent/Ri"; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*referrer/Ri"; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*cookie/Ri"; content:"window"; nocase; distance:0; pcre:"/^\s*\.\s*location\s*\.\s*hostname/Ri"; content:"!!document"; nocase; distance:0; pcre:"/^\s*\.\s*cookie/Ri"; reference:url,www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/; classtype:trojan-activity; sid:2024912; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2017_10_24;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0D|dinuspuka.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022394; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; content:"dnslog.mobi"; http_header; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024864; rev:3; metadata:created_at 2017_10_18, former_category TROJAN, updated_at 2017_10_24;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0D|popredrak.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022395; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [!9997,1024:] (msg:"ET MALWARE Dropper-497 (Yumato) Initial Checkin"; flow:established,to_server; dsize:5; content:"|30 30 30 0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:command-and-control; sid:2007917; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|vorlager.ru"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022396; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IoT_reaper ELF Binary Download"; flow:established,from_server; flowbits:isset,ET.iotreaper; file_data; content:"|7f 45 4c 46|"; depth:4; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024929; rev:1; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_10_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|IR|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022397; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5050 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 13 ba|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003281; classtype:protocol-command-decode; sid:2003281; rev:6; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|kuklovodw.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022404; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 443 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 01 bb|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003268; classtype:protocol-command-decode; sid:2003268; rev:6; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|BW|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022408; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 443 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 01 bb|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003269; classtype:protocol-command-decode; sid:2003269; rev:6; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CenterPOS User Agent Observed"; flow:established,to_server; content:"User-Agent|3a 20|IDOSJNDX|0d 0a|"; fast_pattern; flowbits:set,ET.centerpos; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022468; rev:2; metadata:created_at 2016_01_29, updated_at 2019_10_23;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 25 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 19|"; depth:4; threshold:type both, track by_src, count 2, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003256; classtype:protocol-command-decode; sid:2003256; rev:6; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|buhzgalter.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022474; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 25 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 19|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003254; classtype:protocol-command-decode; sid:2003254; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ursnif Injects)"; flow:from_server,established; content:"|55 04 03|"; content:"|0f|docknetwork.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022475; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 25 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 19|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003255; classtype:protocol-command-decode; sid:2003255; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (4)"; flow:established,to_client; file_data; content:"|05 9d 45|"; distance:4; within:4; pcre:"/^(?:\x76|\x0f)/R"; classtype:exploit-kit; sid:2021973; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 25 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 19|"; depth:4; threshold:type both, track by_src, count 2, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003257; classtype:protocol-command-decode; sid:2003257; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|macroflex.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022476; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 DNS Inbound Request (Windows Source)"; dsize:10<>40; flow:established,to_server; content:"|05 01 00 03|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003258; classtype:protocol-command-decode; sid:2003258; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET SCAN Possible WordPress xmlrpc.php BruteForce in Progress - Response"; flow:established,from_server; flowbits:isset,ET.XMLRPC.PHP; file_data; content:"<name>faultCode</name>"; content:"<int>403</int>"; content:"<string>Incorrect username or password.</string>"; threshold:type both, track by_src, count 5, seconds 120; reference:url,isc.sans.edu/diary/+WordPress+brute+force+attack+via+wp.getUsersBlogs/18427; classtype:attempted-admin; sid:2018755; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_07_23, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 DNS Inbound Request (Linux Source)"; dsize:10<>40; flow:established,to_server; content:"|05 01 00 03|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003259; classtype:protocol-command-decode; sid:2003259; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|13|ashirimi-critism.kz"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022478; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 HTTP Proxy Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 50|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003260; classtype:protocol-command-decode; sid:2003260; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI"; flow:established,to_server; content:"POST"; http_method; content:"imei="; nocase; http_uri; pcre:"/imei=\d{2}-?\d{6}-?\d{6,}-?\d{1,}/Ui"; content:!"Host|3a 20|iphone-wu.apple.com"; http_header; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2012848; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 HTTP Proxy Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 50|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003261; classtype:protocol-command-decode; sid:2003261; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ChinaZ 2.0 DDoS Bot Checkin 3"; flow:established,to_server; content:"*"; pcre:"/^\d+/R"; content:"MHZ|00 00 00 00|"; within:7; content:"MB|00 00 00 00|"; distance:0; content:"|28|null|29 00 00 00 00|"; fast_pattern; distance:0; reference:url,blog.malwaremustdie.org/2015/06/the-elf-chinaz-reloaded.html; classtype:command-and-control; sid:2021526; rev:2; metadata:created_at 2015_07_23, former_category MALWARE, updated_at 2015_07_23;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 HTTP Proxy Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 50|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003262; classtype:protocol-command-decode; sid:2003262; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|KM|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022489; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 HTTP Proxy Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 50|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003263; classtype:protocol-command-decode; sid:2003263; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED APT.Fexel Checkin"; flow:established,to_server; content:"agtid="; http_header; content:"08x"; http_client_body; reference:md5,70e87b2898333e11344b16a72183f8e9; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html; classtype:targeted-activity; sid:2019469; rev:6; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 443 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|01 bb|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003266; classtype:protocol-command-decode; sid:2003266; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 07 2016"; flow:established,to_server; content:"/QrQ8Gr"; http_uri; urilen:7; classtype:exploit-kit; sid:2022496; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_09, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 443 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|01 bb|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003267; classtype:protocol-command-decode; sid:2003267; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY RDP disconnect request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|80|"; offset: 5; depth: 1; reference:url,doc.emergingthreats.net/2001331; classtype:misc-activity; sid:2001331; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5190 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|14 46|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003270; classtype:protocol-command-decode; sid:2003270; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY RDP connection request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|E0|"; offset: 5; depth: 1; reference:url,doc.emergingthreats.net/2001329; classtype:misc-activity; sid:2001329; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5190 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|14 46|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003271; classtype:protocol-command-decode; sid:2003271; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 03|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020630; rev:6; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5190 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 14 46|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003272; classtype:protocol-command-decode; sid:2003272; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020668; rev:2; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5190 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 14 46|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003273; classtype:protocol-command-decode; sid:2003273; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 28|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020664; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 1863 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|07 47|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003274; classtype:protocol-command-decode; sid:2003274; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 14|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020660; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 1863 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|07 47|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003275; classtype:protocol-command-decode; sid:2003275; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 06|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020631; rev:6; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 1863 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 07 47|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003276; classtype:protocol-command-decode; sid:2003276; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 17|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020669; rev:2; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 1863 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 07 47|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003277; classtype:protocol-command-decode; sid:2003277; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 29|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020665; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5050 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|13 ba|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003278; classtype:protocol-command-decode; sid:2003278; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0E|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020633; rev:6; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5050 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|13 ba|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003279; classtype:protocol-command-decode; sid:2003279; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 08|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020632; rev:5; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5050 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 13 ba|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003280; classtype:protocol-command-decode; sid:2003280; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 11|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020659; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+#alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 IPv6 Inbound Connect Request (Windows Source)"; dsize:10<>23; flow:established,to_server; content:"|05 01 00 04|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003284; classtype:protocol-command-decode; sid:2003284; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 27|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020663; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+#alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 IPv6 Inbound Connect Request (Linux Source)"; dsize:10<>23; flow:established,to_server; content:"|05 01 00 04|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003285; classtype:protocol-command-decode; sid:2003285; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert udp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 UDP Proxy Inbound Connect Request (Linux Source)"; content:"|00 00|"; depth:2; content:"|01|"; offset:3; depth:1; threshold:type both, track by_dst, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003287; classtype:protocol-command-decode; sid:2003287; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+#alert udp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source)"; content:"|00 00|"; depth:2; content:"|01|"; offset:3; depth:1; threshold:type both, track by_dst, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003286; classtype:protocol-command-decode; sid:2003286; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 2A|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020666; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+#alert udp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 UDP Proxy Inbound Connect Request (Linux Source)"; content:"|00 00|"; depth:2; content:"|01|"; offset:3; depth:1; threshold:type both, track by_dst, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003287; classtype:protocol-command-decode; sid:2003287; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 2B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020667; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+#alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Bind Inbound (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 02|"; depth:2; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003288; classtype:protocol-command-decode; sid:2003288; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert udp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source)"; content:"|00 00|"; depth:2; content:"|01|"; offset:3; depth:1; threshold:type both, track by_dst, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003286; classtype:protocol-command-decode; sid:2003286; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+#alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Bind Inbound (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 02|"; depth:2; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003289; classtype:protocol-command-decode; sid:2003289; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M3"; flow:established,to_server; urilen:40<>65; content:"3"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])3(?:(?P=sep)|\d)*?$/U"; content:!"computerwoche.de|0d 0a|"; http_header; classtype:exploit-kit; sid:2020998; rev:5; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
+#alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Bind Inbound (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 02 00 01|"; depth:4; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003290; classtype:protocol-command-decode; sid:2003290; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M4"; flow:established,to_server; urilen:40<>65; content:"4"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])4(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2020999; rev:4; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
+#alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Bind Inbound (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 02 00 01|"; depth:4; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003291; classtype:protocol-command-decode; sid:2003291; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 26|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020662; rev:5; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| M|4f|zilla/"; http_header; reference:url,doc.emergingthreats.net/2003513; classtype:trojan-activity; sid:2003513; rev:12; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 63|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,weakdh.org; classtype:bad-unknown; sid:2021124; rev:2; metadata:created_at 2015_05_20, updated_at 2015_05_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Mozilla/5.0|0d 0a|"; nocase; content:!"|0d 0a|Host|3a| download.releasenotes.nokia.com"; content:!"Mozilla/5.0|0d 0a|Connection|3a| Close|0d 0a 0d 0a|"; reference:url,doc.emergingthreats.net/2009295; classtype:trojan-activity; sid:2009295; rev:10; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 65|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,weakdh.org; classtype:bad-unknown; sid:2021125; rev:2; metadata:created_at 2015_05_20, updated_at 2015_05_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple ID Phishing Landing 2015-08-19"; flow:to_client,established; file_data; content:"<title>"; nocase; content:"My Apple ID"; fast_pattern; nocase; within:35; classtype:social-engineering; sid:2031723; rev:3; metadata:created_at 2015_08_19, former_category PHISHING, updated_at 2017_10_29;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Heap based buffer overrun Exploit Specific"; flow:to_server,established; byte_test:3,>,10000,0,little; content:"|00 03|"; offset:3; depth:2; pcre:"/^(USE|PASS|SELECT|UPDATE|INSERT|ASCII|SHOW|CREATE|DESCRIBE|DROP|ALTER)\s+?(.{1})\2{300}/Ri"; reference:url,archives.neohapsis.com/archives/fulldisclosure/2012-12/0006.html; classtype:attempted-user; sid:2015987; rev:3; metadata:created_at 2012_12_05, updated_at 2012_12_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN BankSnif/Nethelper User-Agent (nethelper)"; flow:to_server,established; content:"nethelper"; http_user_agent; fast_pattern:only; pcre:"/\bnethelper\b/Vi"; reference:url,doc.emergingthreats.net/2002877; classtype:trojan-activity; sid:2002877; rev:16; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2022_05_03;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102413; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diazom Trojan User-Agent in Use (cv_v2.0.1)"; flow:established,to_server; content:"User-agent|3a| cv_v"; http_header; reference:url,ww.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-032316-0426-99&tabid=2; reference:url,doc.emergingthreats.net/2003598; classtype:trojan-activity; sid:2003598; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2017_10_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Probable Nuclear exploit kit landing page"; flow:established,to_server; content:".html"; http_uri; content:"GET"; http_method; pcre:"/^\/[0-9a-f]{32}\.html$/U"; content:"Referer|3a|"; http_header; classtype:exploit-kit; sid:2016952; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_31, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (Varlok_11000)"; flow:established,to_server; content:"User-Agent|3a| Varlok_"; http_header; nocase; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2003931; classtype:trojan-activity; sid:2003931; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2017_10_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"ET EXPLOIT Computer Associates BrightStor ARCserve Backup for Laptops LGServer.exe DoS"; flow:established,to_server; content:"|ff ff ff ff|"; offset:16; depth:4; reference:url,www.securityfocus.com/archive/1/archive/1/458650/100/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003379; classtype:attempted-dos; sid:2003379; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Cashpoint.com Related checkin User-Agent (inetinst)"; flow:established,to_server; content:"User-Agent|3a| inetinst|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007808; classtype:trojan-activity; sid:2007808; rev:7; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful WZ-REKLAMA Phish 2016-01-08"; flow:to_client,established; file_data; content:"<!--WZ-REKLAMA"; nocase; fast_pattern; content:"http-equiv="; nocase; distance:0; content:"refresh"; nocase; distance:1; within:8; classtype:credential-theft; sid:2031952; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_01_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Cashpoint.com Related checkin User-Agent (okcpmgr)"; flow:established,to_server; content:"User-Agent|3a| okcpmgr|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007810; classtype:trojan-activity; sid:2007810; rev:7; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|CO|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022508; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Rf-cheats.ru Trojan Related User-Agent (RFRudokop v.1.1 account verification)"; flow:to_server,established; content:"RFRudokop"; http_user_agent; depth:9; reference:url,doc.emergingthreats.net/2008046; classtype:trojan-activity; sid:2008046; rev:8; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|CR|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022509; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload User-Agent Detected (WebUpdate)"; flow:established,to_server; content:"User-Agent|3a| WebUpdate|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008074; classtype:trojan-activity; sid:2008074; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2017_10_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|susana24.com"; distance:1; within:13; reference:md5,23cfdb9896cadd54f935ed4e2df2e0a4; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022510; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Vapsup User-Agent (doshowmeanad loader v2.1)"; flow:to_server,established; content:"User-Agent|3a| doshowmeanad "; http_header; reference:url,doc.emergingthreats.net/2008142; classtype:trojan-activity; sid:2008142; rev:6; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|wartan24.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022511; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS WinFixer Trojan Related User-Agent (ElectroSun)"; flow:established,to_server; content:"User-Agent|3a| ElectroSun "; http_header; reference:url,doc.emergingthreats.net/2008608; classtype:trojan-activity; sid:2008608; rev:9; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|kitoboyka.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022512; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unkown Trojan User-Agent (5.1 ...)"; flow:established,to_server; content:"User-Agent|3a| 5.1 "; http_header; reference:url,doc.emergingthreats.net/2009685; classtype:trojan-activity; sid:2009685; rev:6; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2017_10_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|vestostnord.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022513; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IMDDOS Botnet User-Agent i am ddos"; flow: established,to_server; content:"User-Agent|3A| i am ddos"; nocase; depth:300; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011484; rev:5; metadata:created_at 2010_09_29, former_category USER_AGENTS, updated_at 2017_10_30;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 bf f2 e1 26 c5 4c 2c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022514; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Win32/OnLineGames User-Agent (Revolution Win32)"; flow:established,to_server; content:"User-Agent|3A 20|Revolution|20 28|Win32|29|"; http_header; classtype:trojan-activity; sid:2013725; rev:3; metadata:created_at 2011_10_01, former_category TROJAN, updated_at 2017_10_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange encrypted payload"; flow:established,to_client; flowbits:isset,et.SweetOrangeURI; file_data; byte_test:1,>,95,0,relative; byte_test:1,<,128,0,relative; content:"|00 00 00|"; distance:1; within:3; content:!"|00|"; within:1; content:"|00 00 00|"; distance:1; within:3; classtype:exploit-kit; sid:2017649; rev:6; metadata:created_at 2013_10_31, former_category CURRENT_EVENTS, updated_at 2013_10_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Asprox.FakeAV Affiliate Download Location Response - Likely Pay-Per-Install For W32/Papras.Spy or W32/ZeroAccess"; flowbits:isset,ET.asproxfakeav; flow:established,to_client; file_data; content:"http|3A|//"; within:50; content:".exe?ts="; fast_pattern; distance:0; content:"&affid="; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016531; rev:3; metadata:created_at 2013_03_05, former_category TROJAN, updated_at 2017_11_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; pcre:"/^\/[a-z\_\-]{4,20}\.php\?(?:[a-z\_\-]{4,20}=\d+?&){3,}[a-z\_\-]{4,20}=-?\d+$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,et.SweetOrangeURI; classtype:exploit-kit; sid:2017648; rev:7; metadata:created_at 2013_10_31, former_category CURRENT_EVENTS, updated_at 2013_10_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share Possible DLL Preloading Exploit Attempt"; flowbits:isset,ET.PROPFIND; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html; reference:url,www.us-cert.gov/cas/techalerts/TA10-238A.html; reference:url,www.microsoft.com/technet/security/advisory/2269637.mspx; reference:url,blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx; reference:url,blog.metasploit.com/2010/08/better-faster-stronger.html; reference:url,blog.rapid7.com/?p=5325; classtype:attempted-user; sid:2011457; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_05_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange IE Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:" MSIE "; http_header; pcre:"/^\/[a-z\_\-]{4,10}\.php\?([a-z\_\-]{4,10}=\d{1,3}&){7,}[a-z\_\-]{4,10}=-?\d+$/U"; flowbits:set,et.SweetOrangeURI; classtype:exploit-kit; sid:2017706; rev:6; metadata:created_at 2013_11_12, former_category CURRENT_EVENTS, updated_at 2013_11_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Exploit URI Struct June 19 2015"; flow:established,to_server; content:"?time="; http_uri; fast_pattern; content:"&stamp="; distance:0; http_uri; content:"."; distance:0; http_uri; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\.[a-z]+\?time=[^&]+&stamp=[a-z]*\d+(?:\.[a-z]*\d+)+$/U"; classtype:exploit-kit; sid:2021307; rev:3; metadata:created_at 2015_06_19, former_category CURRENT_EVENTS, updated_at 2015_06_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Possible Sweet Orange Flash/IE Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; fast_pattern:only; pcre:"/^\/[a-z\_\-]{4,10}\.php\?([a-z\_\-]{0,10}=\d{1,3}&){3,}[a-z\_\-]{4,10}=-?\d+$/U"; content:!"Accept"; http_header; content:!"User-Agent"; http_header; content:!"Referer"; http_header; flowbits:set,et.SweetOrangeURI; flowbits:noalert; classtype:exploit-kit; sid:2019544; rev:6; metadata:created_at 2014_10_28, former_category CURRENT_EVENTS, updated_at 2014_10_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Flash Exploit URI Struct June 19 2015"; flow:established,to_server; content:"GET"; http_method; content:"/%"; http_header; content:"http%3A%2F%2F"; distance:2; within:13; nocase; http_header; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\//U"; content:"Referer|3a 20|http"; http_header; pcre:"/^[^\r\n]+\/%(?:3A|20)http%3A%2F%2F/Hmi"; classtype:exploit-kit; sid:2021309; rev:3; metadata:created_at 2015_06_19, former_category CURRENT_EVENTS, updated_at 2015_06_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT Possible Sweet Orange CVE-2014-6332 Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; pcre:"/^\/[a-z\_\-]{4,10}\.php\?(?:[a-z\_\-]{0,10}=\d+?&){3,}[a-z\_\-]{4,10}=-?[a-z0-9]+$/U"; content:"WinHttp.WinHttpRequest"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; flowbits:set,et.SweetOrangeURI; classtype:exploit-kit; sid:2019752; rev:9; metadata:created_at 2014_11_20, former_category CURRENT_EVENTS, updated_at 2014_11_20;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET POLICY Radmin Remote Control Session Setup Initiate"; flow:established,to_server; content:"|01 00 00 00 01 00 00 00 08 08|"; flowbits:set,ET.BE.Radmin.Challenge; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003479; classtype:not-suspicious; sid:2003479; rev:6; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|YU|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022521; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,ET.BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003480; classtype:not-suspicious; sid:2003480; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|SA|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022522; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Expected Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,ET.is_ssh_server_banner; reference:url,doc.emergingthreats.net/2001973; classtype:misc-activity; sid:2001973; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2016-0063)"; flow:established,to_client; file_data; content:"prototype"; nocase; content:"DOMImplementation"; fast_pattern; pcre:"/^\s*\([^\)]*\)\s*\.\s*prototype\s*\.\s*(?:hasFeature|isPrototypeOf)/Rsi"; reference:cve,2016-0063; classtype:trojan-activity; sid:2022523; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_02_16, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSH Client Banner Detected on Expected Port"; flowbits:isset,ET.is_ssh_server_banner; flowbits:noalert; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001974; classtype:misc-activity; sid:2001974; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS16-009 IE MSHTML Form Element Type Confusion (CVE-2016-0061)"; flow:from_server,established; file_data; content:"opener"; nocase; fast_pattern; pcre:"/^\s*\[\s*[\x22\x27]\\u[a-f0-9]{4}\\u[a-f0-9]{4}/Rsi"; reference:cve,2016-0061; classtype:attempted-user; sid:2022524; rev:4; metadata:created_at 2016_02_16, updated_at 2016_02_16;)
+#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Unusual Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,ET.is_ssh_server_banner; reference:url,doc.emergingthreats.net/2001979; classtype:misc-activity; sid:2001979; rev:8; metadata:created_at 2010_07_30, updated_at 2017_02_01;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible 2015-7547 Malformed Server response"; flow:from_server; content:"|00 01 00 00 00 00 00 00|"; offset:4; depth:8; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^[^\x00]+\x00\x00\x01/R"; reference:cve,2015-7547; classtype:attempted-user; sid:2022531; rev:1; metadata:created_at 2016_02_17, updated_at 2016_02_17;)
+#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSH Client Banner Detected on Unusual Port"; flowbits:isset,is_ssh_server_banner; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,ET.is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001980; classtype:misc-activity; sid:2001980; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|02|NY"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|08|New York"; distance:1; within:9; fast_pattern; content:"|55 04 03|"; byte_test:1,>,27,1,relative; byte_test:1,<,30,1,relative; pcre:"/^.{2}[a-z]{25}\.[a-z]{2,3}[01]/Rs"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022488; rev:3; metadata:attack_target Client_and_Server, created_at 2016_02_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY SSH banner detected on TCP 443 likely proxy evasion"; flow:established,from_server; content:"SSH-"; depth:4; flowbits:set,ET.is_ssh_server_banner; classtype:bad-unknown; sid:2013936; rev:6; metadata:created_at 2011_11_21, updated_at 2011_11_21;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|tatar28.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022536; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected within Banner on Expected Port"; flow: from_server,established; flowbits:noalert; content:"SSH-"; offset:0; depth:4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; content:"|0d 0a|"; offset: 4; depth: 255; byte_test:1,=,20,5,relative; flowbits: set,ET.is_ssh_server_banner; flowbits: set,ET.is_ssh_server_kex; reference:url,www.proftpd.org/docs/contrib/mod_sftp.html; classtype:misc-activity; sid:2022325; rev:3; metadata:created_at 2016_01_01, updated_at 2016_01_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|giviklorted.at"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022537; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected within Banner on Unusual Port"; flow: from_server,established; flowbits:noalert; content:"SSH-"; offset:0; depth:4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; content:"|0d 0a|"; offset: 4; depth: 255; byte_test:1,=,20,5,relative; flowbits: set,ET.is_ssh_server_banner; flowbits: set,ET.is_ssh_server_kex; reference:url,www.proftpd.org/docs/contrib/mod_sftp.html; classtype:misc-activity; sid:2022326; rev:2; metadata:created_at 2016_01_01, updated_at 2016_01_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET P2P BitTorrent - Torrent File Downloaded"; flow:established,to_client; file_data; content:"d8|3a|announce"; within:11; content:!"mapfactor.com"; classtype:policy-violation; sid:2014734; rev:5; metadata:created_at 2012_05_11, updated_at 2012_05_11;)
+#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected on Expected Port"; flowbits:isset,ET.is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5; flowbits: set,is_ssh_server_kex; reference:url,doc.emergingthreats.net/2001975; classtype:misc-activity; sid:2001975; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible OceanLotus Time Check to Microsoft.com"; flow:to_server,established; content:"GET|20 20|HTTP/1.0|0d 0a|"; depth:15; content:"www.microsoft.com"; distance:6; within:23; reference:url,www.alienvault.com/open-threat-exchange/blog/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:targeted-activity; sid:2022539; rev:2; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
+#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSHv2 Client KEX Detected on Expected Port"; flowbits:isset,is_ssh_server_kex; flowbits:noalert; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,ET.is_ssh_client_kex; reference:url,doc.emergingthreats.net/2001976; classtype:misc-activity; sid:2001976; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible OceanLotus CnC Heartbeat"; flow:to_client,established; dsize:14; content:"|75 7a 76 7e 1a 1b 1b 1b 1b 1b 11 1b 1b 1b|"; fast_pattern; threshold: type limit, count 1, track by_src, seconds 60; reference:url,www.alienvault.com/open-threat-exchange/blog/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:command-and-control; sid:2022540; rev:1; metadata:created_at 2016_02_18, former_category MALWARE, updated_at 2016_02_18;)
+#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected on Unusual Port"; flowbits:isset,ET.is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5; flowbits: set,is_ssh_server_kex; reference:url,doc.emergingthreats.net/2001981; classtype:misc-activity; sid:2001981; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible 2015-7547 PoC Server Response"; flow:from_server; content:"|83 80 00 01 00 00 00 00 00 00|"; offset:2; depth:10; isdataat:2049; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; reference:cve,2015-7547; classtype:attempted-user; sid:2022542; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
+#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSHv2 Client KEX Detected on Unusual Port"; flowbits:noalert; flowbits:isset,is_ssh_server_kex; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,ET.is_ssh_client_kex; reference:url,doc.emergingthreats.net/2001982; classtype:misc-activity; sid:2001982; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Long Response to A lookup"; flow:from_server; content:"|00 01|"; offset:4; depth:2; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^.{6}[^\x00]+/Rs"; content:"|00 00 01 00 01|"; within:5; reference:cve,2015-7547; classtype:attempted-user; sid:2022543; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET HUNTING SUSPICIOUS busybox shell"; flow:to_server,established; content:"shell"; fast_pattern:only; pcre:"/\bshell\b/"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023017; rev:3; metadata:attack_target Server, created_at 2016_08_08, deployment Datacenter, former_category TELNET, performance_impact Low, signature_severity Major, updated_at 2016_08_23;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Long Response to AAAA lookup"; flow:from_server; content:"|00 01|"; offset:4; depth:2; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^.{6}[^\x00]+/Rs"; content:"|00 00 1c 00 01|"; within:5; reference:cve,2015-7547; classtype:attempted-user; sid:2022544; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET HUNTING SUSPICIOUS busybox enable"; flow:to_server,established; content:"enable"; fast_pattern:only; pcre:"/\benable\b/"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023018; rev:4; metadata:attack_target Server, created_at 2016_08_08, deployment Datacenter, former_category TELNET, performance_impact Low, signature_severity Major, updated_at 2016_08_23;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Malformed Server Response A/AAAA"; flow:from_server; content:"|00 01 00 00 00 00 00 00|"; offset:4; depth:10; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; reference:cve,2015-7547; classtype:attempted-user; sid:2022545; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PE EXE Install Windows file download"; flow:established; content:"MZ"; isdataat:76,relative; content:"This program must be "; distance:0; isdataat:140,relative; content:"PE"; distance:0; reference:url,www.program-transformation.org/Transform/PcExeFormat; reference:url,doc.emergingthreats.net/bin/view/Main/2000427; classtype:policy-violation; sid:2000427; rev:16; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_11_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET EXPLOIT Possible CVE-2015-7547 A/AAAA Record Lookup Possible Forced FallBack(fb set)"; flow:established,to_server; byte_test:2,<,513,0; byte_test:1,!&,128,4; byte_test:1,!&,64,4; byte_test:1,!&,32,4; byte_test:1,!&,16,4; byte_test:1,!&,8,4; content:"|00 01 00 00 00 00 00 00|"; offset:6; depth:8; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; flowbits:set,ET.CVE20157547.primer; flowbits:noalert; reference:cve,2015-7547; classtype:attempted-user; sid:2022546; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PE EXE or DLL Windows file download (2)"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"Windows Program"; distance:0; isdataat:10,relative; content:"PE"; distance:0; reference:url,doc.emergingthreats.net/2010869; classtype:policy-violation; sid:2010869; rev:5; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_11_01;)
 
-alert tcp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Large Response to A/AAAA query"; flow:established,from_server; flowbits:isset,ET.CVE20157547.primer; byte_test:2,>,2048,0; byte_test:1,&,128,4; byte_test:1,!&,64,4; byte_test:1,!&,32,4; byte_test:1,!&,16,4; byte_test:1,!&,8,4; content:"|00 01|"; offset:6; depth:2; reference:cve,2015-7547; classtype:attempted-user; sid:2022547; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Binary in HTTP by Type Flowbit"; flow:established,from_server; content:"HTTP/1"; depth:6; content:"|0d 0a|Content-Type|3a| application/"; nocase; reference:url,doc.emergingthreats.net/2007670; classtype:not-suspicious; sid:2007670; rev:11; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_11_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FrameworkPOS CnC Server Reporting IP Address To Agent"; flow:established,to_client; file_data; content:"=="; depth:2; content:"=="; within:17; fast_pattern; file_data; content:"=="; depth:2; pcre:"/^(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})(?:={2})/R"; reference:url,threatstream.com/blog/three-month-frameworkpos-malware-campaign-nabs-43000-credits-cards-from-point-of-sale-systems; reference:md5,591e820591e10500fe939d6bd50e6776; classtype:command-and-control; sid:2022552; rev:2; metadata:created_at 2016_02_22, former_category MALWARE, updated_at 2016_02_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Update/Installer ForceDL Template Nov 03 2017"; flow:established,from_server; file_data; content:"addDownloadHint"; nocase; pcre:"/^\s*\x28\s*[\x22\x27][^\x22\x27]*[\x22\x27]\s*,\s*[\x22\x27][^\x22\x27]+\.exe[\x22\x27]/Rsi"; content:"doDownload(force)"; nocase; content:"userConversion(true)"; nocase; distance:0; content:"trigger_dl"; nocase; pcre:"/^\s*\(\s*force\s*\?\s*true\s*\x3a\s*false\s*,\s*\d+\s*,\s*\d+\s*,\s*[\x22\x27][^\x22\x27]+\.exe[\x22\x27]/Ri"; classtype:social-engineering; sid:2024945; rev:1; metadata:created_at 2017_11_03, former_category CURRENT_EVENTS, updated_at 2017_11_03;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fa 85 d0 ad 8b ad f1 59|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022553; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> [31.184.192.0/19] 80 (msg:"ET EXPLOIT_KIT Possible EITest Flash Redirect Sep 19 2016"; flow:established,to_server; urilen:1; content:"x-flash-version|3a 20|"; http_header; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"|0d 0a|Cookie|3a|"; classtype:exploit-kit; sid:2023249; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector_07012016, updated_at 2016_09_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Exploit Kit Java gif download"; flow:established,to_server; content:".gif"; http_uri; pcre:"/\.gif$/U"; content:"Java/1."; http_user_agent; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016320; rev:6; metadata:created_at 2013_01_31, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Volex - OceanLotus JavaScript Fake Page URL Builder Response"; flow:to_client,established; file_data; content:"|7b 22|link|22 3a 22|http"; depth:13; content:"|22|load|22|"; reference:url,volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/; classtype:targeted-activity; sid:2024967; rev:3; metadata:created_at 2017_11_06, former_category TROJAN, updated_at 2017_11_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit Kit Java jpg download"; flow:established,to_server; content:".jpg"; http_uri; pcre:"/\.jpg$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016371; rev:5; metadata:created_at 2013_02_08, former_category EXPLOIT_KIT, updated_at 2013_02_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Volex - OceanLotus System Profiling JavaScript (linkStorage.x00SOCKET)"; flow:to_client,established; file_data; content:"linkStorage.x00SOCKET"; reference:url,volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/; classtype:targeted-activity; sid:2024968; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_11_06, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2017_11_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Exploit Kit Java png download"; flow:established,to_server; content:".png"; http_uri; pcre:"/\.png$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016402; rev:4; metadata:created_at 2013_02_12, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Excel/Adobe Online Phishing Landing Nov 25 2015"; flow:to_client,established; file_data; content:"<title>"; nocase; content:"Online - 09KSJDJR4843984NF98738UNFD843"; within:100; nocase; fast_pattern; classtype:social-engineering; sid:2025686; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Exploit Kit Java .psd download"; flow:established,to_server; content:".psd"; http_uri; pcre:"/\.psd$/U"; content:"Java/1."; http_user_agent; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016495; rev:8; metadata:created_at 2013_02_25, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dinwod.Dropper Win32/Xtrat.B CnC Beacon"; flow:established,to_server; dsize:<30; content:"myversion|7C|"; depth:10; pcre:"/^\d/R"; reference:md5,dd6a13ba9177a18a8cf16b52ff643abc; classtype:command-and-control; sid:2018101; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2017_11_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Exploit Kit Java jpeg download"; flow:established,to_server; content:".jpeg"; http_uri; pcre:"/\.jpeg$/U"; content:" Java/1."; http_header; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016506; rev:6; metadata:created_at 2013_02_26, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 1"; flow:established,to_client; file_data; content:"U3RhcnQtUHJvY2Vzc"; content:"cnVuZGxsMz"; content:"VXNlckluaXRNcHJMb2dvblNjcmlwd"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024971; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (4)"; flow:established,to_client; file_data; content:"|f4 ec 9a|"; distance:4; within:4; pcre:"/^(?:\x8b|\xf2)/R"; classtype:trojan-activity; sid:2022141; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 2"; flow:established,to_client; file_data; content:"N0YXJ0LVByb2Nlc3"; content:"J1bmRsbDMy"; content:"VzZXJJbml0TXByTG9nb25TY3JpcH"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024972; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (1)"; flow:established,to_client; file_data; content:"|01 d2 02 8b e7 98 09 18|"; distance:4; within:8; classtype:trojan-activity; sid:2022138; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 3"; flow:established,to_client; file_data; content:"TdGFydC1Qcm9jZXNz"; content:"ydW5kbGwzM"; content:"Vc2VySW5pdE1wckxvZ29uU2NyaXB0"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024973; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Feb 23 2016"; flow:established,from_server; file_data; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; distance:0; content:"|3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e|"; pcre:"/^\s+\d+\x3b\s*\}/R"; content:"|5d 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65|"; fast_pattern; classtype:exploit-kit; sid:2022565; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_25, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 4"; flow:established,to_client; file_data; content:"U3RhcnQtUHJvY2Vzc"; content:"RG93bmxvYWRGaWxl"; content:"V2ViQ2xpZW50"; content:"aW8uRmlsZ"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024974; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Feb 25 2016"; flow:established,from_server; file_data; content:"|36 31 2c 39 31 2c 33 34 2c 31 31 34 2c 31 31 38 2c 35 38 2c 34 39 2c 34 39 2c 33 34 2c 34 34 2c 33 34 2c 37 37 2c 38 33 2c 37 33 2c 36 39 2c 33 34 2c 34 34 2c 39 33 2c 35 39|"; content:"|39 39 2c 31 30 34 2c 39 37 2c 31 31 34 2c 36 37 2c 31 31 31 2c 31 30 30 2c 31 30 31 2c 36 35 2c 31 31 36|"; classtype:exploit-kit; sid:2022567; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_26, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 5"; flow:established,to_client; file_data; content:"N0YXJ0LVByb2Nlc3"; content:"Rvd25sb2FkRmlsZ"; content:"dlYkNsaWVud"; content:"lvLkZpbG"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024975; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|09 00 a7 ed 6e 63 0f d0 e1 f9|"; content:"|55 04 03|"; content:"|06|server"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022571; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 6"; flow:established,to_client; file_data; content:"TdGFydC1Qcm9jZXNz"; content:"Eb3dubG9hZEZpbG"; content:"XZWJDbGllbn"; content:"pby5GaWxl"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024976; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andromeda Download (set)"; flow:to_server,established; content:"GET"; http_method; content:".pw|0d 0a|"; http_header; fast_pattern; pcre:"/\/\?[A-Z]{10,}$/U"; flowbits:set,ET.andromeda; flowbits:noalert; classtype:trojan-activity; sid:2022572; rev:2; metadata:created_at 2016_02_29, former_category MALWARE, updated_at 2016_02_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ATTACK_RESPONSE 401TRG Perl DDoS IRCBot File Download"; flow:established,from_server; content:"|6d 79 20 24 70 72 6f 63 65 73 73 20 3d 20 24 72 70 73 5b 72 61 6e 64 20 73 63 61 6c 61 72 20 40 72 70 73 5d 3b|"; classtype:trojan-activity; sid:2024977; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2017_11_07, deployment Datacenter, former_category ATTACK_RESPONSE, malware_family webshell, performance_impact Moderate, signature_severity Major, updated_at 2017_11_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson CnC Server Command (info) M1"; flow:established,from_server; dsize:17; content:"|0c 00 00 00 00|info=command"; reference:md5,50eb7ae1d3c075dfc9c9e82a9fa9caf5; reference:md5,40c9031ee6bbf2b2306420e9330727a6; classtype:command-and-control; sid:2035903; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_07, deployment Perimeter, former_category MALWARE, malware_family Crimson, performance_impact Low, signature_severity Major, updated_at 2015_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing Nov 10 2017"; flow:established,to_client; file_data; content:"<label class=|22|MobMenHol"; nocase; fast_pattern; content:"<span class=|22|MobMenIcon"; nocase; distance:0; content:"MobMenIcon"; nocase; distance:0; content:"MobMenIcon"; nocase; distance:0; content:"MobMenIcon"; nocase; distance:0; classtype:social-engineering; sid:2025693; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (dirs list)"; flow:established,from_server; content:"dirs=list"; offset:5; byte_jump:4,0,little,from_beginning,post_offset 4; isdataat:!2,relative; reference:md5,94d29dded4dfd920fc4153f18e82fc6c; classtype:trojan-activity; sid:2036283; rev:3; metadata:created_at 2016_02_17, former_category MALWARE, updated_at 2016_02_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"GPL NETBIOS name query overflow attempt TCP"; flow:to_server,established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; classtype:attempted-admin; sid:2103195; rev:6; metadata:created_at 2010_09_23, former_category NETBIOS, updated_at 2017_11_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (folders list)"; flow:established,from_server; content:"fldr="; offset:5; byte_jump:4,0,little,from_beginning,post_offset 4; isdataat:!2,relative; reference:md5,94d29dded4dfd920fc4153f18e82fc6c; classtype:trojan-activity; sid:2036284; rev:3; metadata:created_at 2016_02_17, former_category MALWARE, updated_at 2016_02_17;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (IcedID CnC)"; flow:established,from_server; content:"|09 00 b9 5a 68 02 24 e5 3e 2e|"; fast_pattern; content:"|55 04 03|"; content:"|06|Server"; distance:1; within:7; reference:url,securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research; reference:md5,de4ef2e24306b35d29891b45c1e3fbfd; classtype:domain-c2; sid:2024979; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_11_13, deployment Perimeter, former_category MALWARE, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_11_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (files list)"; flow:established,from_server; content:"fles="; offset:5; byte_jump:4,0,little,from_beginning,post_offset 4; isdataat:!2,relative; reference:md5,94d29dded4dfd920fc4153f18e82fc6c; classtype:trojan-activity; sid:2036285; rev:3; metadata:created_at 2016_02_17, former_category MALWARE, updated_at 2016_02_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SocEng Fake Font Download Template Nov 14 2017"; flow:established,from_server; file_data; content:"|63 6c 69 63 6b 5f 75 70 64|"; nocase; content:"|46 6f 6e 74 20 50 61 63 6b|"; nocase; content:"|2e 6a 73 20 66 69 6c 65 20 74 6f 20 73 74 61 72 74 20 74 68 65 20 69 6e 73 74 61 6c 6c 61 74 69 6f 6e 20 70 72 6f 63 65 73 73 2e|"; nocase; reference:url,malware-traffic-analysis.net/2017/11/12/index.html; classtype:social-engineering; sid:2024985; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family SocEng, performance_impact Low, signature_severity Major, updated_at 2017_11_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (ping) M1"; flow:established,from_server; content:"clping=Ping"; offset:5; byte_jump:4,0,little,from_beginning,post_offset 4; isdataat:!2,relative; reference:md5,94d29dded4dfd920fc4153f18e82fc6c; reference:md5,40c9031ee6bbf2b2306420e9330727a6; classtype:trojan-activity; sid:2035904; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, malware_family Crimson, performance_impact Low, signature_severity Major, updated_at 2016_02_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lazarus FALLCHILL Fake SSL Checkin 1"; flow:established; dsize:13; content:"|17 03 01 00 08|"; depth:5; content:"|88 4d 76|"; distance:5; within:3; fast_pattern; pcre:"/[\x04\x06]\x88\x4d\x76$/"; reference:url,www.us-cert.gov/ncas/alerts/TA17-318A; classtype:command-and-control; sid:2024990; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_13, deployment Perimeter, former_category MALWARE, malware_family FALLCHILL, performance_impact Low, signature_severity Critical, tag Lazarus, updated_at 2017_11_14;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Fake AV Phone Scam Long Domain M3 Feb 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"yourcomputerhave"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:social-engineering; sid:2022577; rev:1; metadata:created_at 2016_03_01, updated_at 2016_03_01;)
+alert tcp any any -> any any (msg:"ET MALWARE Lazarus FALLCHILL Fake SSL Checkin 2"; flow:established; dsize:13; content:"|17 03 01 00 08|"; depth:5; content:"|63 70 7b|"; distance:5; within:3; fast_pattern; pcre:"/[\xb0\xb2]\x63\x70\x7b$/"; reference:url,www.us-cert.gov/ncas/alerts/TA17-318A; classtype:command-and-control; sid:2024992; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category MALWARE, malware_family FALLCHILL, performance_impact Low, signature_severity Critical, tag Lazarus, updated_at 2017_11_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN MySQL Malicious Scanning 3"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"select unhex("; fast_pattern; distance:0; content:"into dumpfile|20 27|"; distance:0; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022581; rev:1; metadata:created_at 2016_03_01, former_category CURRENT_EVENTS, updated_at 2016_03_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Type Confusion Microsoft Edge (CVE-2017-11873)"; flow:established,from_server; file_data; content:"[1.1, 2.2"; fast_pattern; pcre:"/^(?:\]|, 3\.3\])\x3b/R"; content:"Array(100)"; content:"i = 0|3b| i < 100"; content:"function opt("; reference:url,raw.githubusercontent.com/theori-io/pwnjs/master/examples/CVE-2017-11873.js; reference:cve,2017-11873; classtype:attempted-user; sid:2024993; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_15, deployment Perimeter, former_category WEB_CLIENT, performance_impact Significant, signature_severity Major, updated_at 2017_11_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Spam/Phish Campaign Feb 25 2016"; flow:established,to_server; content:".pw|0d 0a|"; http_header; nocase; fast_pattern:only; pcre:"/\/[a-z]\/\?[A-Z]{10}$/U"; pcre:"/^Host\x3a\x20[^\r\n]+\.pw\r?$/Hmi"; classtype:trojan-activity; sid:2022570; rev:3; metadata:created_at 2016_02_27, updated_at 2016_02_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PWNJS JS Constructs"; flow:established,from_server; file_data; content:"base_lo"; content:"base_hi"; content:"fake_object"; fast_pattern; pcre:"/^\s*?\[\s*?\d/Rs"; content:"i32"; pcre:"/^\s*?\[\s*?\d/Rs"; content:"f64"; pcre:"/^\s*?\[\s*?\d/Rs"; content:"array_addr"; reference:url,raw.githubusercontent.com/theori-io/pwnjs/; classtype:attempted-user; sid:2024994; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_15, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Major, updated_at 2017_11_15;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Server Hello"; flow:from_server,established; content:"|04 00 01 00 02|"; offset:2; depth:5; byte_test:2,>,15,4,relative; byte_test:2,<,33,4,relative; flowbits:set,SSlv2.ServerHello; flowbits:noalert; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022583; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Double Base64 Unicode Net.ServicePointManager M1"; flow:established,from_server; file_data; content:"VwB3AEIATwBBAEcAVQBBAGQAQQBBAHUAQQBGAE0AQQBaAFEAQgB5AEEASABZAEEAYQBRAEIAagBBAEcAVQBBAFUAQQBCAHYAQQBHAGsAQQBiAGcAQgAw"; reference:md5,45b0e5a457222455384713905f886bd4; classtype:trojan-activity; sid:2023944; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_RC4_128_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 01 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022584; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Double Base64 Unicode Net.ServicePointManager M2"; flow:established,from_server; file_data; content:"cAdwBCAE8AQQBHAFUAQQBkAEEAQQB1AEEARgBNAEEAWgBRAEIAeQBBAEgAWQBBAGEAUQBCAGoAQQBHAFUAQQBVAEEAQgB2AEEARwBrAEEAYgBnAEIAM"; reference:md5,45b0e5a457222455384713905f886bd4; classtype:trojan-activity; sid:2023945; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_RC2_128_CBC_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 03 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022585; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Double Base64 Unicode Net.ServicePointManager M3"; flow:established,from_server; file_data; content:"XAHcAQgBPAEEARwBVAEEAZABBAEEAdQBBAEYATQBBAFoAUQBCAHkAQQBIAFkAQQBhAFEAQgBqAEEARwBVAEEAVQBBAEIAdgBBAEcAawBBAGIAZwBCAD"; reference:md5,45b0e5a457222455384713905f886bd4; classtype:trojan-activity; sid:2023946; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_RC2_128_CBC_EXPORT40_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 04 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022586; rev:1; metadata:created_at 2016_03_02, former_category POLICY, updated_at 2016_03_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Base64 Unicode WebClient DownloadString M1"; flow:established,from_server; file_data; content:"VwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZ"; reference:md5,2a0df97277ddb361cecf8726df6d78ac; classtype:trojan-activity; sid:2023941; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress ClientMaster Key SSL2_IDEA_128_CBC_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|0205 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022587; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Base64 Unicode WebClient DownloadString M2"; flow:established,from_server; file_data; content:"VwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZ"; reference:md5,2a0df97277ddb361cecf8726df6d78ac; classtype:trojan-activity; sid:2023942; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_DES_64_CBC_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 06 00 40|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022588; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Base64 Unicode WebClient DownloadString M3"; flow:established,from_server; file_data; content:"XAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBn"; reference:md5,2a0df97277ddb361cecf8726df6d78ac; classtype:trojan-activity; sid:2023943; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PDF With Embedded File"; flow:established,to_client; file_data; content:"obj"; content:"<<"; within:4; content:"/EmbeddedFile"; distance:0; pcre:"/\x3C\x3C[^>]*\x2FEmbeddedFile/sm"; reference:url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/; classtype:bad-unknown; sid:2011507; rev:8; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY PTsecurity Remote Desktop AeroAdmin Server Hello"; flow:established,to_client; dsize:9; stream_size:client,=,1; stream_size:server,=,10; content:"|05 00 00 00 00 ff ff ff ff|"; depth:9; fast_pattern; classtype:policy-violation; sid:2025008; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2017_11_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Generic HeapSpray Construct"; flow:established,to_client; file_data; content:"<script"; nocase; content:"CollectGarbage"; distance:0; fast_pattern; content:"while"; pcre:"/^\s*?\([^\)]*?(?P<var>[^\.]+)\s*?\.\s*?length\s*<\s*(?:0?[0-9]{5,}|0x[a-z0-9]{3,})[^)]+\)\s*?\{\s*?(?P=var)\s*?=\s*?(?P=var)\s*?\+\s*?(?P=var)\s*?\}/Rsi"; content:"getElementsByClassName"; distance:0; content:"CollectGarbage"; distance:0; classtype:bad-unknown; sid:2018146; rev:4; metadata:created_at 2014_02_15, former_category CURRENT_EVENTS, updated_at 2014_02_15;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY PTsecurity Remote Desktop AeroAdmin handshake"; flow:established,to_server; content:"|e1 00 00 00 00|"; depth:5; content:"|0b 00 00 d8 00 00 00 4d 49 47 64 4d 41|"; distance:1; within:13; fast_pattern; threshold: type limit, track by_src, count 1, seconds 30; classtype:policy-violation; sid:2025009; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2017_11_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Syndicasec.Backdoor Client POST CMD result"; flow:established,to_server; content:"POST"; http_method; content:".php?cstype="; http_uri; content:"&authname="; distance:0; http_uri; content:"&authpass="; distance:0; http_uri; content:"&hostname="; distance:0; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2014795; rev:3; metadata:created_at 2012_05_22, updated_at 2012_05_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iCloud (CN) Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"Host|3a 20 31 31 32 32 33 33 68 74 2e 70 77|"; fast_pattern:only; classtype:credential-theft; sid:2024000; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Ursnif Injects)"; flow:from_server,established; content:"|55 04 03|"; content:"|0c|dolbyfck.com"; distance:1; within:13; classtype:domain-c2; sid:2022613; rev:2; metadata:attack_target Client_and_Server, created_at 2016_03_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Possible NanoCore C2 60B"; flow:established,to_server; dsize:60; content:"|38 00 00 00|"; depth:5; pcre:"/^(?!.{0,56}\x00.{0,55}\x00.{0,54}\x00.{0,53}\x00)(?!.{0,54}\x00{2})(?!.{0,50}[A-Za-z0-9]{5})(?!(?P<b1>.).{0,53}(?P=b1).{0,52}(?P=b1).{0,51}(?P=b1).{0,50}(?P=b1))(?!.(?P<b2>.).{0,52}(?P=b2).{0,51}(?P=b2).{0,50}(?P=b2).{0,49}(?P=b2))(?!..(?P<b3>.).{0,51}(?P=b3).{0,50}(?P=b3).{0,49}(?P=b3).{0,48}(?P=b3))(?!...(?P<b4>.).{0,50}(?P=b4).{0,49}(?P=b4).{0,48}(?P=b4).{0,47}(?P=b4))(?!....(?P<b5>.).{0,49}(?P=b5).{0,48}(?P=b5).{0,47}(?P=b5).{0,46}(?P=b5))(?!.....(?P<b6>.).{0,48}(?P=b6).{0,47}(?P=b6).{0,46}(?P=b6).{0,45}(?P=b6))(?!......(?P<b7>.).{0,47}(?P=b7).{0,46}(?P=b7).{0,45}(?P=b7).{0,44}(?P=b7))(?!.......(?P<b8>.).{0,46}(?P=b8).{0,45}(?P=b8).{0,44}(?P=b8).{0,43}(?P=b8))(?!........(?P<b9>.).{0,45}(?P=b9).{0,44}(?P=b9).{0,43}(?P=b9).{0,42}(?P=b9))(?!.........(?P<b10>.).{0,44}(?P=b10).{0,43}(?P=b10).{0,42}(?P=b10).{0,41}(?P=b10))/Rs"; classtype:command-and-control; sid:2025019; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MALWARE, malware_family NanoCore, tag Nanocore, updated_at 2017_11_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 15 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; isdataat:!10,relative; classtype:exploit-kit; sid:2022620; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_16, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Upatre Header Structure"; flow:to_server,established; content:"GET"; http_method; content:"Accept|3a 20|text/*,|20|application/*|0d 0a|User-Agent|3a 20|"; http_header; depth:44; fast_pattern; content:!"Mozilla"; within:7; http_header; content:"|0d 0a|Host|3a 20|"; distance:0; http_header; content:!"Taitus"; http_header; content:!"Sling/"; http_header; pcre:"/\r\nHost\x3a[^\r\n]+\r\n(?:Pragma|Cache-Control)\x3a\x20no-cache\r\n(?:Connection\x3a Keep-Alive\r\n)?(?:\r\n)?$/H"; classtype:trojan-activity; sid:2018394; rev:8; metadata:created_at 2014_04_16, former_category TROJAN, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 15 2016 M2"; flow:established,to_server; content:"/track/k.track?wd="; http_uri; depth:18; content:"fid="; http_uri; content:"rds="; http_uri; classtype:exploit-kit; sid:2022621; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_16, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Possible VirLock Connectivity Check"; flow:established,to_server; dsize:36; content:"GET / HTTP/1.1|0d 0a|Host|3a 20|google.com|0d 0a 0d 0a|"; fast_pattern; threshold:type both,track by_src,count 2,seconds 10; reference:md5,94c9c2fddc99217e310d5c687adfc2f7; classtype:trojan-activity; sid:2020022; rev:3; metadata:created_at 2014_12_23, former_category TROJAN, updated_at 2022_03_17;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|marinova.am"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022623; rev:2; metadata:attack_target Client_and_Server, created_at 2016_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Webprefix checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?email="; fast_pattern:only; http_uri; content:!"User-Agent|3a| "; http_header; content:!"Referer"; http_header; content:!"Accept-"; http_header; content:"|0d 0a 0d 0a|"; pcre:"/^Accept\x3a\x20\*\/\*\r\nConnection\x3a\x20close\r\nHost\x3a\x20[^\r\n\x2e]+\x2e[^\r\n\x2e]+(?:\x3a\d{1,5})?\r\n(?:\r\n)?$/H"; reference:md5,8284c2202342102000ae9a04dd07bb76; classtype:command-and-control; sid:2018481; rev:9; metadata:created_at 2012_01_23, former_category MALWARE, updated_at 2017_11_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Kasidet CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e2 62 fd fd 41 2d 9c a4|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022624; rev:2; metadata:attack_target Client_and_Server, created_at 2016_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Email Attachment Possibly Related to Mydoom.L@mm"; flow:established,to_server; content:"Subject|3a 20|"; nocase; content:"mail"; nocase; within:34; content:"name|3d 22|"; pcre:"/name\x3d\x22(message|letter|.*lebanon\x2donline\x2ecom\x2elb)?\x2ezip\x22\x0d\x0a/"; reference:md5,28110a8ea5c13859ddf026db5a8a864a; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-071915-0829-99&tabid=2; classtype:trojan-activity; sid:2012932; rev:8; metadata:created_at 2011_06_06, updated_at 2011_06_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message"; flow:established,to_server; content:"|22|id|22 3A|"; content:"|22|method|22 3A|"; content:"|22|mining."; within:9; content:"|22|params|22|"; within:50; pcre:"/\x22mining\x2E(subscribe|authorize)\x22/"; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2017871; rev:7; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Signed TLS Certificate with md5WithRSAEncryption"; flow:established,from_server; content:"|16 03 01|"; depth:3; content:"|02|"; distance:2; within:1; byte_jump:3,0,relative,big; content:"|16 03 01|"; within:3; content:"|0b|"; distance:2; within:2; content:"|30 82|"; distance:9; within:2; content:"|30 82|"; distance:2; within:2; content:"|a0 03 02 01 02 02|"; distance:2; within:6; byte_jump:1,0,relative,big; content:"|30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00|"; within:15; reference:url,www.win.tue.nl/hashclash/rogue-ca/; reference:url,ietf.org/rfc/rfc3280.txt; reference:url,jensign.com/JavaScience/GetTBSCert/index.html; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; reference:url,news.netcraft.com/archives/2012/08/31/governments-and-banks-still-using-weak-md5-signed-ssl-certificates.html; classtype:misc-activity; sid:2015686; rev:3; metadata:created_at 2012_09_07, updated_at 2012_09_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Mar 18 2016"; flow:from_server,established; file_data; content:"|52 65 67 45 78 70 28 27|"; content:"|27 2b 27 3d 28 5b 5e 3b 5d 29 7b 31 2c 7d 27 29 3b|"; distance:32; within:17; content:"|3b 64 2e 73 65 74 44 61 74 65 28 64 2e 67 65 74 44 61 74 65 28 29 2b 31 29 3b|"; content:"|3c 69 66 72 61 6d 65|"; distance:0; classtype:exploit-kit; sid:2022628; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_19, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ET.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_11_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 19 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f|"; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; distance:0; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; classtype:exploit-kit; sid:2022629; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_19, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ET.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_11_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 19 2016 M2"; flow:established,to_server; content:"/imp/one.trk?wid="; http_uri; classtype:exploit-kit; sid:2022630; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_19, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jan 27 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:>5; content:"/?3b"; http_uri; depth:4; pcre:"/^\/\?3b[A-Z0-9a-z]{2}(&subid=[^&]*)?$/U"; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:exploit-kit; sid:2022464; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading To EK Mar 22 2016"; flow:established,from_server; file_data; content:"|6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 2e 55 41 20 3d 20 55 41|"; content:"|2e 73 70 6c 69 74 28 22 2c 22 29 2c 20 69 3d 30 2c 20 6b 3b 20 66 6f 72 20 28 3b 20 6b 20 3d 20 61 5b 69 5d 2c 20 69 20 3c 20 61 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 72 2e 70 75 73 68 28|"; content:"|2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 7b 20 74 72 79 20 7b 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28|"; classtype:exploit-kit; sid:2022635; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 24 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:7; content:"/xLMCJ4"; http_uri; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:exploit-kit; sid:2025038; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_26, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2017_11_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v1 ASCII"; flow:to_server,established; content:"|ff|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:".locky|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022638; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 29 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:5; content:"/5c2C"; http_uri; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:exploit-kit; sid:2025039; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2017_11_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PE EXE or DLL Windows file download Text M2"; flow:established,from_server; file_data; content:"4D5A"; nocase; within:4; content:"50450000"; distance:0; content:"21546869732070726f6772616d"; nocase; fast_pattern; classtype:trojan-activity; sid:2022640; rev:2; metadata:created_at 2016_03_23, updated_at 2016_03_23;)
+alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Exim4 UAF Attempt (BDAT with non-printable chars)"; flow:established,to_server; content:"BDAT"; depth:5; pcre:"/^\s*\d*[^\x20-\x7e\r\n\t]/R"; reference:url,lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html; classtype:attempted-admin; sid:2025063; rev:3; metadata:attack_target SMTP_Server, created_at 2017_11_27, deployment Internal, deployment Datacenter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_11_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v1 Unicode"; flow:to_server,established; content:"|ff|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|00|.|00|l|00|o|00|c|00|k|00|y|00 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022637; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SMTP Abuseat.org Block Message"; flow:established,from_server; content:"abuseat.org"; classtype:not-suspicious; sid:2012982; rev:4; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Evil EXE download from WinHttpRequest non-exe extension"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.WinHttpRequest.no.exe.request; classtype:trojan-activity; sid:2022653; rev:2; metadata:created_at 2016_03_24, former_category CURRENT_EVENTS, updated_at 2016_03_24;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Brazilian Banker SSL Cert"; flow:established,from_server; tls_cert_subject; content:"CN=robervalmotores.com.br"; fast_pattern; nocase; classtype:trojan-activity; sid:2025076; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_11_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE IrcBot Downloading Files via FTP"; flow:established,to_server; content:"RETR scrypt13"; depth:13; content:".cl"; distance:2; within:6; reference:md5,ca6208a4dd3f1f846aaaf4a6cbcc66ea; classtype:trojan-activity; sid:2022656; rev:1; metadata:created_at 2016_03_24, updated_at 2016_03_24;)
+#alert tcp any any -> any [139,445] (msg:"ET NETBIOS Tree Connect AndX Request IPC$ Unicode"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; content:"| 00 5c 00 69 00 70 00 63 00 24 00 00 00|"; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; reference:cve,2006-4691; classtype:protocol-command-decode; sid:2025090; rev:2; metadata:created_at 2016_06_14, former_category NETBIOS, updated_at 2020_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/SmartTab PUP Install Activity"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| tabtoolbarup"; http_header; content:"/ins_proc.asp?kind="; http_uri; content:"&ist_yn="; http_uri; content:"&ptn_name="; http_uri; reference:url,camas.comodo.com/cgi-bin/submit?file=31c027c13105e23af64b1b02882fb2b8300fdf7f511bb4c63c71f9b09c75dd6c; reference:md5,8eaf3b7b72a9af5a85d01b674653ccac; classtype:pup-activity; sid:2014117; rev:4; metadata:created_at 2012_01_12, former_category ADWARE_PUP, updated_at 2012_01_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Bladabindi/njRAT (Dd19271927)"; flow:established,to_server; content:"|00|llDd19271927"; fast_pattern; offset:2; depth:14; dsize:<512; reference:md5,18fcc5f04f74737ca8a3fcf65a45629c; classtype:trojan-activity; sid:2025077; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family njrat, performance_impact Moderate, signature_severity Major, updated_at 2017_11_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK EITest Mar 27"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"Cookie|3a|"; content:!"[DYNAMIC]"; http_header; pcre:"/^\/(?=[a-z][a-z\x2f]*\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d)[a-z0-9\x2f]+\/$/U"; classtype:exploit-kit; sid:2022666; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious Doc Downloading EXE"; flow:established,from_server; flowbits:isset,ET.MalDocEXEPrimer; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2020838; rev:3; metadata:created_at 2015_04_03, former_category CURRENT_EVENTS, updated_at 2015_04_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK EITest Mar 27 M2"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z][a-z\x2f]*-[a-z\x2f]+-)[a-z\x2f-]+\/$/U"; classtype:exploit-kit; sid:2022682; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Linksys Router Returning Device Settings To External Source"; flow:established,from_server; file_data; content:"<GetDeviceSettingsResponse>"; content:"<GetDeviceSettingsResult>"; content:"<ModelName>"; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Summary+What+we+know+so+far/17633; classtype:attempted-admin; sid:2018136; rev:3; metadata:created_at 2014_02_14, former_category CURRENT_EVENTS, updated_at 2017_11_28;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|whaovxeynxctdrvzn.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022685; rev:2; metadata:attack_target Client_and_Server, created_at 2016_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS MtGox Leak wallet stealer UA"; flow:established,to_server; content:"MtGoxBackOffice"; depth:15; http_user_agent; reference:url,www.securelist.com/en/blog/8196/Analysis_of_Malware_from_the_MtGox_leak_archive; reference:md5,c4e99fdcd40bee6eb6ce85167969348d; classtype:trojan-activity; sid:2018279; rev:4; metadata:created_at 2014_03_14, former_category CURRENT_EVENTS, updated_at 2017_11_28;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware Locky .onion Payment Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|32kl2rwsjvqjeui7"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022659; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_03_26, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2016_03_26, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp any any -> $HOME_NET [23,2323] (msg:"ET EXPLOIT Actiontec C1000A backdoor account M1"; flow:established,to_server; content:"QwestM0dem"; fast_pattern; metadata: former_category EXPLOIT; classtype:attempted-admin; sid:2025080; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2017_11_28, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2017_11_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js (Remote Debugger)"; flow:from_server,established; file_data; content:"/json/new/"; content:"javascript|3a|require"; distance:0; content:"child_process"; fast_pattern; distance:0; content:"spawnSync"; distance:0; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=773; classtype:trojan-activity; sid:2022693; rev:2; metadata:created_at 2016_03_31, updated_at 2016_03_31;)
+alert tcp any any -> $HOME_NET [23,2323] (msg:"ET EXPLOIT Actiontec C1000A backdoor account M2"; flow:established,to_server; content:"CenturyL1nk"; fast_pattern; classtype:attempted-admin; sid:2024980; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2017_11_13, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Critical, updated_at 2017_11_29;)
 
-#alert ftp $HOME_NET ![21,25,110,119,139,445,465,475,587,902,1433,2525] -> any any (msg:"ET HUNTING Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"SMTP"; within:20; reference:url,doc.emergingthreats.net/2011124; classtype:pup-activity; sid:2011124; rev:19; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_09_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent GeneralDownloadApplication"; flow:established,to_server; content:"User-Agent|3A 20|GeneralDownloadApplication"; http_header; classtype:trojan-activity; sid:2013901; rev:3; metadata:created_at 2011_11_11, former_category TROJAN, updated_at 2017_11_29;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 39889 (msg:"ET EXPLOIT Quanta LTE Router UDP Backdoor Activation Attempt"; flow:to_server; content:"HELODBG"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022699; rev:1; metadata:created_at 2016_04_05, updated_at 2016_04_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Atraps Receiving Config via Image File (steganography)"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"|FF D9 23|"; distance:0; content:"$|3a|1|3a|$"; distance:0; fast_pattern; pcre:"/^[A-Za-z0-9+/=]+\x24\x3a\d+\x3a\x24$/R"; reference:md5,3dce01df285b3570738051672664068d; classtype:trojan-activity; sid:2025070; rev:3; metadata:created_at 2016_04_06, former_category TROJAN, updated_at 2017_11_29;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET ![25,465,587] (msg:"ET MALWARE HOMEUNIX/9002 CnC Beacon"; flow:established,to_server; dsize:48; content:!"|00 00 00|"; offset:1; depth:3; byte_extract:3,1,xor_key; byte_test:3,=,xor_key,9; byte_test:3,=,xor_key,13; byte_extract:1,1,same_test; byte_test:1,!=,same_test,8; byte_test:1,!=,same_test,33; pcre:!"/^[\x20-\x7e\r\n]+$/"; reference:md5,256438747bae78c9101c9a0d4efe5572; classtype:command-and-control; sid:2020714; rev:8; metadata:attack_target Client_Endpoint, created_at 2015_03_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_03_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SMTP Spamcop.net Block Message"; flow:established,from_server; content:"spamcop.net"; classtype:not-suspicious; sid:2012983; rev:3; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
 
-alert tcp any any -> any 6129 (msg:"ET EXPLOIT Dameware DMRC Buffer Overflow Attempt (CVE-2016-2345)"; flow:established,to_server; content:"|44 9c 00 00|"; depth:4; content:"|90 90 90 90 90 90 90 90|"; distance:0; content:"|eb 06 ff ff 61 11 40 00 90 90 90 e9 6b fa ff ff|"; distance:0; reference:cve,2016-2345; reference:url,www.securifera.com/blog/2016/04/03/fun-with-remote-controllers-dameware-mini-remote-control-cve-2016-2345; classtype:attempted-admin; sid:2022712; rev:1; metadata:created_at 2016_04_06, updated_at 2016_04_06;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain"; dns_query; content:"6dtxgqam4crv6rr6"; nocase; depth:16; reference:md5,b06d9dd17c69ed2ae75d9e40b2631b42; classtype:trojan-activity; sid:2022548; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|velodrivve|03|biz|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; distance:0; within:4; pcre:"/[a-z]{4,10}\x08velodrivve\x03biz\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022703; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2020_08_20, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to Pseudo Random Domain for Web Malware (.mynumber.org)"; dns_query; content:".mynumber.org"; nocase; isdataat:!1,relative; pcre:"/^[acdefghijlmopqrtwz]{16}\.mynumber\.org$/"; reference:url,blog.lab69.com/2012/12/another-implementation-of-pseudo-random.html; classtype:bad-unknown; sid:2018766; rev:3; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"Internet Widgits Pty Ltd"; within:50; content:"|09 00 e6 7b 40 4f 24 b8 2a f9|"; reference:url,sslbl.abuse.ch; reference:md5,3d8d1a65ce53c6ac2e43523e82a6d471; classtype:domain-c2; sid:2022713; rev:2; metadata:attack_target Client_and_Server, created_at 2016_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download By Vulnerable Client"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"PK"; depth:2; classtype:trojan-activity; sid:2014473; rev:5; metadata:created_at 2012_04_04, updated_at 2022_05_03;)
 
-#alert tcp $HOME_NET any -> !$SQL_SERVERS 3306 (msg:"ET WORM Potential MySQL bot scanning for SQL server"; flow:to_server; flags:S,12; reference:url,isc.sans.org/diary.php?date=2005-01-27; reference:url,doc.emergingthreats.net/2001689; classtype:trojan-activity; sid:2001689; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UBoatRAT CnC Check-in"; flow:established,to_server; dsize:>48; content:"|bc b0 b0 88 88 88 88 88 88 88 88 88|"; depth:12; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/; classtype:command-and-control; sid:2025093; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_01, deployment Perimeter, former_category MALWARE, malware_family UBoatRAT, performance_impact Low, signature_severity Major, updated_at 2017_12_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Locky JS Downloading Payload"; flow:to_server,established; urilen:<12; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; fast_pattern; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{6,10}$/U"; pcre:"/^User-Agent\x3a[^\r\n]+?(?:MSIE|rv\x3a11)/Hm"; flowbits:set,ET.Locky; flowbits:noalert; reference:md5,c6896184db5c07ebadf40115138b2f4c; reference:md5,cb8f78317622f8ae855ac25ef4cf3688; classtype:trojan-activity; sid:2026460; rev:3; metadata:created_at 2016_03_16, former_category MALWARE, updated_at 2018_10_09;)
+alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; ssh_proto; content:"PUTTY"; threshold: type limit, track by_src, count 1, seconds 30; classtype:network-scan; sid:2019876; rev:6; metadata:created_at 2014_12_05, former_category SCAN, updated_at 2017_12_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK April 12 2016 M1"; flow:established,to_server; content:"/2016/less/ing/frame.html"; http_uri; classtype:exploit-kit; sid:2022724; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible MyEtherWallet Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>"; nocase; content:"MyEtherWallet.com"; within:30; nocase; fast_pattern; classtype:social-engineering; sid:2025140; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK April 12 2016 M2"; flow:established,from_server; file_data; content:"|3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3e 76 61 72 20 6c 3d 27 68 74 74 70 3a|"; content:"|3b 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 27 2b 27 73 63 72 69 70 74 20 74 79 70 65 3d 5c 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 5c 27 20 73 72 63 3d 5c 27 27 2b 6c 2b 27 5c 27 3e 3c 27 2b 27 2f 73 63 72 69 70 74 3e 27 29 3b 3c 2f 73 63 72 69 70 74 3e|"; distance:0; classtype:exploit-kit; sid:2022725; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Netwire RAT Client HeartBeat C1 (no alert)"; flow:established,to_server; dsize:5; content:"|01 00 00 00|"; depth:4; flowbits:set,ET.Netwire.HB; flowbits:noalert; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,9475f91a426ac45d1f074373034cbea6; classtype:trojan-activity; sid:2018281; rev:4; metadata:created_at 2014_03_14, updated_at 2014_03_14;)
 
-#alert tcp $HOME_NET any -> [64.34.106.33,64.94.18.67] 12975 (msg:"ET POLICY Outbound Hamachi VPN Connection Attempt"; flags:S,12; flow:to_server; threshold:type limit, track by_src, count 1, seconds 120; reference:url,www.hamachi.cc; reference:url,doc.emergingthreats.net/2002729; classtype:policy-violation; sid:2002729; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Netwire RAT Client HeartBeat S1 (no alert)"; flow:established,from_server; dsize:5; content:"|01 00 00 00 01|"; flowbits:isset,ET.Netwire.HB.1; flowbits:isnotset,ET.Netwire.HB.2; flowbits:unset,ET.Netwire.HB.1; flowbits:set,ET.Netwire.HB.2; flowbits:noalert; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,9475f91a426ac45d1f074373034cbea6; classtype:trojan-activity; sid:2018282; rev:4; metadata:created_at 2014_03_14, former_category TROJAN, updated_at 2017_12_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"ET SCAN Possible SSL Brute Force attack or Site Crawl"; flow: established,to_server; flags: S; threshold: type threshold, track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2001553; classtype:attempted-dos; sid:2001553; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Client Check-in 2"; flow:established,to_server; dsize:5; content:"|01 00 00 00 02|"; flowbits:isset,ET.NetwireRAT.Client; reference:md5,acccfa6107c712a63b1473d524461163; classtype:trojan-activity; sid:2021290; rev:2; metadata:created_at 2015_06_17, former_category TROJAN, updated_at 2017_12_11;)
 
-#alert tcp $EXTERNAL_NET 10000: -> $HOME_NET 0:1023 (msg:"ET DOS Potential Tsunami SYN Flood Denial Of Service Attempt"; flags:S; flow:to_server; dsize:>900; threshold: type both, count 20, seconds 120, track by_src; reference:url,security.radware.com/uploadedFiles/Resources_and_Content/Threat/TsunamiSYNFloodAttack.pdf; classtype:attempted-dos; sid:2019404; rev:3; metadata:created_at 2014_10_15, updated_at 2014_10_15;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Client HeartBeat"; flow:established,to_server; dsize:5; content:"|01 00 00 00|"; depth:4; byte_test:1,>,0,0,relative; byte_test:1,<,3,0,relative; flowbits:isset,ET.NetwireRAT.Client; threshold: type both,track by_src, count 3, seconds 300; reference:md5,495eef9238282e8f69f2284ca75d2ddc; classtype:trojan-activity; sid:2020566; rev:2; metadata:created_at 2015_02_25, former_category TROJAN, updated_at 2017_12_11;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|02|FL"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|05|Tampa"; distance:1; within:6; content:"|55 04 0a|"; distance:0; content:"|1b|Realtek Semiconductor Corp."; distance:1; within:28; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022714; rev:3; metadata:attack_target Client_and_Server, created_at 2016_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Server Welcome Packet"; flow:established,from_server; dsize:12; content:"|01 00 00 00|"; depth:4; flowbits:set,ET.gadu.welcome; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008297; classtype:policy-violation; sid:2008297; rev:5; metadata:created_at 2010_07_30, former_category CHAT, updated_at 2017_12_11;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|www.huevo.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022733; rev:2; metadata:attack_target Client_and_Server, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip"; flow:established,to_server; content:"setup."; fast_pattern:only; http_uri; content:".in|0d 0a|"; http_header; pcre:"/\/[a-f0-9]{16}\/([a-z0-9]{1,3}\/)?setup\.(exe|zip)$/U"; pcre:"/^Host\x3a\s.+\.in\r?$/Hmi"; reference:url,isc.sans.edu/diary/+Vulnerabilityqueerprocessbrittleness/13501; classtype:trojan-activity; sid:2014929; rev:4; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2017_12_11;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 c4 2f d3 44 ed 20 a4 ab|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022734; rev:2; metadata:attack_target Client_and_Server, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS UPS Spam Inbound"; flow:established,to_server; content:"name=|22|"; nocase; content:"UPS"; nocase; within:11; content:".zip|22|"; within:74; nocase; pcre:"/name=\x22([a-z_]{0,8})?UPS(\s|_|\-)?[a-z0-9\-_\.\s]{0,69}\.zip\x22/i"; classtype:trojan-activity; sid:2014828; rev:3; metadata:created_at 2012_05_30, former_category CURRENT_EVENTS, updated_at 2017_12_11;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 dd b5 a0 63 d6 36 a8 89|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022735; rev:2; metadata:attack_target Client_and_Server, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY IP Check Response (rl. ammyy. com)"; flow:to_client,established; file_data; content:"Your IP="; depth:8; content:", country = "; distance:0; isdataat:!3,relative; classtype:policy-violation; sid:2025150; rev:1; metadata:created_at 2017_12_13, updated_at 2017_12_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Exploit Struct Jan 23 2015"; flow:established,to_server; urilen:50<>151; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; pcre:"/^\/[A-Z](?=[A-Za-z]{0,148}\d)[A-Za-z0-9]{49,148}$/U"; content:".htm"; http_header; fast_pattern:only; content:"Referer|3a 20|"; http_header; pcre:"/^http\x3a\/\/[^\x2f]+\/[A-Z](?=[a-z0-9]+[A-Z])(?=[A-Z0-9]+[a-z])[A-Za-z0-9]{9,}\.html?\r?$/RHmi"; classtype:exploit-kit; sid:2020300; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious Fake JS Lib Inject"; flow:established,from_server; file_data; content:".min.php"; nocase; pcre:"/^(?P<q>[\x22\x27])\+(?P=q)\?(?P=q)\+(?P=q)/R"; content:"default_keyword="; within:2500; fast_pattern; content:"<"; within:2500; content:!"/script>"; within:8; pcre:"/^[\x22\x27+\s]*\/[\x22\x27+\s]*s[\x22\x27+\s]*c[\x22\x27+\s]*r[\x22\x27+\s]*i[\x22\x27+\s]*p[\x22\x27+\s]*t[\x22\x27+\s]*>/Rsi"; classtype:trojan-activity; sid:2025151; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_12_15, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_12_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Unknown - news=1 in http_cookie"; flow:established,to_client; content:"Set-Cookie|3a| news=1"; http_raw_header; classtype:exploit-kit; sid:2014438; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC)"; flow:established,to_client; tls_cert_subject; content:"C=AU, ST=f2tee4, L=gf23et65adt, O=tg4r6tds, OU=rst, CN=rvgvtfdf"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2025155; rev:1; metadata:attack_target Client_and_Server, created_at 2017_12_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_12_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess HTTP GET request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"?w="; fast_pattern:only; http_uri; content:"&i="; http_uri; content:"&v="; http_uri; content:"Host|3a 20|"; depth:6; http_header; content:"Connection|3a 20|close|0d 0a|Cookie|3a 20|"; http_raw_header; content:!"Accept"; http_header; pcre:"/\/\d{10}\?w=\d{3}&i=\d{6,10}&v=\d\.\d$/U"; classtype:trojan-activity; sid:2015535; rev:4; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Trickbot/Dyre Serial Number in SSL Cert"; flow:established,to_client; tls_cert_serial; content:"89:BF:80:13:42:0A:2E:F5"; classtype:trojan-activity; sid:2025156; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Trickbot, updated_at 2017_12_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FAKEAV CryptMEN - 302 Redirect"; flow:established,from_server; content:"Cookie|3a| Hello-friend="; http_raw_header; classtype:bad-unknown; sid:2011920; rev:5; metadata:created_at 2010_11_11, updated_at 2010_11_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Fedex Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>FEDEX|20 7c 20|Tracking</TITLE>"; fast_pattern; nocase; classtype:social-engineering; sid:2025158; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_20;)
 
-alert tcp any !80 -> $HOME_NET any (msg:"ET EXPLOIT Open MGate Device"; flow:established,from_server; content:"Model name|20|"; pcre:"/^\x20+\x3a\x20MGate/R"; content:"|0d 00 0a|MAC address|20|"; distance:0; pcre:"/^\x20+\x3a\x20(?:[0-9A-F]{2}\x3a){5}[0-9A-F]{2}\x0d\x00\x0a/R"; classtype:successful-admin; sid:2022732; rev:2; metadata:created_at 2016_04_14, former_category CURRENT_EVENTS, updated_at 2016_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Halkbank (TK) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>|48 61 6c 6b 62 61 6e 6b 20 c4 b0 6e 74 65 72 6e 65 74 20 c5 9e 75 62 65 73 69|</title>"; nocase; classtype:social-engineering; sid:2025159; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 20 2016"; flow:established,to_server; urilen:5; content:"/get2"; http_uri; content:"bc3ad="; http_cookie; classtype:exploit-kit; sid:2022751; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_20, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Ziraat Bank (TK) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>|20 48 6f c5 9f 67 65 6c 64 69 6e 69 7a 20 7c 20 5a 69 72 61 61 74 20 42 61 6e 6b 61 73 c4 b1|"; nocase; classtype:social-engineering; sid:2025160; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 21 2016 M2"; flow:established,to_server; content:"/idx.aspx?sid="; http_uri; content:"&bcOrigin="; http_uri; content:"&rnd="; http_uri; distance:0; classtype:exploit-kit; sid:2022752; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_21, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ADWARE_PUP Windows executable sent when remote host claims to send an image M3"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| image/png"; pcre:"/^(?:(?!\r?\n\r?\n).)*?\r?\n\r?\nMZ/Rs"; content:"!This program"; distance:0; fast_pattern; classtype:pup-activity; sid:2023750; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2017_12_21;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED Possible GRANT TO SQL Injection Attempt"; flow:established,to_server; content:"GRANT"; nocase; http_uri; content:"TO"; nocase; http_uri; pcre:"/GRANT.{1,5}TO/Ui"; reference:url,beginner-sql-tutorial.com/sql-grant-revoke-privileges-roles.htm; classtype:web-application-attack; sid:2013068; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image M4"; flow:established,from_server; http_content_type; content:"image/jpeg"; depth:10; isdataat:!1,relative; file_data; content:"This program must be run under Win"; within:125; fast_pattern; classtype:trojan-activity; sid:2025161; rev:2; metadata:created_at 2017_12_21, former_category TROJAN, updated_at 2017_12_21;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object Instantiation Memory Corruption Vulnerability MS05-054"; flow:established,from_server; pcre:"/000(2(042[1-5]|1401|000D)|6F071)-0000-0000-C000-000000000046|6E2271(FB|0[9A-F])-F799-11CF-9227-00AA00A1EB95|ECAB(AFC0|B0AB)-7F19-11D2-978E-0000F8757E2A|3050F4F5-98B5-11CF-BB82-00AA00BDCE0B|DF0B3D60-548F-101B-8E65-08002B2BD119|2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64|51B4ABF3-748F-4E3B-A276-C828330E926A|E4979309-7A32-495E-8A92-7B014AAD4961|62EC9F22-5E30-11D2-97A1-00C04FB6DD9A|B1D4ED44-EE64-11D0-97E6-00C04FC30B4A|D675E22B-CAE9-11D2-AF7B-00C04F99179F/i"; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx; reference:url,doc.emergingthreats.net/2002725; classtype:web-application-attack; sid:2002725; rev:14; metadata:created_at 2010_07_30, updated_at 2016_04_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2017-12-26"; flow:established,to_client; file_data; content:"&Rho|3b|ay&Rho|3b|aI</title>"; within:200; classtype:social-engineering; sid:2025173; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Suspicious User-Agent Beginning with digits - Likely spyware/trojan"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| "; content:!"|0d 0a|User-Agent|3a| Mozilla/"; pcre:"/^\d+/V"; content:!"liveupdate.symantecliveupdate.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2010697; classtype:trojan-activity; sid:2010697; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible YapiKredi Bank (TR) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Bireysel|20 c4 b0|nternet|20 c5 9e|ubesi|20 7c 20|Yap|c4 b1 20|Kredi</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2024583; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_16, deployment Internet, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 27 2016"; flow:established,from_server; flowbits:isset,ET.WordJS; content:"Content-Type|3a 20|text/html|3b 20|charset=utf-8|0d 0a|"; http_header; file_data; content:"<iframe"; within:7; fast_pattern; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:exploit-kit; sid:2022771; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_27, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a a known malware domain (sektori. org)"; flow: to_server,established; content:"sektori.org|0D 0A|"; http_header; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014571; rev:7; metadata:created_at 2012_04_16, former_category TROJAN, updated_at 2018_01_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - TDS"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:attempted-user; sid:2015665; rev:3; metadata:created_at 2012_08_29, updated_at 2016_04_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-03"; flow:from_server,established; file_data; content:"L&#959|3b|g|20|in|20|t&#959|3b 20|y&#959|3b|ur|20|&Rho|3b|ay&Rho|3b|aI|20|acc&#959|3b|unt"; nocase; depth:300; classtype:social-engineering; sid:2025181; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_03;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blizzard Downloader"; flow: established,to_server; content: "User-Agent|3a| Blizzard Downloader"; nocase; reference:url,www.worldofwarcraft.com/info/faq/blizzarddownloader.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002855; classtype:policy-violation; sid:2002855; rev:8; metadata:created_at 2010_07_30, updated_at 2016_04_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Malicious Authline Seen After CVE-2017-10271 Exploit"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|4AQe5sAFWZKECiaeNTt59LG7kVtqRoSRJMjrmQ6GiMFAeUvoL3MFeTE6zwwHkFPrAyNw2JHDxUSWL82RiZThPpk4SEg7Vqe|22 2c 20 22|"; distance:0; reference:url,otx.alienvault.com/pulse/5a4e1c4993199b299f90a212; classtype:coin-mining; sid:2025186; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, deployment Datacenter, former_category COINMINER, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2018_01_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED String Replace in PDF File, Likely Hostile"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:".replace|28|"; nocase; reference:url,www.w3schools.com/jsref/jsref_replace.asp; classtype:bad-unknown; sid:2011504; rev:6; metadata:created_at 2010_09_27, updated_at 2016_05_03;)
+alert tcp $EXTERNAL_NET 20000: -> $HOME_NET 1024: (msg:"ET MALWARE Sourtoff Receiving Simda Payload"; flow:established,from_server; flowbits:isset,ET.TROJAN.Sourtoff; dsize:1300<>1500; content:"|0a c0|"; depth:2; reference:md5,5469af0daa10f8acbe552cd2f1f6a6bb; classtype:trojan-activity; sid:2019313; rev:3; metadata:created_at 2014_09_29, former_category TROJAN, updated_at 2018_01_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED server negative Content-Length attempt"; flow:from_server,established; content:"Content-Length|3A| -"; nocase; http_header; reference:cve,2004-0492; reference:url,www.guninski.com/modproxy1.html; classtype:attempted-admin; sid:2102580; rev:13; metadata:created_at 2010_09_23, updated_at 2016_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE WSO - WebShell Activity - WSO Title"; flow:established,to_client; file_data; content:"<title>"; content:" - WSO "; fast_pattern; distance:0; content:"</title>"; distance:0; classtype:attempted-user; sid:2015905; rev:3; metadata:created_at 2012_11_21, former_category CURRENT_EVENTS, updated_at 2018_01_08;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED FedEX Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|FedEX_"; nocase; classtype:trojan-activity; sid:2011979; rev:3; metadata:created_at 2010_11_24, updated_at 2016_05_04;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_enumerrorlogs access"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|e|00|r|00|r|00|o|00|r|00|l|00|o|00|g|00|s|00|"; nocase; reference:url,doc.emergingthreats.net/2010001; classtype:attempted-user; sid:2010001; rev:4; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2018_01_09;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 0b|"; content:"|16|SomeOrganizationalUnit"; distance:1; within:23; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|0c|root@ua7.com"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022795; rev:2; metadata:attack_target Client_and_Server, created_at 2016_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_readerrorlogs access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|a|00|d|00|e|00|r|00|r|00|o|00|r|00|l|00|o|00|g|00|s|00|"; nocase; reference:url,doc.emergingthreats.net/2010002; classtype:attempted-user; sid:2010002; rev:5; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2018_01_09;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|microurl.bit"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022796; rev:2; metadata:attack_target Client_and_Server, created_at 2016_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_enumdsn access"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|d|00|s|00|n|00|"; nocase; reference:url,doc.emergingthreats.net/2010003; classtype:attempted-user; sid:2010003; rev:5; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2018_01_09;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Ursnif Injects)"; flow:from_server,established; content:"|55 04 03|"; content:"|16|allowherebarbclient.me"; distance:1; within:23; classtype:domain-c2; sid:2022799; rev:2; metadata:attack_target Client_and_Server, created_at 2016_05_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download Non-HTTP"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; app-layer-protocol:!http; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2000419; rev:24; metadata:created_at 2010_07_30, former_category POLICY, performance_impact Significant, updated_at 2018_01_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Router DNS Changer Apr 07 2015 M2"; flow:established,from_server; file_data; content:"|22 5c 78 35 32 5c 78 35 34 5c 78 34 33 5c 78 35 30 5c 78 36 35 5c 78 36 35 5c 78 37 32 5c 78 34 33 5c 78 36 46 5c 78 36 45 5c 78 36 45 5c 78 36 35 5c 78 36 33 5c 78 37 34 5c 78 36 39 5c 78 36 46 5c 78 36 45 22|"; content:!"vidzi.tv|0d 0a|"; reference:url,malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html; classtype:exploit-kit; sid:2020896; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_13, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (holidayapartments4you. com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|15|holidayapartments4you|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021645; rev:3; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-alert tcp $HOME_NET any -> any !6666:7000 (msg:"ET POLICY IRC DCC file transfer request on non-std port"; flow:to_server,established; content:"PRIVMSG "; depth:8; content:" |3a|.DCC SEND"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000349; classtype:non-standard-protocol; sid:2000349; rev:13; metadata:created_at 2010_07_30, updated_at 2016_05_12;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (euro-rafting.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|euro-rafting|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021646; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK May 13 2016"; flow:established,from_server; file_data; content:"|3c 74 69 74 6c 65 3e 53 65 61 72 63 68 3c 2f 74 69 74 6c 65 3e|"; content:"|23 6c 6c 6c 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d|"; fast_pattern; content:"|3c 64 69 76 20 69 64 3d 22 6c 6c 6c 22 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; classtype:exploit-kit; sid:2022805; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_05_13, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (holidayapartments-Paris.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|17|holidayapartments-Paris|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021647; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)"; flow:from_server,established; content:"|60 89 e5 31|"; content:"|64 8b|"; distance:1; within:2; content:"|30 8b|"; distance:1; within:2; content:"|0c 8b 52 14 8b 72 28 0f b7 4a 26 31 ff|"; distance:1; within:13; content:"|ac 3c 61 7c 02 2c 20 c1 cf 0d 01 c7 e2|"; within:15; content:"|52 57 8b 52 10|"; distance:1; within:5; classtype:trojan-activity; sid:2025644; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_05_16, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category TROJAN, signature_severity Critical, tag Metasploit, updated_at 2018_07_10;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (paris-holidayapartments.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|17|paris-holidayapartments|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021648; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Taplika Browser Hijacker Status Messages"; flow:established,to_server; content:".php?context="; fast_pattern; http_uri; content:"&status="; http_uri; distance:0; content:"&sesid="; http_uri; distance:0; content:"&iid="; http_uri; distance:0; content:"&cd="; http_uri; distance:0; content:"&cr="; http_uri; distance:0; reference:md5,02aa7a5e3a78f1a50ae5f72519787bb9; reference:url,malwaretips.com/blogs/remove-taplika-virus/; classtype:trojan-activity; sid:2022808; rev:2; metadata:created_at 2016_05_16, former_category MALWARE, updated_at 2018_03_14;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (franceholidayapartments.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|17|franceholidayapartments|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021649; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Taplika Browser Hijacker Checkin M1"; flow:established,to_server; content:".php?a="; fast_pattern; http_uri; content:"&cd="; http_uri; distance:0; content:"&cr="; http_uri; distance:0; content:"&ir="; http_uri; distance:0; reference:md5,02aa7a5e3a78f1a50ae5f72519787bb9; reference:url,malwaretips.com/blogs/remove-taplika-virus/; classtype:trojan-activity; sid:2022809; rev:2; metadata:created_at 2016_05_16, former_category MALWARE, updated_at 2018_03_14;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (apartmentsin-paris.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|apartmentsin-paris|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021650; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Taplika Browser Hijacker Checkin M2"; flow:established,to_server; content:"/?f="; depth:4; http_uri; fast_pattern; content:"&a="; http_uri; distance:0; content:"&cd="; http_uri; distance:0; content:"&cr="; http_uri; distance:0; content:"&ir="; http_uri; distance:0; reference:md5,02aa7a5e3a78f1a50ae5f72519787bb9; reference:url,malwaretips.com/blogs/remove-taplika-virus/; classtype:trojan-activity; sid:2022810; rev:2; metadata:created_at 2016_05_16, former_category MALWARE, updated_at 2018_03_14;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (raftingholiday.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|raftingholiday|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021651; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Upatre SSL Cert venturesonsite.com"; flow:established,from_server; content:"|55 04 03|"; content:"|12|venturesonsite.com"; distance:1; within:19; reference:md5,ef88df67a0bcb872143543ebad0ba91d; classtype:trojan-activity; sid:2019077; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (eurorafting-tr.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|eurorafting-tr|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021652; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|17|private@sysprivpop.lkdd"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022736; rev:4; metadata:attack_target Client_and_Server, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (turkeyextremerafting.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|turkeyextremerafting|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021653; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET ATTACK_RESPONSE Possible CVE-2016-1287 Inbound Reverse CLI Shellcode"; flow:to_server; content:"|ff ff ff|tcp/CONNECT/3/"; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}\/\d+\x00$/Ri"; reference:url,raw.githubusercontent.com/exodusintel/disclosures/master/CVE_2016_1287_PoC; classtype:attempted-admin; sid:2022819; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (raftingtours-turkey.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|raftingtours-turkey|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021654; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT CVE-2016-1287 Public Exploit ShellCode"; content:"|60 c7 02 90 67 b9 09 8b 45 f8 8b 40 5c 8b 40 04 8b 40 08 8b 40 04 8b 00 85 c0 74 3b 50 8b 40 08 8b 40 04 8d 98 d8 00 00 00 58 81 3b d0 d4 00 e1 75 e4 83 7b 04 31 74 de 89 d8 2d 00 01 00 00 c7 40 04 03 01 00 00 c7 40 0c d0 00 00 00 c7 80 f8|"; reference:url,github.com/exodusintel/disclosures/blob/master/CVE_2016_1287_PoC; classtype:attempted-admin; sid:2022820; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (divextreme-ar.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|divextreme-ar|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021655; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ZeuS CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|basey.ru"; distance:1; within:10; classtype:domain-c2; sid:2022833; rev:2; metadata:attack_target Client_and_Server, created_at 2016_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (crazy-jump.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|crazy-jump|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021656; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.Win32.Agent.bay Variant Covert Channel (VERSONEX)"; flow:established,to_server; content:"VERSONEX|3a|"; depth:9; fast_pattern; byte_test:1,>=,0x30,0,relative; byte_test:1,<=,0x39,0,relative; content:"|7c|"; distance:1; within:1; reference:md5,f80af2735fdad5fe14defc4f1df1cc30; classtype:trojan-activity; sid:2020978; rev:2; metadata:created_at 2015_04_23, updated_at 2015_04_23;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (dive-extreme.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|dive-extreme|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021657; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible CryptXXX Ransomware Renaming Encrypted File SMB v1 Unicode"; flow:to_server,established; content:"|ff|SMB|07|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|00|.|00|c|00|r|00|y|00|p|00|t|00 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022838; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_05_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (tandemskydive-ar.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tandemskydive-ar|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021658; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible CryptXXX Ransomware Renaming Encrypted File SMB v1 ASCII"; flow:to_server,established; content:"|ff|SMB|07|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:".crypt|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022839; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_05_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (groupdive. com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|groupdive|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021659; rev:3; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Hawkeye Keylogger SMTP Beacon"; flow:established,to_server; content:"Subject|3a 20|"; content:"SGF3a0V5ZSBLZXlsb2dnZXIg"; within:45; reference:md5,dfc2c23663122ac9fc25b708f278c147; classtype:trojan-activity; sid:2021871; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (skydivelessons.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|skydivelessons|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021660; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing May 31 2016"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"value=|22|#ffffff|22|"; nocase; content:"<html>"; pcre:"/^\s*?<body>\s*?<object(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)\x22/Rsi"; content:"</object>"; distance:0; pcre:"/^\s*?<\/body>\s*?\s*?<\/html>\s*?$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025043; rev:2; metadata:created_at 2016_05_31, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (bungee4you-br.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|bungee4you-br|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021661; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Kovter Client CnC Traffic"; flow:established,to_server; dsize:4<>256; content:!"HTTP"; content:"|00 00 00|"; offset:1; depth:3; pcre:"/^[\x11\x21-\x26\x41\x45\x70-\x79]/R"; content:!"|00 00|"; distance:0; byte_jump:1,0,from_beginning,post_offset 3; isdataat:!2,relative; pcre:!"/\x00$/"; reference:url,symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update; classtype:command-and-control; sid:2022861; rev:1; metadata:created_at 2016_06_06, former_category MALWARE, updated_at 2016_06_06;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (brazil-crazybungee.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|brazil-crazybungee|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021662; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 20222 (msg:"ET SCADA CitectSCADA ODBC Overflow Attempt"; flow:established,to_server; dsize:4; byte_test:4,>,399,0; reference:cve,2008-2639; reference:url,www.digitalbond.com/index.php/2008/09/08/ids-signature-for-citect-vuln/; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; classtype:attempted-user; sid:2008542; rev:8; metadata:created_at 2010_07_30, updated_at 2016_06_07;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (bungeejumping-br.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bungeejumping-br|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021663; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|tda-au.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022877; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (groupbungee-br.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|groupbungee-br|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021664; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|forevery0ung.bit"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022878; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (divextreme-au.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|divextreme-au|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021665; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 9e 99 a3 02 bc 7d 3f 4e|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|10|www.undernet.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022879; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (crazyjump-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|crazyjump-uy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021666; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 06|"; pcre:"/^.\x02[A-Z]{2}/Rs"; content:"|55 04 08|"; distance:0; pcre:"/^.\x02[A-Z]{2}/Rs"; content:"|55 04 07|"; distance:0; pcre:"/^.{2}[A-Z][a-z]+(?:\x20[A-Z][a-z]+)?[01]/Rs"; content:"|55 04 09|"; fast_pattern; distance:0; pcre:"/^.{2}\d{2,3}(?:\x20[A-Z][a-z]+\.?){1,3}[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|55 04 0b|"; distance:0; content:"|55 04 03|"; distance:0; pcre:"/^.(.[a-z]{4,12}\.(?:us|org|net|biz|info|mobi|com)[01]).*?\x55\x04\x03.\1/Rs"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022868; rev:4; metadata:attack_target Client_and_Server, created_at 2016_06_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (stuntjumps.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|stuntjumps|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021667; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e5 51 a8 51 66 e3 5c 7d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022880; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (tandemskydive-au.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tandemskydive-au|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021668; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1714 (msg:"ET MALWARE Qarallax RAT Keepalive C2 (set)"; flow:to_server,established; content:"|00 00 09 00 00 00 00 00 00 00|"; depth:10; threshold:type both, track by_src, count 5, seconds 30; flowbits:set,ET.qarallax; flowbits:noalert; reference:md5,cf178c55c0572d8fea89137c62afdc98; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; classtype:command-and-control; sid:2022882; rev:1; metadata:created_at 2016_06_08, former_category MALWARE, updated_at 2016_06_08;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (groupdive-au.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|groupdive-au|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021669; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-alert tcp $EXTERNAL_NET 1714 -> $HOME_NET any (msg:"ET MALWARE Qarallax RAT Keepalive C2"; flow:from_server,established; flowbits:isset,ET.qarallax; content:"|00 00 0c 00 00 00 00 00 00 00|"; depth:10; threshold:type both, track by_src, count 5, seconds 30; reference:md5,cf178c55c0572d8fea89137c62afdc98; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; classtype:command-and-control; sid:2022883; rev:1; metadata:created_at 2016_06_08, former_category MALWARE, updated_at 2016_06_08;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (au-skydivelessons.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|au-skydivelessons|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021670; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M0"; flow:established,to_server; urilen:40<>65; content:"0"; http_uri; offset:40; depth:15; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])0(?:(?P=sep)|\d)*?$/Ui"; classtype:exploit-kit; sid:2020995; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (bungee4you-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|bungee4you-uy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021671; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M1"; flow:established,to_server; urilen:40<>65; content:"1"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])1(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2020996; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (uruguay-crazybungee.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|uruguay-crazybungee|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021672; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M2"; flow:established,to_server; urilen:40<>65; content:"2"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])2(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2020997; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (bungeejumping-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bungeejumping-uy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021673; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M5"; flow:established,to_server; urilen:40<>65; content:"5"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])5(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2021000; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (groupbungee-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|groupbungee-uy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021674; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M6"; flow:established,to_server; urilen:40<>65; content:"6"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])6(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2021001; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (circlesofourlives-ir.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|circlesofourlives-ir|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021675; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M7"; flow:established,to_server; urilen:40<>65; content:"7"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])7(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2021002; rev:4; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (clickflowers-hk.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|clickflowers-hk|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021676; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M8"; flow:established,to_server; urilen:40<>65; content:"8"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])8(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2021003; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (cropcirclestours.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cropcirclestours|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021677; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M9"; flow:established,to_server; urilen:40<>65; content:"9"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])9(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2021004; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (irelancropcircles.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|irelancropcircles|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021678; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Redkit Java Exploit request to .class file"; flow:established,to_server; content:".class"; http_uri; pcre:"/\/\w{1,2}\/\w{1,2}\.class$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014830; rev:3; metadata:created_at 2012_05_30, updated_at 2016_06_10;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (ir-cool.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|ir-cool|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021679; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; content:"bgcolor"; content:"<html>"; pcre:"/^\s*?<body>(?:\s*<\/?[^\s\x2f>]+>\s*)*\s*?<object(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value=\x22#[a-f0-9]{6}\x22[^>]*?>\s*?\n\s*?<param(?=[^>]*?name\s*?=\s*?\x22allowScriptAccess\x22)[^>]*?value=\x22always\x22[^>]*?>\s*?\n\s*?).{1,1000}?\s<\/object>\s+<\/body>\s+<\/html>\s*$/Rs"; content:" name"; pcre:"/^\s*=\s*(?P<var1>[\x22\x27][a-z]+[\x22\x27]).+?\sid\s*=\s*(?P=var1)/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025044; rev:2; metadata:created_at 2016_06_11, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (magnificentcircles.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|magnificentcircles|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021680; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M2"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"|3c 2f 73 63 72 69 70 74 3e 0a 3c 6f 62 6a 65 63 74|"; within:150; pcre:"/^(?=[^\r\n]*d27cdb6e-ae6d-11cf-96b8-444553540000)[^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P<var>[a-z]+)[\x22\x27][^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P=var)[\x22\x27][^\r\n]*>[\r\n]+(?P<spc>\s+)<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22bgcolor\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22allowScriptAccess\x22)[^\r\n]*>[\r\n]+(?P=spc)<embed(?=[^\r\n]*\ssrc\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27])[^\r\n]+[\r\n]*<\/object>\s*<\/body>\s*<\/html>\s*$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025045; rev:2; metadata:created_at 2016_06_12, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (china-flowershop.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|china-flowershop|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021681; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|brutus.neuronio.pt"; distance:1; within:19; content:"|0c|sampo@iki.fi"; distance:0; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021521; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (hongkong-bouquets.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|hongkong-bouquets|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021682; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome Pdfium JPEG2000 Heap Overflow"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"stream"; content:"|00 00 00 0c 6a 50 20 20 0d 0a 87 0a|"; distance:0; content:"|00 00 00 00 6a 70 32 63 ff 4f|"; distance:0; content:"|ff 51|"; within:200; content:"|00 00 ff|"; distance:36; within:3; byte_test:1,>,0x51,0,relative; byte_test:1,<,0x94,0,relative; pcre:"/^[\x52\x5c\x64\x65\x90\x93]/R"; classtype:bad-unknown; sid:2022890; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_06_13, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (beautifuldaisies.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|beautifuldaisies|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021683; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Botnet Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; content:!"Referer|3a|"; http_header; content:"data="; nocase; http_client_body; depth:5; content:"ew0KCSJhZGRyZXNzIiA6"; fast_pattern; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; classtype:command-and-control; sid:2022891; rev:2; metadata:created_at 2016_06_13, former_category MALWARE, updated_at 2016_06_13;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (rosesinchina.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|rosesinchina|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021684; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Veritas backupexec_agent exploit"; flow:to_server,established; content:"|00 00 00 00 00 00 09 01|"; offset:12; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; byte_jump: 4, 32; byte_test: 4,>,3000,0,relative; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,doc.emergingthreats.net/bin/view/Main/2002065; reference:cve,2004-1172; classtype:misc-attack; sid:2002065; rev:8; metadata:created_at 2010_07_30, updated_at 2016_06_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing 2018-01-12"; flow:from_server,established; file_data; content:"var ListEntries"; nocase; content:"|27 2e 2a 66 75 63 6b 2e 2a 27 2c|"; within:50; content:"|27 2e 2a 70 75 73 73 79 2e 2a 27 2c|"; distance:0; content:"|27 2e 2a 6e 69 63 65 2e 2a 74 72 79 2e 2a 27|"; distance:0; classtype:social-engineering; sid:2025685; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL DELETED WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; reference:bugtraq,11763; reference:cve,2004-1080; reference:url,www.immunitysec.com/downloads/instantanea.pdf; reference:url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx; classtype:misc-attack; sid:2103017; rev:8; metadata:created_at 2010_09_23, updated_at 2016_06_14;)
+alert dns $HOME_NET any -> [82.163.143.135,82.163.142.137] any (msg:"ET MALWARE OSX/Mami Possible DNS Query to Evil DNS Server"; threshold:type limit, track by_src, count 1, seconds 60; reference:md5,8482fc5dbc6e00da151bea3eba61e360; reference:url,objective-see.com/blog/blog_0x26.html; classtype:trojan-activity; sid:2025200; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_01_16, deployment Perimeter, former_category TROJAN, malware_family Mami, performance_impact Moderate, signature_severity Major, updated_at 2018_01_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Hidden Javascript Redirect - Possible Phishing Jun 17"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|application/x-javascript"; http_header; file_data; content:"data_receiver_url"; fast_pattern; nocase; content:"redirect_url"; nocase; distance:0; content:"current_page"; nocase; distance:0; content:"cc_data"; nocase; distance:0; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*location\s*\.\s*href\s*=\s*redirect_url/Rsi"; reference:url,myonlinesecurity.co.uk/very-unusual-paypal-phishing-attack/; classtype:social-engineering; sid:2022905; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_06_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Dropbox"; nocase; within:25; content:"Select Your Email Provider"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025206; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE JKDDOS Bot CnC Phone Home Message"; dsize:<510; flow:established,to_server; content:"|10 00 00 00|Windows|20|"; depth:12; reference:md5,d6b3baae9fb476f0cf3196e556cab348; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry/; classtype:command-and-control; sid:2012892; rev:3; metadata:created_at 2011_05_31, former_category MALWARE, updated_at 2011_05_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Chase"; nocase; within:25; content:"WYSIWYG Web Builder"; nocase; distance:0; content:"folling information about yourself"; nocase; fast_pattern; classtype:social-engineering; sid:2025207; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
 
-#alert tcp $EXTERNAL_NET [443,465,993,995,25] -> $HOME_NET any (msg:"ET CURRENT_EVENTS excessive fatal alerts (possible POODLE attack against client)"; flow:from_server,established; ssl_version:sslv3; content:"|15 03 00 00|"; depth:4; byte_jump:2,3,post_offset -1; isdataat:!2,relative; threshold:type both, track by_dst, count 50, seconds 300; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019417; rev:4; metadata:created_at 2014_10_15, updated_at 2016_06_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:"background-color|3a 20|rgb(235, 60, 0)"; fast_pattern; nocase; within:200; content:"$Config={|22|scid|22 3a|"; nocase; distance:0; content:"secure.aadcdn.microsoftonline-p.com"; nocase; distance:0; content:"<title"; nocase; distance:0; content:"Sign in to your account"; nocase; within:50; classtype:social-engineering; sid:2025208; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LoadMoney User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|Downloader 18.7|0d 0a|"; http_header; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2022911; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category MALWARE, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2017_04_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:"<title>Chase"; nocase; fast_pattern; content:"googlebot|22 20|content=|22|noindex"; nocase; distance:0; content:"function unhideBody()"; nocase; distance:0; content:"type=|22|password"; nocase; distance:0; classtype:social-engineering; sid:2025210; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M2"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"<script>"; within:500; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>\s*<object(?=[^\r\n]*d27cdb6e-ae6d-11cf-96b8-444553540000)[^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P<var>[a-z]+)[\x22\x27][^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P=var)[\x22\x27][^\r\n]*>[\r\n]+(?P<spc>\s+)<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22bgcolor\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22allowScriptAccess\x22)[^\r\n]*>[\r\n]+(?P=spc)<embed(?=[^\r\n]*\ssrc\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27])[^\r\n]+[\r\n]*<\/object>\s*<\/body>\s*<\/html>\s*$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025046; rev:2; metadata:created_at 2016_06_24, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-01-18 M1"; flow:established,to_client; file_data; content:"<title>Bank of America"; nocase; fast_pattern; content:"WYSIWYG Web Builder"; nocase; within:200; content:"Untitled1.css"; nocase; within:300; classtype:social-engineering; sid:2025211; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
 
-alert udp any 67 -> any 68 (msg:"ET INFO Web Proxy Auto Discovery Protocol WPAD DHCP 252 option Possible BadTunnel"; content:"|02|"; depth:1; content:"|fc|"; byte_jump:1,0,relative,post_offset -9; content:"/wpad.dat"; within:9; fast_pattern; classtype:protocol-command-decode; sid:2022915; rev:1; metadata:created_at 2016_06_24, updated_at 2016_06_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-01-18 M2"; flow:established,to_client; file_data; content:"<title>Confirm Your Account"; nocase; fast_pattern; content:"WYSIWYG Web Builder"; nocase; within:200; content:"Untitled1.css"; nocase; distance:0; classtype:social-engineering; sid:2025212; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 d9 0c 85 30 1c bb ac a0|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022920; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Chase Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>chase online - confirm</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2025213; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|lobemaintaty.space"; fast_pattern; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022921; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-18 M2"; flow:established,to_client; file_data; content:"<title>Log in to your PayPal account</title>"; fast_pattern; nocase; content:"<form action=|22|webscr.php?cmd=_"; nocase; distance:0; classtype:social-engineering; sid:2025215; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2018_01_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2209 Symantec PowerPoint Parsing Buffer Overflow M1"; flow:established,from_server; file_data; content:"|C8 6A CD E5 F1 2C B0 16 E6 F2 36 7B 41 2E 7F 4B C4 27 13 CF F3 1F FF 2B A8 2B 3A FE 09 77 BE CE 29 00 00 BA 0F 91 03 00 00|"; content:!"|00 00|"; distance:503; within:2; content:"|00 00 BA 0F 16 01 00 00|"; distance:913; within:8; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022923; rev:2; metadata:created_at 2016_06_29, updated_at 2016_06_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Questionnaire Phishing Landing 2018-01-19"; flow:established,to_client; file_data; content:"<title>Questionnaire</title>"; nocase; fast_pattern; content:"assets/css/theDocs.all.min.css"; nocase; distance:0; content:"<h3>DOCUMENT MANAGEMENT SYSTEM"; distance:0; classtype:social-engineering; sid:2025226; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2209 Symantec PowerPoint Parsing Buffer Overflow M2"; flow:established,from_server; file_data; content:"|C8 6A CD E5 F1 2C B0 16 E6 F2 36 7B 41 2E 7F 4B C4 27 13 CF F3 1F FF 2B A8 2B 3A FE 09 77 BE CE 29 00 00 BA 0F A9 03 00 00|"; content:!"|00 00|"; distance:50; within:2; content:"|00 00 BA 0F 2E 01 00 00|"; distance:937; within:8; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022924; rev:2; metadata:created_at 2016_06_29, updated_at 2016_06_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email Verification/Upgrade Phishing Landing 2018-01-22"; flow:established,to_client; file_data; content:"<title>Email Verification</title>"; nocase; fast_pattern; content:"Sign in to upgrade your mailbox"; nocase; distance:0; content:"Mail Admin"; nocase; distance:0; classtype:social-engineering; sid:2025229; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow"; flow:established,from_server; file_data; content:"|4d 53 43 46|"; depth:4; byte_jump:4,8,little; isdataat:1; reference:cve,2016-2211; reference:cve,CVE-2014-9732; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022930; rev:2; metadata:created_at 2016_06_30, updated_at 2016_06_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Multiple Javascript Unescapes - Common Obfuscation Observed in Phish Landing"; flow:established,to_client; file_data; content:"document.write(unescape"; fast_pattern; nocase; within:100; content:"document.write(unescape"; nocase; distance:0; content:"document.write(unescape"; nocase; distance:0; classtype:social-engineering; sid:2025231; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2018_01_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M2"; flow:established,to_client; file_data; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022932; rev:2; metadata:created_at 2016_06_30, updated_at 2016_06_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email Server Mobile Security Settings Phishing Landing 2018-01-22"; flow:established,to_client; file_data; file_data; content:"<html>|0d 0a 0d 0a|<script type=|22|text/javascript|22|>|0d 0a|<!--|0d 0a|document.write"; within:100; nocase; content:"3c%68%65%61%64%3e%0d%0a%0d%0a%3c%74%69%74%6c%65%3e%45%6d%61%69%6c%20%53%65%72%76%65%72"; distance:0; content:"<input type=|22|hidden|22 20|name=|22|login|22 20|value=|22|"; nocase; distance:0; content:"User ID|3a 20|<font face=|22|verdana|22 20|size=|22|2|22 20|color=|22|#000000|22|"; nocase; distance:0; classtype:social-engineering; sid:2025232; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M1"; flow:established,to_client; file_data; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022933; rev:2; metadata:created_at 2016_06_30, updated_at 2016_06_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>&#68|3b|&#114|3b|&#111|3b|&#112|3b|&#98|3b|&#111|3b|&#120|3b|</title>"; nocase; within:300; classtype:social-engineering; sid:2025233; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_22;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 cf 74 72 c9 4e 72 20 e4|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|AU"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022943; rev:2; metadata:attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Blocked Incoming Emails Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"<title>Retrieval Error</title>"; nocase; fast_pattern; content:"onload=|22|populate()"; nocase; distance:0; content:"<input id=|22|Password|22 20|name=|22|Password"; nocase; distance:0; classtype:social-engineering; sid:2025242; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_22;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,from_server; content:"|09 00 f8 f1 74 46 04 c2 a4 42|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022944; rev:2; metadata:attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ABSA Online Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"setTimeout(function(){top.window.location"; nocase; fast_pattern; content:"<title"; nocase; within:150; content:"Absa Online"; nocase; within:50; classtype:social-engineering; sid:2025243; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Rockloader)"; flow:established,from_server; content:"|55 04 03|"; content:"|55 04 03|"; content:"|08|server29"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022945; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"<title>Facebook</title>"; nocase; content:"Login with Facebook"; nocase; distance:0; content:"Hosted on free web hosting 000webhost.com"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025245; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Zeus C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1e|7yh0mdze6ztr7erew835im3w8.info"; fast_pattern; distance:1; within:31; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022946; rev:2; metadata:attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LCL Banque et Assurance (FR) Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"<title"; nocase; content:"La Banque Postale|20 e2 80 93 20|La Banque Postale"; fast_pattern; within:80; nocase; content:"background-color|3a 20|#FFFFFF|3b|"; nocase; distance:0; classtype:social-engineering; sid:2025246; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Landing Jul 04 2016 M1"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; content:"name"; pcre:"/^\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"|62 5f 39 34 38 38 33 66 36 34 35 33 31 65 65 37 62 31 37 61 37 33 62 38 32 33 66 5f 63 31 61 36 63 63 36 36 37 65|"; fast_pattern; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025049; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-25"; flow:established,to_client; file_data; content:"security is our top priority"; nocase; content:"Use us wherever you pay"; fast_pattern; nocase; distance:0; content:"onsubmit=|22|return checkform(this)|3b 22|"; nocase; distance:0; content:"function checkform"; nocase; distance:0; content:"style.backgroundColor=|22|#FF6A6A|22|"; nocase; distance:0; classtype:social-engineering; sid:2025247; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Landing Jul 04 2016 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; content:"name"; pcre:"/^\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"|3c 68 31 3e 62 6c 61 63 6b 62 6f 78 3c 2f 68 31 3e|"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025050; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multi-Email Popupwnd Phishing Landing 2018-01-25"; flow:established,to_client; file_data; content:"function popupwnd(url, "; fast_pattern; nocase; content:"var popupwindow = this.open(url"; nocase; distance:0; content:"your email provider"; nocase; distance:0; content:"'no','no','no','no','no'"; nocase; distance:0; classtype:social-engineering; sid:2025248; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Landing Jul 04 2016 M3"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; content:"name"; pcre:"/^\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"value"; pcre:"/^\s*=\s*[\x22\x27]\/[^\x22\x27]*\.html\.swf[\x22\x27]/R"; content:".html.swf"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025051; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multi-Email Phishing Landing 2018-01-25"; flow:established,to_client; file_data; content:"<title"; nocase; content:"View Document"; nocase; within:30; content:"<a href=|22|eciffo365.php"; nocase; fast_pattern; distance:0; content:"<a href=|22|kooltuo.php"; nocase; distance:0; classtype:social-engineering; sid:2025249; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Payload Jul 05 2016"; flow:established,from_server; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:exploit-kit; sid:2022949; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2016_07_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing 2018-01-25"; flow:established,to_client; file_data; content:"<title>Sign in to your account"; nocase; fast_pattern; content:"function LoginErrors(){this.userNameFormatError"; nocase; within:300; classtype:social-engineering; sid:2025250; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M3"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; fast_pattern:only; content:"<object"; content:"  <param"; distance:0; pcre:"/^[^>]*name\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"movie"; content:"value"; pcre:"/^\s*=\s*[\x22\x27]\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)[\x22\x27]/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025047; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to Hamas Terrorist Propaganda TV Channel (aqsatv .ps)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|aqsatv|02|ps|00|"; nocase; distance:0; fast_pattern; classtype:policy-violation; sid:2023873; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_02_06, cve url_nctc_gov_site_groups_hamas_html, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (H1N1 C2 or Zeus Panda C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|huhu.com"; fast_pattern; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022922; rev:3; metadata:attack_target Client_and_Server, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP overflow Media Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013077; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_06_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jul 7"; flow:to_server,established; content:"GET"; http_method; content:".dill/?ip="; fast_pattern; nocase; http_uri; content:"&os="; http_uri; nocase; distance:0; content:"&browser="; http_uri; nocase; distance:0; content:"&isp="; http_uri; nocase; distance:0; classtype:social-engineering; sid:2022954; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_07, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP exploit"; flow:established,to_server; content:"/pch.php?f="; http_uri; pcre:"/pch\.php\?f=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013548; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate Detected (Bancos C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|US"; distance:1; within:4; content:"|55 04 08|"; content:"|02|FL"; distance:1; within:4; content:"|55 04 07|"; content:"|05|Miami"; distance:1; within:7; fast_pattern; content:"|55 04 0a|"; content:"|08|Business"; distance:1; within:10; reference:md5,e89ff40a8832cd27d2aae48ff7cd67d2; reference:url,malware-traffic-analysis.net/2016/06/09/index2.html; classtype:domain-c2; sid:2022888; rev:3; metadata:attack_target Client_and_Server, created_at 2016_06_10, deployment Perimeter, former_category MALWARE, malware_family Bancos, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2018_04_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP exploit 2"; flow:established,to_server; content:"/hcp_vbs.php?f="; http_uri; pcre:"/hcp_vbs\.php\?f=\d+&d=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013549; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zango-Hotbar User-Agent (zb-hb)"; flow:to_server,established; content:"zb-hb-"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+zb-hb-/Hi"; reference:url,doc.emergingthreats.net/2003223; classtype:trojan-activity; sid:2003223; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential Blackhole Exploit Pack Binary Load Request 2"; flow:established,to_server; content:".php?e="; fast_pattern; nocase; http_uri; content:"&f="; nocase; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; http_header; content:"Host|3a|"; http_header; distance:0; pcre:"/\.php\?e=\w+&f=\w+$/U"; flowbits:set,et.exploitkitlanding; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; classtype:bad-unknown; sid:2013550; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_08, deployment Perimeter, former_category TROJAN, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Halberd Load Balanced Webserver Detection Scan"; flow:to_server,established; content:"Pragma|3a| no-cache"; http_header; content:"Firefox/1.0.3"; http_header; fast_pattern; offset:40; depth:40; threshold: type threshold, track by_src, count 40, seconds 15; reference:url,www.halberd.superadditive.com; reference:url,doc.emergingthreats.net/2008536; classtype:attempted-recon; sid:2008536; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:"<applet code=|27|buildService.MapYandex.class|27|"; content:".jar"; content:"</applet>"; classtype:bad-unknown; sid:2013553; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED SQLCheck Database Scan Detected"; flow:to_server,established; content:"%20FROM%20customers"; fast_pattern:only; content:"User-Agent|3a| Lynx/2.8.6rel.4 libwww-FM/2.14"; http_header; threshold: type threshold, track by_dst, count 10, seconds 20; reference:url,wiki.remote-exploit.org/backtrack/wiki/SQLcheck; reference:url,doc.emergingthreats.net/2009478; classtype:attempted-recon; sid:2009478; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole MapYandex.class malicious jar"; flow:established,from_server; content:"|0d 0a|Content-Type|3a 20|application/java-archive|0d 0a|"; content:"MapYandex.class"; fast_pattern:only; content:"PK"; classtype:bad-unknown; sid:2013554; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"GPL DELETED IRC nick change"; flow:to_server,established; content:"NICK "; depth:5; fast_pattern; classtype:policy-violation; sid:2100542; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:"<applet"; content:"code="; content:".jar"; content:"e00oMDD"; fast_pattern; content:"</applet>"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013700; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M4 (with URI Primer)"; flow:established,from_server; flowbits:isset,Neutrino.URI.Primer; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; fast_pattern:only; content:"movie"; content:"value"; pcre:"/^\s*=\s*[\x22\x27]\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|(?=[a-z]*\d+[a-z]+\d)(?=\d*[a-z]+\d+[a-z])[a-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)[\x22\x27]/R"; content:"bgcolor"; nocase; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025048; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_06_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP exploit 3"; flow:established,to_server; content:"/pch2.php?c="; http_uri; pcre:"/pch2.php?c=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013746; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Job314/Neutrino Reboot EK Flash Exploit Jan 07 2015 M2"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern; content:!"|0d 0a|Cookie|3a|"; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|(?=[a-z]*\d+[a-z]+\d)(?=\d*[a-z]+\d+[a-z])[a-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f\x2f(?P<host>[^\r\n\x3a\x2f]+)(?:\x3a\d{1,5})?\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)\r\n.*?Host\x3a\x20(?P=host)(?:\x3a\d{1,5})?\r\n/Hsi"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025042; rev:3; metadata:created_at 2016_01_08, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 2"; flow:established,to_server; content:"/2ddfp.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013786; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 10 M2"; flow:established,from_server; file_data; content:"|76 61 72 20 66 72 61 67 6d 65 6e 74 20 3d 20 63 72 65 61 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70 3a|"; classtype:exploit-kit; sid:2022956; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_07_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 2"; flow:established,to_server; content:"/1ddfp.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013787; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading To EK Jul 10 M1"; flow:established,to_server; content:".js?chebstr=0."; http_uri; pcre:"/\.js\?chebstr=0\.\d+$/U"; classtype:exploit-kit; sid:2022957; rev:2; metadata:created_at 2016_07_11, updated_at 2016_07_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated Javascript padded charcodes 25"; flow:established,from_server; content:"75"; depth:500; content:"86"; within:4; content:"74"; within:4; content:"92"; within:4; content:"84"; within:4; classtype:bad-unknown; sid:2013950; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (H1N1 CnC)"; flow:established,from_server; content:"|09 00 cc e5 16 49 2c 1e 96 57|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022959; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing Loading... Wait Please"; flow:established,from_server; content:"Wait Please"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013972; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email Account Exceeded Quota Phishing Landing 2016-07-11"; flow:from_server,established; file_data; content:"<title>WebMail"; nocase; fast_pattern; content:"E-Mail account has exceeded"; nocase; distance:0; content:"upgrade your mailbox"; nocase; distance:0; content:"avoid disrupt and lost"; nocase; distance:0; content:"Password"; nocase; distance:0; classtype:social-engineering; sid:2031954; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole hostile PDF v1"; flow:established,from_server; file_data; content:"|25 50 44 46 2d 31 2e 36|"; content:"|4b 69 64 73 5b 32 38 20 30 20 52 5d 3e 3e|"; distance:0; content:"javascript"; nocase; distance:0; classtype:trojan-activity; sid:2013991; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Outdated Mac Flash Version"; flow:established,to_server; content:"x-flash-version|3a 20|"; http_header; content:!"18,0,0,366|0d 0a|"; distance:0; within:12; http_header;  content:!"22,0,0,209|0d 0a|"; distance:0; within:12; http_header; content:"Macintosh"; http_user_agent; threshold: type limit, count 1, seconds 60, track by_src; classtype:policy-violation; sid:2014727; rev:60; metadata:created_at 2012_05_09, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole hostile PDF v2"; flow:established,from_server; file_data; content:"|25 50 44 46 2d 31 2e 36|"; content:"|20 2f 4b 69 64 73 20 5b 31 20 30 20 52 5d 20 2f 54 79 70 65 2f 50 61 67 65 73 3e 3e|"; distance:0; content:"javascript"; nocase; distance:0; classtype:trojan-activity; sid:2013992; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Potential Sofacy Phishing Redirect"; flow:established,to_client; file_data; content:"// stop for sometime if needed"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/phresh-phishing-against-government-defence-and-energy.html; classtype:targeted-activity; sid:2019541; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_28, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole PDF Exploit Request /fdp2.php"; flow:established,to_server; content:"/fdp2.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014035; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_12_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|www.__RANDOM_STR_.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022961; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Likely Flash exploit download request score.swf"; flow:established,to_server; content:"/score.swf"; http_uri; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014053; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan-Downloader.Win32.Small.hkp Checkin via HTTP"; flow:established,to_server; dsize:96; content:"GET /"; depth:5; pcre:"/^[^\r\n]*\/[0-9a-f]{78}\sHTTP/Ri"; reference:url,doc.emergingthreats.net/2007755; classtype:trojan-activity; sid:2007755; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole-like Java Exploit request to .jar?t="; flow:established,to_server; content:".jar?t="; http_uri; nocase; fast_pattern; content:"&h="; http_uri; distance:0; content:"|29| Java/1."; http_header; pcre:"/\.jar\?t=\d+&h=[^&]+$/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014094; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 13 2016 2"; flow:established,to_server; content:"POST"; http_method; content:".swf"; nocase; http_header; content:"|4d 61 6e 75 66 75 63 6b|"; nocase; http_client_body; content:"|4d 61 63 72 6f 77 69 6e|"; nocase; http_client_body; classtype:exploit-kit; sid:2022964; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_13, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_07_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole - Help and Control Panel Exploit Request"; flow:established,to_server; content:"/cph2.php?c="; http_uri; reference:url,jsunpack.jeek.org/?report=2b1d42ba5b47676db4864855ac239a73fb8217ff; classtype:trojan-activity; sid:2014125; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_01_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible malicious zipped-executable"; flow:established,from_server; file_data; content:"PK|01 02|"; within:4; content:".xla"; nocase; content:"PK|05 06|"; within:52; content:"|01 00 01 00|"; distance:4; within:4; classtype:trojan-activity; sid:2018086; rev:5; metadata:created_at 2014_02_07, former_category CURRENT_EVENTS, updated_at 2016_07_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole Likely Flash Exploit Request /field.swf"; flow:established,to_server; content:"/field.swf"; http_uri; classtype:trojan-activity; sid:2014126; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_01_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware Bart .onion Payment Domain (khh5cmzh5q7yp7th)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|khh5cmzh5q7yp7th"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022958; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, malware_family Ransomware, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2016_07_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 4"; flow:established,to_server; content:"/adfp2.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014157; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"GPL MISC Source Port 20 to <1024"; flow:to_server; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:2100503; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 4"; flow:established,to_server; content:"/addfp1.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014158; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"GPL MISC source port 53 to <1024"; flow:to_server; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:2100504; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 5"; flow:established,to_server; content:"/adp"; http_uri; content:".php?f="; http_uri; pcre:"/\/adp\d\.php\?=[0-9a-z]{2,6}/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014195; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"GPL POLICY SOCKS Proxy attempt"; flags:S,12; flow:to_server; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:2100615; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - info.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"info."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?info\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014235; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET SCAN Behavioral Unusually fast inbound Telnet Connections, Potential Scan or Brute Force"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,www.rapid7.com/nexpose-faq-answer2.htm; reference:url,doc.emergingthreats.net/2001904; classtype:misc-activity; sid:2001904; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - contacts.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"contacts."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; within:6; http_header; pcre:"/attachment\x3b[^\r\n]*?contacts\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014236; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3127 (msg:"ET SCAN Behavioral Unusual Port 3127 traffic, Potential Scan or Backdoor"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 10 , seconds 60; reference:url,doc.emergingthreats.net/2002973; classtype:misc-activity; sid:2002973; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - calc.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"calc."; http_header; distance:0; fast_pattern; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?calc\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014237; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"ET SCAN Behavioral Unusually fast outbound Telnet Connections, Potential Scan or Brute Force"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,www.rapid7.com/nexpose-faq-answer2.htm; reference:url,doc.emergingthreats.net/2008230; classtype:misc-activity; sid:2008230; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - about.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"about."; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?about\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014238; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Landing URI Struct June 13 M1"; flow:established,to_server; urilen:27<>114; content:"/index.php?"; depth:11; http_uri; pcre:"/^\/index\.php\?[a-z]{8,80}=(?:\d{10,13}|\d{15,20})$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?P=refhost))/Hsi"; classtype:exploit-kit; sid:2021263; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_13, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Tax Landing Page with JavaScript Attack"; flow:established,from_server; content:"Please wait, till tax confirmation is ready."; fast_pattern:only; content:"try{"; content:"catch("; classtype:attempted-admin; sid:2014274; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Landing URI Struct June 13 M2"; flow:established,to_server; urilen:27<>114; content:"/index.php?"; depth:11; http_uri; pcre:"/^\/index\.php\?[a-z]{8,80}=(?:\d{10,13}|\d{15,20})$/U"; pcre:"/Host\x3a\x20(?P<refhost>[^\x3a\r\n]+).*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?!(?P=refhost))/Hsi"; classtype:exploit-kit; sid:2021264; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_13, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 6"; flow:established,to_server; content:"/data/ap2.php"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014279; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Landing URI Struct June 13 M3"; flow:established,to_server; urilen:27<>114; content:"/index.php?"; depth:11; http_uri; pcre:"/^\/index\.php\?[a-z]{8,80}=(?:\d{10,13}|\d{15,20})$/U"; content:!"Referer|3a|"; http_header; classtype:exploit-kit; sid:2021265; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_13, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 6"; flow:established,to_server; content:"/ap1.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014280; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Nuclear EK Landing URI Struct T1"; flow:to_server,established; urilen:>14; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; content:".html"; http_uri; fast_pattern; offset:11; pcre:"/^\/[A-Z](?=[a-z0-9]*?[A-Z][a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z][A-Z0-9]*?[a-z])[A-Za-z0-9]{9,}\.html$/U"; pcre:"/Host\x3a\x20(?=[0-9]{0,22}[a-z])(?=[a-z]*?[0-9][a-z]{0,22}[0-9])[a-z0-9]{23}\x2e[^\x2e\r\n]+\x2e[^\x2e\r\n]/H"; classtype:exploit-kit; sid:2021040; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_30, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Applet with Obfuscated URL 2"; flow:established,from_server; file_data; content:"<applet"; content:"Mlgg"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014281; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Nuclear EK Landing URI Struct Oct 26 2015"; flow:to_server,established; content:".php?option=com_"; http_uri; content:"&itemid="; http_uri; content:"&id="; http_uri; pcre:"/&id=\d+(?:\x3a(?:[a-z0-9]*?[A-Z])(?:[A-Z0-9]*?[a-z])[A-Za-z0-9]{10,}\.{0,2})?&catid=\d+&itemid=\d+$/U"; classtype:exploit-kit; sid:2021999; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_26, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Download Secondary Request ?pagpag"; flow:established,to_server; content:".php?pagpag="; http_uri; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014282; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert udp any 68 -> any 67 (msg:"ET POLICY Possible Kali Linux hostname in DHCP Request Packet"; content:"|63 82 53 63 35 01 03|"; content:"|0c 04|kali"; distance:0; nocase; reference:url,www.kali.org; classtype:policy-violation; sid:2022973; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_07_18, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2017_10_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP exploit 4"; flow:established,to_server; content:"/hhcp.php?c="; http_uri; pcre:"/hhcp.php?c=[a-f0-9]{5}$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014284; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Suspicious SMTP Settings in XLS - Possible Phishing Document"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-type|3a 20|application/vnd.ms-excel"; http_header; file_data; content:"/configuration/sendusing"; nocase; fast_pattern; content:"/configuration/smtpserver"; nocase; distance:0; content:"/configuration/smtpauthenticate"; nocase; distance:0; content:"/configuration/sendusername"; nocase; distance:0; content:"/configuration/sendpassword"; nocase; distance:0; reference:md5,710ea2ed2c4aefe70bf082b06b82818a; reference:url,symantec.com/connect/blogs/malicious-macros-arrive-phishing-emails-steal-banking-information; classtype:social-engineering; sid:2022974; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_07_18, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated Javascript 171 charcodes >= 48"; flow:established,from_server; content:"G<H6>F=7.49B7F"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014298; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MultiPlug.J Checkin"; flow:established,to_server; urilen:>103; content:"/?q="; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"POST"; http_method; pcre:"/^\/(?:[A-Za-z]+\d?\/)?\?q=(?=[a-z0-9+/]*[A-Z])(?=[A-Z0-9+/]*[a-z])(?=[A-Za-z0-9+/\x25]*\d)[A-Za-z0-9+/\x25]{100}/U"; content:!"map24.com|0d 0a|"; http_header; content:!"aptrk.com|0d 0a|"; http_header; content:!"Accept-"; http_header; pcre:"/^Accept\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r?$/Hi"; reference:md5,64482895a11d120a9f17ded96aa43cd3; reference:md5,a108ae58850e8f48428070d3193e5c11; classtype:pup-activity; sid:2020422; rev:15; metadata:created_at 2015_02_13, former_category ADWARE_PUP, updated_at 2016_07_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - readme.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"readme."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?readme\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014301; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 21 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Google Security"; nocase; fast_pattern; content:"beep.mp3"; nocase; distance:0; content:"function alertCall"; nocase; distance:0; content:"function alertTimed"; nocase; distance:0; content:"function alertLoop"; nocase; distance:0; classtype:social-engineering; sid:2022981; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED INBOUND Blackhole Java Exploit request similar to /content/jav.jar"; flow:established,to_server; content:"/content/jav"; http_uri; content:".jar"; http_uri; pcre:"/\/content\/jav\d?\.jar$/U"; classtype:trojan-activity; sid:2014346; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lethic - Client Alive"; flow:established,to_server; dsize:6; content:"|01 00 21 01|"; offset:2; depth:4; classtype:trojan-activity; sid:2015522; rev:3; metadata:created_at 2012_07_25, updated_at 2016_07_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole qwe123 PDF"; flow:established,from_server; file_data; content:"%PDF-1.6"; depth:8; content:"|20 28|qwe123"; classtype:trojan-activity; sid:2014368; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Mar 30 M3"; flow:established,to_client; file_data; content:"try "; content:"= new ActiveXObject"; distance:0; content:"catch"; distance:0; content:"=|20 22|Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi|22|,"; content:"=|20 22|Kaspersky.IeVirtualKeyboardPluginSm.JavascriptApi|22|,"; content:".location="; distance:0; classtype:exploit-kit; sid:2022984; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_26, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_07_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cutwail Redirection Page 1"; flow:established,from_server; content:"document.location="; depth:200; content:".php?"; within:100; pcre:"/\.php\?[^&]{1,8}=[a-f0-9]{16}[\x22\x27\x3b\x20\x0a\x0d]/"; classtype:bad-unknown; sid:2014378; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|04|svr2"; distance:1; within:5; tls.fingerprint:"0e:03:44:08:34:6e:2c:66:fa:ec:a8:f8:97:24:ea:1f:f6:c7:5a:5e"; reference:md5,87223f535afd8b11dd79c6f39fc059d9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018600; rev:12; metadata:attack_target Client_and_Server, created_at 2014_06_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole client=done Cookie Set"; flow:established,from_server; content:"client=done|3b|"; content:"client=done|3b|"; http_cookie; depth:12; classtype:bad-unknown; sid:2014412; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|20|kpai7ycr7jxqkilp.torexplorer.com"; tls.fingerprint:"0e:dd:72:24:52:c1:2c:68:6f:16:a7:ee:7b:e7:4b:56:e8:9a:6d:b5"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018693; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole client=done Cookie Present"; flow:established,to_server; content:"client=done"; http_header; content:"client=done"; http_cookie; depth:11; classtype:bad-unknown; sid:2014413; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|1b|corporati-sdfs222222you.com"; fast_pattern:8,20; tls.fingerprint:"19:56:b7:ff:84:f6:f8:41:f5:b5:8d:63:76:88:59:b6:d5:f0:3d:3c"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018694; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole Landing Page applet param window.document"; flow:established,from_server; content:"<applet"; content:"<param"; distance:0; content:"window.document"; distance:0; classtype:bad-unknown; sid:2014414; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|11|evergreen.kiev.ua"; fast_pattern:only; tls.fingerprint:"1a:3f:a8:f8:56:d4:da:64:83:f0:7b:29:40:41:cf:84:2e:b4:e9:b5"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018695; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - scandsk.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"scandsk"; http_header; fast_pattern; within:20; content:".exe|0d 0a|"; http_header; distance:0; classtype:bad-unknown; sid:2014440; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0e|kilomenter.com"; tls.fingerprint:"25:c3:39:6d:47:d5:df:12:fa:af:dd:06:68:7e:7e:69:f8:fc:6f:e8"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018697; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole - Landing Page Requested - /Home/index.php"; flow:to_server,established; urilen:15; content:"/Home/index.php"; http_uri; flowbits:set,et.exploitkitlanding; flowbits:noalert; classtype:bad-unknown; sid:2014441; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|21|worldwidetrading-compaanny2you.su"; fast_pattern:9,20; tls.fingerprint:"28:49:e8:47:e0:d5:ba:85:bf:59:18:2a:92:e5:35:41:d5:5f:a8:dc"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018698; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole - Landing Page Requested - *.php?*=16HexCharacters in http_uri"; flow:to_server,established; urilen:>23; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,7}=[a-f0-9]{16}$/U"; pcre:"/=.*[a-f].*$/U"; flowbits:set,et.exploitkitlanding; flowbits:noalert; classtype:bad-unknown; sid:2014442; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|17|delfi-fro-youindigo.net"; fast_pattern:only; tls.fingerprint:"34:8e:8f:a3:05:d8:b1:e5:fe:d5:3c:07:1e:dd:58:e7:a0:c9:d9:d4"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018699; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Page redirecting to driveby"; flow:from_server,established; content:"|0d 0a 0d 0a|"; content:"/Home/index.php\" width=1 height=1 scrolling=no></iframe>"; distance:0; classtype:bad-unknown; sid:2014444; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Malware C2)"; flow:established,from_server; content:"|0e|jpyjcy0qmd.gov"; fast_pattern:only; tls.fingerprint:"36:ae:19:7c:21:ca:c2:56:0f:6d:6e:dc:a5:0c:46:3e:a0:49:f1:52"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018700; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Blackhole PDF served from iframe"; flow:established,from_server; content:".pdf|27|/></iframe>"; fast_pattern:only; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:2014470; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0d|riffpedia.net"; fast_pattern:only; tls.fingerprint:"46:de:ba:70:b2:f5:e1:7b:a8:54:cf:02:26:ec:5b:df:8f:b0:06:7b"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018701; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing .prototype.q catch with split"; flow:established,from_server; content:".prototype.q}catch("; fast_pattern:only; content:".split("; classtype:trojan-activity; sid:2014537; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0f|slksecurity.com"; fast_pattern:only; tls.fingerprint:"4b:1d:64:c1:63:7a:ae:42:7a:a0:7d:6c:75:6c:13:b9:77:71:56:03"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018702; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing Loading... Please Wait"; flow:established,from_server; content:"Please Wait"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; classtype:trojan-activity; sid:2014538; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|12|billing-service.ru"; fast_pattern:only; tls.fingerprint:"4e:ac:f7:ce:46:3d:ff:ae:b2:40:cb:d9:7a:09:f0:dd:42:08:e7:48"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018704; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing for Loading prototype catch"; flow:established,from_server; content:">Loading..."; fast_pattern:only; content:").prototype."; content:"}catch("; within:10; classtype:trojan-activity; sid:2014540; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0e|ckytiqfles.com"; fast_pattern:only; tls.fingerprint:"4f:b4:c8:1e:f5:c1:bf:0e:2e:53:3d:8c:46:63:40:67:a1:5f:25:fe"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018705; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Recieved - applet PluginDetect and 10hexchar title"; flow:established,to_client; file_data; content:"PluginDetect"; content:"<applet"; pcre:"/<title>[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2014644; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0e|web-names1.com"; fast_pattern:only; tls.fingerprint:"59:c1:d3:55:1c:d5:43:55:39:10:72:03:0d:21:57:7a:c6:5a:49:83"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018706; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Obfuscated Please wait Message"; flow:established,to_client; file_data; content:"Please|3A|wait|3A|page|3A|is|3A|loading"; flowbits:set,et.exploitkitlanding; reference:url,isc.sans.edu/diary.html?storyid=13051; classtype:trojan-activity; sid:2014659; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|09|server265"; fast_pattern:only; tls.fingerprint:"65:a7:7d:36:d1:b5:36:65:f6:0d:19:71:89:24:50:4f:7d:3f:95:08"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018707; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing for prototype catch substr"; flow:established,from_server; content:"try{prototype|3b|}catch("; fast_pattern; content:"substr"; distance:0; classtype:trojan-activity; sid:2014661; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|13|statistic4he2om.com"; fast_pattern:only; tls.fingerprint:"69:c6:78:70:7b:fd:48:36:29:15:71:fb:ae:40:04:59:c9:0b:9e:ed"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018708; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; pcre:"/=[0-9a-f]{8}\.jar/H"; file_data; content:"PK"; depth:2; classtype:trojan-activity; sid:2014664; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|17|delfi-fro-youindigo.com"; tls.fingerprint:"72:ce:ed:55:39:c6:0f:e7:ef:db:c8:7e:77:7f:73:1c:75:d3:ff:ea"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018711; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Injected Page Leading To Driveby"; flow:established,to_client; file_data; content:"/images.php?t="; distance:0; fast_pattern; content:"width=\"1\" height=\"1\""; within:100; classtype:trojan-activity; sid:2014666; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_05_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|10|secureonesee.com"; fast_pattern:only; tls.fingerprint:"74:06:45:7d:94:2e:bc:79:e4:91:45:4c:d5:7d:fc:f9:bc:c8:95:af"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018712; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page JavaScript Split String Obfuscation of CharCode"; flow:established,to_client; content:"|22|h|22|+|22|arCode|22 3B|"; classtype:trojan-activity; sid:2014773; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0f|bitcoin-send.ru"; fast_pattern:only; tls.fingerprint:"78:0e:3b:97:7f:c1:19:e7:a0:e1:cd:51:92:90:9b:a0:ba:95:c8:c7"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018714; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Malicious PDF qweqwe="; flow:established,to_client; content:"><qwe qweqwe="; reference:url,jsunpack.jeek.org/dec/go?report=4d25f4f01ff5cdbee35a23fcd9e047b69d917b47; classtype:trojan-activity; sid:2014774; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (ZeuS C2)"; flow:established,from_server; content:"|06|lzx.su"; fast_pattern:only; tls.fingerprint:"79:67:bb:dd:e9:c1:17:46:8d:26:cd:de:db:20:e2:1c:46:63:bd:d7"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018715; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole PDF Payload Request"; flow:established,to_server; content:"/content/"; http_uri; content:".php?f="; http_uri; pcre:"/\x2Fcontent\x2F[a-z0-9]{1,6}\x2Ephp\x3Ff\x3D[0-9]{1,5}$/Ui"; classtype:trojan-activity; sid:2014775; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|07|server8"; fast_pattern:only; tls.fingerprint:"9d:5f:4b:bd:00:81:77:0e:67:43:31:e9:a0:db:e7:45:c9:85:e8:50"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018716; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole PDF Payload Request With Double Colon"; flow:established,to_server; content:"/content/"; http_uri; content:".php?f="; http_uri; content:"|3A 3A|"; http_uri; pcre:"/\x2Fcontent\x2F[a-z0-9]{1,6}\x2Ephp\x3Ff\x3D[0-9]{1,5}\x3A\x3A[0-9]{1,5}$/Ui"; classtype:trojan-activity; sid:2014776; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|1c|kpai7ycr7jxqkilp.tor2www.com"; tls.fingerprint:"a7:da:82:eb:15:e9:87:09:ba:62:5c:84:3d:bb:e7:ad:d3:24:6a:c9"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018717; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Try App.title Catch - May 22nd 2012"; flow:established,to_client; file_data; content:"try{app.title}catch("; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014801; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|1a|root@localhost.localdomain"; tls.fingerprint:"a8:c7:79:04:f3:e6:1e:6d:18:2d:7a:69:15:25:c4:09:ff:12:ef:86"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018718; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Obfuscated Javascript Blob"; flow:established,to_client; file_data; content:"<pre id=|22|"; content:"style=|22|display|3A|none|3B 22 3E|"; within:100; isdataat:400,relative; content:!"|20|"; within:400; content:!"pre|3E|"; within:400; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|3C 2F|pre|3E|3Cscript|3E|"; fast_pattern; distance:400; pcre:"/display\x3Anone\x3B\x22\x3E[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}[^\r\n]*\x3C\x2Fpre\x3E\x3Cscript\x3E/sm"; classtype:trojan-activity; sid:2014820; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Shylock C2)"; flow:established,from_server; content:"|10|Internet Banking"; fast_pattern:only; tls.fingerprint:"b0:03:44:3e:f1:2b:5f:f4:4b:5a:00:a2:68:d2:09:5b:43:d2:a8:6f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018720; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole RawValue Specific Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; depth:5; content:"|2E|rawValue|5D 5B|0|5D 2E|split|28 27 2D 27 29 3B|"; distance:0; reference:cve,2010-0188; classtype:trojan-activity; sid:2014821; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|15|futuredynamicteam.com"; tls.fingerprint:"b6:02:85:17:c1:0f:e9:e3:10:48:f0:2e:58:53:e5:c1:74:1f:ef:b8"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018721; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Malicious PDF asdvsa"; flow:established,from_server; file_data; content:"obj"; content:"<<"; within:4; content:"(asdvsa"; within:80; classtype:trojan-activity; sid:2014823; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak C2)"; flow:established,from_server; content:"|0f|security256.com"; fast_pattern:only; tls.fingerprint:"ba:e6:e4:56:b7:23:9d:2e:01:cd:2a:bb:6a:10:13:9d:96:3c:73:14"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018722; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Script Profile ASD"; flow:established,to_client; file_data; content:"pre id=|22|asd|22|"; classtype:trojan-activity; sid:2014825; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0f|sec-picture.net"; fast_pattern:only; tls.fingerprint:"c8:7e:eb:70:75:75:e5:23:8d:77:73:10:2d:f1:73:07:2a:bb:bf:0b"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018723; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Fraudulent Paypal Mailing Server Response June 04 2012"; flow:from_server,established; content:"<html>|0d 0a|<title>Paypal"; fast_pattern; content:"|3a 20|Loading<"; distance:0; classtype:trojan-activity; sid:2014858; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|1d|planet2wideg2yandex-corti.com"; tls.fingerprint:"c9:b0:97:d6:2d:6f:7b:36:5f:88:fc:ec:1d:a9:4d:ed:5e:d9:32:1f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018724; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Obfuscated Javascript redirecting to Blackhole June 7 2012"; flow:established,from_server; file_data; content:"st=\"no3"; content:"3rxtc\"\;Date"; distance:12; within:60; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014873; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0c|kin.pgsox.cc"; fast_pattern:only; tls.fingerprint:"cb:f6:8e:89:9c:14:cd:be:d2:5b:20:d3:98:ce:67:24:d6:0d:e0:a6"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018725; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SutraTDS (enema) used in Blackhole campaigns"; flow:to_server,established; content:"/top2.html"; http_uri; content:"|0d 0a|Host|3a| enema."; http_header; classtype:bad-unknown; sid:2014885; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|10|bitcoin-beta.com"; fast_pattern:only; tls.fingerprint:"d4:fa:65:54:b5:f6:24:3a:50:eb:14:53:e4:40:bb:a5:8d:a5:6f:61"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018726; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Try Prototype Catch June 11 2012"; flow:from_server,established; content:"try{"; content:"=prototype"; within:25; content:"|3b|}catch("; within:15; classtype:bad-unknown; sid:2014888; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|10|invoice-maker.ru"; fast_pattern:only; tls.fingerprint:"d7:b1:19:96:6c:5b:41:dd:99:b2:e1:e1:c8:74:5f:cb:65:f8:09:de"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018727; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing - UPS Number Loading.. Jun 15 2012"; flow:established,from_server; content:"|20|Number|3A 20 09|Loading|2E 2E 3C|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014907; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|12|poppperdropper.com"; fast_pattern:only; tls.fingerprint:"dd:bd:80:27:40:3b:bd:f2:17:e6:34:53:0b:ee:72:40:ce:d6:8a:8e"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018728; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing - Verizon Balance Due Jun 15 2012"; flow:established,from_server; content:"|20|Balance Due|3a| Loading|2c 20|please wait|2e 2e 2e|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014908; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|10|www.total4me.org"; fast_pattern:only; tls.fingerprint:"df:4b:2f:32:9f:19:f8:a5:02:33:e4:f5:1e:e1:61:6e:b8:0d:c7:f1"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018729; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 9c 62 d8 66 66 66 66 54|"; classtype:trojan-activity; sid:2014909; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|06|0bg.ru"; fast_pattern:only; tls.fingerprint:"df:9c:32:dd:ba:0b:e9:6f:08:52:bc:59:3d:a3:d7:82:12:b1:d5:45"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018730; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Try Prototype Catch Jun 18 2012"; flow:established,from_server; content:"try{prototype"; content:"|3B|}catch("; within:12; classtype:trojan-activity; sid:2014921; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|10|greengarden1.com"; fast_pattern:only; tls.fingerprint:"e8:52:a3:e8:cd:0b:eb:2d:28:df:62:2e:2c:a4:d5:4d:f4:3c:cc:9f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018731; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Please wait a moment Jun 20 2012"; flow:established,to_client; file_data; content:"Please wait a moment. You will be forwarded..."; classtype:trojan-activity; sid:2014931; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|07|server9"; fast_pattern:only; tls.fingerprint:"f5:e2:b6:7a:1e:92:49:ab:ac:d0:4f:68:36:9b:2a:0d:fb:0b:4f:d7"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018732; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole RawValue Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; depth:5; content:"|2E|rawValue|5D 5B|0|5D 2E|split|28 27 2D 27 29 3B 26 23|"; distance:0; reference:cve,2010-0188; classtype:trojan-activity; sid:2014940; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0e|fileprofes.com"; fast_pattern:only; tls.fingerprint:"f9:86:e8:fa:b5:55:bb:db:96:9f:f2:4c:48:8c:d9:66:09:43:5e:ec"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018733; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert  http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL 3"; flow:established,from_server; content:"|3c|applet"; fast_pattern; content:"56|3a|14|3a|14|3a|19|3a|27|3a|50|3a|50|3a|"; within:100; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015005; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0b|gorms4tu.be"; fast_pattern:only; tls.fingerprint:"ff:15:52:d1:df:5c:d0:0e:c5:69:00:31:9e:9f:24:80:4a:e6:0c:63"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018734; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Split String Obfuscation of Eval 1"; flow:established,to_client; file_data; content:"e|22|+|22|va"; pcre:"/(\x3D|\x5B\x22])e\x22\x2B\x22va/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015012; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"47:46:41:98:fc:47:5a:2e:a1:76:18:38:b1:f8:0d:ea:e7:99:d0:5f"; classtype:domain-c2; sid:2018736; rev:8; metadata:attack_target Client_and_Server, created_at 2014_06_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Split String Obfuscation of Eval 2"; flow:established,to_client; file_data; content:"e|22|+|22|v|22|+|22|a"; pcre:"/(\x3D|\x5B\x22])e\x22\x2B\x22v\x22\x2B\x22a/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015013; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|pistofon.ru"; distance:1; within:12; content:"|13|someone@pistofon.ru"; fast_pattern:only; tls.fingerprint:"43:cb:f3:ff:69:9b:3d:dc:58:29:17:bd:ff:41:ed:59:13:c7:39:8a"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018746; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Split String Obfuscation of Eval 3"; flow:established,to_client; content:"ev|22|+|22|a"; pcre:"/(\x3D|\x5B\x22])ev\x22\x2B\x22a/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015014; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|trustasia.asia"; distance:1; within:15; tls.fingerprint:"09:f0:c1:86:37:73:63:98:2c:19:7a:ed:2a:ca:60:2d:ce:4f:cf:16"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018747; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Eval Variable Obfuscation 1"; flow:established,to_client; file_data; content:"=|22|ev|22 3B|"; content:"+|22|al|22|"; distance:0; pcre:"/\x2B\x22al\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015025; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nagchampa.in"; distance:1; within:13; tls.fingerprint:"cd:bc:8b:c2:e9:63:ee:6c:e5:18:e0:6a:92:42:a5:4a:28:19:eb:7f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018851; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Eval Variable Obfuscation 2"; flow:established,to_client; file_data; content:"=|22|e|22 3B|"; content:"+|22|val|22|"; distance:0; pcre:"/\x2B\x22val\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015026; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"1e:0f:3d:14:42:f9:52:2b:24:25:15:cb:69:68:a1:0b:08:f4:85:7c"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018858; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED 09 July 2012 Blackhole Landing Page - Please Wait Loading"; flow:established,from_server; file_data; content:"Please wait, the page is loading..."; nocase; content:"x-java-applet"; distance:0; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015048; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ac 31 2f c6 b3 12 c1 f9|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"be:1a:58:4a:85:c8:79:f8:55:5d:98:4f:c3:6b:ef:69:db:6d:8a:d5"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018859; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole TKR Landing Page /last/index.php"; flow:established,to_server; content:"/last/index.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015475; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 dd 04 88 42 80 63 7d af|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"80:ac:8f:7c:a8:c6:dd:1b:5b:23:17:63:e9:09:50:52:40:a9:d1:a6"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018860; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"chcyih.class"; classtype:trojan-activity; sid:2015486; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"4d:0f:1f:0f:96:85:ef:f1:24:e5:6a:31:19:2a:2b:ea:e7:88:d8:8b"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018861; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (2)"; flow:established,to_server; content:"/java.jar"; http_uri; nocase; fast_pattern:only; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2015487; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"ab:92:db:cc:12:05:45:36:1d:3a:cc:c5:50:d4:e5:79:67:d4:85:71"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018862; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"NewClass1.class"; classtype:trojan-activity; sid:2015488; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"f7:41:76:2e:a8:09:4a:8d:95:ad:84:ba:ea:0d:42:e8:0c:e5:84:d0"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018863; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Redirection Page Try Math.Round Catch - 7th August 2012"; flow:established,to_client; file_data; content:"try{"; content:"=Math.round|3B|}catch("; distance:0; classtype:trojan-activity; sid:2015586; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ab 62 ca a2 20 83 75 2d|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"bc:08:3e:da:9c:3a:84:fa:bf:6d:39:23:7e:bb:7a:d8:65:54:0b:56"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018864; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool jnlp URI Struct"; flow:established,to_server; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jnlp(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015619; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 f6 57 75 bc c6 71 7c 74|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"0b:b0:85:d5:61:df:07:c8:89:e5:ba:d5:1c:84:63:71:d4:fc:fd:61"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018865; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Hwehes String - August 13th 2012"; flow:established,to_client; file_data; content:"hwehes"; content:"hwehes"; distance:0; content:"hwehes"; distance:0; content:"hwehes"; distance:0; classtype:trojan-activity; sid:2015622; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 cf 22 8c cf e7 2c 1b 1f|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"a9:24:0e:12:4a:b9:4f:16:74:4d:54:c2:50:f2:df:46:1d:dc:39:2b"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018866; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Admin bhadmin.php access Outbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015659; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|msvsprot.com"; distance:1; within:13; tls.fingerprint:"ea:ab:3c:a3:76:94:c8:9d:57:b9:21:b4:f3:93:0b:af:de:02:2d:e0"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018910; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED - Blackhole Admin Login Outbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015660; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|local.domain"; distance:1; within:13; tls.fingerprint:"8f:37:76:15:40:99:b6:c2:dc:34:b8:c3:7f:f5:21:17:21:44:a9:a4"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018911; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Admin bhadmin.php access Inbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015661; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 08 13 0a|Some-State"; content:"|13 18|Internet Widgits Pty"; within:35; tls.fingerprint:"e5:0e:e9:90:a3:12:b9:e2:e6:8c:46:d1:89:e1:e9:23:81:74:1b:f9"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018915; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED - Blackhole Admin Login Inbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015662; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 08 13 0a|Some-State"; content:"|13 18|Internet Widgits Pty"; within:35; tls.fingerprint:"e6:d3:0c:d0:41:d1:9d:3a:3e:9c:82:e0:b9:e3:e1:67:ad:0f:ee:9f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018916; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Nov 09 2012"; flow:established,from_server; file_data; content:"applet"; content:"0b0909041f"; fast_pattern; within:200; classtype:bad-unknown; sid:2015680; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ff 7f 8a 27 bf 5c f4 53|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"35:66:21:93:91:b9:56:61:88:b4:c8:02:1e:a3:eb:c6:1c:97:35:c3"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018937; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole2 - URI Structure"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/U"; classtype:attempted-user; sid:2015700; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M1"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>errorx"; nocase; fast_pattern; content:"<audio autoplay"; nocase; distance:0; content:"setInterval"; nocase; pcre:"/^\s*\(\s*function\s*\(\s*\)\s*\{\s*alert/Ri"; classtype:social-engineering; sid:2022991; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_29, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:"<param"; distance:0; content:"value="; distance:0; pcre:"/^.{1,5}[a-f0-9]{100}/R"; classtype:trojan-activity; sid:2015710; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_09_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M4"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function loadNumber"; nocase; fast_pattern; content:"function doRedirect"; nocase; distance:0; content:"function randomString"; nocase; distance:0; content:"function leavebehind"; nocase; distance:0; content:"function myFunction"; nocase; distance:0; content:"function confirmExit"; nocase; distance:0; classtype:social-engineering; sid:2022994; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_29, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING - Redirect To Blackhole - Push JavaScript"; flow:established,to_client; file_data; content:".push( 'h' )\;"; content:".push( 't' )\;"; within:20; classtype:trojan-activity; sid:2015740; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jul 7"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"default_number|3b|"; nocase; distance:0; content:"default_plain_number|3b|"; fast_pattern; nocase; distance:0; content:"plain_number|3b|"; nocase; distance:0; content:"loco_params|3b|"; nocase; distance:0; content:"loco|3b|"; nocase; distance:0; classtype:social-engineering; sid:2022955; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_07, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (4)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"hw.class"; content:"test.class"; classtype:trojan-activity; sid:2015759; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Base64 Data URI Javascript Refresh - Possible Phishing Landing"; flow:from_server,established; file_data; content:"<script"; nocase; content:"window.location="; distance:0; content:"data|3a|text/html|3b|base64,"; distance:1; within:22; fast_pattern; classtype:social-engineering; sid:2031955; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool eot URI Struct"; flow:to_server,established; content:".eot"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.eot(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015787; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading To EK Jul 30 M1"; flow:established,to_server; content:".js?chbstr=0."; http_uri; pcre:"/\.js\?chbstr=0\.\d+$/U"; classtype:exploit-kit; sid:2022995; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_30, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool Jar URI Struct"; flow:to_server,established; content:".jar"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jar(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015796; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Aug1 2016"; flow:established,from_server; file_data; content:"|76 61 72 20 68 65 61 64 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 27 62 6f 64 79 27 29 5b 30 5d 3b 20 76 61 72 20 73 63 72 69 70 74 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 73 63 72 69 70 74 2e 73 72 63 3d 20 22 2f 2f|"; pcre:"/^[^\r\n\x22\?]+[&?][^=\r\n\x22]+=[a-f0-9]+[^\r\n\x22\?]*[&?][^=\r\n\x22]+=[a-f0-9]+\x22\s*\x3b\s*head\.appendChild\(\s*script\s*\)\x3b/R"; classtype:exploit-kit; sid:2022998; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_08_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2 Landing Page (3)"; flow:to_server,established; content:"/ngen/controlling/"; fast_pattern:only; http_uri; content:".php"; http_uri; classtype:trojan-activity; sid:2015797; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ZeuS CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|taxreclaim.am"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023005; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Zeus_SSL, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool EXE URI Struct"; flow:to_server,established; content:".exe"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.exe(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015798; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 08|"; content:"|04|Atak"; distance:1; within:5; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023006; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET DELETED Blackhole 2 Landing Page (5)"; flow:to_server,established; content:"/forum/links/column.php"; http_uri; nocase; content:".ru:8080|0d 0a|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015802; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 95 9d ed 5e 9f 95 7f b4|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023007; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole/Cool Landing URI Struct"; flow:to_server,established; content:".php"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.php(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015803; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 9c 26 67 04 e7 9a e0 56|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023008; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole 2 PDF Exploit"; flow:established,from_server; file_data; content:"/Index[5 1 7 1 9 4 23 4 50 3]"; flowbits:isset,ET.pdf.in.http; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015804; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|secureit.pw"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023009; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole2 Non-Vulnerable Client Fed Fake Flash Executable"; flow: established,to_server; content:"/adobe/update_flash_player.exe"; http_uri; reference:url,research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html; classtype:trojan-activity; sid:2015817; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 da e8 83 5e e4 0a d0 5c|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023010; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2.0 Binary Get Request"; flow:established,to_server; content:"GET"; http_method; content:"Java/1."; http_user_agent; content:".php?"; http_uri; pcre:"/\.php\?\w{2,8}\=(0[0-9a-b]|3[0-9]){5,32}\&\w{2,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{1,8}\=\d{2}\&\w{1,8}\=\w{1,8}\&\w{1,8}\=\w{1,8}$/U"; reference:url,fortknoxnetworks.blogspot.be/2012/10/blackhole-20-binary-get-request.html; classtype:successful-user; sid:2015836; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader.Pony CnC)"; flow:from_server,established; content:"|09 00 a7 26 cd 4c 62 32 35 26|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023011; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for file containing Java payload URIs (2)"; flow:established,to_server; content:"php?fbebf=nt34t4"; http_uri; content:"|29 20|Java/"; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015863; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|09 00 b8 a4 f2 db af 86 f7 53|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023012; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for file containing Java payload URIs (3)"; flow:established,to_server; content:".php?asvvab=125qwafdsg"; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015871; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|04 26 98 61 57|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|25|ASA Temporary Self Signed Certificate"; distance:1; within:38; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023013; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16/32-hex/a-z.php Landing Page URI"; flow:established,to_server; content:".php"; http_uri; content:"/"; http_uri; distance:-6; within:1; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015877; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware Locky .onion Payment Domain (zjfq4lnfbs7pncr5)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zjfq4lnfbs7pncr5"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022997; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2016_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2 Landing Page (7)"; flow:to_server,established; content:"/news/enter/2012-1"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/news\/enter\/2012-1[0-2]-([0-2][0-9]|3[0-1])\.php/U"; classtype:trojan-activity; sid:2015932; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"GPL EXPLOIT WEB-MISC JBoss RMI class download service directory listing attempt"; flow:to_server,established; content:"GET %. HTTP/1."; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2; classtype:web-application-attack; sid:2103461; rev:1; metadata:created_at 2016_08_04, updated_at 2016_08_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool txt URI Struct"; flow:to_server,established; content:".txt"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.txt(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015933; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Safe/CritX/FlashPack URI with Windows Plugin-Detect Data"; flow:established,to_server; content:"/pd.php?id="; http_uri; fast_pattern:only; pcre:"/\/pd\.php\?id=[a-f0-9]+$/U"; classtype:exploit-kit; sid:2017812; rev:5; metadata:created_at 2013_12_06, updated_at 2016_08_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Dec 03 2012"; flow:established,from_server; file_data; content:"applet"; content:"yy3Ojj"; within:1600; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015978; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RAMNIT.A M1"; flow:established,from_server; file_data; content:"|43 72 65 61 74 65 54 65 78 74 46 69 6c 65 28 44 72 6f 70 50 61 74 68|"; nocase; content:"|57 53 48 73 68 65 6c 6c 2e 52 75 6e 20 44 72 6f 70 50 61 74 68 2c 20 30|"; nocase; reference:url,www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A; classtype:trojan-activity; sid:2023028; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_09, deployment Perimeter, malware_family Ramnit, performance_impact Moderate, signature_severity Major, updated_at 2016_08_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16/32-hex/a-z.php Jar Download"; flow:established,to_server; content:".php"; http_uri; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016229; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RAMNIT.A M2"; flow:established,from_server; file_data; content:"|6c 61 6e 67 75 61 67 65 3d 56 42 53 63 72 69 70 74|"; nocase; content:"|57 72 69 74 65 44 61 74 61 20 3d|"; nocase; content:"|22 34 44 35 41 39 30 30|"; nocase; distance:0; content:"|44 72 6f 70 46 69 6c 65 4e 61 6d 65 20 3d 20|"; reference:url,www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A; classtype:trojan-activity; sid:2023029; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, malware_family Ramnit, performance_impact Low, signature_severity Major, updated_at 2016_08_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Jan 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"Dyy"; within:300; content:"Ojj"; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016242; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|www.endeverllcandjohns13.com"; distance:1; within:29; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023030; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_09, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Feb 04 2012"; flow:established,from_server; file_data; content:"applet"; content:"Ojj"; within:300; content:"Dyy"; within:300; classtype:bad-unknown; sid:2016341; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_02_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|16 03 01 00|"; depth:4; content:"|09 00 8e b6 50 28 b2 eb aa d8|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023031; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_09, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/q.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:23; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016563; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Outgoing Chromoting Session Response"; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; depth:170; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; distance:39; reference:url,xinn.org/Chromoting.html; classtype:not-suspicious; sid:2013800; rev:3; metadata:created_at 2011_10_26, updated_at 2016_08_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/q.php Jar Download"; flow:established,to_server; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016564; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Incoming Chromoting Session Response"; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; depth:170; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; distance:39; reference:url,xinn.org/Chromoting.html; classtype:not-suspicious; sid:2013801; rev:4; metadata:created_at 2011_10_26, updated_at 2016_08_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:40; content:"/ff.php"; http_uri; offset:33; pcre:"/^\/[0-9a-f]{32}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016722; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Mozila Error"; fast_pattern; nocase; content:"<audio autoplay"; nocase; distance:0; content:"data|3a|image/png|3b|base64,"; nocase; classtype:social-engineering; sid:2023038; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:33; depth:7; http_uri; pcre:"/^\/[0-9a-f]{32}\/ff\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016723; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M4"; flow:to_server,established; content:"GET"; http_method; content:".php?num="; fast_pattern; nocase; http_uri; content:"&country="; nocase; distance:0; http_uri; content:"&city="; nocase; distance:0; http_uri; content:"&os="; nocase; distance:0; http_uri; content:"&ip="; nocase; distance:0; http_uri; classtype:social-engineering; sid:2023040; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:24; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016724; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M5"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Hacking Attack"; nocase; fast_pattern; content:"mozfullscreenerror"; nocase; distance:0; content:"toggleFullScreen"; distance:0; content:"addEventListener"; distance:0; content:"countdown"; nocase; classtype:social-engineering; sid:2023041; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016725; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Generic Excel Online Phish Aug 9"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Excel; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023046; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Reversed Applet Observed in Sakura/Blackhole Landing"; flow:established,from_server; file_data; content:"eulav "; nocase; fast_pattern:only; content:"eman "; nocase; content:"marap<"; nocase; within:500; content:"telppa"; within:500; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016729; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxy.Win32.Agent.mx (2)"; flow:established,to_server; content:"q.php"; fast_pattern; nocase; http_uri; content:!".chartbeat.net"; nocase; http_header; content:"&p="; nocase; http_uri; content:"&x="; nocase; http_uri; content:"&i="; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&o="; nocase; http_uri; content:"&v="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006406; classtype:trojan-activity; sid:2006406; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2 Landing Page (9)"; flow:to_server,established; content:"/closest/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/^\/closest\/(([a-z]{1,16}[-_]){1,4}[a-z]{1,16}|[a-z0-9]{20,}+)\.php/U"; classtype:trojan-activity; sid:2016755; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Adobe Shared Document Phish Aug 11 2016"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Adobe; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023048; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED - Possible BlackHole request with decryption Base"; flow:established,to_server; content:"&jopa="; nocase; http_uri; fast_pattern:only; pcre:"/&jopa=\d+$/U"; classtype:trojan-activity; sid:2016813; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 12 M2"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"#foxboxmsg"; fast_pattern; nocase; content:"getURLParameter"; nocase; distance:0; content:"default_number"; nocase; distance:0; content:"default_plain_number"; nocase; distance:0; content:"loco_params"; nocase; distance:0; classtype:social-engineering; sid:2023052; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_12, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED BlackHole Java Exploit Artifact"; flow:established,to_server; content:"/hw.class"; http_uri; content:"Java/1."; http_user_agent; reference:url,vanheusden.com/httping/; classtype:policy-violation; sid:2016848; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert udp $HOME_NET 53 -> $EXTERNAL_NET 1:1023 (msg:"ET DOS DNS Amplification Attack Possible Outbound Windows Non-Recursive Root Hint Reserved Port"; content:"|81 00 00 01 00 00|"; depth:6; offset:2; byte_test:2,>,10,0,relative; byte_test:2,>,10,2,relative; content:"|0c|root-servers|03|net|00|"; distance:0; content:"|0c|root-servers|03|net|00|"; distance:0; threshold: type both, track by_dst, seconds 60, count 5; reference:url,twitter.com/sempersecurus/status/763749835421941760; reference:url,pastebin.com/LzubgtVb; classtype:bad-unknown; sid:2023054; rev:2; metadata:attack_target Server, created_at 2016_08_12, deployment Datacenter, performance_impact Low, updated_at 2016_08_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK JNLP request"; flow:established,to_server; content:".php?jnlp="; http_uri; nocase; fast_pattern:only; pcre:"/\.php\?jnlp=[a-f0-9]{10}(,|$)/Ui"; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016931; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET 1:1023 (msg:"ET DOS DNS Amplification Attack Possible Inbound Windows Non-Recursive Root Hint Reserved Port"; content:"|81 00 00 01 00 00|"; depth:6; offset:2; byte_test:2,>,10,0,relative; byte_test:2,>,10,2,relative; content:"|0c|root-servers|03|net|00|"; distance:0; content:"|0c|root-servers|03|net|00|"; distance:0; threshold: type both, track by_dst, seconds 60, count 5; reference:url,twitter.com/sempersecurus/status/763749835421941760; reference:url,pastebin.com/LzubgtVb; classtype:bad-unknown; sid:2023053; rev:2; metadata:attack_target Server, created_at 2016_08_12, deployment Datacenter, performance_impact Low, updated_at 2016_08_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/a.php Landing Page/Java exploit URI"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{32}\/a\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016971; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Payload Jun 26 2016"; flow:established,from_server; file_data; content:"|2c 2d dd 4b 40 44 77 41|"; within:9; classtype:exploit-kit; sid:2022916; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_06_26, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2016_08_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/a.php Jar Download"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{32}\/a\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016972; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SMS Fake Mobile Virus Scam Aug 16 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Protect your Computer"; nocase; fast_pattern; content:"Your Computer"; nocase; distance:0; content:"INFECTED"; distance:0; content:"Enter Your Number"; nocase; distance:0; content:"SCAN NOW</button>"; nocase; distance:0; classtype:social-engineering; sid:2023069; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/a.php Landing Page/Java exploit URI"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{16}\/a\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016973; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Adobe Online Phish Aug 16 2016"; flow:to_server,established; content:"POST"; http_method; content:"=sent"; nocase; http_uri; content:"feedback="; nocase; depth:9; http_client_body; fast_pattern; content:"&feedbacknow="; nocase; distance:0; http_client_body; flowbits:set,ET.genericphish; pcre:"/=sent$/Ui"; classtype:credential-theft; sid:2024559; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/a.php Jar Download"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{16}\/a\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016974; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert udp any any -> any 161 (msg:"ET EXPLOIT Equation Group ExtraBacon Cisco ASA PMCHECK Disable"; content:"|bf a5 a5 a5 a5 b8 d8 a5 a5 a5 31 f8 bb a5|"; content:"|ac 31 fb b9 a5 b5 a5 a5 31 f9 ba a2 a5 a5 a5 31 fa cd 80 eb 14 bf|"; distance:2; within:22; content:"|31 c9 b1 04 fc f3 a4 e9 0c 00 00 00 5e eb ec e8 f8 ff ff ff 31 c0 40 c3|"; distance:4; within:24; reference:url,xorcatt.wordpress.com/2016/08/16/equationgroup-tool-leak-extrabacon-demo/; classtype:attempted-admin; sid:2023070; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, created_at 2016_08_17, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Initial Gate from Linked-In Mailing Campaign"; flow:established,to_server; content:"/linkendorse.html"; http_uri; classtype:exploit-kit; sid:2016984; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SUSPICIOUS Grey Advertising Often Leading to EK"; flow:established,from_server; file_data; content:"|69 66 20 28 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 20 26 26 20 74 79 70 65 6f 66 20 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 20 3d 3d 3d 20 27 73 74 72 69 6e 67 27 29|"; content:"|66 75 6e 63 74 69 6f 6e 20 28 73 72 63 2c 20 61 73 79 6e 63 2c 20 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 2c 20 63 61 6c 6c 62 61 63 6b 29|"; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=854; classtype:exploit-kit; sid:2021763; rev:3; metadata:created_at 2015_09_12, updated_at 2016_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Variant Payload Download"; flow:established,to_server; urilen:>48; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:3[0-2a-e8-9]|[47][0-2]|2[d-j]|5[2-7]|6[c-e]){5}&[^=]+=(?:3[0-2a-e8-9]|[47][0-2]|2[d-j]|5[2-7]|6[c-e]){10}&/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017076; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert udp any any -> any 161 (msg:"ET EXPLOIT Equation Group ExtraBacon Cisco ASA AAAADMINAUTH Disable"; content:"|bf a5 a5 a5 a5 b8 d8 a5 a5 a5 31 f8 bb a5|"; content:"|ad 31 fb b9 a5 b5 a5 a5 31 f9 ba a2 a5 a5 a5 31 fa cd 80 eb 14 bf|"; distance:2; within:22; content:"|31 c9 b1 04 fc f3 a4 e9 0c 00 00 00 5e eb ec e8 f8 ff ff ff 31 c0 40 c3|"; distance:4; within:24; reference:url,xorcatt.wordpress.com/2016/08/16/equationgroup-tool-leak-extrabacon-demo/; classtype:attempted-admin; sid:2023071; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, created_at 2016_08_17, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole EK Jar Download URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,16}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|[a-z]{16,20}\/[a-z]{16,20}|closest\/[a-z0-9]+)\.php\?[A-Za-z0-9\!\(\)\*\-\_]+=[A-Za-z0-9\!\(\)\*\-\_]+&[A-Za-z0-9\!\(\)\*\-\_]+=[A-Za-z0-9\!\(\)\*\-\_]+$/U"; classtype:exploit-kit; sid:2017140; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Netflix Phish Aug 17 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"firstName="; depth:10; nocase; fast_pattern; http_client_body; content:"&lastName="; nocase; http_client_body; distance:0; content:"&cardNumber="; nocase; http_client_body; distance:0; content:"&authURL="; nocase; http_client_body; distance:0; content:"&encryptedOaepLen="; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023072; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole EK Plugin-Detect July 12 2013"; flow:established,from_server; file_data; content:"4CMiojbvl2cyVmd71DZwRGc"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017141; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Mobile Virus Scam M1 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Virus Detected"; nocase; fast_pattern; content:"#loading-bar"; nocase; distance:0; content:"navigator.vibrate"; nocase; distance:0; content:"Download Now"; nocase; distance:0; content:"Download Now"; nocase; distance:0; classtype:social-engineering; sid:2023079; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Reversed Embedded JNLP Observed in Sakura/Blackhole Landing"; flow:established,from_server; file_data; content:"deddebme_plnj"; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017198; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET EXPLOIT CISCO FIREWALL SNMP Buffer Overflow Extrabacon (CVE-2016-6366)"; content:"|06 01 04 01 09 09 83 6B|"; pcre:"/^(?:\x01(?:(?:\x01(?:(?:\x04(?:(?:\x03(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x04(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x01(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a])?)?|\x02(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a])?)?))?|\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c])?|\x02(?:[\x01\x02\x03\x04])?|\x03(?:[\x01\x02])?))?|\x03(?:(?:\x03(?:\x01(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e])?)?)?|\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13])?|\x02(?:[\x01\x02])?))?|\x05(?:(?:\x02(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07])?)?|\x01(?:[\x01\x02\x03])?))?|\x02(?:(?:[\x01\x02]|\x03(?:\x01(?:[\x01\x02\x03])?)?))?|\x06(?:\x01(?:[\x01\x02\x03\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x07(?:[\x01\x02])?|\x04))?|\x02(?:(?:\x02(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c])?|(?:\x01)?\x01))?)/Rsi"; content:"|81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10|"; within:160; fast_pattern; reference:cve,2016-6366; classtype:misc-attack; sid:2023086; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, created_at 2016_08_25, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_08_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole EK Non-standard base64 Key"; flow:established,from_server; file_data; content:"var "; content:" = |22|"; within:10; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; content:" & 15) << 4)"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017265; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.DarkComet Keepalive Outbound"; flow:to_server,established; content:"KEEPALIVE"; depth:9; pcre:"/^KEEPALIVE\d+$/"; reference:md5,d4f949f268d00522cfbae5d18cbce933; classtype:trojan-activity; sid:2023091; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2016_08_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool obfuscated plugindetect in charcodes w/o sep Jul 10 2013"; flow:established,from_server; file_data; content:"<div>"; content:!"<"; within:1000; pcre:"/^([0-9a-z]{8})?(?P<p>[0-9a-z]{2})(?P<d>(?!(?P=p))[0-9a-z]{2})(?P=p)(?P=d)([0-9a-z]{2}){10}(?P<q>[0-9a-z]{2})[0-9a-z]{2}(?P<dot>[0-9a-z]{2})[0-9a-z]{2}(?P=dot)[0-9a-z]{2}(?P=q)/R"; classtype:trojan-activity; sid:2017346; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Landing Feb 26"; flow:to_server,established; content:"GET"; http_method; content:".html"; http_uri; content:"rackcdn.com|0d 0a|"; http_header; fast_pattern; pcre:"/^\/[a-zA-Z0-9]+\.html$/U"; pcre:"/\x0d\x0aHost\x3a\x20[a-f0-9]{20}-[a-f0-9]{32}\.r[0-9]{1,2}\.cf[0-9]\.rackcdn\.com\x0d\x0a/H"; classtype:social-engineering; sid:2022574; rev:3; metadata:created_at 2016_03_01, former_category CURRENT_EVENTS, updated_at 2016_08_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole EK Variant PDF Download"; flow:established,from_server; content:".pdf"; http_header; fast_pattern:only; file_data; content:"%PDF-"; within:100; flowbits:isset,et.BHEK.PDF; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017416; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt"; flow:established,to_client; file_data; content:"Heap|2E|"; nocase; content:"Heap|2E|"; nocase; distance:0; content:"Heap|2E|"; nocase; distance:0; classtype:shellcode-detect; sid:2013222; rev:4; metadata:created_at 2011_07_06, updated_at 2016_08_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Payload Download Sep 11 2013"; flow:established,to_server; urilen:>56; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:[^&]?(?:3[0-2a-e8-9]|7[x-y6-7\-3]|x[b-e6-9xz]|\-[b-hy-z9]|w[wa-f6-9]|5[2-9a-e]|[47][0-2]|8[a-ez9]|2[d-j]|6[c-e])){5}&[^=]+=(?:[^&]?(?:3[0-2a-e8-9]|7[x-y6-7\-3]|x[b-e6-9xz]|\-[b-hy-z9]|w[wa-f6-9]|5[2-9a-e]|[47][0-2]|8[a-ez9]|2[d-j]|6[c-e])){10}&/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017454; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Challack Tool in use"; flow:no_stream,to_server; flags:R; dsize:1; content:"x"; threshold: type both, track by_dst, seconds 1, count 90; reference:url,www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf; reference:cve,2016-5696; classtype:misc-attack; sid:2023140; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2016_08_29, deployment Datacenter, performance_impact Significant, signature_severity Major, updated_at 2016_08_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Variant PDF Download Sep 11 2013"; flow:established,to_server; urilen:>56; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:[^&](?:5[5-9a-e]|8[9a-e])){5}[^=]+=[^&]+&[^=]+=(?:[^&](?:5[5-9a-f]|8[9a-e])){10}([^&]60[^&]60(?:[^&](?:5[5-9a-f]|8[9a-e])){10})*?&/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017456; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT RST Flood With Window"; flow:no_stream,to_server; flags:R; window:!0; threshold: type both, track by_dst, seconds 1, count 101; reference:url,www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf; reference:cve,2016-5696; classtype:misc-attack; sid:2023141; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2016_08_29, deployment Perimeter, performance_impact Significant, signature_severity Major, updated_at 2016_08_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated base64 decoder Sep 12 2013"; flow:established,from_server; file_data; content:" & 15) << 4)"; content:" & 3) << (3+3))"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017461; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE NetWire / Ozone / Darktrack Alien RAT - Client KeepAlive"; flow:established,to_server; flowbits:isset,ET.NetWire; content:"|01 00 00 00 00|"; depth:5; dsize:6; reference:url,researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic; reference:url,www.circl.lu/pub/tr-23; classtype:trojan-activity; sid:2021978; rev:6; metadata:created_at 2015_10_20, updated_at 2016_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole initial landing/gate"; flow:established,to_server; content:"/jquery/get.php?ver=jquery.latest.js"; http_uri; classtype:trojan-activity; sid:2017481; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER AnonGhost PHP Webshell"; flow:from_server,established; file_data; content:"base64_decode("; content:"Bbm9uR2hvc3Qg"; fast_pattern; classtype:trojan-activity; sid:2023143; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2016_09_01, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2016_09_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Variant PDF Download"; flow:established,to_server; urilen:>48; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=[^&]{10}&[^=]+=[^&]+&[^=]+=[^&]{20}((?P<sep>[^&]{2})(?P=sep)[^&]{20})*?&/U"; flowbits:set,et.BHEK.PDF; flowbits:noalert; classtype:exploit-kit; sid:2017556; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2014-6332 Sep 01 2016 (HFS Actor) M1"; flow:established,from_server; file_data; content:"|26 63 68 72 77 28 32 31 37 36 29 26 63 68 72 77 28 30 31 29 26|"; nocase; content:"|26 63 68 72 77 28 33 32 37 36 37 29|"; nocase; content:"|73 65 74 6e 6f 74 73 61 66 65 6d 6f 64 65 28 29|"; nocase; content:"|72 75 6e 73 68 65 6c 6c 63 6f 64 65 28 29|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023145; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family IEiExploit, performance_impact Low, signature_severity Major, updated_at 2016_09_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Blackhole eval haha"; flow:established,from_server; content:"eval(haha"; fast_pattern:only; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:2020604; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Locky Ransomware Renaming File via SMB"; flow:to_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|11 00|"; distance:8; within:2; content:"|00|.|00|z|00|e|00|p|00|t|00|o|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2023147; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2017_04_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole EK Landing Nov 17 2015"; flow:from_server,established; file_data; content:"|2e 73 74 79 6c 65 2e 6c 65 66 74 3d 3d 3d 22 22 29 7b 67 67 3d 22 67 65 74 41 22 3b 7d 71 71 3d 22 71 22 3b 67 67 2b 3d 22 74 74 72 69 22 3b 66 75 6e 63 74 69 6f 6e 20 63 78 7a 28 29|"; fast_pattern:17,20; classtype:exploit-kit; sid:2022113; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Locky Ransomware Writing Instructions via SMB"; flow:to_server,established; content:"|FE|SMB|40 00|"; offset:4; depth:6; content:"|05 00|"; distance:6; within:2; content:"_|00|H|00|E|00|L|00|P|00|_|00|i|00|n|00|s|00|t|00|r|00|u|00|c|00|t|00|i|00|o|00|n|00|s|00|.|00|h|00|t|00|m|00|l"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2023148; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2017_04_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SchwSonne CnC Beacon M2"; flow:established,to_server; content:"C|7c|P-UID-"; depth:8; fast_pattern; content:"|7c|Microsoft"; distance:0; content:"|7c|["; distance:0; content:"]|7c|"; distance:0; classtype:command-and-control; sid:2025252; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_25, deployment Perimeter, former_category MALWARE, malware_family SchwartzSonnne, signature_severity Major, tag c2, updated_at 2018_01_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $HOME_NET [445,139] (msg:"ET MALWARE Zlader Ransomware Worm Propagating Over SMB v1 ASCII"; flow:to_server,established; content:"|FF|SMB|A2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|24|RECYCLE|2E|BIN|2E 7B|"; nocase; distance:0; fast_pattern; pcre:"/\x24RECYCLE\.BIN\.\x7B[0-9A-F]{8}\x2D(?:[0-9A-F]{4}\x2D){3}[0-9A-F]{12}\x7D\x5C\x7B[0-9A-F]{8}\x2D(?:[0-9A-F]{4}\x2D){3}[0-9A-F]{12}\x7D\.(?:scr|pif|cmd)/i"; threshold:type limit, track by_src, count 10, seconds 60; reference:url,www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_zlader.b; classtype:trojan-activity; sid:2023149; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"document.write(unescape"; nocase; fast_pattern; content:"3C%74%69%74%6C%65%3E%26%23%33%37%30%33%38%3B%26%23%32%30%32%31%34%3B%26%23%33%35%37%37%34%3B%26%23%33%32%36%32%32%3B"; nocase; distance:0; classtype:social-engineering; sid:2025255; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Encoded CVE-2014-6332 (As Observed in SunDown EK) M1"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 31 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 34 31 29|"; classtype:exploit-kit; sid:2023151; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, signature_severity Major, updated_at 2016_09_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Halkbank (TK) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Halkbank|20 c4 b0 6e 74 65 72 6e 65 74 20 c5 9e 75 62 65 73 69|"; within:50; fast_pattern; classtype:social-engineering; sid:2025258; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Encoded CVE-2014-6332 (As Observed in SunDown EK) M2"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 34 39 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29|"; classtype:exploit-kit; sid:2023152; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, signature_severity Major, updated_at 2016_09_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Smail Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"...|7c|1|7c|Smail Code|7c|1|7c|..."; fast_pattern; nocase; content:"ALTER ANYTHING BELOW THIS LINE"; nocase; distance:0; classtype:social-engineering; sid:2025259; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Encoded CVE-2014-6332 (As Observed in SunDown EK) M3"; flow:established,to_client; file_data; content:"|43 68 72 28 33 32 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 30 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 39 37 29 20 26 20 43 68 72 28 31 30 32 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 30 39 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 30 30 29 20 26 20 43 68 72 28 31 30 31 29|"; classtype:exploit-kit; sid:2023153; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, signature_severity Major, updated_at 2016_09_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2018-01-29 M1"; flow:established,to_client; file_data; content:"Apple ID|20 3a|"; within:100; content:"<title>Apple (Switzerland)"; nocase; fast_pattern; classtype:social-engineering; sid:2025260; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/LuaBot CnC Beacon Response"; flow:established,from_server; file_data; content:"script|7c|"; within:7; content:"|7c|endscript"; distance:0; fast_pattern; content:"script|7c|"; distance:0; reference:url,blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html; classtype:command-and-control; sid:2023156; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family Linux_LuaBot, signature_severity Major, tag c2, updated_at 2016_09_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing M2 2018-01-29"; flow:established,to_client; file_data; content:"background|3a 20|#3baee7|3b|"; nocase; distance:0; content:"-webkit-linear-gradient(top, #3baee7, #08c)"; nocase; distance:0; content:"text-shadow|3a 20|1px 1px 3px #666666"; nocase; distance:0; content:"background|3a 20|#3cb0fd|3b|"; nocase; distance:0; content:"-webkit-linear-gradient(top, #3cb0fd, #3498db)"; nocase; distance:0; content:".dark {"; nocase; distance:0; content:"color|3a 20|#525252|3b|"; nocase; distance:0; content:".dark-select {"; nocase; distance:0; content:"background|3a 20|#DFDFDF url('down-arrow.png')"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025261; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 58|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012086; rev:3; metadata:created_at 2010_12_23, updated_at 2016_09_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"Dear <b id=|22|accessreturn|22|>User</b>,"; nocase; fast_pattern; content:"<b>Ticket|20 3a 20|#"; nocase; distance:0; content:"<b>For This Reason|20 3a 20|"; nocase; distance:0; classtype:social-engineering; sid:2025262; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|vuinuzhz.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023157; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"<title"; content:"Office 365"; nocase; within:25; content:"function LoginErrors(){this.userNameFormatError"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2025263; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|18|certificatestatistic.com"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023158; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Onedrive Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"<title"; nocase; content:"OneDrive Online Security"; nocase; within:50; classtype:social-engineering; sid:2025264; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_01_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|careersnetworks.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023159; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Smartsheet Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"<title>Log In|20 7c 20|Smartsheet</title>"; nocase; fast_pattern; content:"<form action="; nocase; distance:0; content:".php|22 20|class=|22|clsJspOuterForm|22 20|id="; nocase; distance:0; content:"method=|22|POST|22 20|name=|22|ctlForm|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025265; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|microsoftstore.local"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023160; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Redirect 2018-01-30"; flow:established,to_client; file_data; content:"<html>|0d 0a|<body>|0d 0a|<script type=|22|text/JavaScript|22|>|0d 0a|<!--|0d 0a|"; nocase; depth:55; content:"setTimeout(|22|location.href|20|=|20 27|redirection.php?"; nocase; within:100; fast_pattern; pcre:"/^[a-z0-9_]{50,}/Ri"; content:"|27 3b 22|,0)|3b 0d 0a|-->|0d 0a|</script>|0d 0a|</body>"; nocase; within:100; classtype:bad-unknown; sid:2025267; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_01_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|fxpsjcklcqf.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023162; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Impots.gouv.fr Phishing Landing 2018-01-30"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Particulier|20 7c 20|impots.gouv.fr"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2025268; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|ywxozojqmcd.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023163; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Turbotax Phishing Landing 2018-01-30"; flow:established,to_client; file_data; content:"<title>My TurboTax"; nocase; fast_pattern; content:"Login to your MyTurboTax account to start"; nocase; distance:0; content:"User ID"; nocase; distance:0; content:"Email Password"; nocase; distance:0; classtype:social-engineering; sid:2025269; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|06|fwafdw"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023164; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-01-30"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Bank of America|20 7c 20|Online Banking"; nocase; within:40; fast_pattern; content:"CONTENT=|22|Unrecognized computer"; nocase; distance:0; content:"SiteKey Challenge Questions"; nocase; distance:0; classtype:social-engineering; sid:2025270; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|business-swiss.online"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023165; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Capital One Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Online Banking - Capital One 360</title>"; nocase; classtype:social-engineering; sid:2025271; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|pro-access.cn"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023166; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Verizon Wireless Phishing Landing 2018-01-30"; flow:established,to_client; file_data; content:"<!-- saved from url="; nocase; within:200; content:"<title"; nocase; distance:0; content:"Sign in"; nocase; within:10; content:"verizonwireless.com"; nocase; within:100; classtype:social-engineering; sid:2025274; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|securefreeonly.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023167; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-31"; flow:established,to_client; file_data; content:"<title"; nocase; content:"P&#97|3b|yP&#97|3b|l"; nocase; within:35; fast_pattern; classtype:social-engineering; sid:2025276; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Hancitor CnC)"; flow:established,from_server; content:"|09 00 ce 75 ce f8 84 a5 7e e5|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023168; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple iTunes Phishing Landing (DE) 2018-01-31"; flow:established,to_client; file_data; content:"<ISONLINE VALUE=TRUE></ISONLINE>"; nocase; within:200; content:"<title>iTunes - Stornierungsformular"; nocase; fast_pattern; classtype:social-engineering; sid:2025277; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1d|ntracking.sys-optimatic.cloud"; distance:1; within:30; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023169; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Hellion Postmaster Phishing Landing 2018-01-31"; flow:established,to_client; file_data; content:"/hellion/postmaster.png"; fast_pattern; nocase; content:"/hellion/logos.png"; nocase; distance:0; classtype:social-engineering; sid:2025279; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|secureinishman.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023170; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Roundcube Multi-Brand Phishing Landing 2018-01-31"; flow:established,to_client; file_data; content:"FILES/jstz.min.js?s="; nocase; fast_pattern; content:"rcube_webmail()"; nocase; distance:0; content:"function MM_findObj"; nocase; distance:0; content:"function MM_validateForm"; nocase; distance:0; classtype:social-engineering; sid:2025280; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|systemresystem.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023171; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Website Phishing Landing - Mirrored Website Comment Observed"; flow:established,to_client; file_data; content:"<!-- Mirrored from "; pcre:"/^(?:www(?:1\.masterconsultas\.com\.ar|\.linkedin\.com)|(?:tools\.google|facebook)\.com|cfspart\.impots\.gouv\.fr)/Ri"; content:"by HTTrack Website Copier/"; distance:0; classtype:social-engineering; sid:2025282; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|secureinterrr100.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023172; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE DDoS Win32/Nitol.A Checkin"; flow:established,to_server; dsize:1000<>1300; content:"|fe ff ff ff|"; content:"|00 00|Win|20|"; fast_pattern; content:"|20|MB"; byte_test:1,>,0x29,-7,relative; byte_test:1,<,0x40,-7,relative; content:"MHz"; distance:0; byte_test:1,>,0x29,-7,relative; byte_test:1,<,0x40,-7,relative; content:"bps"; distance:0; content:"|20|"; distance:-5; within:1; byte_test:1,>,0x29,-2,relative; byte_test:1,<,0x40,-2,relative; reference:md5,990955327075071d4aa1f73c3c6c7e7f; reference:url,blog.netlab.360.com/public-cloud-threat-intelligence-202203/; classtype:command-and-control; sid:2036414; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category MALWARE, malware_family Nitol_DDoS, performance_impact Low, signature_severity Major, updated_at 2018_02_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|supergoodvin888.pw"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023173; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Live Login Phishing Landing 2018-02-01"; flow:established,to_client; file_data; content:"<title>Sign In</title>"; nocase; content:"Outlook.com is a free, personal email service from Microsoft."; nocase; within:150; fast_pattern; classtype:social-engineering; sid:2025284; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|statuscheck.online"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023174; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING TSB Bank / Lloyds Bank Phishing Landing 2018-02-01"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Online Personal Verification"; nocase; within:100; fast_pattern; classtype:social-engineering; sid:2025285; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|Otakkibigytu"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023175; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-01"; flow:established,to_client; file_data; content:"<title>Wells Fargo Online|c2 ae 20|Verification</title>"; nocase; classtype:social-engineering; sid:2025286; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (RockLoader CnC)"; flow:established,from_server; content:"|09 00 cb 68 d8 f0 41 2b 87 4c|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023176; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING AT&T Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"<title>AT&amp|3b|T - Login</title>"; nocase; fast_pattern; content:".php|22 20|method=|22|post|22 20|id=|22|LoginForm|22 20 20|focus=|22|userid|22 20|name=|22|LoginForm|22 20|type=|22|com.sbc.idm.igate_edam.forms.LoginFormBean|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025244; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|host-ui.ru"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023177; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Likely Cloned .EDU Website Phishing Landing 2018-02-02"; flow:established,to_client; file_data; content:"<!-- saved from url=("; within:300; pcre:"/^\s*?\d+?\s*?\)https?:\/\/[^/]+\.edu\//Rsi"; content:"<form"; nocase; distance:0; classtype:social-engineering; sid:2025290; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Ebay Phish Sept 8 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Host|3a 20|107SbTd9CBhSbT"; http_header; nocase; fast_pattern; content:"Referer|3a 20|http|3a 2f 2f|107sbtd9cbhsbt"; http_header; distance:0; content:"email"; nocase; http_client_body; content:"pass"; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023181; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M2"; flow:established,to_client; file_data; content:"<title>Wells Fargo&nbsp|3b|Sign On to View Your Accounts</title>"; nocase; fast_pattern; content:"Online &amp|3b 20|Mobile Security"; nocase; distance:0; classtype:social-engineering; sid:2025293; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OSX/Mokes.A CnC Heartbeat"; flow:established,to_client; dsize:<300; content:"200"; offset:9; depth:3; content:"Content-Type|3a 20|text/html"; content:"Connection|3a 20|close|0d 0a|"; content:"Content-Encoding|3a 20|gzip|0d 0a|"; flowbits:isset,ET.OSX.Mokes; reference:url,securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered; classtype:command-and-control; sid:2023183; rev:2; metadata:affected_product Mac_OSX, created_at 2016_09_08, deployment Perimeter, former_category MALWARE, tag OSX_Malware, updated_at 2016_09_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M3"; flow:established,to_client; file_data; content:"<title>Wells Fargo&nbsp|3b|Sign On to View Your Accounts</title>"; nocase; fast_pattern; content:"View Your Accounts</h1>"; nocase; distance:0; content:"disableSubmitsCollectUserPrefs"; nocase; distance:0; classtype:social-engineering; sid:2025294; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2102314; rev:4; metadata:created_at 2010_09_23, updated_at 2016_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M5"; flow:established,to_client; file_data; content:"<title>Wells Fargo  - Update Your Identification</title>"; nocase; fast_pattern; content:"../css js/passwordReset.css"; within:200; classtype:social-engineering; sid:2025296; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Kaaza Media desktop p2pnetworking.exe Activity"; content:"|e30cb0|"; depth:6; threshold: type limit, track by_dst, count 1 , seconds 600; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000340; classtype:policy-violation; sid:2000340; rev:11; metadata:created_at 2010_07_30, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M6"; flow:established,to_client; file_data; content:"Online Banking Identity Verification Process</TITLE>"; within:300; content:"name=KONICHIWA1"; within:250; classtype:social-engineering; sid:2025297; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 4242 (msg:"GPL DELETED eDonkey transfer"; flow:to_server,established; content:"|E3|"; depth:1; reference:url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html; classtype:policy-violation; sid:2102586; rev:4; metadata:created_at 2010_09_23, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M7"; flow:established,to_client; file_data; content:"<title>Wells Fargo Online&reg|3b 20|Enrollment</title>"; classtype:social-engineering; sid:2025298; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 (CVE 2016-3861) Set"; flow:established,from_server; file_data; content:"ftyp"; fast_pattern; offset:4; depth:4; content:"|00|"; distance:5; within:1; flowbits:set,ET.MP4Stagefright; flowbits:noalert; reference:cve,2016-3861; reference:url,googleprojectzero.blogspot.com.br/2016/09/return-to-libstagefright-exploiting.html; classtype:attempted-user; sid:2023184; rev:2; metadata:created_at 2016_09_12, tag Android_Exploit, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M8"; flow:established,to_client; file_data; content:"<head><!-- WFB 3.4 -->"; within:300; fast_pattern; content:"var bundle|3b|(function(){function a(b){var c=|22 22 3b|for(var d=0,e=b.length|3b|d<e|3b|++d){var f=b.charCodeAt(d)|3b|c+=f>=55296?b[d]|3a|String.fromCharCode"; distance:0; classtype:social-engineering; sid:2025299; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 (CVE 2016-3861) ROP"; flow:established,from_server; content:"ID3"; content:!"|FF|"; within:1; content:"|41 d8 41 d8 41 dc 41 d8 41 d8 41 dc|"; fast_pattern; within:800; pcre:"/^(\x41\xd8\x41\xd8\x41\xdc){2,}\x41\x00/R"; flowbits:isset,ET.MP4Stagefright; reference:cve,2016-3861; reference:url,googleprojectzero.blogspot.com.br/2016/09/return-to-libstagefright-exploiting.html; classtype:attempted-user; sid:2023185; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, performance_impact Low, signature_severity Major, tag Android_Exploit, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M9"; flow:established,to_client; file_data; content:"<title>Wells Fargo - Security Upgrade</title>"; classtype:social-engineering; sid:2025300; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Evil Redirector Leading to EK Sep 12 2016"; flow:established,from_server; content:"Set-Cookie|3a 20|CAMPAIGNE.REFERER_COOKIE="; fast_pattern:12,20; content:"CAMPAIGNE.REFERER_COOKIE="; http_cookie; classtype:exploit-kit; sid:2023187; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EvilTDS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2018_04_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M10"; flow:established,to_client; file_data; content:"<title>Wells Fargo Email Verification"; nocase; fast_pattern; content:"input[type=email], input[type=password]"; nocase; distance:0; classtype:social-engineering; sid:2025301; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data; content:"|25 32 32 25 37 30 25 36 66 25 37 33 25 36 39 25 37 34 25 36 39 25 36 66 25 36 65 25 33 61 25 32 30 25 36 31 25 36 32 25 37 33 25 36 66 25 36 63 25 37 35 25 37 34 25 33 62|"; nocase; classtype:exploit-kit; sid:2023188; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, tag Redirector, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Download of PDF With Uncompressed Flash Content flowbit set"; flow:established,to_client; content:"stream"; content:"|0a|FWS"; within:5; fast_pattern; pcre:"/stream(\x0D\x0A|\x0A)FWS/"; flowbits:set,ET.flash.pdf; flowbits:noalert; reference:url,www.symantec.com/connect/blogs/analysis-zero-day-exploit-adobe-flash-and-reader; reference:url,blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/; classtype:misc-activity; sid:2012906; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_05_31, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest Inject (compromised site) M2 Sep 12 2016"; flow:established,from_server; file_data; content:"|25 33 62 25 36 36 25 36 39 25 36 63 25 37 34 25 36 35 25 37 32 25 33 61 25 36 31 25 36 63 25 37 30 25 36 38 25 36 31 25 32 38 25 36 66 25 37 30 25 36 31 25 36 33 25 36 39 25 37 34 25 37 39 25 33 64 25 33 30 25 32 39 25 33 62 25 32 30 25 32 64 25 36 64 25 36 66 25 37 61 25 32 64 25 36 66 25 37 30 25 36 31 25 36 33 25 36 39 25 37 34 25 37 39 25 33 61 25 33 30 25 33 62 25 32 32 25 33 65|"; nocase; classtype:exploit-kit; sid:2023189; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, tag Redirector, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MeltDown PoC Download In Progress"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|57 53 41 50 41 51|"; content:"|0F AE F0|"; distance:50; within:53; content:"|0F AE|"; distance:15; within:12; pcre:"/^[\x30-\x3f\x7D]/Rs"; content:"|0F AE F0 0F 31|"; distance:45; within:25; content:"|0F AE F0 0F 31|"; distance:17; within:12; reference:cve,2017-5754; classtype:attempted-admin; sid:2025195; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_01_10, deployment Perimeter, former_category EXPLOIT, malware_family MeltDown_Exploit, performance_impact Low, signature_severity Major, updated_at 2018_02_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK EITest Sep 02 M2"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z\d]+[+-][a-z\d]+[+-][a-z\d]+[+-])[a-z\d+-]*\/$/U"; classtype:exploit-kit; sid:2023150; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Spectre PoC Download In Progress"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|E7 03 00 00|"; content:"|48 0F AE|"; distance:17; within:9; pcre:"/^[\x30-\x3f\x7D]/Rs"; content:"|48 0F AE 3D|"; distance:41; within:10; content:"|48 98|"; distance:64; within:22; content:"|0F 01 F9|"; distance:50; within:9; content:"|0F 01 F9|"; distance:30; within:9; reference:cve,2017-5753; reference:cve,2017-5715; classtype:attempted-admin; sid:2025196; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_01_10, deployment Perimeter, former_category EXPLOIT, malware_family Spectre_Exploit, performance_impact Low, signature_severity Major, updated_at 2018_02_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b641)"; flow:established,from_server; file_data; content:"RnVuY3Rpb24gbGVha01lbS"; classtype:exploit-kit; sid:2023190; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Banque Populaire Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:".logo_banque"; nocase; content:",.authentif p.num_carte"; nocase; fast_pattern; content:"<title"; content:"Authentification"; nocase; within:20; classtype:social-engineering; sid:2025306; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b642)"; flow:established,from_server; file_data; content:"Z1bmN0aW9uIGxlYWtNZW0g"; classtype:exploit-kit; sid:2023191; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"PayPaI</title>"; nocase; fast_pattern; content:"application-name content=PayPaI>"; nocase; distance:0; classtype:social-engineering; sid:2025307; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b643)"; flow:established,from_server; file_data; content:"GdW5jdGlvbiBsZWFrTWVtI"; classtype:exploit-kit; sid:2023192; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Antibots Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"<?php|0d 0a|include|20 22|antibots.php|22 3b 0d 0a|?>"; within:100; classtype:social-engineering; sid:2025308; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b644)"; flow:established,from_server; file_data; content:"cHJlZml4ICYgIiV1MDAxNiV1NDE0MSV1NDE0MSV1NDE0MSV1NDI0MiV1NDI0Mi"; classtype:exploit-kit; sid:2023193; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Upgrade Payment Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"ONE MORE STEP"; content:"<title"; nocase; distance:0; content:"Enter Your Credit"; nocase; within:25; content:"UPGRADE PAYMENT"; distance:0; content:"fbCreditCard"; nocase; distance:0; classtype:social-engineering; sid:2025309; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b645)"; flow:established,from_server; file_data; content:"ByZWZpeCAmICIldTAwMTYldTQxNDEldTQxNDEldTQxNDEldTQyNDIldTQyNDIi"; classtype:exploit-kit; sid:2023194; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Yahoo Account Verification Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Yahoo! Account Verification"; nocase; within:40; fast_pattern; classtype:social-engineering; sid:2025311; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b646)"; flow:established,from_server; file_data; content:"wcmVmaXggJiAiJXUwMDE2JXU0MTQxJXU0MTQxJXU0MTQxJXU0MjQyJXU0MjQyI"; classtype:exploit-kit; sid:2023195; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google/Adobe Shared Document Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"<title"; nocase; content:"sign in"; nocase; within:25; content:"MM_validateForm(|27|password|27 2c 27 27 2c 27|R|27 2c 27|mail|27 2c 27 27 2c 27|RisEmail|27 2c 27|phone|27 2c 27 27 2c 27|NisNum|27|)"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025312; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Sep 12 2016 T2"; flow:established,from_server; file_data; content:".split"; nocase; pcre:"/^\s*\(\s*[\x22\x27][\x00-\x09\x80-\xff][\x22\x27]\s*\)\s*\x3b\s*[A-Za-z0-9]+\s*=\s*[\x22\x27]/Rsi"; content:"|01 2e 02 3c 03 3e 04 3d 05 5c 22 06 5c 27 07 29|"; fast_pattern; within:16; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2023196; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family RIG, performance_impact Low, signature_severity Major, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Orange Phishing Landing 2018-02-05 (FR)"; flow:established,to_client; file_data; content:"<title"; content:"pour continuer, identifiez-vous"; nocase; within:50; fast_pattern; content:"index_fichiers/authuser"; nocase; distance:0; content:"title=|22|site orange.fr"; nocase; distance:0; classtype:social-engineering; sid:2025313; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
 
-alert tcp any any -> $HOME_NET 3306 (msg:"ET EXPLOIT Possible MySQL CVE-2016-6662 Attempt"; flow:established,to_server; content:"|03|"; offset:4; content:"unhex"; nocase; distance:0; content:"67656e6572616c5f6c6f675f66696c65"; distance:0; nocase; content:"2e636e66"; nocase; content:"6e6d616c6c6f635f6c6962"; reference:cve,2016-6662; reference:url,legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; classtype:attempted-admin; sid:2023201; rev:1; metadata:affected_product MySQL, attack_target Server, created_at 2016_09_13, deployment Datacenter, updated_at 2016_09_13;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] DorkBot.Downloader CnC Response"; flow:established,to_client; dsize:517; content:"|45 36 27 18|"; depth:4; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; reference:url,www.freebuf.com/articles/terminal/153428.html; reference:url,research.checkpoint.com/dorkbot-an-investigation/; classtype:command-and-control; sid:2025152; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2018_02_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Java Exploit Kit with fast-flux like behavior hostile FQDN - Sep 05 2012"; flow:established,to_server; content:".justdied.com|0d 0a|"; http_header; classtype:exploit-kit; sid:2015681; rev:3; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE [PTsecurity] DorkBot.Downloader CnC Beacon"; flow:established,to_server; dsize:170; content:"|45 36 27 18 08 20|"; depth:6; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; reference:url,www.freebuf.com/articles/terminal/153428.html; reference:url,research.checkpoint.com/dorkbot-an-investigation/; classtype:command-and-control; sid:2025153; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_02_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"<DIR>"; content:"File(s)"; distance:0; content:"Dir(s)"; content:"bytes free"; fast_pattern; distance:0; classtype:trojan-activity; sid:2023205; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2016_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Spectre Kernel Memory Leakage JavaScript (POC Based)"; flow:established,from_server; file_data; content:"<script"; content:"|3c 20|simpleByteArray.length|29|"; distance:0; content:"simpleByteArray|5b|"; within:50; content:"|2a 20|TABLE1_STRIDE|29 7c 30 29 20 26 20 28|TABLE1_BYTES-1|29|"; distance:0; fast_pattern; content:"|5e 3d 20|probeTable|5b|"; distance:0; content:"|7c 30 5d 7c 30 3b|"; distance:0; reference:cve,2017-5753; reference:cve,2017-5715; reference:url,spectreattack.com/spectre.pdf; classtype:attempted-user; sid:2025184; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2018_02_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows Microsoft Windows DOS prompt command Error Invalid Argument"; flow:established,to_server; content:"ERROR|3a| Invalid Argument/Option"; fast_pattern; classtype:trojan-activity; sid:2023206; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Spectre Kernel Memory Leakage JavaScript"; flow:established,from_server; file_data; content:"<script"; nocase; content:"<"; distance:0; content:".length"; distance:0; nocase; fast_pattern; pcre:"/^\s*?\)\s*?\{\s*(?P<var>[^\s]+)\s*=[^\x5b]+?\x5b\s*(?P=var)\s*?\|\s*?0\s*?\]\s*?\x3b\s*?/Rsi"; content:"^="; distance:0; pcre:"/^\s*[^\s]+\x5b\s*?[^\x5d\x7c]+\x7c\s*?0\s*?\x5d\s*?\x7c\s*?0\s*?\x3b/Rsi"; reference:cve,2017-5753; reference:cve,2017-5715; reference:url,github.com/cgvwzq/spectre; classtype:attempted-user; sid:2025185; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2018_02_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows Microsoft Windows DOS prompt command Error not recognized"; flow:established,to_server; content:"|27| is not recognized as an internal or external command|2c|"; content:"operable program or batch file."; fast_pattern; classtype:trojan-activity; sid:2023207; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing 2018-02-06"; flow:established,to_client; file_data; content:"content=|22|Connecting to PDSA"; nocase; within:600; content:"<title>Sign In</title>"; nocase; distance:0; content:"function LoginErrors(){this.userNameFormatError"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025316; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows Microsoft Windows DOS prompt command Error not found"; flow:established,to_server; content:"The following command was not found|3a 20|"; classtype:trojan-activity; sid:2023208; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Google|20 7c 20|Drive , Safe"; nocase; fast_pattern; content:"your email provider"; nocase; distance:0; classtype:social-engineering; sid:2025322; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows net statistics workstation Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Workstation Statistics for |5c 5c|"; fast_pattern; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][A-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}/Rsi"; classtype:trojan-activity; sid:2023209; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Business Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>DropBox Buisness</title>"; nocase; classtype:social-engineering; sid:2025323; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows net statistics server Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Server Statistics for |5c 5c|"; fast_pattern; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][A-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}/Rsi"; classtype:trojan-activity; sid:2023210; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Apple - Login"; nocase; content:"href=|22|incorrect_files/"; nocase; distance:0; classtype:social-engineering; sid:2025324; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows driverquery -v Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Module Name"; content:"Display Name"; content:"Description"; content:"Driver Type"; fast_pattern; classtype:trojan-activity; sid:2023211; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Verification Phishing Landing 2018-01-31"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Mail Verification"; nocase; within:50; fast_pattern; content:"your mailbox"; nocase; distance:0; content:"email password"; nocase; distance:0; content:"All rights reserved"; nocase; distance:0; classtype:social-engineering; sid:2025278; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows driverquery -si Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"DeviceName"; fast_pattern; content:"InfName"; content:"IsSigned"; content:"Manufacturer"; classtype:trojan-activity; sid:2023212; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Upgrade Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Mail Settings|20 7c 20|Email"; nocase; within:40; fast_pattern; classtype:social-engineering; sid:2025310; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows qwinsta Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"SESSIONNAME"; fast_pattern; content:"USERNAME"; content:"ID"; content:"STATE"; content:"TYPE"; content:"DEVICE"; classtype:trojan-activity; sid:2023213; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Business Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"background-color|3a 20|#ffffff|3b|border|3a 20|1px solid #d0d4d9|3b|box-shadow|3a 20|4px 4px 4px #d0d4d9|3b|"; nocase; content:"id=|22|wk|22 20|name=|22|wk|22 20|method=|22|post|22|"; nocase; distance:0; fast_pattern; content:"Sign In To View"; nocase; distance:0; classtype:social-engineering; sid:2025325; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows quser Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"USERNAME"; fast_pattern; content:"SESSIONNAME"; content:"ID"; content:"STATE"; content:"IDLE TIME"; content:"LOGON TIME"; classtype:trojan-activity; sid:2023214; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Web App Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Sign in</title>"; nocase; content:"border|3a 20|1px solid #848484|3b|"; nocase; distance:0; content:"background-color|3a 20|#fff3c0|3b|"; nocase; distance:0; content:"left|3a|389px|3b 20|top|3a|0px|3b 20|width|3a|507px|3b 20|height|3a|474px|3b 20|z-index|3a|0"; nocase; distance:0; content:"<input name=|22|userid|22|"; nocase; distance:0; content:"<input name=|22|formtext2|22|"; nocase; distance:0; classtype:social-engineering; sid:2025326; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows gpresult Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Operating System Group Policy Result tool v"; fast_pattern; classtype:trojan-activity; sid:2023215; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Chase Online - Logon"; nocase; fast_pattern; content:"<!--POH-->"; nocase; distance:0; content:"function AllowNoDups()"; nocase; distance:0; classtype:social-engineering; sid:2025328; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC OS get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Boot Device"; fast_pattern; content:"Build Number"; content:"Build Type"; classtype:trojan-activity; sid:2023217; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Verification Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Admin|20 7c 20|Upgrade|3b|</title>"; nocase; fast_pattern; classtype:social-engineering; sid:2025329; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC COMPUTERSYSTEM get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AdminPasswordStatus"; fast_pattern; content:"AutomaticManagedPagefile"; content:"Build Type"; classtype:trojan-activity; sid:2023218; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY [Fidelis] Abnormal x509v3 SubjectKeyIdentifier extension"; flow:established,from_server; dsize:>768; content:"|16 03|"; depth:2; content:"|06 03 55 1d 0e 04|"; offset:336; pcre:"/^.\x04[^\x08\x10\x14\x20\x30\x40]/R"; threshold: type limit, track by_src, seconds 30, count 1; reference:url,www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities; classtype:misc-attack; sid:2025319; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2018_02_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC NETLOGIN get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AccountExpires"; fast_pattern; content:"AuthorizationFlags"; content:"BadPasswordCount"; classtype:trojan-activity; sid:2023219; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY [Fidelis] Abnormal Very Long x509v3 SubjectKeyIdentifier Extension"; flow:established,from_server; dsize:>768; content:"|16 03|"; depth:2; content:"|06 03 55 1d 0e 04|"; offset:336; pcre:"/^[\x80-\xff]/R"; threshold: type limit, track by_src, seconds 30, count 1; reference:url,www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities; classtype:misc-attack; sid:2025320; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2018_02_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC NIC get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AdapterType"; fast_pattern; content:"AdapterTypeId"; content:"AutoSense"; classtype:trojan-activity; sid:2023220; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus/Reveton checkin to /images.rar"; flow:established,to_server; content:"/images.rar"; fast_pattern; depth:11; http_uri; content:"User-Agent|3a 20|Internet Explorer"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^Host\x3a (\d+\.){3}\d+$/Dm"; reference:md5,2697e2b81ba1c90fcd32e24715fcf40a; classtype:command-and-control; sid:2014135; rev:4; metadata:created_at 2012_01_19, former_category MALWARE, updated_at 2018_02_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC PROCESS get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"CSCreationClassName"; fast_pattern; content:"CSName"; content:"Description"; content:"ExecutablePath"; classtype:trojan-activity; sid:2023221; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Known Reveton Domain HTTP whatwillber.com"; flow:established,to_server; content:"whatwillber.com|0d 0a|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015874; rev:6; metadata:created_at 2012_11_09, former_category TROJAN, updated_at 2018_02_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC SERVER get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"BlockingRequestsRejected"; fast_pattern; content:"BytesReceivedPersec"; content:"BytesTotalPersec"; content:"ExecutablePath"; classtype:trojan-activity; sid:2023222; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ASB Bank Phishing Landing 2018-02-09 M2"; flow:established,to_client; file_data; content:"<title>ASB Bank - Log in"; nocase; fast_pattern; content:"<img src=|22|https://online.asb.co.nz/auth/img/logo-asb.png|22 20|alt=|22|ASB Logo|22|"; nocase; distance:0; content:".php|22 20|autocomplete=|22|off|22 20|aria-autocomplete=|22|none|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025336; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC SHARE get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AccessMask"; fast_pattern; content:"AllowMaximum"; content:"Caption"; content:"Description"; classtype:trojan-activity; sid:2023224; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ASB Bank Phishing Landing 2018-02-09 M1"; flow:established,to_client; file_data; content:"<title>ASB Bank - Log in"; nocase; fast_pattern; content:"<img src=|22|logo-asb.png|22 20|alt=|22|ASB Logo|22|"; nocase; distance:0; content:".php|22 20|id=|22|login|22 20|autocomplete=|22|off|22|"; nocase; distance:0; classtype:social-engineering; sid:2025334; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC SYSACCOUNT get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Caption"; content:"Description"; content:"Domain"; content:"InstallDate"; content:"LocalAccount"; fast_pattern; classtype:trojan-activity; sid:2023225; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-09"; flow:established,to_client; file_data; content:"<title>Wells Fargo Online</title>"; nocase; fast_pattern; content:"View Your Accounts"; nocase; distance:0; content:"placeholder=|22|Personal ID"; nocase; distance:0; content:"Connection Secured"; nocase; distance:0; classtype:social-engineering; sid:2025337; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC STARTUP get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Caption"; content:"Command"; content:"Description"; content:"Location"; content:"UserSID"; fast_pattern; classtype:trojan-activity; sid:2023226; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LinkedIn Phishing Landing 2018-02-09 M1"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Sign In to LinkedIn|20 7c 20|LinkedIn"; nocase; within:40; classtype:social-engineering; sid:2025335; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PC Support Tech Support Scam Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>PC Support"; nocase; fast_pattern; content:"getParameterByName"; nocase; distance:0; content:"decodeURIComponent"; nocase; distance:0; content:"FormattedNumber"; nocase; distance:0; content:"showRecurringPop"; nocase; distance:0; classtype:social-engineering; sid:2023238; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-09"; flow:established,to_client; file_data; content:"<title>Facebook</title>"; nocase; fast_pattern; content:"We didn't recognize your email address or phone number"; nocase; distance:0; content:"theForm.pass.value.length"; nocase; distance:0; classtype:social-engineering; sid:2025339; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_09;)
 
-#alert tcp any any -> any any (msg:"ET DELETED LuminosityLink - Data Channel Server Response 2"; flow:established,to_client; content:"8_=_8"; isdataat:!1,relative; dsize:<25; classtype:trojan-activity; sid:2022708; rev:2; metadata:created_at 2016_04_06, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Revalidation Phishing Landing 2018-02-09"; flow:established,to_client; file_data; content:"<title>Re-Validate Your Mailbox</title>"; nocase; fast_pattern; classtype:social-engineering; sid:2025340; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_09;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|curenasriense.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023243; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-12"; flow:established,to_client; file_data; content:"hackgallo10k.png"; within:500; nocase; fast_pattern; content:"Facebook application"; nocase; distance:0; classtype:social-engineering; sid:2025341; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_11;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|transadvert.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023244; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-02-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"One Drive Cloud Document"; nocase; within:40; fast_pattern; content:"function popupwnd(url,"; nocase; distance:0; classtype:social-engineering; sid:2025342; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|glob-marketing.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023245; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo"; nocase; distance:0; content:"if(user.length<6){alert("; nocase; distance:0; content:"if(pass.length<6){alert("; nocase; distance:0; classtype:social-engineering; sid:2025343; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 8F|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012088; rev:3; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2016_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-13 M1"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Facebook Application"; nocase; within:30; fast_pattern; content:"placeholder=|22|Password"; nocase; distance:0; classtype:social-engineering; sid:2025347; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows sc query Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"SERVICE_NAME|3A|"; content:"DISPLAY_NAME|3A|"; content:"TYPE"; content:"STATE"; classtype:trojan-activity; sid:2023246; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_16, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-13 M2"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Facebook"; nocase; within:20; content:"k7LsZ6Kzebp.css"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025348; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 19 2016"; flow:established,from_server; file_data; content:"|29 2b 22 2e 49 65 56 22 2b|"; fast_pattern; content:"|29 2b 22 58 4f 22 2b|"; content:"|6e 65 77 20 77 69 6e 64 6f 77 5b 22 41 22 2b|"; content:"|29 7b 72 65 74 75 72 6e|"; content:"|2e 74 6f 53 74 72 69 6e 67|"; classtype:exploit-kit; sid:2023248; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilRedirector, malware_family Magnitude, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox/OneDrive Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title"; nocase; content:"One Place For All Your Files"; within:60; nocase; content:"function popupwnd(url, toolbar"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025327; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 19 2016 (EItest Inject)"; flow:established,from_server; file_data; content:"3a-20-61-62-73-6f-6c-75-74-65-3b-7a-2d-69-6e-64-65-78-3a-2d-31-3b"; nocase; classtype:exploit-kit; sid:2023250; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilTDS, malware_family EITest, signature_severity Major, tag Redirector, updated_at 2016_09_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LinkedIn Phishing Landing 2018-02-13"; flow:established,to_client; file_data; content:"<title>Business|20 7c 20|LinkedIn"; nocase; fast_pattern; content:"<title>Sign Up</title>"; nocase; distance:0; classtype:social-engineering; sid:2025349; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 19 2016 (EItest Inject) M2"; flow:established,from_server; file_data; content:"|32 32 2d 36 66 2d 37 30 2d 36 31 2d 37 31 2d 37 35 2d 36 35 2d 32 32 2d 32 66 2d 33 65 2d 33 63 2d 32 66 2d 36 66 2d 36 32 2d 36 61 2d 36 35 2d 36 33 2d 37 34 2d 33 65 2d 30 64 2d 30 61 2d 33 63 2d 32 66 2d 36 34 2d 36 39 2d 37 36 2d 33 65 22 2e 72 65 70 6c 61 63 65 28 2f 2d 2f 67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65|"; nocase; classtype:exploit-kit; sid:2023251; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilTDS, malware_family EITest, signature_severity Major, tag Redirector, updated_at 2016_09_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-13"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo - Verification"; nocase; within:40; fast_pattern; content:"account was suspended"; nocase; distance:0; content:"enable verification process"; nocase; distance:0; classtype:social-engineering; sid:2025351; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M1"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P<space>[\s\r\n]+)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025052; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_07, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Capital One Phishing Landing 2018-02-13 M2"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Validate Your Card Information"; nocase; within:50; fast_pattern; content:"</capitaloneheader>"; nocase; distance:0; classtype:social-engineering; sid:2025352; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025053; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Capital One Phishing Landing 2018-02-13 M1"; flow:established,to_client; file_data; content:"ng-app=|22|signInControllerApp|22|"; nocase; within:100; content:"<title>Sign In</title>"; nocase; distance:0; content:"href=|22|index_fichiers/favicon.ico"; nocase; distance:0; content:"usabilla_live_button_container"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025350; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M3"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025054; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Email Validation Phishing Landing 2018-02-13"; flow:established,to_client; file_data; content:"function validateForm()"; nocase; content:"email.match(/fuck"; nocase; distance:0; content:"email.match(/asshole"; nocase; distance:0; content:"email.match(/dickhead"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025353; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M4"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025055; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing 2018-02-14"; flow:established,to_client; file_data; content:"<title"; nocase; content:"dropbox"; nocase; within:10; content:"text/css|22|>.hny-htirfw"; nocase; fast_pattern; within:100; content:"class=|22|psw_error"; nocase; distance:0; classtype:social-engineering; sid:2025355; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M5"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025056; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Linkedin Phishing Landing 2018-02-14"; flow:established,to_client; file_data; content:"<title>Business|20 7c 20|LinkedIn</title>"; nocase; content:"function MM_validateForm()"; nocase; distance:0; content:"#a11y-content"; nocase; distance:0; classtype:social-engineering; sid:2025356; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M6"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025057; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-14"; flow:established,to_client; file_data; content:"<title>Account Recovery Information</title>"; nocase; fast_pattern; content:"<title>Account Recovery Information</title>"; nocase; distance:0; content:"facebook account has been disabled"; nocase; distance:0; classtype:social-engineering; sid:2025357; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M7"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P<space>[\s\r\n]+)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025058; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Website Phishing Landing - Saved Website Comment Observed"; flow:established,to_client; file_data; content:"<!-- saved from url=("; within:300; pcre:"/^\s*?\d+?\s*?\)(?:https://(?:w(?:ww(?:\.(?:(?:bankofamerica|paypal|ups|wellsfargo)\.com|a(?:dobecloud\.com|mazon\.co\.jp)|tax\.service\.gov\.uk|cibc\.mobi)|1\.royalbank\.com)|ebmail\.(?:i(?:llinois|ndstate)\.ed|optusnet\.com\.a)u)|(?:s(?:i(?:tekey\.bankofamerica|gnin\.ebay)|ecure(?:\.bankofamerica|05c\.chase))|login\.(?:(?:microsoftonlin|liv)e|verizonwireless|alibaba)|my\.screenname\.aol)\.com|(?:(?:ex(?:change\.(?:louisvill|purdu)|mail\.oregonstat)e|owa\.uaa\.alaska)\.ed|ib\.nab\.com\.a)u|voscomptesenligne\.labanquepostale\.fr|auth\.centurylink\.net)|/logon/logon/chaseOnline|#www\.kucoin\.com)/Rsi"; classtype:social-engineering; sid:2025281; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M8"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025059; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title>Online...... - Berliner....</title>"; nocase; fast_pattern; content:"berliner-sparkasse.de"; nocase; distance:0; classtype:social-engineering; sid:2025361; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 2"; flow:established,to_server; content:"/search/?"; http_uri; depth:10; pcre:"/^\x2Fsearch\x2F\x3F[a-z]{2,5}\x3D/U"; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019391; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title>Dropbox</title>"; within:300; nocase; fast_pattern; content:"featuredcontentglider.init({"; nocase; distance:0; content:"#yregbnr #yregbnrti #yregbnrtii"; nocase; distance:0; classtype:social-engineering; sid:2025362; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 3"; flow:established,to_server; content:"GET"; http_method; content:"/results/?text="; http_uri; depth:15; content:"&utm="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019392; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"images/fbgiftscards.jpg"; within:100; fast_pattern; content:"CavalryLogger="; nocase; distance:0; content:"Facebook</title>"; nocase; content:"function Form1_Validator"; nocase; distance:0; content:"var alertsay"; nocase; distance:0; classtype:social-engineering; sid:2025363; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 4"; flow:established,to_server; content:"GET"; http_method; content:"/find/?utm="; http_uri; depth:11; content:"&oprnd="; http_uri; content:"&channel="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019393; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M1"; flow:established,to_client; file_data; content:"<title>Wells Fargo BANK</title>"; fast_pattern; content:"Access Your Accounts</div>"; nocase; distance:0; classtype:social-engineering; sid:2025292; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 5"; flow:established,to_server; content:"GET"; http_method; content:"/watch/?"; http_uri; depth:8; content:"channel="; http_uri; content:"&utm="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; reference:md5,ee64d3273f9b4d80020c24edcbbf961e; classtype:command-and-control; sid:2019394; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title"; content:"Dropbox Verification"; within:30; nocase; fast_pattern; content:"PhoneVerificationChallenge"; nocase; distance:0; content:"RecoveryEmailChallenge"; nocase; distance:0; classtype:social-engineering; sid:2025365; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:"/close/?channel="; http_uri; depth:16; content:"&ags="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019390; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title>Chase Online - Logon</title><!--"; nocase; fast_pattern; classtype:social-engineering; sid:2025366; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2015-2419 As observed in Magnitude EK"; flow:established,from_server; file_data; content:"|5b 30 78 35 33 2c 20 30 78 35 35 2c 20 30 78 35 36 2c 20 30 78 65 38 2c 20 30 78 30 39 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 35 65 2c 20 30 78 35 64 2c 20 30 78 35 62 2c 20 30 78 38 62 2c 20 30 78 36 33 2c 20 30 78 30 63 2c 20 30 78 63 32 2c 20 30 78 30 63 2c 20 30 78 30 30 2c 20 30 78 39 30 5d|"; nocase; content:"|30 78 31 32 38 65 30 30 32 30|"; nocase; content:"|4a 53 4f 4e|"; nocase; content:"|73 74 72 69 6e 67 69 66 79|"; nocase; classtype:exploit-kit; sid:2023253; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_21, deployment Perimeter, former_category EXPLOIT, malware_family Magnitude, signature_severity Major, tag Magnitude_EK, updated_at 2016_09_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Square Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"/* VODKA */"; fast_pattern; content:"<form action=|22|--WEBBOT-SELF--"; nocase; distance:0; classtype:social-engineering; sid:2025367; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET PHISHING DNS Query to Ebay Phishing Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|107sbtd9cbhsbtd5d80"; fast_pattern; distance:0; nocase; threshold:type limit, track by_src, count 1, seconds 30; classtype:social-engineering; sid:2023180; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing_07012016, updated_at 2017_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Multi-Account Phish 2018-02-16"; flowbits:isset,ET.genericphish; file_data; content:"<input id=|22|login-username|22 20|name=|22|username|22 20|value=|22|"; nocase; content:"<input name=|22|password|22 20|value="; nocase; distance:0; content:"autocomplete=|22|current-password|22|"; nocase; distance:0; content:"Wrong password. Try again or click Forgot password"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025368; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|ns-cheap.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023262; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Spotify Phishing Landing 2018-02-19"; flow:established,to_client; file_data; content:"<title>Login - Spotify</title>"; nocase; fast_pattern; content:"LOGIN WITH FACEBOOK"; nocase; distance:0; content:"spotify.com"; nocase; distance:0; classtype:social-engineering; sid:2025369; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_19;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|gl-markt.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023263; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Smartermail Phishing Landing 2018-02-20"; flow:established,to_client; file_data; content:"<title"; content:"SmarterMail"; nocase; within:20; fast_pattern; content:"<form method=|22|post|22 20|action=|22|login.php|22 20|id=|22|aspnetForm|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025371; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_20;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|hoonietospeed.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023264; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING USAA Phishing Landing 2018-02-20"; flow:established,to_client; file_data; content:"<title"; nocase; content:"USAA / Welcome to USAA"; nocase; distance:0; fast_pattern; content:".php|22 20|method=|22|POST|22 20|id=|22|Logon|22 20|name=|22|Logon|22 20|class=|22|yuimenubaritemlabel|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025372; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_20;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|dnbcheck.pw"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023265; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Yahoo Phishing Landing 2018-02-20"; flow:established,to_client; file_data; content:"<title>Securite utilisateur</title>"; nocase; fast_pattern; content:"<title>S&eacute|3b|curite Yahoo</title>"; nocase; distance:0; classtype:social-engineering; sid:2025373; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_20;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|statway.online"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023266; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-22"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo Sign On to Unlock Your Accounts"; nocase; within:50; classtype:social-engineering; sid:2025377; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_22;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|petetongtt.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023267; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing 2018-02-22"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Sign In"; nocase; within:15; content:"Validate"; nocase; within:20; content:"personal Microsoft account"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2025378; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_22;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|09 00 e4 52 b4 b2 9e 40 bd 86|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0d|Synology Inc."; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023268; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Upgrade Advantage Phishing Landing 2018-02-22"; flow:established,to_client; file_data; content:"<img src=|22|./hellion/logo1.png"; nocase; fast_pattern; content:"method=|22|post|22 20|action=|22|post.php"; nocase; distance:0; classtype:social-engineering; sid:2025379; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_22;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|verifybyamexcards.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023269; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-22"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo - Please confirm your identity"; fast_pattern; within:50; nocase; content:"For security reasons"; nocase; distance:0; content:".php|22 20|novalidate=|22 22|"; nocase; distance:0; classtype:social-engineering; sid:2025380; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_22;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SUSPICIOUS DTLS Pre 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 01 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018559; rev:2; metadata:created_at 2014_06_13, former_category CURRENT_EVENTS, updated_at 2014_06_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Craigslist Phishing Landing 2018-02-26"; flow:established,to_client; file_data; content:"<title"; nocase; content:"craigslist - account log in"; nocase; fast_pattern; within:30; content:".php|22 20|method=|22|POST|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025394; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_26;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SUSPICIOUS DTLS 1.2 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe fd 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018561; rev:3; metadata:created_at 2014_06_13, former_category CURRENT_EVENTS, updated_at 2014_06_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Mobile Phishing Landing 2018-02-26"; flow:established,to_client; file_data; content:"<title>Login</title>"; nocase; content:"mbasic.facebook.com"; nocase; distance:0; content:"name=|22|username|22 20|autocomplete=|22|off|22 20|placeholder=|22|E-mail|22|"; nocase; distance:0; fast_pattern; content:"name=|22|password|22 20|autocomplete=|22|off|22 20|placeholder=|22|Password|22|"; nocase; distance:0; classtype:social-engineering; sid:2025396; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_26;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|dnbcheck.site"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023286; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Update Phishing Landing 2018-02-26"; flow:established,to_client; file_data; content:"<img src=|22|./hellion/logo.png"; nocase; fast_pattern; content:"<form method=|22|post|22 20|action=|22|post.php|22|>"; nocase; distance:0; content:"<input name=|22|email|22 20|type=|22|hidden|22|"; nocase; distance:0; classtype:social-engineering; sid:2025397; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_26;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|mainmar.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023287; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Amazon Phishing Landing (DE) 2018-02-26"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Amazon.de - Kontofreischaltung"; nocase; within:40; fast_pattern; content:"$(|22|#browser_info|22|).val(client.getBrowser"; nocase; distance:0; content:"$(|22|#os_info|22|).val(client.getOS()"; nocase; distance:0; classtype:social-engineering; sid:2025398; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BleedingLife EK Payload Request"; flow:to_server,established; content:"GET"; http_method; content:".php?e="; http_uri; fast_pattern; content:"&h="; content:!"Referer|3a|"; http_header; pcre:"/\.php\?e=\d{4}\-\d{4}&h=[a-f0-9]{32}$/Ui"; flowbits:set,ET.BleedingLife.Payload; classtype:exploit-kit; sid:2023290; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Exploit_Kit, malware_family BleedingLife, signature_severity Major, tag BleedingLifeEK, updated_at 2016_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Browser Plugin Detect - Observed in Phish Landings"; flow:established,to_client; file_data; content:"#browser_info"; content:"getBrowserMajorVersion()"; nocase; distance:0; fast_pattern; content:"#os_info"; nocase; distance:0; content:"getOSVersion()"; nocase; distance:0; content:"getScreenPrint()"; nocase; distance:0; content:"getPlugins()"; nocase; distance:0; content:"getJavaVersion()"; nocase; distance:0; content:"getFlashVersion()"; nocase; distance:0; content:"getSilverlightVersion()"; nocase; distance:0; classtype:social-engineering; sid:2025399; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2018_02_26;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET busybox MIRAI hackers - Possible Brute Force Attack"; flow:to_server,established; content:"MIRAI"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023019; rev:2; metadata:attack_target Server, created_at 2016_08_08, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2016_09_26;)
+alert udp any 11211 -> $EXTERNAL_NET any (msg:"ET DOS Possible Memcached DDoS Amplification Response Outbound"; flowbits:isset,ET.memcached.ddos; content:"STATS|20|pid"; depth:9; fast_pattern; threshold: type both, count 100, seconds 60, track by_dst; reference:url,blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/; classtype:attempted-dos; sid:2025402; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Server, created_at 2018_03_01, deployment Perimeter, former_category DOS, performance_impact Low, signature_severity Major, updated_at 2018_03_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|secursitenot.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023294; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $EXTERNAL_NET 11211 -> $HOME_NET any (msg:"ET DOS Possible Memcached DDoS Amplification Inbound"; content:"STATS|20|pid"; depth:9; fast_pattern; threshold: type both, count 100, seconds 60, track by_dst; reference:url,blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/; classtype:attempted-dos; sid:2025403; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2018_03_01, deployment Perimeter, former_category DOS, performance_impact Low, signature_severity Major, updated_at 2018_03_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|gtldsfs.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023295; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing Oct 04 2017"; flow:established,to_client; file_data; content:"|0d 0a 54 68 65 6d 65 20 4e 61 6d 65 3a 20|"; within:100; content:"|0d 0a 41 75 74 68 6f 72 3a 20 4d 4b 28 72 6a 29|"; within:100; fast_pattern; classtype:social-engineering; sid:2024799; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_02;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|cdnfastnetwork.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023296; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"ET CURRENT_EVENTS CERTEGO Possible JScript Coming Over SMB v2"; flow:established,from_server; content:"|FE|SMB"; offset:4; depth:8; content:"|08 00|"; distance:8; within:10; content:"var"; distance:48; fast_pattern; content:"="; distance:0; isdataat:2,relative; reference:url,twitter.com/SettiDavide89/status/970965983228723201; reference:url,www.certego.net/it/news/quant-url/; classtype:trojan-activity; sid:2025409; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_06, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2018_03_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 26 2016 T2"; flow:established,from_server; file_data; content:"|6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; pcre:"/^\s*\x27[^\x27]+\x27width=\x27250\x27\sheight=\x27250\x27>\s*<\/iframe>\s*<\/div>/R"; classtype:exploit-kit; sid:2023303; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_27, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-03-08"; flow:established,to_client; file_data; content:"<title>One Drive Cloud Document Sharing"; nocase; fast_pattern; content:"function popupwnd(url"; nocase; distance:0; content:"'no','no','no','no','no','no'"; nocase; distance:0; classtype:social-engineering; sid:2025410; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET busybox ECCHI hackers - Possible Brute Force Attack"; flow:to_server,established; content:"ECCHI"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023304; rev:1; metadata:attack_target Server, created_at 2016_09_27, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2016_09_27;)
+#alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response"; content:"|C0 0C 00 10 00 01|"; content:"|00 dd dc|"; distance:4; within:3; content:!"v="; distance:0; content:!"p="; distance:0; content:!"spf2.0/"; content:!"spf1"; distance:0; content:!"|7c|"; distance:0; content:!"_domainkey"; classtype:command-and-control; sid:2013935; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2011_11_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2018_03_05;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|arcnetcdn.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023308; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_28, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chalbhai Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"document.forms[|22|chalbhai|22|][|22|password|22|]"; nocase; classtype:social-engineering; sid:2025418; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_12;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|sdpvss.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023309; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_28, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Upgrade Email Account Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Secure Login|20 7c 20|E-Mail Administrator"; within:40; nocase; fast_pattern; content:"upgrade your mailbox"; nocase; distance:0; classtype:social-engineering; sid:2025421; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 20 2016"; flow:established,from_server; file_data; content:"Base64.encode(rc4("; nocase; fast_pattern; content:"+|22 3a|timeDelta|2c 22|+"; nocase; content:"cfg.key|29 29|"; nocase; distance:0; pcre:"/^[\x3b\x2c]postRequest\x28cfg\.urlSoftDetectorCallback/Ri"; classtype:exploit-kit; sid:2023252; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, deployment Perimeter, malware_family EvilTDS, malware_family Malvertising, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Retrieve Pending Emails Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Retrieve Pending Emails"; within:30; nocase; fast_pattern; content:"receive any pending mails on server after login"; nocase; distance:0; classtype:social-engineering; sid:2025422; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_12;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible Cisco IKEv1 Information Disclosure Vulnerability CVE-2016-6415"; dsize:>828; content:"|00 00 00 00 00 00 00 00 01 10|"; offset:8; depth:10; content:"|80 02 00|"; distance:30; byte_test:1,<,3,0,relative; byte_test:1,>,0,0,relative; content:"|80 04 00 01 00 06|"; distance:1; within:6; fast_pattern; byte_test:2,>,768,0,relative; reference:cve,2016-6415; classtype:attempted-user; sid:2023311; rev:1; metadata:affected_product Cisco_PIX, attack_target Networking_Equipment, created_at 2016_09_29, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2016_09_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Ourtime Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"ourtime.com - the 50+ single network"; nocase; within:40; fast_pattern; content:"<form method=|22|post|22 20|action=|22|post.php|22|"; nocase; distance:0; classtype:social-engineering; sid:2025423; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP QVOD Related Spyware/Malware User-Agent (Qvod)"; flow:established,to_server; content:"User-Agent|3a| Qvod"; nocase; http_header; reference:url,www.siteadvisor.com/sites/update.qvod.com; reference:url,www.threatexpert.com/reports.aspx?find=update.qvod.com; reference:url,doc.emergingthreats.net/2009785; classtype:pup-activity; sid:2009785; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2016_09_29;)
+alert tcp any any -> $HOME_NET 25 (msg:"ET EXPLOIT [PT Security] Exim <4.90.1 Base64 Overflow RCE (CVE-2018-6789)"; flow: established,to_server,only_stream; content:"|0D 0A|AUTH"; pcre:"/AUTH\s+\S+\s+(?:[a-zA-Z0-9\+\/=]{4})*+[a-zA-Z0-9\+\/=]{3}\s/"; reference:cve,2018-6789; reference:url,devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/; reference:url,github.com/ptresearch/AttackDetection/blob/master/CVE-2018-6789/cve-2018-6789.rules; classtype:attempted-admin; sid:2025427; rev:1; metadata:attack_target SMTP_Server, created_at 2018_03_13, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Minor, updated_at 2018_03_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Eval With Base64.decode seen in DOL Watering Hole Attack 05/01/13"; flow:established,from_server; content:"Base64.decode"; nocase; fast_pattern:only; content:"eval("; nocase; pcre:"/^[\r\n\s]*?Base64\.decode[\r\n\s]*?\x28[\r\n\s]*?[\x22\x27]/Ri"; content:!"|22|J0RVREFPTkUn|22|"; content:!"|22|J01PQklMRSc|3D 22|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016807; rev:6; metadata:created_at 2013_05_02, former_category CURRENT_EVENTS, updated_at 2013_05_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Taplika Browser Hijacker Status Messages"; flow:established,to_server; content:".php?context="; fast_pattern; http_uri; content:"&status="; http_uri; distance:0; content:"&sesid="; http_uri; distance:0; content:"&iid="; http_uri; distance:0; content:"&cd="; http_uri; distance:0; content:"&cr="; http_uri; distance:0; reference:md5,02aa7a5e3a78f1a50ae5f72519787bb9; reference:url,malwaretips.com/blogs/remove-taplika-virus/; classtype:trojan-activity; sid:2022808; rev:3; metadata:created_at 2016_05_16, former_category MALWARE, updated_at 2018_03_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Flash Exploit Likely SunDown EK"; flow:established,from_server; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"9090909090909090909090909090909090909090EB"; classtype:exploit-kit; sid:2023313; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, malware_family SunDown, performance_impact Low, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_10_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Taplika Browser Hijacker Checkin M1"; flow:established,to_server; content:".php?a="; fast_pattern; http_uri; content:"&cd="; http_uri; distance:0; content:"&cr="; http_uri; distance:0; content:"&ir="; http_uri; distance:0; reference:md5,02aa7a5e3a78f1a50ae5f72519787bb9; reference:url,malwaretips.com/blogs/remove-taplika-virus/; classtype:trojan-activity; sid:2022809; rev:3; metadata:created_at 2016_05_16, former_category MALWARE, updated_at 2018_03_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Landing Oct 03 2016"; flow:from_server,established; file_data; content:"|28 65 78 70 6c 6f 69 74 29|"; content:"|2e 65 78 65 63 28 69 6e 70 75 74 29 29 7b 72 65 74 75 72 6e 2d 31 7d 69 6e 70 75 74 3d 69 6e 70 75 74 2e 72 65 70 6c 61 63 65|"; content:"|6b 65 79 53 74 72|"; classtype:exploit-kit; sid:2023314; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, malware_family SunDown, performance_impact Low, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_10_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Taplika Browser Hijacker Checkin M2"; flow:established,to_server; content:"/?f="; depth:4; http_uri; fast_pattern; content:"&a="; http_uri; distance:0; content:"&cd="; http_uri; distance:0; content:"&cr="; http_uri; distance:0; content:"&ir="; http_uri; distance:0; reference:md5,02aa7a5e3a78f1a50ae5f72519787bb9; reference:url,malwaretips.com/blogs/remove-taplika-virus/; classtype:trojan-activity; sid:2022810; rev:3; metadata:created_at 2016_05_16, former_category MALWARE, updated_at 2018_03_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Locky AlphaNum Downloader Oct 3 2016"; flow:from_server,established; flowbits:isnotset,ET.http.binary; flowbits:isset,ET.LockyDL; content:"ETag|3a|"; http_header; content:!"Content-Disposition|3a|"; http_header; content:!"Cookie|3a|"; content:"Content-Length|3a 20|1"; http_header; fast_pattern:only; pcre:"/^Content-Length\x3a\x201[6-8]\d{4}\r?$/Hm"; file_data; content:!"MZ"; within:2; content:!"PK"; within:2; content:!"GIF"; within:3; content:!"|FF D8 FF|"; within:3; content:!"CWS"; within:3; content:!"ZWS"; within:3; pcre:"/^.{4}[\x0a-\x7f]{0,100}[\x00-x09\x80-\xff]/s"; classtype:trojan-activity; sid:2023316; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, signature_severity Major, updated_at 2016_10_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit Landing Page (2)"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".mine.nu|0d 0a|"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015758; rev:3; metadata:created_at 2012_10_04, former_category EXPLOIT_KIT, updated_at 2018_03_15;)
 
-alert udp any any -> $DNS_SERVERS 53 (msg:"ET EXPLOIT BIND9 msg->reserved Assertion DoS Packet Inbound (CVE-2016-2776)"; dsize:>512; content:"|00 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; content:"|00 00 01 00 01|"; distance:0; content:"|00 00 FA|"; distance:0; reference:cve,cve-2016-2776; reference:url,blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html; classtype:attempted-dos; sid:2023317; rev:3; metadata:affected_product BIND, attack_target Server, created_at 2016_10_04, deployment Datacenter, signature_severity Major, updated_at 2016_10_05;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg:"ET SCAN Suspicious inbound to PostgreSQL port 5432"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010939; classtype:bad-unknown; sid:2010939; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|allenia.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023319; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 4333 (msg:"ET SCAN Suspicious inbound to mSQL port 4333"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010938; classtype:bad-unknown; sid:2010938; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|ssltrustcontrol.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023320; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN Suspicious inbound to mySQL port 3306"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010937; classtype:bad-unknown; sid:2010937; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|usgivememoney.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023321; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"ET SCAN Suspicious inbound to Oracle SQL port 1521"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010936; classtype:bad-unknown; sid:2010936; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|p.scgreencharter.org"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023322; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"ET SCAN Suspicious inbound to MSSQL port 1433"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010935; classtype:bad-unknown; sid:2010935; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|fastsvpsd.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023323; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe PDF Reader Phishing Landing 2018-03-27"; flow:established,to_client; file_data; content:"<title>Adobe|d0 92 c2 ae 20|PDF Reader|d0 92 c2 ae 20|Xl</title>"; nocase; fast_pattern; content:"this file is protected by adobe"; nocase; distance:0; content:"confirm your email to access this document"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:"onsubmit=|22|MM_validateForm(&#39|3b|email&#39|3b|,&#39|3b|&#39|3b|,&#39|3b|RisEmail&#39|3b|,&#39|3b|password&#39|3b|,&#39|3b|&#39|3b|,&#39|3b|R&#39|3b|)"; nocase; distance:0; content:"view pdf document"; nocase; distance:0; classtype:social-engineering; sid:2025442; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|csos.brycepeterson.net"; distance:1; within:23; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023324; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED APT CozyCar SSL Cert 4"; flow:established,from_server; content:"|55 04 03|"; content:"|19|www.illuminatistudios.net"; distance:1; within:26; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021421; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2018_03_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|mgudoor.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023325; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Phishing Landing 2018-03-28"; flow:established,to_client; file_data; content:"<title>internal revenue service</title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:"last 4 of ssn"; nocase; distance:0; content:"if ($('#email').val() == '')"; nocase; distance:0; classtype:social-engineering; sid:2025443; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_28;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|zigerds.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-03-28"; flow:established,to_client; file_data; content:"<TITLE>Chase Online - Logon</TITLE>"; nocase; fast_pattern; content:"name=started action=logon.php?lob=rbglogon method=post"; nocase; distance:0; classtype:social-engineering; sid:2025447; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK (EITest Inject) Oct 03 2016"; flow:established,from_server; file_data; content:"|25 75 30 30 33 64 25 75 30 30 36 63 25 75 30 30 33 33 25 75 30 30 35 33|"; content:"|73 72 63 20 3d 20 75 6e 65 73 63 61 70 65|"; classtype:exploit-kit; sid:2023312; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Impots Phishing Landing 2018-03-28"; flow:established,to_client; file_data; content:"<title>impots.gouv.fr</title>"; nocase; fast_pattern; content:".php|22|"; nocase; distance:0; content:"name=|22|form1|22|"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025448; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SunDown EK Flash Exploit Sep 22 2016"; flow:established,to_server; content:".swf"; http_uri; content:"/index.php?"; http_header; pcre:"/^\/\d+\/\d+\.swf$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f\x2f[^\r\n\x2f]+\/index\.php\?[^\x3d&]+=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=)?\r\n/H"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023270; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_10_06;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] Ursnif Socks Proxy Check-in"; flow:established,to_server; stream_size:server,=,1; content:"|2d|"; offset:8; depth:1; content:"|2d|"; distance:4; within:1; content:"|2d|"; distance:4; within:1; content:"|2d|"; distance:4; within:1; content:"|2d30|"; distance:12; within:2; content:"|0000 0000 0000 0000 0000 0000|"; distance:1; within:12; fast_pattern; pcre:"/^[0-9A-Z]{8}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9]{12}-0[0-9]{1}/"; flowbits:set,PT.UrsnifProxy; flowbits:noalert; classtype:trojan-activity; sid:2025444; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category TROJAN, malware_family ursnif, performance_impact Low, signature_severity Major, updated_at 2018_03_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Likely Neutrino EK or other EK IE Flash request to DYNDNS set non-standard filename"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:d(?:yndns\.[a-z]{2,3}|esi)|c(?:ricket|a?fe?)|(?:lin|wor)k|s(?:u|pace)|accountant|t(?:k|op)|g[aq]|xyz|ml|pw)(?:\x3a\d{1,5})?\r$/Hmi"; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; classtype:exploit-kit; sid:2021752; rev:13; metadata:created_at 2015_09_09, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert tcp $EXTERNAL_NET !$HTTP_PORTS  -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Ursnif Socks5 Proxy Connection"; flow:established,from_server; flowbits:isset,PT.UrsnifProxy; stream_size:server,=,5; dsize:3; content:"|050100|"; fast_pattern; depth:3; classtype:trojan-activity; sid:2025445; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category TROJAN, malware_family ursnif, performance_impact Low, signature_severity Major, updated_at 2018_03_28;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|geernabys.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023336; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_12, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Comcast/Xfinity Phishing Landing 2018-03-30"; flow:established,to_client; file_data; content:"<!-- saved from url="; nocase; fast_pattern; within:300; content:")https://"; within:15; pcre:"/^[^/]+(?:xfinity|comcast)\.(?:com|net)/Ri"; classtype:social-engineering; sid:2025450; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c7 b5 8a 8d d7 e8 44 b0|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023347; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply for unallocated address space - Potentially Malicious 1.1.1.0/24"; content:"|00 01 00 01|"; content:"|00 04 01 01 01|"; distance:4; within:5; classtype:trojan-activity; sid:2016104; rev:4; metadata:created_at 2012_12_28, former_category TROJAN, updated_at 2018_04_03;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|facenoplays.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023348; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Docs Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Sign in - Google Accounts"; nocase; within:30; fast_pattern; content:"input[type=email]"; nocase; distance:0; content:"input[type=password]"; nocase; distance:0; classtype:social-engineering; sid:2025364; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_03;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Potentially Malicious Traffic 1"; flow:established,to_server; content:"285d7b6cf94d8fdc657edaa73c2f07f3"; classtype:trojan-activity; sid:2023339; rev:3; metadata:created_at 2016_10_18, updated_at 2016_10_18;)
+#alert http $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing Aug 17 2015"; flow:established,from_server; file_data; content:"ScriptEngineMajorVersion"; nocase; content:"ScriptEngineMinorVersion"; nocase; content:"ScriptEngineBuildVersion"; nocase; fast_pattern; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; nocase; classtype:exploit-kit; sid:2021638; rev:3; metadata:created_at 2015_08_17, former_category CURRENT_EVENTS, updated_at 2018_04_03;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 97 21 dd 62 8b bc 65 25|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023350; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious HTML Script Tag in 401 Unauthorized Response (External Source)"; flow:from_server,established; content:"HTTP/1.1 401 Unauthorized|0d 0a|"; depth:27; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010514; classtype:web-application-activity; sid:2010514; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2018_04_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Oct 19 2016"; flow:established,from_server; content:"nginx"; http_header; pcre:"/^Content-Length\x3a\x20\d{2,3}\r?$/Hmi"; file_data; content:"document.write|28|"; within:15; pcre:"/^(?=[^\n>]*position\x3aabsolute)(?=[^\n>]*top\x3a\x20-\d+px\x3b)[^\n]*<iframe(?=[^\n>]*width=\d{3})(?=[^\n>]*height=\d{3})[^\n>]*src=[\x22\x27]http[^\n>]+\s*>\s*/R"; content:"</|27|+|27|iframe>"; within:12; fast_pattern; pcre:"/^[^\n]*\x29\x3b$/R"; classtype:exploit-kit; sid:2023352; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_19;)
+alert tcp any any -> $HOME_NET 4786 (msg:"ET EXPLOIT Possible CVE-2018-0171 Exploit (PoC based)"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 07|"; depth:12; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; distance:12; within:36; content:"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"; distance:4; within:44; reference:cve,2018-0171; reference:url,embedi.com/blog/cisco-smart-install-remote-code-execution/; classtype:attempted-admin; sid:2025472; rev:1; metadata:affected_product Cisco_ASA, attack_target Networking_Equipment, created_at 2018_04_06, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2018_04_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Oct 19 2016 T2"; flow:established,from_server; content:"Content-Type|3a 20|text/javascript|0d 0a|"; http_header; content:"nginx"; http_header; file_data; content:"var"; within:3; pcre:"/^\s*(?P<var>[^\r\n\s\x3d\x2c\x3b]+)\s*=[^\n]*<iframe(?=[^\n>]*top\x3a-\d+px\x3b)[^\n>]+src\s*=\s*\x5c?[\x22\x27]http[^\n>]+>\s*<\/iframe>\x22\x3bdocument\.write\((?P=var)\)\x3b\s*$/R"; content:"</iframe>|22 3b|document.write"; fast_pattern; classtype:exploit-kit; sid:2023353; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>wells,fargo sign on to view your accounts</title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025473; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bitter RAT TCP CnC Beacon"; flow:established,from_server; content:"BITTER1234"; depth:10; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; reference:md5,6e855944d171a3acbb64635dbe7a9c62; classtype:command-and-control; sid:2023399; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category MALWARE, malware_family Bitter_implant, signature_severity Major, tag c2, updated_at 2016_10_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>|7c 20|tracking system</title>"; nocase; content:"DHL%20_%20Tracking%20System_files/"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025474; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|hlaprise.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023402; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>resolution center - paypal</title>"; nocase; content:"href=|22|resolutioncenter_files/"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025478; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|calmiinity.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023403; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title id=|22|pagetitle|22|>facebook - log in or sign up</title>"; nocase; content:"<form id=|22|login_form|22 20|action=|22|post.php|22 20|method=|22|post|22 20|onsubmit=|22|return window.event"; nocase; distance:0; classtype:social-engineering; sid:2025479; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|rootenplay.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023404; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>share file|20 7c 20|one drive</title>"; nocase; content:"file is waiting"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:"onedrive protected file"; nocase; distance:0; classtype:social-engineering; sid:2025480; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 89 f7 85 18 43 70 17 d1|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023405; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>apple - my apple id</title>"; nocase; content:"method=|22|post|22|"; nocase; distance:0; content:"id=|22|donnee"; nocase; distance:0; fast_pattern; content:"name=|22|donnee"; nocase; distance:0; classtype:social-engineering; sid:2025481; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|statuscheck.site"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023406; rev:2; metadata:attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Post.ch Cloned Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<!-- saved from url="; nocase; within:300; content:"https://account.post.ch"; nocase; within:30; classtype:social-engineering; sid:2025482; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware/Cerber Checkin 2"; dsize:<11; content:"hi"; depth:2; fast_pattern; pcre:"/^[a-f0-9]{7,}$/R"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,ac4d7fb5739862e9914556ed5d50f84f; classtype:command-and-control; sid:2023453; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_10_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>chase online - account update</title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:".php|22|"; nocase; distance:0; content:"onsubmit=|22|javascript|3a|return webform_onsubmit()|3b 22|"; nocase; distance:0; classtype:social-engineering; sid:2025475; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,ET.SuspExeTLDs; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023464; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2017_10_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE QRat.Java.RAT Post-Checkin Request"; flow:established,to_server; content:"|7b 22 6d 61 67 69 63 22 3a 22|"; depth:10; offset:2; fast_pattern; content:"|22 2c 22 69 6e 64 65 78 22 3a 22|"; distance:0; content:"|22 68 61 73 2d 72 65 71 75 65 73 74 65 72 22 3a|"; distance:0; content:"|2c 22 68 61 73 2d 61 63 63 65 70 74 65 72 22 3a|"; distance:0; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:command-and-control; sid:2025393; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category MALWARE, malware_family QRat, signature_severity Major, tag Qrat, updated_at 2018_03_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK EITest Inject Oct 17 2016"; flow:established,from_server; file_data; content:"=l3S"; fast_pattern; content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:"document.createElement|28 22|iframe|22 29 3b|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/\?[^=&\x22\x27]+=l3S/Ri"; classtype:exploit-kit; sid:2023343; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_17, deployment Perimeter, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2018-04-14"; flow:established,to_client; file_data; content:"method=|22|post|22|"; nocase; content:"javascript|3a|popupwnd(|22|gmail"; nocase; distance:0; fast_pattern; content:"javascript|3a|popupwnd(|22|outlook"; nocase; distance:0; content:"javascript|3a|popupwnd(|22|aol"; nocase; distance:0; content:"javascript|3a|popupwnd(|22|yahoo"; nocase; distance:0; classtype:social-engineering; sid:2025502; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible CryptoWall download from e-mail link March 9 2015"; flow:established,to_server; content:"GET"; http_method; content:".zip"; http_uri; fast_pattern:only; content:".html"; http_header; pcre:"/\.zip$/U"; content:"Referer|3a|"; http_header; pcre:"/^Referer\x3a\x20http\x3a\/\/[^\x2f]+\/[a-z0-9]{6}\/[a-z0-9]{5}\.html\r?$/Hm"; classtype:trojan-activity; sid:2020649; rev:3; metadata:created_at 2015_03_09, updated_at 2016_11_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mail Verification Phishing Landing 2018-04-18"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Mail Verification"; nocase; within:20; fast_pattern; content:"img src=|22|files/"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:"name=|22|passwd|22|"; nocase; distance:0; content:"All rights reserved"; nocase; distance:0; classtype:social-engineering; sid:2025514; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_18;)
 
-alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024: (msg:"ET P2P Vuze BT UDP Connection"; dsize:<80; content:!"|00 22 02 00|"; depth: 4; content:"|00 00 04|"; distance:8; within:3; content:"|00 00 00 00 00|"; distance:6; within:5; threshold: type limit, count 1, seconds 120, track by_src; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010140; classtype:policy-violation; sid:2010140; rev:7; metadata:created_at 2010_07_30, updated_at 2016_11_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Evil Redirector Leading to EK Sep 12 2016"; flow:established,from_server; content:"Set-Cookie|3a 20|CAMPAIGNE.REFERER_COOKIE="; fast_pattern:12,20; content:"CAMPAIGNE.REFERER_COOKIE="; http_cookie; classtype:exploit-kit; sid:2023187; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EvilTDS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2018_04_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Nov 01 2016"; flow:established,from_server; file_data; content:"|5c 78 35 63 5c 78 36 62 5c 78 36 31 5c 78 37 33 5c 78 35 66 5c 78 36 35 5c 78 36 65 5c 78 36 37 5c 78 36 39 5c 78 36 65 5c 78 36 35 5c 78 32 65 5c 78 36 34 5c 78 36 63 5c 78 36 63 5c 78 32 66 5c 78 32 33 5c 78 33 32 5c 78 33 34 5c 78 32 66 5c 78 33 32 5c 78 32 32 5c 78 37 64|"; nocase; classtype:exploit-kit; sid:2023474; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_11_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PDF Cloud Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>Sign In - PDF Cloud"; nocase; fast_pattern; content:"href=|22|index_files/adobe.css"; nocase; distance:0; content:"Sign in with your email address to view or download attachment"; nocase; distance:0; classtype:social-engineering; sid:2025515; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ZeuS - ICE-IX cid= in cookie"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Cookie|3a| cid="; http_raw_header; pcre:"/^\d{4}\r$/RDm"; content:!"mowersdirect.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2014198; rev:13; metadata:created_at 2012_02_07, former_category TROJAN, updated_at 2017_09_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>Bank of America|20 7c 20|Online Banking|20 7c 20|Sign In|20 7c 20|Online ID"; nocase; fast_pattern; content:"content=|22|WYSIWYG Web Builder"; nocase; distance:0; content:"href=|22|css/Untitled1.css"; nocase; distance:0; classtype:social-engineering; sid:2025516; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_19;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:!"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+|[a-z](?:\.[A-Za-z]){1,3})\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,7,1,relative; pcre:"/^.{2}(?!www)\d?[A-Z]?(?:[a-z]{3,20}\.)?[a-z]{5,}(?:\d[a-z]{5,})?\.[a-z]{2,5}[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022535; rev:11; metadata:attack_target Client_and_Server, created_at 2016_02_17, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox 000webhost Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>Dropbox"; nocase; content:"method=|22|POST|22|"; nocase; distance:0; content:"Select your email provider"; nocase; distance:0; fast_pattern; content:"powered-by-000webhost"; nocase; distance:0; classtype:social-engineering; sid:2025517; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zberp/ZeusVM receiving config via image file (steganography)"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"|ff fe 3f 10 00 00|"; distance:0; byte_test:4,>,100,4,relative,little; byte_extract:4,4,config_len,relative,little; content:!"|00|"; within:config_len; pcre:"/^[^\x00]+(\xff\xd9)?$/R"; reference:md5,1e1f44f8a403c4ebc6943eb2dcf731ff; reference:url,securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/#.U5Xgpyh4l8u; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021382; rev:11; metadata:created_at 2015_07_06, updated_at 2016_11_03;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Anubis - 195.22.26.192/26"; content:"|00 01 00 01|"; content:"|00 04 c3 16 1a|"; distance:4; within:5; byte_test:1,>,224,0,relative; content:!"|0e|anubisnetworks|03|com|00|"; nocase; content:!"|05|mpsmx|03|net|00|"; nocase; content:!"|09|mailspike|03|com|00|"; nocase; content:!"|09|mailspike|03|org|00|"; nocase; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2018455; rev:5; metadata:created_at 2014_05_08, former_category TROJAN, updated_at 2018_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zberp/ZeusVM receiving config via image file (steganography) 2"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"0103F|00|"; distance:0; content:"|ff fe|"; distance:-10; within:2; byte_test:2,>,100,0,relative,little; byte_extract:2,0,config_len,relative,little; content:!"|00|"; distance:6; within:config_len; pcre:"/^0103F\x00[^\x00]+(\xff\xd9)?$/R"; reference:md5,7ba76b0ec1249b19a46e1603e5ab0a90; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021383; rev:3; metadata:created_at 2015_07_06, updated_at 2016_11_03;)
+alert tcp any any -> any 4786 (msg:"ET INFO Cisco Smart Install Protocol Observed"; flow:established,only_stream; content:"|00 00 00 01 00 00 00 01|"; depth:8; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; classtype:misc-activity; sid:2025519; rev:1; metadata:attack_target Networking_Equipment, created_at 2018_04_20, deployment Perimeter, deployment Internal, former_category INFO, signature_severity Minor, updated_at 2018_04_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zberp/ZeusVM receiving config via image file (steganography) 3"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"0103F|00|"; distance:0; content:"|ff fe ff ff|"; distance:-10; within:4; pcre:"/^0103F\x00[^\x00]+(\xff\xd9)?$/R"; reference:md5,7ba76b0ec1249b19a46e1603e5ab0a90; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021527; rev:5; metadata:created_at 2015_07_23, updated_at 2016_11_03;)
+alert tcp any any -> any 4786 (msg:"ET EXPLOIT Cisco Smart Install Exploitation Tool - Update Ios and Execute"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 02 00 00 01 c4|"; depth:16; content:"://"; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; reference:url,github.com/Sab0tag3d/SIET; classtype:bad-unknown; sid:2025520; rev:1; metadata:attack_target Networking_Equipment, created_at 2018_04_20, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2018_04_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Linux.Mirai Login Attempt (xc3511)"; flow:to_server,established; content:"xc3511|0d 0a|"; dsize:8; reference:url,www.flashpoint-intel.com/when-vulnerabilities-travel-downstream; classtype:trojan-activity; sid:2023333; rev:4; metadata:affected_product DVR, attack_target IoT, created_at 2016_10_10, deployment Datacenter, malware_family ddos_bot, performance_impact Low, signature_severity Major, updated_at 2016_11_08;)
+alert tcp any any -> any 4786 (msg:"ET EXPLOIT Cisco Smart Install Exploitation Tool - ChangeConfig"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 03 00 00 01 28|"; depth:16; content:"://"; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; reference:url,github.com/Sab0tag3d/SIET; classtype:bad-unknown; sid:2025521; rev:1; metadata:attack_target Networking_Equipment, created_at 2018_04_20, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2018_04_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (1111111)"; flow:to_server,established; content:"1111111|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023430; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert tcp any any -> any 4786 (msg:"ET EXPLOIT Cisco Smart Install Exploitation Tool - GetConfig"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 08 00 00 04 08|"; depth:16; content:"copy|20|"; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; reference:url,github.com/Sab0tag3d/SIET; classtype:bad-unknown; sid:2025522; rev:1; metadata:attack_target Networking_Equipment, created_at 2018_04_20, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2018_04_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (54321)"; flow:to_server,established; content:"54321|0d 0a|"; nocase; dsize:7; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023431; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Centurylink Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>centurylink"; nocase; content:"href=|22|centurylink|25|20_|25|20login_files/"; nocase; fast_pattern; distance:0; classtype:social-engineering; sid:2025523; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (666666)"; flow:to_server,established; content:"666666|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023432; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING MyADP Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>Login to MyADP"; nocase; fast_pattern; content:"href=|22|AD/"; nocase; distance:0; content:"src=|22|AD/"; nocase; distance:0; classtype:social-engineering; sid:2025524; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (7ujMko0admin)"; flow:to_server,established; content:"7ujMko0admin|0d 0a|"; nocase; dsize:14; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023433; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing M1 2018-04-19"; flow:established,to_client; file_data; content:"<title>Sign in to your Microsoft account"; nocase; content:"<!-- /ko -->"; nocase; distance:0; fast_pattern; content:"<!-- /ko"; nocase; distance:0; content:"<!-- /ko"; nocase; distance:0; content:"<!-- /ko"; nocase; distance:0; classtype:social-engineering; sid:2025525; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (7ujMko0vizxv)"; flow:to_server,established; content:"7ujMko0vizxv|0d 0a|"; nocase; dsize:14; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023434; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Comcast/Xfinity Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>sign in to xfinity"; nocase; content:"src=|22|comcast_files/"; nocase; distance:0; fast_pattern; content:"src=|22|comcast_files/"; nocase; distance:0; classtype:social-engineering; sid:2025528; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (888888)"; flow:to_server,established; content:"888888|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023435; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LCL Banque Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>lcl banque"; nocase; content:"src=|22|./lcl_files/"; nocase; distance:0; fast_pattern; content:"src=|22|./lcl_files/"; nocase; distance:0; classtype:social-engineering; sid:2025529; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (anko)"; flow:to_server,established; content:"anko|0d 0a|"; nocase; dsize:6; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023436; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing M2 2018-04-19"; flow:established,to_client; file_data; content:"<title>Sign in to your account"; nocase; content:"content=|22|WYSIWYG Web Builder"; nocase; distance:0; content:"<form name=|22|ff|22|"; nocase; distance:0; fast_pattern; content:"method=|22|POST|22|"; nocase; distance:0; classtype:social-engineering; sid:2025526; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (dreambox)"; flow:to_server,established; content:"dreambox|0d 0a|"; nocase; dsize:10; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023437; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Popupwnd Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"function popupwnd(url,"; nocase; fast_pattern; content:"var popupwindow = this.open(url,"; nocase; distance:0; content:"onload=|22|unhideBody()|22|"; nocase; distance:0; content:",'no','no','no','no','no','no'"; nocase; distance:0; classtype:social-engineering; sid:2025527; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (fucker)"; flow:to_server,established; content:"fucker|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023438; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Unknown - Landing Page Requested - /?Digit"; flow:established,to_server; urilen:9<>16; content:"/?"; http_uri; depth:13; pcre:"/^\/[a-z0-9]{6,10}\/\?[0-9]{1,2}$/Ui"; classtype:bad-unknown; sid:2016193; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_08_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (hi3518)"; flow:to_server,established; content:"hi3518|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023439; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
+#alert ip $HOME_NET any -> 1.1.1.0/24 any (msg:"ET POLICY Connection to previously unallocated address space 1.1.1.0/24"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2017000; rev:4; metadata:created_at 2013_06_11, former_category POLICY, updated_at 2018_04_24;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (ikwb)"; flow:to_server,established; content:"ikwb|0d 0a|"; nocase; dsize:6; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023440; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE HawkEye Keylogger FTP"; flow:established,to_server; content:"STOR HawkEye"; nocase; pcre:"/^(?:_|Keylogger)/Ri"; reference:md5,85f3b302afa0989a91053af6092f3882; classtype:trojan-activity; sid:2020410; rev:4; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (juantech)"; flow:to_server,established; content:"juantech|0d 0a|"; nocase; dsize:10; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023441; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY WebRTC IP tracking Javascript"; flow:established,from_server; file_data; content:"function getIPs|28|callback|29|"; nocase; fast_pattern; content:"ip_dups"; nocase; content:"handleCandidate"; nocase; content:"RTCPeerConnection"; nocase; reference:url,github.com/diafygi/webrtc-ips; classtype:successful-recon-limited; sid:2021089; rev:3; metadata:created_at 2015_05_13, former_category POLICY, updated_at 2018_04_26;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (jvbzd)"; flow:to_server,established; content:"jvbzd|0d 0a|"; nocase; dsize:7; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023442; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MS10-090 IE CSS Exploit Metasploit POC Specific Unicoded"; flow:to_client,established; content:"|40 00 69 00 6d 00 70 00 6f 00 72 00 74 00|"; content:"|40 00 69 00 6d 00 70 00 6f 00 72 00 74 00|"; distance:0; content:"|40 00 69 00 6d 00 70 00 6f 00 72 00 74 00|"; distance:0; pcre:"/@\x00i\x00m\x00p\x00o\x00r\x00t\x00\x20.{4,20}[^\x00\w\s.]/sG"; reference:cve,CVE-2010-3971; reference:url,breakingpointsystems.com/community/blog/ie-vulnerability/; reference:bid,45246; classtype:attempted-admin; sid:2012149; rev:6; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, created_at 2011_01_05, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category WEB_CLIENT, signature_severity Critical, tag Web_Client_Attacks, tag Metasploit, updated_at 2018_04_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (klv123)"; flow:to_server,established; content:"klv123|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023443; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-05-01"; flow:established,to_client; file_data; content:"<title"; nocase; content:"bank of america"; nocase; within:30; content:"<form name=|22|b0a|22|"; nocase; distance:0; fast_pattern; content:".php?session=$pmd$pmd|22 20|method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025549; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (klv1234)"; flow:to_server,established; content:"klv1234|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023444; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-05-01"; flow:established,to_client; file_data; content:"<title"; nocase; content:"One Drive"; nocase; within:25; content:"function popupwnd(url"; nocase; distance:0; content:"choose your email provider"; nocase; distance:0; content:"onclick=|22|popupwnd("; nocase; distance:0; fast_pattern; content:"'no','no','no','no','no','no'"; nocase; distance:0; classtype:social-engineering; sid:2025550; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_05_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (meinsm)"; flow:to_server,established; content:"meinsm|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023445; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java/QRat Variant Checkin"; flow:established,to_server; dsize:9; content:"|00 07|nemesis"; classtype:command-and-control; sid:2025552; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_01, deployment Perimeter, former_category MALWARE, malware_family QRat, signature_severity Major, updated_at 2018_05_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (realtek)"; flow:to_server,established; content:"realtek|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023446; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - GIF Header With HTML Form"; flow:established,to_client; file_data; content:"GIF89a"; within:6; content:"<form "; nocase; fast_pattern; within:150; content:!"_VIEWSTATE"; classtype:trojan-activity; sid:2017134; rev:5; metadata:created_at 2013_07_12, updated_at 2013_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (service)"; flow:to_server,established; content:"service|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023447; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Downloader.Win32.Agent.vhvw Checkin MINIASP"; flow:to_server,established; content:".asp?device_t="; http_uri; content:"&key="; http_uri; content:"&device_id="; http_uri; content:"&cv="; http_uri; threshold: type both, track by_src, count 1, seconds 120; reference:md5,e4a4e2a3b3adaf3a31e34cd2844a3374; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=1042762#none; classtype:trojan-activity; sid:2016430; rev:5; metadata:created_at 2012_04_18, former_category TROJAN, updated_at 2018_05_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (ubnt)"; flow:to_server,established; content:"ubnt|0d 0a|"; nocase; dsize:6; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023448; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Netflix Phishing Landing 2018-05-02"; flow:established,to_client; file_data; content:"|23 20 4e 65 77 20 53 63 61 6d 61 20 4e 65 74 66 6c 69 78 20 32 30 31 38 20 42 79 20 58 2d 59 61 63 20 23|"; within:500; classtype:social-engineering; sid:2025555; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_02;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (vizxv)"; flow:to_server,established; content:"vizxv|0d 0a|"; nocase; dsize:7; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023449; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-05-02"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Log in to your PayPal"; nocase; within:40; content:"PayPaI.|20 7c 20|All rights reserved."; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025556; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_02;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (xmhdipc)"; flow:to_server,established; content:"xmhdipc|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023450; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe PDF in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"%PDF-"; within:6; flowbits:set,ET.pdf.in.http; flowbits:noalert; reference:cve,CVE-2008-2992; reference:bugtraq,30035; reference:secunia,29773; classtype:not-suspicious; sid:2015671; rev:10; metadata:created_at 2010_09_25, updated_at 2010_09_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (zlxx)"; flow:to_server,established; content:"zlxx|0d 0a|"; nocase; dsize:6; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023451; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Phishing Landing 2018-05-07"; flow:established,to_client; file_data; content:"<title>mytax portal</title>"; nocase; fast_pattern; content:"id=|22|form1|22 20|name=|22|form1|22|"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:".php|22|"; nocase; distance:0; content:"name=|22|pww|22 20|type=|22|password|22 20|id=|22|pww|22|"; nocase; distance:0; classtype:social-engineering; sid:2025561; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (Zte521)"; flow:to_server,established; content:"Zte521|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023452; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER CoinHive In-Browser Miner Detected"; flow:established,from_server; file_data; content:"coinhive.min.js"; nocase; fast_pattern; content:"start"; nocase; distance:0; content:"script"; content:"var"; distance:0; pcre:"/^\s*(?P<var>[a-zA-Z0-9]{3,20})\s*=\s*new\s*CoinHive\s*\.\s*[^\(]+\(\s*[\x22\x27][A-Za-z0-9]+\s*[\x22\x27]\s*(?:\x2c\s*\x7b\s*\w+\x3a\s*\d\.\d\x7d)?\)\s*\x3b\s+(?P=var)\s*\.\s*start/Ri"; classtype:coin-mining; sid:2024721; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category COINMINER, performance_impact Moderate, signature_severity Minor, updated_at 2018_05_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Bank Phish M1 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"username="; depth:9; nocase; http_client_body; content:"&login.x="; nocase; distance:0; http_client_body; content:"&login.y="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023487; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Atadommoc.C - HTTP CnC"; flow:established,to_server; content:"POST"; http_method; content:"rxT"; http_client_body; depth:3; classtype:command-and-control; sid:2015581; rev:3; metadata:created_at 2012_08_07, former_category TROJAN, updated_at 2018_05_08;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|heeriekupman.com"; distance:1; within:17; classtype:domain-c2; sid:2023489; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Netflix Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"content=|22 48 46 2d 4a 61 63 6b 73 6f 6e 22|"; nocase; content:"name=|22 48 46 2d 4a 61 63 6b 73 6f 6e 22|"; nocase; distance:0; content:"class=|22 48 46 5f 4a 61 63 6b 73 6f 4e 5f|"; nocase; distance:0; content:"class=|22 42 79 5f 48 61 73 73 61 6e 5f 46 61 72 74 6f 75 74 22|"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025568; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|infosec256bit.com"; distance:1; within:18; classtype:domain-c2; sid:2023491; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Netflix Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"class=|22 6d 6f 75 73 74 61 63 68 65 22|"; nocase; fast_pattern; content:"class=|22 77 69 7a 22|"; nocase; distance:0; content:"class=|22 68 61 73 73 61 6e 22|"; nocase; distance:0; classtype:social-engineering; sid:2025569; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|sslsecure777.com"; distance:1; within:17; classtype:domain-c2; sid:2023492; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"class=|22 6c 6f 67 69 6e 5f 6d 6f 75 73 74 61 63 68 65 22|"; nocase; fast_pattern; content:"class=|22 6e 73 69 74 22|"; nocase; distance:0; content:"class=|22 74 39 61 79 61 64 22|"; nocase; distance:0; content:"class=|22 74 73 61 6e 61 22|"; nocase; distance:0; classtype:social-engineering; sid:2025570; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|dodstersystem.com"; distance:1; within:18; classtype:domain-c2; sid:2023493; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"class=|22 69 6d 67 5f 76 69 63 74 69 6d 65 22|"; nocase; fast_pattern; content:"class=|22 6e 61 6d 65 5f 76 69 63 74 69 6d 65 22|"; nocase; distance:0; content:"class=|22 6d 6f 75 73 74 61 63 68 65 22|"; nocase; distance:0; content:"class=|22 6d 6f 75 73 74 61 63 68 65 5f 61 6e 6f 6e 69 73 6d 61 22|"; nocase; distance:0; content:"class=|22 6d 69 61 5f 6b 68 61 6c 69 66 61 22|"; nocase; distance:0; classtype:social-engineering; sid:2025571; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|whatissslnow.com"; distance:1; within:17; classtype:domain-c2; sid:2023494; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"<!--|20 41 6e 4f 5f 6f 6e 69 73 6d 61 20|-->"; nocase; fast_pattern; content:"name=|22 41 6e 6f 6e 69 73 6d 61 22|"; nocase; distance:0; content:"class=|22 41 6e 6f 6e 69 73 6d 61|"; nocase; distance:0; classtype:social-engineering; sid:2025572; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|getifourl.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023498; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"class=|22 61 2d 6e 2d 6f 2d 6e 2d 69 2d 73 2d 6d 2d 61 22|"; nocase; fast_pattern; content:"id=|22 62 6f 74 64 6b 68 6f 6c 22|"; nocase; distance:0; classtype:social-engineering; sid:2025573; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 d1 c2 e8 fc aa 20 b5 6d|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023499; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Chalbhai (Multibrand) Phishing Landing 2018-05-10"; flow:established,to_client; file_data; content:"function unhideBody()"; nocase; fast_pattern; content:"bodyElems"; distance:0; pcre:"/^\s*=\s*document\s*\.\s*getElementsByTagName\s*\(\s*[\x22\x27]body[\x22\x27]/Ri"; content:"bodyElems[0]"; distance:0; pcre:"/^\s*\.\s*style\s*\.\s*visibility\s*=\s*[\x22\x27]visible[\x22\x27]/Ri"; content:"style=|22|visibility:hidden|22 20|onload=|22|unhideBody()|22|"; nocase; distance:0; content:"<div id=|22|image1|22 20|style=|22|position|3a|absolute|3b 20|overflow|3a|hidden|3b 20|left|3a|"; nocase; distance:0; classtype:social-engineering; sid:2025653; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 1"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"sms|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023500; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2016_11_11, deployment Perimeter, updated_at 2016_11_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded U3D"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/U3D"; within:64; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; reference:cve,2018-4989; reference:cve,2018-4987; classtype:bad-unknown; sid:2013995; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_12_08, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2018_05_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 2"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"itms-apps|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023501; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2016_11_11, deployment Perimeter, updated_at 2016_11_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Javascript obfuscation using app.setTimeOut in PDF in Order to Run Code"; flow:established,to_client; content:"PDF-"; depth:300; content:"app.setTimeOut("; nocase; distance:0; reference:url,www.h-online.com/security/features/CSI-Internet-PDF-timebomb-1038864.html?page=4; reference:url,www.vicheck.ca/md5query.php?hash=6932d141916cd95e3acaa3952c7596e4; reference:cve,2018-4980; reference:cve,2018-4961; classtype:bad-unknown; sid:2011868; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2018_05_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Base64 HTTP URL Refresh - Common Phish Landing Obfuscation 2016-01-01"; flow:to_client,established; file_data; content:"<meta http-equiv="; nocase; content:"refresh"; distance:1; nocase; content:"data|3a|text/html|3b|base64,"; distance:0; fast_pattern; nocase; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x22|\x27/Rsi"; content:!"cGFnZV9ub3RfZm91bmQuaHRtb"; classtype:social-engineering; sid:2031695; rev:3; metadata:created_at 2016_01_01, former_category PHISHING, updated_at 2016_11_11;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0d|IT Department"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|0b|example."; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021013; rev:7; metadata:attack_target Client_and_Server, created_at 2015_04_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family TrickBot, malware_family Dridex, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2018_05_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:from_server,established; content:"|16|"; content:"|55 04 03|"; content:"|09|localhost"; distance:1; within:11; content:"|09 00 ff 41 25 0a bf 95 6d 71|"; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0b|domzino org"; distance:1; within:13; reference:md5,f6e81ae634bbcc309a4a5e01f20e4136; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023502; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vibem.C CnC Activity"; flow:established,to_server; content:"|63 76 c4 52 99 1d 04 80 a9 1b 2d|"; depth:11; content:!"|00|"; reference:md5,bef6faabe3d80037c18fa7b806f4488e; classtype:command-and-control; sid:2025581; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2018_05_18;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET PHISHING Chrome Extension Phishing DNS Request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"chrome-extension"; nocase; distance:0; fast_pattern; reference:url,www.seancassidy.me/lostpass.html; classtype:social-engineering; sid:2022372; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_11_11;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query For Browser Cryptocurrency Mining Domain"; content:"|06|static|0a|reasedoper|02|pw|00|"; fast_pattern; nocase; reference:url,www.welivesecurity.com/2017/09/14/cryptocurrency-web-mining-union-profit/; classtype:trojan-activity; sid:2024779; rev:5; metadata:affected_product Web_Browsers, created_at 2017_09_27, former_category POLICY, malware_family CoinMiner, updated_at 2018_05_23;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU SSL CnC Cert"; flow:established,from_server; content:"|02|IT"; content:"|03|AAA"; distance:0; content:"|02|BB"; distance:0; content:"|03|EEE"; distance:0; content:"|0d|IT Department"; distance:0; content:"|0a|SASDS_Srv0"; fast_pattern; distance:0; reference:md5,cbd1c2db9ffc6b67cea46d271594c2ae; classtype:command-and-control; sid:2023509; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_15, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, updated_at 2016_11_15;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Winnti-related DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|securitytactics|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024868; rev:3; metadata:created_at 2017_10_18, former_category TROJAN, updated_at 2018_05_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET SCAN Redis SSH Key Overwrite Probing"; flow:to_server,established; content:"*"; depth:1; content:"config"; content:"set"; distance:0; content:"dir"; distance:0; content:"/.ssh"; distance:0; isdataat:!5,relative; reference:url,antirez.com/news/96; classtype:misc-attack; sid:2023510; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_07, deployment Datacenter, performance_impact Low, signature_severity Minor, tag SCAN_Redis_SSH, updated_at 2016_11_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious Chrome Extension Click Fraud Activity via Websocket"; flow:established,to_client; content:"|7b 22|id|22 3a|"; within:10; content:"|2c 22|data|22 3a 7b 22|method|22 3a 22|GET|22 2c 22|url|22 3a 22|"; distance:0; content:"|22 2c 22|headers|22 3a 7b 22|"; distance:0; content:"|2c 22|timeout|22 3a|30000|2c 22|body|22 3a 22|"; distance:0; fast_pattern; threshold: type both, track by_dst, count 1, seconds 120; reference:url,www.icebrg.io/index.php?p=blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; reference:url,www.icebrg.io/blog/more-extensions-more-money-more-problems; classtype:trojan-activity; sid:2025221; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2018_06_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET EXPLOIT REDIS Attemted SSH Authorized Key Writing Attempt"; flow:established,to_server; content:"*"; depth:1; content:"config"; content:"set"; distance:0; content:"|0D 0A|dbfilename|0D 0A|"; distance:0; content:"|0D 0A|authorized_keys|0D 0A|"; distance:0; reference:url,antirez.com/news/96; classtype:attempted-admin; sid:2023511; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_11_15, deployment Datacenter, signature_severity Major, tag SCAN_Redis_SSH, updated_at 2016_11_15;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cryptocurrency Miner Checkin"; flow:established,to_server; content:"|7b 22|id|22 3a|"; nocase; depth:6; content:"|22|jsonrpc|22 3a|"; nocase; distance:0; content:"|22 2c 22|method|22 3a 22|login|22 2c 22|params|22 3a|"; fast_pattern; content:"|22|pass|22 3a 22|"; nocase; content:"|22|agent|22 3a 22|"; nocase; content:!"<title"; nocase; content:!"<script"; nocase; content:!"<html"; nocase; classtype:policy-violation; sid:2024792; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2018_06_15;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET EXPLOIT REDIS Attempted SSH Key Upload"; flow:established,to_server; content:"*"; depth:1; content:"|0D 0A|set|0D 0A|"; content:"ssh-rsa "; distance:0; reference:url,antirez.com/news/96; classtype:attempted-admin; sid:2023512; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_11_15, deployment Datacenter, signature_severity Major, tag SCAN_Redis_SSH, updated_at 2016_11_15;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Nov 20 2014"; flow:established,from_server; file_data; content:"swfobject.embedSWF"; fast_pattern; pcre:"/^\s*?\(\s*?[\x22\x27]\/[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+\x3d(?:[a-z]+|[0-9]+)[\x22\x27]/Rs"; classtype:exploit-kit; sid:2019761; rev:5; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 eb 14 76 ac 55 37 6b 52|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023521; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Nov 20 2014"; flow:established,from_server; file_data; content:"swfobject.embedSWF"; fast_pattern; pcre:"/^\s*?\(\s*?[\x22\x27]\/(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?[\x22\x27]/Rs"; classtype:exploit-kit; sid:2019762; rev:4; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 82 eb e4 e6 d5 39 9c 05|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023522; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET DELETED Job314/Neutrino Reboot EK Flash Exploit Nov 20 2014"; flow:established,to_server; content:"x-flash-version|3a|"; fast_pattern:only; http_header; pcre:"/^\/(?:[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)$/U"; pcre:"/^Referer\x3a[^\r\n]+\x3a\d+\/(?:[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,3}|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3})/Hm"; classtype:exploit-kit; sid:2019763; rev:9; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy CnC Beacon"; flow:established,to_server; content:"|8a 00 d1 00 8a 00 6a 00|"; depth:8; reference:url,citizenlab.org/2016/11/parliament-keyboy/; reference:md5,8846d109b457a2ee44ddbf54d1cf7944; classtype:command-and-control; sid:2023527; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category MALWARE, malware_family KeyBoy, signature_severity Major, tag c2, updated_at 2016_11_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Evil Flash Redirector to Job314/Neutrino Reboot EK"; flow:established,to_server; content:"POST"; http_method; content:".php?item="; http_uri; content:"&sort="; http_uri; content:".swf?item="; http_header; fast_pattern:only; content:"photo="; http_client_body; depth:6; classtype:exploit-kit; sid:2019908; rev:3; metadata:created_at 2014_12_11, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Chthonic CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|res1allenia.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023528; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Jan 27 2015"; flow:established,from_server; file_data; content:"name=|22|movie|22|"; fast_pattern; pcre:"/^\s*?value\s*?=\s*?[\x22\x27]\/[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+\x3d(?:[a-z]+|[0-9]+)[\x22\x27]/Rs"; classtype:exploit-kit; sid:2020320; rev:6; metadata:created_at 2015_01_28, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Chthonic MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|digtheromb.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023530; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Jan 27 2015"; flow:established,from_server; file_data; content:"name=|22|movie|22|"; fast_pattern; pcre:"/^\s*?value\s*?=\s*?[\x22\x27]\/(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?[\x22\x27]/Rs"; classtype:exploit-kit; sid:2020321; rev:5; metadata:created_at 2015_01_28, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Unknown Redirector Nov 17 2016"; flow:from_server,established; file_data; content:"<script>"; content:".indexOf(|22|_mauthtoken|22|)=="; distance:0; content:"|22|ooglebot|22|"; content:"|7c|fennec|7c|"; content:"|22|_mauthtoken=1|3b| path=/|3b|expires=|22|"; fast_pattern; reference:url,labs.sucuri.net/?note=2016-11-17; classtype:trojan-activity; sid:2023531; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_18, deployment Perimeter, signature_severity Major, tag Android, updated_at 2016_11_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET DELETED Job314/Neutrino Reboot EK Payload Nov 20 2014"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"Windows NT"; fast_pattern:only; http_header; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method; pcre:"/^\/(?:[a-z]+\.[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)$/U"; classtype:exploit-kit; sid:2020388; rev:9; metadata:created_at 2015_02_10, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Unknown Landing URI Nov 17 2016"; flow:to_server,established; content:"/kt/JpNx9n"; http_uri; pcre:"/\/kt\/JpNx9n$/U"; reference:url,labs.sucuri.net/?note=2016-11-17; classtype:trojan-activity; sid:2023532; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_18, deployment Perimeter, signature_severity Major, tag Android, updated_at 2016_11_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Aug 02 2015"; flow:established,from_server; file_data; content:"value=|22|#ffffff|22|"; content:!".swf"; nocase; content:"<html>"; pcre:"/^\s*?<body>\s*?<script>(?:\s*var\s+[a-z]+\s*?=\s*?\d+\s*?\x3b\s*?)*?\s*?<\/script>/Rs"; content:"<object"; pcre:"/^(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22(?![^\x22]+\.[Ss][Ww][Ff])[^\x22]*?\x22/Rs"; content:"</object>"; distance:0; pcre:"/^\s*?<\/body>\s*?\s*?<\/html>\s*?$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2021587; rev:6; metadata:created_at 2015_08_04, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sweatmeat.pw"; distance:1; within:13; classtype:domain-c2; sid:2023537; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Flash Exploit M2 Aug 02 2015"; flow:from_server,established; flowbits:isset,ET.Neutrino; content:"nginx"; http_header; nocase; file_data; content:"CWS"; fast_pattern; within:3; classtype:exploit-kit; sid:2021588; rev:4; metadata:created_at 2015_08_04, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:established,from_server; content:"|09 00 b8 d7 6d 5b 44 1a 9f 0a|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023542; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Flash Exploit M3 Aug 02 2015"; flow:from_server,established; flowbits:isset,ET.Neutrino; content:"nginx"; http_header; nocase; file_data; content:"ZWS"; fast_pattern; within:3; classtype:exploit-kit; sid:2021589; rev:6; metadata:created_at 2015_08_04, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Tuhkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|biszweater.pw"; distance:1; within:14; classtype:domain-c2; sid:2023538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Job314/Neutrino EK Flash Exploit M1 Aug 02 2015 (IE)"; flow:to_server,established; content:"x-flash-version|3a|"; http_header; fast_pattern:only; content:!".swf"; http_uri; nocase; content:!".flv"; http_uri; nocase; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?:[a-z\d+]*?[A-Z])(?:[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?!www\.)(?P<refhost>[^\x3a\x2f\r\n]+)(?:\x3a\d{1,5})?\/(?:[a-z]{3,20}\/(?:(?:[a-z\d+]*?[A-Z])(?:[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)\r\n.*?Host\x3a\x20(?P=refhost)/Hsi"; content:!"Cookie|3a 20|"; classtype:exploit-kit; sid:2021590; rev:7; metadata:created_at 2015_08_04, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|coinf333.info"; distance:1; within:14; classtype:domain-c2; sid:2023539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET ![80,8080,3128,3129] (msg:"ET DELETED Job314/Neutrino Reboot EK Payload Aug 19 2015"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"Windows NT"; fast_pattern:only; http_header; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?:[a-z\d+]*?[A-Z])(?:[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U"; pcre:"/^Host\x3a[^\r\n]*?\x3a(?!(80(?:80)|312[89]))\d+\r$/Hm"; classtype:exploit-kit; sid:2021694; rev:6; metadata:created_at 2015_08_19, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 bc 7c af f0 e8 ee 0f e8|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Oct 19 2015"; flow:established,from_server; file_data; content:!".swf"; content:"<html>"; pcre:"/^\s*?\r?\n\s*?<body>\s*?\r?\n\s*?<script>\s*\r?\n\s*?<\/script>/Rs"; content:"value=|22|#ffffff|22|"; content:"<object"; pcre:"/^(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22(?![^\x22]+\.[Ss][Ww][Ff])[^\x22]*?\x22/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2021969; rev:4; metadata:created_at 2015_10_19, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC)"; flow:established,from_server; content:"|09 00 e7 1f b0 eb b2 ae 21 70|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023541; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Jan 07 2015"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"value=|22|#ffffff|22|"; nocase; content:"<html>"; pcre:"/^\s*?<body>\s*?<script>(?:\s*var\s+[a-z]+\s*?=\s*?\d+\s*?\x3b\s*?){3,}\s*?<\/script>/Rs"; content:"<object"; pcre:"/^(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)\x22/Rsi"; content:"</object>"; distance:0; pcre:"/^\s*?<\/body>\s*?\s*?<\/html>\s*?$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025040; rev:4; metadata:created_at 2016_01_08, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FlokiBot CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; content:"|55 04 03|"; distance:0; content:"|08|uspal.cf"; distance:1; within:9; reference:md5,3ddf657800e60a57b884b87e1e8a987c; classtype:domain-c2; sid:2023536; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Job314/Neutrino Reboot EK Flash Exploit Jan 07 2015 M1"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern; content:!"|0d 0a|Cookie|3a|"; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)$/U"; pcre:"/Host\x3a\x20(?P<host>[^\x3a\r\n]+)(?:\x3a\d{1,5})?\r\n.*?Referer\x3a\x20http\x3a\x2f\x2f(?P=host)\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)\r\n/Hsi"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025041; rev:3; metadata:created_at 2016_01_08, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 a7 15 36 3b e0 82 35 9b|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023543; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Job314/Neutrino Reboot EK Flash Exploit Jan 07 2015 M2"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern; content:!"|0d 0a|Cookie|3a|"; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|(?=[a-z]*\d+[a-z]+\d)(?=\d*[a-z]+\d+[a-z])[a-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f\x2f(?P<host>[^\r\n\x3a\x2f]+)(?:\x3a\d{1,5})?\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)\r\n.*?Host\x3a\x20(?P=host)(?:\x3a\d{1,5})?\r\n/Hsi"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025042; rev:4; metadata:created_at 2016_01_08, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/VB.SDB CnC Beacon"; flow:established,to_server; content:"Auth"; depth:4; content:"|20 40 20|"; distance:0; content:"|5c 23 2f|Microsoft|20|"; distance:0; fast_pattern; reference:md5,5a9a8502b87ce1a6a608debd10761957; reference:url,securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/; classtype:command-and-control; sid:2023544; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2016_11_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing May 31 2016"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"value=|22|#ffffff|22|"; nocase; content:"<html>"; pcre:"/^\s*?<body>\s*?<object(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)\x22/Rsi"; content:"</object>"; distance:0; pcre:"/^\s*?<\/body>\s*?\s*?<\/html>\s*?$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025043; rev:3; metadata:created_at 2016_05_31, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate Detected (Gootkit CnC)"; flow:from_server,established; content:"|09 00 c7 52 05 4b 9d 0e f6 96|"; content:"|55 04 03|"; content:"|09|localhost"; distance:1; within:10; reference:md5,fa224c69088cc331a6b30bc5069fa9d5; classtype:domain-c2; sid:2023550; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; content:"bgcolor"; content:"<html>"; pcre:"/^\s*?<body>(?:\s*<\/?[^\s\x2f>]+>\s*)*\s*?<object(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value=\x22#[a-f0-9]{6}\x22[^>]*?>\s*?\n\s*?<param(?=[^>]*?name\s*?=\s*?\x22allowScriptAccess\x22)[^>]*?value=\x22always\x22[^>]*?>\s*?\n\s*?).{1,1000}?\s<\/object>\s+<\/body>\s+<\/html>\s*$/Rs"; content:" name"; pcre:"/^\s*=\s*(?P<var1>[\x22\x27][a-z]+[\x22\x27]).+?\sid\s*=\s*(?P=var1)/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025044; rev:3; metadata:created_at 2016_06_11, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M5"; flow:to_server,established; content:"POST"; http_method; content:"/wp-"; http_uri; depth:4; content:".php"; http_uri; content:"usr="; nocase; depth:4; http_client_body; fast_pattern; content:"&pss="; nocase; http_client_body; distance:0; classtype:credential-theft; sid:2031561; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_11_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M2"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"|3c 2f 73 63 72 69 70 74 3e 0a 3c 6f 62 6a 65 63 74|"; within:150; pcre:"/^(?=[^\r\n]*d27cdb6e-ae6d-11cf-96b8-444553540000)[^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P<var>[a-z]+)[\x22\x27][^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P=var)[\x22\x27][^\r\n]*>[\r\n]+(?P<spc>\s+)<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22bgcolor\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22allowScriptAccess\x22)[^\r\n]*>[\r\n]+(?P=spc)<embed(?=[^\r\n]*\ssrc\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27])[^\r\n]+[\r\n]*<\/object>\s*<\/body>\s*<\/html>\s*$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025045; rev:3; metadata:created_at 2016_06_12, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Flokibot CnC)"; flow:from_server,established; content:"|09 00 9c 56 80 8c 3d 64 03 c6|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023554; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_29, deployment Perimeter, former_category MALWARE, malware_family Flokibot, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M2"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"<script>"; within:500; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>\s*<object(?=[^\r\n]*d27cdb6e-ae6d-11cf-96b8-444553540000)[^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P<var>[a-z]+)[\x22\x27][^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P=var)[\x22\x27][^\r\n]*>[\r\n]+(?P<spc>\s+)<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22bgcolor\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22allowScriptAccess\x22)[^\r\n]*>[\r\n]+(?P=spc)<embed(?=[^\r\n]*\ssrc\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27])[^\r\n]+[\r\n]*<\/object>\s*<\/body>\s*<\/html>\s*$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025046; rev:3; metadata:created_at 2016_06_24, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|dnsapis.net"; distance:1; within:12; classtype:domain-c2; sid:2023555; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_29, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M3"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; fast_pattern:only; content:"<object"; content:"  <param"; distance:0; pcre:"/^[^>]*name\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"movie"; content:"value"; pcre:"/^\s*=\s*[\x22\x27]\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)[\x22\x27]/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025047; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|msg.capital"; distance:1; within:12; classtype:domain-c2; sid:2023556; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_29, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M4 (with URI Primer)"; flow:established,from_server; flowbits:isset,Neutrino.URI.Primer; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; fast_pattern:only; content:"movie"; content:"value"; pcre:"/^\s*=\s*[\x22\x27]\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|(?=[a-z]*\d+[a-z]+\d)(?=\d*[a-z]+\d+[a-z])[a-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)[\x22\x27]/R"; content:"bgcolor"; nocase; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025048; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_06_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Check-in 2"; flow:established,to_server; dsize:69; content:"|41 00 00 00 83|"; depth:5; flowbits:set,ET.NetwireRAT.Client; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:2025035; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category TROJAN, malware_family Netwire_RAT, signature_severity Major, updated_at 2017_11_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Landing Jul 04 2016 M1"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; content:"name"; pcre:"/^\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"|62 5f 39 34 38 38 33 66 36 34 35 33 31 65 65 37 62 31 37 61 37 33 62 38 32 33 66 5f 63 31 61 36 63 63 36 36 37 65|"; fast_pattern; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025049; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Netwire RAT Check-in 2"; flow:established,to_client; dsize:69; content:"|41 00 00 00 85|"; depth:5; flowbits:isset,ET.NetwireRAT.Client; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:2025036; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category TROJAN, malware_family Netwire_RAT, signature_severity Major, updated_at 2017_11_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Landing Jul 04 2016 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; content:"name"; pcre:"/^\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"|3c 68 31 3e 62 6c 61 63 6b 62 6f 78 3c 2f 68 31 3e|"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025050; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Firefox 0-day used against TOR browser Nov 29 2016 M1"; flow:established,from_server; file_data; content:"|66 69 6e 64 50 6f 70 52 65 74|"; nocase; content:"|66 69 6e 64 53 74 61 63 6b 50 69 76 6f 74|"; nocase; content:"|56 69 72 74 75 61 6c 41 6c 6c 6f 63|"; nocase; content:"|72 6f 70 43 68 61 69 6e|"; nocase; content:"|6b 65 72 6e 65 6c 33 32 2e 64 6c 6c|"; nocase; reference:url,arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/; classtype:attempted-admin; sid:2023559; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Firefox, attack_target Client_Endpoint, created_at 2016_11_30, deployment Perimeter, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_11_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Landing Jul 04 2016 M3"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; content:"name"; pcre:"/^\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"value"; pcre:"/^\s*=\s*[\x22\x27]\/[^\x22\x27]*\.html\.swf[\x22\x27]/R"; content:".html.swf"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025051; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Firefox 0-day used against TOR browser Nov 29 2016 M2"; flow:established,from_server; file_data; content:"|72 6f 70 43 68 61 69 6e 28 72 6f 70 42 61 73 65 2c 76 74 61 62 6c 65 5f 6f 66 66 73 65 74 2c 31 30 2c 72 6f 70 41 72 72 42 75 66 29 3b|"; nocase; reference:url,arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/; classtype:attempted-admin; sid:2023560; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Firefox, attack_target Client_Endpoint, created_at 2016_11_30, deployment Perimeter, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_11_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M1"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P<space>[\s\r\n]+)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025052; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_07, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,from_server; file_data; content:"|43 6f 6c 6c 65 63 74 47 61 72 62 61 67 65|"; nocase; content:"|73 70 72 61 79 48 65 61 70|"; nocase; content:"|73 65 74 41 64 64 72 65 73 73|"; nocase; content:"|30 78 63 36 62 65 63|"; nocase; content:"|30 78 46 46 46 46 30 30 30 30|"; nocase; classtype:attempted-admin; sid:2023568; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_30, deployment Perimeter, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_11_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025053; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,from_server; file_data; content:"|77 72 69 74 65 4e 28 72 6f 70 61 64 64 72 20 2b 20 69 20 2a 20 34 2c 20 72 6f 70 5b 69 5d 2c 20 34 29 3b|"; classtype:attempted-admin; sid:2023569; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_30, deployment Perimeter, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_11_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M3"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025054; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zeus OPENSSL Banker Malicious SSL Certificate Detected"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a0 c9 ee 35 a4 1c 6f 74|"; distance:0; content:"|55 04 06|"; distance:0; content:"|02|AU"; distance:1; within:3; reference:md5,a8139f8c2547f11522c3d7d58b90c422; classtype:domain-c2; sid:2023590; rev:2; metadata:attack_target Client_and_Server, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M4"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025055; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zeus OPENSSL Banker Malicious SSL Certificate Detected"; flow:from_server,established; content:"|55 04 03|"; content:"|0B|fleil42.com"; distance:1; within:12; reference:md5,50ede75eb74a0a795500cc7b8c6c9f54; classtype:domain-c2; sid:2023591; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M5"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025056; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Tepfer.InfoStealer CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/scan.php"; fast_pattern:only; http_uri; content:!"Referer|3A|"; http_header; content:"="; http_client_body; depth:10; reference:md5,6e715fe727f927bc76e923d2e524d1e3; classtype:command-and-control; sid:2018415; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_04_24, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_12_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M6"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025057; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ISearchTech.com XXXPornToolbar Activity (MyApp)"; flow: to_server,established; content:" MyApp|0d 0a|"; http_header; fast_pattern:only; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/2001492; classtype:trojan-activity; sid:2001492; rev:39; metadata:created_at 2010_07_30, updated_at 2016_12_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M7"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P<space>[\s\r\n]+)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025058; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|izaberiauto.com"; distance:1; within:16; classtype:domain-c2; sid:2023593; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_08, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M8"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025059; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"redim "; nocase; fast_pattern; pcre:"/^\s*?Preserve/Rsi"; content:"<script "; nocase; pcre:"/^[^>]*?(?:language\s*?=\s*?[\x22\x27]vbscript[\x22\x27]|type\s*?=\s*?[\x22\x27]text\/vbscript[\x22\x27])/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019706; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_14, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_12_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Downloading Jar"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/m"; http_uri; content:"?l"; http_uri; distance:0; pcre:"/\/m[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2016551; rev:9; metadata:created_at 2013_03_08, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert tcp any 443 -> any any (msg:"ET MALWARE Potential Sefnit C2 traffic (from server)"; flow: from_server,established; content:"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1"; classtype:command-and-control; sid:2018449; rev:8; metadata:created_at 2014_05_05, former_category MALWARE, updated_at 2016_12_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"h"; depth:1; http_client_body; content:"="; within:12; http_client_body; content:"&p"; distance:24; within:2; http_client_body; pcre:"/^h[a-z0-9]{0,10}\x3d[a-f0-9]{24}&p[a-z0-9]{0,10}\x3d[a-z0-9]{1,11}&i/P"; classtype:exploit-kit; sid:2016562; rev:8; metadata:created_at 2013_03_12, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 98 ea a6 c4 99 a7 b3 f7|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023639; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data April 12 2013"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/c"; http_uri; depth:2; pcre:"/^\/c[a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; content:"p"; depth:1; http_client_body; pcre:"/^p[a-z0-9]{0,20}\x3d[a-z0-9]{1,20}&i[a-z0-9]{0,20}\x3d%[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016753; rev:11; metadata:created_at 2013_04_13, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 33434 (msg:"ET INFO Noction IRP Probe"; flow:stateless; flags:SP; content:"|4E 4F 43 54 49 4F 4E 20 49 52 50|"; reference:url,www.noction.com/faq; classtype:bad-unknown; sid:2023640; rev:1; metadata:created_at 2016_12_14, deployment Perimeter, performance_impact Low, signature_severity Minor, updated_at 2016_12_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK Plugin-Detect April 12 2013"; flow:established,from_server; file_data; content:"PluginDetect"; fast_pattern:only; nocase; content:"$(document).ready"; content:"function"; distance:0; pcre:"/\x28[\r\n\s]*?(?P<qa1>[\x22\x27]?)[a-f0-9]{24}(?P=qa1)[\r\n\s]*?,[\r\n\s]*?(?P<qa2>[\x22\x27]?)[a-z0-9]{1,20}(?P=qa2)[\r\n\s]*?/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016756; rev:7; metadata:created_at 2013_04_13, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .pif"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset 2; content:".pif"; distance:-4; within:4; reference:url,doc.emergingthreats.net/2001407; classtype:suspicious-filename-detect; sid:2001407; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data May 15 2013"; flow:established,to_server; content:"POST"; nocase; http_method; pcre:"/^\/[a-z][a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; pcre:"/^Referer\x3a[^\r\n]+[?&][a-z]+=\d+\r$/Hmi"; content:"=%25"; http_client_body; pcre:"/=%25[0-9A-F]{2}%25[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016853; rev:16; metadata:created_at 2013_05_16, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
 
-#alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .scr"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset 2; content:".scr"; distance:-4; within:4; reference:url,doc.emergingthreats.net/2001408; classtype:suspicious-filename-detect; sid:2001408; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK Plugin-Detect 2 May 20 2013"; flow:established,from_server; file_data; content:"encodeURIComponent(xor(JSON.stringify"; fast_pattern:8,20; content:"PluginDetect.getVersion"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016868; rev:15; metadata:created_at 2013_05_21, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Edge SmartScreen Page Spoof Attempt Dec 16 2016"; flow:from_server,established; file_data; content:"ms-appx-web|3a|//"; fast_pattern; nocase; content:"microsoftedge"; nocase; distance:0; content:"/assets/errorpages/"; nocase; distance:0; content:"BlockedDomain="; nocase; distance:0; reference:url,www.brokenbrowser.com/spoof-addressbar-malware/; classtype:social-engineering; sid:2023657; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2016_12_16, deployment Perimeter, former_category PHISHING, malware_family Tech_Support_Scam, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_12_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format"; flow:established,to_server; content:"GET"; http_method; content:"/a"; depth:2; http_uri; pcre:"/^\/a[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?q[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2016975; rev:4; metadata:created_at 2013_06_05, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET DELETED Butterfly/Mariposa Bot client init connection"; dsize:21; content:"|18|"; depth:1; content:"|00 00|"; distance:16; flowbits:set,ET.ButterflyJoin; flowbits:noalert; classtype:trojan-activity; sid:2011295; rev:9; metadata:created_at 2010_09_28, updated_at 2016_12_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format July 04 2013"; flow:established,to_server; content:"GET"; http_method; content:"/s"; depth:2; http_uri; pcre:"/^\/s[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?d[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017104; rev:5; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:!"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; pcre:"/^.{2}[A-Z][a-z]+(?:\x27[a-z]+|(?:\x20[A-Z][a-z]+){1,2})?[01]/Rs"; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+)\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,7,1,relative; pcre:"/^.{2}(?:(?:\d[A-Z]?|[A-Z]\d?)[a-z]{6,20}|[A-Z]?[a-z]{3,7}\d[a-z]{3,7})\.(?:(?:\d[A-Z]?|[A-Z]\d?)[a-z]{6,20}|[A-Z]?[a-z]{3,7}\d[a-z]{3,7})\.(?!(?:com|net|org)[01])[a-z]{2,}[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022627; rev:12; metadata:attack_target Client_and_Server, created_at 2016_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format Sep 30 2013"; flow:established,to_server; content:"GET"; http_method; content:"/k"; depth:2; http_uri; content:"?e"; http_uri; pcre:"/^\/k[a-z]{4,13}\?e[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017266; rev:8; metadata:created_at 2013_08_01, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [6789] (msg:"ET MALWARE Possible Linux.Mirai DaHua Default Credentials Login"; flow:to_server,established; content:"888888|0d 0a|888888"; depth:14; content:"busybox telnetd -p"; distance:0; reference:url,isc.sans.edu/diary/21833; classtype:attempted-admin; sid:2023674; rev:1; metadata:attack_target IoT, created_at 2016_12_20, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2016_12_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format Sep 19 2013"; flow:established,to_server; content:"GET"; http_method; content:"/g"; depth:2; http_uri; content:"?t"; http_uri; distance:0; pcre:"/^\/g[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?t[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017491; rev:6; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Cerber Bitcoin Address Check"; flow:to_server,established; content:"/api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_="; http_uri; nocase; fast_pattern:20,20; content:!"Referer"; http_header; content:!"|0d 0a|Cookie|3a 20|"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; http_header; reference:url,www.bleepingcomputer.com/news/security/cerber-ransomware-4-10-now-shows-the-version-number-in-ransom-notes/; classtype:trojan-activity; sid:2023676; rev:2; metadata:created_at 2016_12_20, former_category TROJAN, updated_at 2017_07_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Exploit Download Sep 19 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/r"; http_uri; content:"?j"; http_uri; distance:0; pcre:"/\/r[a-z]+?\?j[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017492; rev:5; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M5"; flow:from_server,established; flowbits:isset,et.IE7.NoRef.NoCookie; content:"Content-Type|3a 20|text/javascript"; file_data; pcre:"/^(?P<v1>\S{1,100})\s+(?P<v2>\S{1,100})\s+=\s+\x22\x22\x3b\s+(?P=v2)\s+\+\=\s+\x27(?P=v1).+?(?P=v1)\x27\x3b.+?(?P=v2)\s\+=\s[\x22\x27].+?(?P=v2)\s\+=\s[\x22\x27].+?(?P=v2)\s\+=\s[\x22\x27].+?(?P=v2)\s\+=\s[\x22\x27]/R"; classtype:trojan-activity; sid:2023673; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, malware_family Trojan_Kwampirs, signature_severity Major, updated_at 2016_12_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download Sep 19 2013"; flow:established,to_server; content:"Java/1."; fast_pattern:only; http_user_agent; content:"/f"; http_uri; content:"?j"; http_uri; distance:0; pcre:"/\/f[a-z]+?\?j[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017493; rev:5; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Ransomware Checkin"; flow:established,to_server; content:"/index.html"; http_uri; content:"POST"; http_method; content:!"User-Agent|3a| "; http_header; content:"application/octet-stream|0d 0a 0d 0a|"; http_client_body; content:"/"; http_client_body; distance:2; within:1; pcre:"/filename=\x22\d+?\x22/P"; classtype:trojan-activity; sid:2016185; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2016_12_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format Oct 15 2013"; flow:established,to_server; content:"GET"; http_method; content:"/o"; depth:2; http_uri; content:"?h"; http_uri; pcre:"/^\/o[a-z]{4,13}\?h[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017593; rev:8; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Tinba DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|03|com"; distance:15; within:4; fast_pattern; content:"|0c|"; distance:-17; within:1; pcre:"/^[a-z]{12}/R"; threshold: type both, track by_src, count 50, seconds 10; content:!"|08|sophosxl|03|"; reference:md5,1044af21a7c4cbc291ab418a47de52b4; reference:url,seculert.com/blog/2014/09/tiny-tinba-trojan-could-pose-big-threat.html; reference:url,garage4hackers.com/entry.php?b=3086; classtype:trojan-activity; sid:2019230; rev:2; metadata:created_at 2014_09_24, updated_at 2014_09_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Exploit Download Oct 15 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/b"; http_uri; content:"?n"; http_uri; distance:0; pcre:"/\/b[a-z]+?\?n[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017594; rev:9; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 b9 dc 45 b2 1c 85 40 25|"; content:"|55 04 03|"; distance:0; content:"|04|host"; distance:1; within:5; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023689; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download Oct 15 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/v"; http_uri; content:"?n"; http_uri; distance:0; pcre:"/\/v[a-z]+?\?n[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017595; rev:10; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET ![25,587,6666:7000,8076] (msg:"ET POLICY IRC Channel JOIN on non-standard port"; flow:to_server,established; dsize:<64; content:"JOIN "; nocase; depth:5; pcre:"/&|#|\+|!/R"; reference:url,doc.emergingthreats.net/bin/view/Main/2000348; classtype:trojan-activity; sid:2000348; rev:15; metadata:created_at 2010_07_30, updated_at 2017_01_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK XORed pluginDetect 1"; flow:established,to_client; file_data; content:"M%01%06%00%18%02%11"; within:19; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017596; rev:4; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 6892 (msg:"ET MALWARE W32/Cerber.Ransomware CnC Checkin M4"; dsize:14; pcre:"/^[a-f0-9]{14}$/"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,1f41be13d5d19e1a5c76b6d7256a8df4; reference:md5,6707e861e377409bd1037452c7c5fa74; classtype:command-and-control; sid:2023695; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category MALWARE, malware_family Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_01_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK XORed pluginDetect 2"; flow:established,to_client; file_data; content:"_%11%11%16%0A%12%06"; within:19; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017597; rev:4; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoreFlooder.Q Data Posting"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/upload"; nocase; http_uri; content:"file="; nocase; http_uri; content:"&id="; http_uri; nocase; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCOREFLOOD%2EQ; reference:url,doc.emergingthreats.net/2008352; classtype:trojan-activity; sid:2008352; rev:10; metadata:created_at 2010_07_30, updated_at 2017_01_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET DELETED Possible Neutrino EK Landing URI Format Nov 1 2013"; flow:established,to_server; urilen:18<>37; content:"GET"; http_method; content:"?"; http_uri; offset:6; depth:11; content:"="; http_uri; distance:5; within:8; pcre:"/^\/[a-z]{5,14}\?[a-z]{5,12}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017652; rev:9; metadata:created_at 2013_11_01, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) Observed in SunDown EK 1"; flow:established,to_client; file_data; content:"0x1DA2F5"; fast_pattern; nocase; content:"0x1DA2CB"; nocase; distance:0; content:"getPrototypeOf"; nocase; content:".__proto__"; nocase; content:"Symbol.species"; reference:cve,2016-7200; reference:url,malware.dontneedcoffee.com/2017/01/CVE-2016-7200-7201.html; classtype:attempted-user; sid:2023700; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2017_01_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Exploit/Payload Download Nov 1 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; pcre:"/^\/[a-z]{5,14}\?[a-z]{5,12}=[a-z]{6,11}$/U"; reference:url,pastebin.com/194D8UuK; classtype:exploit-kit; sid:2017653; rev:15; metadata:created_at 2013_11_01, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) Observed in SunDown EK 2"; flow:established,to_client; file_data; content:"rop.length"; fast_pattern; nocase; content:"Write64"; nocase; distance:0; pcre:"/^\s*\x28\s*retPtrAddr\.add\s*\x28\s*i\s*\*\s*8\s*\x29\s*,\s*rop\s*\x5b/Rsi"; reference:cve,2016-7200; reference:url,malware.dontneedcoffee.com/2017/01/CVE-2016-7200-7201.html; classtype:attempted-user; sid:2023701; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2017_01_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Redirect to Neutrino EK goi.php Nov 4 2013"; flow:established,to_server; urilen:8; content:"/goi.php"; http_uri; classtype:exploit-kit; sid:2017661; rev:4; metadata:created_at 2013_11_04, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B642"; flow:established,from_server; file_data; content:"RyaWdnZXJGaWxsRnJvbVByb3RvdHlwZXNCdW"; classtype:trojan-activity; sid:2023703; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2017_01_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK Landing Page Dec 09 2013"; flow:from_server,established; file_data; content:".charCodeAt("; fast_pattern; pcre:"/^[^\)]+\)[\r\n\s]*?\^[\r\n\s]*?[\w\.\_\-]*?\.charCodeAt\([^\)]+\)[\r\n\s]*?\,/Rsi"; content:"Math.floor"; content:"$(document).ready"; content:"decodeURIComponent"; pcre:"/^[\r\n\s]*?\,/Rsi"; content:"+= |22 22|"; content:"+= |22 22|"; distance:0; classtype:exploit-kit; sid:2017824; rev:4; metadata:created_at 2013_12_10, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B643"; flow:established,from_server; file_data; content:"UcmlnZ2VyRmlsbEZyb21Qcm90b3R5cGVzQnVn"; classtype:trojan-activity; sid:2023704; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2017_01_06;)
+#alert tcp $EXTERNAL_NET 8000 -> $HOME_NET any (msg:"ET DELETED Possible Neutrino EK SilverLight Exploit Jan 11 2014"; flow:established,from_server; file_data; content:"AppManifest.xaml"; content:"dig.dll"; nocase; fast_pattern:only; pcre:"/\bdig\.dll\b/"; classtype:exploit-kit; sid:2017958; rev:3; metadata:created_at 2014_01_11, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert udp $HOME_NET 5351 -> [!224.0.0.1,$EXTERNAL_NET] any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response to External Network"; dsize:12; content:"|80 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019490; rev:3; metadata:created_at 2014_10_22, updated_at 2017_01_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET DELETED Possible Neutrino EK IE/Silverlight Payload Download"; flow:established,to_server; content:"WinHttp.WinHttpRequest."; http_header; pcre:"/^\/[a-z]+?\?[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017971; rev:11; metadata:created_at 2014_01_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING PDF Containing Subform with JavaScript"; flow:established,to_client; file_data; content:"%PDF"; within:4; content:"subform"; nocase; distance:0; fast_pattern; content:"script"; nocase; distance:0; reference:cve,2017-2962; classtype:attempted-user; sid:2014154; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag DriveBy, updated_at 2017_01_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Likely Neutrino EK or other EK IE Flash request to DYNDNS set non-standard filename"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:d(?:yndns\.[a-z]{2,3}|esi)|c(?:ricket|a?fe?)|(?:lin|wor)k|s(?:u|pace)|accountant|t(?:k|op)|g[aq]|xyz|ml|pw)(?:\x3a\d{1,5})?\r$/Hmi"; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; classtype:exploit-kit; sid:2021752; rev:14; metadata:created_at 2015_09_09, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) Observed in SunDown EK 3"; flow:established,from_server; file_data; content:"|66 75 6e 63 74 69 6f 6e 20 54 72 69 67 67 65 72 46 69 6c 6c 46 72 6f 6d 50 72 6f 74 6f 74 79 70 65 73 42 75 67 28 6c 6f 2c 20 68 69 29|"; nocase; content:"|63 68 61 6b 72 61 42 61 73 65 2e 61 64 64|"; nocase; content:"|73 68 63 6f 64 65 41 64 64 72 2e 61 6e 64|"; nocase; classtype:exploit-kit; sid:2023699; rev:3; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, former_category EXPLOIT, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2017_01_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Landing Landing URI Struct (fb set)"; flow:to_server,established; content:!"Cookie|3a|"; content:"Windows NT"; http_header; fast_pattern:only; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method; pcre:"/^User-agent\x3a\x20[^\r\n]*?(?:MSIE|rv\x3a11|Edge\/)/Hmi"; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U"; content:!"Cookie|3a|"; flowbits:set,Neutrino.URI.Primer; flowbits:noalert; classtype:exploit-kit; sid:2025064; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_06_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, tag Neutrino, updated_at 2020_08_20;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert"; flow:established,from_server; content:"|00 dd 45 ec 3f 08 74 58 6a|"; content:"|0a|Department"; distance:0; content:"|55 04 03|"; distance:0; content:"|0f|www.example.com"; distance:1; within:16; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:command-and-control; sid:2023708; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_01_09, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2017_01_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Page"; flow:established,from_server; file_data; content:".javaEnabled"; content:"f1=true"; nocase; fast_pattern:only; content:"window."; nocase; pcre:"/^(?P<windname>[a-z0-9]+)(?P<plug1>([sj]|f1))=true.+?window\.(?P=windname)(?P<plug2>(?:(?!(?P=plug1))([sj]|f1)))=true.+?window\.(?P=windname)(?!(?:(?P=plug1)|(?P=plug2)))(?:[sj]|f1)=true/Rsi"; classtype:exploit-kit; sid:2017569; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO ATF file in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"|41 54 46|"; within:3; flowbits:set,ET.atf.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023714; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_01_10, deployment Perimeter, updated_at 2017_01_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Payload Download"; flow:established,to_server; urilen:15; content:"Java/1."; http_header; content:"/1"; depth:2; http_uri; pcre:"/^\/1[a-z0-9]{13}$/U"; classtype:exploit-kit; sid:2017571; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe FDF in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"%FDF-"; within:5; flowbits:set,ET.fdf.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023715; rev:2; metadata:affected_product Adobe_Reader, attack_target Client_Endpoint, created_at 2017_01_10, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_01_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|7c 68 a3 34 36|"; within:5; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017630; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v2"; flow:to_server,established; content:"|FE|SMB|40 00|"; offset:4; depth:6; content:"|05 00|"; distance:6; within:2; content:"|00|.|00|l|00|o|00|c|00|k|00|y|00 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022639; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2017_01_10, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Flash Exploit"; flow:established,to_server; urilen:15; content:"/0"; depth:2; http_uri; pcre:"/^GET \/0(?P<baseuri>[a-z0-9]{10})[a-z0-9]{3} HTTP\/1\.[01]\r\n.*?Referer\x3a http\x3a\/\/[^\/]+?\/(?P=baseuri)\r\n/s"; classtype:exploit-kit; sid:2017695; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible IE/SilverLight GoonEK Payload Download"; flow:to_server,established; content:".mp3?rnd="; fast_pattern:only; http_uri; pcre:"/\/\d+\.mp3\x3frnd\x3d\d+$/U"; classtype:exploit-kit; sid:2017998; rev:8; metadata:created_at 2014_01_22, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Possible Flash/IE Payload"; flow:established,to_server; urilen:15; content:"/1"; depth:2; http_uri; pcre:"/^\/1[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:exploit-kit; sid:2017703; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Venom CnC Beacon"; flow:established,to_server; content:"|9e ab 49 31 08 53 b5 d4|"; depth:8; reference:url,security.web.cern.ch/security/venom.shtml; classtype:command-and-control; sid:2023716; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family Linux_Venom, signature_severity Major, tag c2, updated_at 2017_01_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Nov 18 2013"; flow:established,from_server; file_data; content:"<title>"; content:"soft apple."; fast_pattern; distance:0; content:"</title>"; distance:0; content:"AgControl.AgControl"; nocase; content:"Math.floor"; nocase; classtype:exploit-kit; sid:2017729; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2020_08_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|specadv.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023717; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Styx/Angler EK SilverLight Exploit"; flow:established,from_server; file_data; content:"PK"; within:2; content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml"; classtype:exploit-kit; sid:2017732; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|p.fmsacademy.it"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023718; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XOR'd Payload"; flow:from_server,established; file_data; content:"|7c 68 a3 34 36 36 37 38|"; within:8; classtype:exploit-kit; sid:2017809; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|17|sc.jacksburgershack.com"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023719; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Flash Exploit Dec 24 2013"; flow:established,to_server; urilen:15; content:"/4"; depth:2; http_uri; pcre:"/^GET \/4(?P<baseuri>[a-z0-9]{10})[a-z0-9]{3} HTTP\/1\.[01]\r\n.*?Referer\x3a http\x3a\/\/[^\/]+?\/(?P=baseuri)\r\n/s"; classtype:exploit-kit; sid:2017901; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|m.williamdegel.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023720; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Possible Flash/IE Payload Dec 24 2013"; flow:established,to_server; urilen:15; content:"/3"; depth:2; http_uri; pcre:"/^\/3[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:exploit-kit; sid:2017902; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|cdn.ui-data.cc"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023721; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Flash Exploit Dec 26 2013"; flow:established,to_server; content:"/4"; depth:2; http_uri; content:"?&xkey="; http_uri; content:"&exec=aHR0cDov"; http_uri; pcre:"/\/4[a-z0-9]{13}\?&xkey=/U"; classtype:exploit-kit; sid:2017904; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|baikalsecret.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023722; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014"; flow:established,to_client; file_data; content:"window.GetKey"; nocase; fast_pattern; content:"window.GetUrl"; nocase; content:"aHR0cDov"; distance:0; content:"#default#VML"; classtype:exploit-kit; sid:2017953; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|disaaxpalallow.me"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023723; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014 1"; flow:established,to_client; file_data; content:"ODAvM"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?ODAvM[a-zA-Z0-9\/\+]{18}(?:=|%3D)[\x22\x27]/R"; classtype:exploit-kit; sid:2017954; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|aucom.pw"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023724; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014 2"; flow:established,to_client; file_data; content:"4MC8x"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?4MC8x[a-zA-Z0-9\/\+]{18}(?:=|%3D){2}[\x22\x27]/R"; classtype:exploit-kit; sid:2017955; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|publicstats.tk"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023725; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014 3"; flow:established,to_client; file_data; content:"OjgwL"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?OjgwL[a-zA-Z0-9\/\+]{19}[\x22\x27]/R"; classtype:exploit-kit; sid:2017956; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Chthonic CnC)"; flow:established,from_server; content:"|09 00 e6 0c cf da 58 8f a7 b2|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023726; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (1) Jan 17 2013"; flow:established,to_client; file_data; content:"|2c 36 f4 6f 6d 6a 66 67|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017984; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert udp $HOME_NET any -> [$EXTERNAL_NET,!255.255.255.255] 69 (msg:"ET TFTP Outbound TFTP Read Request"; content:"|00 01|"; depth:2; reference:url,doc.emergingthreats.net/2008120; classtype:policy-violation; sid:2008120; rev:4; metadata:created_at 2010_07_30, updated_at 2017_01_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (2) Jan 17 2013"; flow:established,to_client; file_data; content:"|2c 3e f2 32 30 34 6e 68|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017985; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Andromeda download with fake Zip header (1)"; flow:to_client,established; file_data; content:"PK|03 04|"; within:4; byte_test:1,>,64,0,relative; classtype:trojan-activity; sid:2018575; rev:3; metadata:created_at 2014_06_17, updated_at 2014_06_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (3) Jan 17 2013"; flow:established,to_client; file_data; content:"|7d 6b f8 64 76 74 6e 66|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017986; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Andromeda download with fake Zip header (2)"; flow:to_client,established; file_data; content:"PK|03 04|"; within:4; byte_test:1,>,20,1,relative; classtype:trojan-activity; sid:2018576; rev:4; metadata:created_at 2014_06_17, updated_at 2017_01_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (4)"; flow:established,to_client; file_data; content:"|21 3b e3 70 65 6e 66 64|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017989; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pony DLL Download M2"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|59 55 49 50 57 44 46 49 4c 45 30 59 55 49 50 4b 44 46 49 4c 45 30 59 55 49 43 52 59 50 54 45 44 30 59 55 49|"; classtype:trojan-activity; sid:2023741; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_13, deployment Perimeter, malware_family Pony, signature_severity Major, updated_at 2017_01_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Page Feb 24 2014"; flow:from_server,established; file_data; content:"AgControl.AgControl"; nocase; fast_pattern:only; content:"parseInt"; nocase; content:"32"; pcre:"/^\W/R"; content:"63"; nocase; within:100; pcre:"/^\W/R"; content:"if"; distance:-200; within:200; nocase; pcre:"/^(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?\((?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?(?P<vname>[^\s>=]+)(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?<(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?32\b.{0,200}(?P=vname)(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?\x3d(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?63\b.{1,200}\+=.{0,200}\((?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?(?P=vname)/Rsi"; classtype:exploit-kit; sid:2018171; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DustySky Checkin"; flow:established,to_server; urilen:10; content:"GET"; http_method; content:"/index.php"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"uvnc.com|0d 0a|"; http_header; nocase; content:"Host|3a|"; depth:5; http_header; content:"Connection|3a 20|Keep-Alive"; distance:0; http_header; pcre:"/^Host\x3a[^\r\n]+\r\nConnection\x3a\x20Keep-Alive\r\n(?:\r\n)?$/H"; content:!"Cookie|3a|"; reference:md5,07fd870e4ea8dd6b9503a956b5bb47f3; classtype:trojan-activity; sid:2021918; rev:6; metadata:created_at 2015_10_06, former_category TROJAN, updated_at 2017_03_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Apr 01 2014"; flow:established,to_client; file_data; content:"|3a|stroke id="; content:"|3a|oval>"; content:"(function"; pcre:"/^\s*?\(\s*?\)\s*?{\s*?return\s*?(?:[^\s]+\(\s*?)?[\x22\x27][a-f0-9]{10}/Rs"; content:"(function"; distance:0; pcre:"/^\s*?\(\s*?\)\s*?{\s*?return\s*?(?:[^\s]+\(\s*?)?[\x22\x27][a-f0-9]{10}/Rs"; content:"/*"; pcre:"/^[a-zA-Z0-9]+\*\//R"; content:"/*"; distance:0; pcre:"/^[a-zA-Z0-9]+\*\//R"; content:"/*"; distance:0; pcre:"/^[a-zA-Z0-9]+\*\//R"; classtype:exploit-kit; sid:2018346; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic.KD.291903/Win32.TrojanClicker.Agent.NII Nconfirm Checkin"; flow:to_server,established; content:"/nconfirm.php?rev="; http_uri; content:"&code="; http_uri; content:"&param="; http_uri; content:"&num="; http_uri; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544; classtype:trojan-activity; sid:2014398; rev:4; metadata:created_at 2011_08_04, updated_at 2017_01_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Apr 14 2014"; flow:established,from_server; file_data; content:"Cjw/eG1sIHZlcnNpb249"; content:"^="; content:"eval"; pcre:"/^\W/R"; content:"/*"; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; classtype:bad-unknown; sid:2018387; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_04_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Evil JS Ransomware"; flow:from_server,established; file_data; content:"|5c|u006d|5c|u0065|5c|u0073|5c|u0073|5c|u0061|5c|u0067|5c|u0065"; content:"<html><body|20|bgcolor=|22|#F78181|22|>"; nocase; within:100; content:"Hello.|20|Your|20|UID|3a|"; within:100; content:"|65 76 69 6c 20 72 61 6e 73 6f 6d 77 61 72 65|"; fast_pattern; within:100; content:"|75 6e 69 71 75 65 20 73 74 72 6f 6e 67 65 73 74 20 41 45 53 20 6b 65 79|"; distance:0; content:"|73 65 6e 64 20 6d 65 20 79 6f 75 72 20 55 49 44 20 74 6f|"; distance:0; content:"|4c 69 73 74 20 6f 66 20 65 6e 63 72 79 70 74 65 64 20 66 69 6c 65 73|"; distance:0; reference:md5,b9d81c51c10abd64107edc5e73a26aea; reference:url,www.cert.pl/en/news/single/evil-a-poor-mans-ransomware-in-javascript/; classtype:trojan-activity; sid:2023747; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_18, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2017_01_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Styx/Angler EK SilverLight Exploit 2"; flow:established,from_server; file_data; content:"PK"; within:2; content:"fotosaster.dll"; fast_pattern; content:"AppManifest.xaml"; classtype:exploit-kit; sid:2018498; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ADWARE_PUP Windows executable sent when remote host claims to send an image M3"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| image/png"; pcre:"/^(?:(?!\r?\n\r?\n).)*?\r?\n\r?\nMZ/Rs"; content:"!This program"; distance:0; fast_pattern; classtype:pup-activity; sid:2023750; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2017_12_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (5)"; flow:established,to_client; file_data; content:"|3a 0e a6 51 77 79 53 59|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018509; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Nemucod Downloader Oct 04"; flow:established,to_server; content:"/log.php?f="; http_uri; depth:11; fast_pattern; pcre:"/^\/log\.php\?f=[0-1](?:\.[a-z]+)?$/U"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a 20|"; classtype:trojan-activity; sid:2023318; rev:3; metadata:created_at 2016_10_05, updated_at 2017_01_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (6)"; flow:established,to_client; file_data; content:"|2c 3e c2 32 61 34 6e 68|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018510; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft RDP Client for Mac RCE"; flow:established,to_client; content:"rdp|3a 2f 2f|"; nocase; content:"drivestoredirect"; fast_pattern; nocase; distance:0; content:"rdp|3a 2f 2f|"; nocase; pcre:"/^\S+?drivestoredirect/Ri"; reference:url,www.wearesegment.com/research/Microsoft-Remote-Desktop-Client-for-Mac-Remote-Code-Execution; classtype:attempted-admin; sid:2023755; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_01_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_01_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (7)"; flow:established,to_client; file_data; content:"|0b 28 ff 53 4b 75 39 68|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018511; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_31, deployment Perimeter, former_category TROJAN, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Jan 24"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title> Windows Official Support"; fast_pattern; nocase; content:"This Is A Critical Warning"; nocase; distance:0; classtype:social-engineering; sid:2023757; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_24, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2017_01_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Aug 16 2014"; flow:established,to_client; file_data; content:"0|22 29 3b 0a 0d 0a|</script>"; pcre:"/^\s*?<script>\s*?(?P<func>[A-Za-z0-9]+)\s*?\(\s*?[\x22\x27](?P<var>[^1\x22\x27]+)1[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>\s*?(?P=func)\s*?\(\s*?[\x22\x27](?P=var)2[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>\s*?(?P=func)\s*?\(\s*?[\x22\x27](?P=var)3[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>/Rsi"; classtype:exploit-kit; sid:2018950; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_08_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|j24ojpexpgaorlxj"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2023738; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, tag dupe, updated_at 2017_01_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Encoded Shellcode IE"; flow:established,from_server; file_data; content:"|f1 f4 c2 a2 8b 34 6e 68|"; within:8; classtype:exploit-kit; sid:2018954; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert udp $HOME_NET any -> [$EXTERNAL_NET,!255.255.255.255] 69 (msg:"ET TFTP Outbound TFTP Write Request"; content:"|00 02|"; depth:2; reference:url,doc.emergingthreats.net/2008116; classtype:policy-violation; sid:2008116; rev:4; metadata:created_at 2010_07_30, updated_at 2017_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Encoded Shellcode Silverlight"; flow:established,from_server; file_data; content:"|f1 fc f4 ff 87 6a 66 67|"; within:8; classtype:exploit-kit; sid:2018955; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; file_data; content:"|5C|x0a|5C|x0a|5C|x0a|5C|x0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013267; rev:5; metadata:created_at 2011_07_14, updated_at 2017_01_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Encoded Shellcode Flash"; flow:established,from_server; file_data; content:"|e7 c4 a6 c1 9d 79 53 59|"; within:8; classtype:exploit-kit; sid:2018956; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal"; flow:established,from_server; file_data; content:"mCharCode"; pcre:"/(?P<p>[0-9a-f]{2,4})(?P<sep>[\x2e\x2c\x3b\x3a])(?P<d>(?!(?P=p))[0-9a-f]{2,4})(?P=sep)(?P=p)(?P=sep)(?P=d)(?P=sep)([0-9a-f]{2,4}(?P=sep)){10}(?P<q>(?!((?P=p)|(?P=d)))[0-9a-f]{2,4})(?P=sep)[0-9a-f]{2,4}(?P=sep)(?P<dot>(?!((?P=p)|(?P=d)|(?P=q)))[0-9a-f]{2,4})(?P=sep)[0-9a-f]{2,4}(?P=sep)(?P=dot)(?P=sep)[0-9a-f]{2,4}(?P=sep)(?P=q)/R"; classtype:trojan-activity; sid:2016730; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Encoded Shellcode Java"; flow:established,from_server; file_data; content:"|d6 e2 ff c3 a1 75 39 68|"; within:8; classtype:exploit-kit; sid:2018957; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Find My iPhone Phish (SP) Jan 30 2017"; flow:from_server,established; file_data; content:"<title>Buscar iPhone"; fast_pattern; content:"<div class=|22|icloud"; nocase; distance:0; content:"Buscar iPhone"; nocase; distance:0; content:"<div class=|22|error"; nocase; distance:0; classtype:credential-theft; sid:2023772; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Apr 01 2014"; flow:established,to_client; content:"Expires|3a| Sat, 26 Jul 1997 05|3a|00|3a|00 GMT|0d 0a|Last-Modified|3a| Sat, 26 Jul 2040 05|3a|00|3a|00 GMT|0d 0a|"; fast_pattern:55,20; http_header; classtype:exploit-kit; sid:2019224; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M1 Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"cusd="; depth:5; nocase; http_client_body; content:"&tbNickname="; nocase; distance:0; http_client_body; fast_pattern; content:"&ddCIF="; nocase; distance:0; http_client_body; content:"&Go="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023773; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Oct 22 2014"; flow:established,from_server; content:"Expires|3a| Sat, 26 Jul"; http_header; content:"Last-Modified|3a| Sat, 26 Jul 2040 05|3a|00"; http_header; fast_pattern:15,20; classtype:exploit-kit; sid:2019488; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2020_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M2 Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?SecureToken="; http_header; content:"&fill="; http_header; distance:0; content:"PIN="; depth:4; nocase; http_client_body; fast_pattern; content:"&Go="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023774; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Oct 22 2014"; flow:established,from_server; file_data; content:".join(|22 22|)|3b 3b|"; pcre:"/^\s*?\n\s*?(?P<func>[^\x28\r\n\s]+)\s*?\(\s*?(?P<var>[^\+\x29]+)\+[^\r\n]+\r?\n\s*?<\/script>\s+<script>\s+(?P=func)\s*?\x28\s*?(?P=var)\+[^\r\n]+\r?\n\s*?<\/script>\s+<script>\s+(?P=func)\s*?\x28\s*?(?P=var)\+/Rs"; classtype:exploit-kit; sid:2019489; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DustySky PoisonIvy CnC Beacon"; flow:established,to_server; dsize:48; content:"|75 f0 01 ef 23 bf db 30 19 9f 56 74 01 f7 30 a0|"; offset:16; depth:16; reference:md5,2cd8c27bdc88ebba3e36114a1b55cef6; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:command-and-control; sid:2023812; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family DustSky_related_Implant, signature_severity Major, tag c2, updated_at 2017_01_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Flash Exploit URI Struct"; flow:established,to_server; urilen:65; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^\/[a-z0-9\x2d\x5f]{62}(?:(?:[a-z0-9\x2d\x5f]|=)=|[a-z0-9\x2d\x5f]{2})$/Ui"; classtype:exploit-kit; sid:2019513; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DustySky QuasarRAT CnC Beacon"; flow:established,from_server; content:"|10 00 00 00 99 9a c7 b8|"; depth:8; reference:md5,a19d4ff89a3f699a6f8237a7905e80e1; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:command-and-control; sid:2023813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family DustSky_related_Implant, signature_severity Major, tag c2, updated_at 2017_01_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Java Exploit URI Struct"; flow:established,to_server; urilen:65; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/^\/[a-z0-9\x2d\x5f]{62}(?:(?:[a-z0-9\x2d\x5f]|=)=|[a-z0-9\x2d\x5f]{2})$/Ui"; classtype:exploit-kit; sid:2019514; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FAKEIE 11.0 Minimal Headers (flowbit set)"; flow:to_server,established; content:" rv|3a|11.0"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^User-Agent\x3a[^\r\n]+rv\x3a11\.0[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/H"; flowbits:set,FakeIEMinimal; flowbits:noalert; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019343; rev:3; metadata:created_at 2014_10_03, updated_at 2017_02_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (1)"; flow:established,to_client; file_data; content:"|0e c7 9d 28 8c cb ae 85|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019893; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable and linking format (ELF) file download Over HTTP"; flow:established; flowbits:isnotset,ET.ELFDownload; file_data; content:"|7F|ELF"; within:4; flowbits:set,ET.ELFDownload; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000418; classtype:policy-violation; sid:2019240; rev:14; metadata:created_at 2014_09_25, updated_at 2017_02_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (2)"; flow:established,to_client; file_data; content:"|69 b8 3c 09 08 6c b1 4c|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019968; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sogou.com Spyware User-Agent (SogouIMEMiniSetup)"; flow:established,to_server; content:"User-Agent|3a| SogouIME"; http_header; reference:url,doc.emergingthreats.net/2008500; classtype:pup-activity; sid:2008500; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2017_04_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (3)"; flow:established,to_client; file_data; content:"|28 46 c5 83 df ef a3 2a|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019969; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to Hamas Terrorist Propaganda TV Channel (aqsatv .ps)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|aqsatv|02|ps|00|"; nocase; distance:0; fast_pattern; classtype:policy-violation; sid:2023873; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_02_06, cve url_nctc_gov_site_groups_hamas_html, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (4)"; flow:established,to_client; file_data; content:"|41 ad 58 53 4c 7f 25 9e|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019992; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp any 445 -> $HOME_NET any (msg:"ET DOS SMB Tree_Connect Stack Overflow Attempt (CVE-2017-0016)"; flow:from_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|03 00|"; distance:8; within:2; byte_test:1,&,1,2,relative; byte_jump:2,8,little,from_beginning; byte_jump:2,4,relative,little; isdataat:1000,relative; content:!"|FE|SMB"; within:1000; reference:cve,2017-0016; classtype:attempted-dos; sid:2023832; rev:3; metadata:affected_product SMBv3, attack_target Client_and_Server, created_at 2017_02_03, deployment Datacenter, signature_severity Major, updated_at 2017_02_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (5)"; flow:established,to_client; file_data; content:"|b8 67 f0 44 43 1e fe 5b|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019993; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Mobile Phish M1 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"iden="; depth:5; nocase; http_client_body; content:"&AG="; nocase; distance:0; http_client_body; content:"&CC="; nocase; distance:0; http_client_body; content:"&CCDIG="; nocase; distance:0; http_client_body; content:"&PASSNET="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023890; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_02_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Dec 24 2014"; flow:established,from_server; content:"Expires|3a| Sat, 26 Jul"; http_header; content:"Last-Modified|3a| Sat, 26 Jul 2039 "; http_header; fast_pattern:12,20; classtype:exploit-kit; sid:2020068; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Mobile Phish M2 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"DDD="; depth:4; nocase; http_client_body; content:"&CELLULAR="; nocase; distance:0; http_client_body; fast_pattern; content:"&SDESEIS="; nocase; distance:0; http_client_body; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023891; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_02_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (6)"; flow:established,to_client; file_data; content:"|82 67 9f c3 f1 71 70 fc|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020071; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO MP4 in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"|66 74 79 70 6D|"; offset:4; depth:5; content:"mp4"; within:12; flowbits:set,ET.mp4.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023713; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_01_10, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_02_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (7)"; flow:established,to_client; file_data; content:"|04 6e 76 82 2e 2c 2c 48|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020072; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO MP4 in HTTP Flowbit Set M2"; flow:from_server,established; file_data; content:"|66 74 79 70 69 73 6f 6d|"; offset:4; depth:8; flowbits:set,ET.mp4.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023892; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_02_10, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_02_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (8)"; flow:established,to_client; file_data; content:"|31 90 49 ae c8 2b 73 75|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020204; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Ticketbleed Client Hello (CVE-2016-9244)"; flow:established,from_client; content:"|16 03|"; depth:2; content:"|01|"; distance:3; within:1; content:"|03 03|"; distance:3; within:2; byte_test:1,<,32,32,relative; byte_test:1,>,1,32,relative; flowbits:set,ET.ticketbleed; flowbits:noalert; reference:cve,2016-9244; reference:url,filippo.io/Ticketbleed; classtype:misc-attack; sid:2023896; rev:3; metadata:affected_product HTTP_Server, attack_target Server, created_at 2017_02_10, deployment Datacenter, performance_impact Moderate, signature_severity Major, updated_at 2017_02_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (9)"; flow:established,to_client; file_data; content:"|0b c7 6a 1e 7c c2 43 ea|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020225; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Ticketbleed Server Hello (CVE-2016-9244)"; flow:established,to_client; content:"|16 03|"; depth:2; content:"|02|"; distance:3; within:1; content:"|03 03|"; distance:3; within:2; content:"|20|"; distance:32; within:1; flowbits:isset,ET.ticketbleed; reference:url,filippo.io/Ticketbleed; reference:cve,2016-9244; classtype:misc-attack; sid:2023897; rev:3; metadata:affected_product HTTP_Server, attack_target Server, created_at 2017_02_10, deployment Datacenter, performance_impact Moderate, signature_severity Major, updated_at 2017_02_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Flash Exploit URI Structure Jan 21 2015"; flow:established,to_server; urilen:>48; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^\/(?:[A-Za-z0-9-_]{4}){11,}(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=)?$/U"; pcre:"/^Referer\x3a[^\r\n]+\/(?:[a-z0-9]+\.php|\d+)\r$/Hm"; classtype:exploit-kit; sid:2020234; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO MP4 in HTTP Flowbit Set M3"; flow:from_server,established; file_data; content:"|66 74 79 70 71 74 20 20|"; offset:4; depth:8; flowbits:set,ET.mp4.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023900; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_02_14, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_02_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Feb 04 2015"; flow:established,from_server; content:"26 Jul 2039"; http_header; fast_pattern:only; content:"Expires|3a| Sat, 26 Jul"; http_header; pcre:"/Last-Modified\x3a\x20[A-Z][a-z]+, 26 Jul 2039/H"; classtype:exploit-kit; sid:2020355; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Craigslist Phishing Domain Feb 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"craigslist.org"; http_header; fast_pattern; content:!"craigslist.org|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+craigslist\.org[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023881; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, signature_severity Major, tag Phishing, tag dupe, updated_at 2017_02_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Feb 04 2015 M2"; flow:established,from_server; content:"26 Jul 2040"; http_header; fast_pattern:only; content:"Expires|3a| Sat, 26 Jul"; http_header; pcre:"/Last-Modified\x3a\x20[A-Z][a-z]+, 26 Jul 2040/H"; classtype:exploit-kit; sid:2020356; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Malware CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|publicstats.tk"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023529; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag dupe, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Primer Feb 04 2014 (noalert)"; flow:established,from_server; file_data; content:"Elinor"; pcre:"/^\W/R"; flowbits:set,ET.Angler.Primer; flowbits:noalert; classtype:exploit-kit; sid:2020365; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET busybox MEMES Hackers - Possible Brute Force Attack"; flow:to_server,established; content:"MEMES"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023901; rev:1; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_02_14, deployment Perimeter, malware_family Mirai, performance_impact Moderate, signature_severity Major, updated_at 2017_02_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Primer Feb 04 2014 (noalert)"; flow:established,from_server; file_data; content:"Dashwood"; pcre:"/^\W/R"; flowbits:set,ET.Angler.Primer; flowbits:noalert; classtype:exploit-kit; sid:2020366; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 1"; flow:established,from_server; content:"|55 04 03|"; content:"|14|giftshop.mefound.com"; distance:1; within:21; classtype:domain-c2; sid:2023902; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Feb 04 2014 T1"; flow:established,from_server; flowbits:isset,ET.Angler.Primer; file_data; content:"|76 61 72 20 6b 3d 30 3b 20 6b 3c 31 3b 6b 2b 2b 29 7b 3b 7d 7d|"; classtype:exploit-kit; sid:2020367; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 2"; flow:established,from_server; content:"|55 04 03|"; content:"|14|estimate.mefound.com"; distance:1; within:21; classtype:domain-c2; sid:2023903; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (11)"; flow:established,to_client; file_data; content:"|c1 e4 07 2f 13 ad 23 2e|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020387; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 3"; flow:established,from_server; content:"|55 04 03|"; content:"|16|tradeboard.mefound.com"; distance:1; within:23; classtype:domain-c2; sid:2023904; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Post-infection HTTP Request Feb 20 2015"; flow:established,to_server; urilen:13; content:"GET"; http_method; content:"?"; http_uri; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; fast_pattern:2,20; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^\/[a-z]{3}\?[A-F0-9]{8}$/U"; classtype:exploit-kit; sid:2020496; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 4"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|referenceblog.ignorelist.com"; distance:1; within:29; classtype:domain-c2; sid:2023905; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (12)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020591; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 5"; flow:established,from_server; content:"|07|Makeups"; content:"|55 04 03|"; distance:0; content:"|12|www.ignorelist.com"; distance:1; within:19; classtype:domain-c2; sid:2023906; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (13)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020592; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 6"; flow:established,from_server; content:"|55 04 03|"; content:"|15|latest.ignorelist.com"; distance:1; within:22; classtype:domain-c2; sid:2023907; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (14)"; flow:established,to_client; file_data; content:"|c5 91 b0 40 ed d9 90 e2|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020593; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 7"; flow:established,from_server; content:"|55 04 03|"; content:"|15|tipnews.longmusic.com"; distance:1; within:22; classtype:domain-c2; sid:2023908; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (15)"; flow:established,to_client; file_data; content:"|c5 91 b0 40 ed d9 90 e2|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020594; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_1_1)"; flow:established,to_server; content:"IUgyYll"; content:"t"; within:3; content:"L"; within:3; content:"l"; within:3; content:"N"; within:3; content:"3"; within:3; content:"Q"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023918; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (16)"; flow:established,to_client; file_data; content:"|71 37 53 d7 19 3c 44 ac|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020595; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_1_2)"; flow:established,to_server; content:"I"; content:"U"; within:3; content:"g"; within:3; content:"y"; within:3; content:"Y"; within:3; content:"l"; within:3; content:"ltLlN3Q"; within:9; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023919; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (17)"; flow:established,to_client; file_data; content:"|71 37 53 d7 19 3c 44 ac|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020596; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_2_1)"; flow:established,to_server; content:"FIMmJZ"; content:"b"; within:3; content:"S"; within:3; content:"5"; within:3; content:"T"; within:3; content:"d"; within:3; content:"0"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023920; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (18)"; flow:established,to_client; file_data; content:"|ff be d1 79 e8 64 54 d1|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020597; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_2_2)"; flow:established,to_server; content:"F"; content:"I"; within:3; content:"M"; within:3; content:"m"; within:3; content:"J"; within:3; content:"Z"; within:3; content:"bS5Td0"; within:8; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023921; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (19)"; flow:established,to_client; file_data; content:"|ff be d1 79 e8 64 54 d1|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020598; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_3_1)"; flow:established,to_server; content:"hSDJiWW"; content:"0"; within:3; content:"u"; within:3; content:"U"; within:3; content:"3"; within:3; content:"d"; within:3; content:"A"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (20)"; flow:established,to_client; file_data; content:"|64 4e 63 0d 03 30 d6 a5|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020599; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_3_2)"; flow:established,to_server; content:"h"; content:"S"; within:3; content:"D"; within:3; content:"J"; within:3; content:"i"; within:3; content:"W"; within:3; content:"W0uU3dA"; within:9; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (21)"; flow:established,to_client; file_data; content:"|64 4e 63 0d 03 30 d6 a5|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020600; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_1_1)"; flow:established,to_server; content:"QDM0Zlo"; content:"3"; within:3; content:"R"; within:3; content:"V"; within:3; content:"t"; within:3; content:"w"; within:3; content:"X"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (22)"; flow:established,to_client; file_data; content:"|c5 91 b0 40 ed d9 90 e2|"; distance:1728; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020730; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_1_2)"; flow:established,to_server; content:"Q"; content:"D"; within:3; content:"M"; within:3; content:"0"; within:3; content:"Z"; within:3; content:"l"; within:3; content:"o3RVtwX"; within:9; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (23)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:1728; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021059; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_2_1)"; flow:established,to_server; content:"AzNGZa"; content:"N"; within:3; content:"0"; within:3; content:"V"; within:3; content:"b"; within:3; content:"c"; within:3; content:"F"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023926; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (24)"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021126; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_2_2)"; flow:established,to_server; content:"A"; content:"z"; within:3; content:"N"; within:3; content:"G"; within:3; content:"Z"; within:3; content:"a"; within:3; content:"N0VbcF"; within:8; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023927; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (25)"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021127; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_3_1)"; flow:established,to_server; content:"AMzRmWj"; content:"d"; within:3; content:"F"; within:3; content:"W"; within:3; content:"3"; within:3; content:"B"; within:3; content:"c"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023928; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Exploit URI Struct May 28 2015 M1"; flow:to_server,established; urilen:>51; content:"."; http_uri; offset:49; depth:1; content:!"/"; http_uri; offset:1; pcre:"/^\/(?=[a-z0-9_-]{0,47}?[A-Z][a-z0-9_-]{0,46}?[A-Z])(?=[A-Z0-9_-]{0,47}?[a-z][A-Z0-9_-]{0,46}?[a-z])(?=[A-Za-z_-]{0,47}?[0-9][A-Za-z_-]{0,46}?[0-9])[A-Za-z0-9_-]{48}\.[a-z]{2,25}\d?\??/U"; pcre:"/^Referer\x3a\x20http\x3a\x2f\x2f?[^\x2f]+\/[a-z]{3,20}((?P<sep>[_-]?)[a-z]{3,20}(?P=sep)(?:[a-z]{3,20}(?P=sep))?)?[a-z]{3,20}\/\d{10,20}(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,AnglerEK.Struct; classtype:exploit-kit; sid:2021157; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_3_2)"; flow:established,to_server; content:"A"; content:"M"; within:3; content:"z"; within:3; content:"R"; within:3; content:"m"; within:3; content:"W"; within:3; content:"jdFW3Bc"; within:10; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023929; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 11"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; pcre:"/^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?:(?P=refhost)|www\.))/Hsi"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021248; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET MALWARE MAGICHOUND.MPK Activity via IRC"; flow:established,to_server; content:"PRIVMSG mpk|20 3a|"; content:"!MpkPing|20|<<mpk>>"; fast_pattern; distance:0; pcre:"/^\d{5}/R"; content:"<<mpk>>|20|<<mpk>>"; distance:0; pcre:"/^\d/R"; content:"<<mpk>>"; distance:0; reference:md5,ece5b62a4ed4e88dab4f1b5451f54794; classtype:trojan-activity; sid:2023940; rev:2; metadata:created_at 2015_10_14, cve url_researchcenter_paloaltonetworks_com_2017_02_unit42_magic_hound_campaign_attacks_saudi_targets_, updated_at 2017_02_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 11 M2"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; pcre:"/^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$/U"; pcre:"/Host\x3a\x20(?!www\.)(?P<refhost>[^\x3a\r\n]+).*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?!(?P=refhost))/Hsi"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021266; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Malicious PowerSploit PowerShell Script Observed over HTTP"; flow:established,from_server; file_data; content:"CmdletBinding()"; content:"$DoNotZeroMZ"; distance:0; fast_pattern; reference:url,github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1; classtype:trojan-activity; sid:2023947; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, updated_at 2017_02_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 11 M3"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; pcre:"/^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$/U"; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20(?!www\.)[^\x2e]+(?:\.[^\x2e\r\n]+){2,}\r$/Hmi"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021267; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely MAGICHOUND.FETCH Receiving PowerSploit PowerShell over HTTP"; flow:established,from_server; content:"$PEBytes"; content:"$PEBytes0=|22|TV"; distance:0; fast_pattern; reference:url,github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1; classtype:trojan-activity; sid:2023949; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND_FETCH, signature_severity Major, updated_at 2017_02_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 15"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; pcre:"/^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?:(?P=refhost)|www\.))/Hsi"; content:!"|2e 73 70 6f 72 74 73 61 75 74 68 6f 72 69 74 79 2e 63 6f 6d 0d 0a|"; http_header; content:!"Cookie|3a 20|"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021269; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE MAGICHOUND.FETCH SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|16|service.chrome-up.date"; distance:1; within:27; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023952; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND_related, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 15 M2"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; pcre:"/^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$/U"; pcre:"/Host\x3a\x20(?!www\.)(?P<refhost>[^\x3a\r\n]+).*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?!(?P=refhost))/Hsi"; flowbits:set,AnglerEK; content:!"|2e 73 70 6f 72 74 73 61 75 74 68 6f 72 69 74 79 2e 63 6f 6d 0d 0a|"; http_header; content:!"|2e 72 65 73 75 6c 74 73 70 61 67 65 2e 63 6f 6d 0d 0a|"; http_header; classtype:exploit-kit; sid:2021270; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MAGICHOUND.LEASH IRC CnC Beacon"; flow:established,to_server; content:"USER AS_a # # |3a|des|0d 0a|"; depth:20; reference:md5,3c8a142d2e3b84fb0d210250af77cc9b; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:command-and-control; sid:2023963; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family MAGICHOUND_LEASH, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 15 M3"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; pcre:"/^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$/U"; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20(?!www\.)[^\x2e]+(?:\.[^\x2e\r\n]+){2,}(?:\x3a\d{1,5})?\r$/Hmi"; content:!"|2e 73 70 6f 72 74 73 61 75 74 68 6f 72 69 74 79 2e 63 6f 6d 0d 0a|"; http_header; content:!"Cookie|3a 20|"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021271; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iCloud (CN) Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"Host|3a 20 31 31 32 32 33 33 68 74 2e 70 77|"; fast_pattern:only; classtype:credential-theft; sid:2024000; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (16) M2"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; within:2048; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021280; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful California Bank & Trust Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"AccountNo="; depth:10; nocase; http_client_body; fast_pattern; content:"&token="; nocase; distance:0; http_client_body; content:"&check=Login"; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024001; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_02_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (11) M2"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; within:2048; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021281; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Shared Document Phishing Landing Feb 21 2017"; flow:from_server,established; file_data; content:"<title>Dropbox"; nocase; fast_pattern; content:"openOffersDialog"; nocase; distance:0; classtype:social-engineering; sid:2025688; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (26)"; flow:established,from_server; file_data; content:"|51 CB 7B FC 19 9B 77 FB|"; distance:40; within:8; classtype:exploit-kit; sid:2021360; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET !3389 (msg:"ET SCAN MS Terminal Server Traffic on Non-standard Port"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash="; fast_pattern; classtype:attempted-recon; sid:2023753; rev:2; metadata:affected_product Microsoft_Terminal_Server_RDP, attack_target Server, created_at 2017_01_23, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_02_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (27)"; flow:established,from_server; file_data; content:"|51 CB 7B FC 19 9B 77 FB|"; distance:1424; within:8; classtype:exploit-kit; sid:2021361; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M1 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; http_client_body; content:"&CHKCLICK="; nocase; distance:0; http_client_body; content:"&NNAME="; nocase; distance:0; http_client_body; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&K1="; nocase; distance:0; http_client_body; content:"&Q1="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024011; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (28)"; flow:established,from_server; file_data; content:"|EB BD 89 F5 C0 3B 7A 3E|"; distance:42; within:8; classtype:exploit-kit; sid:2021509; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M2 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; content:"&cardSelected="; nocase; distance:0; http_client_body; content:"&rbcCardNumber="; nocase; distance:0; http_client_body; fast_pattern; content:"&twoDigitIssueNumber="; nocase; distance:0; http_client_body; content:"&atmpin="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024012; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (29)"; flow:established,from_server; file_data; content:"|EB BD 89 F5 C0 3B 7A 3E|"; distance:746; within:8; classtype:exploit-kit; sid:2021510; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M3 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; fast_pattern; content:"&fullname="; nocase; distance:0; http_client_body; content:"&dob="; nocase; distance:0; http_client_body; content:"&ssn="; nocase; distance:0; http_client_body; content:"&mmn="; nocase; distance:0; http_client_body; content:"&dl="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024013; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Angler EK Redirector Sept 25 2015"; flow:to_client,established; file_data; content:"<body>"; pcre:"/^(?:(?!<\/body).)+?Content\s*?loading.*?Please wait.*?<iframe/Rsi"; content:"Content loading"; nocase; content:"Please wait"; nocase; distance:0; content:"<iframe s1=|22|off|22|"; fast_pattern; distance:0; content:"mask=true"; distance:0; classtype:exploit-kit; sid:2021840; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M4 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; fast_pattern; content:"&sq1="; nocase; distance:0; http_client_body; content:"&sq1a="; nocase; distance:0; http_client_body; content:"&sq2="; nocase; distance:0; http_client_body; content:"&sq2a="; nocase; distance:0; http_client_body; content:"&sq3="; nocase; distance:0; http_client_body; content:"&sq3a="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024014; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (1)"; flow:established,to_client; file_data; content:"|d8 57 45 e6 17 f8 ec bb|"; distance:4; within:8; classtype:exploit-kit; sid:2021970; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Redirect M2 Feb 24 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; file_data; content:"<meta http-equiv="; nocase; within:50; content:"refresh"; nocase; distance:1; within:7; content:"/webapps/"; nocase; distance:0; content:"/websrc"; distance:5; within:7; fast_pattern; classtype:social-engineering; sid:2024017; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, tag Phishing, updated_at 2017_02_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (2)"; flow:established,to_client; file_data; content:"|d5 88 7d dc 8a 95 4b be|"; distance:4; within:8; classtype:exploit-kit; sid:2021971; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Feb 26 2016"; flow:established,from_server; file_data; content:"|3d 20 28 2f 2a 67 66 2a 2f 22 73 5c 78 37 35 62 73 22 29 2b 2f 2a 67 66 2a 2f 22 74 72 22 3b|"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2024021; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2017_02_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (3)"; flow:established,to_client; file_data; content:"|08 42 7d|"; distance:4; within:3; pcre:"/^(?:\x4c|\x35)/R"; classtype:exploit-kit; sid:2021972; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing Feb 27 2017"; flow:from_server,established; file_data; content:"<title>Dropbox"; nocase; fast_pattern; content:"app.png"; nocase; distance:0; content:"live.png"; nocase; distance:0; content:"off.png"; nocase; distance:0; classtype:social-engineering; sid:2025689; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (4)"; flow:established,to_client; file_data; content:"|05 9d 45|"; distance:4; within:4; pcre:"/^(?:\x76|\x0f)/R"; classtype:exploit-kit; sid:2021973; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5500 (msg:"ET HUNTING Suspicious VNC Remote Admin Request"; flow:to_server,established; content:"|49 44 3a|"; depth:3; content:"temp"; nocase; fast_pattern; distance:0; content:"|52 46 42 20 30 30 33 2e 30 30 38 0a|"; distance:0; reference:md5,2faf3040e8286d506144a0585d8f4162; classtype:trojan-activity; sid:2024029; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_01, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2017_03_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (5)"; flow:established,to_client; file_data; content:"|91 29 83 25 66 1e be fb|"; distance:4; within:8; classtype:exploit-kit; sid:2021989; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Tags Remote Code Execution Attempt"; flow:established,to_client; content:"table"; nocase; content:"position|3A|absolute"; nocase; within:30; content:"clip|3A|rect"; fast_pattern; nocase; within:15; reference:bid,44536; reference:cve,2010-3962; classtype:attempted-user; sid:2011891; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_11_05, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_03_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (6)"; flow:established,to_client; file_data; content:"|57 05 11 53 6c d2 02 f9|"; distance:4; within:8; classtype:exploit-kit; sid:2021990; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tcp any any -> any [139,445] (msg:"ET INFO Potentially unsafe SMBv1 protocol in use"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; content:!"r"; within:1; threshold: type limit, count 1, track by_src, seconds 1200; reference:url,www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices; reference:url,blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/; classtype:not-suspicious; sid:2023997; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2017_03_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ecessa WANWorx WVR-30 Cross-Site Request Forgery"; flow:from_server,established; file_data; content:"method"; nocase; content:"POST"; content:"user_username"; content:"user_passwd"; content:"checked"; content:"savecrtcfg"; fast_pattern; classtype:web-application-attack; sid:2025737; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2018_07_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Microsoft-Edge protocol in use (Observed in Magnitude EK)"; flow:established,to_client; file_data; content:"microsoft-edge|3a|http"; nocase; fast_pattern; byte_test:1,>,0x21,-20,relative; byte_test:1,<,0x28,-20,relative; byte_test:1,!=,0x23,-20,relative; byte_test:1,!=,0x24,-20,relative; byte_test:1,!=,0x25,-20,relative; byte_test:1,!=,0x26,-20,relative; content:"location"; nocase; content:"iframe"; nocase; content:"contentWindow"; nocase; reference:url,www.brokenbrowser.com/abusing-of-protocols/; classtype:exploit-kit; sid:2024030; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_03_06, former_category WEB_CLIENT, malware_family BrokenBrowser, signature_severity Major, updated_at 2017_03_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Intex Router N-150 Cross-Site Request Forgery"; flow:from_server,established; file_data; content:"method"; nocase; content:"POST"; content:"PPW"; content:"submit"; content:"SSID"; content:"isp"; content:"WAN"; content:"wirelesspassword"; fast_pattern; content:"name"; content:"value"; classtype:web-application-attack; sid:2025739; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Local file read using read protocol"; flow:established,to_client; file_data; content:"read|3a|"; nocase; fast_pattern; byte_test:1,>,0x21,-6,relative; byte_test:1,<,0x28,-6,relative; byte_test:1,!=,0x23,-6,relative; byte_test:1,!=,0x24,-6,relative; byte_test:1,!=,0x25,-6,relative; byte_test:1,!=,0x26,-6,relative; pcre:"/^\s*,\s*[a-zA-Z]\x3a[\x2f\x5c]/Ri"; reference:url,www.brokenbrowser.com/abusing-of-protocols/; classtype:misc-activity; sid:2024031; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_03_06, former_category WEB_CLIENT, malware_family BrokenBrowser, signature_severity Major, updated_at 2017_03_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Docusign Phishing Landing 2018-05-01"; flow:established,to_client; file_data; content:"<title> DocuSlgn </title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025551; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_06_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Vanguard Phish Mar 06 2017"; flow:to_server,established; content:"POST"; http_method; content:"dmform-0="; depth:9; nocase; http_client_body; content:"&label-dmform-0=User+name"; nocase; distance:0; http_client_body; content:"&label-dmform-1=Password"; nocase; distance:0; http_client_body; content:"&label-dmform-8=Account+Email"; nocase; distance:0; http_client_body; content:"&label-dmform-9=Password"; nocase; distance:0; http_client_body; content:"&dmformsubject=Vang"; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024032; rev:2; metadata:created_at 2017_03_06, former_category PHISHING, updated_at 2019_09_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] Wells Fargo Phishing Landing 2018-06-20"; flow:established,to_client; file_data; content:"<title>Wells Fargo |3a| Banking|2c|"; nocase; fast_pattern; content:"content=|22|WELLS FARGO BANK|22|"; nocase; distance:0; classtype:social-engineering; sid:2025624; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_06_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible MacOSX HelpViewer 10.12.1 XSS Arbitrary File Execution and Arbitrary File Read (CVE-2017-2361)"; flow:established,from_server; file_data; content:"%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f"; content:"javascript%253aeval"; fast_pattern; content:"help|3a 2f 2f|"; pcre:"/document\s*\.\s*location\s*?\x3d\s*?[\x27\x22]help\x3a\/\/\/[^\x3b]+?\%25252f\.\.\%25252f\.\.\%25252f\.\.\%25252f/"; reference:url,exploit-db.com/exploits/41443/; classtype:attempted-user; sid:2024034; rev:2; metadata:affected_product Mac_OSX, affected_product Safari, attack_target Client_Endpoint, created_at 2017_03_08, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2017_03_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] OneDrive Phishing Landing 2018-06-15"; flow:established,to_client; file_data; content:"<title>One Drive Cloud Document Sharing"; nocase; fast_pattern; content:"Select with email provider below"; nocase; distance:0; content:"Login with Office 365"; nocase; distance:0; classtype:social-engineering; sid:2025625; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_06_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 15 M3"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; pcre:"/^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$/U"; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20(?!www\.)[^\x2e]+(?:\.[^\x2e\r\n]+){2,}(?:\x3a\d{1,5})?\r$/Hmi"; content:!"|2e 73 70 6f 72 74 73 61 75 74 68 6f 72 69 74 79 2e 63 6f 6d 0d 0a|"; http_header; content:!"Cookie|3a 20|"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021271; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Palevo (OUTBOUND)"; dsize:21; content:"|18|"; depth:1; content:"|80 00 00|"; reference:md5,119ee859144111dbc5419f4d5fd9b6b1; reference:md5,095d76e0bc48361b40d717b238f11501; reference:md5,5f1296995c7ccba13c0c0655baf03a3a; classtype:trojan-activity; sid:2013236; rev:3; metadata:created_at 2011_07_09, former_category TROJAN, updated_at 2018_06_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 15 M2"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; pcre:"/^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$/U"; pcre:"/Host\x3a\x20(?!www\.)(?P<refhost>[^\x3a\r\n]+).*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?!(?P=refhost))/Hsi"; flowbits:set,AnglerEK; content:!"|2e 73 70 6f 72 74 73 61 75 74 68 6f 72 69 74 79 2e 63 6f 6d 0d 0a|"; http_header; content:!"|2e 72 65 73 75 6c 74 73 70 61 67 65 2e 63 6f 6d 0d 0a|"; http_header; classtype:exploit-kit; sid:2021270; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert udp any 67 -> any 68 (msg:"ET EXPLOIT DynoRoot DHCP - Client Command Injection"; content:"|02|"; depth:1; content:"|35 01 05 fc|"; distance:0; content:"|2f|bin|2f|sh"; fast_pattern; distance:0; reference:url,exploit-db.com/exploits/44652/; reference:cve,2018-1111; classtype:attempted-admin; sid:2025765; rev:2; metadata:attack_target Networking_Equipment, created_at 2018_06_29, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Atadommoc.C - HTTP CnC"; flow:established,to_server; content:"POST"; http_method; content:"rxT"; http_client_body; depth:3; classtype:command-and-control; sid:2015581; rev:2; metadata:created_at 2012_08_07, former_category TROJAN, updated_at 2018_05_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"ET EXPLOIT CloudMe Sync Buffer Overflow"; flow:established,to_server; content:"|fe e7 d1 61 a8 98 03 69 10 06 e7 6f 6f 0a c4 61 5a ea c8 68 e1 52 d6 68 a2 7c fa 68 ff fd ff ff|"; fast_pattern; distance:0; content:"|92 70 b4 6e 47 27 d5 68 ff ff ff ff bc 48 f9 68|"; distance:0; content:"|3c 06 f8 68 72 a4 f9 68 c0 ff ff ff 92 70 b4 6e|"; distance:0; content:"|ab 57 f0 61 a3 ef b5 6e  d1 14 dc 61 0c ed b4 64 45 62 ba 61|"; distance:0; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; distance:0; reference:url,exploit-db.com/exploits/44784/; reference:cve,2018-6892; classtype:attempted-admin; sid:2025766; rev:2; metadata:attack_target Server, created_at 2018_06_29, cve CVE_2018_6892, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Icoo CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/tUrl.xml?num="; http_uri; fast_pattern:only; content:"Accept-Language|3A| de-at"; http_header; reference:md5,1d2ddece4cd5cff3658c59e20d40dd8b; classtype:command-and-control; sid:2015019; rev:2; metadata:created_at 2012_07_04, former_category MALWARE, updated_at 2012_07_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS DAMICMS Cross-Site Request Forgery (Add Admin)"; flow:from_server,established; file_data; content:"history.pushState"; content:"/admin.php?s=/Admin/doadd|22| method=|22|POST|22|>"; nocase; fast_pattern; content:"name=|22|username|22|"; content:"name=|22|password|22|"; reference:url,exploit-db.com/exploits/44960/; classtype:web-application-attack; sid:2025771; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_02, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Gimemo/Aldibot CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"ukashcode="; http_client_body; depth:10; content:"&euro="; http_client_body; distance:0; content:"&submitukash="; http_client_body; distance:0; reference:url,www.evild3ad.com/?p=1693; classtype:command-and-control; sid:2014864; rev:2; metadata:created_at 2012_06_06, former_category MALWARE, updated_at 2012_06_06;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FTPShell client Stack Buffer Overflow"; flow:established,from_server; content:"220|20 22|"; isdataat:400,relative; content:!"|00|"; within:400; content:!"|22|"; within:400; content:!"|0b|"; within:400; content:!"|0a|"; within:400; content:!"|0d|"; within:400; content:"|ed 2e 45 22 20|"; fast_pattern; distance:400; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-7573; reference:url,exploit-db.com/exploits/44968/; classtype:attempted-user; sid:2025779; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SubmitToTDWTF.asmx DailyWTF Potential Source Code Leakage"; flow:established,to_server; content:"/SubmitWTF.asmx"; http_uri; content:"codeSubmission"; reference:url,thedailywtf.com/Articles/Submit-WTF-Code-Directly-From-Your-IDE.aspx; reference:url,code.google.com/p/submittotdwtf/source/browse/trunk/; classtype:policy-violation; sid:2011871; rev:2; metadata:created_at 2010_10_29, former_category POLICY, updated_at 2010_10_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ModSecurity 3.0.0 Cross-Site Scripting"; flow:established,from_server; file_data; content:"onError"; content:"prompt"; fast_pattern; content:"img"; pcre:"/^\s*((?!>).)+?\s*src\s*=\s*[\x22\x27]\s*[^\x27\x28]+?[\x22\x27]\s*onError\s*=\s*prompt\s*\x28\s*[^)]*?(?:document|s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Rsi"; reference:cve,2018-13065; reference:url,exploit-db.com/exploits/44970/; classtype:attempted-user; sid:2025781; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Critical, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shiz/Rohimafo Binary Download Request"; flow:established,to_server; content:".php?id="; nocase; http_uri; content:"&magic="; http_uri; nocase; fast_pattern; pcre:"/\.php\?id=\d+&magic=(-)?\d+$/U"; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:url,doc.emergingthreats.net/2010793; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:trojan-activity; sid:2011769; rev:6; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET EXPLOIT Oracle Weblogic Server Deserialization Remote Command Execution"; flow:established,to_server; content:"java.rmi.registry.Registry"; fast_pattern; content:"java.lang.reflect.Proxy"; content:"java.rmi.server.RemoteObjectInvocationHandler"; content:"UnicastRef"; reference:url,exploit-db.com/exploits/44553/; reference:cve,2018-2628; classtype:attempted-user; sid:2025788; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_05, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; byte_test:3,<,1200,0,relative; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+|[a-z](?:\.[A-Za-z]){1,3})\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,13,1,relative; content:!"www."; distance:2; within:4; pcre:"/^.{2}(?P<CN>(?:(?:\d?[A-Z]?|[A-Z]?\d?)(?:[a-z]{3,20}|[a-z]{3,6}[0-9_][a-z]{3,6})\.){0,2}?(?:\d?[A-Z]?|[A-Z]?\d?)[a-z]{3,}(?:[0-9_-][a-z]{3,})?\.(?!com|org|net|tv)[a-z]{2,9})[01].*?(?P=CN)[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; content:!"GoDaddy"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023476; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat PDF Reader use after free JavaScript engine (CVE-2017-16393)"; flow:established,from_server; flowbits:isset,ET.pdf.in.http; file_data; content:"this.addAnnot"; nocase; content:"this.addField"; nocase; content:".popupRect"; nocase; content:".setAction("; nocase; content:"OnFocus"; nocase; content:"setFocus"; nocase; pcre:"/\s+?(?P<var1>[^\s\x3d]+?)\s*?=\s*?this\.addAnnot.+?(?P=var1)\s*\x2epopupRect\s*?=\s*?0x4000/si"; pcre:"/\s+?(?P<var2>[^\s\x3d]+?)\s*?=\s*?this\.addField.+?(?P=var2)\s*\x2e\s*setAction\s*?\x28\s*?[\x22\x27]\s*?OnFocus[^\x29]+popupOpen\s*?=\s*?true/si"; reference:cve,2017-16393; classtype:attempted-user; sid:2025091; rev:3; metadata:affected_product Adobe_Reader, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Mar 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"yass_email="; depth:11; nocase; http_client_body; content:"&yass_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024046; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_03_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Exim Internet Mailer Remote Code Execution"; flow:established,to_server; content:"JHtydW57L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3Av"; reference:cve,2018-6789; reference:url,exploit-db.com/exploits/44571/; classtype:attempted-user; sid:2025793; rev:2; metadata:attack_target SMTP_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful ANZ Internet Banking Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"typ="; depth:4; nocase; http_client_body; content:"&cid="; nocase; distance:0; http_client_body; content:"&cpass="; nocase; distance:0; http_client_body; content:"&homepn="; nocase; distance:0; http_client_body; content:"&workpn="; nocase; distance:0; http_client_body; content:"&mobilepn="; nocase; distance:0; http_client_body; content:"&telepass="; nocase; distance:0; http_client_body; content:"&ccnumber="; nocase; distance:0; http_client_body; fast_pattern; content:"&cvv="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024050; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 9000 (msg:"ET EXPLOIT xdebug OS Command Execution"; flow:established,to_server; content:"eval -i 1 --|0d 0a|ZmlsZV9wdXRfY29udGVudH"; reference:url,exploit-db.com/exploits/44568/; classtype:attempted-user; sid:2025794; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload Download M1 Mar 14 2017"; flow:established,from_server; file_data; content:"|2e de 08 bb 99 8a 7b 6c|"; within:8; classtype:exploit-kit; sid:2024053; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_03_14;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT bin bash base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"vYmluL2Jhc2"; classtype:attempted-user; sid:2025806; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload Download M2 Mar 14 2017"; flow:established,from_server; file_data; content:"|5e 5a a3 90 b9 31 7b 54|"; within:8; classtype:exploit-kit; sid:2024054; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_03_14;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"vKjw/cGhwI"; classtype:attempted-user; sid:2025809; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful iCloud Phish Mar 15 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta http-equiv=|22|Content-Type|22|"; nocase; content:"alert"; content:"|41 70 70 6c 65 20 49 44|"; nocase; within:20; fast_pattern; content:"|68 69 73 74 6f 72 79 2e 62 61 63 6b|"; nocase; distance:0; classtype:credential-theft; sid:2024059; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_03_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"MeW84UDNCb2ND"; classtype:attempted-user; sid:2025812; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2381 (msg:"ET EXPLOIT HP Smart Storage Administrator Remote Command Injection"; flow:to_server,established; content:"echo -n|20|"; pcre:"/^\s*(?:f0VMR|9FTE|\/RUxG)/R"; reference:cve,2016-8523; classtype:attempted-user; sid:2024063; rev:2; metadata:affected_product HP_Smart_Storage_Administrator, attack_target Server, created_at 2017_03_15, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2017_03_15;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"c3lzdGVtKCIgcGhw"; classtype:attempted-user; sid:2025795; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|nopassworddomaine.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024068; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"N5c3RlbSgiIHBoc"; classtype:attempted-user; sid:2025796; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|asdallls.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"zeXN0ZW0oIiBwaH"; classtype:attempted-user; sid:2025797; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|treesaboutword.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024070; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 4"; flow:established,to_server; content:"c3lzdGVtKCJwaH"; classtype:attempted-user; sid:2025798; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Android Marcher C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|randfservices.co.uk"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024071; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 5"; flow:established,to_server; content:"N5c3RlbSgicGhw"; classtype:attempted-user; sid:2025799; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|radomir.tk"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024072; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 6"; flow:established,to_server; content:"zeXN0ZW0oInBoc"; classtype:attempted-user; sid:2025800; rev:2; metadata:created_at 2018_07_09, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|ui-images.ru"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024073; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT file_put_contents php base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"ZmlsZV9wdXRfY29udGVudH"; classtype:attempted-user; sid:2025801; rev:2; metadata:affected_product Web_Server_Applications, affected_product PHP, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|sopelnas.co"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024074; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT file_put_contents php base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"ZpbGVfcHV0X2NvbnRlbnRz"; classtype:attempted-user; sid:2025802; rev:2; metadata:affected_product Web_Server_Applications, affected_product PHP, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|nesiron.co"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024075; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT file_put_contents php base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"maWxlX3B1dF9jb250ZW50c"; classtype:attempted-user; sid:2025803; rev:2; metadata:affected_product Web_Server_Applications, affected_product PHP, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|securityupdate.at"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024076; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT bin bash base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"L2Jpbi9iYXNo"; classtype:attempted-user; sid:2025804; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Chthonic MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|Anyverizozovali"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024077; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT bin bash base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"9iaW4vYmFza"; classtype:attempted-user; sid:2025805; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; pcre:"/^.[\x0e\x0f](?!(?:www|ns))[a-z0-9]{2,3}/R"; content:".faisrl.net"; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024078; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"Lyo8P3BocC"; classtype:attempted-user; sid:2025807; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; pcre:"/^.[\x0a\x0b](?!(?:www|ns))[a-z0-9]{1,2}/R"; content:".kjaro.it"; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024079; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"8qPD9waHAg"; classtype:attempted-user; sid:2025808; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|24brb.tk"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024080; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"THlvOFAzQm9jQ"; classtype:attempted-user; sid:2025810; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|interface-ui.ru"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024081; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"x5bzhQM0JvY0"; classtype:attempted-user; sid:2025811; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sogelfeld.ws"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024082; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 4"; flow:established,to_server; content:"OHFQRDl3YUhBZ"; classtype:attempted-user; sid:2025813; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|kmeses.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024084; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 5"; flow:established,to_server; content:"hxUEQ5d2FIQW"; classtype:attempted-user; sid:2025814; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sklaaaor.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024085; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 6"; flow:established,to_server; content:"4cVBEOXdhSEFn"; classtype:attempted-user; sid:2025815; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|securessl.info"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024086; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 7"; flow:established,to_server; content:"dktqdy9jR2h3S"; classtype:attempted-user; sid:2025816; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|gamagrjoba.at"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024087; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 8"; flow:established,to_server; content:"ZLancvY0dod0"; classtype:attempted-user; sid:2025817; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|c.beccaccechepassione.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024088; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 9"; flow:established,to_server; content:"2S2p3L2NHaHdJ"; classtype:attempted-user; sid:2025818; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|shanycuusenetscape.xyz"; distance:1; within:23; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024089; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT [eSentire] Fake Flash Update 2018-07-09"; flow:established,to_client; file_data; content:"<title>Critical error!"; nocase; fast_pattern; content:"Your player version"; nocase; distance:0; content:"has a critical vulnerability"; nocase; distance:0; content:"FlashPlayer.exe"; nocase; distance:0; classtype:trojan-activity; sid:2025647; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_10, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2018_07_10;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|userlicensenon.club"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024090; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp any any -> $HOME_NET 4070 (msg:"ET EXPLOIT HID VertX and Edge door controllers command_blink_on Remote Command Execution"; content:"command_blink_on|3b|"; fast_pattern; content:"|60|"; within:44; reference:url,exploit-db.com/exploits/44992/; classtype:attempted-user; sid:2025821; rev:2; metadata:attack_target IoT, created_at 2018_07_10, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|w4ait0.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024091; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp any any -> $HOME_NET 4070 (msg:"ET SCAN HID VertX and Edge door controllers discover"; dsize:<45; content:"discover|3b|013|3b|"; reference:url,exploit-db.com/exploits/44992/; classtype:attempted-recon; sid:2025822; rev:2; metadata:attack_target IoT, created_at 2018_07_10, deployment Datacenter, former_category SCAN, updated_at 2018_07_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Length) M1"; flow:to_server,established; content:"Content-Length|3a|"; nocase; content:"{"; content:"}"; content:"java|2e|"; nocase; content:"|2e|ognl"; fast_pattern:only; pcre:"/^Content-Length\x3a[^\r\n]*?\{(?=[^\r\n]*java\.)[^\r\n]*\.ognl[^\r\n]*\}/mi"; classtype:web-application-attack; sid:2024094; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2017_03_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] Adobe Phishing Landing 2018-07-04"; flow:from_server,established; content:"<title>PDF Online"; nocase; fast_pattern; content:"Please Enter Your receiving Email Address"; nocase; distance:0; content:"method=|22|post|22|"; nocase; classtype:social-engineering; sid:2025648; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_10, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Minor, updated_at 2018_07_10;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Length) M2"; flow:to_server,established; content:"Content-Length|3a 20 25 7b 28|"; nocase; content:"{"; content:"}"; classtype:web-application-attack; sid:2024095; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2017_03_21;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows RRAS SMB Remote Code Execution"; flow:established,to_server; content:"|21 00 00 00 10 27 00 00 a4 86 01 00 41 41 41 41 04 00 00 00 41 41 41 41 a4 86 01 00 ad 0b 2d 06 d0 ba 61 41 41 90 90 90 90 90|"; reference:cve,2017-11885; reference:url,exploit-db.com/exploits/44616/; classtype:attempted-user; sid:2025824; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_07_11, deployment Perimeter, deployment Datacenter, former_category NETBIOS, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Disposition) M2"; flow:to_server,established; content:"Content-Disposition|3a 20 25 7b 28|"; nocase; content:"{"; content:"}"; classtype:web-application-attack; sid:2024097; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2017_03_21;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE [eSentire] Win32/Spy.Banker.ADIO CnC Checkin"; flow:to_server,established; dsize:<35; content:"|3c 7c|"; depth:2; content:"|7c 3e|OPERADOR|3c 7c 3e|"; fast_pattern; distance:0; reference:md5,f45991556122b07d501fa995bd4e74a7; classtype:command-and-control; sid:2025652; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_11, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, signature_severity Major, updated_at 2018_07_11;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP STAT * dos attempt"; flow:to_server,established; content:"STAT"; nocase; pcre:"/^STAT\s+[^\n]*\x2a/smi"; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:attempted-dos; sid:2101777; rev:12; metadata:created_at 2010_09_23, former_category FTP, updated_at 2020_08_20;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cmd powershell base64 encoded to Web Server 1"; flow:established,to_server; content:"Y21kIC9jIHBvd2Vyc2hlbGwuZXhl"; classtype:attempted-user; sid:2025827; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_12, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"/billwebsvr.dll?Buy?user="; http_uri; content:"&key="; http_uri; content:"&channel="; http_uri; content:"&corp="; http_uri; content:"&product="; http_uri; content:"&phone="; http_uri; content:"&private="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012862; rev:4; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cmd powershell base64 encoded to Web Server 2"; flow:established,to_server; content:"NtZCAvYyBwb3dlcnNoZWxsLmV4Z"; classtype:attempted-user; sid:2025828; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_12, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_18;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET DOS Microsoft Windows LSASS Remote Memory Corruption (CVE-2017-0004)"; flow:established,to_server; content:"|FF|SMB|73|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; byte_test:1,&,0x08,6,relative; byte_test:1,&,0x10,5,relative; byte_test:1,&,0x04,5,relative; byte_test:1,&,0x02,5,relative; byte_test:1,&,0x01,5,relative; content:"|ff 00|"; distance:28; within:2; content:"|84|"; distance:25; within:1; content:"NTLMSSP"; fast_pattern; within:64; reference:url,github.com/lgandx/PoC/tree/master/LSASS; reference:url,support.microsoft.com/en-us/kb/3216771; reference:url,support.microsoft.com/en-us/kb/3199173; reference:cve,2017-0004; reference:url,technet.microsoft.com/library/security/MS17-004; classtype:attempted-dos; sid:2023497; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_11, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2017_01_12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cmd powershell base64 encoded to Web Server 3"; flow:established,to_server; content:"jbWQgL2MgcG93ZXJzaGVsbC5leG"; classtype:attempted-user; sid:2025829; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_12, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M1 Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"act="; depth:4; nocase; http_client_body; content:"&command="; nocase; distance:16; within:9; http_client_body; fast_pattern; content:"&PIN="; nocase; distance:0; http_client_body; content:"&Go="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024102; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Execve(/bin/sh) Shellcode"; content:"|31 c0 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50 53 89 e1 b0 0b cd 80|"; classtype:shellcode-detect; sid:2025695; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2018_07_13, deployment Perimeter, former_category SHELLCODE, performance_impact Low, updated_at 2018_07_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M2 Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"account="; depth:8; nocase; http_client_body; content:"&pin"; nocase; distance:16; within:4; http_client_body; content:"&command="; nocase; distance:0; http_client_body; content:"&PrimaryApplicant="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024103; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp $HOME_NET 445 -> any any (msg:"ET POLICY SMB Remote AT Scheduled Job Pipe Creation"; flow:established,to_client; content:"SMB"; depth:8; content:"\\PIPE\\atsvc|00|"; distance:0; classtype:bad-unknown; sid:2025714; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK Landing Page Dec 09 2013"; flow:from_server,established; file_data; content:".charCodeAt("; fast_pattern; pcre:"/^[^\)]+\)[\r\n\s]*?\^[\r\n\s]*?[\w\.\_\-]*?\.charCodeAt\([^\)]+\)[\r\n\s]*?\,/Rsi"; content:"Math.floor"; content:"$(document).ready"; content:"decodeURIComponent"; pcre:"/^[\r\n\s]*?\,/Rsi"; content:"+= |22 22|"; content:"+= |22 22|"; distance:0; classtype:exploit-kit; sid:2017824; rev:3; metadata:created_at 2013_12_10, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB Executable File Transfer"; flow:established,to_server; content:"SMB"; depth:8; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.smb.binary; classtype:bad-unknown; sid:2025699; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK Plugin-Detect 2 May 20 2013"; flow:established,from_server; file_data; content:"encodeURIComponent(xor(JSON.stringify"; fast_pattern:8,20; content:"PluginDetect.getVersion"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016868; rev:14; metadata:created_at 2013_05_21, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For an Executable File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|exe|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025700; rev:2; metadata:attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Exploit Download Sep 30 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/j"; http_uri; content:"?f"; http_uri; distance:0; pcre:"/\/j[a-z]+?\?f[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017267; rev:8; metadata:created_at 2013_08_01, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For an Executable File"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|e|00|x|00|e|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025701; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Exploit Download Oct 15 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/b"; http_uri; content:"?n"; http_uri; distance:0; pcre:"/\/b[a-z]+?\?n[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017594; rev:8; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For an Executable File In a Temp Directory"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"t|00|e|00|m|00|p|00|\\|00|"; nocase; distance:0; content:"|00 2E 00|e|00|x|00|e|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025703; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download Oct 15 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/v"; http_uri; content:"?n"; http_uri; distance:0; pcre:"/\/v[a-z]+?\?n[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017595; rev:9; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a Powershell .ps1 File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|ps1|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025704; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK XORed pluginDetect 1"; flow:established,to_client; file_data; content:"M%01%06%00%18%02%11"; within:19; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017596; rev:3; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|p|00|s|00|1|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025705; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK XORed pluginDetect 2"; flow:established,to_client; file_data; content:"_%11%11%16%0A%12%06"; within:19; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017597; rev:3; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a .bat File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|bat|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025706; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Exploit/Payload Download Nov 1 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; pcre:"/^\/[a-z]{5,14}\?[a-z]{5,12}=[a-z]{6,11}$/U"; reference:url,pastebin.com/194D8UuK; classtype:exploit-kit; sid:2017653; rev:14; metadata:created_at 2013_11_01, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a .bat File"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|b|00|a|00|t|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025707; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Redirect to Neutrino EK goi.php Nov 4 2013"; flow:established,to_server; urilen:8; content:"/goi.php"; http_uri; classtype:exploit-kit; sid:2017661; rev:3; metadata:created_at 2013_11_04, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a DLL File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|dll|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025708; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Neutrino/Fiesta EK SilverLight Exploit Jan 13 2014 DLL Naming Convention"; flow:established,from_server; file_data; content:"PK|01 02|"; content:"|10 00|"; distance:24; within:2; content:"AppManifest.xaml"; distance:16; within:16; content:"PK|01 02|"; within:36; content:"|07 00|"; distance:24; within:2; pcre:"/^.{16}[a-z]{3}\.dll/Rs"; content:"PK|05 06|"; within:36; content:"|02 00 02 00|"; distance:4; within:4; classtype:exploit-kit; sid:2017963; rev:3; metadata:created_at 2014_01_14, former_category CURRENT_EVENTS, updated_at 2017_03_29;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|d|00|l|00|l|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025709; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET DELETED Possible Neutrino EK IE/Silverlight Payload Download"; flow:established,to_server; content:"WinHttp.WinHttpRequest."; http_header; pcre:"/^\/[a-z]+?\?[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017971; rev:10; metadata:created_at 2014_01_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a .sys File - Possible Lateral Movement"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|sys|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025710; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Neutrino/Fiesta EK SilverLight Exploit March 05 2014 DLL Naming Convention"; flow:established,from_server; file_data; content:"PK|01 02|"; content:"|10 00|"; distance:24; within:2; content:"AppManifest.xaml"; distance:16; within:16; content:"PK|01 02|"; within:36; content:"|08 00|"; distance:24; within:2; pcre:"/^.{16}[a-z]{4}\.dll/Rs"; content:"PK|05 06|"; within:36; content:"|02 00 02 00|"; distance:4; within:4; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018226; rev:3; metadata:created_at 2014_03_06, former_category CURRENT_EVENTS, updated_at 2017_03_29;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a .sys File - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|s|00|y|00|s|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025711; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Flash Exploit M2 Aug 02 2015"; flow:from_server,established; flowbits:isset,ET.Neutrino; content:"nginx"; http_header; nocase; file_data; content:"CWS"; fast_pattern; within:3; classtype:exploit-kit; sid:2021588; rev:3; metadata:created_at 2015_08_04, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB Remote AT Scheduled Job Create Request - Possible Lateral Movement"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"atsvc|00|"; distance:0; classtype:bad-unknown; sid:2025712; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Flash Exploit M3 Aug 02 2015"; flow:from_server,established; flowbits:isset,ET.Neutrino; content:"nginx"; http_header; nocase; file_data; content:"ZWS"; fast_pattern; within:3; classtype:exploit-kit; sid:2021589; rev:5; metadata:created_at 2015_08_04, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 1"; flow:established,to_server; content:"base64"; fast_pattern; content:"f0VM"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; classtype:attempted-user; sid:2025716; rev:3; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Job314/Neutrino EK Flash Exploit M1 Aug 02 2015 (IE)"; flow:to_server,established; content:"x-flash-version|3a|"; http_header; fast_pattern:only; content:!".swf"; http_uri; nocase; content:!".flv"; http_uri; nocase; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?:[a-z\d+]*?[A-Z])(?:[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?!www\.)(?P<refhost>[^\x3a\x2f\r\n]+)(?:\x3a\d{1,5})?\/(?:[a-z]{3,20}\/(?:(?:[a-z\d+]*?[A-Z])(?:[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)\r\n.*?Host\x3a\x20(?P=refhost)/Hsi"; content:!"Cookie|3a 20|"; classtype:exploit-kit; sid:2021590; rev:6; metadata:created_at 2015_08_04, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 2"; flow:established,to_server; content:"base64"; fast_pattern; content:"9FT"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; classtype:attempted-user; sid:2025717; rev:3; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Malicious Macro DL BIN March 2017"; flow:established,to_server; content:"GET"; http_method; content:"?showforum="; http_uri; fast_pattern:only; pcre:"/\?showforum=$/Ui"; content:!".php"; http_uri; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; reference:md5,ad575f6795526f2ee5e730f76a3b5346; classtype:trojan-activity; sid:2024109; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2019_04_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 3"; flow:established,to_server; content:"base64"; fast_pattern; content:"/RU"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; classtype:attempted-user; sid:2025718; rev:3; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; nocase; http_header; content:!"autodesk.com"; http_header; reference:url,doc.emergingthreats.net/2010908; classtype:trojan-activity; sid:2010908; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_04_03;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Linux"; flow:established,to_server; content:"jsonrpc"; content:"method"; content:"miner_file"; content:".bash"; content:"5c5c7837665c5c7834355c5c7834635c5c783436"; fast_pattern; reference:url,exploit-db.com/exploits/45044/; reference:cve,2018-1000049; classtype:attempted-user; sid:2025861; rev:1; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mail.ru Phish Apr 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"new_auth_form="; depth:14; nocase; http_client_body; fast_pattern; content:"&page="; nocase; distance:0; http_client_body; content:"&back="; nocase; distance:0; http_client_body; content:"&FromAccount="; nocase; distance:0; http_client_body; content:"&Login="; nocase; distance:0; http_client_body; content:"&selector="; nocase; distance:0; http_client_body; content:"&Username="; nocase; distance:0; http_client_body; content:"&Password="; nocase; distance:0; http_client_body; content:"&saveauth="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024167; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Windows"; flow:established,to_server; content:"jsonrpc"; content:"method"; content:"miner_file"; content:".bat"; content:"706f7765727368656c6c2e657865"; fast_pattern; reference:url,exploit-db.com/exploits/45044/; reference:cve,2018-1000049; classtype:attempted-user; sid:2025862; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK CVE-2016-0189 Exploit M2"; flow:established,from_server; file_data; content:"|73 74 72 54 6f 49 6e 74 28 4d 69 64 28 6d 65 6d 2c 20 31 2c 20 32 29 29|"; content:"|2b 20 26 48 31 37 34|"; reference:cve,2016-0189; classtype:exploit-kit; sid:2024169; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_04_04;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded ASCII Inbound Web Servers Likely Command Execution 4"; flow:established,to_server; content:"5c5c7837665c5c7834355c5c7834635c5c783436"; classtype:attempted-user; sid:2025732; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2018_07_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK CVE-2015-2419 Exploit"; flow:established,from_server; file_data; content:"EB125831C966B9"; nocase; content:"05498034088485C975F7FFE0E8E9FFFFFFD10D61074028D7D5D3B544E0"; distance:2; within:58; nocase; reference:cve,2016-0189; classtype:exploit-kit; sid:2024170; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_04_04;)
+alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE QRat.Java.RAT Checkin Response"; flow:established,to_client; content:"|7b 22 6d 61 73 6d 61 67 22 3a 22|"; within:48; fast_pattern; content:"|22 2c 22 6d 61 73 76 65 72 22 3a|"; distance:0; content:"|2c 22 6d 61 73 69 64 22 3a 22|"; distance:0; content:"|22 2c 22 6e 65 65 64 2d 6d 6f 72 65 22 3a|"; distance:0; content:"|7b 22 6d 61 67 69 63 22 3a 22|"; distance:0; content:"|22 2c 22 69 6e 64 65 78 22 3a 22|"; distance:0; content:"|22 68 61 73 2d 72 65 71 75 65 73 74 65 72 22 3a|"; distance:0; content:"|22 68 61 73 2d 61 63 63 65 70 74 65 72 22 3a|"; distance:0; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:command-and-control; sid:2025392; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category MALWARE, malware_family QRat, signature_severity Major, updated_at 2018_07_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-LINK DIR-615 Cross-Site Request Forgery (CVE-2017-7398)"; flow:from_server,established; file_data; content:"/form2WlanBasicSetup.cgi"; fast_pattern; nocase; content:"method"; nocase; distance:0; pcre:"/^\s*=\s*[\x27\x22]\s*POST/Rsi"; content:"ssid"; nocase; content:"save"; nocase; content:"Apply"; nocase; distance:0; reference:cve,CVE-2017-7398; classtype:attempted-user; sid:2024181; rev:2; metadata:affected_product D_Link_DIR_615, attack_target Client_Endpoint, created_at 2017_04_05, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2017_04_05;)
+alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|-|00|w|00|"; nocase; distance:0; content:"|00|h|00|i|00|d|00|d|00|e|00|n|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025720; rev:3; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M1 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"cpf="; depth:4; nocase; http_client_body; fast_pattern; content:"&next_pag="; nocase; distance:0; http_client_body; content:"&entrar="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024186; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With No Profile Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|n|00|o|00|p|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025722; rev:2; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M2 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_net="; depth:8; nocase; http_client_body; fast_pattern; content:"&cpf="; nocase; distance:0; http_client_body; content:"&continuar_acess="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024187; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|e|00|x|00|e|00|c|00|"; nocase; distance:0; content:"|00|b|00|y|00|p|00|a|00|s|00|s|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025723; rev:2; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M3 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_4="; depth:6; nocase; http_client_body; fast_pattern; content:"&psw_net="; nocase; distance:0; http_client_body; content:"&cpf="; nocase; distance:0; http_client_body; content:"&proseguir="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024188; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With NonInteractive Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|n|00|o|00|n|00|i|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025724; rev:2; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sogelfeld.ws"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024083; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert smb any any -> $HOME_NET 445 (msg:"ET POLICY RunDll Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|r|00|u|00|n|00|d|00|l|00|l|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2025725; rev:3; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE W32/Kegotip CnC Beacon"; flow:established,to_server; content:"QXNka"; depth:5; reference:url,www.soleranetworks.com/blogs/cryptolocker-kegotip-medfos-malware-triple-threat/; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FKegotip.C; classtype:command-and-control; sid:2017627; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_10_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2017_04_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 UTF-8 Inbound Web Servers Likely Command Execution 5"; flow:established,to_server; content:"XDE3N1wxMDVcMTE0XDEwN"; classtype:attempted-user; sid:2025832; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_18, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_18;)
 
-alert tcp any any -> $HOME_NET 23 (msg:"ET EXPLOIT Cisco Catalyst Remote Code Execution (CVE-2017-3881)"; flow:to_server,established; content:"|ff fa 24 00 03|CISCO_KITS"; content:"|3a|"; distance:2; within:1; isdataat:160,relative; content:!"|3a|"; within:160; reference:url,artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/; classtype:attempted-user; sid:2024194; rev:1; metadata:affected_product CISCO_Catalyst, attack_target IoT, created_at 2017_04_10, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2017_04_10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 UTF-8 Inbound Web Servers Likely Command Execution 6"; flow:established,to_server; content:"wxNzdcMTA1XDExNFwxMD"; classtype:attempted-user; sid:2025833; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_18, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_18;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.DarkComet Keepalive Inbound"; flow:from_server,established; dsize:<30; content:"KEEPALIVE"; nocase; depth:9; pcre:"/^KEEPALIVE\x7c?\d/i"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; classtype:trojan-activity; sid:2013091; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_06_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2017_04_10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 UTF-8 Inbound Web Servers Likely Command Execution 7"; flow:established,to_server; content:"cMTc3XDEwNVwxMTRcMTA2"; classtype:attempted-user; sid:2025834; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_18, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_18;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocENG Inject M3"; flow:established,from_server; file_data; content:"|69 64 3d 22 62 62 62 31 22 3e 43 6c 69 63 6b 20 6f 6e 20 74 68 65 20 43 68 72 6f 6d 65 5f 46 6f 6e 74 2e 65 78 65|"; classtype:social-engineering; sid:2024200; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, signature_severity Major, updated_at 2017_04_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED EXE Download Request To Wordpress Folder Likely Malicious"; flow:established,to_server; content:"GET"; http_method; content:"/wp-"; http_uri; content:".exe"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\.exe(?:\?[0-9])?$/U"; pcre:"/\/wp-(?:content|admin|includes)\//U"; reference:md5,1828f7090d0ad2844d3d665d2f41f911; classtype:trojan-activity; sid:2022239; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2015_12_09, deployment Datacenter, former_category TROJAN, signature_severity Major, tag Wordpress, updated_at 2018_07_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Response"; flow:from_server,established; file_data; content:"[{|22|id|22 3a 22|0|22|,|22|command|22 3a 22|OK|22|}"; depth:26; fast_pattern; reference:md5,bc76d516a66e4002461128f62896c6dd; classtype:trojan-activity; sid:2024202; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_04_11, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Ewind, signature_severity Major, tag Android, updated_at 2017_04_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Github Phishing Landing 2018-07-19"; flow:established,from_server; file_data; content:"form action=|22|login.php|22|"; content:"<h1>Sign in to GitHub</h1>"; distance:0; fast_pattern; content:"<input type=|22|text|22 20|name=|22|username|22|"; distance:0; classtype:social-engineering; sid:2025873; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phish, updated_at 2018_07_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Setup"; flow:established,to_server; content:".php?setup=d&s="; http_uri; content:"&r="; pcre:"/\.php\?setup=d&s=\d+&r=\d+$/U"; classtype:exploit-kit; sid:2015946; rev:3; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2017_04_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Twitter Phishing Landing 2018-07-19"; flow:established,from_server; file_data; content:"<title>Login to Twitter</title>"; content:"form action=|22|login.php|22|"; distance:0; content:"|20 20 20 20 20 20|name=|22|usernameOrEmail|22 0a|"; distance:0; fast_pattern; classtype:social-engineering; sid:2025874; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Minor, tag Phish, updated_at 2018_07_19;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (11)"; dsize:13<>32; content:"a"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023622; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Hex Escape Inbound Web Servers Likely Command Execution 8"; flow:established,to_server; content:"XFx4N2ZcXHg0NVxceDRjXFx4ND"; classtype:attempted-user; sid:2025865; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_19;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (1)"; dsize:13<>32; content:"0"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023612; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Hex Escape Inbound Web Servers Likely Command Execution 9"; flow:established,to_server; content:"xceDdmXFx4NDVcXHg0Y1xceDQ2"; classtype:attempted-user; sid:2025866; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_19;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (10)"; dsize:13<>32; content:"9"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023621; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Hex Escape Inbound Web Servers Likely Command Execution 10"; flow:established,to_server; content:"cXHg3ZlxceDQ1XFx4NGNcXHg0N"; classtype:attempted-user; sid:2025867; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_19;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (12)"; dsize:13<>32; content:"b"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023623; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic plain Inbound Web Servers Likely Command Execution 11"; flow:established,to_server; content:"|5c|177|5c|105|5c|114|5c|106|5c|"; fast_pattern; classtype:attempted-user; sid:2025868; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_19;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (13)"; dsize:13<>32; content:"c"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023624; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic plain Inbound Web Servers Likely Command Execution 12"; flow:established,to_server; content:"|5c 5c|x7f|5c 5c|x45|5c 5c|x4c|5c 5c|x46|5c 5c|"; classtype:attempted-user; sid:2025869; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_19;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (14)"; dsize:13<>32; content:"d"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023625; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Netflix Phishing Landing 2017-07-20"; flow:established,from_server; file_data; content:"<title>Netflix</title>"; content:"meta content=|22|watch movies"; distance:0; content:"meta content=|22|Watch Netflix movies"; distance:0; fast_pattern; content:"action=|22|login.php|22|"; distance:0; classtype:social-engineering; sid:2025875; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_20, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Minor, tag Phish, updated_at 2018_07_20;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (15)"; dsize:13<>32; content:"e"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023626; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LinkedIn Phishing Landing 2017-07-20"; flow:established,from_server; file_data; content:"class=|22|ie ie6 lte9 lte8 lte7 os-linux|22|>"; content:"<title>LinkedIn|26 23|58|3b 20|Log In or Sign Up</title>"; distance:0; fast_pattern; content:"action=|22|login.php|22|"; distance:0; classtype:social-engineering; sid:2025876; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_20, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Minor, tag Phish, updated_at 2018_07_20;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (16)"; dsize:13<>32; content:"f"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023627; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE passwd file Outbound from WEB SERVER Linux"; flow:established,from_server; file_data; content:"root:x:0:0:root:/root:/bin/"; within:27; classtype:successful-recon-limited; sid:2025879; rev:1; metadata:created_at 2018_07_20, updated_at 2018_07_20;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (2)"; dsize:13<>32; content:"1"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023613; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] DHL Phish Landing July 24 2018"; flow:established,to_client; file_data; content:"<TITLE>Tracking made easy"; nocase; content:"Login to Continue Tracking your Package"; nocase; distance:0; content:"Sign In With Your Correct Email and Password To Review Package Information"; nocase; distance:0; classtype:social-engineering; sid:2025886; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_07_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2018_07_24;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (3)"; dsize:13<>32; content:"2"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023614; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"ET EXPLOIT Remote Command Execution via Android Debug Bridge"; flow:from_server,established; content:"CNXN|00 00 00 01 00 10 00 00 07 00 00 00 32 02 00 00 BC B1 A7 B1|host|3a 3a|"; distance:40; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/open-adb-ports-being-exploited-to-spread-possible-satori-variant-in-android-devices/; classtype:trojan-activity; sid:2025887; rev:1; metadata:created_at 2018_07_24, updated_at 2018_07_24;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (4)"; dsize:13<>32; content:"3"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023615; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"ET EXPLOIT Remote Command Execution via Android Debug Bridge 2"; flow:from_server,established; content:"OPENX|02 00 00 00 00 00 00 F2 17 4A 00 00 B0 AF BA B1|shell|3a|>/sdcard/Download/f|20|&&|20|cd|20|/sdcard/Download/|3b 20|>/dev/f|20|&&|20|cd|20|/dev/|3b 20|>/data/local/tmp/f|20|&&|20|cd|20|/data/local/tmp/|3b 20|busybox|20|wget|20|http|3a|//"; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/open-adb-ports-being-exploited-to-spread-possible-satori-variant-in-android-devices/; classtype:trojan-activity; sid:2025888; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_24, deployment Perimeter, former_category EXPLOIT, signature_severity Critical, updated_at 2018_07_24;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (5)"; dsize:13<>32; content:"4"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023616; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 6000: (msg:"ET DELETED Zeus P2P CnC"; dsize:72; content:!"|00 00 00|"; offset:5; byte_extract:1,63,padding; byte_test:1,!=,0xff,71; byte_test:1,!=,0x00,71; byte_test:1,=,padding,64; byte_test:1,=,padding,65; byte_test:1,=,padding,66; byte_test:1,=,padding,67; byte_test:1,=,padding,68; byte_test:1,=,padding,69; byte_test:1,=,padding,70; byte_test:1,=,padding,71; reference:url,www.abuse.ch/?p=3499; classtype:command-and-control; sid:2013739; rev:16; metadata:created_at 2011_10_05, former_category TROJAN, updated_at 2018_07_24;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (6)"; dsize:13<>32; content:"5"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023617; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Golden Rat Checkin"; flow:to_server,established; content:"<HmzaPacket>|3e 0a 20 20|<Command>"; depth:25; fast_pattern; content:"<MSG>"; within:40; content:"</MSG>|3e 0a 20 20|"; distance:0; content:"</HmzaPacket></HAMZA_DELIMITER_STOP>"; distance:0; reference:url,csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf; reference:md5,6296586cf9a59b25d1b8ab3eeb0c2a33; classtype:trojan-activity; sid:2025895; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_GoldenRat, tag Android, updated_at 2018_07_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (7)"; dsize:13<>32; content:"6"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023618; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Underminer EK IE Exploit"; flow:established,to_client; file_data; content:"IE=EmulateIE9"; nocase; content:"</head"; nocase; within:200; content:"<body"; nocase; within:200; content:"<script"; nocase; within:200; content:"!!window.ActiveXObject"; nocase; within:200; content:"try"; within:200; content:"parent.parent.setLocalStoreUserData"; nocase; distance:0; pcre:"/^\s*\([\x22\x27][A-F0-9a-f]{32}[\x22\x27]\s*\)\s*\x3b\s*}\s*catch\s*\(e\)\s*\{\s*\}\s*\}\s*<\/script>\s*<\/body>/Rsi"; classtype:exploit-kit; sid:2025911; rev:1; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2018_07_26;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (8)"; dsize:13<>32; content:"7"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023619; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Underminer EK Flash Exploit"; flow:established,to_client; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; fast_pattern; content:"<param"; nocase; pcre:"/^(?=[^>]*? name\s*=\s*[\x22\x27]flashvars)[^>]*? value\s*=\s*[\x22\x27]url=https?\x3a[^\x22\x27]*?\.wasm/Rsi"; classtype:exploit-kit; sid:2025914; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2018_07_27;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (9)"; dsize:13<>32; content:"8"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Underminer EK Plugin Check"; flow:established,to_client; content:"Cache-Control|3a 20|private|3b 20|no-store|3b 20|no-cache|0d 0a|"; http_header; content:"Content-Encoding|3a 20|gzip|0d 0a|"; http_header; file_data; content:"name:location.hostname,init:function()"; nocase; within:300; content:"document.body.appendChild(UserData.userData)"; nocase; distance:0; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; content:".setAttribute(|22|type|22|,|22|application/x-shockwave-flash|22|)"; nocase; distance:0; content:".test(navigator.userAgent)?function"; nocase; distance:0; content:"map([|22|ShockwaveFlash.ShockwaveFlash|22|,|22|AcroPDF.PDF|22|,|22|PDF.PdfCtrl|22|,|22|QuickTime.QuickTime|22|,|22|RealPlayer|22|,|22|SWCtl.SWCtl|22|,|22|WMPlayer.OCX|22|,|22|AgControl.AgControl|22|,|22|Skype.Detection|22|]"; nocase; fast_pattern; classtype:exploit-kit; sid:2025915; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2018_09_28;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO http string in hex Possible Obfuscated Exploit Redirect"; flow:established,to_client; content:"=[|22 5c|x68|5c|x74|5c|x74|5c|x70|5c|x3A|5c|x2F|5c|x2F|5c|"; classtype:bad-unknown; sid:2012118; rev:3; metadata:created_at 2010_12_30, former_category CURRENT_EVENTS, updated_at 2017_04_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED IP Check Domain (showmyipaddress.com in HTTP Host)"; flow:established,to_server; content:"Host|3a| www.showmyipaddress.com"; nocase; http_header; classtype:policy-violation; sid:2012691; rev:3; metadata:created_at 2011_04_18, former_category POLICY, updated_at 2018_07_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redirection to driveby Page Home index.php"; flow:established,from_server; content:"/Home/index.php|22| width=1 height=1 scrolling=no></iframe>"; classtype:exploit-kit; sid:2013436; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_19, deployment Perimeter, former_category INFO, signature_severity Major, tag DriveBy, updated_at 2017_04_14;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle WebLogic Deserialization  (CVE-2018-2893)"; flow:established,to_server; content:"t3|20|12"; depth:5; fast_pattern; content:"AS|3a|255"; distance:0; content:"HL|3a|19"; distance:0; content:"MS|3a|10000000"; distance:0; content:"PU|3a|t3|3a|//"; distance:0; reference:cve,2018-2893; reference:url,github.com/pyn3rd/CVE-2018-2893; classtype:attempted-admin; sid:2025929; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2018_08_01, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_08_01;)
 
-alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALROMANCE MS17-010"; flow:from_server,established; content:"|FF|SMB|25 05 00 00 80|"; offset:4; depth:9; content:"LSbfLScnLSepLSlfLSmf"; distance:0; fast_pattern; content:"LSrfLSsrLSscLSblLSss"; within:20; content:"LSshLStrLStcLSopLScd"; within:20; flowbits:set,ETPRO.ETERNALROMANCE; classtype:trojan-activity; sid:2024208; rev:1; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_04_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Christian Mingle Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>christian mingle - login</title>"; nocase; fast_pattern; content:"<form method=|22|post|22 20|action=|22|data.php|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025973; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ECLIPSEDWING MS08-067"; flow:to_server,established; content:"|ff|SMB|2f 00 00 00 00|"; offset:4; depth:9; content:"|00 00 00 00 ff ff ff ff 08 00|"; distance:30; within:10; content:"|2e 00 00 00 00 00 00 00 2e 00 00 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; within:12; fast_pattern; content:"|2e 00 00 00 00 00 00 00 2e 00 00 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; within:12; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; distance:0; isdataat:800,relative; classtype:trojan-activity; sid:2024215; rev:1; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_04_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>sign in to your microsoft account</title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025974; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALCHAMPION MS17-010 Sync Request (set)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18 03 c0 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:4; depth:24; content:"|00 00 00 00 ff ff ff ff 00 00|"; distance:17; within:10; content:"|5c 00 50 00 49 00 50 00 45 00 5c 00 4c 00 41 00 4e 00 4d 00 41 00 4e 00 00 00|"; distance:13; within:26; content:"|82 00|zb12g12DWrLehig24"; within:19; fast_pattern; flowbits:set,ET.ETERNALCHAMPIONsync; flowbits:noalert; classtype:trojan-activity; sid:2024212; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_04_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>log in to your paypal account</title>"; nocase; fast_pattern; content:"|7a 31 31 38 2e 63 73 73|"; nocase; distance:0; classtype:social-engineering; sid:2025975; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Malicious Gzip PowerShell over HTTP"; flow:established,from_server; file_data; content:"FromBase64String"; content:"H4sIAI"; distance:0; fast_pattern; content:"GzipStream"; nocase; distance:0; classtype:trojan-activity; sid:2024221; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_18, deployment Perimeter, former_category TROJAN, malware_family PowerShell, performance_impact Moderate, signature_severity Major, tag PowerShell, updated_at 2017_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Free Mobile Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>free mobile - bienvenue dans votre espace"; nocase; fast_pattern; content:"<img id=|22|fins|22 20|src=|22|fins.png|22|>"; nocase; distance:0; content:"<input type=|22|password|22 20|name=|22|ps|22 20|id=|22|ps|22|"; nocase; distance:0; classtype:social-engineering; sid:2025976; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"ET MALWARE IRC Nick change on non-standard port"; flow:to_server,established; dsize:<64; content:"NICK "; depth:5; content:!"twitch.tv|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; classtype:trojan-activity; sid:2000345; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>adobe pdf</title>"; nocase; fast_pattern; content:"title=|22|you are not signed in yet|22|"; nocase; distance:0; content:"title=|22|login to continue|22|"; nocase; distance:0; content:"adobe pdf online"; nocase; distance:0; content:"email password"; nocase; distance:0; classtype:social-engineering; sid:2025977; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iCloud Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"ip="; depth:3; nocase; http_client_body; content:"&city="; nocase; distance:0; http_client_body; content:"&country="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; fast_pattern; content:"&sbBtn="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024231; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Ajax Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>sign in to your account"; nocase; content:"action: posturl|20|}|22 20|action=|22|connectidx.php|22|"; nocase; distance:0; fast_pattern; content:"privacy.microsoft.com"; nocase; distance:0; classtype:social-engineering; sid:2025978; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alitalia Airline Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"carta="; depth:6; nocase; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; content:"&imageField"; nocase; distance:0; http_client_body; content:"&nome="; nocase; distance:0; http_client_body; content:"&VBV="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024232; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Alibaba Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"content=|22|alibaba manufacturer directory"; nocase; content:"class=|22|xman"; nocase; distance:0; fast_pattern; content:"id=|22|xman"; nocase; distance:0; content:"<iframe"; nocase; distance:0; classtype:social-engineering; sid:2025979; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET POLICY Radmin Remote Control Session Authentication Initiate"; flow:established,to_server; dsize:<20; content:"|01 00 00 00 05 00 00 02 27 27 02 00 00 00|"; flowbits:set,BE.Radmin.Auth.Challenge; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003481; classtype:not-suspicious; sid:2003481; rev:5; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>sign in to your account</title>"; nocase; content:"onerror=|22|$loader.on(this,true)|22 20|onload=|22|$loader.on(this)"; nocase; distance:0; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:"secure.aadcdn.microsoftonline-p.com"; nocase; distance:0; classtype:social-engineering; sid:2025981; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
 
-alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Authentication Response"; flowbits:isset,BE.Radmin.Auth.Challenge; flow:established,from_server; dsize:<20; content:"|01 00 00 00 05 00 00 00 27 27 00 00 00 00|"; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003482; classtype:not-suspicious; sid:2003482; rev:6; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (getavs)"; flow:established,to_client; content:"|00 00 00 00|getavs="; offset:1; depth:11; fast_pattern; reference:md5,0f0f6f48c3ee5f8e7cd3697c40002bc7; classtype:trojan-activity; sid:2036286; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_08, deployment Perimeter, former_category MALWARE, malware_family MSIL_Crimson, performance_impact Moderate, signature_severity Major, updated_at 2018_08_08;)
 
-alert ftp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET HUNTING Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; classtype:non-standard-protocol; sid:2003055; rev:13; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2021_12_16;)
+alert tcp-pkt any 445 -> $HOME_NET any (msg:"ET EXPLOIT SMB Null Pointer Dereference PoC Inbound (CVE-2018-0833)"; flow:from_server,established; content:"|FD 53 4D 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; offset:4; reference:url,krbtgt.pw/smbv3-null-pointer-dereference-vulnerability/; reference:cve,2018-0833; classtype:attempted-admin; sid:2025983; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_08, deployment Internal, former_category EXPLOIT, signature_severity Minor, updated_at 2018_08_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT ElTest Exploit Kit Redirection Script"; flow:established,to_client; file_data; content:"<script"; nocase; content:"text/javascript"; within:50; nocase; content:"|22|iframe|22|"; within:100; nocase; content:".style.border= |22|0px|22|"; within:200; fast_pattern; nocase; content:"frameborder"; within:100; nocase; content:".setAttribute("; within:50; nocase; content:"document.body.appendChild("; within:100; nocase; content:"= |22|http"; within:100; nocase; content:".src="; distance:0; nocase; content:"<|2F|script>"; within:50; nocase; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-campaign-evolution-eitest-october-december-2016/; classtype:exploit-kit; sid:2024237; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_24, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Moderate, signature_severity Major, updated_at 2017_04_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe PDX in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"%PDX-"; within:5; flowbits:set,ET.pdx.in.http; flowbits:noalert; classtype:not-suspicious; sid:2025985; rev:2; metadata:affected_product Adobe_Reader, created_at 2018_08_10, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2018_08_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING ARM Binary Downloaded via WGET Containing Suspicious Netcat Command - Possible IoT Malware"; flow:from_server,established; flowbits:isset,ET.armwget; content:"|25|24|25|28nc+"; content:"+-e+|25|2Fbin|25|2Fsh|25|29"; within:50; fast_pattern; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; classtype:trojan-activity; sid:2024241; rev:2; metadata:attack_target IoT, created_at 2017_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2017_04_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe Flash Uncompressed in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"FWS"; within:3; flowbits:set,HTTP.UncompressedFlash; flowbits:noalert; classtype:not-suspicious; sid:2016394; rev:7; metadata:created_at 2013_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2018_08_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ARM Binary Downloaded via WGET Containing GoAhead and Multiple Camera RCE 0Day Vulnerabilities"; flow:from_server,established; flowbits:isset,ET.armwget; content:"/set_ftp.cgi"; fast_pattern; content:"&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr="; distance:0; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; reference:url,pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html; classtype:trojan-activity; sid:2024242; rev:2; metadata:attack_target IoT, created_at 2017_04_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_04_25;)
+alert tcp any any -> $HOME_NET 12397 (msg:"ET SCADA SEIG SYSTEM 9 - Remote Code Execution"; flow:established,to_server; content:"|14 60 00 00 66 66 07 00 10 00 00 00 19 00 00 00 00 00 04 00 00 00 60 00|"; depth:24; content:!"|0d|"; distance:0; content:!"|0a|"; distance:0; content:!"|ff|"; content:!"|00|"; distance:0; reference:url,exploit-db.com/exploits/45218/; reference:cve,2013-0657; classtype:attempted-user; sid:2026003; rev:1; metadata:created_at 2018_08_21, former_category SCADA, updated_at 2018_08_21;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL cert (pyteHole Ransomware)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|services.pasmik.net"; distance:1; within:20; reference:md5,f652968bfe0861b56c8bdc111d902512; classtype:trojan-activity; sid:2024246; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_25, deployment Perimeter, former_category MALWARE, malware_family pyteHole, signature_severity Major, tag Ransomware, updated_at 2017_04_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 26"; flow:established,to_server; stream_size:server,=,1; content:"|5a 95 2a 22 4d 37 9e 51 83 55 8f|"; depth: 11; reference:md5,8f8d778bea33bc542b58c0631cf9d7e0; classtype:command-and-control; sid:2026004; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Remcos, updated_at 2018_08_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CozyDuke APT HTTP Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/"; depth:20; http_header; pcre:"/\.php\?$/U"; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:targeted-activity; sid:2020962; rev:3; metadata:created_at 2015_04_22, former_category TROJAN, updated_at 2018_12_03;)
+alert tcp any any -> $HOME_NET 27700 (msg:"ET SCADA SEIG Modbus 3.4 - Remote Code Execution"; flow:established,to_server; content:"|42 42 ff ff 07 03 44 00 64|"; fast_pattern; content:"|90 90 90 90 90 90 90 90 90 90|"; distance:0; reference:url,exploit-db.com/exploits/45220/; reference:cve,2013-0662; classtype:attempted-user; sid:2026005; rev:1; metadata:created_at 2018_08_21, former_category SCADA, updated_at 2018_08_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32.LoadMoney User Agent"; flow:established,to_server; content:"Downloader "; http_user_agent; fast_pattern:only; pcre:"/^User-Agent\x3a Downloader \d\.\d\r?$/Hm"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024260; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_27, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2017_04_27;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Rallovs.A CnC Beacon"; flow:established,to_server; dsize:>1000; content:"|00 00 00 00|2|00|0|00|"; fast_pattern; pcre:"/^[1-9]\x00\d/R"; content:"|00|-|00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00|-|00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 20 00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 3a 00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 3a 00|"; pcre:"/^\d\x00\d/R"; content:"|00 00|2|00|0|00|"; distance:0; content:"|00|-|00|"; distance:3; within:3; reference:md5,67a039a3139c6ef1bf42424acf658d01; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; classtype:command-and-control; sid:2021117; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_19, deployment Perimeter, former_category TROJAN, signature_severity Major, tag c2, updated_at 2018_08_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Red Leaves magic packet response detected (APT10 implant)"; flowbits:isset,ncc.apt10.beacon_send; flow:established,to_client; dsize:12; content:"|7a 8d 9b dc|"; offset:4; depth:4; threshold:type limit, track by_dst, count 1, seconds 600; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; reference:url,blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html; classtype:targeted-activity; sid:2024174; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family RedLeaves, malware_family Red_Leaves, performance_impact Low, signature_severity Major, tag APT, tag APT10, tag RedLeaves, updated_at 2017_04_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !139 (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 2"; flow:to_server,established; content:"|12 12|"; offset:2; depth:2; content:!"|12 12|"; within:2; content:"|12 12|"; distance:2; within:2; content:!"|12 12|"; within:2; content:"|12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12|"; pcre:"/[^\x12][^\x4e\x38\x39\x2f\x6e\x28\x29\x30\x2d\x2e\x2c\x3e\x31\x18][\x40-\x48\x4a-\x4d\x31-\x34\x3a-\x3c\x3f\x50-\x5f\x60-\x6c\x6f\x73-\x7f\x70\x71\x20-\x27\x2a\x2b]{1,14}\x12/R"; reference:md5,00ccc1f7741bb31b6022c6f319c921ee; classtype:command-and-control; sid:2019202; rev:4; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2014_09_22;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red Leaves magic packet detected (APT10 implant)"; flow:established,to_server; dsize:12; content:"|7a 8d 9b dc|"; offset:4; depth:4; flowbits:set,ncc.apt10.beacon_send; threshold:type limit, track by_src, count 1, seconds 600; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; reference:url,blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html; classtype:targeted-activity; sid:2024173; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family RedLeaves, malware_family Red_Leaves, performance_impact Low, signature_severity Major, tag APT10, tag RedLeaves, updated_at 2017_04_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Chalbhai Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function unhideBody()"; nocase; content:"onload=|22|unhideBody()|22|"; nocase; distance:0; content:".php|22 20|name=|22|chalbhai|22 20|id=|22|chalbhai|22 20|method=|22|post|22|"; nocase; fast_pattern; distance:0; classtype:social-engineering; sid:2026041; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FoxxySoftware - Landing Page"; flow:established,to_client; content:"eval(function(p,a,c,"; content:"|7C|zzz|7C|"; distance:0; classtype:trojan-activity; sid:2014934; rev:3; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2017_04_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic AES Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"var hea2p ="; nocase; content:"0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz"; nocase; distance:0; content:"var hea2t ="; nocase; distance:0; content:"Aes.Ctr.decrypt(hea2t, hea2p"; nocase; fast_pattern; distance:0; classtype:social-engineering; sid:2026043; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound"; flow:to_server; content:"|84 00 00|"; byte_test:1,<,9,0,relative; byte_jump:1,0,relative,post_offset -4; content:"|00 00 00|"; within:3; byte_test:1,<,8,0,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022506; rev:3; metadata:created_at 2016_02_12, former_category EXPLOIT, updated_at 2017_05_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Chalbhai Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function unhideBody()"; nocase; content:"onload=|22|unhideBody()|22|"; nocase; distance:0; content:"name=chalbhai id=chalbhai method=post"; nocase; fast_pattern; distance:0; classtype:social-engineering; sid:2026042; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound 2"; flow:to_server; content:"|84 20|"; depth:2; offset:16; byte_test:2,<,9,12,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022515; rev:2; metadata:created_at 2016_02_12, former_category EXPLOIT, updated_at 2017_05_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Hellion Postmaster Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<img src=|22|./hellion/postmaster.png|22|"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:"<img src=|22|./hellion/logos.png|22|"; nocase; distance:0; classtype:social-engineering; sid:2026044; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound 3"; flow:to_server; content:"|84 10|"; depth:2; offset:16; byte_test:2,<,9,12,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022516; rev:2; metadata:created_at 2016_02_12, former_category EXPLOIT, updated_at 2017_05_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Document Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<h3>DOCUMENT MANAGEMENT SYSTEM</h3>"; fast_pattern; nocase; content:"javascript:void(0)|3b 22|>Document</a> -> <a href=|22|javascript:void(0)|3b 22|>Important Files</a> -> Current File</div>"; nocase; distance:0; content:"<h3>File to Download</h3>"; content:"USER AUTHENTICATION</h4>"; nocase; distance:0; classtype:social-engineering; sid:2026045; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Google App Oauth Phish M1 Mar 3 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Chrome Alert</title>"; fast_pattern:7,20; nocase; content:"<script type=|22|text/javascript|22 20|src=|22|/alert.php?h="; nocase; distance:0; classtype:credential-theft; sid:2024266; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_03, deployment Perimeter, former_category PHISHING, tag Phishing, updated_at 2019_09_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multi-Email Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function popupwnd(url,"; nocase; fast_pattern; content:"var popupwindow = this.open(url,"; nocase; distance:0; content:"onclick=|22|popupwnd("; nocase; distance:0; content:"onclick=|22|popupwnd("; nocase; distance:0; content:"onclick=|22|popupwnd("; nocase; distance:0; classtype:social-engineering; sid:2026046; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Google App Oauth Phish M3 Mar 3 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/javascript"; http_header; content:"alert="; http_cookie; file_data; content:"navigator.languages"; nocase; content:"Your computer is infected"; nocase; distance:0; fast_pattern:5,20; content:"navegador contiene malware"; nocase; distance:0; content:"navigateur contient MALWARE"; nocase; distance:0; content:"&subid=alertyes"; nocase; distance:0; classtype:credential-theft; sid:2024268; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple AES Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"jQuery(function($)"; nocase; content:"$('.cc-number').payment('formatCardNumber"; nocase; distance:0; content:"$(|22|#ssn|22|).mask(|22|999-99-9999"; nocase; distance:0; content:"Aes.Ctr.decrypt(hea2t, hea2p"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2026049; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Google App Oauth Phish M4 Mar 3 2017"; flow:to_server,established; content:"GET"; http_method; content:"/tds.php?h="; depth:11; http_uri; fast_pattern; nocase; content:"&subid=alert"; nocase; distance:32; within:12; http_uri; content:"/r.php?h="; http_header; content:"|0d 0a|"; distance:32; within:2; http_header; classtype:credential-theft; sid:2024269; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Stripe Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Stripe: Login"; nocase; fast_pattern; content:"<form name=|22|appleConnectForm"; nocase; distance:0; content:"onsubmit=|22|if(do_submit(3)) return true|3b 20|"; nocase; distance:0; content:"id=|22|pass0|22|"; nocase; distance:0; classtype:social-engineering; sid:2026050; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Google App Oauth Phish M2 Mar 3 2017"; flow:to_server,established; content:"GET"; http_method; content:"/alert.php?h="; depth:13; http_uri; fast_pattern; nocase; content:"/r.php?h="; http_header; content:"|0d 0a|"; distance:32; within:2; http_header; classtype:credential-theft; sid:2024267; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe PDF Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function MM_validateForm() { //v"; nocase; content:"email address to view or download"; nocase; distance:0; content:"PDF is protected"; nocase; distance:0; content:"onclick=|22|MM_validateForm('password"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2026051; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET MALWARE SuperCMD CnC Beacon"; flow:established,to_server; content:"windows update "; depth:15; pcre:"/^[A-F0-9]+\x00/R"; reference:md5,816db8a1916201309d2a24b4a745305b; reference:url,blogs.rsa.com/supercmd-rat/; classtype:command-and-control; sid:2024273; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, tag c2, updated_at 2017_05_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Docs Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"url(Google_docs_files/"; nocase; fast_pattern; content:"href=|22|Google_docs_files/"; nocase; distance:0; content:"your email provider"; nocase; distance:0; content:"data-description=|22|Sign in with"; nocase; distance:0; classtype:social-engineering; sid:2026052; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M1"; flow:to_server,established; content:"Host|3a|"; http_header; nocase; content:"("; http_header; nocase; content:")"; http_header; pcre:"/^Host\x3a[^\r\n]+?[\x28\x29\x27\x22\x7b\x7d]/Hmi"; reference:url,exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html; classtype:web-application-attack; sid:2024277; rev:2; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2017_05_05, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2017_05_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING WeTransfer Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Encrypted Message"; nocase; fast_pattern; content:"<div id=|22|gmail|22|"; nocase; distance:0; content:"<div id=|22|yahoo|22|"; nocase; distance:0; content:"your email provider"; nocase; distance:0; classtype:social-engineering; sid:2026053; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Known Hostile Domain ant.trenz .pl Lookup"; content:"|03|ant|05|trenz|02|pl|00|"; nocase; classtype:trojan-activity; sid:2024281; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_08, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2017_05_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>|ce 92 d0 b0 6e 6b 20 d0 be 66 20 ce 91 6d d0 b5 72 d1 96 d1 81 d0 b0 20 7c 20 ce 9f 6e 6c d1 96 6e d0 b5 20 ce 92 d0 b0 6e 6b d1 96 6e 67 20 7c 20 d0 85 d1 96 67 6e 20 ce 99 6e 20 7c 20 ce 9f 6e 6c d1 96 6e d0 b5 20 ce 99 44|</title>"; classtype:social-engineering; sid:2026054; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 1"; flowbits:noalert; flow: to_client,established; file_data; content:"|3C|OBJECT"; nocase; content:"application/x-oleobject"; nocase; within:64; content:"codebase="; nocase; content:"hhctrl.ocx"; nocase; within:15; flowbits:set,winhlp32; reference:url,doc.emergingthreats.net/bin/view/Main/2001622; classtype:web-application-attack; sid:2001622; rev:16; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2017_05_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Bank of America"; nocase; content:"name=|22|generator|22 20|content=|22|WYSIWYG"; nocase; distance:0; content:"href=|22|css/Untitled"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2026055; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 2"; flow:to_client,established; flowbits:isset,winhlp32; file_data; content:"|3C|PARAM"; nocase; content:"value="; nocase; content:"command|3B|"; nocase; pcre:"/(javascript|http|ftp|vbscript)/iR"; reference:url,doc.emergingthreats.net/bin/view/Main/2001623; classtype:web-application-attack; sid:2001623; rev:15; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2017_05_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Mailbox Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Mail Verification"; nocase; fast_pattern; content:"<form method=|22|post|22 20|action=|22|x3d.php|22|>"; nocase; distance:0; classtype:social-engineering; sid:2026056; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 3"; flow:to_client, established; flowbits:isset,winhlp32; file_data; content:".HHClick|2829|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001624; classtype:web-application-attack; sid:2001624; rev:15; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2017_05_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Mailbox Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Mail Settings|20 7c 20|Email Upgrade"; nocase; fast_pattern; content:"<form method=|22|post|22 20|action=|22|post.php|22|>"; nocase; distance:0; classtype:social-engineering; sid:2026057; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Cridex Self Signed SSL Certificate (TR Some-State Internet Widgits)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|55 04 06 13 02|TR"; content:"|55 04 08 13 0a|Some-State"; distance:0; content:"|13 18|Internet Widgits Pty"; within:35; classtype:trojan-activity; sid:2015559; rev:5; metadata:attack_target Client_Endpoint, created_at 2012_08_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Dropbox|20 7c 20|Sign in"; nocase; fast_pattern; content:"name=|22|generator|22 20|content=|22|Web Page Maker"; nocase; distance:0; content:"<div id=|22|image1|22 20|style=|22|position:absolute|3b 20|overflow:hidden|3b 20|left:"; nocase; distance:0; classtype:social-engineering; sid:2026058; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 03 2016"; flow:established,to_server; content:"/wordpress/?"; http_uri; depth:12; pcre:"/^\/wordpress\/\?[A-Za-z0-9]{4}(?:&utm_source=le)?$/U"; classtype:exploit-kit; sid:2022859; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2017_05_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Linkedin Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Sign In|20 7c 20|LinkedIn"; nocase; content:"<form id=|22|form1|22 20|name=|22|form1|22 20|method=|22|post|22 20|action=|22|login.php|22|>"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2026059; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-#alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT Foofus.net Password dumping dll injection"; flow:to_server,established; content:"|6c 00 73 00 72 00 65 00 6d 00 6f 00 72 00 61|"; reference:url,xinn.org/Snort-fgdump.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008476; classtype:suspicious-filename-detect; sid:2008476; rev:4; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2017_05_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M1 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 22 32 6b 31 37 20 70 72 69 76 38 20 62 79 20 6b 40 6d 65 6c 32 70 20 24 22 20 2d 2d 3e|"; classtype:social-engineering; sid:2026061; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Avsystemcare.com Fake AV User-Agent (LocusSoftware NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| LocusSoftware, NetInstaller"; http_header; reference:url,doc.emergingthreats.net/2008150; classtype:pup-activity; sid:2008150; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_05_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M2 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 22 61 6d 61 7a 6f 6e 20 62 79 20 6b 40 6d 65 6c 32 70 20 24 22 20 2d 2d 3e|"; classtype:social-engineering; sid:2026062; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP Delphi Likely Precursor to Scan"; itype:8; icode:0; content:"Pinging from Delphi code written"; reference:url,www.koders.com/delphi/fid942A4EAF946B244BD3CD9BC83FEAAC35BA1F38AB.aspx; reference:url,doc.emergingthreats.net/2010681; classtype:misc-activity; sid:2010681; rev:3; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M3 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 22 69 74 75 6e 65 73 20 62 79 20 68 61 69 74 68 65 6d 20 62 61 74 20 24 22 20 2d 2d 3e|"; classtype:social-engineering; sid:2026063; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $HOME_NET 3306 -> $EXTERNAL_NET any (msg:"ET SCAN Multiple MySQL Login Failures Possible Brute Force Attempt"; flow:from_server,established; dsize:<251; byte_test:1,<,0xfb,0,little; content:"|ff 15 04 23 32 38 30 30 30|"; offset:4; threshold: type threshold, track by_src, count 5, seconds 120; reference:url,doc.emergingthreats.net/2010494; classtype:attempted-recon; sid:2010494; rev:4; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M4 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 73 63 61 6d 20 70 72 6f 20 62 79 20 74 68 75 67 2d 6e 65 74 2d 65 76 65 72 20 26 20 70 75 6e 69 73 68 65 72 2d 6f 75 6a 64 69|"; classtype:social-engineering; sid:2026064; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $HOME_NET any -> any 445 (msg:"ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001569; classtype:misc-activity; sid:2001569; rev:15; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M5 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 75 70 64 61 74 65 20 62 79 20 74 61 6b 72 69 7a 20 26 20 32 30 31 35 20 2d 2d 3e|"; classtype:social-engineering; sid:2026065; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $HOME_NET any -> any 139 (msg:"ET SCAN Behavioral Unusual Port 139 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001579; classtype:misc-activity; sid:2001579; rev:15; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M6 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 75 70 64 61 74 65 20 62 79 20 78 62 6f 6f 6d 62 65 72 20 26 20 78 68 61 74 20 2d 2d 3e|"; classtype:social-engineering; sid:2026066; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $HOME_NET any -> any 137 (msg:"ET SCAN Behavioral Unusual Port 137 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001580; classtype:misc-activity; sid:2001580; rev:15; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M7 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 2d 20 63 72 65 61 74 65 64 20 62 79 20 6c 65 67 7a 79 20 2d 2d 2d 20 69 63 71 20 3a 20 36 39 32 35 36 31 38 32 34 20 2d 2d 2d 2d 3e|"; classtype:social-engineering; sid:2026067; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $HOME_NET any -> any 135 (msg:"ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001581; classtype:misc-activity; sid:2001581; rev:15; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M8 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 6d 6f 64 65 64 20 62 79 20 61 6e 74 68 72 61 78 2d 2d 3e|"; classtype:social-engineering; sid:2026068; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $HOME_NET any -> any 1434 (msg:"ET SCAN Behavioral Unusual Port 1434 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 40 , seconds 60; reference:url,doc.emergingthreats.net/2001582; classtype:misc-activity; sid:2001582; rev:15; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M9 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 74 68 65 20 73 63 72 69 70 74 20 77 61 73 20 6f 72 69 67 69 6e 61 6c 79 20 63 6f 64 65 64 20 62 79 20 61 6c 69 62 6f 62 6f 20 33 36 30 2d 2d 3e|"; classtype:social-engineering; sid:2026069; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $HOME_NET any -> any 1433 (msg:"ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 40 , seconds 60; reference:url,doc.emergingthreats.net/2001583; classtype:misc-activity; sid:2001583; rev:16; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M10 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 74 68 65 20 73 63 72 69 70 74 20 77 61 73 20 6f 72 69 67 69 6e 61 6c 79 20 63 6f 64 65 64 20 62 79 20 6f 6c 64 6c 65 67 65 6e 64 20 33 36 30 2d 2d 3e|"; classtype:social-engineering; sid:2026070; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Inbound)"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; reference:url,doc.emergingthreats.net/2001972; classtype:network-scan; sid:2001972; rev:20; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING AT&T Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>AT&"; nocase; content:"href=|22|https://home.secureapp.att.net/"; nocase; distance:0; content:".php|22 20|method=|22|post|22 20|id=|22|LoginForm|22|"; nocase; distance:0; content:"|22|type=|22|com.sbc.idm.igate_edam.forms.LoginFormBean|22|"; nocase; distance:0; classtype:social-engineering; sid:2026060; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP @hello request Likely Precursor to Scan"; itype:8; icode:0; content:"@hello ???"; reference:url,doc.emergingthreats.net/2010641; classtype:misc-activity; sid:2010641; rev:3; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript invalidcheck escape attempt (SMTP)"; flow:to_server,established; file_data; content:"legal"; content:"restore"; distance:0; content:"currentdevice"; content:"putdeviceprops"; pcre:"/legal[^x7B]*\x7B[^\x7D]*restore/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026084; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2018_09_05;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Outbound)"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; reference:url,threatpost.com/en_us/blogs/new-worm-morto-using-rdp-infect-windows-pcs-082811; classtype:misc-activity; sid:2013479; rev:5; metadata:created_at 2011_08_29, former_category SCAN, updated_at 2017_05_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript invalidcheck escape attempt"; flow:to_client,established; file_data; content:"legal"; content:"restore"; distance:0; content:"currentdevice"; content:"putdeviceprops"; pcre:"/legal[^x7B]*\x7B[^\x7D]*restore/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026085; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
 
-alert icmp any any -> any any (msg:"ET MALWARE Philis.J ICMP Sweep (Payload Hello World)"; icode:0; itype:0; dsize:11; content:"Hello,World"; reference:url,vil.nai.com/vil/content/v_141203.htm; reference:url,doc.emergingthreats.net/2008017; classtype:trojan-activity; sid:2008017; rev:4; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_05_11;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript illegal read undefinedfilename attempt (SMTP)"; flow:to_server,established; file_data; content:"undefinedfilename"; fast_pattern; content:"errordict"; content:"invalidfileaccess"; content:"typecheck"; pcre:"/errordict\s+\x2Finvalidfileaccess/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026086; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET MALWARE MS Terminal Server Single Character Login possible Morto inbound"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash="; content:"|0d 0a|"; distance:1; within:2; nocase; pcre:"/Cookie\x3a mstshash=[a-zA-Z]\r\n/"; flowbits:set,ET.RDP.Morto; reference:cve,CAN-2001-0540; classtype:trojan-activity; sid:2021630; rev:2; metadata:created_at 2015_08_14, former_category TROJAN, updated_at 2017_05_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript illegal read undefinedfilename attempt"; flow:to_client,established; file_data; content:"undefinedfilename"; fast_pattern; content:"errordict"; content:"invalidfileaccess"; content:"typecheck"; pcre:"/errordict\s+\x2Finvalidfileaccess/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026087; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded Adobe Shockwave Flash Possibly Related to Remote Code Execution Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:".swf"; fast_pattern; nocase; distance:0; flowbits:set,ET.flash.pdf; flowbits:noalert; reference:url,feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/; reference:cve,2010-1297; reference:cve,2010-2201; classtype:bad-unknown; sid:2011499; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_05_11;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript illegal delete bindnow attempt (SMTP)"; flow:to_server,established; file_data; content:"unlink("; fast_pattern; content:"|2E|bindnow"; content:"stopped"; distance:0; pcre:"/\x2Ebindnow[^\x7D]*\x7D\s*stopped/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026088; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded Flash Possible Remote Code Execution Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"/SubType"; distance:0; content:"flash"; nocase; within:100; reference:url,feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/; reference:cve,2010-1297; classtype:bad-unknown; sid:2011505; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_05_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript illegal delete bindnow attempt"; flow:to_client,established; file_data; content:"unlink("; fast_pattern; content:"|2E|bindnow"; content:"stopped"; distance:0; pcre:"/\x2Ebindnow[^\x7D]+\x7D\s*stopped/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026089; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 CMS backdoor access admin-access cookie and HTTP POST"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"|0d 0a|Cookie\: "; nocase; content:"admin-access="; content:"e107language_"; pcre:"/Cookie: .*admin-access=/i"; reference:url,seclists.org/fulldisclosure/2010/Jan/480; reference:url,www.e107.org/news.php; reference:url,doc.emergingthreats.net/2010719; classtype:attempted-admin; sid:2010719; rev:3; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2017_05_11;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript setpattern type confusion attempt (SMTP)"; flow:to_server,established; file_data; content:"16#"; content:"setpattern"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026090; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE MSIL/May Ransomware SSL Cert Observed"; flow:established,from_server; content:"|55 04 03|"; content:"|13|mayofware.solutions"; distance:1; within:20; reference:md5,9bee9fbe8c87f491ed31e94bb0c2e06f; classtype:trojan-activity; sid:2024304; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family May, signature_severity Major, tag Ransomware, updated_at 2017_05_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript setpattern type confusion attempt"; flow:to_client,established; file_data; content:"16#"; content:"setpattern"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026091; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
 
-alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-01 - Unauthed RCE via bprd"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; pcre:"/^.*?[\x24\x60]/R"; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024308; rev:1; metadata:attack_target Server, created_at 2017_05_17, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_05_17;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript LockDistillerParams type confusion attempt (SMTP)"; flow:to_server,established; file_data; content:"LockDistillerParams"; content:"16#"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026092; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
 
-alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-02 - Possible Unauthed RCE via nbbsdtar"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; content:"/bin/"; distance:0; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024309; rev:1; metadata:attack_target Server, created_at 2017_05_17, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_05_17;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript LockDistillerParams type confusion attempt"; flow:to_client,established; file_data; content:"LockDistillerParams"; content:"16#"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026093; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
 
-alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-04 - Possible Unauthed RCE via whitelist bypass"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; content:"BPCD_WHITELIST_PATH"; distance:0; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024310; rev:1; metadata:attack_target Server, created_at 2017_05_17, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_05_17;)
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Mikrotik Winbox RCE Attempt (CVE-2018-14847)"; flow:established,to_server; content:"|680100664d320500ff010600ff09050700ff090701000021352f2f2f2f2f2e2f2e2e2f2f2f2f2f2f2e2f2e2e2f2f2f2f2f2f2e2f2e2e2f666c6173682f72772f73746f72652f757365722e6461740200ff88020000000000080000000100ff8802000200000002000000|"; offset:0; reference:url,github.com/mrmtwoj/0day-mikrotik; reference:url,www.helpnetsecurity.com/2018/08/03/mikrotik-cryptojacking-campaign; reference:cve,2018-14847; classtype:attempted-admin; sid:2025972; rev:3; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2018_08_06, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2018_09_11;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Agent Tesla Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| "; nocase; content:"|5b|Agent Tesla"; fast_pattern; nocase; classtype:trojan-activity; sid:2022006; rev:3; metadata:created_at 2015_10_28, former_category TROJAN, updated_at 2017_05_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Possible Ursnif/Gamaredon Related VNC Module CnC Beacon"; flow:established,to_server; dsize:12; content:"RFB 003.008|0a|"; depth:12; reference:md5,27741793672d8b69803f3d2434743731; reference:md5,076fd584d2fcdf5110f41bcbbd9f2c62; reference:md5,49749ee8fb2a2dab83494ab0e6cf5e7b; classtype:command-and-control; sid:2035893; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, malware_family ursnif, malware_family PowerSniff, malware_family Punchbuggy_VNC_Module, malware_family Gamaredon, signature_severity Major, tag c2, updated_at 2018_09_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024299; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family wannacry, signature_severity Major, tag Ransomware, updated_at 2017_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)"; flow:established,to_server; dsize:<500; content:"|00 6c 6c|"; depth:6; fast_pattern; pcre:"/^[0-9]{2,3}\x00\x6c\x6c(?P<var>[\x20-\x2f\x30-\x39\x3a-\x40\x41-\x5a\x5b-\x60\x7b-\x7e][\x20-\x7e]+?[\x20-\x2f\x30-\x39\x3a-\x40\x41-\x5a\x5b-\x60\x7b-\x7e])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?P=var)[^\r\n]+(?P=var)$/i"; flowbits:set,ETPRO.njratgeneric; reference:md5,d68eaf3b43ba1d26b9067489bbf7ee44; classtype:command-and-control; sid:2033132; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_22, deployment Perimeter, former_category MALWARE, malware_family Bladabindi, malware_family njrat, performance_impact Moderate, signature_severity Major, updated_at 2017_03_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024301; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family wannacry, signature_severity Major, tag Ransomware, updated_at 2017_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Pass 20-09-2018 1"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"String|20|PASS|20|=|20 22|09a0aa1091460d23e5a68550826b359b|22|"; distance:0; fast_pattern; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026337; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_09_20, deployment Datacenter, former_category WEB_SERVER, malware_family SJavaWebManage, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2018_09_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024302; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family wannacry, signature_severity Major, tag Ransomware, updated_at 2017_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Pass 20-09-2018 2"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"String|20|PASS|20|=|20 22|098f6bcd4621d373cade4e832627b4f6|22|"; distance:0; fast_pattern; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026338; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_09_20, deployment Datacenter, former_category WEB_SERVER, malware_family SJavaWebManage, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2018_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Samsung Galaxy Knox Android Browser RCE smdm attempt"; flow:to_client,established; file_data; content:"smdm|3a|//"; nocase; distance:0; reference:url,blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html; reference:url,cxsecurity.com/issue/WLB-2014110124; classtype:web-application-activity; sid:2019750; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_19, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_05_24;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Access"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"|22|os.name|22|"; distance:0; content:"|22|/bin/sh|22|"; distance:0; content:"getRuntime|28 29|.exec|28|"; fast_pattern; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026336; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_09_20, deployment Datacenter, former_category WEB_SERVER, malware_family SJavaWebManage, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2018_09_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Scotiabank Phish M2 May 24 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?Step=Account"; nocase; http_uri; content:"mmn="; depth:4; nocase; http_client_body; content:"&seccode="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024327; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_05_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic MRxJoker Phishing Landing 2018-09-27"; flow:established,to_client; file_data; content:"content=|22|@importmrxjokercss|22|"; nocase; fast_pattern; content:"name=|22|mrxjokercard|22|"; nocase; distance:0; classtype:social-engineering; sid:2026419; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2018_09_27;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (.so file write to share) (CVE-2017-7494)"; flow:to_server,established; content:"SMB|2d 00|"; offset:5; depth:5; content:"|00 00|"; distance:1; within:2; content:"|12 00|"; distance:40; within:2; content:"|2e|so|00|"; fast_pattern; distance:16; reference:cve,2017-7494; reference:url,github.com/rapid7/metasploit-framework/pull/8450; classtype:attempted-admin; sid:2024335; rev:1; metadata:attack_target SMB_Server, created_at 2017_05_25, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2017_05_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE VBScript Redirect Style Exe File Download"; flow:to_client,established; flowbits:isset,ET.Locky; file_data; content:"MZ"; depth:2; fast_pattern; content:"This program"; within:100; classtype:trojan-activity; sid:2026434; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category MALWARE, malware_family Locky, malware_family Emotet, signature_severity Major, updated_at 2018_10_04;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (NT Create AndX .so) (CVE-2017-7494)"; flow:to_server,established; content:"SMB|a2 00|"; offset:5; depth:5; content:"|00 00|"; distance:1; within:2; content:"|2e|so|00|"; fast_pattern; distance:16; reference:cve,2017-7494; reference:url,github.com/rapid7/metasploit-framework/pull/8450; classtype:attempted-admin; sid:2024336; rev:1; metadata:attack_target SMB_Server, created_at 2017_05_25, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2017_05_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC XAgent Beacon"; flow:established,to_server; content:"HTTP/1.1|0d 0a|Accept|3a|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*"; content:!"Host|3a| yandex.ru"; pcre:"/^(?:GET|POST)\/(?:watch|search|find|results|open|search|close)\/\?(?:text=|from=|aq=|ai=|ags=|oe=|btnG=|oprnd=|utm=|channel=|itwm=)/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026437; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_10_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible $MFT NTFS Device Access in HTTP Response"; flow:from_server,established; content:"file://"; content:"/$MFT/"; distance:0; fast_pattern; content:"src"; pcre:"/^\s*=\s*[^>]*file\x3a[^>]*\/\x24MFT\//Ris"; reference:url,www.securitytracker.com/id/1038575; classtype:trojan-activity; sid:2024337; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_30, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_05_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC XAgent itwm beacon v1"; flow:established,to_server; content:"/?itwm"; fast_pattern; pcre:"/itwm=[A-Za-z0-9\-\_]{29,35}/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026438; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_10_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible CryptXXX Ransomware Renaming Encrypted File SMB v2"; flow:to_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|11 00|"; distance:8; within:2; content:"|00|.|00|c|00|r|00|y|00|p|00|t|00|"; nocase; distance:0; fast_pattern; pcre:"/^[^A-Za-z0-9]/R"; classtype:trojan-activity; sid:2022840; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_05_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC XAgent itwm beacon v2"; flow:established,to_server; content:"&itwm"; fast_pattern; pcre:"/&itwm=[A-Za-z0-9\-\_]{29,35}/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026439; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_10_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing URI T1 Jun 02 2017"; flow:established,to_server; content:"/e71cac9dd645d92189c49e2b30ec627a/dcb4c6c6149b2208fbcf7c9d8c59548e"; http_uri; classtype:exploit-kit; sid:2024343; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_06_02;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC APT28 - Web/request -FILE- contenttype"; flow:established,from_client; content:"-FILE-"; pcre:"/[A-Z0-9\-]{16}-FILE-[^\r\n]+.tmp/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026441; rev:2; metadata:created_at 2018_10_04, former_category MALWARE, updated_at 2018_10_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing T1 Jun 02 2017 M1"; flow:established,from_server; file_data; content:"|3c 70 61 72 61 6d 20 6e 61 6d 65 3d 46 6c 61 73 68 56 61 72 73 20 76 61 6c 75 65 3d 22 69 64 64 71 64 3d 27|"; classtype:exploit-kit; sid:2024346; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_06_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAR Containing Executable Downloaded"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".exe"; fast_pattern; nocase; classtype:trojan-activity; sid:2016379; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_02_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2018_10_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing T1 Jun 02 2017 M2"; flow:established,from_server; file_data; content:"|25 37 37 25 37 33 25 36 33 25 37 32 25 36 39 25 37 30 25 37 34 25 32 45 25 36 35 25 37 38 25 36 35|"; content:"|2e 53 74 61 72 74 52 65 6d 6f 74 65 44 65 73 6b 74 6f 70|"; classtype:exploit-kit; sid:2024347; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_06_02;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN StarDotStar HELO, suspected AUTH LOGIN botnet"; flow:established,to_server; content:"HELO|20 2a 2e 2a 0d 0a|"; depth:11; classtype:bad-unknown; sid:2026463; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2018_10_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,2525,587] (msg:"ET MALWARE Executioner Ransomware Reporting Infection via SMTP"; flow:established,to_server; dsize:<40; content:"DECRYPT CODE|20 3a 20 20 20 20 20 20 20|"; fast_pattern; depth:21; reference:md5,eec4f84d12139add6d6ebf3b8c72fff7; classtype:trojan-activity; sid:2024351; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_06, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Executioner, signature_severity Major, tag Ransomware, updated_at 2017_06_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Edge Remote Command Execution PoC (CVE-2018-8495)"; flow:established,to_client; file_data; content:"wshfile:"; content:"../../"; within:100; content:"SyncAppvPublishingServer.vbs"; within:200; nocase; fast_pattern; content:"window.onkeydown=e=>"; nocase; distance:0; content:"window.onkeydown=z="; nocase; distance:0; content:"click()"; nocase; distance:0; reference:url,leucosite.com/Microsoft-Edge-RCE/; reference:cve,2018-8495; classtype:attempted-user; sid:2026488; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2018_10_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M1 B641"; flow:established,from_server; file_data; content:"|4a694270626e525562314e30636968685a4752794b|"; classtype:exploit-kit; sid:2024353; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 69"; flow:established,to_server; content:"|e3 34 a1 ef b4 32 58 d0 f0 3d 66|"; depth:11; reference:md5,f9dbf2c028d3ad58328c190a6adb3301; classtype:command-and-control; sid:2026509; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M1 B642"; flow:established,from_server; file_data; content:"|596761573530564739546448496f5957526b6369|"; classtype:exploit-kit; sid:2024354; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 70"; flow:established,to_server; content:"|35 cd 13 07 49 3a 45 81 02 35 bb|"; depth:11; reference:md5,8e99866b89e9349c21b34e6575f2412f; classtype:command-and-control; sid:2026510; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M1 B643"; flow:established,from_server; file_data; content:"|6d49476c7564465276553352794b47466b5a484970|"; classtype:exploit-kit; sid:2024355; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 71"; flow:established,to_server; content:"|38 b6 1d 2b 3b 5c 11 b4 d8 75 2c|"; depth:11; reference:md5,24bf188785e18db8fcb7dfa50363b3f5; classtype:command-and-control; sid:2026511; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M2 B641"; flow:established,from_server; file_data; content:"|496d784a62477873496a6f69646d6c7964485668624842796233526c5933|"; classtype:exploit-kit; sid:2024356; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 72"; flow:established,to_server; content:"|eb e7 a2 ec 6e 3e cc a8 34 b5 91|"; depth:11; reference:md5,98a010ad867f4c36730cc6a87c94528c; classtype:command-and-control; sid:2026512; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M2 B642"; flow:established,from_server; file_data; content:"|4a735357787362434936496e5a70636e523159577877636d39305a574e30|"; classtype:exploit-kit; sid:2024357; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 73"; flow:established,to_server; content:"|2e 11 6e fe 1c 00 92 21 3c ce 31|"; depth:11; reference:md5,9e31ee4bb378d3cf6f80f9f30e9f810f; classtype:command-and-control; sid:2026513; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M2 B643"; flow:established,from_server; file_data; content:"|6962456c73624777694f694a3261584a306457467363484a766447566a64|"; classtype:exploit-kit; sid:2024358; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
+#alert tcp any any <> any any (msg:"ET MALWARE NCSC APT28 - CompuTrace_Beacon_UserAgent"; flow:established; content:"|0d0a|TagId|3a|"; fast_pattern; content: "POST / "; content:!"namequery.com"; content:!"Host: 209.53.113."; content:!"dnssearch.org"; content:!"Cookie:"; content:!"fnbcorporate.co.za"; content:!"207.6.98."; pcre:"/Mozilla\/[0-9]{1,2}.[0-9]{1,2}\(compatible\; MSIE [0-9]{1,2}.[0-9]{1,2}\;\)\x0d\x0a/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026440; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_10_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M3 B641"; flow:established,from_server; file_data; content:"|593268796479677a4d6a63324e79|"; pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/"; classtype:exploit-kit; sid:2024359; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/BlackCarat Response from CnC"; flow:established,from_server; dsize:13; content:"|72 50 bf 9e|"; offset:9; depth:4; fast_pattern; reference:md5,514AB639CD556CEBD78107B4A68A202A; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2018/AncelKuprins-VB2018-WolfSheep.pdf; classtype:command-and-control; sid:2026524; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category MALWARE, malware_family CaratRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M3 B642"; flow:established,from_server; file_data; content:"|6a61484a334b444d794e7a59334b|"; pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/"; classtype:exploit-kit; sid:2024360; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
+alert tcp $EXTERNAL_NET $SSH_PORTS -> any any (msg:"ET POLICY Potentially Vulnerable LibSSH Server Observed - Possible Authentication Bypass (CVE-2018-10933)"; flow:from_server,established; content:"SSH-2.0-libssh-0."; depth:17; pcre:"/^[67]\.[01235]/R"; reference:url,www.libssh.org/security/advisories/CVE-2018-10933.txt; reference:url,github.com/blacknbunny/libSSH-Authentication-Bypass; reference:cve,2018-10933; classtype:bad-unknown; sid:2026526; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_19, deployment Perimeter, former_category POLICY, signature_severity Major, tag CVE_2018_10933, updated_at 2018_10_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M4 B641"; flow:established,from_server; file_data; content:"|657949784e7a51784e6949364e4441344d44597a4e6977694d5463304f5459694f6a51774f4441324d7a5973496a45334e6a4d78496a6f304d4467304e7a51344c4349784e7a59304d43|"; classtype:exploit-kit; sid:2024362; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT IE Double Free (CVE-2018-8460)"; flow:to_client,established; file_data; content:"<script"; nocase; content:"CreateElement"; nocase; content:"cssText"; nocase; content:"DOMAttrModified"; fast_pattern; nocase; content:"addEventListener"; nocase; pcre:"/(?P<obj>[^\s]{1,25})\s*=\s*document\s*\.\s*createElement.*?(?P<func>[^\s]{1,25})\s*=\s*function\s*\x28\s*e\s*\x29\s*{[^}]*this\s*\.\s*style\s*\.\s*cssText.*?(?P=obj)\s*\.\s*addEventListener\s*\x28\s*[\x22\x27]\s*DOMAttrModified\s*[\x22\x27]\s*\x2c\s*(?P=func)/si"; reference:cve,2018-8460; classtype:attempted-user; sid:2026531; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category WEB_CLIENT, updated_at 2018_10_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M4 B642"; flow:established,from_server; file_data; content:"|73694d5463304d5459694f6a51774f4441324d7a5973496a45334e446b32496a6f304d4467774e6a4d324c4349784e7a597a4d5349364e4441344e4463304f4377694d5463324e444169|"; classtype:exploit-kit; sid:2024363; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
+alert icmp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible CVE-2018-4407 - Apple ICMP DoS PoC"; itype:12; icode:0; content:"AAAAAAAA"; fast_pattern; reference:url,lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407; reference:url,twitter.com/ihackbanme/status/1057811965945376768; classtype:attempted-user; sid:2026567; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_11_01, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2018_11_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful GoogleFile Phish"; flow:established,to_server; content:"g2-choseyouremailprovider="; http_client_body; content:"g2-password="; http_client_body; classtype:credential-theft; sid:2020803; rev:3; metadata:created_at 2015_03_30, former_category PHISHING, updated_at 2019_09_06;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Sept 8 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|0b 30 09 06 03 55 04 06 13 02 55 53|"; distance:0; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; byte_extract:1,1,olength,relative; content:!"|2e|"; within:olength; content:!"|20|"; within:olength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:!"support@"; distance:0; pcre:"/^.{2}[A-Za-z][a-z]*?@[a-z]+\.com0/R"; content:".com0"; fast_pattern:only; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021749; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2018_11_01;)
 
-alert icmp any any -> any any (msg:"ET MALWARE OpenSSH in ICMP Payload - Possible Covert Channel"; itype:8; icode:0; content:"openssh"; nocase; classtype:trojan-activity; sid:2024366; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_06_08, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2017_06_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Perl/Shellbot.SM IRC CnC Checkin"; flow:established,to_server; content:"JOIN"; depth:4; content:"Procesor - model name"; distance:0; content:"Numar Procesoare"; distance:0; fast_pattern; content:"|3a|uid="; distance:0; content:"gid="; distance:0; content:"groups="; distance:0; reference:md5,ca42fda581175fd85ba7dab8243204e4; classtype:command-and-control; sid:2026579; rev:1; metadata:attack_target Client_and_Server, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, malware_family Shellbot_SM, performance_impact Low, signature_severity Major, tag Perl, updated_at 2018_11_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful BBVA Phish Jun 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"cuenta="; depth:7; nocase; http_client_body; fast_pattern; content:"&cuenta="; nocase; distance:0; http_client_body; content:"&nvoWizard="; nocase; distance:0; http_client_body; content:"&domain="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024372; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT Sending Screenshot"; flow:established,to_server; dsize:>1000; content:"sc.cap_sep_"; depth:11; nocase; fast_pattern; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026585; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, malware_family JavaRAT, performance_impact Moderate, signature_severity Major, updated_at 2018_11_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible iTunes Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>iTunes Connect</TITLE>"; classtype:social-engineering; sid:2018303; rev:4; metadata:created_at 2014_03_21, former_category CURRENT_EVENTS, updated_at 2017_06_16;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mylobot Receiving XOR Encrypted Config (0xde)"; flow:established,from_server; content:"|00 00 00 00|"; depth:4; content:"|b6 aa aa ae e4 f1 f1|"; distance:1; within:7; fast_pattern; content:"|de 00 00 00 00|"; distance:0; reference:url,www.netformation.com/our-pov/mylobot-continues-global-infections/; classtype:trojan-activity; sid:2026613; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_11_15, deployment Perimeter, former_category TROJAN, malware_family Mylobot, performance_impact Low, signature_severity Major, updated_at 2018_11_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Dropbox - Sign in</title>"; classtype:social-engineering; sid:2020332; rev:3; metadata:created_at 2015_01_30, former_category CURRENT_EVENTS, updated_at 2017_06_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Xbalti Phishing Landing 2018-11-26"; flow:established,from_server; file_data; content:"|2d 2d 7e 28 20 20 5c 20 7e 29 29 29 29 29 29 29 29 29 29 29 29 0d 0a 20 20 20 20 2f 20 20 20 20 20 5c 20 20 60 5c 2d 28 28 28 28 28 28 28 28 28|"; within:400; content:"|5c 20 20 5c 20 42 59 20 58 42 41 4c 54 49 20 2f|"; fast_pattern; classtype:social-engineering; sid:2026650; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_11_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Alibaba Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Alibaba&nbsp|3b|Manufacturer&nbsp|3b|Directory"; nocase; classtype:social-engineering; sid:2024389; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-10"; flow:established,to_server; content:"POST"; http_method; content:"id1="; depth:4; nocase; http_client_body; content:"|25|40"; distance:0; http_client_body; content:"&id2="; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:credential-theft; sid:2026465; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_11_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Free Mobile Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Free Mobile - Bienvenue dans votre Espace"; nocase; classtype:social-engineering; sid:2024393; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-08-27"; flow:established,to_server; content:"POST"; http_method; content:"id1="; depth:4; nocase; http_client_body; content:"|25|40"; distance:0; http_client_body; content:"&id2="; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:credential-theft; sid:2026038; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_11_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible AOL Mail Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>AOL Mail|3a 20|Simple, Free, Fun</title>"; nocase; classtype:social-engineering; sid:2024394; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
+#alert udp $HOME_NET 137 -> $EXTERNAL_NET 137 (msg:"ET POLICY NetBIOS nbtstat Type Query Outbound"; content:"|20 43 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 00 01|"; threshold:type limit, track by_src, count 1, seconds 10; classtype:unknown; sid:2013490; rev:4; metadata:created_at 2011_08_30, former_category POLICY, updated_at 2018_11_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible OWA Mail Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Outlook Web Access</title>"; nocase; classtype:social-engineering; sid:2024395; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
+#alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"ET POLICY NetBIOS nbtstat Type Query Inbound"; content:"|20 43 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 00 01|"; threshold:type limit, track by_src, count 1, seconds 10; classtype:unknown; sid:2013491; rev:4; metadata:created_at 2011_08_30, former_category POLICY, updated_at 2018_11_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible OWA Mail Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Outlook Web App</title>"; nocase; classtype:social-engineering; sid:2024396; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Delphi APT28 Zebrocy/Zekapab Reporting to CnC"; flow:established,to_server; content:"POST"; http_method; content:".php?res="; http_uri; content:"data="; http_client_body; depth:5; content:"%0D%0AHost%20Name|3a|%20%20%20"; http_client_body; distance:0; content:"%0D%0AOS%20Name|3a|%20%20%20"; http_client_body; distance:0; content:"%0D%0ARegistered%20Owner|3a|%20%20%20"; http_client_body; distance:0; fast_pattern; content:"%0D%0AOriginal%20Install%20Date|3a|%20%20%20"; http_client_body; distance:0; http_protocol; content:"HTTP/1.0"; http_header_names; content:!"Referer"; reference:url,www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf; classtype:targeted-activity; sid:2026682; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_30, deployment Perimeter, former_category TROJAN, malware_family Zebrocy, malware_family Zekapab, performance_impact Low, signature_severity Major, tag APT28, updated_at 2018_11_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Facebook Help Center Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Facebook Help Center</title>"; nocase; classtype:social-engineering; sid:2024397; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CozyDuke APT HTTP Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/"; depth:20; http_header; pcre:"/\.php\?$/U"; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:targeted-activity; sid:2020962; rev:4; metadata:created_at 2015_04_22, former_category TROJAN, updated_at 2018_12_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Adobe PDF Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Adobe PDF</title>"; nocase; classtype:social-engineering; sid:2024399; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Certificate with Unknown Content M2"; flow:established,to_client; file_data; content:"-----BEGIN CERTIFICATE-----|0A|"; depth:28; fast_pattern; byte_test:1,!=,0x4D,0,relative; reference:url,blog.nviso.be/2018/07/31/powershell-inside-a-certificate-part-1/; classtype:misc-activity; sid:2026684; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_04, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Informational, updated_at 2018_12_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible DHL Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>DHL |7c| Tracking</TITLE>"; nocase; classtype:social-engineering; sid:2024400; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Certificate with Unknown Content M1"; flow:established,to_client; file_data; content:"-----BEGIN CERTIFICATE-----|0D 0A|"; depth:29; fast_pattern; byte_test:1,!=,0x4D,0,relative; reference:url,blog.nviso.be/2018/07/31/powershell-inside-a-certificate-part-1/; classtype:misc-activity; sid:2026649; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_26, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Major, updated_at 2018_11_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Adobe ID Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>Sign In - Adobe ID</TITLE>"; nocase; classtype:social-engineering; sid:2024401; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] WeChat (Ransomware/Stealer) Config"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"md5"; depth:3; fast_pattern; content:"nnnn"; distance:12; within:4; content:"z"; distance:28; within:1; content:"z"; distance:32; within:1; content:"z"; distance:35; within:1; reference:url,thehackernews.com/2018/12/china-ransomware-wechat.html; classtype:trojan-activity; sid:2026687; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Stealer, signature_severity Major, tag Ransomware, updated_at 2018_12_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BeEF Module in use"; flow:established,from_server; file_data; content:"beef.websocket.send"; pcre:"/^\s*?\(/Rs"; content:"beef.encode.base64.encode"; pcre:"/^\s*?\(/Rs"; classtype:attempted-user; sid:2024415; rev:2; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Major, updated_at 2017_06_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 27 (msg:"ET MALWARE ELF/Samba CnC Checkin"; flow:established,to_server; dsize:8; content:"|11 10 10 01 22 32 21 52|"; fast_pattern; reference:url,www.guardicore.com/2018/11/butter-brute-force-ssh-attack-tool-evolution; classtype:command-and-control; sid:2026717; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_12_10, deployment Perimeter, former_category MALWARE, malware_family Samba, performance_impact Low, signature_severity Major, updated_at 2018_12_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2017-0199 Common Obfus Stage 2 DL"; flow:established,from_server; file_data; content:"|7b 5c 72 74|"; within:4; content:!"|66|"; within:1; content:"|5C 6F 62 6A 61 75 74 6C 69 6E 6B|"; nocase; distance:0; reference:md5,8168b2305289ecc778216405d1fd7984; reference:cve,2017-0199; classtype:trojan-activity; sid:2024413; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_06_19;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RedControle Probing Infected System"; flow:established,to_server; dsize:14; content:"SE_ND_CO_NN_EC"; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/poking-the-bear-three-year-campaign-targets-russian-critical-infrastructure.html; reference:md5,855b937f668ecd90b8be004fd3c24717; classtype:trojan-activity; sid:2026723; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category TROJAN, malware_family RedControle, performance_impact Low, signature_severity Major, updated_at 2018_12_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DragonOK KHRAT Downloader Receiving Payload"; flow:established,from_server; file_data; content:".DAT,K1|22 0d 0a|fso"; reference:md5,404518f469a0ca85017136b6b5166ae3; classtype:trojan-activity; sid:2024418; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_20, deployment Perimeter, former_category TROJAN, malware_family DragonOK, malware_family KHRAT, performance_impact Low, signature_severity Major, tag Targeted, tag APT, tag CNAPT, updated_at 2017_06_20;)
+alert smb $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE Shamoon v3 64bit Propagating Internally via SMB"; flow:to_server,established; content:"|00 00 00 00 00 00|"; content:"MZ"; distance:2; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|48 FF C5 42 0F B6|"; distance:0; fast_pattern; content:"|32 45|"; distance:2; within:2; content:"|41 88 41 FF|"; distance:1; within:4; reference:url,www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/new-version-of-disk-wiping-shamoon-disttrack-spotted-what-you-need-to-know; classtype:trojan-activity; sid:2026733; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Server, created_at 2018_12_14, deployment Perimeter, former_category TROJAN, malware_family Shamoon, performance_impact Low, signature_severity Major, tag SMB, tag Worm, tag Wiper, updated_at 2018_12_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE x0Proto File Contents Exfil Request"; flow:established,from_server; dsize:9; content:"DLOAD|0c|1|0c|1"; depth:9; reference:md5,3d5a4b51ff4ad8534873e02720aeff34; classtype:trojan-activity; sid:2024423; rev:1; metadata:created_at 2017_06_23, updated_at 2017_06_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AveMaria Initial CnC Checkin"; flow:established,to_server; dsize:12; content:"|29 bb 66 e4 00 00 00 00 00 00 00 00|"; fast_pattern; reference:url,app.any.run/tasks/67362469-76df-4b19-bfda-5d95a2b4d179; classtype:command-and-control; sid:2026736; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_15, deployment Perimeter, former_category MALWARE, malware_family AveMaria, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2018_12_15;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE x0Proto File Info Request"; flow:established,from_server; dsize:8; content:"REQF|0c|1|0c|1"; depth:8; reference:md5,3d5a4b51ff4ad8534873e02720aeff34; classtype:trojan-activity; sid:2024424; rev:1; metadata:created_at 2017_06_23, updated_at 2017_06_23;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.Orion Stealer Exfil via FTP"; flow:established,to_server; content:"STOR PC|3a 20|"; depth:9; content:"/Orion Logger - System Details|3a 20|"; distance:0; fast_pattern; reference:md5,007c4edc6e1ca963a9b2e05e136142f2; classtype:trojan-activity; sid:2026741; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_21, former_category TROJAN, updated_at 2018_12_21;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/OceanLotus / ELF/RotaJakario CnC Checkin"; flow:established,to_server; content:"|41 61 54 03|"; offset:1; depth:4; fast_pattern; content:"|63 63 63 63 63 63 63 63|"; distance:0; reference:url,researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/; reference:url,blog.netlab.360.com/stealth_rotajakiro_backdoor_en; classtype:targeted-activity; sid:2024425; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_06_26, deployment Perimeter, former_category MALWARE, malware_family OceanLotus, performance_impact Low, tag Targeted, tag APT, tag OceanLotus, tag OSX, updated_at 2017_06_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Redirect 2019-01-02"; flow:from_server,established; file_data; content:"<!--"; depth:4; content:"window.top.location='account/?view=login&appIdKey="; nocase; within:150; isdataat:!50,relative; classtype:social-engineering; sid:2026748; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_01_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2019_01_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Watering Hole Redirect Inject Jun 28 2017"; flow:established,from_server; file_data; content:"REMOTE_URL"; content:"C_TIMEOUT"; distance:0; content:"apply_payload"; distance:0; fast_pattern; content:"execute_request"; distance:0; classtype:trojan-activity; sid:2024431; rev:2; metadata:created_at 2017_06_28, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_06_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET COINMINER Random Hash Pascalcoin Miner Checkin"; flow:established,to_server; content:"{|22|params|22|:[|22|rhminer/"; depth:20; classtype:coin-mining; sid:2026750; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_02, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2019_01_02;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (HiddenTear Variant CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|wwecuador.com"; distance:1; within:14; reference:md5,02c1da1c668ac71995f56c2c198d7d73; classtype:domain-c2; sid:2024433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_06_28, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Hidden_Tear, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_06_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TitanFox Loader CnC Checkin"; flow:established,to_server; dsize:<100; content:"|00 01 00 01 02 02 2b 6e 65 74 2e 74 63 70 3a 2f 2f|"; depth:30; fast_pattern; reference:url,app.any.run/tasks/421691f8-bb33-4be3-abcb-6ee36e772856; classtype:command-and-control; sid:2026759; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_04, deployment Perimeter, former_category MALWARE, malware_family TitanFox, performance_impact Low, signature_severity Major, tag Loader, updated_at 2019_01_04;)
 
-alert tcp $HOME_NET any -> $HOME_NET 42 (msg:"ET EXPLOIT Possible WINS Server Remote Memory Corruption Vulnerability"; flow:to_server,established; dsize:48; content:"|00 00 78 00|"; offset:4; depth:4; content:"|00 00 00 05|"; offset:16; depth:4; fast_pattern; threshold: type both, count 3, seconds 1, track by_src; reference:url,blog.fortinet.com/2017/06/14/wins-server-remote-memory-corruption-vulnerability-in-microsoft-windows-server; classtype:attempted-user; sid:2024435; rev:1; metadata:affected_product Windows_DNS_server, attack_target DNS_Server, created_at 2017_06_29, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2017_06_29;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 58|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012087; rev:3; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2010_12_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (CVE-2009-3103)"; flow:to_server,established; content:"|FF 53 4d 42 72|"; offset:4; depth:5; content:"|00 26|"; distance:7; within:2; reference:url,www.exploit-db.com/exploits/14674/; reference:url,www.microsoft.com/technet/security/bulletin/ms09-050.mspx; reference:cve,2009-3103; classtype:attempted-user; sid:2012063; rev:3; metadata:created_at 2010_12_17, former_category NETBIOS, updated_at 2017_06_27;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F 1A|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012091; rev:4; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2010_12_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tinba CnC Checkin"; flow:to_server,established; content:"POST"; http_method; urilen:7; content:"tinba/"; http_uri; fast_pattern; content:"User-Agent|3a 20|Mozilla/5.0|28|compatible|3b| MSIE 10.0|3b| Windows NT 6.1|3b| Trident|2f|6.0|29|"; http_header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; reference:md5,d360ee49950e7da3978379494667260c; classtype:command-and-control; sid:2024441; rev:2; metadata:created_at 2017_07_05, former_category MALWARE, updated_at 2019_10_25;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F A9|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012093; rev:4; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2010_12_23;)
 
-alert tcp any any -> any 445 (msg:"ET EXPLOIT ETERNALBLUE Exploit M2 MS17-010"; flow:established,to_server; content:"|8000a80000000000000000000000000000000000ffff000000000000ffff0000000000000000000000000000000000000000000000f1dfff000000000000000020f0dfff00f1dfffffffffff600004100000000080efdfff|"; reference:cve,CVE-2017-0143; classtype:attempted-admin; sid:2024297; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_07_06;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F A9|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012092; rev:3; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2010_12_23;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Exploit M3 MS17-010"; flow:to_server,established; content:"|ff|SMB|32 00 00 00 00 18 07 c0|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; distance:2; within:16; fast_pattern; content:"|0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 00 0c 00 42 00 00 10 4e 00 01 00 0e 00 0d 10 00|"; distance:2; within:34; isdataat:1000,relative; threshold: type both, track by_src, count 10, seconds 1; classtype:trojan-activity; sid:2024430; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_27, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_07_06;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 8F|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012088; rev:4; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2016_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Capitech Internet Banking Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Capitec Internet Banking</title>"; nocase; classtype:social-engineering; sid:2024453; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_07_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F 1A|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012090; rev:3; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2010_12_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Apple iCloud Phish Jan 23 2017"; flow:to_server,established; content:"POST"; http_method; content:"usuario="; depth:8; nocase; http_client_body; content:"&contrasena="; nocase; distance:0; http_client_body; content:"&hdtxt="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023758; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_24, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert tcp $HOME_NET ![23,25,80,137,139,445] -> $EXTERNAL_NET 20000: (msg:"ET MALWARE Sourtoff Download Simda Request"; flow:established,to_server; dsize:18; content:"|0a 10|"; depth:2; flowbits:set,ET.TROJAN.Sourtoff; flowbits:noalert; reference:md5,5469af0daa10f8acbe552cd2f1f6a6bb; classtype:trojan-activity; sid:2019312; rev:3; metadata:created_at 2014_09_29, updated_at 2019_01_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credit Agricole Phish Aug 15 2016 M1"; flow:to_server,established; content:"POST"; http_method; content:"ident="; fast_pattern; depth:6; nocase; http_client_body; content:"&ReadOut="; nocase; distance:0; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&nuum="; nocase; distance:0; http_client_body; content:"&xrypt="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023063; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET 853 (msg:"ET INFO DNS Over TLS Request Outbound"; flow:established,to_server; content:"|16 03 01 01|"; depth:4; reference:url,www.linuxbabe.com/ubuntu/ubuntu-stubby-dns-over-tls; classtype:trojan-activity; sid:2026774; rev:2; metadata:created_at 2019_01_10, former_category INFO, updated_at 2019_01_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credit Agricole Phish Aug 15 2016 M2"; flow:to_server,established; content:"POST"; http_method; content:"nom="; depth:4; nocase; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pemail="; fast_pattern; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023064; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AtomLogger Exfil via FTP"; flow:established,to_server; content:"Username|3a 20|"; content:"|0d 0a|Machine Name|3a 20|"; distance:0; content:"|0d 0a|Operating System|3a 20|"; distance:0; content:"|0d 0a|IP Address|3a 20|"; distance:0; content:"|0d 0a|Country|3a 20|"; distance:0; content:"|0d 0a|RAM|3a 20|"; distance:0; content:"|0d 0a|Online since|3a 20|"; distance:0; content:"|0d 0a 0d 0a 0d 0a 0d 0a|================================|0d 0a|Keystrokes and Window Log|0d 0a|"; distance:0; fast_pattern; reference:md5,78bd897a638e7c0d3c00c31c8c68f18b; classtype:trojan-activity; sid:2026824; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_17, deployment Perimeter, former_category TROJAN, malware_family AtomLogger, performance_impact Moderate, signature_severity Major, updated_at 2019_01_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Generic 107 Phish Jul 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"-login.id-107sbtd9cbhsbt"; nocase; http_header; fast_pattern:4,20; pcre:"/^Host\x3a\x20[^\r\n]+\-login\.id\-107sbtd9cbhsbt[^\r]+$/Hmi"; classtype:credential-theft; sid:2024463; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_12, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert udp $HOME_NET [!3389,1024:65535] -> $EXTERNAL_NET [!3389,1024:65535] (msg:"ET P2P Edonkey Search Request (search by name)"; dsize:>5; content:"|e3 98|"; depth:2; content:"|01|"; within:3; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003319; classtype:policy-violation; sid:2003319; rev:4; metadata:created_at 2010_07_30, updated_at 2019_01_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Bank Phish M2 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:"1="; depth:2; nocase; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&cvv1="; nocase; distance:0; http_client_body; fast_pattern; content:"&mobile1="; nocase; distance:0; http_client_body; content:"&next"; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023488; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_11_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Bitter RAT C2 Response"; flow:established,to_client; stream_size:client,=,1; stream_size:server,=,12; dsize:11; content:"|0b 00 d2 0b 00 00|"; offset:5; depth:6; reference:md5,fc516905e3237f1aa03a38a0dde84b52; classtype:command-and-control; sid:2026826; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_21, deployment Perimeter, former_category MALWARE, malware_family BitterRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2019_01_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Wells Fargo Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"card_num="; depth:9; nocase; http_client_body; content:"&full_name="; nocase; distance:0; http_client_body; content:"&ssn_num="; nocase; distance:0; http_client_body; fast_pattern; content:"&j_password="; nocase; distance:0; http_client_body; content:"&userPrefs="; nocase; distance:0; http_client_body; content:"&jsenabled="; nocase; distance:0; http_client_body; content:"&origin="; nocase; distance:0; http_client_body; content:"&screenid="; nocase; distance:0; http_client_body; content:"&ndsid="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023771; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 85"; flow:established,to_server; content:"|c4 e2 a1 27 66 76 0b 6d bf 25 73|"; depth:11; reference:md5,c00606ac4ed2e1e8a5f503051c555e72; classtype:command-and-control; sid:2026852; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Remcos, updated_at 2019_01_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Striked Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; depth:4; content:".php|20|HTTP/1.1|0d 0a|Host|3a 20|"; distance:0; content:"|0d 0a|User-Agent|3a 20|python"; distance:0; fast_pattern; content:"|0d 0a 0d 0a|crid="; distance:0; content:"&dta="; distance:0; content:!"Referer|3a|"; reference:md5,80317e3194d8f7fd495b0bf06cae2295; classtype:command-and-control; sid:2024465; rev:1; metadata:attack_target Client_Endpoint, created_at 2017_07_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2017_07_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 86"; flow:established,to_server; content:"|ce 4a a7 2f c0 8c 6d 5f 38 20 e9|"; depth:11; reference:md5,f78b75d64e5119f48c0644dfbcffba9d; classtype:command-and-control; sid:2026853; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Remcos, updated_at 2019_01_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Excel Online Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Excel Online"; nocase; content:!"Training"; nocase; within:25; classtype:social-engineering; sid:2024392; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_07_17;)
+alert udp $HOME_NET 1024:65535 -> [$EXTERNAL_NET,!224.0.0.0/4] 1024:65535 (msg:"ET P2P ThunderNetwork UDP Traffic"; dsize:<38; content:"|32 00 00 00|"; depth:4; content:"|00 00 00 00|"; distance:1; threshold:type limit, track by_src, count 1, seconds 300; reference:url,xunlei.com; reference:url,en.wikipedia.org/wiki/Xunlei; reference:url,doc.emergingthreats.net/2009099; classtype:policy-violation; sid:2009099; rev:4; metadata:created_at 2010_07_30, updated_at 2019_01_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Known Malicious Stratum Authline (2017-07-11 1)"; flow:established,to_server; dsize:<120; content:"|22|login|22 3a|"; content:"|22|slavf1@yandex.ru|22|"; distance:0; fast_pattern; content:"|22|pass|22|"; distance:0; content:"|22|XMRig/"; reference:md5,4bc4b071d9a7e482f3ecf8b2cbe10873; classtype:coin-mining; sid:2024454; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_11, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2017_07_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 87"; flow:established,to_server; stream_size:server,=, 1; content:"|e9 9d ca 64 2d 84 6e 6b cc 48 16|"; depth:11; reference:md5,872fc6cc16b7ba7e2a74b03927d50e85; classtype:command-and-control; sid:2026862; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_30, deployment Perimeter, former_category MALWARE, malware_family Remcos, signature_severity Major, updated_at 2019_01_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Parite.B Checkin 3"; flow:to_server,established; dsize:>1000; content:"|00 00 00 00 9c 00 00 00 06 00 00 00 01 00 00 00|"; offset:0; depth:16; content:"|b1 1d 00 00 02 00 00 00|"; distance:0; reference:md5,d10d6d2a29dd27b44e015dd6bf4cb346; classtype:command-and-control; sid:2024429; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_27, deployment Perimeter, deployment Internet, former_category MALWARE, malware_family Parite, performance_impact Moderate, signature_severity Major, updated_at 2017_07_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible RTF File With Obfuscated Version Header"; flow:established,to_client; file_data; content:"{|5C|rt"; within:4; content:!"f"; within:1; classtype:bad-unknown; sid:2026863; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2019_01_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Known Malicious Stratum Authline (2017-07-17 7)"; flow:established,to_server; dsize:<120; content:"|22|login|22 3a|"; content:"|22|ownyaga@gmail.com|22|"; distance:0; fast_pattern; content:"|22|pass|22|"; distance:0; content:"|22|XMRig/"; reference:md5,3b24a327e60ee77668d09e5b96e27dc8; classtype:coin-mining; sid:2024471; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, deployment Internet, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2017_07_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert tcp $HOME_NET !80 -> $EXTERNAL_NET [!25,!445,!1500] (msg:"ET MALWARE Win32/BlackCarat XORed (0x77) CnC Checkin"; flow:established,to_server; dsize:>800; content:"|77 77|"; offset:2; depth:2; content:"|77|"; distance:1; within:1; content:"|77 77 77 77 77 77 77 77 77 77 77 77 77|"; distance:1; within:13; content:"|20 77 1e 77 19 77 13 77 18 77 00 77 04|"; distance:0; fast_pattern; content:!"|00 00 00 00 00 00|"; reference:md5,514AB639CD556CEBD78107B4A68A202A; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2018/AncelKuprins-VB2018-WolfSheep.pdf; classtype:command-and-control; sid:2026525; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category MALWARE, malware_family BlackCarat, performance_impact Low, signature_severity Major, tag RAT, updated_at 2019_01_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP InstallCore Variant CnC Checkin"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; content:"|7c|"; http_client_body; depth:40; content:"POST|20|/|20|HTTP/1.1|0d 0a|Accept|3a 20 2a 2f 2a 0d 0a|Host|3a|"; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x7c/P"; reference:md5,42374945061c7941d6690793ae393d3a; classtype:pup-activity; sid:2024428; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Major, updated_at 2017_09_01;)
+#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Request"; flow:established,from_server; content:"Thanks Snailsor,FuYu,BloodSword"; reference:url,doc.emergingthreats.net/2009146; classtype:web-application-activity; sid:2009146; rev:5; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2010_07_30;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer with Cisco config"; content:"|00 03|"; depth:2; content:"|0a 21 20|version|20|"; distance:2; within:12; classtype:policy-violation; sid:2015857; rev:5; metadata:created_at 2012_11_01, former_category TFTP, updated_at 2017_07_19;)
+#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Related Activity"; flow:established,from_server; content:"public string Password|3D 22|21232f297a57a5a743894a0e4a801fc3|22 3B|"; nocase; reference:url,doc.emergingthreats.net/2009147; classtype:web-application-activity; sid:2009147; rev:5; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2010_07_30;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer With Cisco Config 2"; content:"|00 03|"; depth:2; content:"NVRAM config last update"; distance:0; classtype:policy-violation; sid:2024481; rev:2; metadata:affected_product Cisco_ASA, affected_product Cisco_PIX, affected_product CISCO_Catalyst, attack_target Networking_Equipment, created_at 2017_07_19, deployment Perimeter, former_category TFTP, performance_impact Moderate, signature_severity Major, updated_at 2017_07_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Upload Attempt"; flow:established,to_server; content:"public string Password|3D 22|21232f297a57a5a743894a0e4a801fc3|22 3B|"; nocase; reference:url,doc.emergingthreats.net/2009149; classtype:web-application-activity; sid:2009149; rev:5; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [442,443,446,447,8001] (msg:"ET MALWARE Win32/Ramnit Checkin"; flow:established,to_server; dsize:6; content:"|00 ff|"; depth:2; content:"|00 00|"; distance:1; within:2; reference:md5,3fc81e102825a74b27faabbcd9408993; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; reference:md5,5740a73856128270b37ec4afae870d12; classtype:command-and-control; sid:2018558; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_06, deployment Perimeter, former_category MALWARE, malware_family Ramnit, performance_impact Low, signature_severity Major, updated_at 2017_07_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:established,from_server; content:"traderserviceinfo.info"; fast_pattern; tls_cert_issuer; content:"C=AU, ST=Some-State, L=City, O=Some|20|Company"; classtype:domain-c2; sid:2026899; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_12, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_02_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT EITest Keitaro Evil Redirect Leading to SocENG July 25 2017"; flow:established,to_server; content:"/?nbVykj"; pcre:"/\/\?nbVykj$/U"; classtype:social-engineering; sid:2024494; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2017_07_25;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 44818 (msg:"ET EXPLOIT Possible MicroLogix 1100 PCCC DoS Condition (CVE-2017-7924)"; flow:to_server,established; content:"|4b 02 20 67 24 01|"; content:"|a2|"; distance:0; content:"|05 47|"; distance:1; within:2; reference:cve,2017-7924; reference:url,rapid7.com/db/modules/auxiliary/dos/scada/allen_bradley_pccc; classtype:attempted-dos; sid:2026917; rev:1; metadata:created_at 2019_02_18, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2019_02_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishery Phishing Tool - Default SSL Certificate Observed"; flow:established,from_server; content:"|55 04 03|"; content:"|08|go-phish"; fast_pattern; distance:1; within:9; reference:url,github.com/ryhanson/phishery; classtype:trojan-activity; sid:2024505; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_28, deployment Perimeter, former_category INFO, signature_severity Major, tag Phishing, updated_at 2017_07_28;)
+alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|-|00|e|00|n|00|c|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025721; rev:3; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2019_02_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ISMAgent Receiving Commands from CnC Server"; flow:from_server,established; content:"|23|command|23 23|systeminfo"; offset:36; fast_pattern; content:"&&"; distance:0; reference:md5,a70a08a1e17b820c7dc8ee1247d6bfa2; reference:url,researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/; classtype:command-and-control; sid:2024503; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_28, deployment Perimeter, former_category MALWARE, malware_family Ismdoor, performance_impact Moderate, signature_severity Major, updated_at 2017_07_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible SharpShooter Framework Generated Script"; flow:established,to_client; file_data; content:"rc4=function|28|key,str|29|"; nocase; content:"key.charCodeAt|28|i%key.length|29|"; fast_pattern; nocase; distance:0; content:"String.fromCharCode|28|str.charCodeAt|28|"; content:"decodeBase64=function"; nocase; distance:0; content:"b64block="; nocase; distance:0; reference:url,www.mdsec.co.uk/2018/03/payload-generation-using-sharpshooter/; reference:url,blog.morphisec.com/sharpshooter-pen-testing-framework-used-in-attacks; classtype:trojan-activity; sid:2026918; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_02_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG encrypted payload M1 Feb 02 2016"; flow:established,to_client; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:exploit-kit; sid:2022484; rev:3; metadata:created_at 2016_02_03, former_category CURRENT_EVENTS, updated_at 2017_08_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible SharpShooter Framework Generated VBS Script"; flow:established,to_client; file_data; content:"RC4|28|byteMessage, strKey|29|"; nocase; content:"function decodeBase64|28|base64|29|"; nocase; distance:0; content:".createElement|28 22|tmp|22 29|"; nocase; distance:0; content:"decoded = decodeBase64|28|"; nocase; distance:0; reference:url,www.mdsec.co.uk/2018/03/payload-generation-using-sharpshooter/; reference:url,blog.morphisec.com/sharpshooter-pen-testing-framework-used-in-attacks; classtype:trojan-activity; sid:2026919; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_18, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2019_02_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG encrypted payload M1 Aug 01 2017"; flow:established,to_client; file_data; content:"|73 29 88 ff e0 d1 0e 74|"; within:8; reference:md5,263a2cf88f340b2a755db749be1371ea; classtype:exploit-kit; sid:2024507; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag RigEK, updated_at 2017_08_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell NoProfile Command Received In Powershell Stagers"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"-nop"; nocase; distance:0; classtype:trojan-activity; sid:2026988; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Minor, tag PowerShell, updated_at 2019_02_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest Inject July 25 2017"; flow:established,from_server; file_data; content:"var a=a|7c 7c|window.event|3b|doOpen|28 22|http"; nocase; pcre:"/^s?\x3a\x2f\x2f[^\x22\x27]+\/\?[A-Za-z0-9]{5,6}(?:=[^&\x22\x27]+)?[\x22\x27]\x29\x3bsetCookie\(\x22popundr\x22,1,864e5\)\}/Ri"; classtype:exploit-kit; sid:2024493; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2017_07_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell Hidden Window Command Common In Powershell Stagers M1"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"-w"; nocase; distance:0; content:"hidden"; within:17; classtype:trojan-activity; sid:2026989; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
 
-#alert tcp any any -> $HOME_NET [139,445] (msg:"ET DOS Possible SMBLoris NBSS Length Mem Exhaustion Vuln Inbound"; flow:established,to_server; content:"|00 01|"; depth:2; threshold:type both,track by_dst,count 3, seconds 90; reference:url,isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/; classtype:trojan-activity; sid:2024510; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_08_02, deployment Internal, former_category DOS, performance_impact Significant, signature_severity Major, updated_at 2017_08_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell Hidden Window Command Common In Powershell Stagers M2"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"-w 1"; nocase; distance:0; classtype:trojan-activity; sid:2026990; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious Domain SSL Cert in SNI (JS_POWMET)"; flow:established,to_server; content:"|16|"; depth:1; content:"|01|"; distance:4; content:"|00 00 0c|bogerando.ru"; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware; reference:md5,31f83bf81b139bcc69e51df2c76a0bf2; classtype:trojan-activity; sid:2024512; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_02, deployment Perimeter, former_category TROJAN, malware_family JS_POWMET, performance_impact Low, signature_severity Major, updated_at 2017_08_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell NonInteractive Command Common In Powershell Stagers"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"-noni"; nocase; distance:0; classtype:trojan-activity; sid:2026991; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
 
-alert tcp any any -> $HOME_NET [139,445] (msg:"ET DOS SMBLoris NBSS Length Mem Exhaustion Attempt (PoC Based)"; flow:established,to_server; content:"|00 01 ff ff|"; depth:4; threshold:type both,track by_dst,count 30, seconds 300; reference:url,isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/; classtype:trojan-activity; sid:2024511; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_08_02, deployment Internal, former_category DOS, performance_impact Significant, signature_severity Major, updated_at 2017_08_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M2"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"FromBase64String|28|"; nocase; distance:0; classtype:trojan-activity; sid:2026993; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Landing M1 Aug 05 2017"; flow:established,from_server; file_data; content:"|5b 30 5d 5b 22 41 22 2b|"; content:"|29 2b 22 58 22 2b 22 4f 22 2b|"; distance:0; fast_pattern; content:"|72 65 74 75 72 6e 20 28 22 22 2b|"; content:"|29 2b 22 41 74 22 5d|"; distance:0; classtype:exploit-kit; sid:2024514; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_08_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Magnitude, updated_at 2017_08_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell DownloadFile Command Common In Powershell Stagers"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"DownloadFile|28|"; nocase; distance:0; classtype:trojan-activity; sid:2026994; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Landing M2 Aug 05 2017"; flow:established,from_server; file_data; content:"|43 72 65 61 74 65 4f 62 6a 65 63 74 28|"; pcre:"/^(?P<var>[A-Z0-9a-z]{1,20})\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29/Rsi"; content:"|45 78 65 63 75 74 65 28|"; pcre:"/^(?P<var>[A-Z0-9a-z]{1,20})\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29/Ri"; content:"|52 65 44 69 6d|"; content:"|50 72 65 73 65 72 76 65|"; content:"|55 6e 45 73 63 61 70 65|"; classtype:exploit-kit; sid:2024515; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Magnitude, updated_at 2017_08_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell DownloadString Command Common In Powershell Stagers"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"DownloadString|28|"; nocase; distance:0; classtype:trojan-activity; sid:2026995; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT HTA File containing Wscript.Shell Call - Potential CVE-2017-0199"; flow:established,to_client; flowbits:isset,et.http.hta; content:"Wscript.Shell"; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html; reference:url,securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/; classtype:attempted-user; sid:2024196; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_10, cve 2017_0199, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2017_08_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell DownloadData Command Common In Powershell Stagers"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"DownloadData|28|"; nocase; distance:0; classtype:trojan-activity; sid:2026996; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mail.ru Phish Aug 10 2017"; flow:to_server,established; content:"POST"; http_method; content:"1login="; depth:7; nocase; http_client_body; fast_pattern; content:"&login="; nocase; distance:0; http_client_body; content:"&Domain="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024532; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (V3LU9) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"V3LU9"; fast_pattern; distance:0; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026920; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible AMSI Powershell Bypass Attempt B641"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBk"; fast_pattern; classtype:trojan-activity; sid:2024534; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (ctT2J) in DNS TXT Response"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"ctT2J"; fast_pattern; distance:0; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026921; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible AMSI Powershell Bypass Attempt B642"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"EAbQBzAGkASQBuAGkAdABGAGEAaQBsAGUAZ"; fast_pattern; classtype:trojan-activity; sid:2024535; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (dy1PYmp) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dy1PYmp"; fast_pattern; distance:0; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026922; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible AMSI Powershell Bypass Attempt B643"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"hAG0AcwBpAEkAbgBpAHQARgBhAGkAbABlAG"; fast_pattern; classtype:trojan-activity; sid:2024536; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (V3LU9iam) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"V3LU9iam"; fast_pattern; distance:0; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026923; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible AMSI Powershell Bypass Attempt"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"System.Management.Automation.AmsiUtils"; fast_pattern; nocase; content:"amsiInitFailed"; nocase; content:"setvalue"; nocase; content:"$null"; nocase; distance:0; content:"$true"; nocase; distance:0; classtype:trojan-activity; sid:2024537; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (XctT2JqZW) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"XctT2JqZW"; fast_pattern; distance:0; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026924; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Veil Powershell Encoder B641"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"KAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAo"; classtype:trojan-activity; sid:2024538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (dy1PYmplY3) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dy1PYmplY3"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026925; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Veil Powershell Encoder B642"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"gALAAkACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAK"; classtype:trojan-activity; sid:2024539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (FydC1Qcm9) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"FydC1Qcm9"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026926; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Veil Powershell Encoder B643"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"oACwAJAAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnAC"; classtype:trojan-activity; sid:2024540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (RhcnQtUHJ) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"RhcnQtUHJ"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026927; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Phish - Verify Email Error Message M1 Aug 14 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"PASSWORD NOT MATCHED"; nocase; depth:20; fast_pattern; classtype:credential-theft; sid:2024541; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (YXJ0LVByb2N) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"YXJ0LVByb2N"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026928; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Successful Phish - Verify Email Error Message M2 Aug 14 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"ERROR! PLEASE CLICK BACK"; nocase; depth:24; fast_pattern; classtype:credential-theft; sid:2024542; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (RhcnQtUHJvY2) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"RhcnQtUHJvY2"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026929; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Paypal Phish M1 Aug 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"_csrf="; depth:6; nocase; http_client_body; content:"&processSignin="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&rememberProfileCheck="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&rememberProfile="; nocase; distance:0; http_client_body; content:"&rememberProfileCheck="; nocase; distance:0; http_client_body; content:"&showTryPasswordlessButton="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024544; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_14, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (GFydC1Qcm9jZX) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"GFydC1Qcm9jZX"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026930; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M3 Aug 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"country="; depth:8; nocase; http_client_body; content:"&cc_holder="; nocase; distance:0; http_client_body; content:"&cc_number="; nocase; distance:0; http_client_body; fast_pattern; content:"&expdate_month="; nocase; distance:0; http_client_body; content:"&expdate_year="; nocase; distance:0; http_client_body; content:"&cvv2_number="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024546; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (YXJ0LVByb2Nlc3) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"YXJ0LVByb2Nlc3"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026931; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Chase Phish M1 Aug 15 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; content:"<title>"; nocase; content:"Chase Online"; nocase; within:50; fast_pattern; classtype:credential-theft; sid:2031575; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (Zva2UtV21pTWV) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"Zva2UtV21pTWV"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026932; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious Windows SCT Download MSXMLHTTP AX"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; file_data; content:"<registration"; nocase; distance:0; content:"progid"; distance:0; nocase; content:"<script"; nocase; distance:0; content:"<![CDATA["; nocase; content:"ActiveXObject"; nocase; distance:0; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024553; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, signature_severity Major, tag PowerShell_Downloader, updated_at 2017_08_15;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (52b2tlLVdtaU1) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"52b2tlLVdtaU1"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026933; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert udp $EXTERNAL_NET 389 -> $HOME_NET 389 (msg:"ET DOS CLDAP Amplification Reflection (PoC based)"; dsize:52; content:"|30 84 00 00 00 2d 02 01 01 63 84 00 00 00 24 04 00 0a 01 00|"; fast_pattern; threshold:type both, count 100, seconds 60, track by_src; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; reference:url,packetstormsecurity.com/files/139561/LDAP-Amplication-Denial-Of-Service.html; classtype:attempted-dos; sid:2024584; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Server, created_at 2017_08_16, deployment Perimeter, former_category DOS, performance_impact Significant, signature_severity Major, updated_at 2017_08_16;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (dm9rZS1XbWlNZXR) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dm9rZS1XbWlNZXR"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026934; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"ET DOS Potential CLDAP Amplification Reflection"; content:"objectclass0"; fast_pattern; threshold:type both, count 200, seconds 60, track by_src; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; reference:url,packetstormsecurity.com/files/139561/LDAP-Amplication-Denial-Of-Service.html; classtype:attempted-dos; sid:2024585; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2017_08_16, deployment Perimeter, former_category DOS, performance_impact Significant, signature_severity Major, updated_at 2017_08_16;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (52b2tlLVdtaU1ldG) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"52b2tlLVdtaU1ldG"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026935; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert tcp [$EXTERNAL_NET,!199.30.201.192/29] any -> $HOME_NET any (msg:"ET MALWARE NetWire / Ozone / Darktrack Alien RAT - Server Hello"; flow:established,to_client; flowbits:isset,ET.NetWire; content:"|01 00 00 00 00|"; depth:5; dsize:6; reference:url,researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic; reference:url,www.circl.lu/pub/tr-23; classtype:trojan-activity; sid:2021977; rev:6; metadata:created_at 2015_10_20, former_category TROJAN, updated_at 2017_08_17;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (nZva2UtV21pTWV0aG) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"nZva2UtV21pTWV0aG"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026936; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-07-28"; flow:established,to_client; file_data; content:"<title>Google Documents Email Verification</title>"; content:"emailID"; distance:0; content:"document.other.email"; distance:0; fast_pattern; content:"emailPASS"; distance:0; content:"document.other.phone"; distance:0; classtype:social-engineering; sid:2031712; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (dm9rZS1XbWlNZXRob2) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dm9rZS1XbWlNZXRob2"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026937; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Jul 10 2015"; flow:to_client,established; file_data; content:".php|22 20|method=|22|POST|22|"; fast_pattern; content:"Sign in with Gmail"; distance:0; content:"Sign in with Yahoo"; distance:0; content:"Sign in with Hotmail"; distance:0; content:"Sign in with AOL"; distance:0; content:"Sign in with Others"; distance:0; classtype:social-engineering; sid:2025683; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_07_12;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (Zva2UtQ29) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"Zva2UtQ29"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026938; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Google Drive/Dropbox Phishing Landing Jul 10 2015"; flow:to_client,established; file_data; content:"openOffersDialog|28 29 3b|"; content:"dropboxmaincontent"; fast_pattern; distance:0; content:"Verification Required"; nocase; distance:0; classtype:social-engineering; sid:2021400; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (dm9rZS1Db21) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dm9rZS1Db21"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026939; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert http $EXTERNAL_NET !2095 -> $HOME_NET any (msg:"ET PHISHING Possible Successful Phish - Generic Status Messages Sept 11 2015"; flow:established,to_client; file_data; content:"|22|ajax_timeout|22 20 3A 20 22|"; content:"Authenticating|20 E2 80 A6 22 2C|"; fast_pattern; distance:0; content:"|22|expired_session|22 20 3A 20 22|Your"; distance:0; content:"|22|prevented_xfer|22 20 3A 20 22|The session"; distance:0; content:"successful. Redirecting|20 E2 80 A6 22 2C|"; distance:0; content:"|22|token_incorrect|22 20 3A 20 22|The security"; distance:0; classtype:credential-theft; sid:2021761; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (nZva2UtQ29tbW) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"nZva2UtQ29tbW"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026940; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Google Drive Phishing Landing 2015-07-13"; flow:to_client,established; file_data; content:"UPLOADED FILE"; fast_pattern; content:"Sign in with your existing Email Service"; distance:0; content:"Email Service Provider"; distance:0; content:"select.com"; distance:0; content:"VIEW DOCUMENT"; distance:0; classtype:social-engineering; sid:2031707; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_13, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (52b2tlLUNvbW1) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"52b2tlLUNvbW1"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026941; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-07-28"; flow:established,to_client; file_data; content:"<title>Google Documents Email Verification</title>"; content:"emailID.value"; distance:0; content:"emailPASS.value"; distance:0; classtype:social-engineering; sid:2031713; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (dm9rZS1Db21tYW) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dm9rZS1Db21tYW"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026942; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE LURK Trojan Communication Protocol detected"; flow:established,to_server; content:"LURK|30|"; depth:5; content:"|78 9c|"; distance:8; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014225; rev:3; metadata:created_at 2012_02_14, former_category TROJAN, updated_at 2017_08_21;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (52b2tlLUNvbW1hbm) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"52b2tlLUNvbW1hbm"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026943; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious Windows SCT Download MSXMLHTTP AX M2"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; file_data; content:"<package"; nocase; distance:0; content:"<component"; distance:0; nocase; content:"<script"; nocase; distance:0; content:"<![CDATA["; nocase; content:"ActiveXObject"; nocase; distance:0; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024602; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell_Downloader, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2017_08_22;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"hpcyBwcm9"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027027; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Payload Aug 23 2017"; flow:established,from_server; file_data; content:"|30 26 e2 3d 9d f5 5b 16|"; within:8; flowbits:set,ET.DisDain.EK; classtype:exploit-kit; sid:2024608; rev:2; metadata:created_at 2017_08_23, updated_at 2017_08_23;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"lzIHByb2d"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027028; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Flash Exploit M1 Aug 23 2017"; flow:established,from_server; flowbits:isset,ET.DisDain.EK; file_data; content:"CWS"; within:3; classtype:exploit-kit; sid:2024609; rev:2; metadata:created_at 2017_08_23, updated_at 2017_08_23;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"aXMgcHJvZ3J"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027029; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Flash Exploit M2 Aug 23 2017"; flow:established,from_server; flowbits:isset,ET.DisDain.EK; file_data; content:"ZWS"; within:3; classtype:exploit-kit; sid:2024610; rev:2; metadata:created_at 2017_08_23, updated_at 2017_08_23;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"hpcyBwcm9ncm"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027030; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Flash Exploit M3 Aug 23 2017"; flow:established,from_server; flowbits:isset,ET.DisDain.EK; file_data; content:"FWS"; within:3; classtype:exploit-kit; sid:2024611; rev:2; metadata:created_at 2017_08_23, updated_at 2017_08_23;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"GlzIHByb2dyYW"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027031; rev:2; metadata:attack_target DNS_Server, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OSX.Pwnet.A Certificate Observed"; flow:established,from_server; content:"|55 04 03|"; content:"|08|vlone.cc"; distance:1; within:9; reference:url,sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/; classtype:trojan-activity; sid:2024613; rev:1; metadata:created_at 2017_08_23, updated_at 2017_08_23;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"aXMgcHJvZ3JhbS"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027032; rev:2; metadata:created_at 2019_03_05, former_category ATTACK_RESPONSE, updated_at 2019_03_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>NatWest Online Banking</title>"; nocase; classtype:social-engineering; sid:2024622; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"gAaQBzACAAcAByAG8AZwByAGE"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027033; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Pin and Password - NWOLB</title>"; nocase; classtype:social-engineering; sid:2024623; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"BoAGkAcwAgAHAAcgBvAGcAcgB"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027034; rev:2; metadata:created_at 2019_03_05, updated_at 2019_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Security Details - NWOLB</title>"; nocase; classtype:social-engineering; sid:2024624; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"aABpAHMAIABwAHIAbwBnAHIAYQB"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027035; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Bitstamp Cryptocurrency Exchange Phish Aug 30 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; content:"302"; http_stat_code; content:"Location|3a 20|https://www.bitstamp.net"; http_header; classtype:credential-theft; sid:2024639; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"BoAGkAcwAgAHAAcgBvAGcAcgBhAG"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027036; rev:2; metadata:created_at 2019_03_05, updated_at 2019_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED HEX Payload DL with MSXMLHTP (Observed in Locky campaign)"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; file_data; content:"4d"; nocase; within:2; pcre:"/^\s*5a\s*90\s*00\s*03\s*00\s*00\s*00/Rsi"; classtype:trojan-activity; sid:2024650; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Significant, signature_severity Major, updated_at 2019_05_28;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"GgAaQBzACAAcAByAG8AZwByAGEAbQ"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027037; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE CobianRAT Receiving Additional Commands From CnC"; flow:from_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"more|7c 2d 7c|"; within:30; fast_pattern; pcre:"/^(?:FM|SM|CP|CM|MC|NF|CH|PS|PT)/R"; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:command-and-control; sid:2024653; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category MALWARE, malware_family CobianRAT, performance_impact Low, signature_severity Major, updated_at 2017_09_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"aABpAHMAIABwAHIAbwBnAHIAYQBtAC"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027038; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family CoinMiner, signature_severity Major, updated_at 2019_03_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Dropbox - Verify Email</title>"; fast_pattern; classtype:social-engineering; sid:2024656; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_09_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"FyZ29ycCB"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027039; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE CobianRAT Checkin to CnC"; flow:to_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"|02|LOGIN|7c 2d 7c|"; within:30; fast_pattern; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:command-and-control; sid:2024651; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category MALWARE, malware_family CobianRAT, performance_impact Low, signature_severity Major, updated_at 2017_09_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"1hcmdvcnA"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027040; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE CobianRAT Receiving Commands From CnC"; flow:from_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; fast_pattern; content:"|00 00 02|"; within:30; pcre:"/^(?:Lg|Execute|FLD|Sc)\x7c\x2d\x7c/R"; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:command-and-control; sid:2024652; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category MALWARE, malware_family CobianRAT, performance_impact Low, signature_severity Major, updated_at 2017_09_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"YXJnb3JwIHN"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027041; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE CobianRAT Receiving Config Commands from CnC"; flow:from_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"Svr|7c 2d 7c|"; within:100; fast_pattern; pcre:"/^(?:\x40|\x21|\x23|\x7e|\x24)/R"; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:command-and-control; sid:2024654; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category MALWARE, malware_family CobianRAT, performance_impact Low, signature_severity Major, updated_at 2017_09_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"1hcmdvcnAgc2"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027042; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE CobianRAT Screenshot Exfil to CnC"; flow:to_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"|02|Sc|7c 2d 7c|"; within:30; fast_pattern; content:"JFIF"; within:10; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:command-and-control; sid:2024655; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category MALWARE, malware_family CobianRAT, performance_impact Low, signature_severity Major, updated_at 2017_09_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"WFyZ29ycCBzaW"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027043; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Dropbox Phish (Locky) Sep 01 2017"; flow:to_server,established; content:"POST"; http_method; content:"is_xhr="; depth:7; nocase; http_client_body; content:"current_email"; nocase; distance:0; http_client_body; content:"&email_sig="; nocase; distance:0; http_client_body; content:"&login_sd="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; content:"&remember_me="; nocase; distance:0; http_client_body; content:"&specter_login_tm="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024657; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"YXJnb3JwIHNpaF"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027044; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Exploit"; flow:established,from_server; file_data; content:"triggerBug"; nocase; fast_pattern; pcre:"/^\s*(?:\x28|\%28)/Rs"; content:"exploit"; nocase; pcre:"/^\s*(?:\x28|\%28)o/Rs"; content:"intToStr"; nocase; pcre:"/^\s*(?:\x28|\%28)x/Rs"; content:"strToInt"; nocase; pcre:"/^\s*(?:\x28|\%28)s/Rs"; classtype:trojan-activity; sid:2024676; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Critical, updated_at 2017_09_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M1"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"|20|-e"; nocase; distance:0; pcre:"/^(?:nc)?\s*(?:[A-Z0-9+\/]{4})*(?:[A-Z0-9+\/]{2}==|[A-Z0-9+\/]{3}=)/Ri"; classtype:trojan-activity; sid:2026992; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_03_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.Bot CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?hwid="; http_uri; fast_pattern; content:"&os="; http_uri; distance:0; content:"&build="; http_uri; distance:0; content:"&cpu="; http_uri; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,92c3157d76c67668ca815541c6bb3ba8; classtype:command-and-control; sid:2024679; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2017_09_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential W32/Dridex Alphanumeric Download Pattern"; flow:established,to_server; urilen:9<>47; content:"GET"; http_method; content:".exe"; http_uri; offset:6; fast_pattern; content:!"Referer|3A|"; http_header; content:"Accept|3a|"; http_header; pcre:"/^\/(?=[a-z\d]{0,18}(?:[a-z]\d|\d[a-z]|~[a-z])[a-z\d]{0,18}(?:\/[a-z\d]{0,18}(?:[a-z]\d|\d[a-z])[a-z\d]{0,18}){1,2}\.exe$)(?=[a-f\d\x2f\x7e]{0,40}[g-z])[a-z0-9~]{2,20}(?:\/[a-z0-9]{2,20}){1,2}\.exe$/U"; pcre:"/^User-Agent\x3a\x20[^\r\n]+?(?:MSIE|rv\x3a11\.0)/Hmi"; reference:md5,03c5bfb5c0c7a936ad62ebe03019edd0; classtype:trojan-activity; sid:2021607; rev:7; metadata:created_at 2015_08_11, former_category CURRENT_EVENTS, updated_at 2015_08_11;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Adwind)"; flow:established,from_server; content:"|55 04 03|"; content:"|18|www.svx2id6wmwgfxela.net"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024682; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Adwind, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Download Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A646F776E6C6F61642073756363657373"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027049; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (URLzone)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|dicco.at"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024681; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family URLZone, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2018_04_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Download Command Error"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A646F776E6C6F6164206661696C65642C"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027050; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|sslstatsita.info"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024685; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Upload Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A75706C6F61642073756363657373"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027051; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|fiftyflorston.win"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024683; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Upload Command Error"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A75706C6F6164206661696C65642C"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027052; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|lio.party"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024684; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Directory Change Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A6469726563746F7279206368616E6765642073756363657373"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027053; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|115f697a1698.bid"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024686; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Sleep Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A72756E74696D65206368616E67656420746F2072756E74696D65"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027048; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_07;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|7193a37d9d98.bid"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024687; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [AV] EarthWorm/Termite IoT Agent Reporting Infection"; dsize:<500; flow:established,to_server; content:"|00 00 00 01|"; offset:1; depth:4; content:"|00 00 00 01 6b 00 00 00 01|"; distance:7; within:9; fast_pattern; content:"agent"; distance:4; within:5; pcre:"/^\x00+?[\x20-\x7f]+?\x00+?$/R"; reference:url,github.com/anhilo/xiaogongju/tree/422136c014ba6b95ad3a746662be88372eb11b09; reference:url,www.alienvault.com/blogs/labs-research/internet-of-termites; classtype:trojan-activity; sid:2027064; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_07, deployment Perimeter, former_category TROJAN, malware_family Termite, malware_family EarthWorm, performance_impact Moderate, signature_severity Major, updated_at 2019_03_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] pkt checker 0"; flow:established, to_server; dsize:200<>513; stream_size:client,>,0; stream_size:server,=,1; stream_size:client, <,513; flowbits:noalert; flowbits:set,FB180732_0; classtype:trojan-activity; sid:2024694; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Moderate, signature_severity Major, updated_at 2017_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE EarthWorm/Termite IoT Agent CnC Response"; dsize:<500; flow:established,from_server; content:"|00 00 00 01|"; offset:1; depth:4; content:"|00 00 00 01 6b 00 00 00 01|"; distance:7; within:9; fast_pattern; content:"agent"; distance:4; within:5; pcre:"/^\x00+?[\x20-\x7f]+?\x00+?$/R"; reference:url,github.com/anhilo/xiaogongju/tree/422136c014ba6b95ad3a746662be88372eb11b09; reference:url,www.alienvault.com/blogs/labs-research/internet-of-termites; classtype:command-and-control; sid:2027065; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_03_07, deployment Perimeter, former_category MALWARE, malware_family Termite, malware_family EarthWorm, performance_impact Moderate, signature_severity Major, updated_at 2019_03_07;)
 
-#alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] pkt checker 1"; flow:established, to_client; dsize:30<>33; stream_size:server,<,35; stream_size:client,<,513; stream_size:server,>,0; stream_size:client,>,30; flowbits:noalert; flowbits:isset,FB180732_0; flowbits:unset, FB180732_0; flowbits:set,FB180732_1; classtype:trojan-activity; sid:2024695; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Moderate, signature_severity Major, updated_at 2017_09_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OSX/EvilOSX Client Receiving Commands"; flow:established,to_client; content:"404"; http_stat_code; file_data; content:"DEBUG"; depth:9; fast_pattern; reference:url,github.com/Marten4n6/EvilOSX/; classtype:trojan-activity; sid:2027066; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_03_07, deployment Perimeter, former_category TROJAN, malware_family EvilOSX, performance_impact Moderate, signature_severity Major, updated_at 2019_03_07;)
 
-#alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] pkt checker 3"; flow:established, to_client; dsize:30<>33; stream_size:server, <,70; stream_size:client, <,610; stream_size:client, >,0; stream_size:server, >,35; flowbits:noalert; flowbits:isset, FB180732_2; flowbits:unset, FB180732_2; flowbits:set, FB180732_3; classtype:trojan-activity; sid:2024697; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Moderate, signature_severity Major, updated_at 2017_09_11;)
+alert tcp $EXTERNAL_NET ![22,23,25,80,139,443,445] -> $HOME_NET any (msg:"ET MALWARE Netwire RAT Check-in"; flow:established,to_client; dsize:>68; content:"|41 00 00 00 05|"; depth:5; flowbits:isset,ET.NetwireRAT.Client; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:2018427; rev:4; metadata:created_at 2014_04_28, former_category TROJAN, updated_at 2019_03_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] Backdoor.Win32/Remcos RAT pkt checker 4"; flow:established, to_server; stream_size:server,<,70; stream_size:client,<,696; stream_size:client,>,0; stream_size:server,>,35; flowbits:isset,FB180732_3; flowbits:unset,FB180732_3; threshold:type limit,track by_src,count 1, seconds 30; reference:url,blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2; classtype:trojan-activity; sid:2024698; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Moderate, signature_severity Major, updated_at 2020_11_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2018-8174 Common Construct B64 M2"; flow:from_server,established; file_data; content:"|68546147567362474e765a4756425a475279554746795957|"; classtype:attempted-user; sid:2027070; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] pkt checker 2"; flow:established, to_server; dsize:50<>101; stream_size:server, <,35; stream_size:client, <,610; stream_size:server, >,0; stream_size:client, >,30; flowbits:noalert; flowbits:isset, FB180732_1; flowbits:unset,FB180732_1; flowbits:set,FB180732_2; classtype:trojan-activity; sid:2024696; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Significant, signature_severity Major, updated_at 2017_10_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2018-8174 Common Construct B64 M1"; flow:from_server,established; file_data; content:"|4b464e6f5a5778735932396b5a55466b5a484a5159584a6862|"; classtype:attempted-user; sid:2027069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HoeflerText Chrome Popup DriveBy Download Attempt 1"; flow:established,to_client; file_data; content:"The |22|HoeflerText|22| font wasn't found"; nocase; fast_pattern; content:"you have to update the |22|Chrome Font Pack|22|"; distance:0; nocase; content:"Click on the Chrome_Font.exe"; distance:0; nocase; content:"Latest version"; distance:0; nocase; content:"href=|22|http"; distance:0; nocase; content:"window.chrome"; distance:0; nocase; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; classtype:exploit-kit; sid:2024238; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2017_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2018-8174 Common Construct B64 M3"; flow:from_server,established; file_data; content:"|6f5532686c6247786a6232526c5157526b636c4268636d4674|"; classtype:attempted-user; sid:2027071; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HoeflerText Chrome Popup DriveBy Download Attempt 2"; flow:established,to_client; file_data; content:"The |22|HoeflerText|22| font was not found"; nocase; fast_pattern; content:"you have to update the |22|Chrome Font Pack|22|"; distance:0; nocase; content:"To install |22|HoeflerText|22| font for your PC"; distance:0; nocase; content:"Download the .js"; distance:0; nocase; content:".attr('href',"; distance:0; nocase; metadata: former_category CURRENT_EVENTS; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; classtype:exploit-kit; sid:2024700; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_12, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Landing M1"; flow:from_server,established; file_data; content:"|554778315a326c75524756305a574e30|"; content:"-=8))%256)|3b|}"; content:"+=72){"; content:"[0] < 21) return false|3b|"; content:",[0] > 31) return false|3b|"; distance:0; content:"[0] == 31 &&"; content:"[3] > 153) return false|3b|"; distance:0; content:"flash"; nocase; classtype:exploit-kit; sid:2027072; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Spleevo_EK, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK encrypted payload Sept 11 (1)"; flow:established,to_client; file_data; content:"|8d b1 8a d0 36 8d 5d bf|"; within:8; classtype:exploit-kit; sid:2024691; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2017_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Landing M2"; flow:from_server,established; file_data; content:"|516248566e615735455a58526c5933|"; content:"-=8))%256)|3b|}"; content:"+=72){"; content:"[0] < 21) return false|3b|"; content:",[0] > 31) return false|3b|"; distance:0; content:"[0] == 31 &&"; content:"[3] > 153) return false|3b|"; distance:0; content:"flash"; nocase; classtype:exploit-kit; sid:2027073; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Spleevo_EK, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Emotet Post Drop C2 Comms"; flow:established,from_server; file_data; content:"|502163174a9069e5f28277c59da7fb141ee82f8e|"; classtype:command-and-control; sid:2035042; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2017_09_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Landing M3"; flow:from_server,established; file_data; content:"|427364576470626b526c6447566a64|"; content:"-=8))%256)|3b|}"; content:"+=72){"; content:"[0] < 21) return false|3b|"; content:",[0] > 31) return false|3b|"; distance:0; content:"[0] == 31 &&"; content:"[3] > 153) return false|3b|"; distance:0; content:"flash"; nocase; classtype:exploit-kit; sid:2027074; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_03_11, former_category CURRENT_EVENTS, malware_family Spleevo_EK, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
 
-#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu Certificate flowbit set 1"; flow:established, to_client; content:"|30 82 04|"; depth:300; content:"|30 82 03|"; distance:1; within:3; content:"|a0 03 02 01 02 02 04|"; distance:1; within:7; content:"|30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 81|"; distance:4; within:17; flowbits:set,FB332502_; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 30; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024751; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_21;)
+alert tcp $HOME_NET any -> any any (msg:"ET MALWARE Win32/Termite Agent Implant Keep-Alive"; flow:established,to_server; dsize:<600; content:"|00 00 00|"; offset:1; depth:3; content:"|00 00 00|"; distance:1; within:3; content:"|00 00 00|"; distance:1; within:3; content:"|00 00 00|This|20|Client|20|Node|00 00 00|"; distance:1; within:22; fast_pattern; content:"|ff ff ff ff ff ff ff ff|"; distance:0; reference:md5,2820653437d5935d94fcb0c997d6f13c; classtype:trojan-activity; sid:2027084; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_14, deployment Perimeter, deployment Internal, former_category TROJAN, malware_family Termite, performance_impact Low, signature_severity Major, updated_at 2019_03_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [:32768] (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 2"; flow:established, to_server; content:"|17 03|"; depth:2; content:"|00 40|"; distance:1; within:2; fast_pattern; stream_size:server, >,1789; stream_size:server, <,2124; stream_size:client, >,447; stream_size:client, <,1722; flowbits:isset, FB332502_; flowbits:set, FB332502_0; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024752; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_21;)
+alert tcp $HOME_NET any -> any any (msg:"ET MALWARE Win32/Termite Agent Implant CnC Checkin"; flow:established,to_server; dsize:<600; content:"|00 00 00|"; offset:1; depth:3; content:"|00 00 00 00 00 00 00 ff 01|"; distance:1; within:9; content:"|ff ff ff ff ff ff ff ff|"; distance:0; content:"|00 00 00|This|20|Client|20|Node|00 00 00|"; distance:0; fast_pattern; reference:md5,2820653437d5935d94fcb0c997d6f13c; classtype:command-and-control; sid:2027083; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_14, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Termite, performance_impact Low, signature_severity Major, updated_at 2019_03_14;)
 
-#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 5"; flow:established,to_client; content:"|17 03|"; depth:2; content:"|00 50|"; distance:1; within:2; fast_pattern; stream_size:server, >,1889; stream_size:server, <,2224; stream_size:client, >,1476; stream_size:client, <,8722; flowbits:isset, FB332502_2; flowbits:unset, FB332502_2; flowbits:set, FB332502_3; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024755; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_21;)
+alert tcp $EXTERNAL_NET [19400:19500] -> $HOME_NET any (msg:"ET MALWARE Win32/Spy.Agent.POX Variant CnC"; flow:established,to_client; dsize:4; content:"|6c 69 73 74|"; reference:md5,bb15e442a527a83939d9ff1b835f99dd; classtype:command-and-control; sid:2035057; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_03_22;)
 
-#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu"; flow:established, to_client; content:"|17 03|"; depth:2; content:"|00 50|"; distance:1; within:2; fast_pattern; stream_size:server, >,1889; stream_size:server, <,2436; stream_size:client, >,1476; stream_size:client, <,8834; flowbits:isset, FB332502_3; flowbits:unset, FB332502_3; threshold:type limit, track by_src, count 1, seconds 30; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024756; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
+alert smtp any any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - EXE SMTP Attachment"; flow:established; content:"|0D 0A 0D 0A|TV"; content:"AAAAAAAAAAAAAAAA"; within:200; classtype:bad-unknown; sid:2017886; rev:3; metadata:created_at 2013_12_20, former_category INFO, updated_at 2019_03_27;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|vinci-energie.co"; distance:1; within:17; reference:md5,69f8181bfe4a53d9e0b73c81a4ae4587; classtype:domain-c2; sid:2024757; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_and_Server, created_at 2017_09_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag MalDoc, updated_at 2017_09_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Malicious Macro DL BIN March 2017"; flow:established,to_server; content:"GET"; http_method; content:"?showforum="; http_uri; fast_pattern:only; pcre:"/\?showforum=$/Ui"; content:!".php"; http_uri; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; reference:md5,ad575f6795526f2ee5e730f76a3b5346; classtype:trojan-activity; sid:2024109; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2019_04_03;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED Possible OptionsBleed (CVE-2017-9798)"; flow:established,to_server; content:"OPTIONS"; http_method; flowbits:set,ET.2017-9798; threshold: type both, count 30, seconds 30, track by_src; classtype:misc-activity; sid:2024759; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_19, cve 2017_9798, deployment Perimeter, former_category WEB_SERVER, performance_impact Moderate, signature_severity Major, updated_at 2019_12_20;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF.Initdz.Coinminer C2 Systeminfo (D2)"; flow:established,to_server; content:"D2|7c|System|20|Information&"; fast_pattern; depth:22; content:"Manufacturer|3a|"; distance:0; content:"Product|20|Name|3a|"; distance:0; content:"Version|3a 20|"; distance:0; content:"|0a|D3|7c|MemTotal|3a 20|"; distance:0; reference:md5,8438f4abf3bc5844af493d60ea8eb8f6; classtype:coin-mining; sid:2027150; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_04_03, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2019_04_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Suspicious Darkwave Popads Pop Under Redirect"; flow:established,to_client; file_data; content:"|2f 2a 20 50 72 69 76 65 74 20 64 61 72 6b 76 2e 20 45 61 63 68 20 64 6f 6d 61 69 6e 20 69 73 20 32 68 20 66 6f 78 20 64 65 61 64 20 2a 2f|"; classtype:policy-violation; sid:2024764; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_23, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2017_09_23;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outbound SMTP NTLM Authentication Observed"; flow:established,to_server; content:"AUTH|20|ntlm|20|"; depth:10; nocase; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; classtype:policy-violation; sid:2027152; rev:1; metadata:attack_target Client_and_Server, created_at 2019_04_04, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2019_04_04;)
 
-#alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT [PTsecurity] DoublePulsar Backdoor installation communication"; flow: to_server, established; content:"|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test:2,!=,0x0000,52,relative,little; pcre: "/^.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/R"; reference:url,github.com/ptresearch/AttackDetection; classtype:attempted-admin; sid:2024766; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Server, created_at 2017_09_25, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2017_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:] (msg:"ET ATTACK_RESPONSE LaZagne Artifact Outbound in FTP"; flow:established,to_server; content:"The LaZagne Project"; fast_pattern; reference:url,github.com/AlessandroZ/LaZagne; classtype:trojan-activity; sid:2027151; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_04, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family Stealer, malware_family LaZange, signature_severity Major, updated_at 2019_04_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M1"; flow:established,to_server; urilen:6<>20; pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?))$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; content:"MSIE 7.0"; http_user_agent; classtype:trojan-activity; sid:2024767; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Unknown - news=1 in http_cookie"; flow:established,to_client; content:"Set-Cookie|3a| news=1"; http_raw_header; classtype:exploit-kit; sid:2014438; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M2"; flow:established,to_server; urilen:6<>20; pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?))$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; content:"Firefox/54.0"; http_user_agent; classtype:trojan-activity; sid:2024768; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_05;)
+#alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC WMI Remote Process Execution"; flow:to_server,established; dce_iface:00000143-0000-0000-c000-000000000046; classtype:bad-unknown; sid:2027167; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_09, deployment Internal, former_category NETBIOS, signature_severity Informational, updated_at 2019_04_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible Zip DL containing single VBS script"; flow:established,from_server; file_data; content:"|50 4b 01 02|"; content:".vbs"; nocase; distance:0; pcre:"/^(?:(?!PK).)*?\x50\x4b\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00/Rs"; classtype:bad-unknown; sid:2024769; rev:2; metadata:created_at 2017_09_26, former_category WEB_CLIENT, updated_at 2017_09_26;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With No Profile Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-nop"; distance:0; classtype:bad-unknown; sid:2027169; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-11-06"; flow:established,from_server; file_data; content:"Sign in with your email address"; nocase; content:"view or download attachment"; nocase; distance:0; content:"Select your email provider"; nocase; distance:0; content:"Sign in with Gmail"; nocase; distance:0; fast_pattern; content:"Sign in with Yahoo"; nocase; distance:0; content:"Sign in with Hotmail"; nocase; distance:0; content:"Sign in with AOL"; nocase; distance:0; content:"Sign in with Others"; nocase; distance:0; classtype:social-engineering; sid:2031736; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2017_09_27;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-w"; distance:0; content:"hidden"; nocase; within:17; classtype:bad-unknown; sid:2027170; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 1"; flow:established,to_server; content:"|17 03|"; depth:2; content:"|00 b0|"; distance:1; within:2; fast_pattern; stream_size:client,>,424; stream_size:client,<,685; flowbits:isset,FB346039_0; flowbits:unset,FB346039_0; flowbits:set,FB346039_1; flowbits:set,FB346039_2; flowbits:noalert; classtype:command-and-control; sid:2024774; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"exec"; nocase; distance:0; content:"bypass"; nocase; within:18; classtype:bad-unknown; sid:2027171; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 0"; flow:established,to_server; content:"|17 03|"; depth:2; content:"|00 a0|"; distance:1; within:2; fast_pattern; stream_size:server,>,4868; stream_size:server,<,5949; stream_size:client,>,424; stream_size:client,<,685; flowbits:isset,FB346039_0; flowbits:unset,FB346039_0; flowbits:set,FB346039_1; flowbits:noalert; classtype:command-and-control; sid:2024773; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-enc"; nocase; distance:0; classtype:bad-unknown; sid:2027172; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 2"; flow:established,to_client; content:"|1703|"; depth:2; content:"|0140|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,10069; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_1; flowbits:unset,FB346039_1; flowbits:unset,FB346039_2; flowbits:set,FB346039_3; flowbits:noalert; classtype:command-and-control; sid:2024775; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With NonInteractive Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-noni"; nocase; distance:0; classtype:bad-unknown; sid:2027173; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 3"; flow:established,to_client; content:"|1703|"; depth:2; content:"|04A0|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,10069; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_3; flowbits:unset,FB346039_3; flowbits:set,FB346039_4; classtype:command-and-control; sid:2024776; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"cmd.exe"; nocase; distance:0; classtype:bad-unknown; sid:2027174; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 5"; flow:established,to_client; content:"|1503|"; depth:2; content:"|0020|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,10069; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_4; flowbits:unset,FB346039_4; classtype:command-and-control; sid:2024778; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Using Comspec Environmental Variable Over SMB - Very Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"%comspec"; nocase; distance:0; classtype:bad-unknown; sid:2027178; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 4"; flow:established,to_client; content:"|17 03|"; depth:2; content:"|02 00|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,6500; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_2; flowbits:unset,FB346039_2; classtype:command-and-control; sid:2024777; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_29;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Using Comspec Environmental Variable Over SMB - Very Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|%|00|c|00|o|00|m|00|s|00|p|00|e|00|c|00|"; nocase; distance:0; classtype:bad-unknown; sid:2027179; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
 
-#alert tls $HOME_NET any  -> $EXTERNAL_NET any (msg:"ET POLICY Request for Coinhive Browser Monero Miner M1"; flow:established,to_server; tls_sni; content:"coinhive.com"; classtype:policy-violation; sid:2024785; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2017_10_02;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|c|00|m|00|d|00|.|00|e|00|x|00|e|00|"; nocase; distance:0; classtype:bad-unknown; sid:2027175; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, updated_at 2019_04_10;)
 
-#alert tls $HOME_NET any  -> $EXTERNAL_NET any (msg:"ET POLICY Request for Jsecoin Browser Miner M1"; flow:established,to_server; tls_sni; content:"jsecoin.com"; classtype:policy-violation; sid:2024787; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2017_10_02;)
+#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"cmd "; nocase; distance:0; classtype:bad-unknown; sid:2027176; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE [PTsecurity] Black Stealer Exfil FTP STOR"; flow:established,to_server; content:"STOR Black Stealer"; depth:18; nocase; fast_pattern; classtype:trojan-activity; sid:2024791; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2017_10_02;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Nslookup Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"nslookup"; nocase; distance:0; classtype:bad-unknown; sid:2027183; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 6000: (msg:"ET DELETED Zeus P2P CnC"; dsize:72; content:!"|00 00 00|"; offset:5; byte_extract:1,63,padding; byte_test:1,!=,0xff,71; byte_test:1,!=,0x00,71; byte_test:1,=,padding,64; byte_test:1,=,padding,65; byte_test:1,=,padding,66; byte_test:1,=,padding,67; byte_test:1,=,padding,68; byte_test:1,=,padding,69; byte_test:1,=,padding,70; byte_test:1,=,padding,71; reference:url,www.abuse.ch/?p=3499; classtype:command-and-control; sid:2013739; rev:15; metadata:created_at 2011_10_05, former_category TROJAN, updated_at 2018_07_24;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Nslookup Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|n|00|s|00|l|00|o|00|o|00|k|00|u|00|p|00|"; nocase; distance:0; classtype:bad-unknown; sid:2027184; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M4"; flow:established,to_server; urilen:>6; pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?*(?:(?P<var1>[^=&]+)=(?P=var1))?))$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; content:"Firefox"; http_user_agent; flowbits:set,ET.Locky; flowbits:noalert; classtype:trojan-activity; sid:2026462; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2018_10_09;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Ipconfig Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"ipconfig"; nocase; distance:0; classtype:bad-unknown; sid:2027185; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Scotiabank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Sign in to Scotiabank"; nocase; classtype:social-engineering; sid:2024795; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Ipconfig Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|i|00|p|00|c|00|o|00|n|00|f|00|i|00|g|00|"; nocase; distance:0; classtype:bad-unknown; sid:2027186; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, malware_family CoinMiner, signature_severity Minor, updated_at 2019_04_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Desjardins Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Log on|20 7c 20|Desjardins"; nocase; classtype:social-engineering; sid:2024796; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_10_03;)
+alert tcp any [21,22,23,25,53,80,443,8080] -> any !3389 (msg:"ET POLICY Tunneled RDP msts Handshake"; dsize:<65; content:"|03 00 00|"; depth:3; content:"|e0|"; distance:2; within:1; content:"Cookie|3a 20|mstshash="; distance:5; within:17; reference:url,www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html; classtype:bad-unknown; sid:2027192; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible BMO Bank of Montreal Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>BMO Bank of Montreal Online Banking</title>"; nocase; classtype:social-engineering; sid:2024798; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_10_03;)
+alert tcp any [21,22,23,25,53,80,443,8080] -> any !3389 (msg:"ET POLICY Tunneled RDP Handshake"; flow:established; content:"|c0 00|Duca"; depth:250; content:"rdpdr"; content:"cliprdr"; reference:url,www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html; classtype:bad-unknown; sid:2027193; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M3 Oct 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"as_cpf="; depth:7; nocase; http_client_body; content:"&as_pass="; nocase; distance:0; http_client_body; fast_pattern; content:"&sender="; nocase; distance:0; http_client_body; content:"&as_continue="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024801; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Net View Command in SMB Traffic - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"net"; nocase; distance:0; content:"view"; nocase; within:9; classtype:bad-unknown; sid:2027187; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PayPal Phishing Landing Nov 24 2014"; flow:established,to_client; file_data; content:"<title>Login - PayPal</title>"; classtype:social-engineering; sid:2019785; rev:4; metadata:created_at 2014_11_24, former_category CURRENT_EVENTS, updated_at 2017_10_05;)
+#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Net View Command in SMB Traffic - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|n|00|e|00|t|00|"; nocase; distance:0; fast_pattern; content:"|00|v|00|i|00|e|00|w|00|"; nocase; within:19; classtype:bad-unknown; sid:2027188; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Phish Yahoo Credentials Oct 1"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"yahoopassword="; depth:14; nocase; fast_pattern; http_client_body; classtype:credential-theft; sid:2021892; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Yahoo CD Player ActiveX Open Stack Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"YoPlayer.YoPlyCd.1"; nocase; distance:0; content:"open"; nocase; reference:url,www.shinnai.net/exploits/pD9YWswsoR3EIcE9bf3N.txt; reference:url,doc.emergingthreats.net/2010946; classtype:attempted-user; sid:2010946; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag ActiveX, updated_at 2019_04_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Suspended Account Phish M1 Aug 09 2016"; flow:to_server,established; content:"POST"; http_method; content:"name-re="; nocase; depth:8; fast_pattern; http_client_body; content:"&dob"; nocase; distance:0; http_client_body; content:"&donnee"; nocase; distance:0; http_client_body; content:"&is_valid_email"; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023042; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Webmoney Advisor ActiveX Redirect Method Remote DoS Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; content:"3AFFD7F7-FD3D-4C9D-8F83-03296A1A8840"; nocase; distance:0; content:"Redirect"; nocase; reference:url,exploit-db.com/exploits/12431; reference:url,doc.emergingthreats.net/2011723; classtype:attempted-user; sid:2011723; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag ActiveX, updated_at 2019_04_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Landing Uri Nov 25 2015"; flow:to_server,established; content:"GET"; http_method; content:".php?usernms="; http_uri; fast_pattern; pcre:"/\.php\?usernms=[^@]+@[^\r\n]+$/Ui"; classtype:social-engineering; sid:2022187; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Webmoney Advisor ActiveX Control DoS Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TOOLBAR3Lib.ToolbarObj"; nocase; distance:0; content:"Redirect"; nocase; reference:url,exploit-db.com/exploits/12431; reference:url,doc.emergingthreats.net/2011724; classtype:attempted-user; sid:2011724; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag ActiveX, updated_at 2019_04_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Jimdo Outlook Web App Phishing Nov 16 2105"; flow:to_server,established; content:"POST"; http_method; content:"|2f 66 6f 72 6d 2f 73 75  62 6d 69 74 2f|"; http_uri; content:"|6a 69 6d 64 6f 2e 63 6f 6d 0d 0a|"; http_header; fast_pattern; content:"|6d 6f 64 75 6c 65 49 64 3d|"; nocase; http_client_body; depth:9; content:"|26 64 61 74 61 3b 3d|"; nocase; distance:0; http_client_body; content:"|45 6d 61 69 6c|"; nocase; distance:0; http_client_body; content:"|50 61 73 73 77 6f 72 64|"; nocase; distance:0; http_client_body; content:"|43 6f 6e 66 69 72 6d 2b  50 61 73 73 77 6f 72 64|"; nocase; distance:0; http_client_body; pcre:"/\/form\/submit\/$/U"; classtype:credential-theft; sid:2022094; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+#alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC DCOM ShellExecute - Likely Lateral Movement"; flow:established,to_server; content:"|00|S|00|h|00|e|00|l|00|l|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|"; reference:url,enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/; reference:url,enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/; reference:url,attack.mitre.org/techniques/T1175/; classtype:bad-unknown; sid:2027190; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category NETBIOS, signature_severity Minor, updated_at 2019_04_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing Oct 04 2017"; flow:established,to_client; file_data; content:"|0d 0a 54 68 65 6d 65 20 4e 61 6d 65 3a 20|"; within:100; content:"|0d 0a 41 75 74 68 6f 72 3a 20 4d 4b 28 72 6a 29|"; within:100; fast_pattern; classtype:social-engineering; sid:2024799; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_02;)
+alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|w|00|m|00|i|00|c|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2025726; rev:3; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2019_04_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Download of Embedded OpenType (EOT) File flowbit set"; flow:established,to_client; file_data; content:"|4c 50|"; offset:34; depth:2; flowbits:set,ET.EOT.Download; flowbits:noalert; reference:url,www.w3.org/Submission/EOT/#FileFormat; classtype:misc-activity; sid:2024829; rev:2; metadata:affected_product Internet_Explorer, affected_product Mac_OSX, affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2017_10_10;)
+alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|w|00|m|00|i|00|c|00|.|00|e|00|x|00|e|00|"; nocase; distance:0; classtype:trojan-activity; sid:2027180; rev:2; metadata:attack_target SMB_Client, created_at 2019_04_10, deployment Perimeter, deployment Internal, former_category POLICY, signature_severity Major, updated_at 2019_04_16;)
 
-alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY PsExec service created"; flow:to_server,established; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C"; nocase; reference:url,xinn.org/Snort-psexec.html; reference:url,doc.emergingthreats.net/2010781; classtype:suspicious-filename-detect; sid:2010781; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"wmic.exe"; nocase; distance:0; classtype:trojan-activity; sid:2027181; rev:2; metadata:attack_target SMB_Client, created_at 2019_04_10, deployment Perimeter, deployment Internal, former_category POLICY, signature_severity Major, updated_at 2019_04_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2015-07-27"; flow:to_client,established; file_data; content:"<title>Secure Login</title>"; content:"action=|22|emsg1.php|22|"; fast_pattern; distance:0; content:"valid Apple ID"; distance:0; content:"valid Password"; distance:0; classtype:social-engineering; sid:2031708; rev:3; metadata:created_at 2015_07_27, former_category PHISHING, updated_at 2017_10_12;)
+alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"wmic "; nocase; distance:0; classtype:trojan-activity; sid:2027182; rev:2; metadata:attack_target SMB_Client, created_at 2019_04_10, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2019_04_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing Jan 30 2014"; flow:established,to_client; file_data; content:"<title>Apple - Update Your Information</title>"; classtype:social-engineering; sid:2018042; rev:3; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2017_10_12;)
+alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|.|00|e|00|x|00|e|00|"; nocase; distance:0; classtype:trojan-activity; sid:2027202; rev:1; metadata:created_at 2019_04_16, former_category POLICY, updated_at 2019_04_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing M2 July 24 2015"; flow:to_client,established; file_data; content:"invoicetoptables"; nocase; fast_pattern; content:"invoicecontent"; nocase; distance:0; content:"displayTextgmail"; nocase; distance:0; content:"displayTexthotmail"; nocase; distance:0; content:"displayTextaol"; nocase; distance:0; classtype:social-engineering; sid:2021536; rev:3; metadata:created_at 2015_07_27, former_category CURRENT_EVENTS, updated_at 2017_10_13;)
+alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00 20 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2025719; rev:3; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2019_04_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PHISH Generic Webmail - Landing Page Sept 11"; flow:established,to_client; file_data; content:"<title>Webmail Login"; fast_pattern; content:"For Webmail to function properly"; distance:0; content:"you must enable JavaScript"; distance:0; content:"You have logged out"; distance:0; content:"Please select a locale"; distance:0; content:"Email Address"; distance:0; classtype:social-engineering; sid:2021760; rev:3; metadata:created_at 2015_09_11, former_category PHISHING, updated_at 2021_06_23;)
+alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible Powershell .ps1 Script Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:".ps1"; nocase; distance:0; classtype:bad-unknown; sid:2027203; rev:2; metadata:created_at 2019_04_16, updated_at 2019_04_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Potential Data URI Phishing Oct 02 2015"; flow:established,to_client; file_data; content:"<script type=|22|text/javascript|22|>"; nocase; content:"window.location="; nocase; within:17; content:"PCFET0NUWVBFIGh0bWw+DQo"; fast_pattern; distance:0; reference:url,blog.malwarebytes.org/online-security/2015/10/this-pdf-version-is-not-supported-data-uri-phish; classtype:social-engineering; sid:2021893; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2017_10_13;)
+alert smb any any -> $HOME_NET 445 (msg:"ET HUNTING Possible Powershell .ps1 Script Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|.|00|p|00|s|00|1|00|"; nocase; distance:0; classtype:bad-unknown; sid:2027204; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_16, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2019_04_16;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE DNSMessenger Payload (TXT base64 gzip header)"; content:"|00 10 00 01|"; content:"H4sIA"; distance:7; within:5; fast_pattern; reference:url,blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html; classtype:trojan-activity; sid:2024840; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_13, deployment Perimeter, former_category TROJAN, malware_family DNSMessenger, performance_impact Moderate, signature_severity Major, updated_at 2017_10_13;)
+alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible WMI .mof Managed Object File Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:".mof"; nocase; distance:0; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf; classtype:bad-unknown; sid:2027205; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_16, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2019_04_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Enom Phish Mar 08 2016"; flow:to_server,established; content:"POST"; http_method; content:"enom"; http_header; nocase; content:"ctl00_ScriptManager"; depth:19; nocase; fast_pattern; http_client_body; content:"user="; nocase; http_client_body; distance:0; content:"pass"; nocase; distance:0; http_client_body; content:"Login=Login"; nocase; distance:0; http_client_body; reference:url,welivesecurity.com/2016/03/07/beware-spear-phishers-hijack-website/; classtype:credential-theft; sid:2022604; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible WMI .mof Managed Object File Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|.|00|m|00|o|00|f|00|"; nocase; distance:0; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf; classtype:bad-unknown; sid:2027206; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_16, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2019_04_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Apple Phish 2015-07-27"; flow:to_client,established; file_data; content:"<title>Confirm your account</title>"; content:"action=|22|msg2.php|22|"; distance:0; fast_pattern; content:"Adress Line"; distance:0; content:"Zip/Postal Code"; distance:0; classtype:credential-theft; sid:2031709; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert smb any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Possible Lateral Movement - File Creation Request in Remote System32 Directory (T1105)"; flow:established,to_server; content:"|05 00|"; offset:16; depth:2; content:"|00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|S|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00|"; fast_pattern; classtype:attempted-user; sid:2027267; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_23, deployment Internal, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1105, tag lateral_movement, tag remote_file_copy, updated_at 2019_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Apple Phish 2015-07-27"; flow:to_client,established; file_data; content:"Question Of Security"; fast_pattern; content:"nom de votre meilleur"; distance:0; content:"What is your mother maiden name ?"; distance:0; content:"rue avez-vous grandi"; distance:0; content:"What is your favourite show ?"; distance:0; classtype:credential-theft; sid:2031710; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Possible Remote System32 DLL Hijack Command Inbound via HTTP (T1038, T1105)"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"copy|20|"; content:".dll"; distance:0; content:"|5c|Windows|5c|System32|5c|"; distance:0; fast_pattern; content:".dll"; distance:0; content:"copy|20|"; pcre:"/^(?P<dll_name>[a-z0-9\-_]{1,20})\.dll\s*\\\\(([0-9]{1,3}\.){3}[0-9]{1,3}|([a-z0-9\-]{1,30}\.){1,8}[a-z]{1,8})\\\w{1,10}\$\\Windows\\System32\\(?P=dll_name)\.dll/Ri"; reference:url,posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992; classtype:attempted-user; sid:2027268; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_23, deployment Internal, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1038, tag T1105, updated_at 2019_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Apple Phish 2015-07-27"; flow:to_client,established; file_data; content:"<title>Confirm your account</title>"; content:"action=|22|msg1.php|22|"; fast_pattern; distance:0; content:"Cardholder's Name"; distance:0; content:"Credit Card Number"; distance:0; content:"CVC (CVV)"; distance:0; content:"3D Secure/VBV"; distance:0; classtype:credential-theft; sid:2031711; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2018959; classtype:policy-violation; sid:2018959; rev:4; metadata:created_at 2014_08_19, former_category POLICY, updated_at 2017_02_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Apple Store Phish Landing 2015-07-30"; flow:to_client,established; file_data; content:"<title>Apple Store - Verification</title>"; nocase; content:"/* VODKA */"; nocase; fast_pattern; classtype:social-engineering; sid:2031716; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|c|00|m|00|d|00 20 00|"; nocase; distance:0; classtype:bad-unknown; sid:2027177; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Apple Store Phish Landing 2015-07-30"; flow:to_client,established; file_data; content:"fancyConfirm|28|"; nocase; fast_pattern; content:"checkcvv|28 29|"; nocase; distance:0; content:"checkexm|28 29|"; nocase; distance:0; content:"isvalidcc|28 29|"; nocase; distance:0; content:"imready|28 29|"; nocase; distance:0; classtype:social-engineering; sid:2031717; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cryptocurrency Miner Checkin M2"; flow:established,to_server; content:"|7b 22|id|22 3a|"; nocase; depth:6; content:"|22|jsonrpc|22 3a|"; nocase; distance:0; content:"|22 2c 22|method|22 3a 22|login|22 2c 22|params|22 3a|"; fast_pattern; nocase; content:"|22|agent|22 3a 22|"; nocase; content:!"<title"; nocase; content:!"<script"; nocase; content:!"<html"; nocase; content:!"|22|pass|22 3a 22|"; nocase; classtype:policy-violation; sid:2027316; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_06, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2019_05_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Apple Store Phish Landing 2015-07-30"; flow:to_client,established; file_data; content:"Verification</title>"; nocase; fast_pattern; content:"chosed your country."; nocase; content:"chosed an expiration month."; nocase; distance:0; content:"chosed an expiration year."; nocase; distance:0; classtype:social-engineering; sid:2031718; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Anyplace Remote Access Initial Connection Attempt (005)"; flow:established,to_server; content:"HTTP|2f|1.1|20|005|0d 0a|VERSION|3a 20|"; depth:23; content:"PLATFORM|3a 20|"; distance:0; content:"IPADDRESS|3a 20|"; distance:0; fast_pattern; reference:md5,30e4f96590d530ba5dc1762f8b87c16b; classtype:trojan-activity; sid:2027323; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_07, deployment Perimeter, deployment Internal, former_category INFO, malware_family Anyplace, performance_impact Low, signature_severity Major, tag RAT, updated_at 2019_05_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Google Docs Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Google Secure Docs</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2024842; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
+alert smb any any -> $HOME_NET any (msg:"ET MALWARE Covenant .NET Framework P2P C&C Protocol Gruntsvc Named Pipe Interaction"; flow:established,to_server; content:"SMB"; depth:8; content:"g|00|r|00|u|00|n|00|t|00|s|00|v|00|c|00|"; nocase; distance:0; fast_pattern; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; reference:url,posts.specterops.io/designing-peer-to-peer-command-and-control-ad2c61740456; classtype:command-and-control; sid:2027326; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_07, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Covenant, performance_impact Low, signature_severity Major, updated_at 2019_05_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloud Drive Phish Landing 2015-08-12"; flow:to_client,established; file_data; content:"<title>Cloud Drive</title>"; nocase; fast_pattern; content:"reqired to view this document"; nocase; distance:0; classtype:social-engineering; sid:2031721; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Anyplace Remote Access Checkin (051)"; flow:established,to_server; content:"HTTP|2f|1.1|20|051"; depth:12; content:"VER|3a 20|"; distance:0; content:"OBJ|3a 20|"; distance:0; content:"FUNC|3a 20|"; distance:0; content:"NAME|3a 20|"; distance:0; content:"ACC|3a 20|"; distance:0; content:"SRV|3a 20|"; distance:0; content:"PRODUCT|3a 20|"; distance:0; fast_pattern; reference:md5,30e4f96590d530ba5dc1762f8b87c16b; classtype:trojan-activity; sid:2027324; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_07, deployment Perimeter, deployment Internal, former_category INFO, malware_family Anyplace, performance_impact Low, signature_severity Major, tag RAT, updated_at 2019_05_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Anonisma AES Crypto Observed in Javascript - Possible Phishing Landing 2015-12-29"; flow:established,from_server; file_data; content:"Encriptado por Anonisma"; nocase; fast_pattern; content:"Aes.cipher"; nocase; distance:0; content:"Aes.keyExpansion"; nocase; distance:0; classtype:social-engineering; sid:2031741; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp $HOME_NET any -> any any (msg:"ET MALWARE Win32/ElectricFish Authentication Packet Observed"; flow:established,to_server; content:"aaaabbbbccccdddd|00 00 00 00 00 00 00 00|"; depth:24; fast_pattern; content:"|00 00 04 00 00 00|"; distance:2; within:6; reference:url,www.us-cert.gov/ncas/analysis-reports/AR19-129A; classtype:trojan-activity; sid:2027340; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_09, deployment Perimeter, deployment Internal, former_category TROJAN, malware_family ElectricFish, performance_impact Low, signature_severity Major, tag APT, tag T1090, tag connection_proxy, updated_at 2019_05_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phishing Landing 2016-07-11"; flow:from_server,established; file_data; content:"<title>DHL GLOBAL"; nocase; fast_pattern; content:"MM_validateForm"; nocase; distance:0; content:"E-mail Address or Member ID"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Phone Number"; nocase; distance:0; classtype:social-engineering; sid:2031998; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2017_10_17;)
+#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; classtype:bad-unknown; sid:2027168; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Winnti-related DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|securitytactics|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024868; rev:2; metadata:created_at 2017_10_18, former_category TROJAN, updated_at 2018_05_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024302; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family wannacry, signature_severity Major, tag Ransomware, updated_at 2017_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; content:"dnslog.mobi"; http_header; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024864; rev:2; metadata:created_at 2017_10_18, former_category TROJAN, updated_at 2017_10_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024301; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family wannacry, signature_severity Major, tag Ransomware, updated_at 2017_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B645W Oct 19 2017"; flow:established,from_server; file_data; content:"TAHQAYQByAHQALQBQAHIAbwBjAGUAcwBz"; pcre:"/(?:RABvAHcAbgBsAG8AYQBkAEYAaQBsAG|QAbwB3AG4AbABvAGEAZABGAGkAbABl|EAG8AdwBuAGwAbwBhAGQARgBpAGwAZ)/"; pcre:"/(?:VwByAGkAdABlAC0ASABvAHMAd|cAcgBpAHQAZQAtAEgAbwBzAH|XAHIAaQB0AGUALQBIAG8AcwB0)/"; pcre:"/(?:UwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0|MAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4Ad|TAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAH)/"; classtype:trojan-activity; sid:2024883; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024299; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family wannacry, signature_severity Major, tag Ransomware, updated_at 2017_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B641 Oct 19 2017"; flow:established,from_server; file_data; content:"U3RhcnQtUHJvY2Vzc"; pcre:"/(?:RG93bmxvYWRGaWxl|Rvd25sb2FkRmlsZ|Eb3dubG9hZEZpbG)/"; pcre:"/(?:V3JpdGUtSG9zd|dyaXRlLUhvc3|Xcml0ZS1Ib3N0)/"; pcre:"/U3lzdGVtLk5ldC5XZWJDbGllbn|N5c3RlbS5OZXQuV2ViQ2xpZW50|TeXN0ZW0uTmV0LldlYkNsaWVud/"; classtype:trojan-activity; sid:2024878; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
+alert tcp any any -> any 3389 (msg:"ET EXPLOIT [NCC GROUP] Possible Bluekeep Inbound RDP Exploitation Attempt (CVE-2019-0708)"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 f0|"; distance:2; within:2; content:"|00 05 00 14 7c 00 01|"; within:512; content:"|03 c0|"; distance:3; within:384; content:"MS_T120|00|"; distance:6; within:372; nocase; fast_pattern; threshold: type limit, track by_src, count 2, seconds 600; reference:cve,CVE-2019-0708; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Signatures/suricata/2019_05_rdp_cve_2019_0708.txt; classtype:attempted-admin; sid:2027369; rev:3; metadata:attack_target Client_and_Server, created_at 2019_05_21, deployment Perimeter, deployment Internet, deployment Internal, former_category EXPLOIT, malware_family Bluekeep, signature_severity Major, updated_at 2019_05_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B642 Oct 19 2017"; flow:established,from_server; file_data; content:"N0YXJ0LVByb2Nlc3"; pcre:"/(?:RG93bmxvYWRGaWxl|Rvd25sb2FkRmlsZ|Eb3dubG9hZEZpbG)/"; pcre:"/(?:V3JpdGUtSG9zd|dyaXRlLUhvc3|Xcml0ZS1Ib3N0)/"; pcre:"/U3lzdGVtLk5ldC5XZWJDbGllbn|N5c3RlbS5OZXQuV2ViQ2xpZW50|TeXN0ZW0uTmV0LldlYkNsaWVud/"; classtype:trojan-activity; sid:2024879; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
+#alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"GPL DELETED BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2102523; rev:9; metadata:created_at 2010_09_23, former_category MISC, updated_at 2019_05_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B643 Oct 19 2017"; flow:established,from_server; file_data; content:"TdGFydC1Qcm9jZXNz"; pcre:"/(?:RG93bmxvYWRGaWxl|Rvd25sb2FkRmlsZ|Eb3dubG9hZEZpbG)/"; pcre:"/(?:V3JpdGUtSG9zd|dyaXRlLUhvc3|Xcml0ZS1Ib3N0)/"; pcre:"/U3lzdGVtLk5ldC5XZWJDbGllbn|N5c3RlbS5OZXQuV2ViQ2xpZW50|TeXN0ZW0uTmV0LldlYkNsaWVud/"; classtype:trojan-activity; sid:2024880; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
+#alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"GPL DELETED MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:2100540; rev:13; metadata:created_at 2010_09_23, former_category CHAT, updated_at 2019_05_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B644W Oct 19 2017"; flow:established,from_server; file_data; content:"UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAc"; pcre:"/(?:RABvAHcAbgBsAG8AYQBkAEYAaQBsAG|QAbwB3AG4AbABvAGEAZABGAGkAbABl|EAG8AdwBuAGwAbwBhAGQARgBpAGwAZ)/"; pcre:"/(?:VwByAGkAdABlAC0ASABvAHMAd|cAcgBpAHQAZQAtAEgAbwBzAH|XAHIAaQB0AGUALQBIAG8AcwB0)/"; pcre:"/(?:UwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0|MAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4Ad|TAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAH)/"; classtype:trojan-activity; sid:2024881; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
+alert tcp any any -> $HOME_NET [139,445] (msg:"ET MALWARE Suspected ExtraPulsar Backdoor"; flow:established,to_server; content:"ExPu"; depth:11; offset:4; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; distance:0; reference:url,github.com/zerosum0x0/smbdoor; classtype:trojan-activity; sid:2027370; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_21, deployment Internal, former_category TROJAN, malware_family ExtraPulsar, signature_severity Major, updated_at 2019_05_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B645W Oct 19 2017"; flow:established,from_server; file_data; content:"MAdABhAHIAdAAtAFAAcgBvAGMAZQBzAH"; pcre:"/(?:RABvAHcAbgBsAG8AYQBkAEYAaQBsAG|QAbwB3AG4AbABvAGEAZABGAGkAbABl|EAG8AdwBuAGwAbwBhAGQARgBpAGwAZ)/"; pcre:"/(?:VwByAGkAdABlAC0ASABvAHMAd|cAcgBpAHQAZQAtAEgAbwBzAH|XAHIAaQB0AGUALQBIAG8AcwB0)/"; pcre:"/(?:UwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0|MAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4Ad|TAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAH)/"; classtype:trojan-activity; sid:2024882; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 08 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"Q|22|"; fast_pattern; content:"length"; pcre:"/^\s*?\<\s*?10/Rs"; content:"replace"; within:500; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22(?:\!(?:\x22\s*?\+\s*?\x22)?)?Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:exploit-kit; sid:2020865; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2022_05_03;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android JadeRAT CnC Beacon 2"; flow:to_server,established; dsize:22; content:"@!hi|3a|"; depth:5; fast_pattern; pcre:"/^\d{15}\r\n$/R"; reference:md5,9027f111377598362972745478e40311; reference:url,blog.lookout.com/mobile-threat-jaderat; classtype:command-and-control; sid:2024896; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_JadeRAT, signature_severity Major, tag Android, tag c2, updated_at 2017_10_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Executable Transfer in SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"MZ"; distance:0; content:"This program "; distance:0; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:2027191; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
 
-alert tcp any any -> any 445 (msg:"ET MALWARE Possible Dragonfly APT Activity - SMB credential harvesting"; flow:established,to_server; content:"|FF|SMB|75 00 00 00 00|"; offset:4; depth:9; content:"|08 00 01 00|"; distance:3; content:"|00 5c 5c|"; distance:2; within:3; content:"|5c|AME_ICON.PNG"; distance:7; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA17-293A; reference:url,www.us-cert.gov/sites/default/files/publications/MIFR-10128883_TLP_WHITE.pdf; classtype:targeted-activity; sid:2024898; rev:1; metadata:attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2017_10_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED HEX Payload DL with MSXMLHTP (Observed in Locky campaign)"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; file_data; content:"4d"; nocase; within:2; pcre:"/^\s*5a\s*90\s*00\s*03\s*00\s*00\s*00/Rsi"; classtype:trojan-activity; sid:2024650; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Significant, signature_severity Major, updated_at 2019_05_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Snatch CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|salegrutboy.eu"; distance:1; within:15; reference:md5,3b79f06be1f6909149bcadfaacfad2d0; classtype:domain-c2; sid:2024902; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, malware_family Snatch, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_10_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Session Established Flowbit Set"; flow:to_server,established; flowbits:isset,ms.rdp.synack; flowbits:unset,ms.rdp.synack; flowbits:set,ms.rdp.established; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014386; rev:3; metadata:created_at 2012_03_15, former_category DOS, updated_at 2012_03_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Snatch CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|lookmans.eu"; distance:1; within:12; reference:md5,aa50e2ce1fc07ccfbc6b916ccdbfd19b; classtype:domain-c2; sid:2024903; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, malware_family Snatch, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_10_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/Moose NAT Traversal CnC Beacon - Sleep"; flow:established,from_server; dsize:8; content:"|16 00|"; depth:2; content:!"|04 00|"; within:2; content:!"|00 00|"; within:2; content:!"|00|"; distance:2; within:1; content:!"|00|"; distance:5; within:1; flowbits:isset,ET.Linux.Moose; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021151; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_05_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Qtloader encrypted payload Oct 19 (1)"; flow:established,to_client; file_data; content:"|1a 3d d0 28 82 1a 6f 08|"; depth:8; fast_pattern; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024907; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_09_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/Moose NAT Traversal CnC Beacon - Multiple Tunnel"; flow:established,from_server; dsize:8; content:"|17 00|"; depth:2; content:!"|04 00|"; within:2; content:!"|00 00|"; within:2; content:!"|00|"; distance:2; within:1; content:!"|00|"; distance:5; within:1; flowbits:isset,ET.Linux.Moose; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021152; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_05_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Qtloader encrypted check-in response Oct 19 (1)"; flow:established,to_client; file_data; content:"|0c 3c|"; depth:2; content:"|04 a3|"; distance:1; within:2; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024909; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_09_10;)
+alert udp $HOME_NET any -> any 57621 (msg:"ET POLICY Spotify P2P Client"; flow:to_server; dsize:44; content:"|53 70 6f 74 55 64 70 30|"; depth:8; threshold:type limit, count 1, track by_src, seconds 300; classtype:not-suspicious; sid:2027397; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2019_05_30, deployment Internal, performance_impact Low, signature_severity Minor, updated_at 2019_05_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BadRabbit Driveby Download M2 Oct 24 2017"; flow:established,from_server; file_data; content:"Msxml2.XMLHTTP.6.0"; fast_pattern; content:"InjectionString"; nocase; distance:0; content:"hasOwnProperty"; nocase; distance:0; content:"navigator"; nocase; distance:0; pcre:"/^\s*\.\s*userAgent/Ri"; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*referrer/Ri"; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*cookie/Ri"; content:"window"; nocase; distance:0; pcre:"/^\s*\.\s*location\s*\.\s*hostname/Ri"; content:"!!document"; nocase; distance:0; pcre:"/^\s*\.\s*cookie/Ri"; reference:url,www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/; classtype:trojan-activity; sid:2024912; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2017_10_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/HiddenWasp CnC Request (set)"; flow:established,to_server; flowbits:set,ET.Linux.HiddenWasp; flowbits:noalert; content:"|75 63 65 73 00 01|"; depth:6; fast_pattern; reference:url,www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/; reference:md5,5b134e0a1a89a6c85f13e08e82ea35c3; classtype:command-and-control; sid:2027395; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_05_29, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2019_05_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [!9997,1024:] (msg:"ET MALWARE Dropper-497 (Yumato) Initial Checkin"; flow:established,to_server; dsize:5; content:"|30 30 30 0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:command-and-control; sid:2007917; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/HiddenWasp CnC Response"; flow:established,from_server; flowbits:isset,ET.Linux.HiddenWasp; content:"|75 63 65 73 00 01|"; depth:6; fast_pattern; reference:url,www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/; reference:md5,5b134e0a1a89a6c85f13e08e82ea35c3; classtype:command-and-control; sid:2027396; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_05_29, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2019_05_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IoT_reaper ELF Binary Download"; flow:established,from_server; flowbits:isset,ET.iotreaper; file_data; content:"|7f 45 4c 46|"; depth:4; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024929; rev:1; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_10_25;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET MALWARE Executable contained in DICOM Medical Image SMB File Transfer"; flow:established,to_server; flowbits:isset,ET.smb.binary; content:"SMB"; depth:8; content:"MZ"; distance:0; content:"DICM"; fast_pattern; distance:126; within:4; reference:url,github.com/d00rt/pedicom/; reference:url,labs.cylera.com/2019/04/16/pe-dicom-medical-malware/; classtype:trojan-activity; sid:2027402; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2019_05_31, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2019_05_31;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5050 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 13 ba|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003281; classtype:protocol-command-decode; sid:2003281; rev:6; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
+alert tcp any any -> $HOME_NET [104,2104,22104] (msg:"ET MALWARE Executable contained in DICOM Medical Image PACS DICOM Protocol Transfer"; flow:established,to_client; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"DICM"; offset:128; depth:4; fast_pattern; reference:url,github.com/d00rt/pedicom/; reference:url,labs.cylera.com/2019/04/16/pe-dicom-medical-malware/; classtype:trojan-activity; sid:2027403; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2019_05_31, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2019_05_31;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 443 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 01 bb|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003268; classtype:protocol-command-decode; sid:2003268; rev:6; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
+alert tcp any [104,2104,22104] -> $HOME_NET any (msg:"ET MALWARE Executable contained in DICOM Medical Image Received from PACS DICOM Device"; flow:established,to_client; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"DICM"; offset:128; depth:4; fast_pattern; reference:url,github.com/d00rt/pedicom/; reference:url,labs.cylera.com/2019/04/16/pe-dicom-medical-malware/; classtype:trojan-activity; sid:2027404; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2019_05_31, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2019_05_31;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 443 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 01 bb|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003269; classtype:protocol-command-decode; sid:2003269; rev:6; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool Exploit Kit iframe with obfuscated Java version check Jun 26 2013"; flow:established,from_server; file_data; content:"<textarea id|3d 22|"; content:"|22|>"; pcre:"/^(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{2}(?P<J>[0-9a-z]{2})[0-9a-z]{4}(?P=v)[0-9a-z]{6}(?P=space)[0-9a-z]{2}(?P=space)[0-9a-z]{64}(?P=J)(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017073; rev:4; metadata:created_at 2013_06_27, former_category EXPLOIT_KIT, updated_at 2013_06_27;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 25 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 19|"; depth:4; threshold:type both, track by_src, count 2, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003256; classtype:protocol-command-decode; sid:2003256; rev:6; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Windows 64bit procdump Dump File Exfiltration"; flow:established,to_server; content:"|00 2a 00 2a 00 2a 00 20 00|p|00|r|00|o|00|c|00|d|00|u|00|m|00|p|00|6|00|4|00 2e 00|e|00|x|00|e"; fast_pattern; reference:url,attack.mitre.org/techniques/T1003/; classtype:attempted-admin; sid:2027435; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_05, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1003, tag credential_dumping, updated_at 2019_06_05;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 25 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 19|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003254; classtype:protocol-command-decode; sid:2003254; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Windows 32bit procdump Dump File Exfiltration"; flow:established,to_server; content:"|00 2a 00 2a 00 2a 00 20 00|p|00|r|00|o|00|c|00|d|00|u|00|m|00|p|00 2e 00|e|00|x|00|e"; fast_pattern; reference:url,attack.mitre.org/techniques/T1003/; classtype:attempted-admin; sid:2027436; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_05, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1003, tag credential_dumping, updated_at 2019_06_05;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 25 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 19|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003255; classtype:protocol-command-decode; sid:2003255; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex Template 3 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"Your|20|computer|20|was|20|infected|20|with|20|my|20|private|20|malware"; fast_pattern; content:"malware|20|gave|20|me|20|full"; distance:0; content:"accounts|20 28|see|20|password|20|above|29|"; distance:0; content:"MANY|20|EMBARASSING|20|VIDEOS"; distance:0; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2027437; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_06, deployment Perimeter, former_category TROJAN, malware_family Phorpiex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2019_06_06;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 25 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 19|"; depth:4; threshold:type both, track by_src, count 2, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003257; classtype:protocol-command-decode; sid:2003257; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex Template 4 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"infected|20|you|20|with|20|a|20|malware"; content:"malware|20|gave|20|me|20|full"; distance:0; content:"collected|20|everything|20|private|20|from|20|you"; distance:0; content:"FEW|20|EMBARASSING|20|VIDEOS"; distance:0; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2027438; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_06, deployment Perimeter, former_category TROJAN, malware_family Phorpiex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2019_06_06;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 DNS Inbound Request (Windows Source)"; dsize:10<>40; flow:established,to_server; content:"|05 01 00 03|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003258; classtype:protocol-command-decode; sid:2003258; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:65535,![3389]] (msg:"ET POLICY TLS/SSL Client Key Exchange on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; content:"|10|"; within:6; reference:url,doc.emergingthreats.net/2003006; classtype:unusual-client-port-connection; sid:2003006; rev:9; metadata:created_at 2010_07_30, updated_at 2019_06_06;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 DNS Inbound Request (Linux Source)"; dsize:10<>40; flow:established,to_server; content:"|05 01 00 03|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003259; classtype:protocol-command-decode; sid:2003259; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE cryptodefense Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type|3a| multipart/form-data|3b 20|boundary="; pcre:"/^[\x2d]+(?P<boundry>[0-9]+)\r\n.+filename\x3d[\x22\x27](?P=boundry)[\x22\x27]/Rsi"; content:!"Referer"; http_header; content:!"Accept-Encoding|3a|"; http_header; content:"filename="; fast_pattern:only; http_client_body; content:"form-data|3b| name="; pcre:"/^[\x22\x27][a-z][\x27\x22]/Ri"; classtype:command-and-control; sid:2018386; rev:3; metadata:created_at 2014_04_14, former_category MALWARE, updated_at 2014_04_14;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 HTTP Proxy Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 50|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003260; classtype:protocol-command-decode; sid:2003260; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert dns any any -> $HOME_NET any (msg:"ET HUNTING Suspicious Registrar Nameservers in DNS Response (carbon2u)"; content:"|00 02 00 01|"; content:"|03|ns1|08|carbon2u|03|com|00|"; distance:14; within:18; fast_pattern; classtype:bad-unknown; sid:2027471; rev:1; metadata:created_at 2019_06_14, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2019_06_14;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 HTTP Proxy Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 50|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003261; classtype:protocol-command-decode; sid:2003261; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Server Response (WAIT)"; flow:established,to_client; flowbits:isset,ET.Linux.Ngioweb; content:" 200 OK|0d 0a|"; content:"|0d 0a 0d 0a|WAIT "; distance:0; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/; classtype:command-and-control; sid:2027508; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_06_21;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 HTTP Proxy Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 50|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003262; classtype:protocol-command-decode; sid:2003262; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Server Response (CONNECT)"; flow:established,to_client; flowbits:isset,ET.Linux.Ngioweb; content:" 200 OK|0d 0a|"; content:"|0d 0a 0d 0a|CONNECT "; distance:0; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/; classtype:command-and-control; sid:2027509; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_06_21;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 HTTP Proxy Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 50|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003263; classtype:protocol-command-decode; sid:2003263; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Server Response (DISCONNECT)"; flow:established,to_client; flowbits:isset,ET.Linux.Ngioweb; content:" 200 OK|0d 0a|"; content:"|0d 0a 0d 0a|DISCONNECT "; distance:0; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/; classtype:command-and-control; sid:2027510; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_06_21;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 443 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|01 bb|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003266; classtype:protocol-command-decode; sid:2003266; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Server Response (CERT)"; flow:established,to_client; flowbits:isset,ET.Linux.Ngioweb; content:" 200 OK|0d 0a|"; content:"|0d 0a 0d 0a|CERT "; distance:0; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/; classtype:command-and-control; sid:2027511; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_06_21;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 443 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|01 bb|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003267; classtype:protocol-command-decode; sid:2003267; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Cox Page - Possible Phishing Landing M2"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"<!-- saved from url=("; within:500; content:")https://idm.east.cox.net/"; distance:4; within:26; fast_pattern; classtype:social-engineering; sid:2027535; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_06_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5190 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|14 46|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003270; classtype:protocol-command-decode; sid:2003270; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Miarroba Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|3c 21 2d 2d 20 49 6e 73 65 72 74 65 64 20 62 79 20 6d 69 61 72 72 6f 62 61 20 2d 2d 3e|"; classtype:social-engineering; sid:2027561; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2019_06_26;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5190 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|14 46|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003271; classtype:protocol-command-decode; sid:2003271; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert tcp any ![445,138,80] -> any any (msg:"ET HUNTING SUSPICIOUS IRC - PRIVMSG *.(exe|tar|tgz|zip)  download command"; flow:established,to_client; content:"PRIVMSG|20|"; pcre:"/^[^\r\n]+\.(?:t(?:ar|gz)|exe|zip)/Ri"; classtype:bad-unknown; sid:2017318; rev:5; metadata:created_at 2013_08_13, former_category CURRENT_EVENTS, updated_at 2019_07_01;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5190 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 14 46|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003272; classtype:protocol-command-decode; sid:2003272; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Godlua Backdoor Stage-3 Client Heartbeat (Jun 2019- Dec 2019) (set)"; flow:established,to_server; flowbits:set,ET.Godlua.heartbeat; flowbits:noalert; dsize:7; content:"|02 00 04 5d|"; depth:4; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027672; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, malware_family Godlua, performance_impact Moderate, signature_severity Major, tag Backdoor, updated_at 2019_07_03;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5190 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 14 46|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003273; classtype:protocol-command-decode; sid:2003273; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Godlua Backdoor Stage-3 Client Heartbeat (Dec 2019- Jul 2020) (set)"; flow:established,to_server; flowbits:set,ET.Godlua.heartbeat; flowbits:noalert; dsize:7; content:"|02 00 04 5e|"; depth:4; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027673; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2019_07_03;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 1863 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|07 47|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003274; classtype:protocol-command-decode; sid:2003274; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Godlua Backdoor Stage-3 Client Heartbeat (Jul 2020- Jan 2021) (set)"; flow:established,to_server; flowbits:set,ET.Godlua.heartbeat; flowbits:noalert; dsize:7; content:"|02 00 04 5f|"; depth:4; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027674; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, malware_family Godlua, performance_impact Moderate, signature_severity Major, tag Backdoor, updated_at 2019_07_03;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 1863 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|07 47|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003275; classtype:protocol-command-decode; sid:2003275; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Godlua Backdoor Stage-3 Server Heartbeat Reply (Jun 2019 - Sep 2020)"; flow:established,to_client; flowbits:isset,ET.Godlua.heartbeat; dsize:13; content:"|02 00 0a 31 35|"; depth:5; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027675; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, malware_family Godlua, performance_impact Moderate, signature_severity Major, tag Backdoor, updated_at 2019_07_03;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 1863 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 07 47|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003276; classtype:protocol-command-decode; sid:2003276; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Godlua Backdoor Stage-3 Server Heartbeat Reply (Sep 2020 - Nov 2023)"; flow:established,to_client; flowbits:isset,ET.Godlua.heartbeat; dsize:13; content:"|02 00 0a 31 36|"; depth:5; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027676; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, malware_family Godlua, performance_impact Moderate, signature_severity Major, tag Backdoor, updated_at 2019_07_03;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 1863 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 07 47|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003277; classtype:protocol-command-decode; sid:2003277; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 06|"; pcre:"/^.\x02[A-Z]{2}/Rs"; content:"|55 04 08|"; distance:0; pcre:"/^.\x02[A-Z]{2}/Rs"; content:"|55 04 07|"; distance:0; pcre:"/^.{2}[A-Z][a-z]+(?:\x20[A-Z][a-z]+)?[01]/Rs"; content:"|55 04 09|"; fast_pattern; distance:0; pcre:"/^.{2}\d{2,3}(?:\x20[A-Z][a-z]+\.?){1,3}[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|55 04 0b|"; distance:0; content:"|55 04 03|"; distance:0; pcre:"/^.(.[a-z]{4,12}\.(?:us|org|net|biz|info|mobi|com)[01]).*?\x55\x04\x03.\1/Rs"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022868; rev:5; metadata:attack_target Client_and_Server, created_at 2016_06_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5050 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|13 ba|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003278; classtype:protocol-command-decode; sid:2003278; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Zoom Client Auto-Join (CVE-2019-13450)"; flow:established,to_client; file_data; content:"localhost|3a|19421/launch?action=join&confno="; reference:url,medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5; reference:cve,2019-13450; classtype:attempted-user; sid:2027696; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_07_10, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Informational, updated_at 2019_07_10;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5050 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|13 ba|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003279; classtype:protocol-command-decode; sid:2003279; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Socks5 Proxy to Onion (set)"; flow:established,to_server; flowbits:set,ET.Socks5.OnionReq; content:"|05 01 00 03|"; depth:4; content:".onion|00 50|"; distance:0; fast_pattern; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:policy-violation; sid:2027703; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_07_11, deployment Perimeter, former_category POLICY, performance_impact Moderate, signature_severity Major, updated_at 2019_07_11;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5050 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 13 ba|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003280; classtype:protocol-command-decode; sid:2003280; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt Requesting Key/Wallet/Note"; flow:established,to_server; flowbits:isset,ET.Socks5.OnionReq; flowbits:set,ET.QNAPCrypt.DetailReq; content:"GET /api/GetAvailKeysByCampId/"; depth:30; fast_pattern; content:".onion|0d 0a|User-Agent|3a 20|Go-http-client/1.1"; distance:0; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:trojan-activity; sid:2027704; rev:1; metadata:attack_target IoT, created_at 2019_07_11, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2019_07_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple ID Phishing Landing 2015-08-19"; flow:to_client,established; file_data; content:"<title>"; nocase; content:"My Apple ID"; fast_pattern; nocase; within:35; classtype:social-engineering; sid:2031723; rev:3; metadata:created_at 2015_08_19, former_category PHISHING, updated_at 2017_10_29;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt Successful Server Response"; flow:established,from_server; flowbits:isset,ET.QNAPCrypt.DetailReq; content:"HTTP/1.1 200 OK|0d 0a|"; depth:17; content:"Content-Type|3a 20|application/json"; distance:0; content:"|7b 22|RsaPublicKey|22 3a 22|-----BEGIN RSA PUBLIC KEY"; content:"|22 7d 2c 7b 22|BtcPublicKey|22 3a 22|"; fast_pattern; content:"|22 7d 2c 7b 22|Readme|22 3a 22|"; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:trojan-activity; sid:2027705; rev:1; metadata:attack_target IoT, created_at 2019_07_11, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2019_07_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN BankSnif/Nethelper User-Agent (nethelper)"; flow:to_server,established; content:"nethelper"; http_user_agent; fast_pattern:only; pcre:"/\bnethelper\b/Vi"; reference:url,doc.emergingthreats.net/2002877; classtype:trojan-activity; sid:2002877; rev:16; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Miarroba Phish 2019-07-11"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"<!-- Inserted by miarroba -->"; fast_pattern; nocase; classtype:credential-theft; sid:2027699; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_07_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Cashpoint.com Related checkin User-Agent (inetinst)"; flow:established,to_server; content:"User-Agent|3a| inetinst|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007808; classtype:trojan-activity; sid:2007808; rev:7; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Check-in (set)"; flow:established,to_server; dsize:>65; content:"|41 00 00 00 99|"; depth:5; flowbits:set,ET.NetwireRAT.Client; flowbits:noalert; reference:url,www.circl.lu/pub/tr-23/; reference:md5,3c4a93154378e17e71830ff164bb54c4; classtype:trojan-activity; sid:2029477; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Netwire, updated_at 2019_07_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Cashpoint.com Related checkin User-Agent (okcpmgr)"; flow:established,to_server; content:"User-Agent|3a| okcpmgr|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007810; classtype:trojan-activity; sid:2007810; rev:7; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Blacknix CnC Checkin"; flow:to_server,established; dsize:200<>300; content:"|32|"; depth:1; content:"|7c 78 01|"; distance:2; within:3; pcre:"/^[0-9]{3}\x7cx/"; reference:md5,b4e95d3ec39cf8c7347ca1c64cfed631; classtype:command-and-control; sid:2027731; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Blacknix, updated_at 2019_07_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Rf-cheats.ru Trojan Related User-Agent (RFRudokop v.1.1 account verification)"; flow:to_server,established; content:"RFRudokop"; http_user_agent; depth:9; reference:url,doc.emergingthreats.net/2008046; classtype:trojan-activity; sid:2008046; rev:8; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Blacknix CnC Heartbeat"; flow:to_server,established; dsize:15; content:"|7c 78 01|"; offset:2; depth:3; pcre:"/^[0-9]{2}\x7cx/"; threshold: type both, track by_src, count 5, seconds 60; reference:md5,b4e95d3ec39cf8c7347ca1c64cfed631; classtype:command-and-control; sid:2027732; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Blacknix, updated_at 2019_07_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS WinFixer Trojan Related User-Agent (ElectroSun)"; flow:established,to_server; content:"User-Agent|3a| ElectroSun "; http_header; reference:url,doc.emergingthreats.net/2008608; classtype:trojan-activity; sid:2008608; rev:9; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
+#alert ssh [94.140.120.163,49.50.70.223,80.82.67.21,125.160.17.32] any -> any any (msg:"ET MALWARE Windigo SSH Connection Received (Ebury < 1.7.0)"; ssh_proto; content:"2.0"; ssh_software; pcre:"/^[a-f0-9]{40,}$/"; reference:url,security.web.cern.ch/security/advisories/windigo/windigo.shtml; classtype:trojan-activity; sid:2027729; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Windigo, updated_at 2019_07_19;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IMDDOS Botnet User-Agent i am ddos"; flow: established,to_server; content:"User-Agent|3A| i am ddos"; nocase; depth:300; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011484; rev:5; metadata:created_at 2010_09_29, former_category USER_AGENTS, updated_at 2017_10_30;)
+#alert ssh [94.140.120.163,49.50.70.223,80.82.67.21,125.160.17.32] any -> any any (msg:"ET MALWARE Windigo SSH Connection Received (Ebury > 1.7.0)"; ssh_proto; content:"2.0"; ssh_software; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$$/"; reference:url,security.web.cern.ch/security/advisories/windigo/windigo.shtml; classtype:trojan-activity; sid:2027730; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Windigo, updated_at 2019_07_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Asprox.FakeAV Affiliate Download Location Response - Likely Pay-Per-Install For W32/Papras.Spy or W32/ZeroAccess"; flowbits:isset,ET.asproxfakeav; flow:established,to_client; file_data; content:"http|3A|//"; within:50; content:".exe?ts="; fast_pattern; distance:0; content:"&affid="; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016531; rev:3; metadata:created_at 2013_03_05, former_category TROJAN, updated_at 2017_11_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080,80] (msg:"ET MALWARE W32/Emotet.v4 Checkin 3"; flow:established,to_server; content:"|20|MSIE|20|"; http_user_agent; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/W"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps"; http_request_line; content:"POST / HTTP/1."; depth:14; fast_pattern; http_header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Accept"; content:!"Referer"; content:!"Content-Type"; content:!"Cookie"; content:!"TagId"; http_content_len; byte_test:0,<=,999,0,string,dec; byte_test:0,>,99,0,string,dec; classtype:command-and-control; sid:2035050; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share Possible DLL Preloading Exploit Attempt"; flowbits:isset,ET.PROPFIND; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html; reference:url,www.us-cert.gov/cas/techalerts/TA10-238A.html; reference:url,www.microsoft.com/technet/security/advisory/2269637.mspx; reference:url,blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx; reference:url,blog.metasploit.com/2010/08/better-faster-stronger.html; reference:url,blog.rapid7.com/?p=5325; classtype:attempted-user; sid:2011457; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_05_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080,80] (msg:"ET MALWARE W32/Emotet.v4 Checkin 2"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"|20|MSIE|20|"; http_user_agent; fast_pattern; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a[03478]+)?/W"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps"; http_protocol; content:"HTTP/1."; http_content_len; byte_test:0,>,150,0,string,dec; http_header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Accept"; content:!"Referer"; content:!"Content-Type"; content:!"Cookie"; content:!"TagId"; classtype:command-and-control; sid:2035048; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2019_06_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Exploit URI Struct June 19 2015"; flow:established,to_server; content:"?time="; http_uri; fast_pattern; content:"&stamp="; distance:0; http_uri; content:"."; distance:0; http_uri; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\.[a-z]+\?time=[^&]+&stamp=[a-z]*\d+(?:\.[a-z]*\d+)+$/U"; classtype:exploit-kit; sid:2021307; rev:3; metadata:created_at 2015_06_19, former_category CURRENT_EVENTS, updated_at 2015_06_19;)
+alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 443 (msg:"ET MALWARE [GIGAMON_ATR] FIN8 BADHATCH Remote Shell Banner"; flow:established,to_server; dsize:>100; content:"|2a 20|SUPER|20|REMOTE|20|SHELL|20|v2|2e|2|20|SSL"; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:targeted-activity; sid:2027751; rev:1; metadata:created_at 2019_07_23, deployment Perimeter, former_category TROJAN, malware_family ShellTea, performance_impact Low, signature_severity Major, tag Backdoor, updated_at 2019_07_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Flash Exploit URI Struct June 19 2015"; flow:established,to_server; content:"GET"; http_method; content:"/%"; http_header; content:"http%3A%2F%2F"; distance:2; within:13; nocase; http_header; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\//U"; content:"Referer|3a 20|http"; http_header; pcre:"/^[^\r\n]+\/%(?:3A|20)http%3A%2F%2F/Hmi"; classtype:exploit-kit; sid:2021309; rev:3; metadata:created_at 2015_06_19, former_category CURRENT_EVENTS, updated_at 2015_06_19;)
+alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 443 (msg:"ET MALWARE [GIGAMON_ATR] FIN8 BADHATCH CnC Checkin"; flow:established,to_server; dsize:64; content:"-SH"; offset:44; depth:3; pcre:"/(?:[0-9A-F]{8}\-){5}\-SH/"; content:"|02 09 01|"; offset:52; depth:3; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027752; rev:1; metadata:created_at 2019_07_23, deployment Perimeter, former_category MALWARE, malware_family ShellTea, performance_impact Low, signature_severity Major, tag Backdoor, updated_at 2019_07_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET POLICY Radmin Remote Control Session Setup Initiate"; flow:established,to_server; content:"|01 00 00 00 01 00 00 00 08 08|"; flowbits:set,ET.BE.Radmin.Challenge; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003479; classtype:not-suspicious; sid:2003479; rev:6; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DNS Query for .co TLD"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|co|00|"; distance:0; fast_pattern; classtype:bad-unknown; sid:2027759; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category DNS, signature_severity Minor, updated_at 2019_07_26;)
 
-#alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,ET.BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003480; classtype:not-suspicious; sid:2003480; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Adobe Phish 2019-07-29"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"<title>Adobe Document Cloud"; fast_pattern; nocase; classtype:credential-theft; sid:2027764; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Expected Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,ET.is_ssh_server_banner; reference:url,doc.emergingthreats.net/2001973; classtype:misc-activity; sid:2001973; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert icmp any any -> any any (msg:"ET MALWARE Possible ICMP Backdoor Tunnel Command - whoami"; itype:8; icode:0; content:"whoami"; depth:6; nocase; reference:url,www.hackingarticles.in/command-and-control-tunnelling-via-icmp; classtype:trojan-activity; sid:2027763; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_29, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2019_07_29;)
 
-#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSH Client Banner Detected on Expected Port"; flowbits:isset,ET.is_ssh_server_banner; flowbits:noalert; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001974; classtype:misc-activity; sid:2001974; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> any [!$HTTP_PORTS,1024:] (msg:"ET POLICY Windows Update P2P Activity"; flow:established,to_server; dsize:<100; content:"Swarm|20|protocol"; depth:20; classtype:not-suspicious; sid:2027766; rev:2; metadata:created_at 2019_07_31, updated_at 2019_07_31;)
 
-#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Unusual Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,ET.is_ssh_server_banner; reference:url,doc.emergingthreats.net/2001979; classtype:misc-activity; sid:2001979; rev:8; metadata:created_at 2010_07_30, updated_at 2017_02_01;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex Template 5 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"one|20|of|20|your|20|passwords|20|is|3a|"; content:"infected|20|with|20|my|20|private|20|malware"; distance:0; content:"I|20|RECORDED|20|YOU|20 28|through|20|your|20|webcam"; distance:0; fast_pattern; content:"bitcoin|20|wallet|20|is|3a|"; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2027769; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_31, deployment Perimeter, former_category TROJAN, malware_family Phorpiex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2019_07_31;)
 
-#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSH Client Banner Detected on Unusual Port"; flowbits:isset,is_ssh_server_banner; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,ET.is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001980; classtype:misc-activity; sid:2001980; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any any -> any any (msg:"ET EXPLOIT Possible VXWORKS Urgent11 RCE Attempt - Urgent Flag"; flags:U+; reference:url,armis.com/urgent11; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; classtype:attempted-admin; sid:2027768; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_31, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2019_07_31;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY SSH banner detected on TCP 443 likely proxy evasion"; flow:established,from_server; content:"SSH-"; depth:4; flowbits:set,ET.is_ssh_server_banner; classtype:bad-unknown; sid:2013936; rev:6; metadata:created_at 2011_11_21, updated_at 2011_11_21;)
+#alert tcp any any -> any any (msg:"ET EXPLOIT Possible VXWORKS Urgent11 RCE Attempt - Illegal Urgent Flag"; flags:SUF+; reference:url,armis.com/urgent11; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; classtype:attempted-admin; sid:2027770; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2019_08_01;)
 
-#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected within Banner on Expected Port"; flow: from_server,established; flowbits:noalert; content:"SSH-"; offset:0; depth:4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; content:"|0d 0a|"; offset: 4; depth: 255; byte_test:1,=,20,5,relative; flowbits: set,ET.is_ssh_server_banner; flowbits: set,ET.is_ssh_server_kex; reference:url,www.proftpd.org/docs/contrib/mod_sftp.html; classtype:misc-activity; sid:2022325; rev:3; metadata:created_at 2016_01_01, updated_at 2016_01_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Covenant Framework HTTP Hello World Server Response"; flow:established,to_client; file_data; content:"Hello World! eyJHVUlEIjoi"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_dst; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027794; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2019_08_04;)
 
-#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected within Banner on Unusual Port"; flow: from_server,established; flowbits:noalert; content:"SSH-"; offset:0; depth:4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; content:"|0d 0a|"; offset: 4; depth: 255; byte_test:1,=,20,5,relative; flowbits: set,ET.is_ssh_server_banner; flowbits: set,ET.is_ssh_server_kex; reference:url,www.proftpd.org/docs/contrib/mod_sftp.html; classtype:misc-activity; sid:2022326; rev:2; metadata:created_at 2016_01_01, updated_at 2016_01_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Covenant Framework Grunt Stager HTTP Download (Grunt.GruntStager)"; flow:established,to_client; file_data; content:".CreateInstance(|27|Grunt.GruntStager|27|)"; fast_pattern; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027795; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2019_08_04;)
 
-#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected on Expected Port"; flowbits:isset,ET.is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5; flowbits: set,is_ssh_server_kex; reference:url,doc.emergingthreats.net/2001975; classtype:misc-activity; sid:2001975; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Covenant Framework Grunt Stager HTTP Download (DynamicInvoke)"; flow:established,to_client; file_data; content:"toStream(assembly_str)"; content:"delegate.DynamicInvoke(array.ToArray()).CreateInstance("; distance:0; fast_pattern; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027796; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2019_08_04;)
 
-#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSHv2 Client KEX Detected on Expected Port"; flowbits:isset,is_ssh_server_kex; flowbits:noalert; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,ET.is_ssh_client_kex; reference:url,doc.emergingthreats.net/2001976; classtype:misc-activity; sid:2001976; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Covenant Framework Grunt PowerShell Stager HTTP Download"; flow:established,to_client; file_data; content:"IO.Compression.CompressionMode]|3a 3a|Decompress"; content:".Value.Write("; distance:0; content:"Reflection.Assembly]|3a 3a|Load("; fast_pattern; distance:0; content:".EntryPoint.Invoke("; distance:0; content:"Out-Null"; distance:0; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027797; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2019_08_04;)
 
-#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected on Unusual Port"; flowbits:isset,ET.is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5; flowbits: set,is_ssh_server_kex; reference:url,doc.emergingthreats.net/2001981; classtype:misc-activity; sid:2001981; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Covenant Framework Grunt MSBuild Stager HTTP Download"; flow:established,to_client; file_data; content:"System.IO.Compression.CompressionMode.Decompress"; content:"System.Reflection.Assembly.Load("; distance:0; content:".EntryPoint.Invoke("; distance:0; fast_pattern; content:"|3c 2f|UsingTask|3e|"; distance:0; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027798; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2019_08_04;)
 
-#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSHv2 Client KEX Detected on Unusual Port"; flowbits:noalert; flowbits:isset,is_ssh_server_kex; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,ET.is_ssh_client_kex; reference:url,doc.emergingthreats.net/2001982; classtype:misc-activity; sid:2001982; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nyanw0rm CnC Keep-Alive (Outbound) M2"; flow:established,to_server; dsize:16; content:"|49 42 d4 b5 38 70 fe 86 2a 4e d2 73 0d 95 79 e5|"; reference:md5,5c12015ebeb755c0b6029468a13e59a9; classtype:command-and-control; sid:2027813; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Nyanw0rm, updated_at 2019_08_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET HUNTING SUSPICIOUS busybox shell"; flow:to_server,established; content:"shell"; fast_pattern:only; pcre:"/\bshell\b/"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023017; rev:3; metadata:attack_target Server, created_at 2016_08_08, deployment Datacenter, former_category TELNET, performance_impact Low, signature_severity Major, updated_at 2016_08_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nyanw0rm CnC Keep-Alive (Outbound) M1"; flow:established,to_server; dsize:16; content:"|73 08 e2 bc 6d 8c 9d b5 85 52 b1 e1 5d 5a 9a 8e|"; reference:md5,d6db3ac5a8022184f03a34fbfdcb926d; classtype:command-and-control; sid:2027812; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Nyanw0rm, updated_at 2019_08_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET HUNTING SUSPICIOUS busybox enable"; flow:to_server,established; content:"enable"; fast_pattern:only; pcre:"/\benable\b/"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023018; rev:4; metadata:attack_target Server, created_at 2016_08_08, deployment Datacenter, former_category TELNET, performance_impact Low, signature_severity Major, updated_at 2016_08_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1 UDP Flood Command Inbound"; flow:established,from_server; content:".udp|20|"; depth:5; fast_pattern; pcre:"/^((?:\d{1,3}\.){3}\d{1,3}|((?:https?\x3a\/\/)?[a-z0-9\-]{1,30}\.){1,8}[a-z]{1,8})/Ri"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027837; rev:2; metadata:affected_product Linux, created_at 2019_08_09, deployment Perimeter, former_category TROJAN, malware_family Emptiness, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2019_08_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Binary in HTTP by Type Flowbit"; flow:established,from_server; content:"HTTP/1"; depth:6; content:"|0d 0a|Content-Type|3a| application/"; nocase; reference:url,doc.emergingthreats.net/2007670; classtype:not-suspicious; sid:2007670; rev:10; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_11_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1 DNS Flood Command Inbound"; flow:established,from_server; content:".dns|20|"; depth:5; fast_pattern; pcre:"/^((\d{1,3}\.){3}\d{1,3}|((?:https?\x3a\/\/)?[a-z0-9\-]{1,30}\.){1,8}[a-z]{1,8})/Ri"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027838; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PE EXE Install Windows file download"; flow:established; content:"MZ"; isdataat:76,relative; content:"This program must be "; distance:0; isdataat:140,relative; content:"PE"; distance:0; reference:url,www.program-transformation.org/Transform/PcExeFormat; reference:url,doc.emergingthreats.net/bin/view/Main/2000427; classtype:policy-violation; sid:2000427; rev:15; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_11_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1 HTTP Flood Command Inbound"; flow:established,from_server; content:".http|20|"; depth:6; fast_pattern; pcre:"/^((\d{1,3}\.){3}\d{1,3}|((?:https?\x3a\/\/)?[a-z0-9\-]{1,30}\.){1,8}[a-z]{1,8})/Ri"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027839; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PE EXE or DLL Windows file download (2)"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"Windows Program"; distance:0; isdataat:10,relative; content:"PE"; distance:0; reference:url,doc.emergingthreats.net/2010869; classtype:policy-violation; sid:2010869; rev:4; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_11_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1.1 UDP Flood Command Inbound"; flow:established,from_server; content:"LnVkcC"; depth:6; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027840; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Update/Installer ForceDL Template Nov 03 2017"; flow:established,from_server; file_data; content:"addDownloadHint"; nocase; pcre:"/^\s*\x28\s*[\x22\x27][^\x22\x27]*[\x22\x27]\s*,\s*[\x22\x27][^\x22\x27]+\.exe[\x22\x27]/Rsi"; content:"doDownload(force)"; nocase; content:"userConversion(true)"; nocase; distance:0; content:"trigger_dl"; nocase; pcre:"/^\s*\(\s*force\s*\?\s*true\s*\x3a\s*false\s*,\s*\d+\s*,\s*\d+\s*,\s*[\x22\x27][^\x22\x27]+\.exe[\x22\x27]/Ri"; classtype:social-engineering; sid:2024945; rev:1; metadata:created_at 2017_11_03, former_category CURRENT_EVENTS, updated_at 2017_11_03;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1.1 DNS Flood Command Inbound"; flow:established,from_server; content:"LmRucy"; depth:6; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027841; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (holidayapartments4you. com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|15|holidayapartments4you|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021645; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR UDP Flood Command Inbound"; flow:established,from_server; content:"|fe d5 57 68 f0 44 fb|"; depth:7; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027843; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
 
-#alert http $HOME_NET any -> [31.184.192.0/19] 80 (msg:"ET EXPLOIT_KIT Possible EITest Flash Redirect Sep 19 2016"; flow:established,to_server; urilen:1; content:"x-flash-version|3a 20|"; http_header; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"|0d 0a|Cookie|3a|"; classtype:exploit-kit; sid:2023249; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector_07012016, updated_at 2016_09_19;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR DNS Flood Command Inbound"; flow:established,from_server; content:"|fe d6 53 76 f0 7e fb|"; depth:7; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027844; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Volex - OceanLotus JavaScript Fake Page URL Builder Response"; flow:to_client,established; file_data; content:"|7b 22|link|22 3a 22|http"; depth:13; content:"|22|load|22|"; reference:url,volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/; classtype:targeted-activity; sid:2024967; rev:3; metadata:created_at 2017_11_06, former_category TROJAN, updated_at 2017_11_07;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR HTTP Flood Command Inbound"; flow:established,from_server; content:"|fe d6 69 33 f7 4f fb c5|"; depth:8; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027845; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Volex - OceanLotus System Profiling JavaScript (linkStorage.x00SOCKET)"; flow:to_client,established; file_data; content:"linkStorage.x00SOCKET"; reference:url,volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/; classtype:targeted-activity; sid:2024968; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_11_06, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2017_11_07;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR Exec Command Inbound"; flow:established,from_server; content:"|fe d6 57 37 c9 50 f7|"; depth:7; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027846; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Excel/Adobe Online Phishing Landing Nov 25 2015"; flow:to_client,established; file_data; content:"<title>"; nocase; content:"Online - 09KSJDJR4843984NF98738UNFD843"; within:100; nocase; fast_pattern; classtype:social-engineering; sid:2025686; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR Update Command Inbound"; flow:established,from_server; content:"|fe d5 57 74 c9 40 fc 92 e8|"; depth:9; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027847; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dinwod.Dropper Win32/Xtrat.B CnC Beacon"; flow:established,to_server; dsize:<30; content:"myversion|7C|"; depth:10; pcre:"/^\d/R"; reference:md5,dd6a13ba9177a18a8cf16b52ff643abc; classtype:command-and-control; sid:2018101; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2017_11_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp any any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai.shiina v3 CnC Checkin"; flow:established,to_server; content:"|01 03 03 07 04 02 00 06|"; depth:8; fast_pattern; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027848; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category MALWARE, malware_family Mirai, tag DDoS, updated_at 2019_08_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 1"; flow:established,to_client; file_data; content:"U3RhcnQtUHJvY2Vzc"; content:"cnVuZGxsMz"; content:"VXNlckluaXRNcHJMb2dvblNjcmlwd"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024971; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE GoonEK Jan 21 2013"; flow:established,from_server; file_data; content:"#default#VML"; fast_pattern:only; content:"|5c 5c 3a|"; content:"|5c 5c 3a|"; distance:0; content:".namespaces.add"; nocase; pcre:"/^[\r\n\s]*?\([^\)]*?[\x22\x27]#/Ri"; content:!"default#VML"; within:12; pcre:"/^d(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?e(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?f(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?a(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?u(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?l(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?t(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?#(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?V(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?M(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?L[\x22\x27]/Rs"; classtype:exploit-kit; sid:2017993; rev:10; metadata:created_at 2014_01_22, former_category MALWARE, updated_at 2014_01_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 2"; flow:established,to_client; file_data; content:"N0YXJ0LVByb2Nlc3"; content:"J1bmRsbDMy"; content:"VzZXJJbml0TXByTG9nb25TY3JpcH"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024972; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.biz Domain"; flow:established,to_server; content:".biz"; fast_pattern; http_host; isdataat:!1,relative; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027872; rev:2; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2019_08_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 3"; flow:established,to_client; file_data; content:"TdGFydC1Qcm9jZXNz"; content:"ydW5kbGwzM"; content:"Vc2VySW5pdE1wckxvZ29uU2NyaXB0"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024973; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Session_Id length greater than Client_Hello Length)"; flow:to_server,established; content:"|16 03 00|"; depth:3; content:"|01|"; distance:2; within:1; byte_extract:3,0,SSL.Client_Hello.length,relative; byte_test:1,>,SSL.Client_Hello.length,34,relative; threshold: type both, track by_src, count 5, seconds 60; reference:md5,a01d75158cf4618677f494f9626b1c4c; classtype:trojan-activity; sid:2014634; rev:2; metadata:created_at 2012_04_24, updated_at 2019_08_13;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 4"; flow:established,to_client; file_data; content:"U3RhcnQtUHJvY2Vzc"; content:"RG93bmxvYWRGaWxl"; content:"V2ViQ2xpZW50"; content:"aW8uRmlsZ"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024974; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gator Cookie"; flow: to_server,established; content:"webpdpcookie"; content:".gator.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000025; classtype:pup-activity; sid:2000025; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 5"; flow:established,to_client; file_data; content:"N0YXJ0LVByb2Nlc3"; content:"Rvd25sb2FkRmlsZ"; content:"dlYkNsaWVud"; content:"lvLkZpbG"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024975; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Binet (download complete)"; flow: to_server,established; content:"/download/cabs/"; nocase; http_uri; content:"download_complete.htm"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000366; classtype:pup-activity; sid:2000366; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 6"; flow:established,to_client; file_data; content:"TdGFydC1Qcm9jZXNz"; content:"Eb3dubG9hZEZpbG"; content:"XZWJDbGllbn"; content:"pby5GaWxl"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024976; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Binet (set_pix)"; flow: to_server,established; content:"/download/cabs/set_pix.php"; nocase; http_uri; content:"abetterinternet.com"; nocase; http_header; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000367; classtype:pup-activity; sid:2000367; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ATTACK_RESPONSE 401TRG Perl DDoS IRCBot File Download"; flow:established,from_server; content:"|6d 79 20 24 70 72 6f 63 65 73 73 20 3d 20 24 72 70 73 5b 72 61 6e 64 20 73 63 61 6c 61 72 20 40 72 70 73 5d 3b|"; classtype:trojan-activity; sid:2024977; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2017_11_07, deployment Datacenter, former_category ATTACK_RESPONSE, malware_family webshell, performance_impact Moderate, signature_severity Major, updated_at 2017_11_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Binet (randreco.exe)"; flow: to_server,established; content:"/download/cabs/RANDRECO/randreco.exe"; nocase; http_uri; content:"abetterinternet.com|0d 0a|"; nocase; http_header; fast_pattern; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000371; classtype:pup-activity; sid:2000371; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing Nov 10 2017"; flow:established,to_client; file_data; content:"<label class=|22|MobMenHol"; nocase; fast_pattern; content:"<span class=|22|MobMenIcon"; nocase; distance:0; content:"MobMenIcon"; nocase; distance:0; content:"MobMenIcon"; nocase; distance:0; content:"MobMenIcon"; nocase; distance:0; classtype:social-engineering; sid:2025693; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_07_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ADWARE_PUP User-Agent (iexplore)"; flow:established,to_server; content:"User-Agent|3a| iexplore|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2000466; classtype:pup-activity; sid:2000466; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (IcedID CnC)"; flow:established,from_server; content:"|09 00 b9 5a 68 02 24 e5 3e 2e|"; fast_pattern; content:"|55 04 03|"; content:"|06|Server"; distance:1; within:7; reference:url,securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research; reference:md5,de4ef2e24306b35d29891b45c1e3fbfd; classtype:domain-c2; sid:2024979; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_11_13, deployment Perimeter, former_category MALWARE, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_11_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP IE homepage hijacking"; flow: from_server,established; content:"wsh.RegWrite"; nocase; content:"HKLM\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Main\\\\Start Page"; nocase; reference:url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000514; classtype:pup-activity; sid:2000514; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SocEng Fake Font Download Template Nov 14 2017"; flow:established,from_server; file_data; content:"|63 6c 69 63 6b 5f 75 70 64|"; nocase; content:"|46 6f 6e 74 20 50 61 63 6b|"; nocase; content:"|2e 6a 73 20 66 69 6c 65 20 74 6f 20 73 74 61 72 74 20 74 68 65 20 69 6e 73 74 61 6c 6c 61 74 69 6f 6e 20 70 72 6f 63 65 73 73 2e|"; nocase; reference:url,malware-traffic-analysis.net/2017/11/12/index.html; classtype:social-engineering; sid:2024985; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family SocEng, performance_impact Low, signature_severity Major, updated_at 2017_11_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP shell browser vulnerability W9x/XP"; flow: from_server,established; content:"shell|3a|windows"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000519; classtype:pup-activity; sid:2000519; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lazarus FALLCHILL Fake SSL Checkin 1"; flow:established; dsize:13; content:"|17 03 01 00 08|"; depth:5; content:"|88 4d 76|"; distance:5; within:3; fast_pattern; pcre:"/[\x04\x06]\x88\x4d\x76$/"; reference:url,www.us-cert.gov/ncas/alerts/TA17-318A; classtype:command-and-control; sid:2024990; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_13, deployment Perimeter, former_category MALWARE, malware_family FALLCHILL, performance_impact Low, signature_severity Critical, tag Lazarus, updated_at 2017_11_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP shell browser vulnerability NT/2K"; flow: from_server,established; content:"shell|3a|winnt"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000520; classtype:pup-activity; sid:2000520; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> any any (msg:"ET MALWARE Lazarus FALLCHILL Fake SSL Checkin 2"; flow:established; dsize:13; content:"|17 03 01 00 08|"; depth:5; content:"|63 70 7b|"; distance:5; within:3; fast_pattern; pcre:"/[\xb0\xb2]\x63\x70\x7b$/"; reference:url,www.us-cert.gov/ncas/alerts/TA17-318A; classtype:command-and-control; sid:2024992; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category MALWARE, malware_family FALLCHILL, performance_impact Low, signature_severity Critical, tag Lazarus, updated_at 2017_11_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bargain Buddy"; flow: to_server,established; content:"/download/bargin_buddy"; nocase; http_uri; reference:url,www.doxdesk.com/parasite/BargainBuddy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000574; classtype:pup-activity; sid:2000574; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Type Confusion Microsoft Edge (CVE-2017-11873)"; flow:established,from_server; file_data; content:"[1.1, 2.2"; fast_pattern; pcre:"/^(?:\]|, 3\.3\])\x3b/R"; content:"Array(100)"; content:"i = 0|3b| i < 100"; content:"function opt("; reference:url,raw.githubusercontent.com/theori-io/pwnjs/master/examples/CVE-2017-11873.js; reference:cve,2017-11873; classtype:attempted-user; sid:2024993; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_15, deployment Perimeter, former_category WEB_CLIENT, performance_impact Significant, signature_severity Major, updated_at 2017_11_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop At Home Select.com Install Attempt"; flow: to_server,established; content:"/mindset/bunsetup.cab"; nocase; http_uri; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000580; classtype:pup-activity; sid:2000580; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PWNJS JS Constructs"; flow:established,from_server; file_data; content:"base_lo"; content:"base_hi"; content:"fake_object"; fast_pattern; pcre:"/^\s*?\[\s*?\d/Rs"; content:"i32"; pcre:"/^\s*?\[\s*?\d/Rs"; content:"f64"; pcre:"/^\s*?\[\s*?\d/Rs"; content:"array_addr"; reference:url,raw.githubusercontent.com/theori-io/pwnjs/; classtype:attempted-user; sid:2024994; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_15, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Major, updated_at 2017_11_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Shop At Home Select.com Install Download"; flow: from_server,established; content:"|ab 3b d4 97 d4 a7 b4 1d da 6e 6d 0f f4 aa 4f|"; content:"|46 b3 3b 8b 38 cc 2c 2a a4 c3 07 67 67 df 65 41|"; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000581; classtype:pup-activity; sid:2000581; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Double Base64 Unicode Net.ServicePointManager M1"; flow:established,from_server; file_data; content:"VwB3AEIATwBBAEcAVQBBAGQAQQBBAHUAQQBGAE0AQQBaAFEAQgB5AEEASABZAEEAYQBRAEIAagBBAEcAVQBBAFUAQQBCAHYAQQBHAGsAQQBiAGcAQgAw"; reference:md5,45b0e5a457222455384713905f886bd4; classtype:trojan-activity; sid:2023944; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP F1Organizer Reporting"; flow: to_server,established; content:"/f1/audit/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000582; classtype:pup-activity; sid:2000582; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Double Base64 Unicode Net.ServicePointManager M2"; flow:established,from_server; file_data; content:"cAdwBCAE8AQQBHAFUAQQBkAEEAQQB1AEEARgBNAEEAWgBRAEIAeQBBAEgAWQBBAGEAUQBCAGoAQQBHAFUAQQBVAEEAQgB2AEEARwBrAEEAYgBnAEIAM"; reference:md5,45b0e5a457222455384713905f886bd4; classtype:trojan-activity; sid:2023945; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mindset Interactive Install (1)"; flow: to_server,established; content:"/mindset5/data"; nocase; http_uri; reference:url,www.mindsetinteractive.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000583; classtype:pup-activity; sid:2000583; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Double Base64 Unicode Net.ServicePointManager M3"; flow:established,from_server; file_data; content:"XAHcAQgBPAEEARwBVAEEAZABBAEEAdQBBAEYATQBBAFoAUQBCAHkAQQBIAFkAQQBhAFEAQgBqAEEARwBVAEEAVQBBAEIAdgBBAEcAawBBAGIAZwBCAD"; reference:md5,45b0e5a457222455384713905f886bd4; classtype:trojan-activity; sid:2023946; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mindset Interactive Install (2)"; flow: to_server,established; content:"/mindset/data"; nocase; http_uri; reference:url,www.mindsetinteractive.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000584; classtype:pup-activity; sid:2000584; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Base64 Unicode WebClient DownloadString M1"; flow:established,from_server; file_data; content:"VwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZ"; reference:md5,2a0df97277ddb361cecf8726df6d78ac; classtype:trojan-activity; sid:2023941; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP F1Organizer Install Attempt"; flow: to_server,established; content:"/f1/objects/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000585; classtype:pup-activity; sid:2000585; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Base64 Unicode WebClient DownloadString M2"; flow:established,from_server; file_data; content:"VwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZ"; reference:md5,2a0df97277ddb361cecf8726df6d78ac; classtype:trojan-activity; sid:2023942; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpywareLabs VirtualBouncer Seeking Instructions"; flow: to_server,established; content:"instructions"; nocase; pcre:"/instructions\/\d{2}\.xml/mi"; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.virtualbouncer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000587; classtype:pup-activity; sid:2000587; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Base64 Unicode WebClient DownloadString M3"; flow:established,from_server; file_data; content:"XAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBn"; reference:md5,2a0df97277ddb361cecf8726df6d78ac; classtype:trojan-activity; sid:2023943; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TopMoxie Reporting Data to External Host"; flow: to_server,established; content:"/downloads/record_download.asp"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/downloads\/record_download\.asp/i"; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000588; classtype:pup-activity; sid:2000588; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY PTsecurity Remote Desktop AeroAdmin Server Hello"; flow:established,to_client; dsize:9; stream_size:client,=,1; stream_size:server,=,10; content:"|05 00 00 00 00 ff ff ff ff|"; depth:9; fast_pattern; classtype:policy-violation; sid:2025008; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2017_11_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TopMoxie Retrieving Data (downloads)"; flow: to_server,established; content:"/external/builds/downloads2/"; http_uri; nocase; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000589; classtype:pup-activity; sid:2000589; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY PTsecurity Remote Desktop AeroAdmin handshake"; flow:established,to_server; content:"|e1 00 00 00 00|"; depth:5; content:"|0b 00 00 d8 00 00 00 4d 49 47 64 4d 41|"; distance:1; within:13; fast_pattern; threshold: type limit, track by_src, count 1, seconds 30; classtype:policy-violation; sid:2025009; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2017_11_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TopMoxie Retrieving Data (common)"; flow: to_server,established; content:"/external/builds/common/"; http_uri; nocase; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000590; classtype:pup-activity; sid:2000590; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
 
-alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Possible NanoCore C2 60B"; flow:established,to_server; dsize:60; content:"|38 00 00 00|"; depth:5; pcre:"/^(?!.{0,56}\x00.{0,55}\x00.{0,54}\x00.{0,53}\x00)(?!.{0,54}\x00{2})(?!.{0,50}[A-Za-z0-9]{5})(?!(?P<b1>.).{0,53}(?P=b1).{0,52}(?P=b1).{0,51}(?P=b1).{0,50}(?P=b1))(?!.(?P<b2>.).{0,52}(?P=b2).{0,51}(?P=b2).{0,50}(?P=b2).{0,49}(?P=b2))(?!..(?P<b3>.).{0,51}(?P=b3).{0,50}(?P=b3).{0,49}(?P=b3).{0,48}(?P=b3))(?!...(?P<b4>.).{0,50}(?P=b4).{0,49}(?P=b4).{0,48}(?P=b4).{0,47}(?P=b4))(?!....(?P<b5>.).{0,49}(?P=b5).{0,48}(?P=b5).{0,47}(?P=b5).{0,46}(?P=b5))(?!.....(?P<b6>.).{0,48}(?P=b6).{0,47}(?P=b6).{0,46}(?P=b6).{0,45}(?P=b6))(?!......(?P<b7>.).{0,47}(?P=b7).{0,46}(?P=b7).{0,45}(?P=b7).{0,44}(?P=b7))(?!.......(?P<b8>.).{0,46}(?P=b8).{0,45}(?P=b8).{0,44}(?P=b8).{0,43}(?P=b8))(?!........(?P<b9>.).{0,45}(?P=b9).{0,44}(?P=b9).{0,43}(?P=b9).{0,42}(?P=b9))(?!.........(?P<b10>.).{0,44}(?P=b10).{0,43}(?P=b10).{0,42}(?P=b10).{0,41}(?P=b10))/Rs"; classtype:command-and-control; sid:2025019; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MALWARE, malware_family NanoCore, tag Nanocore, updated_at 2017_11_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Binet Ad Retrieval"; flow: to_server,established; content:"/bba/flashimages/"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000593; classtype:pup-activity; sid:2000593; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Upatre Header Structure"; flow:to_server,established; content:"GET"; http_method; content:"Accept|3a 20|text/*,|20|application/*|0d 0a|User-Agent|3a 20|"; http_header; depth:44; fast_pattern; content:!"Mozilla"; within:7; http_header; content:"|0d 0a|Host|3a 20|"; distance:0; http_header; content:!"Taitus"; http_header; content:!"Sling/"; http_header; pcre:"/\r\nHost\x3a[^\r\n]+\r\n(?:Pragma|Cache-Control)\x3a\x20no-cache\r\n(?:Connection\x3a Keep-Alive\r\n)?(?:\r\n)?$/H"; classtype:trojan-activity; sid:2018394; rev:8; metadata:created_at 2014_04_16, former_category TROJAN, updated_at 2022_03_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gator New Code Download"; flow: to_server,established; content:"/gatorcme/"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000597; classtype:pup-activity; sid:2000597; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Possible VirLock Connectivity Check"; flow:established,to_server; dsize:36; content:"GET / HTTP/1.1|0d 0a|Host|3a 20|google.com|0d 0a 0d 0a|"; fast_pattern; threshold:type both,track by_src,count 2,seconds 10; reference:md5,94c9c2fddc99217e310d5c687adfc2f7; classtype:trojan-activity; sid:2020022; rev:3; metadata:created_at 2014_12_23, former_category TROJAN, updated_at 2022_03_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products Install"; flow: to_server,established; content:"/install_ie.jsp?product="; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000599; classtype:pup-activity; sid:2000599; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Email Attachment Possibly Related to Mydoom.L@mm"; flow:established,to_server; content:"Subject|3a 20|"; nocase; content:"mail"; nocase; within:34; content:"name|3d 22|"; pcre:"/name\x3d\x22(message|letter|.*lebanon\x2donline\x2ecom\x2elb)?\x2ezip\x22\x0d\x0a/"; reference:md5,28110a8ea5c13859ddf026db5a8a864a; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-071915-0829-99&tabid=2; classtype:trojan-activity; sid:2012932; rev:8; metadata:created_at 2011_06_06, updated_at 2011_06_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyWebSearch Toolbar Receiving Configuration"; flow: to_server,established; content:"/speedbar/mySpeedbarCfg"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000600; classtype:pup-activity; sid:2000600; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Signed TLS Certificate with md5WithRSAEncryption"; flow:established,from_server; content:"|16 03 01|"; depth:3; content:"|02|"; distance:2; within:1; byte_jump:3,0,relative,big; content:"|16 03 01|"; within:3; content:"|0b|"; distance:2; within:2; content:"|30 82|"; distance:9; within:2; content:"|30 82|"; distance:2; within:2; content:"|a0 03 02 01 02 02|"; distance:2; within:6; byte_jump:1,0,relative,big; content:"|30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00|"; within:15; reference:url,www.win.tue.nl/hashclash/rogue-ca/; reference:url,ietf.org/rfc/rfc3280.txt; reference:url,jensign.com/JavaScience/GetTBSCert/index.html; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; reference:url,news.netcraft.com/archives/2012/08/31/governments-and-banks-still-using-weak-md5-signed-ssl-certificates.html; classtype:misc-activity; sid:2015686; rev:3; metadata:created_at 2012_09_07, updated_at 2012_09_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Salongas Infection"; flow: to_server,established; content:"/sp.htm?id="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000601; classtype:pup-activity; sid:2000601; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ET.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_11_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Configuration Access"; flow: to_server,established; content:"/oss/remoteconfig.asp"; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000902; classtype:pup-activity; sid:2000902; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ET.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_11_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Avres Agent Receiving Instructions"; flow: to_server,established; content:"/ie/updatenew/"; http_uri; content:"CONFIG"; nocase; reference:url,www.avres.net; reference:url,ar.avres.net/ie/updatenew/; reference:url,doc.emergingthreats.net/bin/view/Main/2000903; classtype:pup-activity; sid:2000903; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jan 27 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:>5; content:"/?3b"; http_uri; depth:4; pcre:"/^\/\?3b[A-Z0-9a-z]{2}(&subid=[^&]*)?$/U"; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:exploit-kit; sid:2022464; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com App and Search Bar Install (1)"; flow: to_server,established; content:"/vsn/ISA/"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000908; classtype:pup-activity; sid:2000908; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 24 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:7; content:"/xLMCJ4"; http_uri; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:exploit-kit; sid:2025038; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_26, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2017_11_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com App and Search Bar Install (2)"; flow: to_server,established; content:"/Appinstall?app=VVSN"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000909; classtype:pup-activity; sid:2000909; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 29 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:5; content:"/5c2C"; http_uri; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:exploit-kit; sid:2025039; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2017_11_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Clock Sync App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=clock"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000910; classtype:pup-activity; sid:2000910; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Exim4 UAF Attempt (BDAT with non-printable chars)"; flow:established,to_server; content:"BDAT"; depth:5; pcre:"/^\s*\d*[^\x20-\x7e\r\n\t]/R"; reference:url,lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html; classtype:attempted-admin; sid:2025063; rev:3; metadata:attack_target SMTP_Server, created_at 2017_11_27, deployment Internal, deployment Datacenter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_11_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Weather App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=weather"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000911; classtype:pup-activity; sid:2000911; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SMTP Abuseat.org Block Message"; flow:established,from_server; content:"abuseat.org"; classtype:not-suspicious; sid:2012982; rev:4; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Clock Sync App Checkin (1)"; flow: to_server,established; content:"/clock?id="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000912; classtype:pup-activity; sid:2000912; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Brazilian Banker SSL Cert"; flow:established,from_server; tls_cert_subject; content:"CN=robervalmotores.com.br"; fast_pattern; nocase; classtype:trojan-activity; sid:2025076; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_11_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Clock Sync App Checkin (2)"; flow: to_server,established; content:"/clockDB"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000913; classtype:pup-activity; sid:2000913; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp any any -> any [139,445] (msg:"ET NETBIOS Tree Connect AndX Request IPC$ Unicode"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; content:"| 00 5c 00 69 00 70 00 63 00 24 00 00 00|"; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; reference:cve,2006-4691; classtype:protocol-command-decode; sid:2025090; rev:2; metadata:created_at 2016_06_14, former_category NETBIOS, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Weather App Checkin (1)"; flow: to_server,established; content:"/weatherDB"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000914; classtype:pup-activity; sid:2000914; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Bladabindi/njRAT (Dd19271927)"; flow:established,to_server; content:"|00|llDd19271927"; fast_pattern; offset:2; depth:14; dsize:<512; reference:md5,18fcc5f04f74737ca8a3fcf65a45629c; classtype:trojan-activity; sid:2025077; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family njrat, performance_impact Moderate, signature_severity Major, updated_at 2017_11_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Weather App Checkin (2)"; flow: to_server,established; content:"/weather?id="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000915; classtype:pup-activity; sid:2000915; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious Doc Downloading EXE"; flow:established,from_server; flowbits:isset,ET.MalDocEXEPrimer; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2020838; rev:3; metadata:created_at 2015_04_03, former_category CURRENT_EVENTS, updated_at 2015_04_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com WhenUSave App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=whenusave"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000916; classtype:pup-activity; sid:2000916; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Linksys Router Returning Device Settings To External Source"; flow:established,from_server; file_data; content:"<GetDeviceSettingsResponse>"; content:"<GetDeviceSettingsResult>"; content:"<ModelName>"; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Summary+What+we+know+so+far/17633; classtype:attempted-admin; sid:2018136; rev:3; metadata:created_at 2014_02_14, former_category CURRENT_EVENTS, updated_at 2017_11_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com WhenUSave Data Retrieval (offersdata)"; flow: to_server,established; content:"/OffersDataGZ?update="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000917; classtype:pup-activity; sid:2000917; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET [23,2323] (msg:"ET EXPLOIT Actiontec C1000A backdoor account M1"; flow:established,to_server; content:"QwestM0dem"; fast_pattern; metadata: former_category EXPLOIT; classtype:attempted-admin; sid:2025080; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2017_11_28, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2017_11_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Desktop Bar Install"; flow: to_server,established; content:"/Appinstall?app=desktop"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000918; classtype:pup-activity; sid:2000918; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET [23,2323] (msg:"ET EXPLOIT Actiontec C1000A backdoor account M2"; flow:established,to_server; content:"CenturyL1nk"; fast_pattern; classtype:attempted-admin; sid:2024980; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2017_11_13, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Critical, updated_at 2017_11_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com WhenUSave Data Retrieval (Searchdb)"; flow: to_server,established; content:"/SearchDB?update="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000919; classtype:pup-activity; sid:2000919; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Atraps Receiving Config via Image File (steganography)"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"|FF D9 23|"; distance:0; content:"$|3a|1|3a|$"; distance:0; fast_pattern; pcre:"/^[A-Za-z0-9+/=]+\x24\x3a\d+\x3a\x24$/R"; reference:md5,3dce01df285b3570738051672664068d; classtype:trojan-activity; sid:2025070; rev:3; metadata:created_at 2016_04_06, former_category TROJAN, updated_at 2017_11_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Install (1)"; flow: to_server,established; content:"/install/startInstallprocess.asp?"; nocase; http_uri; content: "Defau"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000920; classtype:pup-activity; sid:2000920; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SMTP Spamcop.net Block Message"; flow:established,from_server; content:"spamcop.net"; classtype:not-suspicious; sid:2012983; rev:3; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Install (2)"; flow: to_server,established; content:"/install/process/upsale/hotbar"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000921; classtype:pup-activity; sid:2000921; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain"; dns_query; content:"6dtxgqam4crv6rr6"; nocase; depth:16; reference:md5,b06d9dd17c69ed2ae75d9e40b2631b42; classtype:trojan-activity; sid:2022548; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Install (3)"; flow: to_server,established; content:"/installs/hotbar/programs/"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000922; classtype:pup-activity; sid:2000922; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to Pseudo Random Domain for Web Malware (.mynumber.org)"; dns_query; content:".mynumber.org"; nocase; isdataat:!1,relative; pcre:"/^[acdefghijlmopqrtwz]{16}\.mynumber\.org$/"; reference:url,blog.lab69.com/2012/12/another-implementation-of-pseudo-random.html; classtype:bad-unknown; sid:2018766; rev:3; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Reporting Information"; flow: to_server,established; content:"POST"; nocase; http_method; content:"/reports/hotbar/"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000923; classtype:pup-activity; sid:2000923; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download By Vulnerable Client"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"PK"; depth:2; classtype:trojan-activity; sid:2014473; rev:5; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Upgrading"; flow: to_server,established; content:"/updates/hotbar/"; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000924; classtype:pup-activity; sid:2000924; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UBoatRAT CnC Check-in"; flow:established,to_server; dsize:>48; content:"|bc b0 b0 88 88 88 88 88 88 88 88 88|"; depth:12; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/; classtype:command-and-control; sid:2025093; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_01, deployment Perimeter, former_category MALWARE, malware_family UBoatRAT, performance_impact Low, signature_severity Major, updated_at 2017_12_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Partner Checkin"; flow: to_server,established; content:"/partners/"; nocase; http_uri; content:"partners.xip"; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000925; classtype:pup-activity; sid:2000925; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; ssh_proto; content:"PUTTY"; threshold: type limit, track by_src, count 1, seconds 30; classtype:network-scan; sid:2019876; rev:6; metadata:created_at 2014_12_05, former_category SCAN, updated_at 2017_12_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ISearchTech.com XXXPornToolbar Reporting"; flow: to_server,established; content:"/ist/scripts/log_downloads.php"; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000927; classtype:pup-activity; sid:2000927; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible MyEtherWallet Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>"; nocase; content:"MyEtherWallet.com"; within:30; nocase; fast_pattern; classtype:social-engineering; sid:2025140; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ISearchTech.com XXXPornToolbar Activity (1)"; flow: to_server,established; content:"/ist/bars/"; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000928; classtype:pup-activity; sid:2000928; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Netwire RAT Client HeartBeat C1 (no alert)"; flow:established,to_server; dsize:5; content:"|01 00 00 00|"; depth:4; flowbits:set,ET.Netwire.HB; flowbits:noalert; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,9475f91a426ac45d1f074373034cbea6; classtype:trojan-activity; sid:2018281; rev:4; metadata:created_at 2014_03_14, updated_at 2014_03_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Activity"; flow: to_server,established; content:"/dynamic/hotbar/"; nocase; http_uri; threshold: type limit, count 1, track by_src, seconds 360; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000929; classtype:pup-activity; sid:2000929; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Server Welcome Packet"; flow:established,from_server; dsize:12; content:"|01 00 00 00|"; depth:4; flowbits:set,ET.gadu.welcome; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008297; classtype:policy-violation; sid:2008297; rev:5; metadata:created_at 2010_07_30, former_category CHAT, updated_at 2017_12_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Traffic"; flow: to_server,established; content:"/cc/"; http_uri; content:"Host|3a| update.cc.cometsystems.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2000931; classtype:pup-activity; sid:2000931; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY IP Check Response (rl. ammyy. com)"; flow:to_client,established; file_data; content:"Your IP="; depth:8; content:", country = "; distance:0; isdataat:!3,relative; classtype:policy-violation; sid:2025150; rev:1; metadata:created_at 2017_12_13, updated_at 2017_12_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Keenvalue Update Engine"; flow: to_server,established; content:"Host|3a|secure.keenvalue.com"; http_header; content:"|0d0a|Extension|3a|Remote-Passphrase"; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2003-11-24; reference:url,doc.emergingthreats.net/bin/view/Main/2000932; classtype:pup-activity; sid:2000932; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious Fake JS Lib Inject"; flow:established,from_server; file_data; content:".min.php"; nocase; pcre:"/^(?P<q>[\x22\x27])\+(?P=q)\?(?P=q)\+(?P=q)/R"; content:"default_keyword="; within:2500; fast_pattern; content:"<"; within:2500; content:!"/script>"; within:8; pcre:"/^[\x22\x27+\s]*\/[\x22\x27+\s]*s[\x22\x27+\s]*c[\x22\x27+\s]*r[\x22\x27+\s]*i[\x22\x27+\s]*p[\x22\x27+\s]*t[\x22\x27+\s]*>/Rsi"; classtype:trojan-activity; sid:2025151; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_12_15, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_12_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP FlashTrack Agent Retrieving New App Code"; flow: to_server,established; content:"/apps/r.exe"; http_uri; reference:url,www.flashpoint.bm; reference:url,doc.emergingthreats.net/bin/view/Main/2000936; classtype:pup-activity; sid:2000936; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC)"; flow:established,to_client; tls_cert_subject; content:"C=AU, ST=f2tee4, L=gf23et65adt, O=tg4r6tds, OU=rst, CN=rvgvtfdf"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2025155; rev:1; metadata:attack_target Client_and_Server, created_at 2017_12_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_12_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products SmileyCentral"; flow: to_server,established; content:"/images/smileycentral/"; nocase; http_uri; content:"FunWebProducts"; nocase; http_header; fast_pattern; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001013; classtype:pup-activity; sid:2001013; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Trickbot/Dyre Serial Number in SSL Cert"; flow:established,to_client; tls_cert_serial; content:"89:BF:80:13:42:0A:2E:F5"; classtype:trojan-activity; sid:2025156; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Trickbot, updated_at 2017_12_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SideStep Bar Install"; flow: to_server,established; content:"/servlet/sbinstservlet"; nocase; http_uri; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001016; classtype:pup-activity; sid:2001016; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Fedex Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>FEDEX|20 7c 20|Tracking</TITLE>"; fast_pattern; nocase; classtype:social-engineering; sid:2025158; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SideStep Bar Reporting Data"; flow: to_server,established; content:"/servlet/sblogservlet"; nocase; http_uri; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001017; classtype:pup-activity; sid:2001017; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Halkbank (TK) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>|48 61 6c 6b 62 61 6e 6b 20 c4 b0 6e 74 65 72 6e 65 74 20 c5 9e 75 62 65 73 69|</title>"; nocase; classtype:social-engineering; sid:2025159; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casino on Net Ping Hit"; flow: to_server,established; content:"/Ping/Ping.txt"; nocase; http_uri; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001032; classtype:pup-activity; sid:2001032; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Ziraat Bank (TK) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>|20 48 6f c5 9f 67 65 6c 64 69 6e 69 7a 20 7c 20 5a 69 72 61 61 74 20 42 61 6e 6b 61 73 c4 b1|"; nocase; classtype:social-engineering; sid:2025160; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casino on Net Data Download"; flow: to_server,established; content:"/sdl/casinov"; nocase; http_uri; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001033; classtype:pup-activity; sid:2001033; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image M4"; flow:established,from_server; http_content_type; content:"image/jpeg"; depth:10; isdataat:!1,relative; file_data; content:"This program must be run under Win"; within:125; fast_pattern; classtype:trojan-activity; sid:2025161; rev:2; metadata:created_at 2017_12_21, former_category TROJAN, updated_at 2017_12_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Ebates Install"; flow: to_server,established; content:"/ebates.exe"; http_uri; reference:url,www.pestpatrol.com/PestInfo/e/ebates_moneymaker.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001038; classtype:pup-activity; sid:2001038; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Windows executable sent when remote host claims to send an image M2"; flow: established,from_server; http_content_type; content:"image/jpeg"; depth:10; isdataat:!1,relative; file_data; content:"MZ"; within:2; content:"!This program"; distance:0; fast_pattern; classtype:pup-activity; sid:2020757; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2017_12_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casino on Net Install"; flow: to_server,established; content:"/newdownload/newsetup/"; nocase; http_uri; content:"casinone"; nocase; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001041; classtype:pup-activity; sid:2001041; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2017-12-26"; flow:established,to_client; file_data; content:"&Rho|3b|ay&Rho|3b|aI</title>"; within:200; classtype:social-engineering; sid:2025173; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP UPX encrypted file download possible malware"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|00|code|00|"; content:"|00 C0|text|00|"; reference:url,doc.emergingthreats.net/2001047; classtype:pup-activity; sid:2001047; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible YapiKredi Bank (TR) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Bireysel|20 c4 b0|nternet|20 c5 9e|ubesi|20 7c 20|Yap|c4 b1 20|Kredi</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2024583; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_16, deployment Internet, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CometSystems Spyware"; flow: to_server,established; content:"/comet/request"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001050; classtype:pup-activity; sid:2001050; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-03"; flow:from_server,established; file_data; content:"L&#959|3b|g|20|in|20|t&#959|3b 20|y&#959|3b|ur|20|&Rho|3b|ay&Rho|3b|aI|20|acc&#959|3b|unt"; nocase; depth:300; classtype:social-engineering; sid:2025181; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Twaintec Download Attempt"; flow: to_server,established; content:"/downloads/cabs/TWTDLL/twaintec.cab"; nocase; http_uri; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001198; classtype:pup-activity; sid:2001198; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Malicious Authline Seen After CVE-2017-10271 Exploit"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|4AQe5sAFWZKECiaeNTt59LG7kVtqRoSRJMjrmQ6GiMFAeUvoL3MFeTE6zwwHkFPrAyNw2JHDxUSWL82RiZThPpk4SEg7Vqe|22 2c 20 22|"; distance:0; reference:url,otx.alienvault.com/pulse/5a4e1c4993199b299f90a212; classtype:coin-mining; sid:2025186; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, deployment Datacenter, former_category COINMINER, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2018_01_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Twaintec Ad Retrieval"; flow: to_server,established; content:"/twain/servlet/Twain?adcontext="; nocase; http_uri; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001199; classtype:pup-activity; sid:2001199; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET 20000: -> $HOME_NET 1024: (msg:"ET MALWARE Sourtoff Receiving Simda Payload"; flow:established,from_server; flowbits:isset,ET.TROJAN.Sourtoff; dsize:1300<>1500; content:"|0a c0|"; depth:2; reference:md5,5469af0daa10f8acbe552cd2f1f6a6bb; classtype:trojan-activity; sid:2019313; rev:3; metadata:created_at 2014_09_29, former_category TROJAN, updated_at 2018_01_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Twaintec Reporting Data"; flow: to_server,established; content:"/downloads/record_download.asp"; nocase; http_uri; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001216; classtype:pup-activity; sid:2001216; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE WSO - WebShell Activity - WSO Title"; flow:established,to_client; file_data; content:"<title>"; content:" - WSO "; fast_pattern; distance:0; content:"</title>"; distance:0; classtype:attempted-user; sid:2015905; rev:3; metadata:created_at 2012_11_21, former_category CURRENT_EVENTS, updated_at 2018_01_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP F1Organizer Config Download"; flow: to_server,established; content:"/F1/Cmd4F1"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001221; classtype:pup-activity; sid:2001221; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_enumerrorlogs access"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|e|00|r|00|r|00|o|00|r|00|l|00|o|00|g|00|s|00|"; nocase; reference:url,doc.emergingthreats.net/2010001; classtype:attempted-user; sid:2010001; rev:4; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2018_01_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Regnow.com Gamehouse.com Access"; flow: to_server,established; content:"/affiliates/template.jsp?"; nocase; http_uri; content:"AID="; nocase; http_uri; reference:url,www.gamehouse.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001224; classtype:pup-activity; sid:2001224; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_readerrorlogs access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|a|00|d|00|e|00|r|00|r|00|o|00|r|00|l|00|o|00|g|00|s|00|"; nocase; reference:url,doc.emergingthreats.net/2010002; classtype:attempted-user; sid:2010002; rev:5; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2018_01_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Statblaster Receiving New configuration (update)"; flow: to_server,established; content:"/updatestats/update"; nocase; http_uri; content:".xml"; nocase; http_uri; content:"update"; depth:6; http_user_agent; content:"statblaster"; http_header; fast_pattern:only; pcre:"/\/updatestats\/update\d+?\.xml$/U"; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001225; classtype:pup-activity; sid:2001225; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_enumdsn access"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|d|00|s|00|n|00|"; nocase; reference:url,doc.emergingthreats.net/2010003; classtype:attempted-user; sid:2010003; rev:5; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2018_01_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advertising.com Data Post (villains)"; flow: to_server,established; content:"/Games/villains.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001228; classtype:pup-activity; sid:2001228; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download Non-HTTP"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; app-layer-protocol:!http; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2000419; rev:24; metadata:created_at 2010_07_30, former_category POLICY, performance_impact Significant, updated_at 2018_01_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advertising.com Data Post (cakedeal)"; flow: to_server,established; content:"/Games/cakedeal.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001230; classtype:pup-activity; sid:2001230; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (groupdive. com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|groupdive|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021659; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent Agent Installation"; flow: to_server,established; content:"/Recovery/Checkin.aspx?version"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001307; classtype:pup-activity; sid:2001307; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing 2018-01-12"; flow:from_server,established; file_data; content:"var ListEntries"; nocase; content:"|27 2e 2a 66 75 63 6b 2e 2a 27 2c|"; within:50; content:"|27 2e 2a 70 75 73 73 79 2e 2a 27 2c|"; distance:0; content:"|27 2e 2a 6e 69 63 65 2e 2a 74 72 79 2e 2a 27|"; distance:0; classtype:social-engineering; sid:2025685; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet Optomizer Reporting Data"; flow: to_server,established; content:"/io/downloads/"; nocase; http_uri; content:"/wsi8/optimize"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001308; classtype:pup-activity; sid:2001308; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> [82.163.143.135,82.163.142.137] any (msg:"ET MALWARE OSX/Mami Possible DNS Query to Evil DNS Server"; threshold:type limit, track by_src, count 1, seconds 60; reference:md5,8482fc5dbc6e00da151bea3eba61e360; reference:url,objective-see.com/blog/blog_0x26.html; classtype:trojan-activity; sid:2025200; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_01_16, deployment Perimeter, former_category TROJAN, malware_family Mami, performance_impact Moderate, signature_severity Major, updated_at 2018_01_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent Agent Checking In"; flow: to_server,established; content:"/CDADeliveries/Checkin.aspx"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001309; classtype:pup-activity; sid:2001309; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Dropbox"; nocase; within:25; content:"Select Your Email Provider"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025206; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent Agent Traffic"; flow: to_server,established; content:"/CDAFiles/DP/SysConfig"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001310; classtype:pup-activity; sid:2001310; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Chase"; nocase; within:25; content:"WYSIWYG Web Builder"; nocase; distance:0; content:"folling information about yourself"; nocase; fast_pattern; classtype:social-engineering; sid:2025207; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Rdxrp.com Traffic"; flow: to_server,established; content:"/rdxr020304.dat"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001311; classtype:pup-activity; sid:2001311; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:"background-color|3a 20|rgb(235, 60, 0)"; fast_pattern; nocase; within:200; content:"$Config={|22|scid|22 3a|"; nocase; distance:0; content:"secure.aadcdn.microsoftonline-p.com"; nocase; distance:0; content:"<title"; nocase; distance:0; content:"Sign in to your account"; nocase; within:50; classtype:social-engineering; sid:2025208; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Traffic Syndicate Add/Remove"; flow: to_server,established; content:"/Support/AddRemove.aspx?id="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001313; classtype:pup-activity; sid:2001313; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:"<title>Chase"; nocase; fast_pattern; content:"googlebot|22 20|content=|22|noindex"; nocase; distance:0; content:"function unhideBody()"; nocase; distance:0; content:"type=|22|password"; nocase; distance:0; classtype:social-engineering; sid:2025210; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent Agent"; flow: to_server,established; content:"/CDAFiles/"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001314; classtype:pup-activity; sid:2001314; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-01-18 M1"; flow:established,to_client; file_data; content:"<title>Bank of America"; nocase; fast_pattern; content:"WYSIWYG Web Builder"; nocase; within:200; content:"Untitled1.css"; nocase; within:300; classtype:social-engineering; sid:2025211; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Traffic Syndicate Agent Updating (1)"; flow: to_server,established; content:"/TbLinkConfig.asmx"; nocase; http_uri; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001315; classtype:pup-activity; sid:2001315; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-01-18 M2"; flow:established,to_client; file_data; content:"<title>Confirm Your Account"; nocase; fast_pattern; content:"WYSIWYG Web Builder"; nocase; within:200; content:"Untitled1.css"; nocase; distance:0; classtype:social-engineering; sid:2025212; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Traffic Syndicate Agent Updating (2)"; flow: to_server,established; content:"/TbInstConfig.asmx"; nocase; http_uri; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001316; classtype:pup-activity; sid:2001316; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Chase Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>chase online - confirm</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2025213; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Webhancer Data Upload"; flow: from_server,established; content:"WebHancer Authority Server"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001317; classtype:pup-activity; sid:2001317; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-18 M2"; flow:established,to_client; file_data; content:"<title>Log in to your PayPal account</title>"; fast_pattern; nocase; content:"<form action=|22|webscr.php?cmd=_"; nocase; distance:0; classtype:social-engineering; sid:2025215; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2018_01_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Speedera Agent (Specific)"; flow: to_server,established; content:"/io/downloads/3/wsem302.dl"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001321; classtype:pup-activity; sid:2001321; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Questionnaire Phishing Landing 2018-01-19"; flow:established,to_client; file_data; content:"<title>Questionnaire</title>"; nocase; fast_pattern; content:"assets/css/theDocs.all.min.css"; nocase; distance:0; content:"<h3>DOCUMENT MANAGEMENT SYSTEM"; distance:0; classtype:social-engineering; sid:2025226; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent New Install"; flow: to_server,established; content:"/NewUser/Checkin.aspx"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001322; classtype:pup-activity; sid:2001322; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email Verification/Upgrade Phishing Landing 2018-01-22"; flow:established,to_client; file_data; content:"<title>Email Verification</title>"; nocase; fast_pattern; content:"Sign in to upgrade your mailbox"; nocase; distance:0; content:"Mail Admin"; nocase; distance:0; classtype:social-engineering; sid:2025229; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Ezula Installer Download"; flow: from_server,established; content:"|65 5a 75 6c 61 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 00 49|"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001335; classtype:pup-activity; sid:2001335; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Multiple Javascript Unescapes - Common Obfuscation Observed in Phish Landing"; flow:established,to_client; file_data; content:"document.write(unescape"; fast_pattern; nocase; within:100; content:"document.write(unescape"; nocase; distance:0; content:"document.write(unescape"; nocase; distance:0; classtype:social-engineering; sid:2025231; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2018_01_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LocalNRD Spyware Checkin"; flow: to_server,established; content:"/a/Drk.syn?"; nocase; http_uri; content: "adcontext"; nocase; http_uri; reference:url,www.localnrd.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; classtype:pup-activity; sid:2001340; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email Server Mobile Security Settings Phishing Landing 2018-01-22"; flow:established,to_client; file_data; file_data; content:"<html>|0d 0a 0d 0a|<script type=|22|text/javascript|22|>|0d 0a|<!--|0d 0a|document.write"; within:100; nocase; content:"3c%68%65%61%64%3e%0d%0a%0d%0a%3c%74%69%74%6c%65%3e%45%6d%61%69%6c%20%53%65%72%76%65%72"; distance:0; content:"<input type=|22|hidden|22 20|name=|22|login|22 20|value=|22|"; nocase; distance:0; content:"User ID|3a 20|<font face=|22|verdana|22 20|size=|22|2|22 20|color=|22|#000000|22|"; nocase; distance:0; classtype:social-engineering; sid:2025232; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OfferOptimizer.com Spyware"; flow: to_server,established; content:"/ctx/keyword_context.php?"; nocase; http_uri; content:"urlContext=http"; nocase; http_uri; reference:url,www.offeroptimizer.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001341; classtype:pup-activity; sid:2001341; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>&#68|3b|&#114|3b|&#111|3b|&#112|3b|&#98|3b|&#111|3b|&#120|3b|</title>"; nocase; within:300; classtype:social-engineering; sid:2025233; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bonziportal Traffic"; flow: to_server,established; content:"/bonziportal/bin/"; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59256; reference:url,doc.emergingthreats.net/bin/view/Main/2001345; classtype:pup-activity; sid:2001345; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Blocked Incoming Emails Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"<title>Retrieval Error</title>"; nocase; fast_pattern; content:"onload=|22|populate()"; nocase; distance:0; content:"<input id=|22|Password|22 20|name=|22|Password"; nocase; distance:0; classtype:social-engineering; sid:2025242; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Access"; flow: to_server,established; content:"proxyhttp|0b|marketscore|03|com"; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001359; classtype:pup-activity; sid:2001359; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ABSA Online Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"setTimeout(function(){top.window.location"; nocase; fast_pattern; content:"<title"; nocase; within:150; content:"Absa Online"; nocase; within:50; classtype:social-engineering; sid:2025243; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet Optimizer Spyware Install"; flow: to_server,established; content:"/internet-optimizer/"; nocase; http_uri; content:"/optimize"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001396; classtype:pup-activity; sid:2001396; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"<title>Facebook</title>"; nocase; content:"Login with Facebook"; nocase; distance:0; content:"Hosted on free web hosting 000webhost.com"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025245; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bfast.com Spyware"; flow: to_server,established; content:"/bfast/serve?bfmid"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001398; classtype:pup-activity; sid:2001398; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LCL Banque et Assurance (FR) Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"<title"; nocase; content:"La Banque Postale|20 e2 80 93 20|La Banque Postale"; fast_pattern; within:80; nocase; content:"background-color|3a 20|#FFFFFF|3b|"; nocase; distance:0; classtype:social-engineering; sid:2025246; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Related Reporting Install"; flow: to_server,established; content:"/count/count.php?&mm"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001416; classtype:pup-activity; sid:2001416; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-25"; flow:established,to_client; file_data; content:"security is our top priority"; nocase; content:"Use us wherever you pay"; fast_pattern; nocase; distance:0; content:"onsubmit=|22|return checkform(this)|3b 22|"; nocase; distance:0; content:"function checkform"; nocase; distance:0; content:"style.backgroundColor=|22|#FF6A6A|22|"; nocase; distance:0; classtype:social-engineering; sid:2025247; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Related Receiving Config"; flow:established,to_server; http.uri; content:"/config/?"; nocase; content:"v=5"; nocase; content:"n=mm2"; nocase; content:"i="; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001417; classtype:pup-activity; sid:2001417; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multi-Email Popupwnd Phishing Landing 2018-01-25"; flow:established,to_client; file_data; content:"function popupwnd(url, "; fast_pattern; nocase; content:"var popupwindow = this.open(url"; nocase; distance:0; content:"your email provider"; nocase; distance:0; content:"'no','no','no','no','no'"; nocase; distance:0; classtype:social-engineering; sid:2025248; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Related Reporting"; flow: to_server,established; content:"/count/count.php?&mm2cpr"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001423; classtype:pup-activity; sid:2001423; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multi-Email Phishing Landing 2018-01-25"; flow:established,to_client; file_data; content:"<title"; nocase; content:"View Document"; nocase; within:30; content:"<a href=|22|eciffo365.php"; nocase; fast_pattern; distance:0; content:"<a href=|22|kooltuo.php"; nocase; distance:0; classtype:social-engineering; sid:2025249; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_24;)
+#alert tcp $EXTERNAL_NET 20 -> $HOME_NET any (msg:"ET ADWARE_PUP Abox Download"; flow:established,to_server; content:"|5c 00 43 00 61 00 72 00 6d 00 65 00 6e 00 00 00 16 00 00 00 73 00 75 00 63|"; nocase; offset:160; depth:26; reference:url,doc.emergingthreats.net/bin/view/Main/2001440; classtype:pup-activity; sid:2001440; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing 2018-01-25"; flow:established,to_client; file_data; content:"<title>Sign in to your account"; nocase; fast_pattern; content:"function LoginErrors(){this.userNameFormatError"; nocase; within:300; classtype:social-engineering; sid:2025250; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Abox Install Report"; flow: to_server,established; content:"&time="; nocase; http_uri; content:"/new_install?id="; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.adultbox.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001441; classtype:pup-activity; sid:2001441; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby Download Secondary Request"; flow:established,to_server; content:".php?t"; http_uri; pcre:"/\.php\?t[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2012401; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Statblaster.MemoryWatcher Download"; flow: to_server,established; content:"/memorywatcher.exe"; http_uri; reference:url,www.memorywatcher.com/eula.aspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001442; classtype:pup-activity; sid:2001442; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Obfuscated Javascript Often Used in the Blackhole Exploit Kit 3"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|<html><body>"; within:500; content:"<script>|0d 0a 09 09 09|"; fast_pattern; within:500; pcre:"/([a-z$+-]{0,4}[0-9.*]+[a-z$+-]{0,4},){24}/R"; classtype:exploit-kit; sid:2013313; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_26, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Overpro Spyware Bundle Install"; flow: to_server,established; content:"Host|3a| download.overpro.com"; nocase; http_header; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/WildApp\.cab/i"; reference:url,www.wildarcade.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001444; classtype:pup-activity; sid:2001444; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Reporting Successful Java Compromise"; flow:established,to_server; content:".php?spl="; http_uri; pcre:"/\.php\?spl=[A-Z]{3}/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013652; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ADWARE_PUP 2nd-thought (W32.Daqa.C) Download"; flow: from_server,established; content:"|67 6f 69 64 72 2e 63 61 62|"; nocase; content:"|48 6f 73 74 3a 20 77 77 77 2e 77 65 62 6e 65 74 69 6e 66 6f 2e 6e 65 74|"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.secondthought.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001447; classtype:pup-activity; sid:2001447; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?b Download Secondary Request"; flow:established,to_server; content:".php?b"; http_uri; pcre:"/\.php\?b[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013664; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wintools Download/Configure"; flow: to_server,established; content:"/WTools"; nocase; http_uri; content:".cab"; nocase; http_uri; reference:url,www.intermute.com/spyware/HuntBar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001450; classtype:pup-activity; sid:2001450; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?n Download Secondary Request"; flow:established,to_server; content:".php?n"; http_uri; pcre:"/\.php\?n[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013665; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bundleware Spyware Download"; flow: to_server,established; content:"/app/InternetFuel/AppWrap.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001451; classtype:pup-activity; sid:2001451; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?page Download Secondary Request"; flow:established,to_server; content:".php?page"; http_uri; pcre:"/^[^?#]+?\.php\?page[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013666; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bundleware Spyware CHM Download"; flow: to_server,established; content:"Referer|3a| ms-its|3a|mhtml|3a|file|3a|//C|3a|counter.mht!http|3a|//"; nocase; content:"/counter/HELP3.CHM|3a 3a|/help.htm"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001452; classtype:pup-activity; sid:2001452; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?doit Download Secondary Request"; flow:established,to_server; content:".php?doit"; http_uri; pcre:"/\.php\?doit[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013788; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_10_20, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Couponage Download"; flow: to_server,established; content:".dl_"; nocase; http_uri; content:"couponage.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001453; classtype:pup-activity; sid:2001453; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Delivering PDF Exploit to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; content:"|0d 0a 0d 0a|%PDF-"; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:exploit-kit; sid:2013960; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Couponage Configure"; flow: to_server,established; content:".da_"; nocase; content:"couponage.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001454; classtype:pup-activity; sid:2001454; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit hostile PDF qwe123"; flow:established,from_server; file_data; content:"/Kids [1 0 R]/"; content:"|0d 0a 09 09|<field qwe=|22|213123|22| name=|22|qwe123|22|"; distance:0; content:"application/x-javascript"; distance:0; classtype:exploit-kit; sid:2013990; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ContextPanel Reporting"; flow: to_server,established; content:"/cplog/?logtype="; nocase; http_uri; content:"contextpanel.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001456; classtype:pup-activity; sid:2001456; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Java Rhino Script Engine Remote Code Execution Attempt"; flow:established,to_client; content:"document.createElement('applet'"; nocase; content:"setAttribute('code"; nocase; distance:0; content:"setAttribute('archive"; nocase; distance:0; content:".jar"; nocase; distance:0; content:"document.createElement('param"; nocase; distance:0; content:"setAttribute('name"; nocase; distance:0; content:"setAttribute('value"; nocase; distance:0; reference:url,blog.eset.com/2011/12/15/spam-campaign-uses-blackhole-exploit-kit-to-install-spyeye; reference:bid,50218; reference:cve,2011-3544; classtype:exploit-kit; sid:2014048; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_30, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bundleware Spyware cab Download"; flow: to_server,established; content:"/counter/counter_v3.cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001458; classtype:pup-activity; sid:2001458; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - contacts.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"contacts."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; within:6; http_header; pcre:"/attachment\x3b[^\r\n]*?contacts\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014236; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Overpro Spyware Games"; flow: to_server,established; content:"/blocks/blasterblocks"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001459; classtype:pup-activity; sid:2001459; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit JavaScript dotted quad hostile applet"; flow:established,from_server; content:"<html><body><applet"; fast_pattern; content:"archive="; distance:0; content:"code="; pcre:"/archive=[^\x3e]+?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:exploit-kit; sid:2014415; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sexmaniack Install Tracking"; flow: to_server,established; content:"/counted.php?ref="; nocase; http_uri; content:"Host|3a| counter.sexmaniack.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001460; classtype:pup-activity; sid:2001460; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - scandsk.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"scandsk"; http_header; fast_pattern; within:20; content:".exe|0d 0a|"; http_header; distance:0; classtype:bad-unknown; sid:2014440; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (1)"; flow: to_server,established; content:"/fa/evil.html"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001461; classtype:pup-activity; sid:2001461; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole - Landing Page Requested - /Home/index.php"; flow:to_server,established; urilen:15; content:"/Home/index.php"; http_uri; flowbits:set,et.exploitkitlanding; flowbits:noalert; classtype:bad-unknown; sid:2014441; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs Occuring"; flow: to_server,established; content:"/fa/?d=get"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001462; classtype:pup-activity; sid:2001462; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole - Landing Page Requested - *.php?*=16HexCharacters in http_uri"; flow:to_server,established; urilen:>23; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,7}=[a-f0-9]{16}$/U"; pcre:"/=.*[a-f].*$/U"; flowbits:set,et.exploitkitlanding; flowbits:noalert; classtype:bad-unknown; sid:2014442; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (2)"; flow: to_server,established; content:"src=http|3a|//xpire.info/i.exe"; nocase; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2001463; classtype:pup-activity; sid:2001463; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Request for Blackhole Exploit Kit Landing Page - src.php?case="; flow:established,to_server; content:"/src.php?case="; http_uri; pcre:"/\x2Fsrc\x2Ephp\x3Fcase\x3D[a-f0-9]{16}$/U"; classtype:exploit-kit; sid:2014725; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_09, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (3)"; flow: to_server,established; content:"/i.exe"; nocase; http_uri; content:"xpire.info"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001464; classtype:pup-activity; sid:2001464; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Request tkr"; flow:established,to_server; content:".php?"; http_uri; content:"src="; http_uri; distance:0; content:"&gpr="; http_uri; distance:0; content:"&tkr="; http_uri; fast_pattern; distance:0; pcre:"/[\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9]/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014843; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (4)"; flow: to_server,established; content:"/dl/adv121.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001466; classtype:pup-activity; sid:2001466; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Try Prototype Catch Jun 18 2012"; flow:established,from_server; content:"try{prototype"; content:"|3B|}catch("; within:12; classtype:trojan-activity; sid:2014921; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (5)"; flow: to_server,established; content:"/dl/adv121/x.chm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001467; classtype:pup-activity; sid:2001467; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole RawValue Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; depth:5; content:"|2E|rawValue|5D 5B|0|5D 2E|split|28 27 2D 27 29 3B 26 23|"; distance:0; reference:cve,2010-0188; classtype:trojan-activity; sid:2014940; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs CHM Exploit"; flow: to_server,established; content:"/fa/ied_s7m.chm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001468; classtype:pup-activity; sid:2001468; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Try Renamed Prototype Catch - June 28th 2012"; flow:established,to_client; file_data; content:"try {"; content:"=prototype|2d|"; within:80; content:"} catch"; within:80; reference:url,research.zscaler.com/2012/06/cleartripcom-infected-with-blackhole.html; classtype:exploit-kit; sid:2014981; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_28, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (6)"; flow: to_server,established; content:"/fa/x.chm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001469; classtype:pup-activity; sid:2001469; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; content:"<html><body><script>"; content:"Math.floor"; fast_pattern; distance:0; content:"try{"; distance:0; content:"prototype"; within:20; content:"}catch("; within:20; classtype:exploit-kit; sid:2015056; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_12, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (7)"; flow: to_server,established; content:"/fa/xpl3.htm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001470; classtype:pup-activity; sid:2001470; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Exploit Kit suspected Blackhole"; flow:established,to_server; content:".js?"; http_uri; fast_pattern; urilen:33<>34; pcre:"/\/\d+\.js\?\d+&[a-f0-9]{16}$/U"; classtype:exploit-kit; sid:2015670; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Spyware Exploit"; flow: to_server,established; content:"/2DimensionOfExploitsEnc.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001471; classtype:pup-activity; sid:2001471; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2.0 Binary Get Request"; flow:established,to_server; content:"GET"; http_method; content:"Java/1."; http_user_agent; content:".php?"; http_uri; pcre:"/\.php\?\w{2,8}\=(0[0-9a-b]|3[0-9]){5,32}\&\w{2,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{1,8}\=\d{2}\&\w{1,8}\=\w{1,8}\&\w{1,8}\=\w{1,8}$/U"; reference:url,fortknoxnetworks.blogspot.be/2012/10/blackhole-20-binary-get-request.html; classtype:successful-user; sid:2015836; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Coolsearch Spyware Install"; flow: to_server,established; content:"coolsearch.biz/united.htm"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001479; classtype:pup-activity; sid:2001479; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole - TDS Redirection To Exploit Kit - Loading"; flow:established,to_client; file_data; content:"<title>Loading...!</title>"; classtype:exploit-kit; sid:2016024; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MediaTickets Spyware Install"; flow: to_server,established; content:"/mtrslib2.js"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001481; classtype:pup-activity; sid:2001481; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit PluginDetect FromCharCode Jan 04 2013"; flowbits:set,et.exploitkitlanding; flow:established,to_client; file_data; content:"80,108,117,103,105,110,68,101,116,101,99,116"; nocase; classtype:exploit-kit; sid:2016166; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP thebestsoft4u.com Spyware Install (1)"; flow: to_server,established; content:"/pa/glx.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001482; classtype:pup-activity; sid:2001482; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch Body Specific -  4/3/2013"; flow:established,to_client; file_data; content:"}try{doc[|22|body|22|]^=2}catch("; distance:0; classtype:exploit-kit; sid:2016524; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmeup Spyware Install (d.exe)"; flow: to_server,established; content:"/x30/d.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001484; classtype:pup-activity; sid:2001484; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch Body Style 2 Specific -  4/3/2013"; flow:established,to_client; file_data; content:"try{document.body^=2}catch("; distance:0; classtype:exploit-kit; sid:2016525; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP thebestsoft4u.com Spyware Install (2)"; flow: to_server,established; content:"/pa/proxyrnd.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001485; classtype:pup-activity; sid:2001485; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch False Specific -  4/3/2013"; flow:established,to_client; file_data; content:"}try{}catch("; distance:0; content:"=false|3B|}"; within:30; classtype:exploit-kit; sid:2016526; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spygalaxy.ws Spyware Checkin"; flow: to_server,established; content:"/install.php?id="; nocase; http_uri; content:"Host|3a| spygalaxy.ws|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001489; classtype:pup-activity; sid:2001489; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Shrift.php Microsoft OpenType Font Exploit Request"; flow:established,to_server; content:"/ngen/shrift.php"; http_uri; reference:cve,2011-3402; classtype:exploit-kit; sid:2017340; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ICQ-Update.biz Reporting Install"; flow: to_server,established; content:"log.php?"; nocase; http_uri; content: "IP="; nocase; http_uri; content:"Port1="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001490; classtype:pup-activity; sid:2001490; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Microsoft OpenType Font Exploit"; flow:established,to_client; content:"Content-Description|3A| File Transfer"; http_header; content:"Content-Disposition|3A| attachment|3B| filename=font.eot"; http_header; fast_pattern:33,17; reference:cve,2011-3402; classtype:exploit-kit; sid:2017341; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Spyware Checkin"; flow: to_server,established; content:"/install.gz"; nocase; http_uri; content:"Host|3a| xpire.info|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001491; classtype:pup-activity; sid:2001491; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SchwSonne CnC Beacon M2"; flow:established,to_server; content:"C|7c|P-UID-"; depth:8; fast_pattern; content:"|7c|Microsoft"; distance:0; content:"|7c|["; distance:0; content:"]|7c|"; distance:0; classtype:command-and-control; sid:2025252; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_25, deployment Perimeter, former_category MALWARE, malware_family SchwartzSonnne, signature_severity Major, tag c2, updated_at 2018_01_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Outerinfo.com Spyware Install"; flow: to_server,established; content:"/ctxad-"; nocase; http_uri; pcre:"/ctxad-\d+\.sig/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2001495; classtype:pup-activity; sid:2001495; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"document.write(unescape"; nocase; fast_pattern; content:"3C%74%69%74%6C%65%3E%26%23%33%37%30%33%38%3B%26%23%32%30%32%31%34%3B%26%23%33%35%37%37%34%3B%26%23%33%32%36%32%32%3B"; nocase; distance:0; classtype:social-engineering; sid:2025255; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Clickspring.net Spyware Reporting"; flow: to_server,established; content:"Host|3a| www.bullseye-network.com"; nocase; http_header; reference:url,sarc.com/avcenter/venc/data/adware.bargainbuddy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001501; classtype:pup-activity; sid:2001501; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Halkbank (TK) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Halkbank|20 c4 b0 6e 74 65 72 6e 65 74 20 c5 9e 75 62 65 73 69|"; within:50; fast_pattern; classtype:social-engineering; sid:2025258; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Medialoads.com Spyware Config"; flow: to_server,established; content:"/dw/cgi/download.cgi?"; nocase; http_uri; content:"sn="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001503; classtype:pup-activity; sid:2001503; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Smail Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"...|7c|1|7c|Smail Code|7c|1|7c|..."; fast_pattern; nocase; content:"ALTER ANYTHING BELOW THIS LINE"; nocase; distance:0; classtype:social-engineering; sid:2025259; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Smartpops.com Spyware Install rh.exe"; flow: to_server,established; content:"/install/RH/rh.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001505; classtype:pup-activity; sid:2001505; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2018-01-29 M1"; flow:established,to_client; file_data; content:"Apple ID|20 3a|"; within:100; content:"<title>Apple (Switzerland)"; nocase; fast_pattern; classtype:social-engineering; sid:2025260; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Medialoads.com Spyware Identifying Country of Origin"; flow: to_server,established; content:"/dw/cgi/country.cgi"; nocase; http_uri; content:"User-Agent|3a|"; nocase; http_header; content:"NSISDL"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001507; classtype:pup-activity; sid:2001507; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing M2 2018-01-29"; flow:established,to_client; file_data; content:"background|3a 20|#3baee7|3b|"; nocase; distance:0; content:"-webkit-linear-gradient(top, #3baee7, #08c)"; nocase; distance:0; content:"text-shadow|3a 20|1px 1px 3px #666666"; nocase; distance:0; content:"background|3a 20|#3cb0fd|3b|"; nocase; distance:0; content:"-webkit-linear-gradient(top, #3cb0fd, #3498db)"; nocase; distance:0; content:".dark {"; nocase; distance:0; content:"color|3a 20|#525252|3b|"; nocase; distance:0; content:".dark-select {"; nocase; distance:0; content:"background|3a 20|#DFDFDF url('down-arrow.png')"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025261; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Medialoads.com Spyware Reporting (register.cgi)"; flow: to_server,established; content:"/dw/cgi/register.cgi?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001509; classtype:pup-activity; sid:2001509; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"Dear <b id=|22|accessreturn|22|>User</b>,"; nocase; fast_pattern; content:"<b>Ticket|20 3a 20|#"; nocase; distance:0; content:"<b>For This Reason|20 3a 20|"; nocase; distance:0; classtype:social-engineering; sid:2025262; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfAssistant.com Spyware Install"; flow: to_server,established; content:"/distribution/questmod-1.dll"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001510; classtype:pup-activity; sid:2001510; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"<title"; content:"Office 365"; nocase; within:25; content:"function LoginErrors(){this.userNameFormatError"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2025263; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Smartpops.com Spyware Update"; flow: to_server,established; content:"/data/spv15.dat?v="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001513; classtype:pup-activity; sid:2001513; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Onedrive Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"<title"; nocase; content:"OneDrive Online Security"; nocase; within:50; classtype:social-engineering; sid:2025264; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_01_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfAssistant.com Spyware Reporting"; flow: to_server,established; content:"/sa/?a="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001514; classtype:pup-activity; sid:2001514; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Smartsheet Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"<title>Log In|20 7c 20|Smartsheet</title>"; nocase; fast_pattern; content:"<form action="; nocase; distance:0; content:".php|22 20|class=|22|clsJspOuterForm|22 20|id="; nocase; distance:0; content:"method=|22|POST|22 20|name=|22|ctlForm|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025265; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Smartpops.com Spyware Install"; flow: to_server,established; content:"/install/SE/sed.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001516; classtype:pup-activity; sid:2001516; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Redirect 2018-01-30"; flow:established,to_client; file_data; content:"<html>|0d 0a|<body>|0d 0a|<script type=|22|text/JavaScript|22|>|0d 0a|<!--|0d 0a|"; nocase; depth:55; content:"setTimeout(|22|location.href|20|=|20 27|redirection.php?"; nocase; within:100; fast_pattern; pcre:"/^[a-z0-9_]{50,}/Ri"; content:"|27 3b 22|,0)|3b 0d 0a|-->|0d 0a|</script>|0d 0a|</body>"; nocase; within:100; classtype:bad-unknown; sid:2025267; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_01_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Websearch.com Outbound Dialer Retrieval"; flow: to_server,established; content:"/1/rdgUS10.exe"; nocase; http_uri; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2001517; classtype:pup-activity; sid:2001517; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Impots.gouv.fr Phishing Landing 2018-01-30"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Particulier|20 7c 20|impots.gouv.fr"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2025268; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spywaremover Activity"; flow: to_server,established; content:"/spywareremovers.php?"; http_uri; content:"Host|3a| topantispyware.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topantispyware.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001520; classtype:pup-activity; sid:2001520; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Turbotax Phishing Landing 2018-01-30"; flow:established,to_client; file_data; content:"<title>My TurboTax"; nocase; fast_pattern; content:"Login to your MyTurboTax account to start"; nocase; distance:0; content:"User ID"; nocase; distance:0; content:"Email Password"; nocase; distance:0; classtype:social-engineering; sid:2025269; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spywaremover Activity"; flow: to_server,established; content:"/download/cabs/THNALL1L/thnall1l.exe"; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087903; reference:url,doc.emergingthreats.net/bin/view/Main/2001521; classtype:pup-activity; sid:2001521; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-01-30"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Bank of America|20 7c 20|Online Banking"; nocase; within:40; fast_pattern; content:"CONTENT=|22|Unrecognized computer"; nocase; distance:0; content:"SiteKey Challenge Questions"; nocase; distance:0; classtype:social-engineering; sid:2025270; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpywareLabs Application Install"; flow: to_server,established; content:"/DistID/BaseInstalls/V"; nocase; http_uri; content:"User-Agent|3a|"; nocase; http_header; content:"Wise"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001522; classtype:pup-activity; sid:2001522; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Capital One Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Online Banking - Capital One 360</title>"; nocase; classtype:social-engineering; sid:2025271; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Virtumonde Spyware Code Download mmdom.exe"; flow: to_server,established; content:"/mmdom.exe"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001525; classtype:pup-activity; sid:2001525; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Verizon Wireless Phishing Landing 2018-01-30"; flow:established,to_client; file_data; content:"<!-- saved from url="; nocase; within:200; content:"<title"; nocase; distance:0; content:"Sign in"; nocase; within:10; content:"verizonwireless.com"; nocase; within:100; classtype:social-engineering; sid:2025274; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Virtumonde Spyware Code Download bkinst.exe"; flow: to_server,established; content:"/bkinst.exe"; nocase; http_uri; content:"virtumonde.com"; http_header; reference:url,www.lurhq.com/iframeads.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001526; classtype:pup-activity; sid:2001526; rev:24; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-31"; flow:established,to_client; file_data; content:"<title"; nocase; content:"P&#97|3b|yP&#97|3b|l"; nocase; within:35; fast_pattern; classtype:social-engineering; sid:2025276; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ak-networks.com Spyware Code Download"; flow: to_server,established; content:"/SyncAkSoft.da_"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001530; classtype:pup-activity; sid:2001530; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple iTunes Phishing Landing (DE) 2018-01-31"; flow:established,to_client; file_data; content:"<ISONLINE VALUE=TRUE></ISONLINE>"; nocase; within:200; content:"<title>iTunes - Stornierungsformular"; nocase; fast_pattern; classtype:social-engineering; sid:2025277; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Installer silent.exe Download"; flow: from_server,established; content:"|20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 69 6d 20 50 69 63 68 61|"; reference:url,www.searchmiracle.com/silent.exe; reference:url,doc.emergingthreats.net/bin/view/Main/2001533; classtype:pup-activity; sid:2001533; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Hellion Postmaster Phishing Landing 2018-01-31"; flow:established,to_client; file_data; content:"/hellion/postmaster.png"; fast_pattern; nocase; content:"/hellion/logos.png"; nocase; distance:0; classtype:social-engineering; sid:2025279; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyspotter.com Install"; flow: to_server,established; content:"/SpySpotterInstall.cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001536; classtype:pup-activity; sid:2001536; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Roundcube Multi-Brand Phishing Landing 2018-01-31"; flow:established,to_client; file_data; content:"FILES/jstz.min.js?s="; nocase; fast_pattern; content:"rcube_webmail()"; nocase; distance:0; content:"function MM_findObj"; nocase; distance:0; content:"function MM_validateForm"; nocase; distance:0; classtype:social-engineering; sid:2025280; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyspotter.com Access"; flow: to_server,established; content:"Host|3a| "; http_header; content:"spyspotter.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001537; classtype:pup-activity; sid:2001537; rev:16; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Website Phishing Landing - Mirrored Website Comment Observed"; flow:established,to_client; file_data; content:"<!-- Mirrored from "; pcre:"/^(?:www(?:1\.masterconsultas\.com\.ar|\.linkedin\.com)|(?:tools\.google|facebook)\.com|cfspart\.impots\.gouv\.fr)/Ri"; content:"by HTTrack Website Copier/"; distance:0; classtype:social-engineering; sid:2025282; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Oenji.com Install"; flow: to_server,established; content:"/Bundled/OemjiInstall"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001538; classtype:pup-activity; sid:2001538; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Live Login Phishing Landing 2018-02-01"; flow:established,to_client; file_data; content:"<title>Sign In</title>"; nocase; content:"Outlook.com is a free, personal email service from Microsoft."; nocase; within:150; fast_pattern; classtype:social-engineering; sid:2025284; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Install (v3cab)"; flow: to_server,established; content:"/cab/v3cab.cab"; http_uri; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001540; classtype:pup-activity; sid:2001540; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING TSB Bank / Lloyds Bank Phishing Landing 2018-02-01"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Online Personal Verification"; nocase; within:100; fast_pattern; classtype:social-engineering; sid:2025285; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Install Report"; flow: to_server,established; content:"counter.htm"; nocase; pcre:"//user\d+/counter\.htm/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2001541; classtype:pup-activity; sid:2001541; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-01"; flow:established,to_client; file_data; content:"<title>Wells Fargo Online|c2 ae 20|Verification</title>"; nocase; classtype:social-engineering; sid:2025286; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET ADWARE_PUP MarketScore.com Spyware SSL Access"; flow: to_server,established; content:"www.marketscore.com"; content:"InstantSSL1"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001563; classtype:pup-activity; sid:2001563; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING AT&T Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"<title>AT&amp|3b|T - Login</title>"; nocase; fast_pattern; content:".php|22 20|method=|22|post|22 20|id=|22|LoginForm|22 20 20|focus=|22|userid|22 20|name=|22|LoginForm|22 20|type=|22|com.sbc.idm.igate_edam.forms.LoginFormBean|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025244; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware Stormer Reporting Data"; flow: established,to_server; content:"/showme.aspx?keyword="; nocase; http_uri; content:"ecomdata1="; nocase; http_client_body; reference:url,www.spywarestormer.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001570; classtype:pup-activity; sid:2001570; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Likely Cloned .EDU Website Phishing Landing 2018-02-02"; flow:established,to_client; file_data; content:"<!-- saved from url=("; within:300; pcre:"/^\s*?\d+?\s*?\)https?:\/\/[^/]+\.edu\//Rsi"; content:"<form"; nocase; distance:0; classtype:social-engineering; sid:2025290; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware Stormer/Error Guard Activity"; flow: established,to_server; content:"/sell.cgi?errorguard/1/errorguard"; nocase; http_uri; reference:url,www.spywarestormer.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001571; classtype:pup-activity; sid:2001571; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M2"; flow:established,to_client; file_data; content:"<title>Wells Fargo&nbsp|3b|Sign On to View Your Accounts</title>"; nocase; fast_pattern; content:"Online &amp|3b 20|Mobile Security"; nocase; distance:0; classtype:social-engineering; sid:2025293; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Proxied Traffic (mitmproxy agent)"; flow: to_server,established; content:"Proxy-agent|3a| ManInTheMiddle-Proxy"; http_header; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001586; classtype:pup-activity; sid:2001586; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M3"; flow:established,to_client; file_data; content:"<title>Wells Fargo&nbsp|3b|Sign On to View Your Accounts</title>"; nocase; fast_pattern; content:"View Your Accounts</h1>"; nocase; distance:0; content:"disableSubmitsCollectUserPrefs"; nocase; distance:0; classtype:social-engineering; sid:2025294; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Upgrading"; flow: to_server,established; content:"/oss/upgrchk_2a.asp"; nocase; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001587; classtype:pup-activity; sid:2001587; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M5"; flow:established,to_client; file_data; content:"<title>Wells Fargo  - Update Your Identification</title>"; nocase; fast_pattern; content:"../css js/passwordReset.css"; within:200; classtype:social-engineering; sid:2025296; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Activity (1)"; flow: to_server,established; content:"/oss/dittorules.asp"; nocase; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001588; classtype:pup-activity; sid:2001588; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M6"; flow:established,to_client; file_data; content:"Online Banking Identity Verification Process</TITLE>"; within:300; content:"name=KONICHIWA1"; within:250; classtype:social-engineering; sid:2025297; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Activity (2)"; flow: to_server,established; content:"/oss/routerrules2.asp"; nocase; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001589; classtype:pup-activity; sid:2001589; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M7"; flow:established,to_client; file_data; content:"<title>Wells Fargo Online&reg|3b 20|Enrollment</title>"; classtype:social-engineering; sid:2025298; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Microgaming.com Spyware Installation (dlhelper)"; flow: established,to_server; content:"/dlhelper.cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001641; classtype:pup-activity; sid:2001641; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M8"; flow:established,to_client; file_data; content:"<head><!-- WFB 3.4 -->"; within:300; fast_pattern; content:"var bundle|3b|(function(){function a(b){var c=|22 22 3b|for(var d=0,e=b.length|3b|d<e|3b|++d){var f=b.charCodeAt(d)|3b|c+=f>=55296?b[d]|3a|String.fromCharCode"; distance:0; classtype:social-engineering; sid:2025299; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Microgaming.com Spyware Installation (2)"; flow: established,to_server; content:"/DownloadHNew.asp?"; nocase; http_uri; content:"btag="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001643; classtype:pup-activity; sid:2001643; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M9"; flow:established,to_client; file_data; content:"<title>Wells Fargo - Security Upgrade</title>"; classtype:social-engineering; sid:2025300; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Microgaming.com Spyware Reporting Installation"; flow: established,to_server; content:"/dlhelper/downloadlogger2.asp?"; nocase; http_uri; content:"time="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001644; classtype:pup-activity; sid:2001644; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M10"; flow:established,to_client; file_data; content:"<title>Wells Fargo Email Verification"; nocase; fast_pattern; content:"input[type=email], input[type=password]"; nocase; distance:0; classtype:social-engineering; sid:2025301; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Microgaming.com Spyware Casino App Install"; flow: established,to_server; content:"/viper/thunderluck/00"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001645; classtype:pup-activity; sid:2001645; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Download of PDF With Uncompressed Flash Content flowbit set"; flow:established,to_client; content:"stream"; content:"|0a|FWS"; within:5; fast_pattern; pcre:"/stream(\x0D\x0A|\x0A)FWS/"; flowbits:set,ET.flash.pdf; flowbits:noalert; reference:url,www.symantec.com/connect/blogs/analysis-zero-day-exploit-adobe-flash-and-reader; reference:url,blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/; classtype:misc-activity; sid:2012906; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_05_31, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Toprebates.com Install (1)"; flow: established,to_server; content:"/mailz.php?id="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001646; classtype:pup-activity; sid:2001646; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MeltDown PoC Download In Progress"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|57 53 41 50 41 51|"; content:"|0F AE F0|"; distance:50; within:53; content:"|0F AE|"; distance:15; within:12; pcre:"/^[\x30-\x3f\x7D]/Rs"; content:"|0F AE F0 0F 31|"; distance:45; within:25; content:"|0F AE F0 0F 31|"; distance:17; within:12; reference:cve,2017-5754; classtype:attempted-admin; sid:2025195; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_01_10, deployment Perimeter, former_category EXPLOIT, malware_family MeltDown_Exploit, performance_impact Low, signature_severity Major, updated_at 2018_02_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Toprebates.com Install (2)"; flow: established,to_server; content:"/builds/"; nocase; http_uri; content:"AutoTrack_Install.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001647; classtype:pup-activity; sid:2001647; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Spectre PoC Download In Progress"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|E7 03 00 00|"; content:"|48 0F AE|"; distance:17; within:9; pcre:"/^[\x30-\x3f\x7D]/Rs"; content:"|48 0F AE 3D|"; distance:41; within:10; content:"|48 98|"; distance:64; within:22; content:"|0F 01 F9|"; distance:50; within:9; content:"|0F 01 F9|"; distance:30; within:9; reference:cve,2017-5753; reference:cve,2017-5715; classtype:attempted-admin; sid:2025196; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_01_10, deployment Perimeter, former_category EXPLOIT, malware_family Spectre_Exploit, performance_impact Low, signature_severity Major, updated_at 2018_02_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Toprebates.com User Confirming Membership"; flow: established,to_server; content:"/cgi/account.plx?pid="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001648; classtype:pup-activity; sid:2001648; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Banque Populaire Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:".logo_banque"; nocase; content:",.authentif p.num_carte"; nocase; fast_pattern; content:"<title"; content:"Authentification"; nocase; within:20; classtype:social-engineering; sid:2025306; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Search Scout Related Spyware (content)"; flow: established,to_server; content:"Host|3a| content.searchscout.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001650; classtype:pup-activity; sid:2001650; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"PayPaI</title>"; nocase; fast_pattern; content:"application-name content=PayPaI>"; nocase; distance:0; classtype:social-engineering; sid:2025307; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Search Scout Related Spyware (results)"; flow: established,to_server; content:"Host|3a| results.searchscout.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001653; classtype:pup-activity; sid:2001653; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Antibots Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"<?php|0d 0a|include|20 22|antibots.php|22 3b 0d 0a|?>"; within:100; classtype:social-engineering; sid:2025308; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Traffic (context.xml)"; flow: to_server,established; content:"/context/1/up_context_1.xml"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083029; reference:url,doc.emergingthreats.net/bin/view/Main/2001655; classtype:pup-activity; sid:2001655; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Upgrade Payment Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"ONE MORE STEP"; content:"<title"; nocase; distance:0; content:"Enter Your Credit"; nocase; within:25; content:"UPGRADE PAYMENT"; distance:0; content:"fbCreditCard"; nocase; distance:0; classtype:social-engineering; sid:2025309; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GlobalPhon.com Dialer"; flow: to_server,established; content:"Host|3a| www.globalphon.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001656; classtype:pup-activity; sid:2001656; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Yahoo Account Verification Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Yahoo! Account Verification"; nocase; within:40; fast_pattern; classtype:social-engineering; sid:2025311; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GlobalPhon.com Dialer Download"; flow: to_server,established; content:"/dialer/internazionale_ver"; nocase; http_uri; content:".CAB"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001657; classtype:pup-activity; sid:2001657; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google/Adobe Shared Document Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"<title"; nocase; content:"sign in"; nocase; within:25; content:"MM_validateForm(|27|password|27 2c 27 27 2c 27|R|27 2c 27|mail|27 2c 27 27 2c 27|RisEmail|27 2c 27|phone|27 2c 27 27 2c 27|NisNum|27|)"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025312; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Reporting"; flow: to_server,established; content:"Host|3a| log.cc.cometsystems.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001658; classtype:pup-activity; sid:2001658; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Orange Phishing Landing 2018-02-05 (FR)"; flow:established,to_client; file_data; content:"<title"; content:"pour continuer, identifiez-vous"; nocase; within:50; fast_pattern; content:"index_fichiers/authuser"; nocase; distance:0; content:"title=|22|site orange.fr"; nocase; distance:0; classtype:social-engineering; sid:2025313; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GlobalPhon.com Dialer (no_pop)"; flow: to_server,established; content:"/no_pop.asp?"; nocase; http_uri; content: "id="; nocase; http_uri; content:"globalphon.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001659; classtype:pup-activity; sid:2001659; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] DorkBot.Downloader CnC Response"; flow:established,to_client; dsize:517; content:"|45 36 27 18|"; depth:4; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; reference:url,www.freebuf.com/articles/terminal/153428.html; reference:url,research.checkpoint.com/dorkbot-an-investigation/; classtype:command-and-control; sid:2025152; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2018_02_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GlobalPhon.com Dialer (add_ocx)"; flow: to_server,established; content:"/add_ocx.asp?"; nocase; http_uri; content: "id="; nocase; http_uri; content:"globalphon.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001660; classtype:pup-activity; sid:2001660; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE [PTsecurity] DorkBot.Downloader CnC Beacon"; flow:established,to_server; dsize:170; content:"|45 36 27 18 08 20|"; depth:6; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; reference:url,www.freebuf.com/articles/terminal/153428.html; reference:url,research.checkpoint.com/dorkbot-an-investigation/; classtype:command-and-control; sid:2025153; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_02_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Metarewards Spyware Activity"; flow: to_server,established; content:"Host|3a| www.metareward.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001666; classtype:pup-activity; sid:2001666; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Spectre Kernel Memory Leakage JavaScript (POC Based)"; flow:established,from_server; file_data; content:"<script"; content:"|3c 20|simpleByteArray.length|29|"; distance:0; content:"simpleByteArray|5b|"; within:50; content:"|2a 20|TABLE1_STRIDE|29 7c 30 29 20 26 20 28|TABLE1_BYTES-1|29|"; distance:0; fast_pattern; content:"|5e 3d 20|probeTable|5b|"; distance:0; content:"|7c 30 5d 7c 30 3b|"; distance:0; reference:cve,2017-5753; reference:cve,2017-5715; reference:url,spectreattack.com/spectre.pdf; classtype:attempted-user; sid:2025184; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2018_02_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Webhancer Agent Activity"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:"webhancer.com"; nocase; http_header; within:32; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001678; classtype:pup-activity; sid:2001678; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Spectre Kernel Memory Leakage JavaScript"; flow:established,from_server; file_data; content:"<script"; nocase; content:"<"; distance:0; content:".length"; distance:0; nocase; fast_pattern; pcre:"/^\s*?\)\s*?\{\s*(?P<var>[^\s]+)\s*=[^\x5b]+?\x5b\s*(?P=var)\s*?\|\s*?0\s*?\]\s*?\x3b\s*?/Rsi"; content:"^="; distance:0; pcre:"/^\s*[^\s]+\x5b\s*?[^\x5d\x7c]+\x7c\s*?0\s*?\x5d\s*?\x7c\s*?0\s*?\x3b/Rsi"; reference:cve,2017-5753; reference:cve,2017-5715; reference:url,github.com/cgvwzq/spectre; classtype:attempted-user; sid:2025185; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2018_02_06;)
+#alert http any any -> $HOME_NET any (msg:"ET ADWARE_PUP Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type|3a| image"; http_header; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2001683; classtype:pup-activity; sid:2001683; rev:18; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing 2018-02-06"; flow:established,to_client; file_data; content:"content=|22|Connecting to PDSA"; nocase; within:600; content:"<title>Sign In</title>"; nocase; distance:0; content:"function LoginErrors(){this.userNameFormatError"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025316; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Search Relevancy Spyware"; flow: established,to_server; content:"/SearchRelevancy/SearchRelevancy.dll"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.relevancy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001696; classtype:pup-activity; sid:2001696; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY [Fidelis] Abnormal x509v3 SubjectKeyIdentifier extension"; flow:established,from_server; dsize:>768; content:"|16 03|"; depth:2; content:"|06 03 55 1d 0e 04|"; offset:336; pcre:"/^.\x04[^\x08\x10\x14\x20\x30\x40]/R"; threshold: type limit, track by_src, seconds 30, count 1; reference:url,www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities; classtype:misc-attack; sid:2025319; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2018_02_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ISearchTech Toolbar Data Submission"; flow: to_server,established; content:"/ist/scripts/istsvc_ads_data.php?"; nocase; http_uri; content: "version="; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001697; classtype:pup-activity; sid:2001697; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY [Fidelis] Abnormal Very Long x509v3 SubjectKeyIdentifier Extension"; flow:established,from_server; dsize:>768; content:"|16 03|"; depth:2; content:"|06 03 55 1d 0e 04|"; offset:336; pcre:"/^[\x80-\xff]/R"; threshold: type limit, track by_src, seconds 30, count 1; reference:url,www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities; classtype:misc-attack; sid:2025320; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2018_02_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Windupdates.com Spyware Install"; flow: established,to_server; content:"/cab/CDTInc/ie/"; nocase; http_uri; content:".cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001700; classtype:pup-activity; sid:2001700; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Google|20 7c 20|Drive , Safe"; nocase; fast_pattern; content:"your email provider"; nocase; distance:0; classtype:social-engineering; sid:2025322; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Windupdates.com Spyware Loggin Data"; flow: established,to_server; content:"/logging.php?p="; nocase; http_uri; content:"Host|3a| public.windupdates.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001701; classtype:pup-activity; sid:2001701; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Business Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>DropBox Buisness</title>"; nocase; classtype:social-engineering; sid:2025323; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Flingstone Spyware Install (sportsinteraction)"; flow: established,to_server; content:"/softwares/SportsInteraction.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001705; classtype:pup-activity; sid:2001705; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Apple - Login"; nocase; content:"href=|22|incorrect_files/"; nocase; distance:0; classtype:social-engineering; sid:2025324; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop at Home Select Spyware Heartbeat"; flow: established,to_server; content:"/s.dll?MfcISAPICommand=heartbeat&param="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001708; classtype:pup-activity; sid:2001708; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Verification Phishing Landing 2018-01-31"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Mail Verification"; nocase; within:50; fast_pattern; content:"your mailbox"; nocase; distance:0; content:"email password"; nocase; distance:0; content:"All rights reserved"; nocase; distance:0; classtype:social-engineering; sid:2025278; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Flingstone Spyware Install (cxtpls)"; flow: established,to_server; content:"/softwares/cxtpls_loader_ff.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001710; classtype:pup-activity; sid:2001710; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Upgrade Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Mail Settings|20 7c 20|Email"; nocase; within:40; fast_pattern; classtype:social-engineering; sid:2025310; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Tibsystems Spyware Install (1)"; flow: to_server,established; content:"/fcgi-bin/iza2.fcgi?m="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001729; classtype:pup-activity; sid:2001729; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Business Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"background-color|3a 20|#ffffff|3b|border|3a 20|1px solid #d0d4d9|3b|box-shadow|3a 20|4px 4px 4px #d0d4d9|3b|"; nocase; content:"id=|22|wk|22 20|name=|22|wk|22 20|method=|22|post|22|"; nocase; distance:0; fast_pattern; content:"Sign In To View"; nocase; distance:0; classtype:social-engineering; sid:2025325; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP A-d-w-a-r-e.com Activity (popup)"; flow: established,to_server; content:"/cgi-bin/PopupV"; http_uri; nocase; content:"?ID={"; http_uri; nocase; reference:url,www.a-d-w-a-r-e.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001730; classtype:pup-activity; sid:2001730; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Web App Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Sign in</title>"; nocase; content:"border|3a 20|1px solid #848484|3b|"; nocase; distance:0; content:"background-color|3a 20|#fff3c0|3b|"; nocase; distance:0; content:"left|3a|389px|3b 20|top|3a|0px|3b 20|width|3a|507px|3b 20|height|3a|474px|3b 20|z-index|3a|0"; nocase; distance:0; content:"<input name=|22|userid|22|"; nocase; distance:0; content:"<input name=|22|formtext2|22|"; nocase; distance:0; classtype:social-engineering; sid:2025326; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Tibsystems Spyware Install (2)"; flow: to_server,established; content:"/tb/loader2.ocx"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001734; classtype:pup-activity; sid:2001734; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Chase Online - Logon"; nocase; fast_pattern; content:"<!--POH-->"; nocase; distance:0; content:"function AllowNoDups()"; nocase; distance:0; classtype:social-engineering; sid:2025328; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP A-d-w-a-r-e.com Activity (cmd)"; flow: established,to_server; content:"/app/VT00/ucmd.php?V="; http_uri; nocase; reference:url,www.a-d-w-a-r-e.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001735; classtype:pup-activity; sid:2001735; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Verification Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Admin|20 7c 20|Upgrade|3b|</title>"; nocase; fast_pattern; classtype:social-engineering; sid:2025329; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ak-networks.com Spyware Code Install"; flow: to_server,established; content:"/akcore.dl_"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001737; classtype:pup-activity; sid:2001737; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ASB Bank Phishing Landing 2018-02-09 M2"; flow:established,to_client; file_data; content:"<title>ASB Bank - Log in"; nocase; fast_pattern; content:"<img src=|22|https://online.asb.co.nz/auth/img/logo-asb.png|22 20|alt=|22|ASB Logo|22|"; nocase; distance:0; content:".php|22 20|autocomplete=|22|off|22 20|aria-autocomplete=|22|none|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025336; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Install (install)"; flow: to_server,established; content:"/sideb.exe"; content:"Host|3a| install.searchmiracle.com"; nocase; http_header; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001744; classtype:pup-activity; sid:2001744; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ASB Bank Phishing Landing 2018-02-09 M1"; flow:established,to_client; file_data; content:"<title>ASB Bank - Log in"; nocase; fast_pattern; content:"<img src=|22|logo-asb.png|22 20|alt=|22|ASB Logo|22|"; nocase; distance:0; content:".php|22 20|id=|22|login|22 20|autocomplete=|22|off|22|"; nocase; distance:0; classtype:social-engineering; sid:2025334; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP My-Stats.com Spyware Checkin"; flow: established,to_server; content:"/ad-partner/SelectConfirm.php?"; nocase; http_uri; content:"dummy="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001747; classtype:pup-activity; sid:2001747; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-09"; flow:established,to_client; file_data; content:"<title>Wells Fargo Online</title>"; nocase; fast_pattern; content:"View Your Accounts"; nocase; distance:0; content:"placeholder=|22|Personal ID"; nocase; distance:0; content:"Connection Secured"; nocase; distance:0; classtype:social-engineering; sid:2025337; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_09;)
+#alert http $HOME_NET any -> any any (msg:"ET ADWARE_PUP Pynix.dll BHO Activity"; flow: established,to_server; content:"ABETTERINTERNET.EXE"; nocase; http_uri; content:"bho=PYNIX.DLL"; nocase; http_uri; reference:url,www.pynix.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001748; classtype:pup-activity; sid:2001748; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LinkedIn Phishing Landing 2018-02-09 M1"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Sign In to LinkedIn|20 7c 20|LinkedIn"; nocase; within:40; classtype:social-engineering; sid:2025335; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Incredisearch.com Spyware Ping"; flow: established,to_server; content:"/ping.asp"; nocase; http_uri; content:"incredisearch.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001793; classtype:pup-activity; sid:2001793; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-09"; flow:established,to_client; file_data; content:"<title>Facebook</title>"; nocase; fast_pattern; content:"We didn't recognize your email address or phone number"; nocase; distance:0; content:"theForm.pass.value.length"; nocase; distance:0; classtype:social-engineering; sid:2025339; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Incredisearch.com Spyware Activity"; flow: established,to_server; content:"Host|3a| www.incredisearch.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001794; classtype:pup-activity; sid:2001794; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Revalidation Phishing Landing 2018-02-09"; flow:established,to_client; file_data; content:"<title>Re-Validate Your Mailbox</title>"; nocase; fast_pattern; classtype:social-engineering; sid:2025340; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Likely Trojan/Spyware Installer Requested (1)"; flow: established,to_server; content:".scr"; nocase; http_uri; pcre:"/(cartao|mensagem|voxcards|humortadela|ouca|cartaovirtual|uol3171|embratel|yahoo|viewforhumor|humormenssagem|terra)\.scr/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2001850; classtype:pup-activity; sid:2001850; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-12"; flow:established,to_client; file_data; content:"hackgallo10k.png"; within:500; nocase; fast_pattern; content:"Facebook application"; nocase; distance:0; classtype:social-engineering; sid:2025341; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DesktopTraffic Toolbar Spyware"; flow: to_server,established; content:"cgi-bin/ezl_kws.fcgi?cat"; nocase; http_uri; reference:url,research.spysweeper.com/threat_library/threat_details.php?threat=desktoptraffic.net_hijack; reference:url,doc.emergingthreats.net/bin/view/Main/2001884; classtype:pup-activity; sid:2001884; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-02-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"One Drive Cloud Document"; nocase; within:40; fast_pattern; content:"function popupwnd(url,"; nocase; distance:0; classtype:social-engineering; sid:2025342; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Begin2Search.com Spyware"; flow: to_server,established; content:"/cgi-bin/fav_del.fcgi?id"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.begin2search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001885; classtype:pup-activity; sid:2001885; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo"; nocase; distance:0; content:"if(user.length<6){alert("; nocase; distance:0; content:"if(pass.length<6){alert("; nocase; distance:0; classtype:social-engineering; sid:2025343; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ToolbarPartner Spyware Spambot Retrieving Target Emails"; flow: established,to_server; content:"/mailz.php?id="; nocase; http_uri; reference:url,toolbarpartner.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001895; classtype:pup-activity; sid:2001895; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-13 M1"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Facebook Application"; nocase; within:30; fast_pattern; content:"placeholder=|22|Password"; nocase; distance:0; classtype:social-engineering; sid:2025347; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zenotecnico Adware"; flow: to_server,established; content:"/cl/clientdump"; http_uri; content:"zenotecnico"; nocase; http_header; reference:url,www.zenotecnico.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001947; classtype:pup-activity; sid:2001947; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-13 M2"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Facebook"; nocase; within:20; content:"k7LsZ6Kzebp.css"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025348; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfSidekick Activity (ipixel)"; flow: established,to_server; content:"/ipixel.htm?cid="; nocase; http_uri; content:"&pck_id="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001994; classtype:pup-activity; sid:2001994; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox/OneDrive Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title"; nocase; content:"One Place For All Your Files"; within:60; nocase; content:"function popupwnd(url, toolbar"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025327; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TargetNetworks.net Spyware Reporting (req)"; flow: to_server,established; content:"/request/req.cgi?gu="; nocase; http_uri; content:"&sid="; nocase; http_uri; content:"&kw="; nocase; http_uri; reference:url,www.targetnetworks.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001997; classtype:pup-activity; sid:2001997; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LinkedIn Phishing Landing 2018-02-13"; flow:established,to_client; file_data; content:"<title>Business|20 7c 20|LinkedIn"; nocase; fast_pattern; content:"<title>Sign Up</title>"; nocase; distance:0; classtype:social-engineering; sid:2025349; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UCMore Spyware Downloading Ads"; flow: to_server,established; content:"/clientsetupfinish.html?sponsor_id="; http_uri; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; reference:url,doc.emergingthreats.net/bin/view/Main/2001998; classtype:pup-activity; sid:2001998; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-13"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo - Verification"; nocase; within:40; fast_pattern; content:"account was suspended"; nocase; distance:0; content:"enable verification process"; nocase; distance:0; classtype:social-engineering; sid:2025351; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BTGrab.com Spyware Downloading Ads"; flow: to_server,established; content:"/a/Drk.syn?"; nocase; http_uri; content:"adcontext="; nocase; http_uri; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; reference:url,doc.emergingthreats.net/bin/view/Main/2001999; classtype:pup-activity; sid:2001999; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Capital One Phishing Landing 2018-02-13 M2"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Validate Your Card Information"; nocase; within:50; fast_pattern; content:"</capitaloneheader>"; nocase; distance:0; classtype:social-engineering; sid:2025352; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shopnav Spyware Install"; flow: to_server,established; content:"/toolbarv3.cgi?UID="; nocase; http_uri; content:"&version="; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.shopnav.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002000; classtype:pup-activity; sid:2002000; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Capital One Phishing Landing 2018-02-13 M1"; flow:established,to_client; file_data; content:"ng-app=|22|signInControllerApp|22|"; nocase; within:100; content:"<title>Sign In</title>"; nocase; distance:0; content:"href=|22|index_fichiers/favicon.ico"; nocase; distance:0; content:"usabilla_live_button_container"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025350; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware Install"; flow: to_server,established; content:"/downloads/installers/"; http_uri; nocase; content:"simpleinternet/180sainstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002003; classtype:pup-activity; sid:2002003; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2019_08_22, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Email Validation Phishing Landing 2018-02-13"; flow:established,to_client; file_data; content:"function validateForm()"; nocase; content:"email.match(/fuck"; nocase; distance:0; content:"email.match(/asshole"; nocase; distance:0; content:"email.match(/dickhead"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025353; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Topconverting Spyware Install"; flow: to_server,established; content:"/activex/weirdontheweb_topc.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002004; classtype:pup-activity; sid:2002004; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing 2018-02-14"; flow:established,to_client; file_data; content:"<title"; nocase; content:"dropbox"; nocase; within:10; content:"text/css|22|>.hny-htirfw"; nocase; fast_pattern; within:100; content:"class=|22|psw_error"; nocase; distance:0; classtype:social-engineering; sid:2025355; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent Install"; flow: to_server,established; content:"/updatestats/AI_Euro.exe"; nocase; http_uri; reference:mcafee,122249; reference:url,doc.emergingthreats.net/bin/view/Main/2002008; classtype:pup-activity; sid:2002008; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Linkedin Phishing Landing 2018-02-14"; flow:established,to_client; file_data; content:"<title>Business|20 7c 20|LinkedIn</title>"; nocase; content:"function MM_validateForm()"; nocase; distance:0; content:"#a11y-content"; nocase; distance:0; classtype:social-engineering; sid:2025356; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ESyndicate Spyware Install (esyndicateinst.exe)"; flow: to_server,established; content:"/files/eSyndicateInst.exe"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; reference:url,doc.emergingthreats.net/bin/view/Main/2002009; classtype:pup-activity; sid:2002009; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-14"; flow:established,to_client; file_data; content:"<title>Account Recovery Information</title>"; nocase; fast_pattern; content:"<title>Account Recovery Information</title>"; nocase; distance:0; content:"facebook account has been disabled"; nocase; distance:0; classtype:social-engineering; sid:2025357; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ESyndicate Spyware Install (sepinst.exe)"; flow: to_server,established; content:"/files/SEPInst.exe"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; reference:url,doc.emergingthreats.net/bin/view/Main/2002010; classtype:pup-activity; sid:2002010; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Website Phishing Landing - Saved Website Comment Observed"; flow:established,to_client; file_data; content:"<!-- saved from url=("; within:300; pcre:"/^\s*?\d+?\s*?\)(?:https://(?:w(?:ww(?:\.(?:(?:bankofamerica|paypal|ups|wellsfargo)\.com|a(?:dobecloud\.com|mazon\.co\.jp)|tax\.service\.gov\.uk|cibc\.mobi)|1\.royalbank\.com)|ebmail\.(?:i(?:llinois|ndstate)\.ed|optusnet\.com\.a)u)|(?:s(?:i(?:tekey\.bankofamerica|gnin\.ebay)|ecure(?:\.bankofamerica|05c\.chase))|login\.(?:(?:microsoftonlin|liv)e|verizonwireless|alibaba)|my\.screenname\.aol)\.com|(?:(?:ex(?:change\.(?:louisvill|purdu)|mail\.oregonstat)e|owa\.uaa\.alaska)\.ed|ib\.nab\.com\.a)u|voscomptesenligne\.labanquepostale\.fr|auth\.centurylink\.net)|/logon/logon/chaseOnline|#www\.kucoin\.com)/Rsi"; classtype:social-engineering; sid:2025281; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GrandstreetInteractive.com Install"; flow: to_server,established; content:"/tdtb.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002012; classtype:pup-activity; sid:2002012; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title>Online...... - Berliner....</title>"; nocase; fast_pattern; content:"berliner-sparkasse.de"; nocase; distance:0; classtype:social-engineering; sid:2025361; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GrandstreetInteractive.com Update"; flow: to_server,established; content:"/wupdsnff.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002013; classtype:pup-activity; sid:2002013; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title>Dropbox</title>"; within:300; nocase; fast_pattern; content:"featuredcontentglider.init({"; nocase; distance:0; content:"#yregbnr #yregbnrti #yregbnrtii"; nocase; distance:0; classtype:social-engineering; sid:2025362; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet Fuel.com Install"; flow: to_server,established; content:"/cgi-bin/omnidirect.cgi?&debug_log="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002015; classtype:pup-activity; sid:2002015; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"images/fbgiftscards.jpg"; within:100; fast_pattern; content:"CavalryLogger="; nocase; distance:0; content:"Facebook</title>"; nocase; content:"function Form1_Validator"; nocase; distance:0; content:"var alertsay"; nocase; distance:0; classtype:social-engineering; sid:2025363; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP jmnad1.com Spyware Install (2)"; flow: to_server,established; content:"/download/mw_4s_stub.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002016; classtype:pup-activity; sid:2002016; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M1"; flow:established,to_client; file_data; content:"<title>Wells Fargo BANK</title>"; fast_pattern; content:"Access Your Accounts</div>"; nocase; distance:0; classtype:social-engineering; sid:2025292; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Overpro Spyware Install Report"; flow: to_server,established; content:"/processInstall.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002017; classtype:pup-activity; sid:2002017; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Docs Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Sign in - Google Accounts"; nocase; within:30; fast_pattern; content:"input[type=email]"; nocase; distance:0; content:"input[type=password]"; nocase; distance:0; classtype:social-engineering; sid:2025364; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP jmnad1.com Spyware Install (1)"; flow: to_server,established; content:"/install.qg?"; nocase; http_uri; content: "ID="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002019; reference:url,wilderssecurity.com/threads/hijack-this-log-sandoxer-jmnad1.42146/; classtype:pup-activity; sid:2002019; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title"; content:"Dropbox Verification"; within:30; nocase; fast_pattern; content:"PhoneVerificationChallenge"; nocase; distance:0; content:"RecoveryEmailChallenge"; nocase; distance:0; classtype:social-engineering; sid:2025365; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Weird on the Web /180 Solutions Checkin"; flow: to_server,established; content:"/notifier/config.ini?v="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002036; classtype:pup-activity; sid:2002036; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title>Chase Online - Logon</title><!--"; nocase; fast_pattern; classtype:social-engineering; sid:2025366; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop at Home Select Spyware Install"; flow: established,to_server; content:"/arcadecash/setup"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002037; classtype:pup-activity; sid:2002037; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Square Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"/* VODKA */"; fast_pattern; content:"<form action=|22|--WEBBOT-SELF--"; nocase; distance:0; classtype:social-engineering; sid:2025367; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Topconverting Spyware Reporting"; flow: to_server,established; content:"/trigger.php?partner="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002040; classtype:pup-activity; sid:2002040; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Multi-Account Phish 2018-02-16"; flowbits:isset,ET.genericphish; file_data; content:"<input id=|22|login-username|22 20|name=|22|username|22 20|value=|22|"; nocase; content:"<input name=|22|password|22 20|value="; nocase; distance:0; content:"autocomplete=|22|current-password|22|"; nocase; distance:0; content:"Wrong password. Try again or click Forgot password"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025368; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OutBlaze.com Spyware Activity"; flow: to_server,established; content:"/scripts/adpopper/webservice.main"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002044; classtype:pup-activity; sid:2002044; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Spotify Phishing Landing 2018-02-19"; flow:established,to_client; file_data; content:"<title>Login - Spotify</title>"; nocase; fast_pattern; content:"LOGIN WITH FACEBOOK"; nocase; distance:0; content:"spotify.com"; nocase; distance:0; classtype:social-engineering; sid:2025369; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TargetNetworks.net Spyware Reporting (tn)"; flow: to_server,established; content:"/data/tn.dat?v="; nocase; http_uri; content:"&sid="; nocase; http_uri; reference:url,www.targetnetworks.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002046; classtype:pup-activity; sid:2002046; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Smartermail Phishing Landing 2018-02-20"; flow:established,to_client; file_data; content:"<title"; content:"SmarterMail"; nocase; within:20; fast_pattern; content:"<form method=|22|post|22 20|action=|22|login.php|22 20|id=|22|aspnetForm|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025371; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware Defs Download"; flow: to_server,established; content:"/geodefs/gdf"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002048; classtype:pup-activity; sid:2002048; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING USAA Phishing Landing 2018-02-20"; flow:established,to_client; file_data; content:"<title"; nocase; content:"USAA / Welcome to USAA"; nocase; distance:0; fast_pattern; content:".php|22 20|method=|22|POST|22 20|id=|22|Logon|22 20|name=|22|Logon|22 20|class=|22|yuimenubaritemlabel|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025372; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Pacimedia Spyware 1"; flow:to_server,established; content:"/mcp/mcp.cgi"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002083; classtype:pup-activity; sid:2002083; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Yahoo Phishing Landing 2018-02-20"; flow:established,to_client; file_data; content:"<title>Securite utilisateur</title>"; nocase; fast_pattern; content:"<title>S&eacute|3b|curite Yahoo</title>"; nocase; distance:0; classtype:social-engineering; sid:2025373; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP C4tdownload.com Spyware Activity"; flow: to_server,established; content:"/js.php?event_type=onload&recurrence="; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002088; classtype:pup-activity; sid:2002088; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-22"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo Sign On to Unlock Your Accounts"; nocase; within:50; classtype:social-engineering; sid:2025377; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CWS qck.cc Spyware Installer (in.php)"; flow:established,to_server; content:"/x/in.php?wm="; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002089; classtype:pup-activity; sid:2002089; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing 2018-02-22"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Sign In"; nocase; within:15; content:"Validate"; nocase; within:20; content:"personal Microsoft account"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2025378; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP IEHelp.net Spyware Installer"; flow:established,to_server; content:"/counter/help.chm"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002090; classtype:pup-activity; sid:2002090; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Upgrade Advantage Phishing Landing 2018-02-22"; flow:established,to_client; file_data; content:"<img src=|22|./hellion/logo1.png"; nocase; fast_pattern; content:"method=|22|post|22 20|action=|22|post.php"; nocase; distance:0; classtype:social-engineering; sid:2025379; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Install - silent.exe"; flow: to_server,established; content:"/silent.exe"; nocase; http_uri; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002091; classtype:pup-activity; sid:2002091; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-22"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo - Please confirm your identity"; fast_pattern; within:50; nocase; content:"For security reasons"; nocase; distance:0; content:".php|22 20|novalidate=|22 22|"; nocase; distance:0; classtype:social-engineering; sid:2025380; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Likely Trojan/Spyware Installer Requested (2)"; flow: established,to_server; content:".exe"; nocase; http_uri; pcre:"/(discador|ocartao|msgav|extrato|correcao|extrato_tim|visualizar|cartas&cartoes|embratel|cartao|MSN_INSTALL|VirtualCards|atualizacaonorton|serasar|CobrancaEmbratel|ExtratoTim|FlashFotos|Vacina-Norton|CartaoIloves|Cobranca|fotos_ineditas|boletocobranca|saudades|wwwuolcartoescombr|cartaoanimado)\.exe/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2002093; classtype:pup-activity; sid:2002093; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Craigslist Phishing Landing 2018-02-26"; flow:established,to_client; file_data; content:"<title"; nocase; content:"craigslist - account log in"; nocase; fast_pattern; within:30; content:".php|22 20|method=|22|POST|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025394; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CWS qck.cc Spyware Installer (web.php)"; flow:established,to_server; content:"/x/tbd_web.php?wm="; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002095; classtype:pup-activity; sid:2002095; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Mobile Phishing Landing 2018-02-26"; flow:established,to_client; file_data; content:"<title>Login</title>"; nocase; content:"mbasic.facebook.com"; nocase; distance:0; content:"name=|22|username|22 20|autocomplete=|22|off|22 20|placeholder=|22|E-mail|22|"; nocase; distance:0; fast_pattern; content:"name=|22|password|22 20|autocomplete=|22|off|22 20|placeholder=|22|Password|22|"; nocase; distance:0; classtype:social-engineering; sid:2025396; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP IEHelp.net Spyware checkin"; flow:established,to_server; content:"/l/gpr.php?"; nocase; http_uri; content: "ID1="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002096; classtype:pup-activity; sid:2002096; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Update Phishing Landing 2018-02-26"; flow:established,to_client; file_data; content:"<img src=|22|./hellion/logo.png"; nocase; fast_pattern; content:"<form method=|22|post|22 20|action=|22|post.php|22|>"; nocase; distance:0; content:"<input name=|22|email|22 20|type=|22|hidden|22|"; nocase; distance:0; classtype:social-engineering; sid:2025397; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware config Download"; flow: to_server,established; content:"/config.aspx?did="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002099; classtype:pup-activity; sid:2002099; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Amazon Phishing Landing (DE) 2018-02-26"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Amazon.de - Kontofreischaltung"; nocase; within:40; fast_pattern; content:"$(|22|#browser_info|22|).val(client.getBrowser"; nocase; distance:0; content:"$(|22|#os_info|22|).val(client.getOS()"; nocase; distance:0; classtype:social-engineering; sid:2025398; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iWon Spyware (iWonSearchAssistant)"; flow:to_server,established; content:"User-Agent|3a| iWonSearch"; http_header; reference:url,www.spywareguide.com/product_show.php?id=461; reference:url,doc.emergingthreats.net/2002169; classtype:pup-activity; sid:2002169; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Browser Plugin Detect - Observed in Phish Landings"; flow:established,to_client; file_data; content:"#browser_info"; content:"getBrowserMajorVersion()"; nocase; distance:0; fast_pattern; content:"#os_info"; nocase; distance:0; content:"getOSVersion()"; nocase; distance:0; content:"getScreenPrint()"; nocase; distance:0; content:"getPlugins()"; nocase; distance:0; content:"getJavaVersion()"; nocase; distance:0; content:"getFlashVersion()"; nocase; distance:0; content:"getSilverlightVersion()"; nocase; distance:0; classtype:social-engineering; sid:2025399; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2018_02_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 1"; flow: to_server,established; content:"/rd/Clk.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002296; classtype:pup-activity; sid:2002296; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert udp any 11211 -> $EXTERNAL_NET any (msg:"ET DOS Possible Memcached DDoS Amplification Response Outbound"; flowbits:isset,ET.memcached.ddos; content:"STATS|20|pid"; depth:9; fast_pattern; threshold: type both, count 100, seconds 60, track by_dst; reference:url,blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/; classtype:attempted-dos; sid:2025402; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Server, created_at 2018_03_01, deployment Perimeter, former_category DOS, performance_impact Low, signature_severity Major, updated_at 2018_03_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 2"; flow: to_server,established; content:"/rd/feed/TextFeed.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002297; classtype:pup-activity; sid:2002297; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET 11211 -> $HOME_NET any (msg:"ET DOS Possible Memcached DDoS Amplification Inbound"; content:"STATS|20|pid"; depth:9; fast_pattern; threshold: type both, count 100, seconds 60, track by_dst; reference:url,blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/; classtype:attempted-dos; sid:2025403; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2018_03_01, deployment Perimeter, former_category DOS, performance_impact Low, signature_severity Major, updated_at 2018_03_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 3"; flow: to_server,established; content:"/rd/feed/XMLFeed.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002298; classtype:pup-activity; sid:2002298; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"ET CURRENT_EVENTS CERTEGO Possible JScript Coming Over SMB v2"; flow:established,from_server; content:"|FE|SMB"; offset:4; depth:8; content:"|08 00|"; distance:8; within:10; content:"var"; distance:48; fast_pattern; content:"="; distance:0; isdataat:2,relative; reference:url,twitter.com/SettiDavide89/status/970965983228723201; reference:url,www.certego.net/it/news/quant-url/; classtype:trojan-activity; sid:2025409; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_06, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2018_03_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 4"; flow: to_server,established; content:"/rd/feed/JavaScriptFeed.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002299; classtype:pup-activity; sid:2002299; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-03-08"; flow:established,to_client; file_data; content:"<title>One Drive Cloud Document Sharing"; nocase; fast_pattern; content:"function popupwnd(url"; nocase; distance:0; content:"'no','no','no','no','no','no'"; nocase; distance:0; classtype:social-engineering; sid:2025410; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 5"; flow: to_server,established; content:"/rd/feed/JavaScriptFeedSE.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002300; classtype:pup-activity; sid:2002300; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response"; content:"|C0 0C 00 10 00 01|"; content:"|00 dd dc|"; distance:4; within:3; content:!"v="; distance:0; content:!"p="; distance:0; content:!"spf2.0/"; content:!"spf1"; distance:0; content:!"|7c|"; distance:0; content:!"_domainkey"; classtype:command-and-control; sid:2013935; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2011_11_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2018_03_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 6"; flow: to_server,established; content:"/rd/SearchResults.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002301; classtype:pup-activity; sid:2002301; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chalbhai Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"document.forms[|22|chalbhai|22|][|22|password|22|]"; nocase; classtype:social-engineering; sid:2025418; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 7"; flow: to_server,established; content:"/rd/jsp/BidRank/index.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002302; classtype:pup-activity; sid:2002302; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Upgrade Email Account Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Secure Login|20 7c 20|E-Mail Administrator"; within:40; nocase; fast_pattern; content:"upgrade your mailbox"; nocase; distance:0; classtype:social-engineering; sid:2025421; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 8"; flow: to_server,established; content:"/SFToolBar.html"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002303; classtype:pup-activity; sid:2002303; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Retrieve Pending Emails Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Retrieve Pending Emails"; within:30; nocase; fast_pattern; content:"receive any pending mails on server after login"; nocase; distance:0; classtype:social-engineering; sid:2025422; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products Smileychooser Spyware"; flow: to_server,established; content:"/SmileyChooser.html?"; nocase; http_uri; content:"v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002305; classtype:pup-activity; sid:2002305; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Ourtime Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"ourtime.com - the 50+ single network"; nocase; within:40; fast_pattern; content:"<form method=|22|post|22 20|action=|22|post.php|22|"; nocase; distance:0; classtype:social-engineering; sid:2025423; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products Cursorchooser Spyware"; flow: to_server,established; content:"/CursorChooser.html?"; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002306; classtype:pup-activity; sid:2002306; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 25 (msg:"ET EXPLOIT [PT Security] Exim <4.90.1 Base64 Overflow RCE (CVE-2018-6789)"; flow: established,to_server,only_stream; content:"|0D 0A|AUTH"; pcre:"/AUTH\s+\S+\s+(?:[a-zA-Z0-9\+\/=]{4})*+[a-zA-Z0-9\+\/=]{3}\s/"; reference:cve,2018-6789; reference:url,devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/; reference:url,github.com/ptresearch/AttackDetection/blob/master/CVE-2018-6789/cve-2018-6789.rules; classtype:attempted-admin; sid:2025427; rev:1; metadata:attack_target SMTP_Server, created_at 2018_03_13, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Minor, updated_at 2018_03_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products Smileychooser Spyware"; flow: to_server,established; content:"/SmileyChooser.html?"; nocase; http_uri; content:"v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002310; classtype:pup-activity; sid:2002310; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit Landing Page (2)"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".mine.nu|0d 0a|"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015758; rev:3; metadata:created_at 2012_10_04, former_category EXPLOIT_KIT, updated_at 2018_03_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EZSearch Spyware Reporting Search Strings"; flow:established,to_server; content:"/partner/rt.php?q="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002317; classtype:pup-activity; sid:2002317; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Napolar / Shifu SSL Cert Oct 9 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|19|secure.barrentomedear.com"; distance:1; within:26; reference:md5,958804a1191cb281a3a967de17763cf4; classtype:trojan-activity; sid:2019376; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EZSearch Spyware Reporting Search Category"; flow:established,to_server; content:"/partner/rt.php?cat="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002318; classtype:pup-activity; sid:2002318; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET [!37018,!37039,1024:65535] (msg:"ET DELETED Possible NanoCore C2 64B"; flow:established,to_server; dsize:68; content:"|40 00 00 00|"; depth:5; pcre:"/^(?!.{0,63}\x00.{0,62}\x00.{0,61}\x00.{0,60}\x00)(?!.{0,62}\x00{2})(?!.{0,59}[A-Za-z0-9]{5})(?!(?P<b1>.).{0,63}(?P=b1).{0,62}(?P=b1).{0,61}(?P=b1).{0,60}(?P=b1))(?!.(?P<b2>.).{0,62}(?P=b2).{0,61}(?P=b2).{0,60}(?P=b2).{0,59}(?P=b2))(?!..(?P<b3>.).{0,61}(?P=b3).{0,60}(?P=b3).{0,59}(?P=b3).{0,58}(?P=b3))(?!...(?P<b4>.).{0,60}(?P=b4).{0,59}(?P=b4).{0,58}(?P=b4).{0,57}(?P=b4))(?!....(?P<b5>.).{0,59}(?P=b5).{0,58}(?P=b5).{0,57}(?P=b5).{0,56}(?P=b5))(?!.....(?P<b6>.).{0,58}(?P=b6).{0,57}(?P=b6).{0,56}(?P=b6).{0,55}(?P=b6))(?!......(?P<b7>.).{0,57}(?P=b7).{0,56}(?P=b7).{0,55}(?P=b7).{0,54}(?P=b7))(?!.......(?P<b8>.).{0,56}(?P=b8).{0,55}(?P=b8).{0,54}(?P=b8).{0,53}(?P=b8))(?!........(?P<b9>.).{0,55}(?P=b9).{0,54}(?P=b9).{0,53}(?P=b9).{0,52}(?P=b9))(?!.........(?P<b10>.).{0,54}(?P=b10).{0,53}(?P=b10).{0,52}(?P=b10).{0,51}(?P=b10))/Rs"; classtype:command-and-control; sid:2025018; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MALWARE, malware_family NanoCore, tag Nanocore, updated_at 2019_10_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EZSearch Spyware Reporting 2"; flow:established,to_server; content:"/partner/bom.php?e="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002319; classtype:pup-activity; sid:2002319; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg:"ET SCAN Suspicious inbound to PostgreSQL port 5432"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010939; classtype:bad-unknown; sid:2010939; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Transponder Spyware Activity"; flow:established,to_server; content:"/sendROIcookie.cfm?refer="; nocase; http_uri; reference:url,www.doxdesk.com/parasite/Transponder.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002320; classtype:pup-activity; sid:2002320; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 4333 (msg:"ET SCAN Suspicious inbound to mSQL port 4333"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010938; classtype:bad-unknown; sid:2010938; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP VPP Technologies Spyware"; flow:established,to_server; content:"/DittoIA.jsh?pid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002348; classtype:pup-activity; sid:2002348; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN Suspicious inbound to mySQL port 3306"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010937; classtype:bad-unknown; sid:2010937; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alexa Spyware Reporting URL"; flow:established,to_server; content:"/image_server.cgi?size=small&url=http|3a|/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002349; classtype:pup-activity; sid:2002349; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"ET SCAN Suspicious inbound to Oracle SQL port 1521"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010936; classtype:bad-unknown; sid:2010936; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP VPP Technologies Spyware Reporting URL"; flow:established,to_server; content:"/js.vppimage?key="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002350; classtype:pup-activity; sid:2002350; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"ET SCAN Suspicious inbound to MSSQL port 1433"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010935; classtype:bad-unknown; sid:2010935; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Update Download"; flow: to_server,established; content:"/cc/5/masterconfig/"; nocase; http_uri; content:"/update.xml?v="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002351; classtype:pup-activity; sid:2002351; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe PDF Reader Phishing Landing 2018-03-27"; flow:established,to_client; file_data; content:"<title>Adobe|d0 92 c2 ae 20|PDF Reader|d0 92 c2 ae 20|Xl</title>"; nocase; fast_pattern; content:"this file is protected by adobe"; nocase; distance:0; content:"confirm your email to access this document"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:"onsubmit=|22|MM_validateForm(&#39|3b|email&#39|3b|,&#39|3b|&#39|3b|,&#39|3b|RisEmail&#39|3b|,&#39|3b|password&#39|3b|,&#39|3b|&#39|3b|,&#39|3b|R&#39|3b|)"; nocase; distance:0; content:"view pdf document"; nocase; distance:0; classtype:social-engineering; sid:2025442; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Context Report"; flow: to_server,established; content:"/context/1/up_context_1.xml?v="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002352; classtype:pup-activity; sid:2002352; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Phishing Landing 2018-03-28"; flow:established,to_client; file_data; content:"<title>internal revenue service</title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:"last 4 of ssn"; nocase; distance:0; content:"if ($('#email').val() == '')"; nocase; distance:0; classtype:social-engineering; sid:2025443; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware versionconfig POST"; flow:to_server,established; content:"/versionconfig.aspx?"; http_uri; content:"&ver="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002354; classtype:pup-activity; sid:2002354; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] Ursnif Socks Proxy Check-in"; flow:established,to_server; stream_size:server,=,1; content:"|2d|"; offset:8; depth:1; content:"|2d|"; distance:4; within:1; content:"|2d|"; distance:4; within:1; content:"|2d|"; distance:4; within:1; content:"|2d30|"; distance:12; within:2; content:"|0000 0000 0000 0000 0000 0000|"; distance:1; within:12; fast_pattern; pcre:"/^[0-9A-Z]{8}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9]{12}-0[0-9]{1}/"; flowbits:set,PT.UrsnifProxy; flowbits:noalert; classtype:trojan-activity; sid:2025444; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category TROJAN, malware_family ursnif, performance_impact Low, signature_severity Major, updated_at 2018_03_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adwave/MarketScore User-Agent (WTA)"; flow: to_server,established; content:"User-Agent|3a| WTA_"; http_header; reference:url,www.adwave.com/our_mission.aspx; reference:url,www.marketscore.com; reference:url,doc.emergingthreats.net/2002394; classtype:pup-activity; sid:2002394; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET !$HTTP_PORTS  -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Ursnif Socks5 Proxy Connection"; flow:established,from_server; flowbits:isset,PT.UrsnifProxy; stream_size:server,=,5; dsize:3; content:"|050100|"; fast_pattern; depth:3; classtype:trojan-activity; sid:2025445; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category TROJAN, malware_family ursnif, performance_impact Low, signature_severity Major, updated_at 2018_03_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Movies-etc User-Agent (IOInstall)"; flow: to_server,established; content:"User-Agent|3a| IOInstall"; nocase; http_header; reference:url,www.movies-etc.com; reference:url,doc.emergingthreats.net/2002404; classtype:pup-activity; sid:2002404; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-03-28"; flow:established,to_client; file_data; content:"<TITLE>Chase Online - Logon</TITLE>"; nocase; fast_pattern; content:"name=started action=logon.php?lob=rbglogon method=post"; nocase; distance:0; classtype:social-engineering; sid:2025447; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iframebiz - sploit.anr"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/sploit.anr"; nocase; http_uri; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002708; classtype:pup-activity; sid:2002708; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Impots Phishing Landing 2018-03-28"; flow:established,to_client; file_data; content:"<title>impots.gouv.fr</title>"; nocase; fast_pattern; content:".php|22|"; nocase; distance:0; content:"name=|22|form1|22|"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025448; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iframebiz - loaderadv***.jar"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/loaderadv"; nocase; http_uri; pcre:"/loaderadv\d+\.jar/Ui"; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002709; classtype:pup-activity; sid:2002709; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Comcast/Xfinity Phishing Landing 2018-03-30"; flow:established,to_client; file_data; content:"<!-- saved from url="; nocase; fast_pattern; within:300; content:")https://"; within:15; pcre:"/^[^/]+(?:xfinity|comcast)\.(?:com|net)/Ri"; classtype:social-engineering; sid:2025450; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Trafficsector.com Spyware Install"; flow: to_server,established; content:"/install.php?"; nocase; http_uri; content:"afid="; nocase; http_uri; content:"&user_id="; http_uri; content:"trafficsector"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002736; classtype:pup-activity; sid:2002736; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Zero Content-Length HTTP POST with data (outbound)"; flow:established,to_server; content:"POST"; nocase; http_method; http_content_len; content:"0"; fast_pattern; pcre:"/^./P"; classtype:bad-unknown; sid:2011819; rev:2; metadata:created_at 2010_10_15, updated_at 2010_10_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfSidekick Activity (rinfo)"; flow: established,to_server; content:"/rinfo.htm?"; nocase; http_uri; content:"host="; nocase; http_uri; content:"action="; nocase; http_uri; content:"client=SSK"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002738; classtype:pup-activity; sid:2002738; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious HTML Script Tag in 401 Unauthorized Response (External Source)"; flow:from_server,established; content:"HTTP/1.1 401 Unauthorized|0d 0a|"; depth:27; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010514; classtype:web-application-activity; sid:2010514; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2018_04_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP adservs.com Spyware"; flow: to_server,established; content:"/binaries/relevance.dat"; http_uri; content:"adservs"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002740; classtype:pup-activity; sid:2002740; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 4786 (msg:"ET EXPLOIT Possible CVE-2018-0171 Exploit (PoC based)"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 07|"; depth:12; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; distance:12; within:36; content:"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"; distance:4; within:44; reference:cve,2018-0171; reference:url,embedi.com/blog/cisco-smart-install-remote-code-execution/; classtype:attempted-admin; sid:2025472; rev:1; metadata:affected_product Cisco_ASA, attack_target Networking_Equipment, created_at 2018_04_06, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2018_04_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Corpsespyware.net BlackList - pcpeek"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"pcpeek-webcam-sex.com"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002766; classtype:pup-activity; sid:2002766; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>wells,fargo sign on to view your accounts</title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025473; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Corpsespyware.net Distribution - bos.biz"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"businessopportunityseeker.biz"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002767; classtype:pup-activity; sid:2002767; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>|7c 20|tracking system</title>"; nocase; content:"DHL%20_%20Tracking%20System_files/"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025474; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Corpsespyware.net Distribution - studiolacase"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"studiolacase.com"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002769; classtype:pup-activity; sid:2002769; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>resolution center - paypal</title>"; nocase; content:"href=|22|resolutioncenter_files/"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025478; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Corpsespyware.net - msits.exe access"; flow:to_server,established; content:"/msits.exe"; nocase; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002770; classtype:pup-activity; sid:2002770; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title id=|22|pagetitle|22|>facebook - log in or sign up</title>"; nocase; content:"<form id=|22|login_form|22 20|action=|22|post.php|22 20|method=|22|post|22 20|onsubmit=|22|return window.event"; nocase; distance:0; classtype:social-engineering; sid:2025479; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Corpsespyware.net - msys.exe access"; flow:to_server,established; content:"/msys.exe"; nocase; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002771; classtype:pup-activity; sid:2002771; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>share file|20 7c 20|one drive</title>"; nocase; content:"file is waiting"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:"onedrive protected file"; nocase; distance:0; classtype:social-engineering; sid:2025480; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyaxe Spyware DB Update"; flow: to_server,established; content:"/updates/database/dbver.php"; nocase; http_uri; content:"spywareaxe"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002804; classtype:pup-activity; sid:2002804; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>apple - my apple id</title>"; nocase; content:"method=|22|post|22|"; nocase; distance:0; content:"id=|22|donnee"; nocase; distance:0; fast_pattern; content:"name=|22|donnee"; nocase; distance:0; classtype:social-engineering; sid:2025481; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyaxe Spyware DB Version Check"; flow: to_server,established; content:"/updates/database/dbver.dat"; nocase; http_uri; content:"spywareaxe"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002805; classtype:pup-activity; sid:2002805; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Post.ch Cloned Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<!-- saved from url="; nocase; within:300; content:"https://account.post.ch"; nocase; within:30; classtype:social-engineering; sid:2025482; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyaxe Spyware Checkin"; flow: to_server,established; content:"/download.php?sid="; nocase; http_uri; content:"spyaxe"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002806; classtype:pup-activity; sid:2002806; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>chase online - account update</title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:".php|22|"; nocase; distance:0; content:"onsubmit=|22|javascript|3a|return webform_onsubmit()|3b 22|"; nocase; distance:0; classtype:social-engineering; sid:2025475; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DelFin Project Spyware (payload)"; flow: established,to_server; content:"/in/payload/payload.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002816; classtype:pup-activity; sid:2002816; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE QRat.Java.RAT Post-Checkin Request"; flow:established,to_server; content:"|7b 22 6d 61 67 69 63 22 3a 22|"; depth:10; offset:2; fast_pattern; content:"|22 2c 22 69 6e 64 65 78 22 3a 22|"; distance:0; content:"|22 68 61 73 2d 72 65 71 75 65 73 74 65 72 22 3a|"; distance:0; content:"|2c 22 68 61 73 2d 61 63 63 65 70 74 65 72 22 3a|"; distance:0; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:command-and-control; sid:2025393; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category MALWARE, malware_family QRat, signature_severity Major, tag Qrat, updated_at 2018_03_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DelFin Project Spyware (setup)"; flow: established,to_server; content:"/in/defaults/setup.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002817; classtype:pup-activity; sid:2002817; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2018-04-14"; flow:established,to_client; file_data; content:"method=|22|post|22|"; nocase; content:"javascript|3a|popupwnd(|22|gmail"; nocase; distance:0; fast_pattern; content:"javascript|3a|popupwnd(|22|outlook"; nocase; distance:0; content:"javascript|3a|popupwnd(|22|aol"; nocase; distance:0; content:"javascript|3a|popupwnd(|22|yahoo"; nocase; distance:0; classtype:social-engineering; sid:2025502; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Subscription POST"; flow: to_server,established; content:"/hotbar/"; nocase; http_uri; content:"Subscription.dll?"; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002820; classtype:pup-activity; sid:2002820; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mail Verification Phishing Landing 2018-04-18"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Mail Verification"; nocase; within:20; fast_pattern; content:"img src=|22|files/"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:"name=|22|passwd|22|"; nocase; distance:0; content:"All rights reserved"; nocase; distance:0; classtype:social-engineering; sid:2025514; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SideStep Bar Reporting Data (sbstart)"; flow: to_server,established; content:"/servlet/SbStartservlet"; nocase; http_uri; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002821; classtype:pup-activity; sid:2002821; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PDF Cloud Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>Sign In - PDF Cloud"; nocase; fast_pattern; content:"href=|22|index_files/adobe.css"; nocase; distance:0; content:"Sign in with your email address to view or download attachment"; nocase; distance:0; classtype:social-engineering; sid:2025515; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyWebSearch Toolbar Traffic (bar config download)"; flow: to_server,established; content:"/barcfg.jsp?"; nocase; http_uri; content:"MyWebSearchWB"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002836; classtype:pup-activity; sid:2002836; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>Bank of America|20 7c 20|Online Banking|20 7c 20|Sign In|20 7c 20|Online ID"; nocase; fast_pattern; content:"content=|22|WYSIWYG Web Builder"; nocase; distance:0; content:"href=|22|css/Untitled1.css"; nocase; distance:0; classtype:social-engineering; sid:2025516; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products StationaryChooser Spyware"; flow: to_server,established; content:"/StationeryChooser.html?"; nocase; http_uri; content: "v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002858; classtype:pup-activity; sid:2002858; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox 000webhost Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>Dropbox"; nocase; content:"method=|22|POST|22|"; nocase; distance:0; content:"Select your email provider"; nocase; distance:0; fast_pattern; content:"powered-by-000webhost"; nocase; distance:0; classtype:social-engineering; sid:2025517; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CWS Spy-Sheriff.com Infeced Buy Page Request"; flow:established,to_server; content:"/?advid="; nocase; http_uri; content:"spy-sheriff.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002933; classtype:pup-activity; sid:2002933; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Anubis - 195.22.26.192/26"; content:"|00 01 00 01|"; content:"|00 04 c3 16 1a|"; distance:4; within:5; byte_test:1,>,224,0,relative; content:!"|0e|anubisnetworks|03|com|00|"; nocase; content:!"|05|mpsmx|03|net|00|"; nocase; content:!"|09|mailspike|03|com|00|"; nocase; content:!"|09|mailspike|03|org|00|"; nocase; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2018455; rev:5; metadata:created_at 2014_05_08, former_category TROJAN, updated_at 2018_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bravesentry.com Fake Antispyware Download"; flow:established,to_server; content:"/bravesentry.exe"; nocase; http_uri; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; reference:url,doc.emergingthreats.net/bin/view/Main/2002954; classtype:pup-activity; sid:2002954; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> any 4786 (msg:"ET INFO Cisco Smart Install Protocol Observed"; flow:established,only_stream; content:"|00 00 00 01 00 00 00 01|"; depth:8; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; classtype:misc-activity; sid:2025519; rev:1; metadata:attack_target Networking_Equipment, created_at 2018_04_20, deployment Perimeter, deployment Internal, former_category INFO, signature_severity Minor, updated_at 2018_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bestcount.net Spyware Downloading vxgame"; flow:established,to_server; content:"/vxgame1/vxv.php"; nocase; http_uri; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2002956; classtype:pup-activity; sid:2002956; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> any 4786 (msg:"ET EXPLOIT Cisco Smart Install Exploitation Tool - Update Ios and Execute"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 02 00 00 01 c4|"; depth:16; content:"://"; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; reference:url,github.com/Sab0tag3d/SIET; classtype:bad-unknown; sid:2025520; rev:1; metadata:attack_target Networking_Equipment, created_at 2018_04_20, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2018_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bestcount.net Spyware Initial Infection Download"; flow:established,to_server; content:"/win32.exe"; nocase; http_uri; pcre:"/\/adv\/\d+\/win32\.exe/Ui"; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2002957; classtype:pup-activity; sid:2002957; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> any 4786 (msg:"ET EXPLOIT Cisco Smart Install Exploitation Tool - ChangeConfig"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 03 00 00 01 28|"; depth:16; content:"://"; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; reference:url,github.com/Sab0tag3d/SIET; classtype:bad-unknown; sid:2025521; rev:1; metadata:attack_target Networking_Equipment, created_at 2018_04_20, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2018_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpySherriff Spyware Activity"; flow: to_server,established; content:"/progs_exe/jbsrak/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002984; classtype:pup-activity; sid:2002984; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> any 4786 (msg:"ET EXPLOIT Cisco Smart Install Exploitation Tool - GetConfig"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 08 00 00 04 08|"; depth:16; content:"copy|20|"; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; reference:url,github.com/Sab0tag3d/SIET; classtype:bad-unknown; sid:2025522; rev:1; metadata:attack_target Networking_Equipment, created_at 2018_04_20, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2018_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Jupitersatellites.biz Spyware Download"; flow: to_server,established; content:"/traff/ppiigg.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002987; classtype:pup-activity; sid:2002987; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Centurylink Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>centurylink"; nocase; content:"href=|22|centurylink|25|20_|25|20login_files/"; nocase; fast_pattern; distance:0; classtype:social-engineering; sid:2025523; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Possible Spambot Checking in to Spam"; flow:established,to_server; content:"/devrandom/"; nocase; http_uri; fast_pattern; content:!"User-Agent|3a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002988; classtype:pup-activity; sid:2002988; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING MyADP Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>Login to MyADP"; nocase; fast_pattern; content:"href=|22|AD/"; nocase; distance:0; content:"src=|22|AD/"; nocase; distance:0; classtype:social-engineering; sid:2025524; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Possible Spambot Pulling IP List to Spam"; flow:established,to_server; content:"/devrandom/access.php"; nocase; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 (compatible)"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002990; classtype:pup-activity; sid:2002990; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing M1 2018-04-19"; flow:established,to_client; file_data; content:"<title>Sign in to your Microsoft account"; nocase; content:"<!-- /ko -->"; nocase; distance:0; fast_pattern; content:"<!-- /ko"; nocase; distance:0; content:"<!-- /ko"; nocase; distance:0; content:"<!-- /ko"; nocase; distance:0; classtype:social-engineering; sid:2025525; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Possible Spambot getting new exe"; flow:established,to_server; content:"/traff/ppiigg.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002991; classtype:pup-activity; sid:2002991; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Comcast/Xfinity Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>sign in to xfinity"; nocase; content:"src=|22|comcast_files/"; nocase; distance:0; fast_pattern; content:"src=|22|comcast_files/"; nocase; distance:0; classtype:social-engineering; sid:2025528; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP /jk/exp.wmf Exploit Code Load Attempt"; flow:to_server,established; content:"/jk/exp.wmf"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002999; classtype:pup-activity; sid:2002999; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LCL Banque Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>lcl banque"; nocase; content:"src=|22|./lcl_files/"; nocase; distance:0; fast_pattern; content:"src=|22|./lcl_files/"; nocase; distance:0; classtype:social-engineering; sid:2025529; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PopupSh.ocx Access Attempt"; flow:to_server,established; content:"/PopupSh.ocx"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003000; classtype:pup-activity; sid:2003000; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing M2 2018-04-19"; flow:established,to_client; file_data; content:"<title>Sign in to your account"; nocase; content:"content=|22|WYSIWYG Web Builder"; nocase; distance:0; content:"<form name=|22|ff|22|"; nocase; distance:0; fast_pattern; content:"method=|22|POST|22|"; nocase; distance:0; classtype:social-engineering; sid:2025526; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware Actionlibs Download"; flow:to_server,established; content:"/actionurls/ActionUrlb"; http_uri; nocase; content:"partnerid="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003057; classtype:pup-activity; sid:2003057; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Popupwnd Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"function popupwnd(url,"; nocase; fast_pattern; content:"var popupwindow = this.open(url,"; nocase; distance:0; content:"onload=|22|unhideBody()|22|"; nocase; distance:0; content:",'no','no','no','no','no','no'"; nocase; distance:0; classtype:social-engineering; sid:2025527; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware Installer Download"; flow:to_server,established; content:"/downloads/valueadd/ping/ping.htm"; nocase; http_uri; content:"zango.com|0d 0a|"; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003058; classtype:pup-activity; sid:2003058; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Unknown - Landing Page Requested - /?Digit"; flow:established,to_server; urilen:9<>16; content:"/?"; http_uri; depth:13; pcre:"/^\/[a-z0-9]{6,10}\/\?[0-9]{1,2}$/Ui"; classtype:bad-unknown; sid:2016193; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware TB Installer Download"; flow:to_server,established; content:"/ZangoTBInstaller.exe"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003059; classtype:pup-activity; sid:2003059; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE HawkEye Keylogger FTP"; flow:established,to_server; content:"STOR HawkEye"; nocase; pcre:"/^(?:_|Keylogger)/Ri"; reference:md5,85f3b302afa0989a91053af6092f3882; classtype:trojan-activity; sid:2020410; rev:4; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware Event Activity Post"; flow:to_server,established; content:"/php/uci.php"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003061; classtype:pup-activity; sid:2003061; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY WebRTC IP tracking Javascript"; flow:established,from_server; file_data; content:"function getIPs|28|callback|29|"; nocase; fast_pattern; content:"ip_dups"; nocase; content:"handleCandidate"; nocase; content:"RTCPeerConnection"; nocase; reference:url,github.com/diafygi/webrtc-ips; classtype:successful-recon-limited; sid:2021089; rev:3; metadata:created_at 2015_05_13, former_category POLICY, updated_at 2018_04_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Content-loader.com Spyware Install"; flow: to_server,established; content:"/getexe/?wmid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003074; classtype:pup-activity; sid:2003074; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MS10-090 IE CSS Exploit Metasploit POC Specific Unicoded"; flow:to_client,established; content:"|40 00 69 00 6d 00 70 00 6f 00 72 00 74 00|"; content:"|40 00 69 00 6d 00 70 00 6f 00 72 00 74 00|"; distance:0; content:"|40 00 69 00 6d 00 70 00 6f 00 72 00 74 00|"; distance:0; pcre:"/@\x00i\x00m\x00p\x00o\x00r\x00t\x00\x20.{4,20}[^\x00\w\s.]/sG"; reference:cve,CVE-2010-3971; reference:url,breakingpointsystems.com/community/blog/ie-vulnerability/; reference:bid,45246; classtype:attempted-admin; sid:2012149; rev:5; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, created_at 2011_01_05, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category WEB_CLIENT, signature_severity Critical, tag Web_Client_Attacks, tag Metasploit, updated_at 2018_04_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Content-loader.com Spyware Install 2"; flow: to_server,established; content:"/getdata/getdata.php?wmid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003075; classtype:pup-activity; sid:2003075; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Downloader.Win32.Agent.vhvw Checkin MINIASP"; flow:to_server,established; content:".asp?device_t="; http_uri; content:"&key="; http_uri; content:"&device_id="; http_uri; content:"&cv="; http_uri; threshold: type both, track by_src, count 1, seconds 120; reference:md5,e4a4e2a3b3adaf3a31e34cd2844a3374; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=1042762#none; classtype:trojan-activity; sid:2016430; rev:4; metadata:created_at 2012_04_18, former_category TROJAN, updated_at 2018_05_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Content-loader.com (ownusa.info) Spyware Install"; flow: to_server,established; content:"/fdial2.php?o="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003076; classtype:pup-activity; sid:2003076; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-05-01"; flow:established,to_client; file_data; content:"<title"; nocase; content:"bank of america"; nocase; within:30; content:"<form name=|22|b0a|22|"; nocase; distance:0; fast_pattern; content:".php?session=$pmd$pmd|22 20|method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025549; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TROJAN_VB Microjoin"; flow:established,to_server; content:"/bundle/loader.exe"; nocase; http_uri; reference:url,de.trendmicro-europe.com/consumer/vinfo/encyclopedia.php?VName=TROJ_VB.AWW; reference:url,doc.emergingthreats.net/bin/view/Main/2003084; classtype:pup-activity; sid:2003084; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-05-01"; flow:established,to_client; file_data; content:"<title"; nocase; content:"One Drive"; nocase; within:25; content:"function popupwnd(url"; nocase; distance:0; content:"choose your email provider"; nocase; distance:0; content:"onclick=|22|popupwnd("; nocase; distance:0; fast_pattern; content:"'no','no','no','no','no','no'"; nocase; distance:0; classtype:social-engineering; sid:2025550; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_05_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products SmileyCentral IEsp2 Install"; flow: to_server,established; content:"/download/install_ie_sp2.jhtml?"; nocase; http_uri; content:"product="; nocase; http_uri; content:"utmCall="; nocase; http_uri; content:"bOrganic="; nocase; http_uri; reference:url,www.myfuncards.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003151; classtype:pup-activity; sid:2003151; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Docusign Phishing Landing 2018-05-01"; flow:established,to_client; file_data; content:"<title> DocuSlgn </title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025551; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_06_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bestcount.net Spyware Exploit Download"; flow:established,to_server; content:"/sploit.anr"; nocase; http_uri; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2003153; classtype:pup-activity; sid:2003153; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java/QRat Variant Checkin"; flow:established,to_server; dsize:9; content:"|00 07|nemesis"; classtype:command-and-control; sid:2025552; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_01, deployment Perimeter, former_category MALWARE, malware_family QRat, signature_severity Major, updated_at 2018_05_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bestcount.net Spyware Data Upload"; flow:established,to_server; content:"/objects/ocget.dll"; nocase; http_uri; content:"mybest"; nocase; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2003154; classtype:pup-activity; sid:2003154; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - GIF Header With HTML Form"; flow:established,to_client; file_data; content:"GIF89a"; within:6; content:"<form "; nocase; fast_pattern; within:150; content:!"_VIEWSTATE"; classtype:trojan-activity; sid:2017134; rev:5; metadata:created_at 2013_07_12, updated_at 2013_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Thespyguard.com Spyware Install"; flow:established,to_server; content:"/soft/installers/spyguardf.php"; nocase; http_uri; reference:url,www.thespyguard.com; reference:url,www.kliksoftware.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003201; classtype:pup-activity; sid:2003201; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Netflix Phishing Landing 2018-05-02"; flow:established,to_client; file_data; content:"|23 20 4e 65 77 20 53 63 61 6d 61 20 4e 65 74 66 6c 69 78 20 32 30 31 38 20 42 79 20 58 2d 59 61 63 20 23|"; within:500; classtype:social-engineering; sid:2025555; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Thespyguard.com Spyware Update Check"; flow:established,to_server; content:"/soft/update/check_update.php"; nocase; http_uri; content:"Host|3a| www.kliksoftware.com"; nocase; http_header; fast_pattern; reference:url,www.kliksoftware.com; reference:url,www.thespyguard.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003202; classtype:pup-activity; sid:2003202; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-05-02"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Log in to your PayPal"; nocase; within:40; content:"PayPaI.|20 7c 20|All rights reserved."; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025556; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hitvirus Fake AV Install"; flow:established,to_server; content:"/soft/installers/hitvirusf.php"; nocase; http_uri; content:"get.hitvirus.com"; nocase; http_header; reference:url,www.kliksoftware.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003203; classtype:pup-activity; sid:2003203; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe PDF in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"%PDF-"; within:6; flowbits:set,ET.pdf.in.http; flowbits:noalert; reference:cve,CVE-2008-2992; reference:bugtraq,30035; reference:secunia,29773; classtype:not-suspicious; sid:2015671; rev:10; metadata:created_at 2010_09_25, updated_at 2010_09_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Thespyguard.com Spyware Updating"; flow:established,to_server; content:"/soft/update/get.php"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"mail="; nocase; http_uri; content:"Host|3a| www.kliksoftware.com"; nocase; http_header; reference:url,www.kliksoftware.com; reference:url,www.thespyguard.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003204; classtype:pup-activity; sid:2003204; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Ixeshe CnC)"; flow:established,from_server; content:"|09 00 b5 c7 52 c9 87 81 b5 03|"; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022960; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Informer from RBC)"; flow:to_server,established; content:"Informer from RBC"; fast_pattern:only; http_header; reference:url,www.kliksoftware.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003205; classtype:pup-activity; sid:2003205; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Phishing Landing 2018-05-07"; flow:established,to_client; file_data; content:"<title>mytax portal</title>"; nocase; fast_pattern; content:"id=|22|form1|22 20|name=|22|form1|22|"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:".php|22|"; nocase; distance:0; content:"name=|22|pww|22 20|type=|22|password|22 20|id=|22|pww|22|"; nocase; distance:0; classtype:social-engineering; sid:2025561; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Best-targeted-traffic.com Spyware Ping"; flow:established,to_server; content:"/ping.php?"; nocase; http_uri; content:"ul=http"; nocase; http_uri; content:"unq="; nocase; http_uri; content:"User-Agent|3a| Opera "; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003211; classtype:pup-activity; sid:2003211; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER CoinHive In-Browser Miner Detected"; flow:established,from_server; file_data; content:"coinhive.min.js"; nocase; fast_pattern; content:"start"; nocase; distance:0; content:"script"; content:"var"; distance:0; pcre:"/^\s*(?P<var>[a-zA-Z0-9]{3,20})\s*=\s*new\s*CoinHive\s*\.\s*[^\(]+\(\s*[\x22\x27][A-Za-z0-9]+\s*[\x22\x27]\s*(?:\x2c\s*\x7b\s*\w+\x3a\s*\d\.\d\x7d)?\)\s*\x3b\s+(?P=var)\s*\.\s*start/Ri"; classtype:coin-mining; sid:2024721; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category COINMINER, performance_impact Moderate, signature_severity Minor, updated_at 2018_05_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware Installer Config 2"; flow:to_server,established; content:"config.aspx"; http_uri; nocase; fast_pattern; content:"?ver="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003217; classtype:pup-activity; sid:2003217; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2022_05_03, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Netflix Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"content=|22 48 46 2d 4a 61 63 6b 73 6f 6e 22|"; nocase; content:"name=|22 48 46 2d 4a 61 63 6b 73 6f 6e 22|"; nocase; distance:0; content:"class=|22 48 46 5f 4a 61 63 6b 73 6f 4e 5f|"; nocase; distance:0; content:"class=|22 42 79 5f 48 61 73 73 61 6e 5f 46 61 72 74 6f 75 74 22|"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025568; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Conduit Connect Toolbar Message Download(Many report to be benign)"; flow: to_server,established; content:"/Message/"; http_uri; content:"User-Agent|3a| EI"; nocase; http_header; pcre:"/\/Message\/\S+\/\S+\.xml/Ui"; reference:url,www.conduit.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003218; classtype:pup-activity; sid:2003218; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Netflix Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"class=|22 6d 6f 75 73 74 61 63 68 65 22|"; nocase; fast_pattern; content:"class=|22 77 69 7a 22|"; nocase; distance:0; content:"class=|22 68 61 73 73 61 6e 22|"; nocase; distance:0; classtype:social-engineering; sid:2025569; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alexa Spyware Reporting"; flow:established,to_server; content:"/data?"; nocase; http_uri; content:"cli="; nocase; http_uri; content:"&dat="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&uid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003219; classtype:pup-activity; sid:2003219; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"class=|22 6c 6f 67 69 6e 5f 6d 6f 75 73 74 61 63 68 65 22|"; nocase; fast_pattern; content:"class=|22 6e 73 69 74 22|"; nocase; distance:0; content:"class=|22 74 39 61 79 61 64 22|"; nocase; distance:0; content:"class=|22 74 73 61 6e 61 22|"; nocase; distance:0; classtype:social-engineering; sid:2025570; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MySearchNow.com Spyware"; flow: to_server,established; content:"exe/dns.html"; nocase; http_uri; content:"User-Agent|3a| TPSystem"; nocase; http_header; reference:url,www.mysearchnow.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003221; classtype:pup-activity; sid:2003221; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"class=|22 69 6d 67 5f 76 69 63 74 69 6d 65 22|"; nocase; fast_pattern; content:"class=|22 6e 61 6d 65 5f 76 69 63 74 69 6d 65 22|"; nocase; distance:0; content:"class=|22 6d 6f 75 73 74 61 63 68 65 22|"; nocase; distance:0; content:"class=|22 6d 6f 75 73 74 61 63 68 65 5f 61 6e 6f 6e 69 73 6d 61 22|"; nocase; distance:0; content:"class=|22 6d 69 61 5f 6b 68 61 6c 69 66 61 22|"; nocase; distance:0; classtype:social-engineering; sid:2025571; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyWebSearch Toolbar Receiving Config 2"; flow: to_server,established; content:"/mySpeedbarCfg2.jsp"; nocase; http_uri; content:"MyWebSearch"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003222; classtype:pup-activity; sid:2003222; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"<!--|20 41 6e 4f 5f 6f 6e 69 73 6d 61 20|-->"; nocase; fast_pattern; content:"name=|22 41 6e 6f 6e 69 73 6d 61 22|"; nocase; distance:0; content:"class=|22 41 6e 6f 6e 69 73 6d 61|"; nocase; distance:0; classtype:social-engineering; sid:2025572; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP New.net Spyware updating"; flow:established,to_server; content:"/download/NewDotNet/"; nocase; http_uri; content:"/upgrade.cab?"; nocase; http_uri; content:"upg="; nocase; http_uri; content:"ec="; nocase; http_uri; reference:url,www.new.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003240; classtype:pup-activity; sid:2003240; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"class=|22 61 2d 6e 2d 6f 2d 6e 2d 69 2d 73 2d 6d 2d 61 22|"; nocase; fast_pattern; content:"id=|22 62 6f 74 64 6b 68 6f 6c 22|"; nocase; distance:0; classtype:social-engineering; sid:2025573; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP New.net Spyware Checkin"; flow:established,to_server; content:"/?version="; nocase; http_uri; content:"discard_tag="; nocase; http_uri; content:"source="; nocase; http_uri; content:"ptr="; nocase; http_uri; content:"br=NewDotNet"; nocase; http_uri; content:"ec="; nocase; http_uri; reference:url,www.new.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003241; classtype:pup-activity; sid:2003241; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Chalbhai (Multibrand) Phishing Landing 2018-05-10"; flow:established,to_client; file_data; content:"function unhideBody()"; nocase; fast_pattern; content:"bodyElems"; distance:0; pcre:"/^\s*=\s*document\s*\.\s*getElementsByTagName\s*\(\s*[\x22\x27]body[\x22\x27]/Ri"; content:"bodyElems[0]"; distance:0; pcre:"/^\s*\.\s*style\s*\.\s*visibility\s*=\s*[\x22\x27]visible[\x22\x27]/Ri"; content:"style=|22|visibility:hidden|22 20|onload=|22|unhideBody()|22|"; nocase; distance:0; content:"<div id=|22|image1|22 20|style=|22|position|3a|absolute|3b 20|overflow|3a|hidden|3b 20|left|3a|"; nocase; distance:0; classtype:social-engineering; sid:2025653; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpySheriff Intial Phone Home"; flow:established,to_server; content:"trial.php?rest="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"trial.php"; nocase; content:!"User-Agent|3a| "; http_header; reference:url,vil.nai.com/vil/content/v_135033.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2003251; classtype:pup-activity; sid:2003251; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded U3D"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/U3D"; within:64; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; reference:cve,2018-4989; reference:cve,2018-4987; classtype:bad-unknown; sid:2013995; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_12_08, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2018_05_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore Spyware Uploading Data"; flow: to_server,established; content:"/scripts/contentidpost.dll"; nocase; http_uri; content:"OSS-Proxy"; nocase; http_header; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003253; classtype:pup-activity; sid:2003253; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Javascript obfuscation using app.setTimeOut in PDF in Order to Run Code"; flow:established,to_client; content:"PDF-"; depth:300; content:"app.setTimeOut("; nocase; distance:0; reference:url,www.h-online.com/security/features/CSI-Internet-PDF-timebomb-1038864.html?page=4; reference:url,www.vicheck.ca/md5query.php?hash=6932d141916cd95e3acaa3952c7596e4; reference:cve,2018-4980; reference:cve,2018-4961; classtype:bad-unknown; sid:2011868; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2018_05_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Travel Update Spyware"; flow:established,to_server; content:"/abt?data="; nocase; http_uri; pcre:"/\/abt\?data=\S{150}/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2003297; classtype:pup-activity; sid:2003297; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0d|IT Department"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|0b|example."; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021013; rev:7; metadata:attack_target Client_and_Server, created_at 2015_04_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family TrickBot, malware_family Dridex, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2018_05_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP KMIP.net Spyware"; flow:established,to_server; content:"/iesocks?peer_id="; nocase; http_uri; content:"ver="; nocase; http_uri; reference:url,www.kmip.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003298; classtype:pup-activity; sid:2003298; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vibem.C CnC Activity"; flow:established,to_server; content:"|63 76 c4 52 99 1d 04 80 a9 1b 2d|"; depth:11; content:!"|00|"; reference:md5,bef6faabe3d80037c18fa7b806f4488e; classtype:command-and-control; sid:2025581; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2018_05_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Effectivebrands.com Spyware Checkin"; flow:established,to_server; content:"/iis2ebs.asp"; nocase; http_uri; content:"effectivebrands.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003304; classtype:pup-activity; sid:2003304; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query For Browser Cryptocurrency Mining Domain"; content:"|06|static|0a|reasedoper|02|pw|00|"; fast_pattern; nocase; reference:url,www.welivesecurity.com/2017/09/14/cryptocurrency-web-mining-union-profit/; classtype:trojan-activity; sid:2024779; rev:5; metadata:affected_product Web_Browsers, created_at 2017_09_27, former_category POLICY, malware_family CoinMiner, updated_at 2018_05_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Cursor DL"; flow: to_server,established; content:"/czcontent/cursor"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003307; classtype:pup-activity; sid:2003307; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious Chrome Extension Click Fraud Activity via Websocket"; flow:established,to_client; content:"|7b 22|id|22 3a|"; within:10; content:"|2c 22|data|22 3a 7b 22|method|22 3a 22|GET|22 2c 22|url|22 3a 22|"; distance:0; content:"|22 2c 22|headers|22 3a 7b 22|"; distance:0; content:"|2c 22|timeout|22 3a|30000|2c 22|body|22 3a 22|"; distance:0; fast_pattern; threshold: type both, track by_dst, count 1, seconds 120; reference:url,www.icebrg.io/index.php?p=blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; reference:url,www.icebrg.io/blog/more-extensions-more-money-more-problems; classtype:trojan-activity; sid:2025221; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2018_06_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AntiVermins.com Fake Antispyware Package User-Agent (AntiVerminser)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; http_header; content:"AntiVerminser"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2003336; classtype:pup-activity; sid:2003336; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_05_03;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cryptocurrency Miner Checkin"; flow:established,to_server; content:"|7b 22|id|22 3a|"; nocase; depth:6; content:"|22|jsonrpc|22 3a|"; nocase; distance:0; content:"|22 2c 22|method|22 3a 22|login|22 2c 22|params|22 3a|"; fast_pattern; content:"|22|pass|22 3a 22|"; nocase; content:"|22|agent|22 3a 22|"; nocase; content:!"<title"; nocase; content:!"<script"; nocase; content:!"<html"; nocase; classtype:policy-violation; sid:2024792; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2018_06_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Download UBAgent) - lop.com and other spyware"; flow:to_server,established; content:"Download UBAgent"; http_header; fast_pattern:only; reference:url,www.spywareinfo.com/articles/lop/; reference:url,doc.emergingthreats.net/2003345; classtype:pup-activity; sid:2003345; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET DELETED Job314/Neutrino Reboot EK Flash Exploit Nov 20 2014"; flow:established,to_server; content:"x-flash-version|3a|"; fast_pattern:only; http_header; pcre:"/^\/(?:[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)$/U"; pcre:"/^Referer\x3a[^\r\n]+\x3a\d+\/(?:[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,3}|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3})/Hm"; classtype:exploit-kit; sid:2019763; rev:9; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gamehouse.com Activity"; flow: to_server,established; content:"/game-quit-count.jsp?ghgamecode="; http_uri; reference:url,www.gamehouse.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003348; classtype:pup-activity; sid:2003348; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data May 15 2013"; flow:established,to_server; content:"POST"; nocase; http_method; pcre:"/^\/[a-z][a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; pcre:"/^Referer\x3a[^\r\n]+[?&][a-z]+=\d+\r$/Hmi"; content:"=%25"; http_client_body; pcre:"/=%25[0-9A-F]{2}%25[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016853; rev:16; metadata:created_at 2013_05_16, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winferno Registry Fix Spyware Download"; flow: to_server,established; content:"/freeze_rpc6bundle_us/REGISTRYFIXDLL.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003353; classtype:pup-activity; sid:2003353; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Landing Landing URI Struct (fb set)"; flow:to_server,established; content:!"Cookie|3a|"; content:"Windows NT"; http_header; fast_pattern:only; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method; pcre:"/^User-agent\x3a\x20[^\r\n]*?(?:MSIE|rv\x3a11|Edge\/)/Hmi"; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U"; content:!"Cookie|3a|"; flowbits:set,Neutrino.URI.Primer; flowbits:noalert; classtype:exploit-kit; sid:2025064; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_06_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, tag Neutrino, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Yourscreen.com Spyware Download"; flow: to_server,established; content:"/data/yourscreen_data.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003354; classtype:pup-activity; sid:2003354; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Nov 18 2013"; flow:established,from_server; file_data; content:"<title>"; content:"soft apple."; fast_pattern; distance:0; content:"</title>"; distance:0; content:"AgControl.AgControl"; nocase; content:"Math.floor"; nocase; classtype:exploit-kit; sid:2017729; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Catchonlife.com Spyware"; flow: to_server,established; content:"/nw3/r1.txt?"; http_uri; content:"catchonlife"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003358; classtype:pup-activity; sid:2003358; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Oct 22 2014"; flow:established,from_server; content:"Expires|3a| Sat, 26 Jul"; http_header; content:"Last-Modified|3a| Sat, 26 Jul 2040 05|3a|00"; http_header; fast_pattern:15,20; classtype:exploit-kit; sid:2019488; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Effectivebrands.com Spyware Checkin 2"; flow:established,to_server; content:"/iis2ucms.asp"; nocase; http_uri; content:"effectivebrands.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003360; classtype:pup-activity; sid:2003360; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ecessa WANWorx WVR-30 Cross-Site Request Forgery"; flow:from_server,established; file_data; content:"method"; nocase; content:"POST"; content:"user_username"; content:"user_passwd"; content:"checked"; content:"savecrtcfg"; fast_pattern; classtype:web-application-attack; sid:2025737; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Freeze.com Spyware/Adware (Pulling Ads)"; flow: to_server,established; content:"/ToastMessage/"; nocase; http_uri; content:"/Toast.asp?ysaid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003362; classtype:pup-activity; sid:2003362; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Intex Router N-150 Cross-Site Request Forgery"; flow:from_server,established; file_data; content:"method"; nocase; content:"POST"; content:"PPW"; content:"submit"; content:"SSID"; content:"isp"; content:"WAN"; content:"wirelesspassword"; fast_pattern; content:"name"; content:"value"; classtype:web-application-attack; sid:2025739; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Adopt/Zango"; flow: to_server,established; content:"/adopt.jsp?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"&sz="; nocase; http_uri; content:"cid="; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003364; classtype:pup-activity; sid:2003364; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] Wells Fargo Phishing Landing 2018-06-20"; flow:established,to_client; file_data; content:"<title>Wells Fargo |3a| Banking|2c|"; nocase; fast_pattern; content:"content=|22|WELLS FARGO BANK|22|"; nocase; distance:0; classtype:social-engineering; sid:2025624; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_06_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Zango Toolbar Spyware User Agent (ZangoToolbar )"; flow:to_server,established; content:"ZangoToolbar"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a.+ZangoToolbar.+\r$/Hmi"; reference:url,doc.emergingthreats.net/2003365; classtype:pup-activity; sid:2003365; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] OneDrive Phishing Landing 2018-06-15"; flow:established,to_client; file_data; content:"<title>One Drive Cloud Document Sharing"; nocase; fast_pattern; content:"Select with email provider below"; nocase; distance:0; content:"Login with Office 365"; nocase; distance:0; classtype:social-engineering; sid:2025625; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_06_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spy-Not.com Spyware Pulling Fake Sigs"; flow:to_server,established; content:"/updates1/SKSignatures.zip"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003375; classtype:pup-activity; sid:2003375; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert udp any 67 -> any 68 (msg:"ET EXPLOIT DynoRoot DHCP - Client Command Injection"; content:"|02|"; depth:1; content:"|35 01 05 fc|"; distance:0; content:"|2f|bin|2f|sh"; fast_pattern; distance:0; reference:url,exploit-db.com/exploits/44652/; reference:cve,2018-1111; classtype:attempted-admin; sid:2025765; rev:2; metadata:attack_target Networking_Equipment, created_at 2018_06_29, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Instafinder.com spyware"; flow: established,to_server; content:"/404/update/instafi"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003376; classtype:pup-activity; sid:2003376; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_05_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"ET EXPLOIT CloudMe Sync Buffer Overflow"; flow:established,to_server; content:"|fe e7 d1 61 a8 98 03 69 10 06 e7 6f 6f 0a c4 61 5a ea c8 68 e1 52 d6 68 a2 7c fa 68 ff fd ff ff|"; fast_pattern; distance:0; content:"|92 70 b4 6e 47 27 d5 68 ff ff ff ff bc 48 f9 68|"; distance:0; content:"|3c 06 f8 68 72 a4 f9 68 c0 ff ff ff 92 70 b4 6e|"; distance:0; content:"|ab 57 f0 61 a3 ef b5 6e  d1 14 dc 61 0c ed b4 64 45 62 ba 61|"; distance:0; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; distance:0; reference:url,exploit-db.com/exploits/44784/; reference:cve,2018-6892; classtype:attempted-admin; sid:2025766; rev:2; metadata:attack_target Server, created_at 2018_06_29, cve CVE_2018_6892, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spy-Not.com Spyware Updating"; flow:to_server,established; content:"/updates1/SKVersion.ini"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003377; classtype:pup-activity; sid:2003377; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS DAMICMS Cross-Site Request Forgery (Add Admin)"; flow:from_server,established; file_data; content:"history.pushState"; content:"/admin.php?s=/Admin/doadd|22| method=|22|POST|22|>"; nocase; fast_pattern; content:"name=|22|username|22|"; content:"name=|22|password|22|"; reference:url,exploit-db.com/exploits/44960/; classtype:web-application-attack; sid:2025771; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_02, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Keywords Download"; flow: to_server,established; content:"/keywords/kyfb."; nocase; http_uri; content:"partner_id="; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003388; classtype:pup-activity; sid:2003388; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FTPShell client Stack Buffer Overflow"; flow:established,from_server; content:"220|20 22|"; isdataat:400,relative; content:!"|00|"; within:400; content:!"|22|"; within:400; content:!"|0b|"; within:400; content:!"|0a|"; within:400; content:!"|0d|"; within:400; content:"|ed 2e 45 22 20|"; fast_pattern; distance:400; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-7573; reference:url,exploit-db.com/exploits/44968/; classtype:attempted-user; sid:2025779; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Application Version Check"; flow: to_server,established; content:"/versions.html"; nocase; http_uri; content:"whenu.com"; nocase; http_header; fast_pattern; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2003389; classtype:pup-activity; sid:2003389; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ModSecurity 3.0.0 Cross-Site Scripting"; flow:established,from_server; file_data; content:"onError"; content:"prompt"; fast_pattern; content:"img"; pcre:"/^\s*((?!>).)+?\s*src\s*=\s*[\x22\x27]\s*[^\x27\x28]+?[\x22\x27]\s*onError\s*=\s*prompt\s*\x28\s*[^)]*?(?:document|s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Rsi"; reference:cve,2018-13065; reference:url,exploit-db.com/exploits/44970/; classtype:attempted-user; sid:2025781; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Critical, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfAccuracy.com Spyware Pulling Ads"; flow:to_server,established; content:"/sacc/popup.php"; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99; reference:url,doc.emergingthreats.net/bin/view/Main/2003391; classtype:pup-activity; sid:2003391; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET EXPLOIT Oracle Weblogic Server Deserialization Remote Command Execution"; flow:established,to_server; content:"java.rmi.registry.Registry"; fast_pattern; content:"java.lang.reflect.Proxy"; content:"java.rmi.server.RemoteObjectInvocationHandler"; content:"UnicastRef"; reference:url,exploit-db.com/exploits/44553/; reference:cve,2018-2628; classtype:attempted-user; sid:2025788; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_05, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyhealer Fake Anti-Spyware Install User-Agent (SpyHealer)"; flow:to_server,established; content:"User-Agent|3a| SpyHeal"; nocase; http_header; reference:url,doc.emergingthreats.net/2003399; classtype:pup-activity; sid:2003399; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat PDF Reader use after free JavaScript engine (CVE-2017-16393)"; flow:established,from_server; flowbits:isset,ET.pdf.in.http; file_data; content:"this.addAnnot"; nocase; content:"this.addField"; nocase; content:".popupRect"; nocase; content:".setAction("; nocase; content:"OnFocus"; nocase; content:"setFocus"; nocase; pcre:"/\s+?(?P<var1>[^\s\x3d]+?)\s*?=\s*?this\.addAnnot.+?(?P=var1)\s*\x2epopupRect\s*?=\s*?0x4000/si"; pcre:"/\s+?(?P<var2>[^\s\x3d]+?)\s*?=\s*?this\.addField.+?(?P=var2)\s*\x2e\s*setAction\s*?\x28\s*?[\x22\x27]\s*?OnFocus[^\x29]+popupOpen\s*?=\s*?true/si"; reference:cve,2017-16393; classtype:attempted-user; sid:2025091; rev:3; metadata:affected_product Adobe_Reader, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com WhenUSave Data Retrieval (DataChunksGZ)"; flow: to_server,established; content:"/DataChunksGZ?update="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"svr="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2003404; classtype:pup-activity; sid:2003404; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Exim Internet Mailer Remote Code Execution"; flow:established,to_server; content:"JHtydW57L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3Av"; reference:cve,2018-6789; reference:url,exploit-db.com/exploits/44571/; classtype:attempted-user; sid:2025793; rev:2; metadata:attack_target SMTP_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Epilot.com Spyware Reporting"; flow:established,to_server; content:"/getresults.aspx"; nocase; http_uri; content:"?aff="; nocase; http_uri; content:"&ip="; nocase; http_uri; content:"&keyword="; nocase; http_uri; content:"&source="; nocase; http_uri; reference:url,www.intermute.com/spysubtract/researchcenter/ClientMan.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003414; classtype:pup-activity; sid:2003414; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 9000 (msg:"ET EXPLOIT xdebug OS Command Execution"; flow:established,to_server; content:"eval -i 1 --|0d 0a|ZmlsZV9wdXRfY29udGVudH"; reference:url,exploit-db.com/exploits/44568/; classtype:attempted-user; sid:2025794; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Epilot.com Spyware Reporting Clicks"; flow:established,to_server; content:"/click.aspx?"; nocase; http_uri; content:"?xp="; nocase; http_uri; content:"Host|3a| "; nocase; http_header; content:"epilot.com"; nocase; http_header; reference:url,www.intermute.com/spysubtract/researchcenter/ClientMan.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003416; classtype:pup-activity; sid:2003416; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT bin bash base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"vYmluL2Jhc2"; classtype:attempted-user; sid:2025806; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CNSMIN (3721.com) Spyware Activity"; flow:established,to_server; content:"/download/CnsMin"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003417; classtype:pup-activity; sid:2003417; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"vKjw/cGhwI"; classtype:attempted-user; sid:2025809; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CNSMIN (3721.com) Spyware Activity 2"; flow:established,to_server; content:"/download/CnsUp"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003418; classtype:pup-activity; sid:2003418; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"MeW84UDNCb2ND"; classtype:attempted-user; sid:2025812; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CNSMIN (3721.com) Spyware Activity 3"; flow:established,to_server; content:"/download/autolvsw.ini?"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003419; classtype:pup-activity; sid:2003419; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"c3lzdGVtKCIgcGhw"; classtype:attempted-user; sid:2025795; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP xxxtoolbar.com Spyware Install User-Agent"; flow:to_server,established; content:"User-Agent|3a 32 8b 86 85 86 8e 85 86 8c 0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003429; classtype:pup-activity; sid:2003429; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"N5c3RlbSgiIHBoc"; classtype:attempted-user; sid:2025796; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Abcsearch.com Spyware Reporting"; flow:established,to_server; content:"/cgi-bin/search/mxml.fcgi?"; nocase; http_uri; content:"Terms="; nocase; http_uri; content:"&affiliate="; nocase; http_uri; content:"&subid="; nocase; http_uri; content:"&Hits_Per_Page="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003438; classtype:pup-activity; sid:2003438; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"zeXN0ZW0oIiBwaH"; classtype:attempted-user; sid:2025797; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Webbuying.net Spyware Install User-Agent (wbi_v0.90)"; flow:to_server,established; content:" wbi_v0."; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+wbi_v\d/iH"; reference:url,doc.emergingthreats.net/2003441; classtype:pup-activity; sid:2003441; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 4"; flow:established,to_server; content:"c3lzdGVtKCJwaH"; classtype:attempted-user; sid:2025798; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Webbuying.net Spyware Installing"; flow:established,to_server; content:"/inst.php?"; nocase; http_uri; content:"d="; nocase; http_uri; content:"&cl="; nocase; http_uri; content:"&l="; nocase; http_uri; content:"&e="; nocase; http_uri; content:"&v=wbi_v"; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&win="; nocase; http_uri; content:"&un=0"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003442; classtype:pup-activity; sid:2003442; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 5"; flow:established,to_server; content:"N5c3RlbSgicGhw"; classtype:attempted-user; sid:2025799; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Deskwizz.com Spyware Install Code Download"; flow: to_server,established; content:"/ax/acdt-pid"; nocase; http_uri; content:".exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003444; classtype:pup-activity; sid:2003444; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 6"; flow:established,to_server; content:"zeXN0ZW0oInBoc"; classtype:attempted-user; sid:2025800; rev:2; metadata:created_at 2018_07_09, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware Command Client Checkin"; flow: to_server,established; content:"/client.php?str="; nocase; http_uri; content:"Indy Library)"; nocase; http_user_agent; reference:url,www.nuker.com/container/details/adware_command.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003446; classtype:pup-activity; sid:2003446; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT file_put_contents php base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"ZmlsZV9wdXRfY29udGVudH"; classtype:attempted-user; sid:2025801; rev:2; metadata:affected_product Web_Server_Applications, affected_product PHP, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Specificclick.net Spyware Activity"; flow: to_server,established; content:"/adopt.sm?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"&sz="; nocase; http_uri; content:"&redir="; nocase; http_uri; content:"&nmv="; nocase; http_uri; content:"&nrsz="; nocase; http_uri; content:"&r="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003450; classtype:pup-activity; sid:2003450; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT file_put_contents php base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"ZpbGVfcHV0X2NvbnRlbnRz"; classtype:attempted-user; sid:2025802; rev:2; metadata:affected_product Web_Server_Applications, affected_product PHP, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP K8l.info Spyware Activity"; flow: to_server,established; content:"/media/servlet/view/dynamic/url/zone?"; nocase; http_uri; content:"zid="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&DHWidth="; nocase; http_uri; content:"&DHHeight="; nocase; http_uri; content:"Ref="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003451; classtype:pup-activity; sid:2003451; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT file_put_contents php base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"maWxlX3B1dF9jb250ZW50c"; classtype:attempted-user; sid:2025803; rev:2; metadata:affected_product Web_Server_Applications, affected_product PHP, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CoolDeskAlert Spyware Activity"; flow:to_server,established; content:"/alert/get_xml"; nocase; http_uri; content:"deskbar_id={"; nocase; reference:url,cooldeskalert.com; reference:url,www.benedelman.org/spyware/images/bannerfarms-ad_w_a_r_e-globalstore-log-061006.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003462; classtype:pup-activity; sid:2003462; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT bin bash base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"L2Jpbi9iYXNo"; classtype:attempted-user; sid:2025804; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User-Agent (Toolbar) Possibly Malware/Spyware"; flow:to_server,established; content:"User-Agent|3a| Toolbar"; http_header; content:!"cf.icq.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2003463; classtype:pup-activity; sid:2003463; rev:18; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT bin bash base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"9iaW4vYmFza"; classtype:attempted-user; sid:2025805; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DelFin Project Spyware (setup-alt)"; flow: established,to_server; content:"/in/defaults/setup-alt.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003472; classtype:pup-activity; sid:2003472; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"Lyo8P3BocC"; classtype:attempted-user; sid:2025807; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DelFin Project Spyware (payload-alt)"; flow: established,to_server; content:"/in/payload/payload-alt.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003473; classtype:pup-activity; sid:2003473; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"8qPD9waHAg"; classtype:attempted-user; sid:2025808; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AskSearch Toolbar Spyware User-Agent (AskBar)"; flow:to_server,established; content:"|3b| AskBar"; pcre:"/User-Agent\x3a[^\n]+AskBar/iH"; reference:url,doc.emergingthreats.net/2003496; classtype:pup-activity; sid:2003496; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"THlvOFAzQm9jQ"; classtype:attempted-user; sid:2025810; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Spyware Reporting (check url)"; flow: to_server,established; content:"/go/check?build="; nocase; http_uri; content:"&source="; nocase; http_uri; content:"&merchants="; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2003504; classtype:pup-activity; sid:2003504; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"x5bzhQM0JvY0"; classtype:attempted-user; sid:2025811; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Supergames.aavalue.com Spyware"; flow: established,to_server; content:"/toolbars/msg/msg_serverside.xml"; nocase; http_uri; content:"aavalue.com"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189; reference:url,doc.emergingthreats.net/bin/view/Main/2003525; classtype:pup-activity; sid:2003525; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 4"; flow:established,to_server; content:"OHFQRDl3YUhBZ"; classtype:attempted-user; sid:2025813; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP KMIP.net Spyware 2"; flow:established,to_server; content:"/sp?c=N&i="; nocase; http_uri; content:"&v="; nocase; http_uri; reference:url,www.kmip.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003526; classtype:pup-activity; sid:2003526; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 5"; flow:established,to_server; content:"hxUEQ5d2FIQW"; classtype:attempted-user; sid:2025814; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Msgplus.net Spyware/Adware User-Agent (MsgPlus3)"; flow:to_server,established; content:"User-Agent|3a| MsgPlus3"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Messenger%20Plus!&threatid=14931; reference:url,doc.emergingthreats.net/2003529; classtype:pup-activity; sid:2003529; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 6"; flow:established,to_server; content:"4cVBEOXdhSEFn"; classtype:attempted-user; sid:2025815; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Antivermins.com Spyware/Adware User-Agent (AntiVermeans)"; flow:to_server,established; content:"User-Agent|3a| AntiVermeans"; nocase; http_header; reference:url,www.bleepingcomputer.com/forums/topic69886.htm; reference:url,doc.emergingthreats.net/2003531; classtype:pup-activity; sid:2003531; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 7"; flow:established,to_server; content:"dktqdy9jR2h3S"; classtype:attempted-user; sid:2025816; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sytes.net Related Spyware Reporting"; flow:to_server,established; content:"/Reporting/admin/upload.php"; nocase; http_uri; content:"POST"; nocase; http_method; content:"sytes.net"; nocase; http_header; reference:url,www.sophos.com/security/analyses/w32forbotdv.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003533; classtype:pup-activity; sid:2003533; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 8"; flow:established,to_server; content:"ZLancvY0dod0"; classtype:attempted-user; sid:2025817; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bravesentry.com Fake Antispyware Updating"; flow:established,to_server; content:"/update.php?v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&vs="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; content:"Host|3a| "; http_header; content:".bravesentry.com"; nocase; http_header; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; reference:url,doc.emergingthreats.net/bin/view/Main/2003541; classtype:pup-activity; sid:2003541; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 9"; flow:established,to_server; content:"2S2p3L2NHaHdJ"; classtype:attempted-user; sid:2025818; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winfixmaster.com Fake Anti-Spyware Install"; flow: to_server,established; content:"/dispatcher.php?action="; nocase; http_uri; content:"Host|3a| www.winfix"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003543; classtype:pup-activity; sid:2003543; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT [eSentire] Fake Flash Update 2018-07-09"; flow:established,to_client; file_data; content:"<title>Critical error!"; nocase; fast_pattern; content:"Your player version"; nocase; distance:0; content:"has a critical vulnerability"; nocase; distance:0; content:"FlashPlayer.exe"; nocase; distance:0; classtype:trojan-activity; sid:2025647; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_10, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2018_07_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Privacyprotector.com Fake Anti-Spyware Install"; flow: to_server,established; content:"/privacyprotectorfreesetup.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003547; classtype:pup-activity; sid:2003547; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert udp any any -> $HOME_NET 4070 (msg:"ET EXPLOIT HID VertX and Edge door controllers command_blink_on Remote Command Execution"; content:"command_blink_on|3b|"; fast_pattern; content:"|60|"; within:44; reference:url,exploit-db.com/exploits/44992/; classtype:attempted-user; sid:2025821; rev:2; metadata:attack_target IoT, created_at 2018_07_10, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winsoftware.com Fake AV User-Agent (DNS Extractor)"; flow:to_server,established; content:"User-Agent|3a| DNS Extractor"; nocase; http_header; reference:url,doc.emergingthreats.net/2003567; classtype:pup-activity; sid:2003567; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert udp any any -> $HOME_NET 4070 (msg:"ET SCAN HID VertX and Edge door controllers discover"; dsize:<45; content:"discover|3b|013|3b|"; reference:url,exploit-db.com/exploits/44992/; classtype:attempted-recon; sid:2025822; rev:2; metadata:attack_target IoT, created_at 2018_07_10, deployment Datacenter, former_category SCAN, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER)"; flow:to_server,established; content:"User-Agent|3a| EVNUKER"; nocase; http_header; reference:url,doc.emergingthreats.net/2003567; classtype:pup-activity; sid:2003569; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] Adobe Phishing Landing 2018-07-04"; flow:from_server,established; content:"<title>PDF Online"; nocase; fast_pattern; content:"Please Enter Your receiving Email Address"; nocase; distance:0; content:"method=|22|post|22|"; nocase; classtype:social-engineering; sid:2025648; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_10, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Minor, updated_at 2018_07_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mirarsearch.com Spyware Posting Data"; flow:established,to_server; content:"/v70match.cgi?"; nocase; http_uri; content:"key1="; nocase; http_uri; content:"&key2="; nocase; http_uri; content:"&match="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003577; classtype:pup-activity; sid:2003577; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows RRAS SMB Remote Code Execution"; flow:established,to_server; content:"|21 00 00 00 10 27 00 00 a4 86 01 00 41 41 41 41 04 00 00 00 41 41 41 41 a4 86 01 00 ad 0b 2d 06 d0 ba 61 41 41 90 90 90 90 90|"; reference:cve,2017-11885; reference:url,exploit-db.com/exploits/44616/; classtype:attempted-user; sid:2025824; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_07_11, deployment Perimeter, deployment Datacenter, former_category NETBIOS, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Findwhat.com Spyware (clickthrough)"; flow: to_server,established; content:"/bin/findwhat.dll?clickthrough&"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003579; classtype:pup-activity; sid:2003579; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE [eSentire] Win32/Spy.Banker.ADIO CnC Checkin"; flow:to_server,established; dsize:<35; content:"|3c 7c|"; depth:2; content:"|7c 3e|OPERADOR|3c 7c 3e|"; fast_pattern; distance:0; reference:md5,f45991556122b07d501fa995bd4e74a7; classtype:command-and-control; sid:2025652; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_11, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, signature_severity Major, updated_at 2018_07_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Findwhat.com Spyware (sendmedia)"; flow: to_server,established; content:"/bin/findwhat.dll?sendmedia&"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003581; classtype:pup-activity; sid:2003581; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cmd powershell base64 encoded to Web Server 1"; flow:established,to_server; content:"Y21kIC9jIHBvd2Vyc2hlbGwuZXhl"; classtype:attempted-user; sid:2025827; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_12, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Trojan User-Agent (Windows Updates Manager)"; flow:to_server,established; content:"User-Agent|3a| Windows Updates Manager"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003585; classtype:pup-activity; sid:2003585; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cmd powershell base64 encoded to Web Server 2"; flow:established,to_server; content:"NtZCAvYyBwb3dlcnNoZWxsLmV4Z"; classtype:attempted-user; sid:2025828; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_12, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Worm.Pyks HTTP C&C Traffic User-Agent (skw00001)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| skw000"; http_header; reference:url,doc.emergingthreats.net/2003588; classtype:pup-activity; sid:2003588; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cmd powershell base64 encoded to Web Server 3"; flow:established,to_server; content:"jbWQgL2MgcG93ZXJzaGVsbC5leG"; classtype:attempted-user; sid:2025829; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_12, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Baidu.com Spyware Bar Activity"; flow:to_server,established; content:"/n?cmd="; nocase; http_uri; content:"&class="; nocase; http_uri; content:"&pn="; nocase; http_uri; content:"&tn"; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003605; classtype:pup-activity; sid:2003605; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Execve(/bin/sh) Shellcode"; content:"|31 c0 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50 53 89 e1 b0 0b cd 80|"; classtype:shellcode-detect; sid:2025695; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2018_07_13, deployment Perimeter, former_category SHELLCODE, performance_impact Low, updated_at 2018_07_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alexa Spyware Reporting URL Visited"; flow:established,to_server; content:"/data/"; nocase; http_uri; content:"cli="; nocase; http_uri; content:"&ver=alxi"; nocase; http_uri; fast_pattern:only; content:"&url="; nocase; http_uri; content:"alexa.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003606; classtype:pup-activity; sid:2003606; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_05_03;)
 
-alert tcp $HOME_NET 445 -> any any (msg:"ET POLICY SMB Remote AT Scheduled Job Pipe Creation"; flow:established,to_client; content:"SMB"; depth:8; content:"\\PIPE\\atsvc|00|"; distance:0; classtype:bad-unknown; sid:2025714; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP Zango Spyware (tbrequest data post)"; flow: to_server,established; content:"/tbrequest"; http_uri; nocase; content:"&q="; http_uri; nocase; pcre:"/\/tbrequest\d+\.php/Ui"; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003610; classtype:pup-activity; sid:2003610; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB Executable File Transfer"; flow:established,to_server; content:"SMB"; depth:8; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.smb.binary; classtype:bad-unknown; sid:2025699; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malwarealarm.com Fake AV/AntiSpyware Updating"; flow:established,to_server; content:"/update.php?v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&vs="; nocase; http_uri; content:"Host|3a| www.MalwareAlarm.com"; nocase; http_header; reference:url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003611; classtype:pup-activity; sid:2003611; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For an Executable File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|exe|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025700; rev:2; metadata:attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malwarealarm.com Fake AV/AntiSpyware Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/madownload.php?&advid="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"Host|3a| download.MalwareAlarm.com"; nocase; http_header; reference:url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003612; classtype:pup-activity; sid:2003612; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_05_03;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For an Executable File"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|e|00|x|00|e|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025701; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyWebSearch Toolbar Posting Activity Report"; flow:to_server,established; content:"/jsp/cfg_redir2.jsp?id="; nocase; http_uri; content:"url=http"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003617; classtype:pup-activity; sid:2003617; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For an Executable File In a Temp Directory"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"t|00|e|00|m|00|p|00|\\|00|"; nocase; distance:0; content:"|00 2E 00|e|00|x|00|e|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025703; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alexa Spyware Redirecting User"; flow:established,to_server; content:"/redirect?http"; nocase; http_uri; content:"Host|3a| redirect.alexa.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003619; classtype:pup-activity; sid:2003619; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a Powershell .ps1 File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|ps1|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025704; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 51yes.com Spyware Reporting User Activity"; flow:established,to_server; content:"/sa.aspx?id="; http_uri; nocase; content:"&refe=http"; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003620; classtype:pup-activity; sid:2003620; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|p|00|s|00|1|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025705; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Baidu.com Spyware Sobar Bar Activity"; flow:to_server,established; content:"/sobar/sobar"; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003630; classtype:pup-activity; sid:2003630; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a .bat File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|bat|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025706; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Generic.Malware.dld User-Agent (Sickloader)"; flow:to_server,established; content:"User-Agent|3a| Sickloader"; nocase; http_header; reference:url,doc.emergingthreats.net/2003644; classtype:pup-activity; sid:2003644; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a .bat File"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|b|00|a|00|t|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025707; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CoolStreaming Toolbar (Conduit related) User-Agent (Coolstreaming Tool-Bar)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Coolstreaming"; nocase; http_header; reference:url,doc.emergingthreats.net/2003652; classtype:pup-activity; sid:2003652; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a DLL File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|dll|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025708; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bizconcept.info Spyware Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/zuzu.php?&r="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2005319; classtype:pup-activity; sid:2005319; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|d|00|l|00|l|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025709; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Deepdo.com Toolbar/Spyware User Agent (DeepdoUpdate)"; flow:established,to_server; content:"User-Agent|3a| DeepdoUpdate/"; nocase; http_header; reference:url,doc.emergingthreats.net/2006386; classtype:pup-activity; sid:2006386; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a .sys File - Possible Lateral Movement"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|sys|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025710; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Fake Anti-Spyware Mac Check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/nchkmac.php?mac=0"; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006427; classtype:pup-activity; sid:2006427; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a .sys File - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|s|00|y|00|s|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025711; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Fake Anti-Spyware Checkin (open)"; flow:established,to_server; content:"/open.php?sn="; nocase; http_uri; pcre:"/sn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006428; classtype:pup-activity; sid:2006428; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB Remote AT Scheduled Job Create Request - Possible Lateral Movement"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"atsvc|00|"; distance:0; classtype:bad-unknown; sid:2025712; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Karine.co.kr Related Spyware User Agent (chk Profile)"; flow:established,to_server; content:"User-Agent|3a| chk Profile|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2006429; classtype:pup-activity; sid:2006429; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 1"; flow:established,to_server; content:"base64"; fast_pattern; content:"f0VM"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; classtype:attempted-user; sid:2025716; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Fake Anti-Spyware Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/chkblack.php?mac=0"; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006431; classtype:pup-activity; sid:2006431; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 2"; flow:established,to_server; content:"base64"; fast_pattern; content:"9FT"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; classtype:attempted-user; sid:2025717; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Fake Anti-Spyware Checkin (ret)"; flow:established,to_server; content:"/ret.php?"; nocase; http_uri; content:"mode="; nocase; http_uri; content:"&cname="; nocase; http_uri; content:"&cn="; nocase; http_uri; pcre:"/cn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006432; classtype:pup-activity; sid:2006432; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 3"; flow:established,to_server; content:"base64"; fast_pattern; content:"/RU"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; classtype:attempted-user; sid:2025718; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Fake Anti-Spyware Post (api_result)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/api_result.php?"; nocase; http_uri; content:"mode="; nocase; http_uri; content:"&PartID="; nocase; http_uri; content:"&mac="; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006433; classtype:pup-activity; sid:2006433; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Linux"; flow:established,to_server; content:"jsonrpc"; content:"method"; content:"miner_file"; content:".bash"; content:"5c5c7837665c5c7834355c5c7834635c5c783436"; fast_pattern; reference:url,exploit-db.com/exploits/45044/; reference:cve,2018-1000049; classtype:attempted-user; sid:2025861; rev:1; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Dummy)"; flow: established,to_server; content:"User-Agent|3a| Dummy"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007570; classtype:pup-activity; sid:2007570; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Windows"; flow:established,to_server; content:"jsonrpc"; content:"method"; content:"miner_file"; content:".bat"; content:"706f7765727368656c6c2e657865"; fast_pattern; reference:url,exploit-db.com/exploits/45044/; reference:cve,2018-1000049; classtype:attempted-user; sid:2025862; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (AntiSpyware) - Likely 2squared.com related"; flow: established,to_server; content:"User-Agent|3a| AntiSpyware"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007575; classtype:pup-activity; sid:2007575; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded ASCII Inbound Web Servers Likely Command Execution 4"; flow:established,to_server; content:"5c5c7837665c5c7834355c5c7834635c5c783436"; classtype:attempted-user; sid:2025732; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2018_07_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpyShredder Fake Anti-Spyware Install Download"; flow:established,to_server; content:"&advid="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"?=______"; http_uri; content:"&vs="; nocase; http_uri; content:"&YZYYYYYYYYYYYYYYYYYYYYYYYYYY"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007593; classtype:pup-activity; sid:2007593; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE QRat.Java.RAT Checkin Response"; flow:established,to_client; content:"|7b 22 6d 61 73 6d 61 67 22 3a 22|"; within:48; fast_pattern; content:"|22 2c 22 6d 61 73 76 65 72 22 3a|"; distance:0; content:"|2c 22 6d 61 73 69 64 22 3a 22|"; distance:0; content:"|22 2c 22 6e 65 65 64 2d 6d 6f 72 65 22 3a|"; distance:0; content:"|7b 22 6d 61 67 69 63 22 3a 22|"; distance:0; content:"|22 2c 22 69 6e 64 65 78 22 3a 22|"; distance:0; content:"|22 68 61 73 2d 72 65 71 75 65 73 74 65 72 22 3a|"; distance:0; content:"|22 68 61 73 2d 61 63 63 65 70 74 65 72 22 3a|"; distance:0; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:command-and-control; sid:2025392; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category MALWARE, malware_family QRat, signature_severity Major, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advertisementserver.com Spyware Initial Checkin"; flow:to_server,established; content:"?UID="; nocase; http_uri; content:"&DIST="; nocase; http_uri; content:"&NPR="; nocase; http_uri; content:"User-Agent|3a| Microsoft URL Control"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007601; classtype:pup-activity; sid:2007601; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|-|00|w|00|"; nocase; distance:0; content:"|00|h|00|i|00|d|00|d|00|e|00|n|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025720; rev:3; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advertisementserver.com Spyware Checkin"; flow:to_server,established; content:"monitor.php"; nocase; http_uri; content:"?UID="; nocase; http_uri; pcre:"/UID=\d/Ui"; content:"User-Agent|3a| Microsoft URL Control"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007602; classtype:pup-activity; sid:2007602; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With No Profile Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|n|00|o|00|p|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025722; rev:2; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Viruscheck.co.kr Related Fake Anti-Spyware Post (chkvs)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/chkvs.php?mac=0"; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007642; classtype:pup-activity; sid:2007642; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|e|00|x|00|e|00|c|00|"; nocase; distance:0; content:"|00|b|00|y|00|p|00|a|00|s|00|s|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025723; rev:2; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AVSystemcare.com.com Fake Anti-Virus Product"; flow:established,to_server; http.uri; content:"?proto="; nocase; content:"&rc="; nocase; content:"&v="; nocase; content:"&abbr="; nocase; content:"&platform="; nocase; content:"&os_version="; nocase; content:"&ac="; nocase; content:"&appid="; nocase; content:"&em="; nocase; content:"&pcid="; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2007664; classtype:pup-activity; sid:2007664; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_04_18;)
 
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With NonInteractive Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|n|00|o|00|n|00|i|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025724; rev:2; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP IEDefender (iedefender.com) Fake Antispyware User Agent (IEDefender 2.1)"; flow:established,to_server; content:"User-Agent|3a| IEDefender "; nocase; http_header; reference:url,doc.emergingthreats.net/2007690; classtype:pup-activity; sid:2007690; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY RunDll Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|r|00|u|00|n|00|d|00|l|00|l|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2025725; rev:3; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Softwarereferral.com Adware Checkin"; flow:established,to_server; content:"wmid="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&lid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007696; classtype:pup-activity; sid:2007696; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 UTF-8 Inbound Web Servers Likely Command Execution 5"; flow:established,to_server; content:"XDE3N1wxMDVcMTE0XDEwN"; classtype:attempted-user; sid:2025832; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_18, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Guard-Center.com Fake AntiVirus Post-Install Checkin"; flow:established,to_server; content:".php?"; http_uri; content:"&advid="; fast_pattern; http_uri; content:"&u="; http_uri; content:"&p="; http_uri; content:"HTTP/1."; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007744; classtype:pup-activity; sid:2007744; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 UTF-8 Inbound Web Servers Likely Command Execution 6"; flow:established,to_server; content:"wxNzdcMTA1XDExNFwxMD"; classtype:attempted-user; sid:2025833; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_18, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP host-domain-lookup.com spyware related Checkin"; flow:established,to_server; content:"?udata="; http_uri; content:"mission_supgrade|3a|"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007749; classtype:pup-activity; sid:2007749; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 UTF-8 Inbound Web Servers Likely Command Execution 7"; flow:established,to_server; content:"cMTc3XDEwNVwxMTRcMTA2"; classtype:attempted-user; sid:2025834; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_18, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alfaantivirus.com Fake Anti-Virus User-Agent (IM Download)"; flow:established,to_server; content:"User-Agent|3a| IM Download|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2007759; classtype:pup-activity; sid:2007759; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Github Phishing Landing 2018-07-19"; flow:established,from_server; file_data; content:"form action=|22|login.php|22|"; content:"<h1>Sign in to GitHub</h1>"; distance:0; fast_pattern; content:"<input type=|22|text|22 20|name=|22|username|22|"; distance:0; classtype:social-engineering; sid:2025873; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phish, updated_at 2018_07_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Internet Explorer (compatible))"; flow:to_server,established; content:"User-Agent|3a| Internet Explorer (compatible)|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007772; classtype:pup-activity; sid:2007772; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Twitter Phishing Landing 2018-07-19"; flow:established,from_server; file_data; content:"<title>Login to Twitter</title>"; content:"form action=|22|login.php|22|"; distance:0; content:"|20 20 20 20 20 20|name=|22|usernameOrEmail|22 0a|"; distance:0; fast_pattern; classtype:social-engineering; sid:2025874; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Minor, tag Phish, updated_at 2018_07_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PCDoc.co.kr Fake AV User-Agent (PCDoc11)"; flow:established,to_server; content:"PCDoc"; http_user_agent; depth:5; reference:url,doc.emergingthreats.net/bin/view/Main/2007786; classtype:pup-activity; sid:2007786; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Hex Escape Inbound Web Servers Likely Command Execution 8"; flow:established,to_server; content:"XFx4N2ZcXHg0NVxceDRjXFx4ND"; classtype:attempted-user; sid:2025865; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PCDoc.co.kr Fake AV User-Agent (mypcdoctor)"; flow:established,to_server; content:"mypcdoc"; http_user_agent; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2007804; classtype:pup-activity; sid:2007804; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Hex Escape Inbound Web Servers Likely Command Execution 9"; flow:established,to_server; content:"xceDdmXFx4NDVcXHg0Y1xceDQ2"; classtype:attempted-user; sid:2025866; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorvaccine.co.kr Related Spyware-User Agent (ers)"; flow:established,to_server; content:"User-Agent|3a| ers|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007809; classtype:pup-activity; sid:2007809; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Hex Escape Inbound Web Servers Likely Command Execution 10"; flow:established,to_server; content:"cXHg3ZlxceDQ1XFx4NGNcXHg0N"; classtype:attempted-user; sid:2025867; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Rabio Spyware/Adware Initial Registration"; flow:established,to_server; content:"POST"; http_method; nocase; content:"REGISTER|7c|"; depth:9; http_client_body; pcre:"/REGISTER\x7c\d+\x7c\d+\x7c\d+\x7c\d/P"; reference:url,www.spywareguide.com/product_show.php?id=3770; reference:url,www.rabio.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007820; classtype:pup-activity; sid:2007820; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic plain Inbound Web Servers Likely Command Execution 11"; flow:established,to_server; content:"|5c|177|5c|105|5c|114|5c|106|5c|"; fast_pattern; classtype:attempted-user; sid:2025868; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OneStepSearch Host Activity"; flow: to_server,established; content:"GET"; nocase; http_method; content:"host|3a| upgrade.onestepsearch.net"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007855; classtype:pup-activity; sid:2007855; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic plain Inbound Web Servers Likely Command Execution 12"; flow:established,to_server; content:"|5c 5c|x7f|5c 5c|x45|5c 5c|x4c|5c 5c|x46|5c 5c|"; classtype:attempted-user; sid:2025869; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Softcashier.com Spyware Install Checkin"; flow:established,to_server; content:".php?wmid="; nocase; http_uri; content:"&subid="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&lid="; nocase; http_uri; content:"&hs="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007861; classtype:pup-activity; sid:2007861; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Netflix Phishing Landing 2017-07-20"; flow:established,from_server; file_data; content:"<title>Netflix</title>"; content:"meta content=|22|watch movies"; distance:0; content:"meta content=|22|Watch Netflix movies"; distance:0; fast_pattern; content:"action=|22|login.php|22|"; distance:0; classtype:social-engineering; sid:2025875; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_20, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Minor, tag Phish, updated_at 2018_07_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vombanetworks.com Spyware Installer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/scripts/get_cookie.php"; nocase; http_uri; content:"vomba="; http_client_body; depth:6; content:"&ff="; content:"&vombashots="; content:"&vombashots_ff="; content:"&hwd="; content:"&ver="; content:"&vinfo=Windows"; reference:url,doc.emergingthreats.net/bin/view/Main/2007870; classtype:pup-activity; sid:2007870; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LinkedIn Phishing Landing 2017-07-20"; flow:established,from_server; file_data; content:"class=|22|ie ie6 lte9 lte8 lte7 os-linux|22|>"; content:"<title>LinkedIn|26 23|58|3b 20|Log In or Sign Up</title>"; distance:0; fast_pattern; content:"action=|22|login.php|22|"; distance:0; classtype:social-engineering; sid:2025876; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_20, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Minor, tag Phish, updated_at 2018_07_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (HTTP_CONNECT)"; flow:to_server,established; content:"User-Agent|3a| HTTP_CONNECT|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007899; classtype:pup-activity; sid:2007899; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE passwd file Outbound from WEB SERVER Linux"; flow:established,from_server; file_data; content:"root:x:0:0:root:/root:/bin/"; within:27; classtype:successful-recon-limited; sid:2025879; rev:1; metadata:created_at 2018_07_20, updated_at 2018_07_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Geopia.com Fake Anti-Spyware/AV User-Agent (fs3update)"; flow:to_server,established; content:"User-Agent|3a| fs3update|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007935; classtype:pup-activity; sid:2007935; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] DHL Phish Landing July 24 2018"; flow:established,to_client; file_data; content:"<TITLE>Tracking made easy"; nocase; content:"Login to Continue Tracking your Package"; nocase; distance:0; content:"Sign In With Your Correct Email and Password To Review Package Information"; nocase; distance:0; classtype:social-engineering; sid:2025886; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_07_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2018_07_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Geopia.com Fake Anti-Spyware/AV User-Agent (fian3manager)"; flow:to_server,established; content:"User-Agent|3a| fian3manager|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007938; classtype:pup-activity; sid:2007938; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"ET EXPLOIT Remote Command Execution via Android Debug Bridge"; flow:from_server,established; content:"CNXN|00 00 00 01 00 10 00 00 07 00 00 00 32 02 00 00 BC B1 A7 B1|host|3a 3a|"; distance:40; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/open-adb-ports-being-exploited-to-spread-possible-satori-variant-in-android-devices/; classtype:trojan-activity; sid:2025887; rev:1; metadata:created_at 2018_07_24, updated_at 2018_07_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SysVenFak Fake AV Package User-Agent (gh2008)"; flow:established,to_server; content:"gh20"; http_user_agent; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2007944; classtype:pup-activity; sid:2007944; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"ET EXPLOIT Remote Command Execution via Android Debug Bridge 2"; flow:from_server,established; content:"OPENX|02 00 00 00 00 00 00 F2 17 4A 00 00 B0 AF BA B1|shell|3a|>/sdcard/Download/f|20|&&|20|cd|20|/sdcard/Download/|3b 20|>/dev/f|20|&&|20|cd|20|/dev/|3b 20|>/data/local/tmp/f|20|&&|20|cd|20|/data/local/tmp/|3b 20|busybox|20|wget|20|http|3a|//"; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/open-adb-ports-being-exploited-to-spread-possible-satori-variant-in-android-devices/; classtype:trojan-activity; sid:2025888; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_24, deployment Perimeter, former_category EXPLOIT, signature_severity Critical, updated_at 2018_07_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SysVenFak Fake AV Package Victim Checkin (victim.php)"; flow:established,to_server; content:"/victim.php?"; http_uri; pcre:"/victim\.php\?\d\d\d\d\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007945; classtype:pup-activity; sid:2007945; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Golden Rat Checkin"; flow:to_server,established; content:"<HmzaPacket>|3e 0a 20 20|<Command>"; depth:25; fast_pattern; content:"<MSG>"; within:40; content:"</MSG>|3e 0a 20 20|"; distance:0; content:"</HmzaPacket></HAMZA_DELIMITER_STOP>"; distance:0; reference:url,csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf; reference:md5,6296586cf9a59b25d1b8ab3eeb0c2a33; classtype:trojan-activity; sid:2025895; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_GoldenRat, tag Android, updated_at 2018_07_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (popup)"; flow:to_server,established; content:"User-Agent|3a| popup|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007946; classtype:pup-activity; sid:2007946; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Underminer EK IE Exploit"; flow:established,to_client; file_data; content:"IE=EmulateIE9"; nocase; content:"</head"; nocase; within:200; content:"<body"; nocase; within:200; content:"<script"; nocase; within:200; content:"!!window.ActiveXObject"; nocase; within:200; content:"try"; within:200; content:"parent.parent.setLocalStoreUserData"; nocase; distance:0; pcre:"/^\s*\([\x22\x27][A-F0-9a-f]{32}[\x22\x27]\s*\)\s*\x3b\s*}\s*catch\s*\(e\)\s*\{\s*\}\s*\}\s*<\/script>\s*<\/body>/Rsi"; classtype:exploit-kit; sid:2025911; rev:1; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2018_07_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Nguide.co.kr Fake Security Tool User-Agent (nguideup)"; flow:to_server,established; content:"User-Agent|3a| nguideup|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007947; classtype:pup-activity; sid:2007947; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Underminer EK Flash Exploit"; flow:established,to_client; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; fast_pattern; content:"<param"; nocase; pcre:"/^(?=[^>]*? name\s*=\s*[\x22\x27]flashvars)[^>]*? value\s*=\s*[\x22\x27]url=https?\x3a[^\x22\x27]*?\.wasm/Rsi"; classtype:exploit-kit; sid:2025914; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2018_07_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Msconfig.co.kr Related User Agent (BACKMAN)"; flow:to_server,established; content:"User-Agent|3a| BACKMAN|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007958; classtype:pup-activity; sid:2007958; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Underminer EK Plugin Check"; flow:established,to_client; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; fast_pattern; content:"setcallbackfunction"; nocase; content:"<param"; pcre:"/^(?=[^>]*? name\s*=\s*[\x22\x27]movie)[^>]*? value\s*=\s*[\x22\x27]+\+(?P<var>[\w_-]+)\+[^>]+\/>\s*[\x22\x27]+\+(?P<var2>[\w_-]+)\+(?=.+?\b(?P=var)\s*\>\=\s*23\s*&&\s*(?P=var)<\=\s*28\b)(?=.+?\b(?P=var)\s*\>\=\s*17\s*&&\s*(?P=var)<\=\s*18\b)(?=.+?\b(?P=var)\s*\>\=\s*11\s*&&\s*(?P=var)<\=\s*16\b).+?,\s*?(?P=var2)\s*\(\s*\)\s*\)\s*\:(?P=var)\s*\>\=\s*\d/Rsi"; classtype:exploit-kit; sid:2025915; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2018_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Msconfig.co.kr Related User-Agent (GLOBALx)"; flow:to_server,established; content:"User-Agent|3a| GLOBAL"; http_header; reference:url,doc.emergingthreats.net/2007959; classtype:pup-activity; sid:2007959; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle WebLogic Deserialization  (CVE-2018-2893)"; flow:established,to_server; content:"t3|20|12"; depth:5; fast_pattern; content:"AS|3a|255"; distance:0; content:"HL|3a|19"; distance:0; content:"MS|3a|10000000"; distance:0; content:"PU|3a|t3|3a|//"; distance:0; reference:cve,2018-2893; reference:url,github.com/pyn3rd/CVE-2018-2893; classtype:attempted-admin; sid:2025929; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2018_08_01, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_08_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Dokterfix.com Fake AV User-Agent (Magic NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| Magic NetInstaller|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007977; classtype:pup-activity; sid:2007977; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Christian Mingle Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>christian mingle - login</title>"; nocase; fast_pattern; content:"<form method=|22|post|22 20|action=|22|data.php|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025973; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Direct-web.co.kr Related Spyware Checkin"; flow:established,to_server; content:".php?appname="; nocase; http_uri; content:"&appseq="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"&type="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007978; classtype:pup-activity; sid:2007978; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>sign in to your microsoft account</title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025974; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (2 spaces)"; flow:to_server,established; content:"User-Agent|3a 20 20 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007993; classtype:pup-activity; sid:2007993; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>log in to your paypal account</title>"; nocase; fast_pattern; content:"|7a 31 31 38 2e 63 73 73|"; nocase; distance:0; classtype:social-engineering; sid:2025975; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vaccine-program.co.kr Related Spyware Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/version/controllerVersion"; fast_pattern; nocase; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007995; classtype:pup-activity; sid:2007995; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Free Mobile Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>free mobile - bienvenue dans votre espace"; nocase; fast_pattern; content:"<img id=|22|fins|22 20|src=|22|fins.png|22|>"; nocase; distance:0; content:"<input type=|22|password|22 20|name=|22|ps|22 20|id=|22|ps|22|"; nocase; distance:0; classtype:social-engineering; sid:2025976; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sears.com/Kmart.com My SHC Community spyware download"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/CSetup_xp.cab"; http_uri; reference:url,community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx; reference:url,www.benedelman.org/news/010108-1.html; reference:url,doc.emergingthreats.net/bin/view/Main/2007996; classtype:pup-activity; sid:2007996; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>adobe pdf</title>"; nocase; fast_pattern; content:"title=|22|you are not signed in yet|22|"; nocase; distance:0; content:"title=|22|login to continue|22|"; nocase; distance:0; content:"adobe pdf online"; nocase; distance:0; content:"email password"; nocase; distance:0; classtype:social-engineering; sid:2025977; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Easydownloadsoft.com Fake Anti-Virus User-Agent (IM Downloader)"; flow:established,to_server; content:"User-Agent|3a| IM Downloader|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2008000; classtype:pup-activity; sid:2008000; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Ajax Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>sign in to your account"; nocase; content:"action: posturl|20|}|22 20|action=|22|connectidx.php|22|"; nocase; distance:0; fast_pattern; content:"privacy.microsoft.com"; nocase; distance:0; classtype:social-engineering; sid:2025978; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Servicepack.kr Fake Patch Software Checkin"; flow:established,to_server; content:".php?kind="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&ver2="; nocase; http_uri; content:"&ver3="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&supportid="; nocase; http_uri; content:"&uniq="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008016; classtype:pup-activity; sid:2008016; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Alibaba Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"content=|22|alibaba manufacturer directory"; nocase; content:"class=|22|xman"; nocase; distance:0; fast_pattern; content:"id=|22|xman"; nocase; distance:0; content:"<iframe"; nocase; distance:0; classtype:social-engineering; sid:2025979; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Blank User-Agent (descriptor but no string)"; flow:to_server,established; content:"User-Agent|3a 0d 0a|"; http_header; content:!"check.googlezip.net|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008066; classtype:pup-activity; sid:2008066; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>sign in to your account</title>"; nocase; content:"onerror=|22|$loader.on(this,true)|22 20|onload=|22|$loader.on(this)"; nocase; distance:0; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:"secure.aadcdn.microsoftonline-p.com"; nocase; distance:0; classtype:social-engineering; sid:2025981; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Kwsearchguide.com Related Spyware Checkin"; flow:established,to_server; content:"/statics.php?maddr="; nocase; http_uri; content:"&ipaddr="; nocase; http_uri; content:"&ovt="; nocase; http_uri; content:"&verno="; nocase; http_uri; content:"&action="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008067; classtype:pup-activity; sid:2008067; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (getavs)"; flow:established,to_client; content:"|00 00 00 00|getavs="; offset:1; depth:11; fast_pattern; reference:md5,0f0f6f48c3ee5f8e7cd3697c40002bc7; classtype:trojan-activity; sid:2036286; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_08, deployment Perimeter, former_category MALWARE, malware_family MSIL_Crimson, performance_impact Moderate, signature_severity Major, updated_at 2018_08_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Kwsearchguide.com Related Spyware Keepalive"; flow:established,to_server; content:"/alive.php?ovt=new_link"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008069; classtype:pup-activity; sid:2008069; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp-pkt any 445 -> $HOME_NET any (msg:"ET EXPLOIT SMB Null Pointer Dereference PoC Inbound (CVE-2018-0833)"; flow:from_server,established; content:"|FD 53 4D 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; offset:4; reference:url,krbtgt.pw/smbv3-null-pointer-dereference-vulnerability/; reference:cve,2018-0833; classtype:attempted-admin; sid:2025983; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_08, deployment Internal, former_category EXPLOIT, signature_severity Minor, updated_at 2018_08_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Soft-Show.cn Related Fake AV Install"; flow:established,to_server; content:"/setup/setup.asp?id="; nocase; http_uri; content:"&pcid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&taday="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008135; classtype:pup-activity; sid:2008135; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe PDX in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"%PDX-"; within:5; flowbits:set,ET.pdx.in.http; flowbits:noalert; classtype:not-suspicious; sid:2025985; rev:2; metadata:affected_product Adobe_Reader, created_at 2018_08_10, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2018_08_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Speed-runner.com Fake Speed Test User-Agent (SRInstaller)"; flow:to_server,established; content:"User-Agent|3a| SRInstaller|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008145; classtype:pup-activity; sid:2008145; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe Flash Uncompressed in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"FWS"; within:3; flowbits:set,HTTP.UncompressedFlash; flowbits:noalert; classtype:not-suspicious; sid:2016394; rev:7; metadata:created_at 2013_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2018_08_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Speed-runner.com Fake Speed Test User-Agent (SpeedRunner)"; flow:to_server,established; content:"User-Agent|3a| SpeedRunner|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008146; classtype:pup-activity; sid:2008146; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Exploit Kit Payload Request"; flow:established,to_server; content:"/download.php?e="; http_uri; fast_pattern:only; pcre:"/\.php\?e=[^&]+?$/U"; classtype:exploit-kit; sid:2016522; rev:3; metadata:created_at 2013_03_05, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Soft-Show.cn Related Fake AV Install Ad Pull"; flow:established,to_server; content:"/setup/adClick.asp?Id="; nocase; http_uri; content:"&WebId="; nocase; http_uri; content:"&sDate="; nocase; http_uri; content:"&ver="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008148; classtype:pup-activity; sid:2008148; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Rallovs.A CnC Beacon"; flow:established,to_server; dsize:>1000; content:"|00 00 00 00|2|00|0|00|"; fast_pattern; pcre:"/^[1-9]\x00\d/R"; content:"|00|-|00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00|-|00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 20 00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 3a 00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 3a 00|"; pcre:"/^\d\x00\d/R"; content:"|00 00|2|00|0|00|"; distance:0; content:"|00|-|00|"; distance:3; within:3; reference:md5,67a039a3139c6ef1bf42424acf658d01; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; classtype:command-and-control; sid:2021117; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_19, deployment Perimeter, former_category TROJAN, signature_severity Major, tag c2, updated_at 2018_08_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 360safe.com related Fake Security Product Update (KillerSet)"; flow:established,to_server; content:"/?KillerSet="; fast_pattern; nocase; http_uri; content:"GET"; nocase; http_method; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008149; classtype:pup-activity; sid:2008149; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 12397 (msg:"ET SCADA SEIG SYSTEM 9 - Remote Code Execution"; flow:established,to_server; content:"|14 60 00 00 66 66 07 00 10 00 00 00 19 00 00 00 00 00 04 00 00 00 60 00|"; depth:24; content:!"|0d|"; distance:0; content:!"|0a|"; distance:0; content:!"|ff|"; content:!"|00|"; distance:0; reference:url,exploit-db.com/exploits/45218/; reference:cve,2013-0657; classtype:attempted-user; sid:2026003; rev:1; metadata:created_at 2018_08_21, former_category SCADA, updated_at 2018_08_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Avsystemcare.com Fake AV User-Agent (LocusSoftware NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| LocusSoftware, NetInstaller"; http_header; reference:url,doc.emergingthreats.net/2008150; classtype:pup-activity; sid:2008150; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_05_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 26"; flow:established,to_server; stream_size:server,=,1; content:"|5a 95 2a 22 4d 37 9e 51 83 55 8f|"; depth: 11; reference:md5,8f8d778bea33bc542b58c0631cf9d7e0; classtype:command-and-control; sid:2026004; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Remcos, updated_at 2018_08_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Speed-runner.com Fake Speed Test User-Agent (SRRecover)"; flow:to_server,established; content:"User-Agent|3a| SRRecover|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008151; classtype:pup-activity; sid:2008151; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 27700 (msg:"ET SCADA SEIG Modbus 3.4 - Remote Code Execution"; flow:established,to_server; content:"|42 42 ff ff 07 03 44 00 64|"; fast_pattern; content:"|90 90 90 90 90 90 90 90 90 90|"; distance:0; reference:url,exploit-db.com/exploits/45220/; reference:cve,2013-0662; classtype:attempted-user; sid:2026005; rev:1; metadata:created_at 2018_08_21, former_category SCADA, updated_at 2018_08_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sidelinker.com-Upspider.com Spyware Checkin"; flow:established,to_server; content:"/Pro/pro.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; pcre:"/\/Pro\/pro\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008157; classtype:pup-activity; sid:2008157; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-08-27"; flow:established,to_server; content:"POST"; http_method; content:"id1="; depth:4; nocase; http_client_body; content:"|25|40"; distance:0; http_client_body; content:"&id2="; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:credential-theft; sid:2026038; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_11_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sidelinker.com-Upspider.com Spyware Count"; flow:established,to_server; content:"/Pro/cnt.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; content:"&pid="; nocase; http_uri; pcre:"/\/Pro\/cnt\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d+/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008158; classtype:pup-activity; sid:2008158; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !139 (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 2"; flow:to_server,established; content:"|12 12|"; offset:2; depth:2; content:!"|12 12|"; within:2; content:"|12 12|"; distance:2; within:2; content:!"|12 12|"; within:2; content:"|12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12|"; pcre:"/[^\x12][^\x4e\x38\x39\x2f\x6e\x28\x29\x30\x2d\x2e\x2c\x3e\x31\x18][\x40-\x48\x4a-\x4d\x31-\x34\x3a-\x3c\x3f\x50-\x5f\x60-\x6c\x6f\x73-\x7f\x70\x71\x20-\x27\x2a\x2b]{1,14}\x12/R"; reference:md5,00ccc1f7741bb31b6022c6f319c921ee; classtype:command-and-control; sid:2019202; rev:4; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2014_09_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP V-Clean.com Fake AV Checkin"; flow:established,to_server; content:"/bill_mod/bill_count.php?C_FLAG="; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 5.5|3b| Windows 98)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008180; classtype:pup-activity; sid:2008180; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Chalbhai Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function unhideBody()"; nocase; content:"onload=|22|unhideBody()|22|"; nocase; distance:0; content:".php|22 20|name=|22|chalbhai|22 20|id=|22|chalbhai|22 20|method=|22|post|22|"; nocase; fast_pattern; distance:0; classtype:social-engineering; sid:2026041; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WinButler User-Agent (WinButler)"; flow:to_server,established; content:"User-Agent|3a| WinButler|0d 0a|"; http_header; reference:url,www.winbutler.com; reference:url,www.prevx.com/filenames/239975745155427649-0/WINBUTLER.EXE.html; reference:url,doc.emergingthreats.net/2008190; classtype:pup-activity; sid:2008190; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic AES Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"var hea2p ="; nocase; content:"0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz"; nocase; distance:0; content:"var hea2t ="; nocase; distance:0; content:"Aes.Ctr.decrypt(hea2t, hea2p"; nocase; fast_pattern; distance:0; classtype:social-engineering; sid:2026043; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winxdefender.com Fake AV Package Post Install Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/checkupdate.php"; nocase; http_uri; content:"User-Agent|3a| Opera"; http_header; content:"Computer ID|3a| "; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008197; classtype:pup-activity; sid:2008197; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Chalbhai Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function unhideBody()"; nocase; content:"onload=|22|unhideBody()|22|"; nocase; distance:0; content:"name=chalbhai id=chalbhai method=post"; nocase; fast_pattern; distance:0; classtype:social-engineering; sid:2026042; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Pcclear.co.kr/Pcclear.com Fake AV User-Agent (PCClearPlus)"; flow:to_server,established; content:"User-Agent|3a| PCClear"; http_header; reference:url,www.pcclear.com; reference:url,www.pcclear.co.kr; reference:url,doc.emergingthreats.net/2008198; classtype:pup-activity; sid:2008198; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Hellion Postmaster Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<img src=|22|./hellion/postmaster.png|22|"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:"<img src=|22|./hellion/logos.png|22|"; nocase; distance:0; classtype:social-engineering; sid:2026044; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UbrenQuatroRusDldr Downloader User-Agent (UbrenQuatroRusDldr 096044)"; flow:established,to_server; content:"User-Agent|3a| UbrenQuatroRusDldr"; http_header; reference:url,doc.emergingthreats.net/2008202; classtype:pup-activity; sid:2008202; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Document Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<h3>DOCUMENT MANAGEMENT SYSTEM</h3>"; fast_pattern; nocase; content:"javascript:void(0)|3b 22|>Document</a> -> <a href=|22|javascript:void(0)|3b 22|>Important Files</a> -> Current File</div>"; nocase; distance:0; content:"<h3>File to Download</h3>"; content:"USER AUTHENTICATION</h4>"; nocase; distance:0; classtype:social-engineering; sid:2026045; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BndVeano4GetDownldr Downloader User-Agent (BndVeano4GetDownldr)"; flow:established,to_server; content:"User-Agent|3a| BndVeano4GetDownldr"; http_header; reference:url,doc.emergingthreats.net/2008203; classtype:pup-activity; sid:2008203; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multi-Email Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function popupwnd(url,"; nocase; fast_pattern; content:"var popupwindow = this.open(url,"; nocase; distance:0; content:"onclick=|22|popupwnd("; nocase; distance:0; content:"onclick=|22|popupwnd("; nocase; distance:0; content:"onclick=|22|popupwnd("; nocase; distance:0; classtype:social-engineering; sid:2026046; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP yeps.co.kr Related User-Agent (ISecu)"; flow:established,to_server; content:"User-Agent|3a| ISecu"; http_header; reference:url,doc.emergingthreats.net/2008204; classtype:pup-activity; sid:2008204; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple AES Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"jQuery(function($)"; nocase; content:"$('.cc-number').payment('formatCardNumber"; nocase; distance:0; content:"$(|22|#ssn|22|).mask(|22|999-99-9999"; nocase; distance:0; content:"Aes.Ctr.decrypt(hea2t, hea2p"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2026049; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP yeps.co.kr Related User-Agent (ISUpd)"; flow:established,to_server; content:"User-Agent|3a| ISUpd"; http_header; reference:url,doc.emergingthreats.net/2008205; classtype:pup-activity; sid:2008205; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Stripe Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Stripe: Login"; nocase; fast_pattern; content:"<form name=|22|appleConnectForm"; nocase; distance:0; content:"onsubmit=|22|if(do_submit(3)) return true|3b 20|"; nocase; distance:0; content:"id=|22|pass0|22|"; nocase; distance:0; classtype:social-engineering; sid:2026050; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Seekmo.com Spyware Data Upload"; flow:established,to_server; content:".aspx?"; http_uri; content:"eid="; http_uri; content:"&pkg_ver="; http_uri; content:"&ver="; http_uri; content:"&brand="; http_uri; content:"&mt="; http_uri; content:"&partid="; content:"&altdid="; http_uri; content:"&os="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008356; classtype:pup-activity; sid:2008356; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe PDF Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function MM_validateForm() { //v"; nocase; content:"email address to view or download"; nocase; distance:0; content:"PDF is protected"; nocase; distance:0; content:"onclick=|22|MM_validateForm('password"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2026051; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shopcenter.co .kr Spyware Install Report"; flow:established,to_server; http.uri; content:"/RewardInstall.php?mac=0"; content:"&hdd="; content:"&ver="; content:"&ie="; content:"&win="; reference:url,doc.emergingthreats.net/bin/view/Main/2008370; classtype:pup-activity; sid:2008370; rev:5; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Docs Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"url(Google_docs_files/"; nocase; fast_pattern; content:"href=|22|Google_docs_files/"; nocase; distance:0; content:"your email provider"; nocase; distance:0; content:"data-description=|22|Sign in with"; nocase; distance:0; classtype:social-engineering; sid:2026052; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gooochi Related Spyware Ad pull"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?z="; nocase; http_uri; content:"|26|ch="; nocase; fast_pattern; http_uri; content:"|26|dim="; nocase; http_uri; content:"|26|abr="; nocase; http_uri; content:!"Referer|3a| "; nocase; http_header; reference:url,www.threatexpert.com/reports.aspx?find=ads.gooochi.biz; reference:url,doc.emergingthreats.net/bin/view/Main/2008375; classtype:pup-activity; sid:2008375; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING WeTransfer Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Encrypted Message"; nocase; fast_pattern; content:"<div id=|22|gmail|22|"; nocase; distance:0; content:"<div id=|22|yahoo|22|"; nocase; distance:0; content:"your email provider"; nocase; distance:0; classtype:social-engineering; sid:2026053; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET ADWARE_PUP Realtimegaming.com Online Casino Spyware Gaming Checkin"; flow:established,to_server; dsize:<30; content:"|43 01 00|"; depth:4; content:"Casino"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008402; classtype:pup-activity; sid:2008402; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>|ce 92 d0 b0 6e 6b 20 d0 be 66 20 ce 91 6d d0 b5 72 d1 96 d1 81 d0 b0 20 7c 20 ce 9f 6e 6c d1 96 6e d0 b5 20 ce 92 d0 b0 6e 6b d1 96 6e 67 20 7c 20 d0 85 d1 96 67 6e 20 ce 99 6e 20 7c 20 ce 9f 6e 6c d1 96 6e d0 b5 20 ce 99 44|</title>"; classtype:social-engineering; sid:2026054; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advert-network.com Related Spyware Updating"; flow:established,to_server; content:"/cnconfig.gz?ct="; http_uri; content:"&bp="; http_uri; content:"&vs="; http_uri; content:"&country="; http_uri; content:"&grp="; http_uri; content:"&tcpc="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008419; classtype:pup-activity; sid:2008419; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Bank of America"; nocase; content:"name=|22|generator|22 20|content=|22|WYSIWYG"; nocase; distance:0; content:"href=|22|css/Untitled"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2026055; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advert-network.com Related Spyware Checking for Updates"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/check.php?tcpc="; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008425; classtype:pup-activity; sid:2008425; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Mailbox Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Mail Verification"; nocase; fast_pattern; content:"<form method=|22|post|22 20|action=|22|x3d.php|22|>"; nocase; distance:0; classtype:social-engineering; sid:2026056; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EMO/PCPrivacyCleaner Rougue Secuirty App GET Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"action="; nocase; http_uri; content:"addt="; nocase; http_uri; content:"pc|5F|id="; nocase; http_uri; content:"abbr="; nocase; http_uri; reference:url,www.spywaresignatures.com/details/pcprivacycleaner.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2008456; classtype:pup-activity; sid:2008456; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Mailbox Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Mail Settings|20 7c 20|Email Upgrade"; nocase; fast_pattern; content:"<form method=|22|post|22 20|action=|22|post.php|22|>"; nocase; distance:0; classtype:social-engineering; sid:2026057; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Look2Me Activity"; flow:established,to_server; content:"&ID={"; http_uri; fast_pattern:only; content:"&rand="; http_uri; content:"User-Agent|3a|Mozilla/4.0 (compatible|3b|"; http_header; pcre:"/&ID=\x7b[0-9A-F]{8}(?:-[A-F0-9]{4}){3}-[A-F0-9]{12}\x7d/U"; reference:url,doc.emergingthreats.net/bin/view/Main/2008474; classtype:pup-activity; sid:2008474; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Dropbox|20 7c 20|Sign in"; nocase; fast_pattern; content:"name=|22|generator|22 20|content=|22|Web Page Maker"; nocase; distance:0; content:"<div id=|22|image1|22 20|style=|22|position:absolute|3b 20|overflow:hidden|3b 20|left:"; nocase; distance:0; classtype:social-engineering; sid:2026058; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Cleancop.co.kr Fake AV User-Agent (CleancopUpdate)"; flow:established,to_server; content:"User-Agent|3a| Cleancop"; http_header; reference:url,doc.emergingthreats.net/2008484; classtype:pup-activity; sid:2008484; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Linkedin Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Sign In|20 7c 20|LinkedIn"; nocase; content:"<form id=|22|form1|22 20|name=|22|form1|22 20|method=|22|post|22 20|action=|22|login.php|22|>"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2026059; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchtool.co.kr Fake Product User-Agent (searchtoolup)"; flow:established,to_server; content:"User-Agent|3a| searchtool"; http_header; reference:url,doc.emergingthreats.net/2008485; classtype:pup-activity; sid:2008485; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M1 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 22 32 6b 31 37 20 70 72 69 76 38 20 62 79 20 6b 40 6d 65 6c 32 70 20 24 22 20 2d 2d 3e|"; classtype:social-engineering; sid:2026061; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Systemdoctor.com/Antivir2008 related Fake Anti-Virus User-Agent (AntivirXP)"; flow:established,to_server; content:"|3b 20|Antivir"; http_user_agent; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.wiki-security.com/wiki/Parasite/Antivirus2008; reference:url,doc.emergingthreats.net/2008549; classtype:pup-activity; sid:2008549; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M2 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 22 61 6d 61 7a 6f 6e 20 62 79 20 6b 40 6d 65 6c 32 70 20 24 22 20 2d 2d 3e|"; classtype:social-engineering; sid:2026062; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet-antivirus.com Related Fake AV User-Agent (Update Internet Antivirus)"; flow:established,to_server; content:"User-Agent|3a| Update Internet Antivirus"; http_header; reference:url,doc.emergingthreats.net/2008647; classtype:pup-activity; sid:2008647; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M3 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 22 69 74 75 6e 65 73 20 62 79 20 68 61 69 74 68 65 6d 20 62 61 74 20 24 22 20 2d 2d 3e|"; classtype:social-engineering; sid:2026063; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AV2010 Rogue Security Application User-Agent (AV2010)"; flow:to_server,established; content:"User-Agent|3a| AV2010|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008656; classtype:pup-activity; sid:2008656; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M4 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 73 63 61 6d 20 70 72 6f 20 62 79 20 74 68 75 67 2d 6e 65 74 2d 65 76 65 72 20 26 20 70 75 6e 69 73 68 65 72 2d 6f 75 6a 64 69|"; classtype:social-engineering; sid:2026064; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iframebiz - /qwertyuiyw12ertyuytre/adv***.php"; flow:established,to_server; content:"/qwertyuiyw12ertyuytre"; nocase; http_uri; reference:url,iframecash.biz; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.QC&VSect=T; reference:url,doc.emergingthreats.net/bin/view/Main/2008681; classtype:pup-activity; sid:2008681; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M5 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 75 70 64 61 74 65 20 62 79 20 74 61 6b 72 69 7a 20 26 20 32 30 31 35 20 2d 2d 3e|"; classtype:social-engineering; sid:2026065; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Admoke/Adload.AFB!tr.dldr Checkin"; flow: to_server,established; content:"/keyword.html"; http_uri; content:"User-Agent|3a| bdwinrun"; nocase; http_header; reference:md5,6085f2ff15282611fd82f9429d82912b; classtype:pup-activity; sid:2008742; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M6 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 75 70 64 61 74 65 20 62 79 20 78 62 6f 6f 6d 62 65 72 20 26 20 78 68 61 74 20 2d 2d 3e|"; classtype:social-engineering; sid:2026066; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (bdsclk) - Possible Admoke Admware"; flow: to_server,established; content:"User-Agent|3a| bdsclk"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008743; classtype:pup-activity; sid:2008743; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M7 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 2d 20 63 72 65 61 74 65 64 20 62 79 20 6c 65 67 7a 79 20 2d 2d 2d 20 69 63 71 20 3a 20 36 39 32 35 36 31 38 32 34 20 2d 2d 2d 2d 3e|"; classtype:social-engineering; sid:2026067; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.Yokbar Checkin URL"; flow:established,to_server; content:"?p="; http_uri; content:"&v="; http_uri; content:"&m="; http_uri; content:"&d=200"; http_uri; content:"&x="; http_uri; content:"&t="; http_uri; reference:url,doc.emergingthreats.net/2008753; classtype:pup-activity; sid:2008753; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M8 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 6d 6f 64 65 64 20 62 79 20 61 6e 74 68 72 61 78 2d 2d 3e|"; classtype:social-engineering; sid:2026068; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zenosearch Malware Checkin HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"uid="; http_client_body; depth:4; content:"&ref="; http_client_body; content:"&clid="; http_client_body; content:"&commode="; http_client_body; content:"&cmd="; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008757; classtype:pup-activity; sid:2008757; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M9 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 74 68 65 20 73 63 72 69 70 74 20 77 61 73 20 6f 72 69 67 69 6e 61 6c 79 20 63 6f 64 65 64 20 62 79 20 61 6c 69 62 6f 62 6f 20 33 36 30 2d 2d 3e|"; classtype:social-engineering; sid:2026069; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.MWGuide checkin"; flow:established,to_server; content:"/sidebar_load.php?maddr="; http_uri; content:"ipaddr="; http_uri; content:"aff_id="; http_uri; reference:url,doc.emergingthreats.net/2008839; classtype:pup-activity; sid:2008839; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M10 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 74 68 65 20 73 63 72 69 70 74 20 77 61 73 20 6f 72 69 67 69 6e 61 6c 79 20 63 6f 64 65 64 20 62 79 20 6f 6c 64 6c 65 67 65 6e 64 20 33 36 30 2d 2d 3e|"; classtype:social-engineering; sid:2026070; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.MWGuide keepalive"; flow:established,to_server; content:"/alive.php?aff_id="; http_uri; reference:url,doc.emergingthreats.net/2008840; classtype:pup-activity; sid:2008840; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING AT&T Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>AT&"; nocase; content:"href=|22|https://home.secureapp.att.net/"; nocase; distance:0; content:".php|22 20|method=|22|post|22 20|id=|22|LoginForm|22|"; nocase; distance:0; content:"|22|type=|22|com.sbc.idm.igate_edam.forms.LoginFormBean|22|"; nocase; distance:0; classtype:social-engineering; sid:2026060; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Popupblockade.com Spyware Related User-Agent (PopupBlockade/1.63.0.2/Reg)"; flow:established,to_server; content:"User-Agent|3a| PopupBlockade"; http_header; reference:url,doc.emergingthreats.net/2008894; classtype:pup-activity; sid:2008894; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript invalidcheck escape attempt (SMTP)"; flow:to_server,established; file_data; content:"legal"; content:"restore"; distance:0; content:"currentdevice"; content:"putdeviceprops"; pcre:"/legal[^x7B]*\x7B[^\x7D]*restore/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026084; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2018_09_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MySideSearch.com Spyware Install"; flow:established,to_server; content:".php?aff=mysidesearch&act=install"; http_uri; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008915; classtype:pup-activity; sid:2008915; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript invalidcheck escape attempt"; flow:to_client,established; file_data; content:"legal"; content:"restore"; distance:0; content:"currentdevice"; content:"putdeviceprops"; pcre:"/legal[^x7B]*\x7B[^\x7D]*restore/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026085; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar.com Related Spyware Install Report"; flow:established,to_server; content:"/ciconfig.aspx?did="; http_uri; content:"&brandid="; http_uri; content:"&os="; http_uri; content:"&pkg_ver="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008917; classtype:pup-activity; sid:2008917; rev:5; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript illegal read undefinedfilename attempt (SMTP)"; flow:to_server,established; file_data; content:"undefinedfilename"; fast_pattern; content:"errordict"; content:"invalidfileaccess"; content:"typecheck"; pcre:"/errordict\s+\x2Finvalidfileaccess/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026086; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar.com Related Spyware Activity Report"; flow:established,to_server; content:"/trackedevent.aspx?eid="; http_uri; content:"&brand="; http_uri; content:"&os="; http_uri; content:"&mt="; http_uri; content:"&pkg_ver="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008918; classtype:pup-activity; sid:2008918; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript illegal read undefinedfilename attempt"; flow:to_client,established; file_data; content:"undefinedfilename"; fast_pattern; content:"errordict"; content:"invalidfileaccess"; content:"typecheck"; pcre:"/errordict\s+\x2Finvalidfileaccess/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026087; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (IE_6.0)"; flow:to_server,established; content:"User-Agent|3a| IE_6.0"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2009021; classtype:pup-activity; sid:2009021; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript illegal delete bindnow attempt (SMTP)"; flow:to_server,established; file_data; content:"unlink("; fast_pattern; content:"|2E|bindnow"; content:"stopped"; distance:0; pcre:"/\x2Ebindnow[^\x7D]*\x7D\s*stopped/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026088; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware/Spyware Trymedia.com EXE download"; flow:established,to_server; content:"GET"; nocase; http_method; content:".exe?nva="; http_uri; content:"&aff="; http_uri; content:"&token="; http_uri; content:"User-Agent|3a| Macrovision_DM"; nocase; http_header; reference:url,www.browserdefender.com/site/trymedia.com; reference:url,www.threatexpert.com/reports.aspx?find=Adware.Trymedia; reference:url,doc.emergingthreats.net/2009091; classtype:pup-activity; sid:2009091; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript illegal delete bindnow attempt"; flow:to_client,established; file_data; content:"unlink("; fast_pattern; content:"|2E|bindnow"; content:"stopped"; distance:0; pcre:"/\x2Ebindnow[^\x7D]+\x7D\s*stopped/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026089; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (get_site1)"; flow:to_server,established; content:"User-Agent|3a| get_site"; http_header; reference:url,doc.emergingthreats.net/2009111; classtype:pup-activity; sid:2009111; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript setpattern type confusion attempt (SMTP)"; flow:to_server,established; file_data; content:"16#"; content:"setpattern"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026090; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (GETJOB)"; flow:to_server,established; content:"User-Agent|3a| GETJOB"; http_header; reference:url,doc.emergingthreats.net/2009124; classtype:pup-activity; sid:2009124; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript setpattern type confusion attempt"; flow:to_client,established; file_data; content:"16#"; content:"setpattern"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026091; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Viruskill.co.kr Fake AV User-Agent Detected (virus_kill)"; flow:to_server,established; content:"User-Agent|3a| virus_kill"; http_header; reference:url,doc.emergingthreats.net/2009150; classtype:pup-activity; sid:2009150; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript LockDistillerParams type confusion attempt (SMTP)"; flow:to_server,established; file_data; content:"LockDistillerParams"; content:"16#"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026092; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware-Mirar Reporting (BAR)"; flow:to_server,established; content:"download.cgi?BUILDNAME="; nocase; http_uri; content:"&AFFILIATE="; http_uri; content:"&ID="; http_uri; content:"&ERROR=0"; http_uri; content:"User-Agent|3a| BAR"; http_header; reference:url,doc.emergingthreats.net/2009234; classtype:pup-activity; sid:2009234; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript LockDistillerParams type confusion attempt"; flow:to_client,established; file_data; content:"LockDistillerParams"; content:"16#"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026093; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP No-ad.co.kr Fake AV Related User-Agent (U2Clean)"; flow: established,to_server; content:"User-Agent|3a| U2Clean"; http_header; reference:url,doc.emergingthreats.net/2009289; classtype:pup-activity; sid:2009289; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Mikrotik Winbox RCE Attempt (CVE-2018-14847)"; flow:established,to_server; content:"|680100664d320500ff010600ff09050700ff090701000021352f2f2f2f2f2e2f2e2e2f2f2f2f2f2f2e2f2e2e2f2f2f2f2f2f2e2f2e2e2f666c6173682f72772f73746f72652f757365722e6461740200ff88020000000000080000000100ff8802000200000002000000|"; offset:0; reference:url,github.com/mrmtwoj/0day-mikrotik; reference:url,www.helpnetsecurity.com/2018/08/03/mikrotik-cryptojacking-campaign; reference:cve,2018-14847; classtype:attempted-admin; sid:2025972; rev:3; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2018_08_06, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2018_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Mozilla/4.8 ru)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.8 [ru] (Windows NT 6.0|3b| U)|0d 0a|"; fast_pattern; http_header; reference:url,doc.emergingthreats.net/2009438; classtype:pup-activity; sid:2009438; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_03_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Possible Ursnif/Gamaredon Related VNC Module CnC Beacon"; flow:established,to_server; dsize:12; content:"RFB 003.008|0a|"; depth:12; reference:md5,27741793672d8b69803f3d2434743731; reference:md5,076fd584d2fcdf5110f41bcbbd9f2c62; reference:md5,49749ee8fb2a2dab83494ab0e6cf5e7b; classtype:command-and-control; sid:2035893; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, malware_family ursnif, malware_family PowerSniff, malware_family Punchbuggy_VNC_Module, malware_family Gamaredon, signature_severity Major, tag c2, updated_at 2018_09_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (HelpSrvc)"; flow:established,to_server; content:"User-Agent|3a| HelpSrvc|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009439; classtype:pup-activity; sid:2009439; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)"; flow:established,to_server; dsize:<500; content:"|00 6c 6c|"; depth:6; fast_pattern; pcre:"/^[0-9]{2,3}\x00\x6c\x6c(?P<var>[\x20-\x2f\x30-\x39\x3a-\x40\x41-\x5a\x5b-\x60\x7b-\x7e][\x20-\x7e]+?[\x20-\x2f\x30-\x39\x3a-\x40\x41-\x5a\x5b-\x60\x7b-\x7e])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?P=var)[^\r\n]+(?P=var)$/i"; flowbits:set,ETPRO.njratgeneric; reference:md5,d68eaf3b43ba1d26b9067489bbf7ee44; classtype:command-and-control; sid:2033132; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_22, deployment Perimeter, former_category MALWARE, malware_family Bladabindi, malware_family njrat, performance_impact Moderate, signature_severity Major, updated_at 2017_03_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware PlusDream - GET Config Download/Update"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?kind="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&addresses="; nocase; http_uri; content:"&hdmacid="; nocase; reference:url,doc.emergingthreats.net/2009712; classtype:pup-activity; sid:2009712; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Pass 20-09-2018 1"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"String|20|PASS|20|=|20 22|09a0aa1091460d23e5a68550826b359b|22|"; distance:0; fast_pattern; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026337; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_09_20, deployment Datacenter, former_category WEB_SERVER, malware_family SJavaWebManage, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2018_09_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Pivim Multibar User-Agent (Pivim Multibar)"; flow:established,to_server; content:"User-Agent|3a| Pivim"; http_header; reference:url,doc.emergingthreats.net/2009765; classtype:pup-activity; sid:2009765; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Pass 20-09-2018 2"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"String|20|PASS|20|=|20 22|098f6bcd4621d373cade4e832627b4f6|22|"; distance:0; fast_pattern; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026338; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_09_20, deployment Datacenter, former_category WEB_SERVER, malware_family SJavaWebManage, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2018_09_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP QVOD Related Spyware/Malware User-Agent (Qvod)"; flow:established,to_server; content:"User-Agent|3a| Qvod"; nocase; http_header; reference:url,www.siteadvisor.com/sites/update.qvod.com; reference:url,www.threatexpert.com/reports.aspx?find=update.qvod.com; reference:url,doc.emergingthreats.net/2009785; classtype:pup-activity; sid:2009785; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2016_09_29;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Access"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"|22|os.name|22|"; distance:0; content:"|22|/bin/sh|22|"; distance:0; content:"getRuntime|28 29|.exec|28|"; fast_pattern; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026336; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_09_20, deployment Datacenter, former_category WEB_SERVER, malware_family SJavaWebManage, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2018_09_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp)"; flow:established,to_server; content:"User-Agent|3a| Releasexp|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2009796; classtype:pup-activity; sid:2009796; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic MRxJoker Phishing Landing 2018-09-27"; flow:established,to_client; file_data; content:"content=|22|@importmrxjokercss|22|"; nocase; fast_pattern; content:"name=|22|mrxjokercard|22|"; nocase; distance:0; classtype:social-engineering; sid:2026419; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2018_09_27;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ADWARE_PUP Adware/Antivirus360 Config to client"; flow:established,to_client; content:"[InstallerIni]"; nocase; depth:300; content:"|0d 0a|Pid="; nocase; within:6; content:"|0d 0a|Product="; nocase; content:"|0d 0a|FID="; nocase; content:"|0d 0a|Title="; nocase; reference:url,doc.emergingthreats.net/2009809; classtype:pup-activity; sid:2009809; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE VBScript Redirect Style Exe File Download"; flow:to_client,established; flowbits:isset,ET.Locky; file_data; content:"MZ"; depth:2; fast_pattern; content:"This program"; within:100; classtype:trojan-activity; sid:2026434; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category MALWARE, malware_family Locky, malware_family Emotet, signature_severity Major, updated_at 2018_10_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casalemedia Spyware Reporting URL Visited 3"; flow: to_server,established; content:"/sd?s="; nocase; http_uri; pcre:"/\/sd\?s=\d+&f=\d&C=\d/Ui"; reference:url,doc.emergingthreats.net/2009880; classtype:pup-activity; sid:2009880; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC XAgent Beacon"; flow:established,to_server; content:"HTTP/1.1|0d 0a|Accept|3a|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*"; content:!"Host|3a| yandex.ru"; pcre:"/^(?:GET|POST)\/(?:watch|search|find|results|open|search|close)\/\?(?:text=|from=|aq=|ai=|ags=|oe=|btnG=|oprnd=|utm=|channel=|itwm=)/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026437; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_10_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (ONANDON)"; flow:established,to_server; content:"User-Agent|3a| ONANDON|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2009995; classtype:pup-activity; sid:2009995; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC XAgent itwm beacon v1"; flow:established,to_server; content:"/?itwm"; fast_pattern; pcre:"/itwm=[A-Za-z0-9\-\_]{29,35}/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026438; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_10_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/InternetAntivirus User-Agent (Internet Antivirus Pro)"; flow:to_server,established; content:"User-Agent|3a| Internet Antivirus"; nocase; http_header; reference:url,doc.emergingthreats.net/2010218; classtype:pup-activity; sid:2010218; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC XAgent itwm beacon v2"; flow:established,to_server; content:"&itwm"; fast_pattern; pcre:"/&itwm=[A-Za-z0-9\-\_]{29,35}/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026439; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_10_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (CrazyBro)"; flow:established,to_server; content:"User-Agent|3a| CrazyBro"; nocase; http_header; reference:url,doc.emergingthreats.net/2010333; reference:url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml; reference:md5,e4664144f8e95cfec510d5efa24a35e7; reference:md5,fd2d6bb1d2a9803c49f1e175d558a934; classtype:pup-activity; sid:2010333; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp any any <> any any (msg:"ET MALWARE NCSC APT28 - CompuTrace_Beacon_UserAgent"; flow:established; content:"|0d0a|TagId|3a|"; fast_pattern; content: "POST / "; content:!"namequery.com"; content:!"Host: 209.53.113."; content:!"dnssearch.org"; content:!"Cookie:"; content:!"fnbcorporate.co.za"; content:!"207.6.98."; pcre:"/Mozilla\/[0-9]{1,2}.[0-9]{1,2}\(compatible\; MSIE [0-9]{1,2}.[0-9]{1,2}\;\)\x0d\x0a/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026440; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_10_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Malicious Applet Access (justexploit kit)"; flow:to_server,established; content:"/sdfg.jar"; http_uri; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3570.0; reference:url,doc.emergingthreats.net/2010438; classtype:exploit-kit; sid:2010438; rev:7; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC APT28 - Web/request -FILE- contenttype"; flow:established,from_client; content:"-FILE-"; pcre:"/[A-Z0-9\-]{16}-FILE-[^\r\n]+.tmp/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026441; rev:2; metadata:created_at 2018_10_04, former_category MALWARE, updated_at 2018_10_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Executable purporting to be .txt file with no Referer - Likely Malware"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; http_header; content:".txt"; nocase; http_uri; pcre:"/\.txt$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010500; classtype:pup-activity; sid:2010500; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAR Containing Executable Downloaded"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".exe"; fast_pattern; nocase; classtype:trojan-activity; sid:2016379; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_02_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2018_10_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Executable purporting to be .cfg file with no Referer - Likely Malware"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; http_header; content:".cfg"; nocase; http_uri; pcre:"/\.cfg$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010501; classtype:pup-activity; sid:2010501; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-10"; flow:established,to_server; content:"POST"; http_method; content:"id1="; depth:4; nocase; http_client_body; content:"|25|40"; distance:0; http_client_body; content:"&id2="; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:credential-theft; sid:2026465; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_11_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Fake Mozilla User-Agent (Mozilla/0.xx) Inbound"; flow:established,to_server; content:"User-Agent|3a| Mozilla/0."; fast_pattern; http_header; reference:url,doc.emergingthreats.net/2010904; classtype:pup-activity; sid:2010904; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_03_17;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN StarDotStar HELO, suspected AUTH LOGIN botnet"; flow:established,to_server; content:"HELO|20 2a 2e 2a 0d 0a|"; depth:11; classtype:bad-unknown; sid:2026463; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2018_10_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fake Mozilla UA Outbound (Mozilla/0.xx)"; flow:established,to_server; content:"Mozilla/0."; http_user_agent; depth:10; reference:url,doc.emergingthreats.net/2010905; classtype:pup-activity; sid:2010905; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Edge Remote Command Execution PoC (CVE-2018-8495)"; flow:established,to_client; file_data; content:"wshfile:"; content:"../../"; within:100; content:"SyncAppvPublishingServer.vbs"; within:200; nocase; fast_pattern; content:"window.onkeydown=e=>"; nocase; distance:0; content:"window.onkeydown=z="; nocase; distance:0; content:"click()"; nocase; distance:0; reference:url,leucosite.com/Microsoft-Edge-RCE/; reference:cve,2018-8495; classtype:attempted-user; sid:2026488; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2018_10_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (gomtour)"; flow:to_server,established; content:"User-Agent|3a| gomtour|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011087; classtype:pup-activity; sid:2011087; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 69"; flow:established,to_server; content:"|e3 34 a1 ef b4 32 58 d0 f0 3d 66|"; depth:11; reference:md5,f9dbf2c028d3ad58328c190a6adb3301; classtype:command-and-control; sid:2026509; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Recuva User-Agent (OpenPage) - likely trojan dropper"; flow:to_server,established; content:"User-Agent|3a| OpenPage"; http_header; reference:url,doc.emergingthreats.net/2011101; classtype:pup-activity; sid:2011101; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 70"; flow:established,to_server; content:"|35 cd 13 07 49 3a 45 81 02 35 bb|"; depth:11; reference:md5,8e99866b89e9349c21b34e6575f2412f; classtype:command-and-control; sid:2026510; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (i-scan)"; flow:to_server,established; content:"User-Agent|3a| i-scan"; nocase; http_header; reference:url,doc.emergingthreats.net/2011105; classtype:pup-activity; sid:2011105; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 71"; flow:established,to_server; content:"|38 b6 1d 2b 3b 5c 11 b4 d8 75 2c|"; depth:11; reference:md5,24bf188785e18db8fcb7dfa50363b3f5; classtype:command-and-control; sid:2026511; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Yodao Desktop Dict)"; flow:to_server,established; content:"User-Agent|3a| Yodao"; http_header; reference:url,doc.emergingthreats.net/2011123; classtype:pup-activity; sid:2011123; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 72"; flow:established,to_server; content:"|eb e7 a2 ec 6e 3e cc a8 34 b5 91|"; depth:11; reference:md5,98a010ad867f4c36730cc6a87c94528c; classtype:command-and-control; sid:2026512; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Suggestion)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"User-Agent|3a| Suggestion|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011229; classtype:pup-activity; sid:2011229; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 73"; flow:established,to_server; content:"|2e 11 6e fe 1c 00 92 21 3c ce 31|"; depth:11; reference:md5,9e31ee4bb378d3cf6f80f9f30e9f810f; classtype:command-and-control; sid:2026513; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (GabPath)"; flow:to_server,established; content:"User-Agent|3a| GabPath"; http_header; classtype:pup-activity; sid:2011293; rev:8; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2010_09_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/BlackCarat Response from CnC"; flow:established,from_server; dsize:13; content:"|72 50 bf 9e|"; offset:9; depth:4; fast_pattern; reference:md5,514AB639CD556CEBD78107B4A68A202A; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2018/AncelKuprins-VB2018-WolfSheep.pdf; classtype:command-and-control; sid:2026524; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category MALWARE, malware_family CaratRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (KRMAK) Butterfly Bot download"; flow:to_server,established; content:"User-Agent|3a| KRMAK"; http_header; classtype:pup-activity; sid:2011297; rev:4; metadata:created_at 2010_09_28, former_category ADWARE_PUP, updated_at 2010_09_28;)
 
-alert tcp $EXTERNAL_NET $SSH_PORTS -> any any (msg:"ET POLICY Potentially Vulnerable LibSSH Server Observed - Possible Authentication Bypass (CVE-2018-10933)"; flow:from_server,established; content:"SSH-2.0-libssh-0."; depth:17; pcre:"/^[67]\.[01235]/R"; reference:url,www.libssh.org/security/advisories/CVE-2018-10933.txt; reference:url,github.com/blacknbunny/libSSH-Authentication-Bypass; reference:cve,2018-10933; classtype:bad-unknown; sid:2026526; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_19, deployment Perimeter, former_category POLICY, signature_severity Major, tag CVE_2018_10933, updated_at 2018_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Inbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 4.01|3b| Digital AlphaServer 1000A 4/233|3b| Windows NT|3b| Powered By 64-Bit Alpha Processor)|0d 0a|"; nocase; http_header; fast_pattern; classtype:pup-activity; sid:2011517; rev:4; metadata:created_at 2010_09_27, former_category ADWARE_PUP, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT IE Double Free (CVE-2018-8460)"; flow:to_client,established; file_data; content:"<script"; nocase; content:"CreateElement"; nocase; content:"cssText"; nocase; content:"DOMAttrModified"; fast_pattern; nocase; content:"addEventListener"; nocase; pcre:"/(?P<obj>[^\s]{1,25})\s*=\s*document\s*\.\s*createElement.*?(?P<func>[^\s]{1,25})\s*=\s*function\s*\x28\s*e\s*\x29\s*{[^}]*this\s*\.\s*style\s*\.\s*cssText.*?(?P=obj)\s*\.\s*addEventListener\s*\x28\s*[\x22\x27]\s*DOMAttrModified\s*[\x22\x27]\s*\x2c\s*(?P=func)/si"; reference:cve,2018-8460; classtype:attempted-user; sid:2026531; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category WEB_CLIENT, updated_at 2018_10_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Outbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 4.01|3b| Digital AlphaServer 1000A 4/233|3b| Windows NT|3b| Powered By 64-Bit Alpha Processor)|0d 0a|"; nocase; http_header; fast_pattern; classtype:pup-activity; sid:2011518; rev:4; metadata:created_at 2010_09_27, former_category ADWARE_PUP, updated_at 2022_03_17;)
 
-alert icmp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible CVE-2018-4407 - Apple ICMP DoS PoC"; itype:12; icode:0; content:"AAAAAAAA"; fast_pattern; reference:url,lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407; reference:url,twitter.com/ihackbanme/status/1057811965945376768; classtype:attempted-user; sid:2026567; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_11_01, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2018_11_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (dbcount)"; flow:to_server,established; content:"User-Agent|3a| dbcount|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011679; classtype:pup-activity; sid:2011679; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Perl/Shellbot.SM IRC CnC Checkin"; flow:established,to_server; content:"JOIN"; depth:4; content:"Procesor - model name"; distance:0; content:"Numar Procesoare"; distance:0; fast_pattern; content:"|3a|uid="; distance:0; content:"gid="; distance:0; content:"groups="; distance:0; reference:md5,ca42fda581175fd85ba7dab8243204e4; classtype:command-and-control; sid:2026579; rev:1; metadata:attack_target Client_and_Server, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, malware_family Shellbot_SM, performance_impact Low, signature_severity Major, tag Perl, updated_at 2018_11_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent User-Agent (PinballCorp)"; flow:to_server,established; content:"User-Agent|3a| PinballCorp"; nocase; http_header; reference:url,doc.emergingthreats.net/2011691; classtype:pup-activity; sid:2011691; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT Sending Screenshot"; flow:established,to_server; dsize:>1000; content:"sc.cap_sep_"; depth:11; nocase; fast_pattern; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026585; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, malware_family JavaRAT, performance_impact Moderate, signature_severity Major, updated_at 2018_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ADWARE_PUP User-Agent (RangeCheck/0.1)"; flow:established,to_server; content:"User-Agent|3a| RangeCheck/0.1|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2011718; classtype:pup-activity; sid:2011718; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mylobot Receiving XOR Encrypted Config (0xde)"; flow:established,from_server; content:"|00 00 00 00|"; depth:4; content:"|b6 aa aa ae e4 f1 f1|"; distance:1; within:7; fast_pattern; content:"|de 00 00 00 00|"; distance:0; reference:url,www.netformation.com/our-pov/mylobot-continues-global-infections/; classtype:trojan-activity; sid:2026613; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_11_15, deployment Perimeter, former_category TROJAN, malware_family Mylobot, performance_impact Low, signature_severity Major, updated_at 2018_11_15;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP HTML.Psyme.Gen Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/channel/channelCode.htm?"; nocase; http_uri; content:"pid="; nocase; http_uri; reference:md5,de1adb1df396863e7e3967271e7db734; classtype:pup-activity; sid:2011856; rev:4; metadata:created_at 2010_10_26, former_category ADWARE_PUP, updated_at 2010_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader Domain)"; flow:from_server,established; tls_cert_subject; content:"CN=driversearch.site"; nocase; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2026644; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_21, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2018_11_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.0"; flow:established,to_server; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; content:"Host|3a 20|"; content:!"Referer|3a 20|"; http_header; content:".php?"; nocase; http_uri; classtype:pup-activity; sid:2011938; rev:6; metadata:created_at 2010_11_20, former_category ADWARE_PUP, updated_at 2010_11_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Xbalti Phishing Landing 2018-11-26"; flow:established,from_server; file_data; content:"|2d 2d 7e 28 20 20 5c 20 7e 29 29 29 29 29 29 29 29 29 29 29 29 0d 0a 20 20 20 20 2f 20 20 20 20 20 5c 20 20 60 5c 2d 28 28 28 28 28 28 28 28 28|"; within:400; content:"|5c 20 20 5c 20 42 59 20 58 42 41 4c 54 49 20 2f|"; fast_pattern; classtype:social-engineering; sid:2026650; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_11_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.1"; flow:established,to_server; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; content:"Host|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:".php?"; nocase; http_uri; content:!"Connection|3a| "; http_header; classtype:pup-activity; sid:2011939; rev:8; metadata:created_at 2010_11_20, former_category ADWARE_PUP, updated_at 2010_11_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader Domain)"; flow:from_server,established; tls_cert_subject; content:"CN=kortusops.icu"; nocase; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2026659; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_27, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Loader, updated_at 2018_11_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (mrgud)"; flow:established,to_server; content:"User-Agent|3a| mrgud"; http_header; nocase; classtype:pup-activity; sid:2012172; rev:6; metadata:created_at 2011_01_12, former_category ADWARE_PUP, updated_at 2011_01_12;)
 
-#alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"ET POLICY NetBIOS nbtstat Type Query Inbound"; content:"|20 43 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 00 01|"; threshold:type limit, track by_src, count 1, seconds 10; classtype:unknown; sid:2013491; rev:3; metadata:created_at 2011_08_30, former_category POLICY, updated_at 2018_11_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Suspicious Russian Content-Language Ru Which May Be Malware Related"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; http_header; fast_pattern:only; classtype:pup-activity; sid:2012228; rev:6; metadata:created_at 2011_01_25, former_category ADWARE_PUP, updated_at 2011_01_25;)
 
-#alert udp $HOME_NET 137 -> $EXTERNAL_NET 137 (msg:"ET POLICY NetBIOS nbtstat Type Query Outbound"; content:"|20 43 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 00 01|"; threshold:type limit, track by_src, count 1, seconds 10; classtype:unknown; sid:2013490; rev:3; metadata:created_at 2011_08_30, former_category POLICY, updated_at 2018_11_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Suspicious Chinese Content-Language zh-cn Which May be Malware Related"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; http_header; fast_pattern:only; classtype:pup-activity; sid:2012229; rev:8; metadata:created_at 2011_01_25, former_category ADWARE_PUP, updated_at 2011_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Delphi APT28 Zebrocy/Zekapab Reporting to CnC"; flow:established,to_server; content:"POST"; http_method; content:".php?res="; http_uri; content:"data="; http_client_body; depth:5; content:"%0D%0AHost%20Name|3a|%20%20%20"; http_client_body; distance:0; content:"%0D%0AOS%20Name|3a|%20%20%20"; http_client_body; distance:0; content:"%0D%0ARegistered%20Owner|3a|%20%20%20"; http_client_body; distance:0; fast_pattern; content:"%0D%0AOriginal%20Install%20Date|3a|%20%20%20"; http_client_body; distance:0; http_protocol; content:"HTTP/1.0"; http_header_names; content:!"Referer"; reference:url,www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf; classtype:targeted-activity; sid:2026682; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_30, deployment Perimeter, former_category TROJAN, malware_family Zebrocy, malware_family Zekapab, performance_impact Low, signature_severity Major, tag APT28, updated_at 2018_11_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mozilla 3.0 and Indy Library User-Agent Likely Hostile"; flow:established,to_server; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; classtype:pup-activity; sid:2012536; rev:4; metadata:created_at 2011_03_22, former_category ADWARE_PUP, updated_at 2011_03_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Certificate with Unknown Content M2"; flow:established,to_client; file_data; content:"-----BEGIN CERTIFICATE-----|0A|"; depth:28; fast_pattern; byte_test:1,!=,0x4D,0,relative; reference:url,blog.nviso.be/2018/07/31/powershell-inside-a-certificate-part-1/; classtype:misc-activity; sid:2026684; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_04, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Informational, updated_at 2018_12_04;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Unknown Malware PUTLINK Command Message"; flow:established,from_server; content:"CMD PUTLINK http|3A|//"; nocase; content:"Inject|3A|"; nocase; distance:0; classtype:pup-activity; sid:2012615; rev:3; metadata:created_at 2011_04_01, former_category ADWARE_PUP, updated_at 2011_04_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Certificate with Unknown Content M1"; flow:established,to_client; file_data; content:"-----BEGIN CERTIFICATE-----|0D 0A|"; depth:29; fast_pattern; byte_test:1,!=,0x4D,0,relative; reference:url,blog.nviso.be/2018/07/31/powershell-inside-a-certificate-part-1/; classtype:misc-activity; sid:2026649; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_26, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Major, updated_at 2018_11_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Possible Windows executable sent ASCII-hex-encoded"; flow:established,from_server; content:"ascii"; http_header; nocase; content:"|0d 0a 0d 0a|4d5a"; nocase; reference:md5,513077916da4e86827a6000b40db95d5; reference:url,www.xanalysis.blogspot.com/2008/11/cve-2008-2992-adobe-pdf-exploitation.html; classtype:pup-activity; sid:2012804; rev:6; metadata:created_at 2011_05_14, former_category ADWARE_PUP, updated_at 2011_05_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] WeChat (Ransomware/Stealer) Config"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"md5"; depth:3; fast_pattern; content:"nnnn"; distance:12; within:4; content:"z"; distance:28; within:1; content:"z"; distance:32; within:1; content:"z"; distance:35; within:1; reference:url,thehackernews.com/2018/12/china-ransomware-wechat.html; classtype:trojan-activity; sid:2026687; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Stealer, signature_severity Major, tag Ransomware, updated_at 2018_12_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware/CommonName Reporting"; flow:established,to_server; content:"/report.asp?TB="; http_uri; content:"&status="; http_uri; content:"&data="; http_uri; content:"&BABE="; http_uri; content:"&BATCH="; http_uri; content:"&UDT="; http_uri; content:"&GRP="; http_uri; classtype:pup-activity; sid:2013389; rev:3; metadata:created_at 2011_08_10, former_category ADWARE_PUP, updated_at 2011_08_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 27 (msg:"ET MALWARE ELF/Samba CnC Checkin"; flow:established,to_server; dsize:8; content:"|11 10 10 01 22 32 21 52|"; fast_pattern; reference:url,www.guardicore.com/2018/11/butter-brute-force-ssh-attack-tool-evolution; classtype:command-and-control; sid:2026717; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_12_10, deployment Perimeter, former_category MALWARE, malware_family Samba, performance_impact Low, signature_severity Major, updated_at 2018_12_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Baigoo User Agent"; flow:established,to_server; content:"User-Agent|3A 20|BaiGoo Agent"; http_header; classtype:pup-activity; sid:2013405; rev:4; metadata:created_at 2011_08_11, former_category ADWARE_PUP, updated_at 2011_08_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RedControle Probing Infected System"; flow:established,to_server; dsize:14; content:"SE_ND_CO_NN_EC"; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/poking-the-bear-three-year-campaign-targets-russian-critical-infrastructure.html; reference:md5,855b937f668ecd90b8be004fd3c24717; classtype:trojan-activity; sid:2026723; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category TROJAN, malware_family RedControle, performance_impact Low, signature_severity Major, updated_at 2018_12_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfSideKick Activity (iinfo)"; flow:established,to_server; content:"/iinfo.htm?host="; http_uri; content:"&action=update"; http_uri; content:"&ver="; http_uri; content:"&bundle="; http_uri; content:"&client="; http_uri; content:"&bp_id="; http_uri; content:"&prmerr="; http_uri; content:"&ir="; http_uri; classtype:pup-activity; sid:2013448; rev:7; metadata:created_at 2011_08_22, former_category ADWARE_PUP, updated_at 2011_08_22;)
 
-alert smb $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE Shamoon v3 64bit Propagating Internally via SMB"; flow:to_server,established; content:"|00 00 00 00 00 00|"; content:"MZ"; distance:2; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|48 FF C5 42 0F B6|"; distance:0; fast_pattern; content:"|32 45|"; distance:2; within:2; content:"|41 88 41 FF|"; distance:1; within:4; reference:url,www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/new-version-of-disk-wiping-shamoon-disttrack-spotted-what-you-need-to-know; classtype:trojan-activity; sid:2026733; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Server, created_at 2018_12_14, deployment Perimeter, former_category TROJAN, malware_family Shamoon, performance_impact Low, signature_severity Major, tag SMB, tag Worm, tag Wiper, updated_at 2018_12_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zugo Toolbar Spyware/Adware download request"; flow:established,to_server; content:".exe?filename="; http_uri; content:"&dddno="; http_uri; fast_pattern; content:"&channel="; http_uri; content:"&go="; http_uri; reference:url,zugo.com/privacy-policy/; classtype:pup-activity; sid:2013658; rev:3; metadata:created_at 2011_09_15, former_category ADWARE_PUP, updated_at 2011_09_15;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AveMaria Initial CnC Checkin"; flow:established,to_server; dsize:12; content:"|29 bb 66 e4 00 00 00 00 00 00 00 00|"; fast_pattern; reference:url,app.any.run/tasks/67362469-76df-4b19-bfda-5d95a2b4d179; classtype:command-and-control; sid:2026736; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_15, deployment Perimeter, former_category MALWARE, malware_family AveMaria, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2018_12_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware/Helpexpress User Agent HXLogOnly"; flow:established,to_server; content:"User-Agent|3A 20|HXLogOnly"; http_header; classtype:pup-activity; sid:2013729; rev:3; metadata:created_at 2011_10_01, former_category ADWARE_PUP, updated_at 2011_10_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Visa Phishing Landing Jan 30 2014"; flow:established,to_server; content:"/Verified by Visa"; http_uri; nocase; http_referer; content:!"http|3a 2f 2f|www.crdbbank.com"; nocase; isdataat:!1,relative; classtype:social-engineering; sid:2018045; rev:6; metadata:created_at 2014_01_30, former_category PHISHING, updated_at 2021_06_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5217 (msg:"ET ADWARE_PUP W32/SmartPops Adware Outbound Off-Port MSSQL Communication"; flow:established,to_server; content:"S|00|M|00|A|00|R|00|T|00|P|00|O|00|P"; content:"D|00|B|00|_|00|S|00|M|00|A|00|R|00|T|00|P|00|O|00|P"; distance:0; classtype:pup-activity; sid:2013956; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2017_09_21;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.Orion Stealer Exfil via FTP"; flow:established,to_server; content:"STOR PC|3a 20|"; depth:9; content:"/Orion Logger - System Details|3a 20|"; distance:0; fast_pattern; reference:md5,007c4edc6e1ca963a9b2e05e136142f2; classtype:trojan-activity; sid:2026741; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_21, former_category TROJAN, updated_at 2018_12_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Adware.Ibryte User-Agent (ic Windows NT 5.1 MSIE 6.0 Firefox/ Def)"; flow:established,to_server; content:"User-Agent|3A 20|ic Windows NT 5.1 MSIE 6.0 Firefox/ Def"; http_header; classtype:pup-activity; sid:2013999; rev:3; metadata:created_at 2011_12_08, former_category ADWARE_PUP, updated_at 2011_12_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Redirect 2019-01-02"; flow:from_server,established; file_data; content:"<!--"; depth:4; content:"window.top.location='account/?view=login&appIdKey="; nocase; within:150; isdataat:!50,relative; classtype:social-engineering; sid:2026748; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_01_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2019_01_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32-Adware.Hotclip.A Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/filetadak/app_check.php?"; nocase; http_uri; content:"kind="; nocase; http_uri; content:"pid=donkeys"; nocase; http_uri; reference:url,spydig.com/spyware-info/Win32-Adware-Hotclip-A.html; classtype:pup-activity; sid:2014069; rev:5; metadata:created_at 2012_01_02, former_category ADWARE_PUP, updated_at 2012_01_02;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET COINMINER Random Hash Pascalcoin Miner Checkin"; flow:established,to_server; content:"{|22|params|22|:[|22|rhminer/"; depth:20; classtype:coin-mining; sid:2026750; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_02, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2019_01_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/SmartTab PUP Install Activity"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| tabtoolbarup"; http_header; content:"/ins_proc.asp?kind="; http_uri; content:"&ist_yn="; http_uri; content:"&ptn_name="; http_uri; reference:url,camas.comodo.com/cgi-bin/submit?file=31c027c13105e23af64b1b02882fb2b8300fdf7f511bb4c63c71f9b09c75dd6c; reference:md5,8eaf3b7b72a9af5a85d01b674653ccac; classtype:pup-activity; sid:2014117; rev:5; metadata:created_at 2012_01_12, former_category ADWARE_PUP, updated_at 2012_01_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TitanFox Loader CnC Checkin"; flow:established,to_server; dsize:<100; content:"|00 01 00 01 02 02 2b 6e 65 74 2e 74 63 70 3a 2f 2f|"; depth:30; fast_pattern; reference:url,app.any.run/tasks/421691f8-bb33-4be3-abcb-6ee36e772856; classtype:command-and-control; sid:2026759; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_04, deployment Perimeter, former_category MALWARE, malware_family TitanFox, performance_impact Low, signature_severity Major, tag Loader, updated_at 2019_01_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Eorezo-B Adware Checkin"; flow:established,to_server; content:"x-company|3a| "; http_header; content:"EoAgence-"; http_user_agent; reference:md5,6631bb8d95906decc7e6f7c51f6469e6; classtype:pup-activity; sid:2014120; rev:4; metadata:created_at 2012_01_12, former_category ADWARE_PUP, updated_at 2012_01_12;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 58|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012087; rev:3; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2010_12_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious ad_track.php file Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ad_track.php"; nocase; http_uri; content:"etekey="; nocase; http_uri; content:"track.ete.cn"; nocase; http_header; classtype:pup-activity; sid:2014183; rev:5; metadata:created_at 2012_02_06, former_category ADWARE_PUP, updated_at 2012_02_06;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F 1A|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012091; rev:4; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2010_12_23;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET ADWARE_PUP Carder Card Checking Tool try2check.me SSL Certificate on Off Port"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"try2check.me"; within:400; classtype:pup-activity; sid:2014287; rev:3; metadata:attack_target Client_Endpoint, created_at 2012_02_28, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F A9|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012093; rev:4; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2010_12_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/PaPaPaEdge.Adware/Gambling Poker-Edge Checkin"; flow:established,to_server; content:"/xml_action.php?user="; http_uri; content:"&appid="; http_uri; content:"&hwid="; http_uri; content:"&id="; http_uri; content:".poker-edge.com|0d 0a|"; http_header; reference:md5,f9d226bf9807c72432050f7dcb396b06; classtype:pup-activity; sid:2014403; rev:3; metadata:created_at 2012_03_20, former_category ADWARE_PUP, updated_at 2012_03_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F A9|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012092; rev:3; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2010_12_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP BitCoinPlus Embedded site forcing visitors to mine BitCoins"; flow:established,from_server; content:"BitcoinPlusMiner("; reference:url,www.bitcoinplus.com/miner/embeddable; reference:url,www.bitcoinplus.com/miner/whatsthis; classtype:coin-mining; sid:2014535; rev:4; metadata:created_at 2012_04_10, former_category ADWARE_PUP, updated_at 2012_04_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F 1A|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012090; rev:3; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2010_12_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Pdfjsc.XD Related Checkin (microsoft_predator_client header field)"; flow:established,to_server; content:"microsoft_predator_client"; nocase; http_header; reference:url,www.fourteenforty.jp/products/yarai/CVE2011-0609/; reference:url,www.kahusecurity.com/2011/apec-spearphish-2/; reference:md5,3d91d9df315ffeb9bb1c774452b3114b; classtype:pup-activity; sid:2014584; rev:6; metadata:created_at 2012_04_16, former_category ADWARE_PUP, updated_at 2012_04_16;)
 
-alert tcp $HOME_NET ![23,25,80,137,139,445] -> $EXTERNAL_NET 20000: (msg:"ET MALWARE Sourtoff Download Simda Request"; flow:established,to_server; dsize:18; content:"|0a 10|"; depth:2; flowbits:set,ET.TROJAN.Sourtoff; flowbits:noalert; reference:md5,5469af0daa10f8acbe552cd2f1f6a6bb; classtype:trojan-activity; sid:2019312; rev:3; metadata:created_at 2014_09_29, updated_at 2019_01_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP W32/GameVance Adware Server Reponse To Client Checkin"; flow:established,to_client; content:"|0d 0a 0d 0a|cfgint="; content:"cid="; within:30; content:"eus="; within:30; content:"esint="; within:30; content:"sc2dcnt="; within:30; content:"domfqcap="; within:30; content:"domtm="; within:30; content:"css="; within:30; classtype:pup-activity; sid:2014605; rev:7; metadata:created_at 2012_04_17, former_category ADWARE_PUP, updated_at 2012_04_17;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET 853 (msg:"ET INFO DNS Over TLS Request Outbound"; flow:established,to_server; content:"|16 03 01 01|"; depth:4; reference:url,www.linuxbabe.com/ubuntu/ubuntu-stubby-dns-over-tls; classtype:trojan-activity; sid:2026774; rev:2; metadata:created_at 2019_01_10, former_category INFO, updated_at 2019_01_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/GameVance User-Agent (aw v3)"; flow:established,to_server; content:"User-Agent|3A 20|aw v3"; http_header; classtype:pup-activity; sid:2014606; rev:5; metadata:created_at 2012_04_17, former_category ADWARE_PUP, updated_at 2012_04_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AtomLogger Exfil via FTP"; flow:established,to_server; content:"Username|3a 20|"; content:"|0d 0a|Machine Name|3a 20|"; distance:0; content:"|0d 0a|Operating System|3a 20|"; distance:0; content:"|0d 0a|IP Address|3a 20|"; distance:0; content:"|0d 0a|Country|3a 20|"; distance:0; content:"|0d 0a|RAM|3a 20|"; distance:0; content:"|0d 0a|Online since|3a 20|"; distance:0; content:"|0d 0a 0d 0a 0d 0a 0d 0a|================================|0d 0a|Keystrokes and Window Log|0d 0a|"; distance:0; fast_pattern; reference:md5,78bd897a638e7c0d3c00c31c8c68f18b; classtype:trojan-activity; sid:2026824; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_17, deployment Perimeter, former_category TROJAN, malware_family AtomLogger, performance_impact Moderate, signature_severity Major, updated_at 2019_01_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious file bitdefender_isecurity.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/programas/bitdefender-internet-security/2011/bitdefender_isecurity.exe"; http_uri; nocase; reference:md5,283ae10839fff3e183193efde3e633eb; classtype:pup-activity; sid:2014735; rev:4; metadata:created_at 2012_05_11, former_category ADWARE_PUP, updated_at 2012_05_11;)
 
-alert udp $HOME_NET [!3389,1024:65535] -> $EXTERNAL_NET [!3389,1024:65535] (msg:"ET P2P Edonkey Search Request (search by name)"; dsize:>5; content:"|e3 98|"; depth:2; content:"|01|"; within:3; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003319; classtype:policy-violation; sid:2003319; rev:4; metadata:created_at 2010_07_30, updated_at 2019_01_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PCMightyMax Agent PCMM.Installer"; flow:to_server; content:"User-Agent|3A 20|PCMM.Installer"; http_header; classtype:pup-activity; sid:2014798; rev:3; metadata:created_at 2012_05_22, former_category ADWARE_PUP, updated_at 2012_05_22;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Bitter RAT C2 Response"; flow:established,to_client; stream_size:client,=,1; stream_size:server,=,12; dsize:11; content:"|0b 00 d2 0b 00 00|"; offset:5; depth:6; reference:md5,fc516905e3237f1aa03a38a0dde84b52; classtype:command-and-control; sid:2026826; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_21, deployment Perimeter, former_category MALWARE, malware_family BitterRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2019_01_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious pusk.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/pusk.exe"; nocase; http_uri; reference:md5,eae75c0e34d11e6daef216cfc3fbbb04; classtype:pup-activity; sid:2014810; rev:5; metadata:created_at 2012_05_25, former_category ADWARE_PUP, updated_at 2012_05_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 85"; flow:established,to_server; content:"|c4 e2 a1 27 66 76 0b 6d bf 25 73|"; depth:11; reference:md5,c00606ac4ed2e1e8a5f503051c555e72; classtype:command-and-control; sid:2026852; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Remcos, updated_at 2019_01_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/OnlineGames User Agent loadMM"; flow:established,to_server; content:"User-Agent|3A| loadMM|0D 0A|"; http_header; reference:md5,60763078b8860fd59a1d8bea2bf8900b; classtype:pup-activity; sid:2015018; rev:3; metadata:created_at 2012_07_04, former_category ADWARE_PUP, updated_at 2012_07_04;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 86"; flow:established,to_server; content:"|ce 4a a7 2f c0 8c 6d 5f 38 20 e9|"; depth:11; reference:md5,f78b75d64e5119f48c0644dfbcffba9d; classtype:command-and-control; sid:2026853; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Remcos, updated_at 2019_01_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent 100 non-printable char"; flow:to_server,established; content:"User-Agent|3a 20|"; http_header; pcre:"/^([\x7f-\xff]){100}/HRi"; reference:md5,176638536e926019e3e79370777d5e03; classtype:pup-activity; sid:2017982; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
 
-alert udp $HOME_NET 1024:65535 -> [$EXTERNAL_NET,!224.0.0.0/4] 1024:65535 (msg:"ET P2P ThunderNetwork UDP Traffic"; dsize:<38; content:"|32 00 00 00|"; depth:4; content:"|00 00 00 00|"; distance:1; threshold:type limit, track by_src, count 1, seconds 300; reference:url,xunlei.com; reference:url,en.wikipedia.org/wiki/Xunlei; reference:url,doc.emergingthreats.net/2009099; classtype:policy-violation; sid:2009099; rev:4; metadata:created_at 2010_07_30, updated_at 2019_01_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Safekeeper.Adware CnC Beacon"; flow:established,to_server; content:"/app_version/solution/cfg/exn.php?pid="; http_uri; content:".dll|0D 0A|"; http_header; pcre:"/User-Agent\x3A\x20[^\r\n]*\x2Edll\x0D\x0A/H"; reference:md5,9a1c669203b5e9ebb68e2c2cfc964daa; classtype:pup-activity; sid:2018099; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_02_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2014_02_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 87"; flow:established,to_server; stream_size:server,=, 1; content:"|e9 9d ca 64 2d 84 6e 6b cc 48 16|"; depth:11; reference:md5,872fc6cc16b7ba7e2a74b03927d50e85; classtype:command-and-control; sid:2026862; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_30, deployment Perimeter, former_category MALWARE, malware_family Remcos, signature_severity Major, updated_at 2019_01_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/InstallMonetizer.Adware Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"NSIS_Inetc (Mozilla)"; depth:20; http_user_agent; content:"from="; http_client_body; depth:5; content:"&type="; http_client_body; distance:0; content:"&mode="; http_client_body; distance:0; content:"&subid="; http_client_body; distance:0; content:"&mid="; http_client_body; distance:0; classtype:pup-activity; sid:2018149; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_02_18, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2014_02_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible RTF File With Obfuscated Version Header"; flow:established,to_client; file_data; content:"{|5C|rt"; within:4; content:!"f"; within:1; classtype:bad-unknown; sid:2026863; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2019_01_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/DownloadAdmin.Adware CnC Beacon"; flow:established,to_server; content:"/dl?gclid="; fast_pattern:only; http_uri; content:"&source="; http_uri; content:"&c="; http_uri; content:"&aid="; http_uri; content:"&bc="; http_uri; content:"&country="; http_uri; reference:url,malwaretips.com/blogs/remove-pup-downloadadmin-virus-removal-guide/; classtype:pup-activity; sid:2018338; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_03_31, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2014_03_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET !80 -> $EXTERNAL_NET [!25,!445,!1500] (msg:"ET MALWARE Win32/BlackCarat XORed (0x77) CnC Checkin"; flow:established,to_server; dsize:>800; content:"|77 77|"; offset:2; depth:2; content:"|77|"; distance:1; within:1; content:"|77 77 77 77 77 77 77 77 77 77 77 77 77|"; distance:1; within:13; content:"|20 77 1e 77 19 77 13 77 18 77 00 77 04|"; distance:0; fast_pattern; content:!"|00 00 00 00 00 00|"; reference:md5,514AB639CD556CEBD78107B4A68A202A; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2018/AncelKuprins-VB2018-WolfSheep.pdf; classtype:command-and-control; sid:2026525; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category MALWARE, malware_family BlackCarat, performance_impact Low, signature_severity Major, tag RAT, updated_at 2019_01_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/DownloadAdmin.Adware Executable Download Request"; flow:established,to_server; content:"/download/"; http_uri; content:"/dl?s="; fast_pattern:only; http_uri; content:"&c="; http_uri; content:"&brand="; http_uri; content:"&pid="; http_uri; content:"&aid="; http_uri; content:"&bc="; http_uri; content:"&country="; http_uri; content:"&cb="; http_uri; reference:url,malwaretips.com/blogs/remove-pup-downloadadmin-virus-removal-guide/; classtype:pup-activity; sid:2018339; rev:4; metadata:created_at 2014_03_31, former_category ADWARE_PUP, updated_at 2014_03_31;)
 
-#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Request"; flow:established,from_server; content:"Thanks Snailsor,FuYu,BloodSword"; reference:url,doc.emergingthreats.net/2009146; classtype:web-application-activity; sid:2009146; rev:5; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> 54.218.7.114 any (msg:"ET ADWARE_PUP DomainIQ Check-in"; flow:established,to_server; content:"User-Agent|3a 20|NSISDL/1.2|20 28|Mozilla|29 0d 0a|"; http_header; fast_pattern; reference:md5,00699af9bb10af100563adbb767bcee0; classtype:pup-activity; sid:2018458; rev:4; metadata:created_at 2014_05_09, former_category ADWARE_PUP, updated_at 2022_03_17;)
 
-#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Related Activity"; flow:established,from_server; content:"public string Password|3D 22|21232f297a57a5a743894a0e4a801fc3|22 3B|"; nocase; reference:url,doc.emergingthreats.net/2009147; classtype:web-application-activity; sid:2009147; rev:5; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Downloader.NSIS.OutBrowse.b Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/Installer/Flow?pubid="; nocase; depth:22; http_uri; fast_pattern; content:"&distid="; distance:0; http_uri; content:"&productid="; distance:0; http_uri; content:"&subpubid="; distance:0; http_uri; content:"&campaignid="; distance:0; http_uri; content:"&networkid="; distance:0; http_uri; content:"&dfb="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"&version="; distance:0; http_uri; content:"Chrome/18.0.1025.142 Safari/535.19|0d 0a|Host|3a|"; http_header; reference:md5,38eeed96ade6037dc299812eeadee164; reference:url,sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/OutBrowse%20Revenyou/detailed-analysis.aspx; classtype:pup-activity; sid:2018617; rev:7; metadata:created_at 2014_01_14, former_category ADWARE_PUP, updated_at 2016_06_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Upload Attempt"; flow:established,to_server; content:"public string Password|3D 22|21232f297a57a5a743894a0e4a801fc3|22 3B|"; nocase; reference:url,doc.emergingthreats.net/2009149; classtype:web-application-activity; sid:2009149; rev:5; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MultiPlug.J Checkin"; flow:established,to_server; urilen:>103; content:"/?q="; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"POST"; http_method; pcre:"/^\/(?:[A-Za-z]+\d?\/)?\?q=(?=[a-z0-9+/]*[A-Z])(?=[A-Z0-9+/]*[a-z])(?=[A-Za-z0-9+/\x25]*\d)[A-Za-z0-9+/\x25]{100}/U"; content:!"map24.com|0d 0a|"; http_header; content:!"aptrk.com|0d 0a|"; http_header; content:!"Accept-"; http_header; pcre:"/^Accept\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r?$/Hi"; reference:md5,64482895a11d120a9f17ded96aa43cd3; reference:md5,a108ae58850e8f48428070d3193e5c11; classtype:pup-activity; sid:2020422; rev:16; metadata:created_at 2015_02_13, former_category ADWARE_PUP, updated_at 2016_07_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:established,from_server; content:"traderserviceinfo.info"; fast_pattern; tls_cert_issuer; content:"C=AU, ST=Some-State, L=City, O=Some|20|Company"; classtype:domain-c2; sid:2026899; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_12, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_02_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP AdWare.Win32.BetterSurf.b SSL Cert"; flow:established,from_server; content:"CN=*.tr553.com"; threshold: type limit, track by_src, count 2, seconds 60; reference:md5,54c9288cbbf29062d6d873cba844645a; classtype:pup-activity; sid:2020712; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_03_19, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 44818 (msg:"ET EXPLOIT Possible MicroLogix 1100 PCCC DoS Condition (CVE-2017-7924)"; flow:to_server,established; content:"|4b 02 20 67 24 01|"; content:"|a2|"; distance:0; content:"|05 47|"; distance:1; within:2; reference:cve,2017-7924; reference:url,rapid7.com/db/modules/auxiliary/dos/scada/allen_bradley_pccc; classtype:attempted-dos; sid:2026917; rev:1; metadata:created_at 2019_02_18, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2019_02_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Windows executable sent when remote host claims to send an image M2"; flow: established,from_server; http_content_type; content:"image/jpeg"; depth:10; isdataat:!1,relative; file_data; content:"MZ"; within:2; content:"!This program"; distance:0; fast_pattern; classtype:pup-activity; sid:2020757; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2017_12_21;)
 
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|-|00|e|00|n|00|c|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025721; rev:3; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2019_02_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access takeCameraPicture"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:".takeCameraPicture"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017777; rev:3; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DirectsX Checkin Response"; flow:established,from_server; dsize:25; content:"|19 00 00 00|"; offset:17; depth:4; content:!"|00 00|"; within:2; content:!"|ff ff|"; within:2; content:!"_loc"; reference:url,public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf; classtype:command-and-control; sid:2019633; rev:2; metadata:created_at 2014_11_04, former_category MALWARE, updated_at 2019_02_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access sendSMS"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"sendSMS"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017782; rev:3; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible SharpShooter Framework Generated Script"; flow:established,to_client; file_data; content:"rc4=function|28|key,str|29|"; nocase; content:"key.charCodeAt|28|i%key.length|29|"; fast_pattern; nocase; distance:0; content:"String.fromCharCode|28|str.charCodeAt|28|"; content:"decodeBase64=function"; nocase; distance:0; content:"b64block="; nocase; distance:0; reference:url,www.mdsec.co.uk/2018/03/payload-generation-using-sharpshooter/; reference:url,blog.morphisec.com/sharpshooter-pen-testing-framework-used-in-attacks; classtype:trojan-activity; sid:2026918; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_02_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access registerMicListener"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"registerMicListener"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017783; rev:3; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible SharpShooter Framework Generated VBS Script"; flow:established,to_client; file_data; content:"RC4|28|byteMessage, strKey|29|"; nocase; content:"function decodeBase64|28|base64|29|"; nocase; distance:0; content:".createElement|28 22|tmp|22 29|"; nocase; distance:0; content:"decoded = decodeBase64|28|"; nocase; distance:0; reference:url,www.mdsec.co.uk/2018/03/payload-generation-using-sharpshooter/; reference:url,blog.morphisec.com/sharpshooter-pen-testing-framework-used-in-attacks; classtype:trojan-activity; sid:2026919; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_18, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2019_02_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access sendMail"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"sendMail"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017781; rev:3; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell NoProfile Command Received In Powershell Stagers"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"-nop"; nocase; distance:0; classtype:trojan-activity; sid:2026988; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Minor, tag PowerShell, updated_at 2019_02_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access postToSocial"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"postToSocial"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017780; rev:3; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell Hidden Window Command Common In Powershell Stagers M1"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"-w"; nocase; distance:0; content:"hidden"; within:17; classtype:trojan-activity; sid:2026989; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access getGalleryImage"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"getGalleryImage"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017778; rev:4; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell Hidden Window Command Common In Powershell Stagers M2"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"-w 1"; nocase; distance:0; classtype:trojan-activity; sid:2026990; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u001"; fast_pattern; pcre:"/^[a-f0-9]/Ri"; content:"javascript|3a|"; nocase; within:11; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:attempted-user; sid:2020397; rev:4; metadata:created_at 2015_02_12, former_category CURRENT_EVENTS, updated_at 2015_02_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell NonInteractive Command Common In Powershell Stagers"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"-noni"; nocase; distance:0; classtype:trojan-activity; sid:2026991; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u000"; fast_pattern; pcre:"/^[a-f0-9]/Ri"; content:"javascript|3a|"; nocase; within:11; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:trojan-activity; sid:2019181; rev:9; metadata:created_at 2014_09_16, former_category CURRENT_EVENTS, updated_at 2014_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M2"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"FromBase64String|28|"; nocase; distance:0; classtype:trojan-activity; sid:2026993; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Locky AlphaNum Downloader Oct 3 2016"; flow:from_server,established; flowbits:isnotset,ET.http.binary; flowbits:isset,ET.LockyDL; content:"ETag|3a|"; http_header; content:!"Content-Disposition|3a|"; http_header; content:!"Cookie|3a|"; content:"Content-Length|3a 20|1"; http_header; fast_pattern:only; pcre:"/^Content-Length\x3a\x201[6-8]\d{4}\r?$/Hm"; file_data; content:!"MZ"; within:2; content:!"PK"; within:2; content:!"GIF"; within:3; content:!"|FF D8 FF|"; within:3; content:!"CWS"; within:3; content:!"ZWS"; within:3; pcre:"/^.{4}[\x0a-\x7f]{0,100}[\x00-x09\x80-\xff]/s"; classtype:trojan-activity; sid:2023316; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, signature_severity Major, updated_at 2016_10_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell DownloadFile Command Common In Powershell Stagers"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"DownloadFile|28|"; nocase; distance:0; classtype:trojan-activity; sid:2026994; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M4"; flow:established,to_server; urilen:>6; pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?*(?:(?P<var1>[^=&]+)=(?P=var1))?))$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; content:"Firefox"; http_user_agent; flowbits:set,ET.Locky; flowbits:noalert; classtype:trojan-activity; sid:2026462; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2018_10_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell DownloadString Command Common In Powershell Stagers"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"DownloadString|28|"; nocase; distance:0; classtype:trojan-activity; sid:2026995; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M3"; flow:established,to_server; urilen:>6; content:"MSIE"; http_user_agent; fast_pattern; pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?*(?:(?P<var1>[^=&]+)=(?P=var1))?))$/U"; http_header_names; content:!"Referer"; content:!"Cookie"; http_start; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; flowbits:set,ET.Locky; flowbits:noalert; classtype:trojan-activity; sid:2026461; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Moderate, signature_severity Major, updated_at 2019_05_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell DownloadData Command Common In Powershell Stagers"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"DownloadData|28|"; nocase; distance:0; classtype:trojan-activity; sid:2026996; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M2"; flow:established,to_server; urilen:6<>20; pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?))$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; content:"Firefox/54.0"; http_user_agent; classtype:trojan-activity; sid:2024768; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_05;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (V3LU9) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"V3LU9"; fast_pattern; distance:0; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026920; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M1"; flow:established,to_server; urilen:6<>20; pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?))$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; content:"MSIE 7.0"; http_user_agent; classtype:trojan-activity; sid:2024767; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_05;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (ctT2J) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"ctT2J"; fast_pattern; distance:0; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026921; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Locky AlphaNum Downloader Oct 3 2016"; flow:to_server,established; urilen:5<>10; content:"GET"; http_method; pcre:"/^\/(?=[a-z]*[0-9][a-z-0-9]*$)(?=[0-9]*[a-z][a-z-0-9]*$)[a-z0-9]{5,8}$/U"; content:!"Cookie|3a 20|"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_header; fast_pattern; content:"Accept|3a|"; http_header; content:"Accept-Encoding"; http_header; flowbits:set,ET.LockyDL; flowbits:noalert; classtype:trojan-activity; sid:2023315; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, signature_severity Major, updated_at 2022_03_17;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (dy1PYmp) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dy1PYmp"; fast_pattern; distance:0; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026922; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC) 2019-05-30"; flow:established,to_client; tls_cert_subject; content:"CN=halatest.info"; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,twitter.com/Racco42/status/1134214372996390913; classtype:domain-c2; sid:2027414; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_05_31, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (V3LU9iam) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"V3LU9iam"; fast_pattern; distance:0; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026923; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader Domain)"; flow:from_server,established; tls_cert_subject; content:"CN=driversearch.site"; nocase; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2026644; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_21, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2018_11_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (XctT2JqZW) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"XctT2JqZW"; fast_pattern; distance:0; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026924; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader Domain)"; flow:from_server,established; tls_cert_subject; content:"CN=kortusops.icu"; nocase; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2026659; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_27, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Loader, updated_at 2018_11_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (dy1PYmplY3) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dy1PYmplY3"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026925; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert dns $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Brushaloader Domain in DNS Lookup 2019-05-30"; dns_query; content:"canasikos.info"; nocase; isdataat:!1,relative; reference:url,twitter.com/Racco42/status/1134214372996390913; classtype:trojan-activity; sid:2027415; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family BrushaLoader, performance_impact Low, signature_severity Major, updated_at 2019_05_31;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (FydC1Qcm9) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"FydC1Qcm9"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026926; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/Dridex Binary Download 6th Jan 2016"; flowbits:isset,et.dridexdoc; flow:established,to_client; content:"Content-Disposition|3A| attachment|3B| filename="; http_header; content:".exe"; http_header; fast_pattern; file_data; content:"MZ"; within:2; content:"This program"; within:100; classtype:trojan-activity; sid:2022340; rev:5; metadata:created_at 2016_01_07, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (RhcnQtUHJ) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"RhcnQtUHJ"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026927; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex Remote Macro Download"; flow:established,from_server; file_data; content:"(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80)"; nocase; classtype:trojan-activity; sid:2021093; rev:3; metadata:created_at 2015_05_13, former_category CURRENT_EVENTS, updated_at 2015_05_13;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (YXJ0LVByb2N) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"YXJ0LVByb2N"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026928; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex Download 6th Jan 2016 Flowbit"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; content:"Content-Length|3a 20|0|0d 0a|"; content:"MSIE 7.0"; http_header; fast_pattern:only; content:!"Referer|3A|"; http_header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; flowbits:set,et.dridexdoc; flowbits:noalert; classtype:trojan-activity; sid:2022339; rev:3; metadata:created_at 2016_01_07, former_category CURRENT_EVENTS, updated_at 2016_01_07;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (RhcnQtUHJvY2) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"RhcnQtUHJvY2"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026929; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Dridex Campaign Download Jan 28 2015"; flow:established,to_server; content:"GET"; http_method; content:"/js/bin.exe?="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/js\/bin\.exe\?=\d+$/U"; classtype:trojan-activity; sid:2020328; rev:3; metadata:created_at 2015_01_29, former_category CURRENT_EVENTS, updated_at 2015_01_29;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (GFydC1Qcm9jZX) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"GFydC1Qcm9jZX"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026930; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBA Office Document Dridex Binary Download User-Agent 2"; flow:established,to_server; content:"User-Agent|3A| MisterZALALU"; http_header; fast_pattern; reference:md5,2f53b7669482c2d9216a74050630fbb7; classtype:trojan-activity; sid:2020806; rev:3; metadata:created_at 2015_03_31, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (YXJ0LVByb2Nlc3) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"YXJ0LVByb2Nlc3"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026931; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBA Office Document Dridex Binary Download User-Agent"; flow:established,to_server; content:"User-Agent|3A| KAII"; http_header; fast_pattern:only; reference:md5,cb2903c89d60947fa4badec41e065d71; classtype:trojan-activity; sid:2020758; rev:3; metadata:created_at 2015_03_26, former_category CURRENT_EVENTS, updated_at 2015_03_26;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (Zva2UtV21pTWV) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"Zva2UtV21pTWV"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026932; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET MALWARE Possible Dridex e-mail inbound"; flow:established,to_server; content:"<no-replay"; fast_pattern:only; content:"User-Agent|3a 20|Roundcube"; classtype:bad-unknown; sid:2020351; rev:2; metadata:created_at 2015_02_03, former_category CURRENT_EVENTS, updated_at 2015_02_03;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (52b2tlLVdtaU1) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"52b2tlLVdtaU1"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026933; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex Downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be ef 3b e8 9f 06 3c 8d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; content:"|55 04 03|"; distance:0; content:"|0b|example.com"; distance:1; within:12; classtype:trojan-activity; sid:2020986; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (dm9rZS1XbWlNZXR) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dm9rZS1XbWlNZXR"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026934; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex Downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 92 14 63 ad 72 a8 8a 36|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0d|Casino Royale"; distance:1; within:14; classtype:trojan-activity; sid:2021615; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (52b2tlLVdtaU1ldG) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"52b2tlLVdtaU1ldG"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026935; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex downloader SSL Certificate srv1.mainsftdomain.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|srv1.mainsftdomain.com"; distance:1; within:23; content:"|55 04 03|"; distance:0; content:"|16|srv1.mainsftdomain.com"; distance:1; within:23; classtype:trojan-activity; sid:2020866; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (nZva2UtV21pTWV0aG) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"nZva2UtV21pTWV0aG"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026936; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be ef 3b e8 9f 06 3c 8d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; content:"|55 04 03|"; distance:0; content:"|0b|example.com"; distance:1; within:12; classtype:trojan-activity; sid:2020943; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (dm9rZS1XbWlNZXRob2) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dm9rZS1XbWlNZXRob2"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026937; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Aug 20 2014 D1"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 89 aa ac b6 40 58 a5 8c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,70bb2e450fe927ee32884cda6fe948b5; classtype:trojan-activity; sid:2018973; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_08_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (Zva2UtQ29) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"Zva2UtQ29"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026938; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Aug 20 2014 D2"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 9c 96 01 9e 7e d5 38 fd|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2018974; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_08_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (dm9rZS1Db21) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dm9rZS1Db21"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026939; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 05 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 49 68 e1 31 97 48 3f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,c078788d86c653f428fc3a62dd030ede; classtype:trojan-activity; sid:2019651; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (nZva2UtQ29tbW) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"nZva2UtQ29tbW"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026940; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9b c4 77 4f 2c d1 50 37|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019703; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (52b2tlLUNvbW1) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"52b2tlLUNvbW1"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026941; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a9 e0 8a 96 fb 4a 1b b6|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019699; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (dm9rZS1Db21tYW) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dm9rZS1Db21tYW"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026942; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 e8 67 40 49 01 84 b1|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019702; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (52b2tlLUNvbW1hbm) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"52b2tlLUNvbW1hbm"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026943; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e6 65 21 19 a2 a2 9e 6e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019700; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"hpcyBwcm9"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027027; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fa 3d b1 87 b3 12 ff 2f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019701; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"lzIHByb2d"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027028; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 12 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b0 48 5c e9 94 c7 59 03|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,31536d977dfc0e158d8f7a365c0543ec; classtype:trojan-activity; sid:2019705; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"aXMgcHJvZ3J"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027029; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 17 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a6 9e 89 2a 06 f4 80 5f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,b7214b7ff246175e7b6bbe2db600f98e; classtype:trojan-activity; sid:2019719; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"hpcyBwcm9ncm"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027030; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa 29 c6 1c 85 a5 85 33|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,38f4f489bd7e59ed91dc6ff95f37999f; classtype:trojan-activity; sid:2019419; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"GlzIHByb2dyYW"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027031; rev:2; metadata:attack_target DNS_Server, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d5 2e c1 9c b6 e5 96 7d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,05823d6ec6d2a483f94ae1794a06c1a6; classtype:trojan-activity; sid:2019413; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"aXMgcHJvZ3JhbS"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027032; rev:2; metadata:created_at 2019_03_05, former_category ATTACK_RESPONSE, updated_at 2019_03_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8c 54 a8 06 20 b6 93 90|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1754d4765a05e4637d2dcdbd1c28eaf1; classtype:trojan-activity; sid:2019494; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"gAaQBzACAAcAByAG8AZwByAGE"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027033; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca f1 2e 3e cb c1 4a c0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,f4c26252042b9d520cd832b8b4a66de0; classtype:trojan-activity; sid:2019493; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"BoAGkAcwAgAHAAcgBvAGcAcgB"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027034; rev:2; metadata:created_at 2019_03_05, updated_at 2019_03_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d6 cd df 4e c0 3c fc 13|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5159780c47b8df01d5eb00d858b4d35a; classtype:trojan-activity; sid:2019495; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"aABpAHMAIABwAHIAbwBnAHIAYQB"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027035; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 81 01 15 1a 78 7f e9 6e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,2841fb14060f579e46a301baf234a1e7; classtype:trojan-activity; sid:2019522; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"BoAGkAcwAgAHAAcgBvAGcAcgBhAG"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027036; rev:2; metadata:created_at 2019_03_05, updated_at 2019_03_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 10 4b 4c 47 43 e9 4b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,bd3fd9f55900e2c63d5f4977053e8f68; classtype:trojan-activity; sid:2019523; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"GgAaQBzACAAcAByAG8AZwByAGEAbQ"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027037; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ba 53 8e c8 a2 a1 6c 17|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,e5395918babb67b495a094040efff909; classtype:trojan-activity; sid:2019520; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"aABpAHMAIABwAHIAbwBnAHIAYQBtAC"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027038; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family CoinMiner, signature_severity Major, updated_at 2019_03_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fe d5 e3 3b b2 f8 4e f4|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,e5395918babb67b495a094040efff909; classtype:trojan-activity; sid:2019521; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"FyZ29ycCB"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027039; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 3 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 02 84 39 97 d9 ef df|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,27b8d15950022f53ca4ca7004932cf2b; classtype:trojan-activity; sid:2019342; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"1hcmdvcnA"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027040; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa 95 9f e1 a6 33 7b d9|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,edefcbba2944872f31454fcb98802488; classtype:trojan-activity; sid:2019173; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"YXJnb3JwIHN"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027041; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 8c bf 77 7c 33 77 06|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5dd6e69b1e9049f295e314b523679d98; classtype:trojan-activity; sid:2019178; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"1hcmdvcnAgc2"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027042; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e8 66 93 12 61 52 ba b4|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|Zatusim.com"; distance:1; within:12; reference:md5,2f52d3921613b2fe06c9eb9051d45e60; classtype:trojan-activity; sid:2019186; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_09_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"WFyZ29ycCBzaW"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027043; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 19 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f8 69 16 89 bb bc f3 d7|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1da03b89c25c9f8999edb8c1abb0c4ed; classtype:trojan-activity; sid:2019200; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"YXJnb3JwIHNpaF"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027044; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 95 78 dc d3 77 1b bc 30|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,bf019054fced52ff03ed8d371dfd371d; classtype:trojan-activity; sid:2019213; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M1"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"|20|-e"; nocase; distance:0; pcre:"/^(?:nc)?\s*(?:[A-Z0-9+\/]{4})*(?:[A-Z0-9+\/]{2}==|[A-Z0-9+\/]{3}=)/Ri"; classtype:trojan-activity; sid:2026992; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_03_05;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c5 86 50 03 11 16 99 16|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,75a2e3c9f8783dfc953f6aeb8a9eda2f; classtype:trojan-activity; sid:2019276; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Download Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A646F776E6C6F61642073756363657373"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027049; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 3 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9c c5 8b 5d c7 8a 96 b7|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,0d5ad9759753cb4639cd405eddbe2a16; classtype:trojan-activity; sid:2019104; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Download Command Error"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A646F776E6C6F6164206661696C65642C"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027050; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 30 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ba c8 fb e2 d7 61 26 81|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,27ec921595f9e05e7e8933e71d336fa7; classtype:trojan-activity; sid:2019320; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Upload Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A75706C6F61642073756363657373"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027051; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 30 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c3 04 eb 4f 91 0a 85 aa|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,a3dd0964ee346db49192836569b41203; classtype:trojan-activity; sid:2019319; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Upload Command Error"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A75706C6F6164206661696C65642C"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027052; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE  Possible Dyre SSL Cert Dec 4 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 24 bd ca a0  48 b4 10|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|08|thfgtjyj"; distance:1; within:9; classtype:trojan-activity; sid:2019875; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_12_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Directory Change Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A6469726563746F7279206368616E6765642073756363657373"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027053; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb c0 73 38 d6 b1 99 a5|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,0fa515ad9fd1031b7a7891a46f72f122; classtype:trojan-activity; sid:2019275; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Sleep Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A72756E74696D65206368616E67656420746F2072756E74696D65"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027048; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_07;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert (non-ASCII) Jul 21 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/Rs"; content:!"|06 03 55 04 0b|"; distance:0; content:"|06 03 55 04 07 0c|"; within:10; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 0a 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 03 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])(?P<var>.{10,120}?[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021586; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [AV] EarthWorm/Termite IoT Agent Reporting Infection"; dsize:<500; flow:established,to_server; content:"|00 00 00 01|"; offset:1; depth:4; content:"|00 00 00 01 6b 00 00 00 01|"; distance:7; within:9; fast_pattern; content:"agent"; distance:4; within:5; pcre:"/^\x00+?[\x20-\x7f]+?\x00+?$/R"; reference:url,github.com/anhilo/xiaogongju/tree/422136c014ba6b95ad3a746662be88372eb11b09; reference:url,www.alienvault.com/blogs/labs-research/internet-of-termites; classtype:trojan-activity; sid:2027064; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_07, deployment Perimeter, former_category TROJAN, malware_family Termite, malware_family EarthWorm, performance_impact Moderate, signature_severity Major, updated_at 2019_03_07;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Aug 31 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 08|"; distance:0; pcre:"/^.{2}(?P<state>[A-Z][a-z]+).*?\x55\x04\x07.{2}(?P=state)\x0a/Rsi"; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_extract:1,1,cnlength,relative; content:!"|2e|"; within:cnlength; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; fast_pattern; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; reference:md5,26e83fa8b2f3eccfe975cd451933ae63; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021735; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE EarthWorm/Termite IoT Agent CnC Response"; dsize:<500; flow:established,from_server; content:"|00 00 00 01|"; offset:1; depth:4; content:"|00 00 00 01 6b 00 00 00 01|"; distance:7; within:9; fast_pattern; content:"agent"; distance:4; within:5; pcre:"/^\x00+?[\x20-\x7f]+?\x00+?$/R"; reference:url,github.com/anhilo/xiaogongju/tree/422136c014ba6b95ad3a746662be88372eb11b09; reference:url,www.alienvault.com/blogs/labs-research/internet-of-termites; classtype:command-and-control; sid:2027065; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_03_07, deployment Perimeter, former_category MALWARE, malware_family Termite, malware_family EarthWorm, performance_impact Moderate, signature_severity Major, updated_at 2019_03_07;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Aug 31 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|55 04 08|"; distance:0; byte_test:1,>,9,1,relative; byte_test:1,<,121,1,relative; pcre:"/^.{2}[A-Z]{10,120}/R"; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_extract:1,1,cnlength,relative; content:!"|2e|"; within:cnlength; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; distance:0; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; reference:md5,26e83fa8b2f3eccfe975cd451933ae63; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021736; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OSX/EvilOSX Client Receiving Commands"; flow:established,to_client; content:"404"; http_stat_code; file_data; content:"DEBUG"; depth:9; fast_pattern; reference:url,github.com/Marten4n6/EvilOSX/; classtype:trojan-activity; sid:2027066; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_03_07, deployment Perimeter, former_category TROJAN, malware_family EvilOSX, performance_impact Moderate, signature_severity Major, updated_at 2019_03_07;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Jan 22 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 c1 47 06 dd 12 ae 21|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0f|Dniepropetrovsk"; distance:1; within:16; classtype:trojan-activity; sid:2020288; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET ![22,23,25,80,139,443,445] -> $HOME_NET any (msg:"ET MALWARE Netwire RAT Check-in"; flow:established,to_client; dsize:>68; content:"|41 00 00 00 05|"; depth:5; flowbits:isset,ET.NetwireRAT.Client; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:2018427; rev:4; metadata:created_at 2014_04_28, former_category TROJAN, updated_at 2019_03_08;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Oct 12 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|0b 30 09 06 03 55 04 06 13 02 43 41 31|"; distance:0; fast_pattern; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; byte_extract:1,1,olength,relative; content:!"|2e|"; within:olength; content:!"|20|"; within:olength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:!"support@"; distance:0; pcre:"/^.{2}[A-Za-z][a-z]*?@[a-z]+\.com[01]/R"; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021948; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2018-8174 Common Construct B64 M2"; flow:from_server,established; file_data; content:"|68546147567362474e765a4756425a475279554746795957|"; classtype:attempted-user; sid:2027070; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Gamut Spambot Checkin Response"; flow:established,from_server; file_data; content:"count_threads|09 09 09 3d 09|"; depth:18; fast_pattern; content:"|0a|efficiency_limit|09 09 3d 09|"; distance:1; within:22; flowbits:isset,ETGamut; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:command-and-control; sid:2018246; rev:3; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2014_03_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2018-8174 Common Construct B64 M1"; flow:from_server,established; file_data; content:"|4b464e6f5a5778735932396b5a55466b5a484a5159584a6862|"; classtype:attempted-user; sid:2027069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Winwebsec/Zbot/Luder Checkin Response"; flow:established,from_server; file_data; content:"ingdx.htmA{ip}"; nocase; classtype:trojan-activity; sid:2016851; rev:4; metadata:created_at 2013_05_16, former_category CURRENT_EVENTS, updated_at 2013_05_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2018-8174 Common Construct B64 M3"; flow:from_server,established; file_data; content:"|6f5532686c6247786a6232526c5157526b636c4268636d4674|"; classtype:attempted-user; sid:2027071; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible CVE-2013-3906 CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"MyWebClient"; depth:11; http_user_agent; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:command-and-control; sid:2017671; rev:6; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2013_11_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Landing M1"; flow:from_server,established; file_data; content:"|554778315a326c75524756305a574e30|"; content:"-=8))%256)|3b|}"; content:"+=72){"; content:"[0] < 21) return false|3b|"; content:",[0] > 31) return false|3b|"; distance:0; content:"[0] == 31 &&"; content:"[3] > 153) return false|3b|"; distance:0; content:"flash"; nocase; classtype:exploit-kit; sid:2027072; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Spleevo_EK, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
+#alert http any any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hikvision DVR Synology Recon Scan Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/k.php?h="; http_uri; depth:9; content:"ballsack"; depth:8; http_user_agent; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,isc.sans.edu/forums/diary/More+Device+Malware+This+is+why+your+DVR+attacked+my+Synology+Disk+Station+and+now+with+Bitcoin+Miner/17879; classtype:trojan-activity; sid:2018344; rev:4; metadata:created_at 2014_04_02, former_category CURRENT_EVENTS, updated_at 2014_04_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Landing M2"; flow:from_server,established; file_data; content:"|516248566e615735455a58526c5933|"; content:"-=8))%256)|3b|}"; content:"+=72){"; content:"[0] < 21) return false|3b|"; content:",[0] > 31) return false|3b|"; distance:0; content:"[0] == 31 &&"; content:"[3] > 153) return false|3b|"; distance:0; content:"flash"; nocase; classtype:exploit-kit; sid:2027073; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Spleevo_EK, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 1"; flow:established; file_data; content:"bdd1f04b-858b-11d1-b16a-00c0f0283628"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017409; rev:3; metadata:created_at 2013_09_03, former_category CURRENT_EVENTS, updated_at 2013_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Landing M3"; flow:from_server,established; file_data; content:"|427364576470626b526c6447566a64|"; content:"-=8))%256)|3b|}"; content:"+=72){"; content:"[0] < 21) return false|3b|"; content:",[0] > 31) return false|3b|"; distance:0; content:"[0] == 31 &&"; content:"[3] > 153) return false|3b|"; distance:0; content:"flash"; nocase; classtype:exploit-kit; sid:2027074; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_03_11, former_category CURRENT_EVENTS, malware_family Spleevo_EK, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 2"; flow:established; file_data; content:"996BF5E0-8044-4650-ADEB-0B013914E99C"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017410; rev:3; metadata:created_at 2013_09_03, former_category CURRENT_EVENTS, updated_at 2013_09_03;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET MALWARE Win32/Termite Agent Implant Keep-Alive"; flow:established,to_server; dsize:<600; content:"|00 00 00|"; offset:1; depth:3; content:"|00 00 00|"; distance:1; within:3; content:"|00 00 00|"; distance:1; within:3; content:"|00 00 00|This|20|Client|20|Node|00 00 00|"; distance:1; within:22; fast_pattern; content:"|ff ff ff ff ff ff ff ff|"; distance:0; reference:md5,2820653437d5935d94fcb0c997d6f13c; classtype:trojan-activity; sid:2027084; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_14, deployment Perimeter, deployment Internal, former_category TROJAN, malware_family Termite, performance_impact Low, signature_severity Major, updated_at 2019_03_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 3"; flow:established; file_data; content:"C74190B6-8589-11d1-B16A-00C0F0283628"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017411; rev:3; metadata:created_at 2013_09_03, former_category CURRENT_EVENTS, updated_at 2013_09_03;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET MALWARE Win32/Termite Agent Implant CnC Checkin"; flow:established,to_server; dsize:<600; content:"|00 00 00|"; offset:1; depth:3; content:"|00 00 00 00 00 00 00 ff 01|"; distance:1; within:9; content:"|ff ff ff ff ff ff ff ff|"; distance:0; content:"|00 00 00|This|20|Client|20|Node|00 00 00|"; distance:0; fast_pattern; reference:md5,2820653437d5935d94fcb0c997d6f13c; classtype:command-and-control; sid:2027083; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_14, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Termite, performance_impact Low, signature_severity Major, updated_at 2019_03_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct (Reversed)"; flow:established,from_server; file_data; content:"(wrhc&)6712(wrhc&)10"; reference:cve,2014-6332; classtype:attempted-user; sid:2019806; rev:3; metadata:created_at 2014_11_26, former_category CURRENT_EVENTS, updated_at 2014_11_26;)
 
-alert tcp $EXTERNAL_NET [19400:19500] -> $HOME_NET any (msg:"ET MALWARE Win32/Spy.Agent.POX Variant CnC"; flow:established,to_client; dsize:4; content:"|6c 69 73 74|"; reference:md5,bb15e442a527a83939d9ff1b835f99dd; classtype:command-and-control; sid:2035057; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_03_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct DECC"; flow:established,from_server; file_data; content:"99,104,114,119,40,48,49,41,38,99,104,114,119,40,50,49,55,54,41,38,99,104,114,119,40,48,49,41,38,99,104,114,119,40,48,48,41"; reference:cve,2014-6332; classtype:attempted-user; sid:2019796; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-alert smtp any any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - EXE SMTP Attachment"; flow:established; content:"|0D 0A 0D 0A|TV"; content:"AAAAAAAAAAAAAAAA"; within:200; classtype:bad-unknown; sid:2017886; rev:3; metadata:created_at 2013_12_20, former_category INFO, updated_at 2019_03_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct DECCS"; flow:established,from_server; file_data; content:"99, 104, 114, 119, 40, 48, 49, 41, 38, 99, 104, 114, 119, 40, 50, 49, 55, 54, 41, 38, 99, 104, 114, 119, 40, 48, 49, 41, 38, 99, 104, 114, 119, 40, 48, 48, 41"; reference:cve,2014-6332; classtype:attempted-user; sid:2019797; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF.Initdz.Coinminer C2 Systeminfo (D2)"; flow:established,to_server; content:"D2|7c|System|20|Information&"; fast_pattern; depth:22; content:"Manufacturer|3a|"; distance:0; content:"Product|20|Name|3a|"; distance:0; content:"Version|3a 20|"; distance:0; content:"|0a|D3|7c|MemTotal|3a 20|"; distance:0; reference:md5,8438f4abf3bc5844af493d60ea8eb8f6; classtype:coin-mining; sid:2027150; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_04_03, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2019_04_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEX"; flow:established,from_server; file_data; content:"63687277283031292663687277283231373629266368727728303129266368727728303029"; reference:cve,2014-6332; classtype:attempted-user; sid:2019793; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outbound SMTP NTLM Authentication Observed"; flow:established,to_server; content:"AUTH|20|ntlm|20|"; depth:10; nocase; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; classtype:policy-violation; sid:2027152; rev:1; metadata:attack_target Client_and_Server, created_at 2019_04_04, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2019_04_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEXC"; flow:established,from_server; file_data; content:"63,68,72,77,28,30,31,29,26,63,68,72,77,28,32,31,37,36,29,26,63,68,72,77,28,30,31,29,26,63,68,72,77,28,30,30,29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019794; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:] (msg:"ET ATTACK_RESPONSE LaZagne Artifact Outbound in FTP"; flow:established,to_server; content:"The LaZagne Project"; fast_pattern; reference:url,github.com/AlessandroZ/LaZagne; classtype:trojan-activity; sid:2027151; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_04, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family Stealer, malware_family LaZange, signature_severity Major, updated_at 2019_04_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEXCS"; flow:established,from_server; file_data; content:"63, 68, 72, 77, 28, 30, 31, 29, 26, 63, 68, 72, 77, 28, 32, 31, 37, 36, 29, 26, 63, 68, 72, 77, 28, 30, 31, 29, 26, 63, 68, 72, 77, 28, 30, 30, 29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019795; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-#alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC WMI Remote Process Execution"; flow:to_server,established; dce_iface:00000143-0000-0000-c000-000000000046; classtype:bad-unknown; sid:2027167; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_09, deployment Internal, former_category NETBIOS, signature_severity Informational, updated_at 2019_04_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct URLENCODE"; flow:established,from_server; file_data; content:"%63%68%72%77%28%30%31%29%26%63%68%72%77%28%32%31%37%36%29%26%63%68%72%77%28%30%31%29%26%63%68%72%77%28%30%30%29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019792; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; classtype:bad-unknown; sid:2027168; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2465/2463"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image/MultiPixelPacked"; classtype:bad-unknown; sid:2017773; rev:3; metadata:created_at 2013_11_26, former_category CURRENT_EVENTS, updated_at 2013_11_26;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With No Profile Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-nop"; distance:0; classtype:bad-unknown; sid:2027169; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2471/2472/2473"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image/SinglePixelPacked"; classtype:bad-unknown; sid:2017772; rev:3; metadata:created_at 2013_11_26, former_category CURRENT_EVENTS, updated_at 2013_11_26;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-w"; distance:0; content:"hidden"; nocase; within:17; classtype:bad-unknown; sid:2027170; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"ET DELETED Cisco Non-Trap PDU request on SNMPv1 trap port"; content:"|02 01 00|"; depth:3; byte_test:1,>,159,8,relative; byte_test:1,<,164,8,relative; classtype:attempted-dos; sid:2027890; rev:2; metadata:created_at 2019_08_15, former_category SNMP, updated_at 2020_08_20;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"exec"; nocase; distance:0; content:"bypass"; nocase; within:18; classtype:bad-unknown; sid:2027171; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"GPL MALWARE BackOrifice access"; content:"|CE|c|D1 D2 16 E7 13 CF|9|A5 A5 86|"; reference:arachnids,399; classtype:misc-activity; sid:2100116; rev:7; metadata:created_at 2010_09_23, former_category TROJAN, updated_at 2010_09_23;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-enc"; nocase; distance:0; classtype:bad-unknown; sid:2027172; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Py.Machete FTP Exfil 1"; flow:established,to_server; content:"STOR|20|FIREPERF.zip"; depth:17; reference:url,travisgreen.net/2019/08/14/machete-malware.html; classtype:trojan-activity; sid:2027888; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category TROJAN, malware_family Machete, performance_impact Moderate, signature_severity Major, updated_at 2019_08_15;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With NonInteractive Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-noni"; nocase; distance:0; classtype:bad-unknown; sid:2027173; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Py.Machete FTP Exfil 2"; flow:established,to_server; content:"STOR|20|CRHOMEPER.zip"; depth:18; reference:url,travisgreen.net/2019/08/14/machete-malware.html; classtype:trojan-activity; sid:2027889; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category TROJAN, malware_family Machete, performance_impact Moderate, signature_severity Major, updated_at 2019_08_15;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"cmd.exe"; nocase; distance:0; classtype:bad-unknown; sid:2027174; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 1"; flow:from_client,established; content:"XGxpc3RvdmVycmlkZWNvdW50"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"MQ"; within:2; content:!"MV"; within:2; content:!"MT"; within:2; content:!"MH"; within:2; content:!"MF"; within:2; content:!"ME"; within:2; content:!"OQ"; within:2; content:!"OX"; within:2; content:!"MA"; within:2; content:!"MS"; within:2; content:!"MX"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018314; rev:9; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
 
-#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"cmd "; nocase; distance:0; classtype:bad-unknown; sid:2027176; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 2"; flow:from_client,established; content:"xsaXN0b3ZlcnJpZGVjb3Vud"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"DE"; within:2; content:!"DF"; within:2; content:!"Dk"; within:2; content:!"Dl"; within:2; content:!"DA"; within:2; content:!"DB"; within:2; content:!"DV"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018308; rev:8; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Using Comspec Environmental Variable Over SMB - Very Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"%comspec"; nocase; distance:0; classtype:bad-unknown; sid:2027178; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 3"; flow:from_client,established; content:"cbGlzdG92ZXJyaWRlY291bn"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"Qx"; within:2; content:!"Q5"; within:2; content:!"Qw"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018309; rev:6; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Using Comspec Environmental Variable Over SMB - Very Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|%|00|c|00|o|00|m|00|s|00|p|00|e|00|c|00|"; nocase; distance:0; classtype:bad-unknown; sid:2027179; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 4"; flow:from_client,established; content:"x1LTU1N"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){5}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018310; rev:6; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|c|00|m|00|d|00|.|00|e|00|x|00|e|00|"; nocase; distance:0; classtype:bad-unknown; sid:2027175; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, updated_at 2019_04_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 5"; flow:from_client,established; content:"XHUtNTU0"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){7}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018311; rev:5; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Nslookup Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"nslookup"; nocase; distance:0; classtype:bad-unknown; sid:2027183; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 6"; flow:from_client,established; content:"cdS01NT"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){7}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018312; rev:5; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Nslookup Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|n|00|s|00|l|00|o|00|o|00|k|00|u|00|p|00|"; nocase; distance:0; classtype:bad-unknown; sid:2027184; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
-
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Ipconfig Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"ipconfig"; nocase; distance:0; classtype:bad-unknown; sid:2027185; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
-
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Ipconfig Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|i|00|p|00|c|00|o|00|n|00|f|00|i|00|g|00|"; nocase; distance:0; classtype:bad-unknown; sid:2027186; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, malware_family CoinMiner, signature_severity Minor, updated_at 2019_04_11;)
-
-#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Net View Command in SMB Traffic - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"net"; nocase; distance:0; content:"view"; nocase; within:9; classtype:bad-unknown; sid:2027187; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
-
-#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Net View Command in SMB Traffic - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|n|00|e|00|t|00|"; nocase; distance:0; fast_pattern; content:"|00|v|00|i|00|e|00|w|00|"; nocase; within:19; classtype:bad-unknown; sid:2027188; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
-
-#alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC DCOM ShellExecute - Likely Lateral Movement"; flow:established,to_server; content:"|00|S|00|h|00|e|00|l|00|l|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|"; reference:url,enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/; reference:url,enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/; reference:url,attack.mitre.org/techniques/T1175/; classtype:bad-unknown; sid:2027190; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category NETBIOS, signature_severity Minor, updated_at 2019_04_11;)
-
-#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Executable Transfer in SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"MZ"; distance:0; content:"This program "; distance:0; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:2027191; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
-
-alert tcp any [21,22,23,25,53,80,443,8080] -> any !3389 (msg:"ET POLICY Tunneled RDP msts Handshake"; dsize:<65; content:"|03 00 00|"; depth:3; content:"|e0|"; distance:2; within:1; content:"Cookie|3a 20|mstshash="; distance:5; within:17; reference:url,www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html; classtype:bad-unknown; sid:2027192; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
-
-alert tcp any [21,22,23,25,53,80,443,8080] -> any !3389 (msg:"ET POLICY Tunneled RDP Handshake"; flow:established; content:"|c0 00|Duca"; depth:250; content:"rdpdr"; content:"cliprdr"; reference:url,www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html; classtype:bad-unknown; sid:2027193; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
-
-alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|w|00|m|00|i|00|c|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2025726; rev:3; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2019_04_16;)
-
-alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|w|00|m|00|i|00|c|00|.|00|e|00|x|00|e|00|"; nocase; distance:0; classtype:trojan-activity; sid:2027180; rev:2; metadata:attack_target SMB_Client, created_at 2019_04_10, deployment Perimeter, deployment Internal, former_category POLICY, signature_severity Major, updated_at 2019_04_16;)
-
-alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"wmic.exe"; nocase; distance:0; classtype:trojan-activity; sid:2027181; rev:2; metadata:attack_target SMB_Client, created_at 2019_04_10, deployment Perimeter, deployment Internal, former_category POLICY, signature_severity Major, updated_at 2019_04_16;)
-
-alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"wmic "; nocase; distance:0; classtype:trojan-activity; sid:2027182; rev:2; metadata:attack_target SMB_Client, created_at 2019_04_10, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2019_04_16;)
-
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|.|00|e|00|x|00|e|00|"; nocase; distance:0; classtype:trojan-activity; sid:2027202; rev:1; metadata:created_at 2019_04_16, former_category POLICY, updated_at 2019_04_16;)
-
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00 20 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2025719; rev:3; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2019_04_16;)
-
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible Powershell .ps1 Script Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:".ps1"; nocase; distance:0; classtype:bad-unknown; sid:2027203; rev:2; metadata:created_at 2019_04_16, updated_at 2019_04_16;)
-
-alert smb any any -> $HOME_NET 445 (msg:"ET HUNTING Possible Powershell .ps1 Script Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|.|00|p|00|s|00|1|00|"; nocase; distance:0; classtype:bad-unknown; sid:2027204; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_16, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2019_04_16;)
-
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible WMI .mof Managed Object File Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:".mof"; nocase; distance:0; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf; classtype:bad-unknown; sid:2027205; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_16, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2019_04_16;)
-
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible WMI .mof Managed Object File Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|.|00|m|00|o|00|f|00|"; nocase; distance:0; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf; classtype:bad-unknown; sid:2027206; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_16, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2019_04_16;)
-
-alert smb any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Possible Lateral Movement - File Creation Request in Remote System32 Directory (T1105)"; flow:established,to_server; content:"|05 00|"; offset:16; depth:2; content:"|00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|S|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00|"; fast_pattern; classtype:attempted-user; sid:2027267; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_23, deployment Internal, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1105, tag lateral_movement, tag remote_file_copy, updated_at 2019_04_23;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Possible Remote System32 DLL Hijack Command Inbound via HTTP (T1038, T1105)"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"copy|20|"; content:".dll"; distance:0; content:"|5c|Windows|5c|System32|5c|"; distance:0; fast_pattern; content:".dll"; distance:0; content:"copy|20|"; pcre:"/^(?P<dll_name>[a-z0-9\-_]{1,20})\.dll\s*\\\\(([0-9]{1,3}\.){3}[0-9]{1,3}|([a-z0-9\-]{1,30}\.){1,8}[a-z]{1,8})\\\w{1,10}\$\\Windows\\System32\\(?P=dll_name)\.dll/Ri"; reference:url,posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992; classtype:attempted-user; sid:2027268; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_23, deployment Internal, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1038, tag T1105, updated_at 2019_04_23;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2018959; classtype:policy-violation; sid:2018959; rev:4; metadata:created_at 2014_08_19, former_category POLICY, updated_at 2017_02_01;)
-
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|c|00|m|00|d|00 20 00|"; nocase; distance:0; classtype:bad-unknown; sid:2027177; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
-
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cryptocurrency Miner Checkin M2"; flow:established,to_server; content:"|7b 22|id|22 3a|"; nocase; depth:6; content:"|22|jsonrpc|22 3a|"; nocase; distance:0; content:"|22 2c 22|method|22 3a 22|login|22 2c 22|params|22 3a|"; fast_pattern; nocase; content:"|22|agent|22 3a 22|"; nocase; content:!"<title"; nocase; content:!"<script"; nocase; content:!"<html"; nocase; content:!"|22|pass|22 3a 22|"; nocase; classtype:policy-violation; sid:2027316; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_06, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2019_05_06;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Anyplace Remote Access Initial Connection Attempt (005)"; flow:established,to_server; content:"HTTP|2f|1.1|20|005|0d 0a|VERSION|3a 20|"; depth:23; content:"PLATFORM|3a 20|"; distance:0; content:"IPADDRESS|3a 20|"; distance:0; fast_pattern; reference:md5,30e4f96590d530ba5dc1762f8b87c16b; classtype:trojan-activity; sid:2027323; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_07, deployment Perimeter, deployment Internal, former_category INFO, malware_family Anyplace, performance_impact Low, signature_severity Major, tag RAT, updated_at 2019_05_07;)
-
-alert smb any any -> $HOME_NET any (msg:"ET MALWARE Covenant .NET Framework P2P C&C Protocol Gruntsvc Named Pipe Interaction"; flow:established,to_server; content:"SMB"; depth:8; content:"g|00|r|00|u|00|n|00|t|00|s|00|v|00|c|00|"; nocase; distance:0; fast_pattern; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; reference:url,posts.specterops.io/designing-peer-to-peer-command-and-control-ad2c61740456; classtype:command-and-control; sid:2027326; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_07, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Covenant, performance_impact Low, signature_severity Major, updated_at 2019_05_07;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Anyplace Remote Access Checkin (051)"; flow:established,to_server; content:"HTTP|2f|1.1|20|051"; depth:12; content:"VER|3a 20|"; distance:0; content:"OBJ|3a 20|"; distance:0; content:"FUNC|3a 20|"; distance:0; content:"NAME|3a 20|"; distance:0; content:"ACC|3a 20|"; distance:0; content:"SRV|3a 20|"; distance:0; content:"PRODUCT|3a 20|"; distance:0; fast_pattern; reference:md5,30e4f96590d530ba5dc1762f8b87c16b; classtype:trojan-activity; sid:2027324; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_07, deployment Perimeter, deployment Internal, former_category INFO, malware_family Anyplace, performance_impact Low, signature_severity Major, tag RAT, updated_at 2019_05_07;)
-
-alert tcp $HOME_NET any -> any any (msg:"ET MALWARE Win32/ElectricFish Authentication Packet Observed"; flow:established,to_server; content:"aaaabbbbccccdddd|00 00 00 00 00 00 00 00|"; depth:24; fast_pattern; content:"|00 00 04 00 00 00|"; distance:2; within:6; reference:url,www.us-cert.gov/ncas/analysis-reports/AR19-129A; classtype:trojan-activity; sid:2027340; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_09, deployment Perimeter, deployment Internal, former_category TROJAN, malware_family ElectricFish, performance_impact Low, signature_severity Major, tag APT, tag T1090, tag connection_proxy, updated_at 2019_05_09;)
-
-alert tcp any any -> any 3389 (msg:"ET EXPLOIT [NCC GROUP] Possible Bluekeep Inbound RDP Exploitation Attempt (CVE-2019-0708)"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 f0|"; distance:2; within:2; content:"|00 05 00 14 7c 00 01|"; within:512; content:"|03 c0|"; distance:3; within:384; content:"MS_T120|00|"; distance:6; within:372; nocase; fast_pattern; threshold: type limit, track by_src, count 2, seconds 600; reference:cve,CVE-2019-0708; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Signatures/suricata/2019_05_rdp_cve_2019_0708.txt; classtype:attempted-admin; sid:2027369; rev:3; metadata:attack_target Client_and_Server, created_at 2019_05_21, deployment Perimeter, deployment Internet, deployment Internal, former_category EXPLOIT, malware_family Bluekeep, signature_severity Major, updated_at 2019_05_21;)
-
-alert tcp any any -> $HOME_NET [139,445] (msg:"ET MALWARE Suspected ExtraPulsar Backdoor"; flow:established,to_server; content:"ExPu"; depth:11; offset:4; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; distance:0; reference:url,github.com/zerosum0x0/smbdoor; classtype:trojan-activity; sid:2027370; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_21, deployment Internal, former_category TROJAN, malware_family ExtraPulsar, signature_severity Major, updated_at 2019_05_22;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 08 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"Q|22|"; fast_pattern; content:"length"; pcre:"/^\s*?\<\s*?10/Rs"; content:"replace"; within:500; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22(?:\!(?:\x22\s*?\+\s*?\x22)?)?Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:exploit-kit; sid:2020865; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_08_20;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M3"; flow:established,to_server; urilen:>6; content:"MSIE"; http_user_agent; fast_pattern; pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?*(?:(?P<var1>[^=&]+)=(?P=var1))?))$/U"; http_header_names; content:!"Referer"; content:!"Cookie"; http_start; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; flowbits:set,ET.Locky; flowbits:noalert; classtype:trojan-activity; sid:2026461; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Moderate, signature_severity Major, updated_at 2019_05_22;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/Moose NAT Traversal CnC Beacon - Sleep"; flow:established,from_server; dsize:8; content:"|16 00|"; depth:2; content:!"|04 00|"; within:2; content:!"|00 00|"; within:2; content:!"|00|"; distance:2; within:1; content:!"|00|"; distance:5; within:1; flowbits:isset,ET.Linux.Moose; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021151; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_05_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/Moose NAT Traversal CnC Beacon - Multiple Tunnel"; flow:established,from_server; dsize:8; content:"|17 00|"; depth:2; content:!"|04 00|"; within:2; content:!"|00 00|"; within:2; content:!"|00|"; distance:2; within:1; content:!"|00|"; distance:5; within:1; flowbits:isset,ET.Linux.Moose; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021152; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_05_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
-
-alert udp $HOME_NET any -> any 57621 (msg:"ET POLICY Spotify P2P Client"; flow:to_server; dsize:44; content:"|53 70 6f 74 55 64 70 30|"; depth:8; threshold:type limit, count 1, track by_src, seconds 300; classtype:not-suspicious; sid:2027397; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2019_05_30, deployment Internal, performance_impact Low, signature_severity Minor, updated_at 2019_05_30;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC) 2019-05-30"; flow:established,to_client; tls_cert_subject; content:"CN=halatest.info"; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,twitter.com/Racco42/status/1134214372996390913; classtype:domain-c2; sid:2027414; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_05_31, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
-
-#alert dns $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Brushaloader Domain in DNS Lookup 2019-05-30"; dns_query; content:"canasikos.info"; nocase; isdataat:!1,relative; reference:url,twitter.com/Racco42/status/1134214372996390913; classtype:trojan-activity; sid:2027415; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family BrushaLoader, performance_impact Low, signature_severity Major, updated_at 2019_05_31;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/HiddenWasp CnC Request (set)"; flow:established,to_server; flowbits:set,ET.Linux.HiddenWasp; flowbits:noalert; content:"|75 63 65 73 00 01|"; depth:6; fast_pattern; reference:url,www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/; reference:md5,5b134e0a1a89a6c85f13e08e82ea35c3; classtype:command-and-control; sid:2027395; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_05_29, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2019_05_31;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/HiddenWasp CnC Response"; flow:established,from_server; flowbits:isset,ET.Linux.HiddenWasp; content:"|75 63 65 73 00 01|"; depth:6; fast_pattern; reference:url,www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/; reference:md5,5b134e0a1a89a6c85f13e08e82ea35c3; classtype:command-and-control; sid:2027396; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_05_29, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2019_05_31;)
-
-alert tcp any any -> $HOME_NET 445 (msg:"ET MALWARE Executable contained in DICOM Medical Image SMB File Transfer"; flow:established,to_server; flowbits:isset,ET.smb.binary; content:"SMB"; depth:8; content:"MZ"; distance:0; content:"DICM"; fast_pattern; distance:126; within:4; reference:url,github.com/d00rt/pedicom/; reference:url,labs.cylera.com/2019/04/16/pe-dicom-medical-malware/; classtype:trojan-activity; sid:2027402; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2019_05_31, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2019_05_31;)
-
-alert tcp any any -> $HOME_NET [104,2104,22104] (msg:"ET MALWARE Executable contained in DICOM Medical Image PACS DICOM Protocol Transfer"; flow:established,to_client; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"DICM"; offset:128; depth:4; fast_pattern; reference:url,github.com/d00rt/pedicom/; reference:url,labs.cylera.com/2019/04/16/pe-dicom-medical-malware/; classtype:trojan-activity; sid:2027403; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2019_05_31, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2019_05_31;)
-
-alert tcp any [104,2104,22104] -> $HOME_NET any (msg:"ET MALWARE Executable contained in DICOM Medical Image Received from PACS DICOM Device"; flow:established,to_client; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"DICM"; offset:128; depth:4; fast_pattern; reference:url,github.com/d00rt/pedicom/; reference:url,labs.cylera.com/2019/04/16/pe-dicom-medical-malware/; classtype:trojan-activity; sid:2027404; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2019_05_31, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2019_05_31;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Windows 64bit procdump Dump File Exfiltration"; flow:established,to_server; content:"|00 2a 00 2a 00 2a 00 20 00|p|00|r|00|o|00|c|00|d|00|u|00|m|00|p|00|6|00|4|00 2e 00|e|00|x|00|e"; fast_pattern; reference:url,attack.mitre.org/techniques/T1003/; classtype:attempted-admin; sid:2027435; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_05, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1003, tag credential_dumping, updated_at 2019_06_05;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Windows 32bit procdump Dump File Exfiltration"; flow:established,to_server; content:"|00 2a 00 2a 00 2a 00 20 00|p|00|r|00|o|00|c|00|d|00|u|00|m|00|p|00 2e 00|e|00|x|00|e"; fast_pattern; reference:url,attack.mitre.org/techniques/T1003/; classtype:attempted-admin; sid:2027436; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_05, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1003, tag credential_dumping, updated_at 2019_06_05;)
-
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex Template 3 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"Your|20|computer|20|was|20|infected|20|with|20|my|20|private|20|malware"; fast_pattern; content:"malware|20|gave|20|me|20|full"; distance:0; content:"accounts|20 28|see|20|password|20|above|29|"; distance:0; content:"MANY|20|EMBARASSING|20|VIDEOS"; distance:0; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2027437; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_06, deployment Perimeter, former_category TROJAN, malware_family Phorpiex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2019_06_06;)
-
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex Template 4 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"infected|20|you|20|with|20|a|20|malware"; content:"malware|20|gave|20|me|20|full"; distance:0; content:"collected|20|everything|20|private|20|from|20|you"; distance:0; content:"FEW|20|EMBARASSING|20|VIDEOS"; distance:0; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2027438; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_06, deployment Perimeter, former_category TROJAN, malware_family Phorpiex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2019_06_06;)
-
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:65535,![3389]] (msg:"ET POLICY TLS/SSL Client Key Exchange on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; content:"|10|"; within:6; reference:url,doc.emergingthreats.net/2003006; classtype:unusual-client-port-connection; sid:2003006; rev:9; metadata:created_at 2010_07_30, updated_at 2019_06_06;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080,80] (msg:"ET MALWARE W32/Emotet.v4 Checkin 2"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"|20|MSIE|20|"; http_user_agent; fast_pattern; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a[03478]+)?/W"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps"; http_protocol; content:"HTTP/1."; http_content_len; byte_test:0,>,150,0,string,dec; http_header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Accept"; content:!"Referer"; content:!"Content-Type"; content:!"Cookie"; content:!"TagId"; classtype:command-and-control; sid:2035048; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2019_06_14;)
-
-alert dns any any -> $HOME_NET any (msg:"ET HUNTING Suspicious Registrar Nameservers in DNS Response (carbon2u)"; content:"|00 02 00 01|"; content:"|03|ns1|08|carbon2u|03|com|00|"; distance:14; within:18; fast_pattern; classtype:bad-unknown; sid:2027471; rev:1; metadata:created_at 2019_06_14, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2019_06_14;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Server Response (WAIT)"; flow:established,to_client; flowbits:isset,ET.Linux.Ngioweb; content:" 200 OK|0d 0a|"; content:"|0d 0a 0d 0a|WAIT "; distance:0; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/; classtype:command-and-control; sid:2027508; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_06_21;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Server Response (CONNECT)"; flow:established,to_client; flowbits:isset,ET.Linux.Ngioweb; content:" 200 OK|0d 0a|"; content:"|0d 0a 0d 0a|CONNECT "; distance:0; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/; classtype:command-and-control; sid:2027509; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_06_21;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Server Response (DISCONNECT)"; flow:established,to_client; flowbits:isset,ET.Linux.Ngioweb; content:" 200 OK|0d 0a|"; content:"|0d 0a 0d 0a|DISCONNECT "; distance:0; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/; classtype:command-and-control; sid:2027510; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_06_21;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Server Response (CERT)"; flow:established,to_client; flowbits:isset,ET.Linux.Ngioweb; content:" 200 OK|0d 0a|"; content:"|0d 0a 0d 0a|CERT "; distance:0; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/; classtype:command-and-control; sid:2027511; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_06_21;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Cox Page - Possible Phishing Landing M2"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"<!-- saved from url=("; within:500; content:")https://idm.east.cox.net/"; distance:4; within:26; fast_pattern; classtype:social-engineering; sid:2027535; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_06_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Miarroba Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|3c 21 2d 2d 20 49 6e 73 65 72 74 65 64 20 62 79 20 6d 69 61 72 72 6f 62 61 20 2d 2d 3e|"; classtype:social-engineering; sid:2027561; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2019_06_26;)
-
-alert tcp any ![445,138,80] -> any any (msg:"ET HUNTING SUSPICIOUS IRC - PRIVMSG *.(exe|tar|tgz|zip)  download command"; flow:established,to_client; content:"PRIVMSG|20|"; pcre:"/^[^\r\n]+\.(?:t(?:ar|gz)|exe|zip)/Ri"; classtype:bad-unknown; sid:2017318; rev:5; metadata:created_at 2013_08_13, former_category CURRENT_EVENTS, updated_at 2019_07_01;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Godlua Backdoor Stage-3 Client Heartbeat (Jun 2019- Dec 2019) (set)"; flow:established,to_server; flowbits:set,ET.Godlua.heartbeat; flowbits:noalert; dsize:7; content:"|02 00 04 5d|"; depth:4; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027672; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, malware_family Godlua, performance_impact Moderate, signature_severity Major, tag Backdoor, updated_at 2019_07_03;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Godlua Backdoor Stage-3 Client Heartbeat (Dec 2019- Jul 2020) (set)"; flow:established,to_server; flowbits:set,ET.Godlua.heartbeat; flowbits:noalert; dsize:7; content:"|02 00 04 5e|"; depth:4; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027673; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2019_07_03;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Godlua Backdoor Stage-3 Client Heartbeat (Jul 2020- Jan 2021) (set)"; flow:established,to_server; flowbits:set,ET.Godlua.heartbeat; flowbits:noalert; dsize:7; content:"|02 00 04 5f|"; depth:4; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027674; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, malware_family Godlua, performance_impact Moderate, signature_severity Major, tag Backdoor, updated_at 2019_07_03;)
-
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Godlua Backdoor Stage-3 Server Heartbeat Reply (Jun 2019 - Sep 2020)"; flow:established,to_client; flowbits:isset,ET.Godlua.heartbeat; dsize:13; content:"|02 00 0a 31 35|"; depth:5; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027675; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, malware_family Godlua, performance_impact Moderate, signature_severity Major, tag Backdoor, updated_at 2019_07_03;)
-
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Godlua Backdoor Stage-3 Server Heartbeat Reply (Sep 2020 - Nov 2023)"; flow:established,to_client; flowbits:isset,ET.Godlua.heartbeat; dsize:13; content:"|02 00 0a 31 36|"; depth:5; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027676; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, malware_family Godlua, performance_impact Moderate, signature_severity Major, tag Backdoor, updated_at 2019_07_03;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Zoom Client Auto-Join (CVE-2019-13450)"; flow:established,to_client; file_data; content:"localhost|3a|19421/launch?action=join&confno="; reference:url,medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5; reference:cve,2019-13450; classtype:attempted-user; sid:2027696; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_07_10, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Informational, updated_at 2019_07_10;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Socks5 Proxy to Onion (set)"; flow:established,to_server; flowbits:set,ET.Socks5.OnionReq; content:"|05 01 00 03|"; depth:4; content:".onion|00 50|"; distance:0; fast_pattern; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:policy-violation; sid:2027703; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_07_11, deployment Perimeter, former_category POLICY, performance_impact Moderate, signature_severity Major, updated_at 2019_07_11;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt Requesting Key/Wallet/Note"; flow:established,to_server; flowbits:isset,ET.Socks5.OnionReq; flowbits:set,ET.QNAPCrypt.DetailReq; content:"GET /api/GetAvailKeysByCampId/"; depth:30; fast_pattern; content:".onion|0d 0a|User-Agent|3a 20|Go-http-client/1.1"; distance:0; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:trojan-activity; sid:2027704; rev:1; metadata:attack_target IoT, created_at 2019_07_11, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2019_07_11;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt Successful Server Response"; flow:established,from_server; flowbits:isset,ET.QNAPCrypt.DetailReq; content:"HTTP/1.1 200 OK|0d 0a|"; depth:17; content:"Content-Type|3a 20|application/json"; distance:0; content:"|7b 22|RsaPublicKey|22 3a 22|-----BEGIN RSA PUBLIC KEY"; content:"|22 7d 2c 7b 22|BtcPublicKey|22 3a 22|"; fast_pattern; content:"|22 7d 2c 7b 22|Readme|22 3a 22|"; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:trojan-activity; sid:2027705; rev:1; metadata:attack_target IoT, created_at 2019_07_11, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2019_07_11;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Miarroba Phish 2019-07-11"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"<!-- Inserted by miarroba -->"; fast_pattern; nocase; classtype:credential-theft; sid:2027699; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_07_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Check-in (set)"; flow:established,to_server; dsize:>65; content:"|41 00 00 00 99|"; depth:5; flowbits:set,ET.NetwireRAT.Client; flowbits:noalert; reference:url,www.circl.lu/pub/tr-23/; reference:md5,3c4a93154378e17e71830ff164bb54c4; classtype:trojan-activity; sid:2029477; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Netwire, updated_at 2019_07_16;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Blacknix CnC Checkin"; flow:to_server,established; dsize:200<>300; content:"|32|"; depth:1; content:"|7c 78 01|"; distance:2; within:3; pcre:"/^[0-9]{3}\x7cx/"; reference:md5,b4e95d3ec39cf8c7347ca1c64cfed631; classtype:command-and-control; sid:2027731; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Blacknix, updated_at 2019_07_19;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Blacknix CnC Heartbeat"; flow:to_server,established; dsize:15; content:"|7c 78 01|"; offset:2; depth:3; pcre:"/^[0-9]{2}\x7cx/"; threshold: type both, track by_src, count 5, seconds 60; reference:md5,b4e95d3ec39cf8c7347ca1c64cfed631; classtype:command-and-control; sid:2027732; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Blacknix, updated_at 2019_07_19;)
-
-#alert ssh [94.140.120.163,49.50.70.223,80.82.67.21,125.160.17.32] any -> any any (msg:"ET MALWARE Windigo SSH Connection Received (Ebury < 1.7.0)"; ssh_proto; content:"2.0"; ssh_software; pcre:"/^[a-f0-9]{40,}$/"; reference:url,security.web.cern.ch/security/advisories/windigo/windigo.shtml; classtype:trojan-activity; sid:2027729; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Windigo, updated_at 2019_07_19;)
-
-#alert ssh [94.140.120.163,49.50.70.223,80.82.67.21,125.160.17.32] any -> any any (msg:"ET MALWARE Windigo SSH Connection Received (Ebury > 1.7.0)"; ssh_proto; content:"2.0"; ssh_software; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$$/"; reference:url,security.web.cern.ch/security/advisories/windigo/windigo.shtml; classtype:trojan-activity; sid:2027730; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Windigo, updated_at 2019_07_19;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080,80] (msg:"ET MALWARE W32/Emotet.v4 Checkin 3"; flow:established,to_server; content:"|20|MSIE|20|"; http_user_agent; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/W"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps"; http_request_line; content:"POST / HTTP/1."; depth:14; fast_pattern; http_header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Accept"; content:!"Referer"; content:!"Content-Type"; content:!"Cookie"; content:!"TagId"; http_content_len; byte_test:0,<=,999,0,string,dec; byte_test:0,>,99,0,string,dec; classtype:command-and-control; sid:2035050; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2022_04_18;)
-
-alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 443 (msg:"ET MALWARE [GIGAMON_ATR] FIN8 BADHATCH Remote Shell Banner"; flow:established,to_server; dsize:>100; content:"|2a 20|SUPER|20|REMOTE|20|SHELL|20|v2|2e|2|20|SSL"; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:targeted-activity; sid:2027751; rev:1; metadata:created_at 2019_07_23, deployment Perimeter, former_category TROJAN, malware_family ShellTea, performance_impact Low, signature_severity Major, tag Backdoor, updated_at 2019_07_23;)
-
-alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 443 (msg:"ET MALWARE [GIGAMON_ATR] FIN8 BADHATCH CnC Checkin"; flow:established,to_server; dsize:64; content:"-SH"; offset:44; depth:3; pcre:"/(?:[0-9A-F]{8}\-){5}\-SH/"; content:"|02 09 01|"; offset:52; depth:3; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027752; rev:1; metadata:created_at 2019_07_23, deployment Perimeter, former_category MALWARE, malware_family ShellTea, performance_impact Low, signature_severity Major, tag Backdoor, updated_at 2019_07_23;)
-
-#alert udp $HOME_NET any -> any 53 (msg:"ET DNS Query for .co TLD"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|co|00|"; distance:0; fast_pattern; classtype:bad-unknown; sid:2027759; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category DNS, signature_severity Minor, updated_at 2019_07_26;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Adobe Phish 2019-07-29"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"<title>Adobe Document Cloud"; fast_pattern; nocase; classtype:credential-theft; sid:2027764; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
-
-alert icmp any any -> any any (msg:"ET MALWARE Possible ICMP Backdoor Tunnel Command - whoami"; itype:8; icode:0; content:"whoami"; depth:6; nocase; reference:url,www.hackingarticles.in/command-and-control-tunnelling-via-icmp; classtype:trojan-activity; sid:2027763; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_29, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2019_07_29;)
-
-alert tcp $HOME_NET any -> any [!$HTTP_PORTS,1024:] (msg:"ET POLICY Windows Update P2P Activity"; flow:established,to_server; dsize:<100; content:"Swarm|20|protocol"; depth:20; classtype:not-suspicious; sid:2027766; rev:2; metadata:created_at 2019_07_31, updated_at 2019_07_31;)
-
-#alert tcp any any -> any any (msg:"ET EXPLOIT Possible VXWORKS Urgent11 RCE Attempt - Urgent Flag"; flags:U+; reference:url,armis.com/urgent11; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; classtype:attempted-admin; sid:2027768; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_07_31, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2019_07_31;)
-
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex Template 5 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"one|20|of|20|your|20|passwords|20|is|3a|"; content:"infected|20|with|20|my|20|private|20|malware"; distance:0; content:"I|20|RECORDED|20|YOU|20 28|through|20|your|20|webcam"; distance:0; fast_pattern; content:"bitcoin|20|wallet|20|is|3a|"; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2027769; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_31, deployment Perimeter, former_category TROJAN, malware_family Phorpiex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2019_07_31;)
-
-#alert tcp any any -> any any (msg:"ET EXPLOIT Possible VXWORKS Urgent11 RCE Attempt - Illegal Urgent Flag"; flags:SUF+; reference:url,armis.com/urgent11; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; classtype:attempted-admin; sid:2027770; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2019_08_01;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Covenant Framework HTTP Hello World Server Response"; flow:established,to_client; file_data; content:"Hello World! eyJHVUlEIjoi"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_dst; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027794; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2019_08_04;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Covenant Framework Grunt Stager HTTP Download (Grunt.GruntStager)"; flow:established,to_client; file_data; content:".CreateInstance(|27|Grunt.GruntStager|27|)"; fast_pattern; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027795; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2019_08_04;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Covenant Framework Grunt Stager HTTP Download (DynamicInvoke)"; flow:established,to_client; file_data; content:"toStream(assembly_str)"; content:"delegate.DynamicInvoke(array.ToArray()).CreateInstance("; distance:0; fast_pattern; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027796; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2019_08_04;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Covenant Framework Grunt PowerShell Stager HTTP Download"; flow:established,to_client; file_data; content:"IO.Compression.CompressionMode]|3a 3a|Decompress"; content:".Value.Write("; distance:0; content:"Reflection.Assembly]|3a 3a|Load("; fast_pattern; distance:0; content:".EntryPoint.Invoke("; distance:0; content:"Out-Null"; distance:0; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027797; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2019_08_04;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Covenant Framework Grunt MSBuild Stager HTTP Download"; flow:established,to_client; file_data; content:"System.IO.Compression.CompressionMode.Decompress"; content:"System.Reflection.Assembly.Load("; distance:0; content:".EntryPoint.Invoke("; distance:0; fast_pattern; content:"|3c 2f|UsingTask|3e|"; distance:0; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027798; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2019_08_04;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nyanw0rm CnC Keep-Alive (Outbound) M2"; flow:established,to_server; dsize:16; content:"|49 42 d4 b5 38 70 fe 86 2a 4e d2 73 0d 95 79 e5|"; reference:md5,5c12015ebeb755c0b6029468a13e59a9; classtype:command-and-control; sid:2027813; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Nyanw0rm, updated_at 2019_08_07;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nyanw0rm CnC Keep-Alive (Outbound) M1"; flow:established,to_server; dsize:16; content:"|73 08 e2 bc 6d 8c 9d b5 85 52 b1 e1 5d 5a 9a 8e|"; reference:md5,d6db3ac5a8022184f03a34fbfdcb926d; classtype:command-and-control; sid:2027812; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Nyanw0rm, updated_at 2019_08_07;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1 UDP Flood Command Inbound"; flow:established,from_server; content:".udp|20|"; depth:5; fast_pattern; pcre:"/^((?:\d{1,3}\.){3}\d{1,3}|((?:https?\x3a\/\/)?[a-z0-9\-]{1,30}\.){1,8}[a-z]{1,8})/Ri"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027837; rev:2; metadata:affected_product Linux, created_at 2019_08_09, deployment Perimeter, former_category TROJAN, malware_family Emptiness, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2019_08_09;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1 DNS Flood Command Inbound"; flow:established,from_server; content:".dns|20|"; depth:5; fast_pattern; pcre:"/^((\d{1,3}\.){3}\d{1,3}|((?:https?\x3a\/\/)?[a-z0-9\-]{1,30}\.){1,8}[a-z]{1,8})/Ri"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027838; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1 HTTP Flood Command Inbound"; flow:established,from_server; content:".http|20|"; depth:6; fast_pattern; pcre:"/^((\d{1,3}\.){3}\d{1,3}|((?:https?\x3a\/\/)?[a-z0-9\-]{1,30}\.){1,8}[a-z]{1,8})/Ri"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027839; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1.1 UDP Flood Command Inbound"; flow:established,from_server; content:"LnVkcC"; depth:6; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027840; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1.1 DNS Flood Command Inbound"; flow:established,from_server; content:"LmRucy"; depth:6; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027841; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR UDP Flood Command Inbound"; flow:established,from_server; content:"|fe d5 57 68 f0 44 fb|"; depth:7; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027843; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR DNS Flood Command Inbound"; flow:established,from_server; content:"|fe d6 53 76 f0 7e fb|"; depth:7; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027844; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR HTTP Flood Command Inbound"; flow:established,from_server; content:"|fe d6 69 33 f7 4f fb c5|"; depth:8; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027845; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR Exec Command Inbound"; flow:established,from_server; content:"|fe d6 57 37 c9 50 f7|"; depth:7; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027846; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR Update Command Inbound"; flow:established,from_server; content:"|fe d5 57 74 c9 40 fc 92 e8|"; depth:9; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027847; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
-
-alert tcp any any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai.shiina v3 CnC Checkin"; flow:established,to_server; content:"|01 03 03 07 04 02 00 06|"; depth:8; fast_pattern; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027848; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category MALWARE, malware_family Mirai, tag DDoS, updated_at 2019_08_09;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.biz Domain"; flow:established,to_server; content:".biz"; fast_pattern; http_host; isdataat:!1,relative; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027872; rev:2; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2019_08_13;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Session_Id length greater than Client_Hello Length)"; flow:to_server,established; content:"|16 03 00|"; depth:3; content:"|01|"; distance:2; within:1; byte_extract:3,0,SSL.Client_Hello.length,relative; byte_test:1,>,SSL.Client_Hello.length,34,relative; threshold: type both, track by_src, count 5, seconds 60; reference:md5,a01d75158cf4618677f494f9626b1c4c; classtype:trojan-activity; sid:2014634; rev:2; metadata:created_at 2012_04_24, updated_at 2019_08_13;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpywareLabs VirtualBouncer Seeking Instructions"; flow: to_server,established; content:"instructions"; nocase; pcre:"/instructions\/\d{2}\.xml/mi"; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.virtualbouncer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000587; classtype:pup-activity; sid:2000587; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TopMoxie Retrieving Data (downloads)"; flow: to_server,established; content:"/external/builds/downloads2/"; http_uri; nocase; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000589; classtype:pup-activity; sid:2000589; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TopMoxie Retrieving Data (common)"; flow: to_server,established; content:"/external/builds/common/"; http_uri; nocase; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000590; classtype:pup-activity; sid:2000590; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Keenvalue Update Engine"; flow: to_server,established; content:"Host|3a|secure.keenvalue.com"; http_header; content:"|0d0a|Extension|3a|Remote-Passphrase"; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2003-11-24; reference:url,doc.emergingthreats.net/bin/view/Main/2000932; classtype:pup-activity; sid:2000932; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Webhancer Data Upload"; flow: from_server,established; content:"WebHancer Authority Server"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001317; classtype:pup-activity; sid:2001317; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Related Receiving Config"; flow:established,to_server; http.uri; content:"/config/?"; nocase; content:"v=5"; nocase; content:"n=mm2"; nocase; content:"i="; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001417; classtype:pup-activity; sid:2001417; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_04_18;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Overpro Spyware Bundle Install"; flow: to_server,established; content:"Host|3a| download.overpro.com"; nocase; http_header; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/WildApp\.cab/i"; reference:url,www.wildarcade.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001444; classtype:pup-activity; sid:2001444; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Overpro Spyware Games"; flow: to_server,established; content:"/blocks/blasterblocks"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001459; classtype:pup-activity; sid:2001459; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Installer silent.exe Download"; flow: from_server,established; content:"|20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 69 6d 20 50 69 63 68 61|"; reference:url,www.searchmiracle.com/silent.exe; reference:url,doc.emergingthreats.net/bin/view/Main/2001533; classtype:pup-activity; sid:2001533; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP A-d-w-a-r-e.com Activity (popup)"; flow: established,to_server; content:"/cgi-bin/PopupV"; http_uri; nocase; content:"?ID={"; http_uri; nocase; reference:url,www.a-d-w-a-r-e.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001730; classtype:pup-activity; sid:2001730; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Likely Trojan/Spyware Installer Requested (1)"; flow: established,to_server; content:".scr"; nocase; http_uri; pcre:"/(cartao|mensagem|voxcards|humortadela|ouca|cartaovirtual|uol3171|embratel|yahoo|viewforhumor|humormenssagem|terra)\.scr/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2001850; classtype:pup-activity; sid:2001850; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware Install"; flow: to_server,established; content:"/downloads/installers/"; http_uri; nocase; content:"simpleinternet/180sainstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002003; classtype:pup-activity; sid:2002003; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Overpro Spyware Install Report"; flow: to_server,established; content:"/processInstall.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002017; classtype:pup-activity; sid:2002017; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware Defs Download"; flow: to_server,established; content:"/geodefs/gdf"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002048; classtype:pup-activity; sid:2002048; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Likely Trojan/Spyware Installer Requested (2)"; flow: established,to_server; content:".exe"; nocase; http_uri; pcre:"/(discador|ocartao|msgav|extrato|correcao|extrato_tim|visualizar|cartas&cartoes|embratel|cartao|MSN_INSTALL|VirtualCards|atualizacaonorton|serasar|CobrancaEmbratel|ExtratoTim|FlashFotos|Vacina-Norton|CartaoIloves|Cobranca|fotos_ineditas|boletocobranca|saudades|wwwuolcartoescombr|cartaoanimado)\.exe/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2002093; classtype:pup-activity; sid:2002093; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware config Download"; flow: to_server,established; content:"/config.aspx?did="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002099; classtype:pup-activity; sid:2002099; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware versionconfig POST"; flow:to_server,established; content:"/versionconfig.aspx?"; http_uri; content:"&ver="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002354; classtype:pup-activity; sid:2002354; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware Actionlibs Download"; flow:to_server,established; content:"/actionurls/ActionUrlb"; http_uri; nocase; content:"partnerid="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003057; classtype:pup-activity; sid:2003057; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware TB Installer Download"; flow:to_server,established; content:"/ZangoTBInstaller.exe"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003059; classtype:pup-activity; sid:2003059; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware Event Activity Post"; flow:to_server,established; content:"/php/uci.php"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003061; classtype:pup-activity; sid:2003061; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bestcount.net Spyware Data Upload"; flow:established,to_server; content:"/objects/ocget.dll"; nocase; http_uri; content:"mybest"; nocase; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2003154; classtype:pup-activity; sid:2003154; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AntiVermins.com Fake Antispyware Package User-Agent (AntiVerminser)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; http_header; content:"AntiVerminser"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2003336; classtype:pup-activity; sid:2003336; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_20;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AskSearch Toolbar Spyware User-Agent (AskBar)"; flow:to_server,established; content:"|3b| AskBar"; pcre:"/User-Agent\x3a[^\n]+AskBar/iH"; reference:url,doc.emergingthreats.net/2003496; classtype:pup-activity; sid:2003496; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alexa Spyware Reporting URL Visited"; flow:established,to_server; content:"/data/"; nocase; http_uri; content:"cli="; nocase; http_uri; content:"&ver=alxi"; nocase; http_uri; fast_pattern:only; content:"&url="; nocase; http_uri; content:"alexa.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003606; classtype:pup-activity; sid:2003606; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_20;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP Zango Spyware (tbrequest data post)"; flow: to_server,established; content:"/tbrequest"; http_uri; nocase; content:"&q="; http_uri; nocase; pcre:"/\/tbrequest\d+\.php/Ui"; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003610; classtype:pup-activity; sid:2003610; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 51yes.com Spyware Reporting User Activity"; flow:established,to_server; content:"/sa.aspx?id="; http_uri; nocase; content:"&refe=http"; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003620; classtype:pup-activity; sid:2003620; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AVSystemcare.com.com Fake Anti-Virus Product"; flow:established,to_server; http.uri; content:"?proto="; nocase; content:"&rc="; nocase; content:"&v="; nocase; content:"&abbr="; nocase; content:"&platform="; nocase; content:"&os_version="; nocase; content:"&ac="; nocase; content:"&appid="; nocase; content:"&em="; nocase; content:"&pcid="; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2007664; classtype:pup-activity; sid:2007664; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_04_18;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shopcenter.co .kr Spyware Install Report"; flow:established,to_server; http.uri; content:"/RewardInstall.php?mac=0"; content:"&hdd="; content:"&ver="; content:"&ie="; content:"&win="; reference:url,doc.emergingthreats.net/bin/view/Main/2008370; classtype:pup-activity; sid:2008370; rev:5; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET ADWARE_PUP Realtimegaming.com Online Casino Spyware Gaming Checkin"; flow:established,to_server; dsize:<30; content:"|43 01 00|"; depth:4; content:"Casino"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008402; classtype:pup-activity; sid:2008402; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Mozilla/4.8 ru)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.8 [ru] (Windows NT 6.0|3b| U)|0d 0a|"; fast_pattern; http_header; reference:url,doc.emergingthreats.net/2009438; classtype:pup-activity; sid:2009438; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_03_17;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Fake Mozilla User-Agent (Mozilla/0.xx) Inbound"; flow:established,to_server; content:"User-Agent|3a| Mozilla/0."; fast_pattern; http_header; reference:url,doc.emergingthreats.net/2010904; classtype:pup-activity; sid:2010904; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_03_17;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Inbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 4.01|3b| Digital AlphaServer 1000A 4/233|3b| Windows NT|3b| Powered By 64-Bit Alpha Processor)|0d 0a|"; nocase; http_header; fast_pattern; classtype:pup-activity; sid:2011517; rev:4; metadata:created_at 2010_09_27, former_category ADWARE_PUP, updated_at 2022_03_17;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Outbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 4.01|3b| Digital AlphaServer 1000A 4/233|3b| Windows NT|3b| Powered By 64-Bit Alpha Processor)|0d 0a|"; nocase; http_header; fast_pattern; classtype:pup-activity; sid:2011518; rev:4; metadata:created_at 2010_09_27, former_category ADWARE_PUP, updated_at 2022_03_17;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5217 (msg:"ET ADWARE_PUP W32/SmartPops Adware Outbound Off-Port MSSQL Communication"; flow:established,to_server; content:"S|00|M|00|A|00|R|00|T|00|P|00|O|00|P"; content:"D|00|B|00|_|00|S|00|M|00|A|00|R|00|T|00|P|00|O|00|P"; distance:0; classtype:pup-activity; sid:2013956; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2017_09_21;)
-
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET ADWARE_PUP Carder Card Checking Tool try2check.me SSL Certificate on Off Port"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"try2check.me"; within:400; classtype:pup-activity; sid:2014287; rev:3; metadata:attack_target Client_Endpoint, created_at 2012_02_28, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP BitCoinPlus Embedded site forcing visitors to mine BitCoins"; flow:established,from_server; content:"BitcoinPlusMiner("; reference:url,www.bitcoinplus.com/miner/embeddable; reference:url,www.bitcoinplus.com/miner/whatsthis; classtype:coin-mining; sid:2014535; rev:4; metadata:created_at 2012_04_10, former_category ADWARE_PUP, updated_at 2012_04_10;)
-
-#alert http $HOME_NET any -> 54.218.7.114 any (msg:"ET ADWARE_PUP DomainIQ Check-in"; flow:established,to_server; content:"User-Agent|3a 20|NSISDL/1.2|20 28|Mozilla|29 0d 0a|"; http_header; fast_pattern; reference:md5,00699af9bb10af100563adbb767bcee0; classtype:pup-activity; sid:2018458; rev:4; metadata:created_at 2014_05_09, former_category ADWARE_PUP, updated_at 2022_03_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Downloader.NSIS.OutBrowse.b Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/Installer/Flow?pubid="; nocase; depth:22; http_uri; fast_pattern; content:"&distid="; distance:0; http_uri; content:"&productid="; distance:0; http_uri; content:"&subpubid="; distance:0; http_uri; content:"&campaignid="; distance:0; http_uri; content:"&networkid="; distance:0; http_uri; content:"&dfb="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"&version="; distance:0; http_uri; content:"Chrome/18.0.1025.142 Safari/535.19|0d 0a|Host|3a|"; http_header; reference:md5,38eeed96ade6037dc299812eeadee164; reference:url,sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/OutBrowse%20Revenyou/detailed-analysis.aspx; classtype:pup-activity; sid:2018617; rev:7; metadata:created_at 2014_01_14, former_category ADWARE_PUP, updated_at 2016_06_22;)
-
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP AdWare.Win32.BetterSurf.b SSL Cert"; flow:established,from_server; content:"CN=*.tr553.com"; threshold: type limit, track by_src, count 2, seconds 60; reference:md5,54c9288cbbf29062d6d873cba844645a; classtype:pup-activity; sid:2020712; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_03_19, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access takeCameraPicture"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:".takeCameraPicture"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017777; rev:3; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access sendSMS"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"sendSMS"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017782; rev:3; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access registerMicListener"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"registerMicListener"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017783; rev:3; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access sendMail"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"sendMail"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017781; rev:3; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access postToSocial"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"postToSocial"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017780; rev:3; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access getGalleryImage"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"getGalleryImage"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017778; rev:4; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u001"; fast_pattern; pcre:"/^[a-f0-9]/Ri"; content:"javascript|3a|"; nocase; within:11; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:attempted-user; sid:2020397; rev:4; metadata:created_at 2015_02_12, former_category CURRENT_EVENTS, updated_at 2015_02_12;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u000"; fast_pattern; pcre:"/^[a-f0-9]/Ri"; content:"javascript|3a|"; nocase; within:11; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:trojan-activity; sid:2019181; rev:9; metadata:created_at 2014_09_16, former_category CURRENT_EVENTS, updated_at 2014_09_16;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Locky AlphaNum Downloader Oct 3 2016"; flow:to_server,established; urilen:5<>10; content:"GET"; http_method; pcre:"/^\/(?=[a-z]*[0-9][a-z-0-9]*$)(?=[0-9]*[a-z][a-z-0-9]*$)[a-z0-9]{5,8}$/U"; content:!"Cookie|3a 20|"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_header; fast_pattern; content:"Accept|3a|"; http_header; content:"Accept-Encoding"; http_header; flowbits:set,ET.LockyDL; flowbits:noalert; classtype:trojan-activity; sid:2023315; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, signature_severity Major, updated_at 2022_03_17;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBA Office Document Dridex Binary Download User-Agent 2"; flow:established,to_server; content:"User-Agent|3A| MisterZALALU"; http_header; fast_pattern; reference:md5,2f53b7669482c2d9216a74050630fbb7; classtype:trojan-activity; sid:2020806; rev:3; metadata:created_at 2015_03_31, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Gamut Spambot Checkin Response"; flow:established,from_server; file_data; content:"count_threads|09 09 09 3d 09|"; depth:18; fast_pattern; content:"|0a|efficiency_limit|09 09 3d 09|"; distance:1; within:22; flowbits:isset,ETGamut; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:command-and-control; sid:2018246; rev:3; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2014_03_11;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 1"; flow:established; file_data; content:"bdd1f04b-858b-11d1-b16a-00c0f0283628"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017409; rev:3; metadata:created_at 2013_09_03, former_category CURRENT_EVENTS, updated_at 2013_09_03;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 2"; flow:established; file_data; content:"996BF5E0-8044-4650-ADEB-0B013914E99C"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017410; rev:3; metadata:created_at 2013_09_03, former_category CURRENT_EVENTS, updated_at 2013_09_03;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 3"; flow:established; file_data; content:"C74190B6-8589-11d1-B16A-00C0F0283628"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017411; rev:3; metadata:created_at 2013_09_03, former_category CURRENT_EVENTS, updated_at 2013_09_03;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct (Reversed)"; flow:established,from_server; file_data; content:"(wrhc&)6712(wrhc&)10"; reference:cve,2014-6332; classtype:attempted-user; sid:2019806; rev:3; metadata:created_at 2014_11_26, former_category CURRENT_EVENTS, updated_at 2014_11_26;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct DECC"; flow:established,from_server; file_data; content:"99,104,114,119,40,48,49,41,38,99,104,114,119,40,50,49,55,54,41,38,99,104,114,119,40,48,49,41,38,99,104,114,119,40,48,48,41"; reference:cve,2014-6332; classtype:attempted-user; sid:2019796; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct DECCS"; flow:established,from_server; file_data; content:"99, 104, 114, 119, 40, 48, 49, 41, 38, 99, 104, 114, 119, 40, 50, 49, 55, 54, 41, 38, 99, 104, 114, 119, 40, 48, 49, 41, 38, 99, 104, 114, 119, 40, 48, 48, 41"; reference:cve,2014-6332; classtype:attempted-user; sid:2019797; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEX"; flow:established,from_server; file_data; content:"63687277283031292663687277283231373629266368727728303129266368727728303029"; reference:cve,2014-6332; classtype:attempted-user; sid:2019793; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEXC"; flow:established,from_server; file_data; content:"63,68,72,77,28,30,31,29,26,63,68,72,77,28,32,31,37,36,29,26,63,68,72,77,28,30,31,29,26,63,68,72,77,28,30,30,29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019794; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEXCS"; flow:established,from_server; file_data; content:"63, 68, 72, 77, 28, 30, 31, 29, 26, 63, 68, 72, 77, 28, 32, 31, 37, 36, 29, 26, 63, 68, 72, 77, 28, 30, 31, 29, 26, 63, 68, 72, 77, 28, 30, 30, 29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019795; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct URLENCODE"; flow:established,from_server; file_data; content:"%63%68%72%77%28%30%31%29%26%63%68%72%77%28%32%31%37%36%29%26%63%68%72%77%28%30%31%29%26%63%68%72%77%28%30%30%29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019792; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2465/2463"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image/MultiPixelPacked"; classtype:bad-unknown; sid:2017773; rev:3; metadata:created_at 2013_11_26, former_category CURRENT_EVENTS, updated_at 2013_11_26;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2471/2472/2473"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image/SinglePixelPacked"; classtype:bad-unknown; sid:2017772; rev:3; metadata:created_at 2013_11_26, former_category CURRENT_EVENTS, updated_at 2013_11_26;)
-
-#alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"ET DELETED Cisco Non-Trap PDU request on SNMPv1 trap port"; content:"|02 01 00|"; depth:3; byte_test:1,>,159,8,relative; byte_test:1,<,164,8,relative; classtype:attempted-dos; sid:2027890; rev:2; metadata:created_at 2019_08_15, former_category SNMP, updated_at 2020_08_20;)
-
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Py.Machete FTP Exfil 1"; flow:established,to_server; content:"STOR|20|FIREPERF.zip"; depth:17; reference:url,travisgreen.net/2019/08/14/machete-malware.html; classtype:trojan-activity; sid:2027888; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category TROJAN, malware_family Machete, performance_impact Moderate, signature_severity Major, updated_at 2019_08_15;)
-
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Py.Machete FTP Exfil 2"; flow:established,to_server; content:"STOR|20|CRHOMEPER.zip"; depth:18; reference:url,travisgreen.net/2019/08/14/machete-malware.html; classtype:trojan-activity; sid:2027889; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category TROJAN, malware_family Machete, performance_impact Moderate, signature_severity Major, updated_at 2019_08_15;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 1"; flow:from_client,established; content:"XGxpc3RvdmVycmlkZWNvdW50"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"MQ"; within:2; content:!"MV"; within:2; content:!"MT"; within:2; content:!"MH"; within:2; content:!"MF"; within:2; content:!"ME"; within:2; content:!"OQ"; within:2; content:!"OX"; within:2; content:!"MA"; within:2; content:!"MS"; within:2; content:!"MX"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018314; rev:9; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 2"; flow:from_client,established; content:"xsaXN0b3ZlcnJpZGVjb3Vud"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"DE"; within:2; content:!"DF"; within:2; content:!"Dk"; within:2; content:!"Dl"; within:2; content:!"DA"; within:2; content:!"DB"; within:2; content:!"DV"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018308; rev:8; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 3"; flow:from_client,established; content:"cbGlzdG92ZXJyaWRlY291bn"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"Qx"; within:2; content:!"Q5"; within:2; content:!"Qw"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018309; rev:6; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 4"; flow:from_client,established; content:"x1LTU1N"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){5}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018310; rev:6; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 5"; flow:from_client,established; content:"XHUtNTU0"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){7}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018311; rev:5; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 6"; flow:from_client,established; content:"cdS01NT"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){7}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018312; rev:5; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
-
-alert tcp any any -> $HOME_NET !$HTTP_PORTS (msg:"ET EXPLOIT Malformed HeartBeat Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_extract:2,3,record_len; byte_test:2,>,2,3; byte_test:2,>,record_len,6; threshold:type limit,track by_src,count 1,seconds 120; flowbits:set,ET.MalformedTLSHB; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018372; rev:3; metadata:created_at 2014_04_08, former_category CURRENT_EVENTS, updated_at 2014_04_08;)
+alert tcp any any -> $HOME_NET !$HTTP_PORTS (msg:"ET EXPLOIT Malformed HeartBeat Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_extract:2,3,record_len; byte_test:2,>,2,3; byte_test:2,>,record_len,6; threshold:type limit,track by_src,count 1,seconds 120; flowbits:set,ET.MalformedTLSHB; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018372; rev:3; metadata:created_at 2014_04_08, former_category CURRENT_EVENTS, updated_at 2014_04_08;)
 
 alert tcp any any -> $HOME_NET !$HTTP_PORTS (msg:"ET EXPLOIT Malformed HeartBeat Request method 2"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_test:2,>,2,3; byte_test:2,>,200,6; threshold:type limit,track by_src,count 1,seconds 120; flowbits:set,ET.MalformedTLSHB; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018374; rev:3; metadata:created_at 2014_04_08, former_category CURRENT_EVENTS, updated_at 2014_04_08;)
 
@@ -23528,6 +22788,8 @@ alert udp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET MALWARE Win32/Dostre CnC
 
 #alert tcp $HOME_NET any -> 76.74.9.18 $HTTP_PORTS (msg:"ET DELETED Milw0rm Exploit Launch Attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/exploit.php?id="; http_uri; nocase; reference:url,www.milw0rm.com; reference:url,doc.emergingthreats.net/2009586; classtype:misc-activity; sid:2009586; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit Exploit Kit Java exploit drive-by host likely infected (nte)"; flow:established,to_server; content:"/nte/"; http_uri; nocase; content:"|0d 0a|accept-encoding|3a| pack200-gzip,gzip|0d 0a|"; nocase; content:"|0d 0a|content-type|3a| application/x-java-archive|0d 0a|"; nocase; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| Mozilla"; nocase; content:" Java/"; nocase; within:50; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage%3btopic=3781.0; reference:url,doc.emergingthreats.net/2010871; classtype:exploit-kit; sid:2010871; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
 #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT TAC Attack Directory Traversal"; flow:established,to_server; content:"/ISALogin.dll?"; http_uri; nocase; pcre:"/Template=.*\.\./UGi"; reference:cve,2005-3040; reference:url,secunia.com/advisories/16854; reference:url,cirt.dk/advisories/cirt-37-advisory.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002406; classtype:attempted-recon; sid:2002406; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT M3U File Request Flowbit Set"; flow:to_server,established; content:"GET "; depth:4; content:".m3u"; http_uri; flowbits:set,ET.m3u.download; flowbits:noalert; reference:url,doc.emergingthreats.net/2011241; classtype:not-suspicious; sid:2011241; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
@@ -24302,12 +23564,26 @@ alert udp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET MALWARE Win32/Dostre CnC
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zango Spyware Activity"; flow:to_server,established; content:"/banman/banman.asp?ZoneID="; http_uri; nocase; content:"&Task="; http_uri; nocase; content:"&X="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003170; classtype:trojan-activity; sid:2003170; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Altnet PeerPoints Manager Start"; flow: to_server,established; content:"/pm/start.asp"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000906; classtype:policy-violation; sid:2000906; rev:10; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Altnet PeerPoints Manager Data Submission"; flow: to_server,established; content:"/backoffice.net/stats/Add.aspx"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000598; classtype:policy-violation; sid:2000598; rev:10; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Altnet PeerPoints Manager Settings Download"; flow: to_server,established; content:"/pointsmanager/settings.cab?"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000907; classtype:policy-violation; sid:2000907; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Advertising.com Reporting Data"; flow: to_server,established; uricontent:"/site="; uricontent:"/mnum="; uricontent:"/bins="; uricontent:"/rich="; uricontent:"/logs="; uricontent:"/betr="; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002304; classtype:policy-violation; sid:2002304; rev:9; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Evidencenuker.com Fake AV Updating"; flow:established,to_server; content:"/products/evidencenuker/update.php?version="; http_uri; nocase; reference:url,www.evidencenuker.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003568; classtype:trojan-activity; sid:2003568; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MSUpdater.net Spyware Checkin"; flow:established,to_server; content:"/popsetarray.php?&country="; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002094; classtype:trojan-activity; sid:2002094; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Pacimedia Spyware 2"; flow: to_server,established; content:"/xml/check.php?"; http_uri; nocase; content:"u="; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002194; classtype:policy-violation; sid:2002194; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.Downloader.Time2Pay.AQ"; flow:established,to_server; content:"/progs_traff/"; http_uri; nocase; reference:url,research.sunbelt-software.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003034; classtype:trojan-activity; sid:2003034; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Weatherbug Design60 Upload Activity"; flow:established,to_server; content:"/GetDesign60.aspx?Magic="; http_uri; nocase; content:"?ZipCode="; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003423; classtype:trojan-activity; sid:2003423; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED YourSiteBar Data Submision"; flow: to_server,established; content:"/ist/scripts/istsvc_ads_data.php?version="; http_uri; nocase; reference:url,www.ysbweb.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001698; classtype:trojan-activity; sid:2001698; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Crewbox Proxy Scan"; flow:established,to_server; content:".php?"; http_uri; nocase; content:"crewbox.by.ru/crew/"; http_uri; nocase; reference:url,doc.emergingthreats.net/2003156; classtype:attempted-recon; sid:2003156; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET VOIP Centrality IP Phone (PA-168 Chipset) Session Hijacking"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"/g"; http_uri; nocase; content:"back=++Back++"; nocase; pcre:"/^\/g($|[?#])/Ui"; reference:url,www.milw0rm.com/exploits/3189; reference:url,doc.emergingthreats.net/bin/view/Main/2003329; reference:cve,2007-0528; classtype:attempted-user; sid:2003329; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
@@ -24338,11 +23614,11 @@ alert udp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET MALWARE Win32/Dostre CnC
 
 #alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER osCommerce extras/update.php disclosure"; flow:to_server,established; content:"extras/update.php"; http_uri; nocase; reference:url,retrogod.altervista.org/oscommerce_22_adv.html; reference:url,doc.emergingthreats.net/2002864; classtype:attempted-recon; sid:2002864; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports XML Information Disclosure"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"CUSTOMIZE=/"; http_uri; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*CUSTOMIZE=\//Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.html; reference:url,doc.emergingthreats.net/2002131; classtype:web-application-activity; sid:2002131; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports XML Information Disclosure"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"CUSTOMIZE=/"; http_uri; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*CUSTOMIZE=\//Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.html; reference:url,doc.emergingthreats.net/2002131; classtype:web-application-activity; sid:2002131; rev:11; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports DESFORMAT Information Disclosure"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"destype=file"; http_uri; nocase; content:"desformat="; http_uri; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*destype=file.*desformat=\//Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_read_any_file.html; reference:url,doc.emergingthreats.net/2002132; classtype:web-application-activity; sid:2002132; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports OS Command Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"report="; http_uri; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*report=.*\.(rdf|rep)/Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_run_any_os_command.html; reference:url,doc.emergingthreats.net/2002133; classtype:web-application-activity; sid:2002133; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports OS Command Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"report="; http_uri; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*report=.*\.(rdf|rep)/Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_run_any_os_command.html; reference:url,doc.emergingthreats.net/2002133; classtype:web-application-activity; sid:2002133; rev:11; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED PHP remote file include exploit attempt"; flow: to_server,established; content:"GET "; nocase; depth:4; content:".php?"; http_uri; nocase; content:"cmd="; http_uri; nocase; pcre:"/=(https?|ftps?|php)\:\/.{0,100}cmd=/Ui"; reference:url,doc.emergingthreats.net/2001810; classtype:attempted-admin; sid:2001810; rev:29; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
 
@@ -24360,25 +23636,61 @@ alert udp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET MALWARE Win32/Dostre CnC
 
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Poison Null Byte"; flow:established,to_server; content:"|00|"; http_uri; depth:2400; reference:cve,2006-4542; reference:cve,2006-4458; reference:cve,2006-3602; reference:url,www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf; reference:url,doc.emergingthreats.net/2003099; classtype:web-application-activity; sid:2003099; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Fake Anti-Virus Download Inst_58s6.exe"; flow:established,to_server; content:"/Inst_58s6.exe"; http_uri; nocase; reference:url,cyveillanceblog.com/general-cyberintel/malware-google-search-results; reference:url,doc.emergingthreats.net/2010339; classtype:trojan-activity; sid:2010339; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Apache Axis2 xsd Parameter Directory Traversal Attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/axis2/services/Version?"; http_uri; nocase; content:"xsd="; http_uri; nocase; content:"../"; depth:200; reference:bugtraq,40343; reference:url,doc.emergingthreats.net/2011160; classtype:web-application-attack; sid:2011160; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING Adobe Exploited Check-In"; flow:established,to_server; content:"GET "; nocase; depth:4; content:".php?&&reader_version="; http_uri; nocase; reference:url,doc.emergingthreats.net/2011715; classtype:trojan-activity; sid:2011715; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TROJAN Likely FakeRean Download"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"/installer/InstallerClean.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010053; classtype:trojan-activity; sid:2010053; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Likely Unknown Trojan Download"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"/softwarefortubeview.40009.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010058; classtype:trojan-activity; sid:2010058; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TROJAN Likely Possible Rogue A/V Win32/FakeXPA Download"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"/Soft_21.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010060; classtype:trojan-activity; sid:2010060; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, pdf exploit"; flow:established,to_server; content:"/ssp/files/annonce.pdf"; http_uri; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010444; classtype:bad-unknown; sid:2010444; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, loadjavad.php exploit"; flow:established,to_server; content:"/ssp/loadjavad.php"; http_uri; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010446; classtype:bad-unknown; sid:2010446; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit Exploit Kit Java exploit drive-by host likely infected (kav)"; flow:established,to_server; content:"/kav"; http_uri; nocase; content:"|0d 0a|accept-encoding|3a| pack200-gzip,gzip|0d 0a|"; nocase; content:"|0d 0a|content-type|3a| application/x-java-archive|0d 0a|"; nocase; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| Mozilla"; nocase; content:" Java/"; nocase; within:50; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage%3btopic=3781.0; reference:url,doc.emergingthreats.net/2010870; classtype:exploit-kit; sid:2010870; rev:7; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe)"; flow:established,to_server; content:"/download/IAInstall.exe"; http_uri; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010447; classtype:bad-unknown; sid:2010447; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, trojan zbot"; flow:established,to_server; content:"/globaldirectory/updatetool.exe"; http_uri; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010448; classtype:bad-unknown; sid:2010448; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, exploit redirect"; flow:established,to_server; content:"/fkzd/2.htm"; http_uri; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010449; classtype:bad-unknown; sid:2010449; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malwareurl.com - potential oficla download (annonce.pdf)"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"/ssp/files/annonce.pdf"; http_uri; nocase; pcre:"/\/ssp\/files\/annonce\.pdf$/Ui"; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010532; classtype:trojan-activity; sid:2010532; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malwareurl.com - potential oficla download (loadjavad.php)"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"/ssp/loadjavad.php"; http_uri; nocase; pcre:"/\/ssp\/loadjavad\.php$/Ui"; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010534; classtype:trojan-activity; sid:2010534; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malwareurl - wywg executable download Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/wywg/"; http_uri; nocase; content:".exe"; http_uri; nocase; pcre:"/\/wywg\/[a-z0-9]{2,5}\/[a-z0-9]+\.exe$/Ui"; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010716; classtype:trojan-activity; sid:2010716; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Executable requested from /wp-content/languages"; flow:established,to_server; content:"/wp-content/languages/"; http_uri; nocase; content:".exe"; http_uri; nocase; reference:url,www.malewareurl.com; reference:url,doc.emergingthreats.net/2011220; classtype:trojan-activity; sid:2011220; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av-i386-daily.zip)"; flow:established,to_server; content:"av_base/av-i386-daily.zip"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010565; reference:md5,06e69bfb6fffa17c4fc1e23af71b345c; classtype:trojan-activity; sid:2010568; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av_base/pay.php)"; flow:established,to_server; content:"av_base/pay.php"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010566; reference:md5,06e69bfb6fffa17c4fc1e23af71b345c; classtype:trojan-activity; sid:2010566; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av_base/ip.php)"; flow:established,to_server; content:"av_base/ip.php"; http_uri; nocase; reference:md5,06e69bfb6fffa17c4fc1e23af71b345c; reference:url,doc.emergingthreats.net/2010567; classtype:trojan-activity; sid:2010567; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely FAKEAV scanner page encountered - i1000000.gif"; flow:established,to_server; content:"/i1000000.gif"; http_uri; nocase; reference:url,doc.emergingthreats.net/2011760; classtype:bad-unknown; sid:2011760; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED iPhone Bot iKee.B Contacting C&C"; flow:to_server,established; content:"/xml/p.php?id="; http_uri; nocase; pcre:"/\/xml\/p\.php\?id=\d{2,}/Ui"; reference:url,mtc.sri.com/iPhone/; reference:url,doc.emergingthreats.net/2010551; classtype:trojan-activity; sid:2010551; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malvertising drive by kit collecting browser info"; flow:established,to_server; content:"/plugins.php?p=appName"; http_uri; nocase; reference:url,doc.emergingthreats.net/2011224; classtype:bad-unknown; sid:2011224; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING client requesting drive by - /x/?src="; flow:established,to_server; content:"/x/?src="; http_uri; nocase; content:"&o=o"; http_uri; nocase; reference:url,doc.emergingthreats.net/2011230; classtype:bad-unknown; sid:2011230; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED ASPROX Infected Site - ngg.js Request"; flow:established,to_server; content:"/ngg.js"; http_uri; nocase; content:!"nextgen-gallery"; nocase; reference:url,infosec20.blogspot.com/; reference:url,doc.emergingthreats.net/bin/view/Main/2008373; classtype:trojan-activity; sid:2008373; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential exploit redirect, in.cgi pepsi"; flow:established,to_server; content:"ts/in.cgi?pepsi"; http_uri; nocase; pcre:"/ts\/in\.cgi\?pepsi\d+/Ui"; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010222; classtype:bad-unknown; sid:2010222; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED ClearSite device_admin.php cs_base_path Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/include/admin/device_admin.php?"; http_uri; nocase; content:"cs_base_path="; http_uri; nocase; pcre:"/cs_base_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/65117; reference:cve,CVE-2010-2145; classtype:web-application-attack; sid:2011556; rev:2; metadata:created_at 2010_09_27, updated_at 2019_08_22;)
+
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SnortReport nmap.php target Parameter Arbitrary Command Execution Attempt"; flow:established,to_server; content:"GET "; depth:4; content:"/nmap.php?"; http_uri; nocase; content:"target="; http_uri; nocase; pcre:"/target=\w*\;/Ui"; reference:url,osvdb.org/show/osvdb/67739; classtype:web-application-attack; sid:2011555; rev:2; metadata:created_at 2010_09_27, updated_at 2019_08_22;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"D="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006609; classtype:web-application-attack; sid:2006609; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"D="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006609; classtype:web-application-attack; sid:2006609; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"D="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006611; classtype:web-application-attack; sid:2006611; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"D="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006611; classtype:web-application-attack; sid:2006611; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
 
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"D="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006612; classtype:web-application-attack; sid:2006612; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
@@ -24416,7 +23728,13 @@ alert udp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET MALWARE Win32/Dostre CnC
 
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/lib/function.php?"; http_uri; nocase; content:"apps_path[libs]="; http_uri; nocase; pcre:"/apps_path\[libs\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/33386/; reference:url,milw0rm.com/exploits/7687; reference:url,doc.emergingthreats.net/2009088; classtype:web-application-attack; sid:2009088; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id UPDATE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003998; classtype:web-application-attack; sid:2003998; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id UPDATE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003998; classtype:web-application-attack; sid:2003998; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 180solutions Spyware (tracked event reported)"; flow: to_server,established; content:"/TrackedEvent.aspx?"; http_uri; nocase; content:"eid="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001397; classtype:trojan-activity; sid:2001397; rev:13; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NACHA/Zeus Phishing Executable Download Attempt"; flow:established,to_server; content:"GET "; depth:4; content:"nacha.org."; nocase; content:".exe"; http_uri; nocase; pcre:"/\x0d\x0aHost\: (www\.)?nacha\.org\./i"; reference:url,garwarner.blogspot.com/2009/11/newest-zeus-nacha-electronic-payments.html; reference:url,doc.emergingthreats.net/2010342; classtype:trojan-activity; sid:2010342; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2019_08_22;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus Bot / Zbot Checkin (/us01d/in.php)"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/us01d/in.php"; http_uri; nocase; reference:url,garwarner.blogspot.com/2010/01/american-bankers-association-version-of.html; reference:url,doc.emergingthreats.net/2010729; classtype:trojan-activity; sid:2010729; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus Bot Request to CnC"; flow:established,to_server; content:".bin"; http_uri; content:"GET"; depth:3; http_method; content:".bin HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a| "; content:!"|0d 0a|Referer|3a|"; nocase; reference:url,doc.emergingthreats.net/2010861; classtype:command-and-control; sid:2010861; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
@@ -24424,12 +23742,26 @@ alert udp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET MALWARE Win32/Dostre CnC
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Buzus Posting Data"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"/fdsupdate"; http_uri; nocase; content:"|0d 0a 0d 0a|PUTF"; reference:url,doc.emergingthreats.net/2010064; classtype:trojan-activity; sid:2010064; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Pinkslipbot Trojan Downloader"; flow:to_server,established; content:"/jl/jloader.pl?u="; http_uri; nocase; content:"&it=2"; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&n="; nocase; http_uri; pcre:"/\x26n\x3d[a-z]{5}\d{4}/U"; reference:url,doc.emergingthreats.net/2010742; classtype:trojan-activity; sid:2010742; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"GPL DELETED story.pl access"; flow:to_server,established; content:"/story.pl"; http_uri; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:2101869; rev:7; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED DNSTools authentication bypass attempt"; flow:to_server,established; content:"/dnstools.php"; http_uri; nocase; content:"user_logged_in=true"; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:2101740; rev:7; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED DNSTools administrator authentication bypass attempt"; flow:to_server,established; content:"/dnstools.php"; http_uri; nocase; content:"user_logged_in=true"; nocase; content:"user_dnstools_administrator=true"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:2101739; rev:8; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED SGI InfoSearch fname access"; flow:to_server,established; content:"/infosrch.cgi"; http_uri; reference:arachnids,290; reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-activity; sid:2101727; rev:9; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
+
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Exploit Suspected PHP Injection Attack (name=)"; flow:to_server,established; content:"GET "; nocase; depth:4; content:".php?"; http_uri; nocase; content:"name="; http_uri; nocase; pcre:"/name=(https?|ftps?|php)/Ui"; reference:cve,2002-0953; reference:url,doc.emergingthreats.net/2001621; classtype:web-application-attack; sid:2001621; rev:36; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Metarewards Disclaimer Access"; flow: to_server,established; content:"/www.metareward.com/mailimg/disclaimer/"; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002309; classtype:policy-violation; sid:2002309; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Nukebot Checkin"; flow:established,to_server; content:"POST "; rawbytes; depth:5; content:"/script.php?"; http_uri; content:!"User-Agent|3a|"; nocase; pcre:"/\/script\.php?\d{8}/Ui"; content:"Kernel|3a|"; reference:url,www.websense.com/securitylabs/alerts/alert.php?AlertID=743; reference:url,doc.emergingthreats.net/2003433; classtype:trojan-activity; sid:2003433; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Spambot (often Tibs) Post-Infection Checkin"; flow:established,to_server; content:"/access.php?"; http_uri; nocase; content:"w="; http_uri; nocase; content:"&a="; http_uri; nocase; content:"|0d 0a|Host|3a| "; pcre:"/Host\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; content:"|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; content:!"|0d 0a|User-Agent|3a| "; reference:url,doc.emergingthreats.net/2008174; classtype:trojan-activity; sid:2008174; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TROJAN SEO HTTP REFERER landing capture rewrite, likely Fake AV"; flow:established,to_server; content:"GET"; http_method; content:"|0d 0a|Referer|3a| "; content:"search?"; nocase; within:50; content:"q="; nocase; within:100; content:".com"; http_uri; nocase; pcre:"/\/[a-z]+\/[a-z0-9]{120,}\/[a-z0-9]+\/.+\.com$/U"; reference:url,doc.emergingthreats.net/2011066; classtype:trojan-activity; sid:2011066; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED IISProtect globaladmin.asp access"; flow:to_server,established; content:"/iisprotect/admin/GlobalAdmin.asp"; http_uri; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2102157; rev:4; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
 
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Portail Includes.php remote file include"; flow:established,to_server; content:"/includes/includes.php"; http_uri; content:"site_path"; http_uri; nocase; pcre:"/site_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,22361; reference:url,doc.emergingthreats.net/2003371; classtype:web-application-attack; sid:2003371; rev:8; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
@@ -24444,26 +23776,84 @@ alert udp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET MALWARE Win32/Dostre CnC
 
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/passwiki.php?site_id="; http_uri; nocase; pcre:"/(\.\.\/){1}/U"; reference:bugtraq,29455; reference:url,doc.emergingthreats.net/2008687; classtype:web-application-attack; sid:2008687; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2019_08_22;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 180solutions Spyware Reporting"; flow: to_server,established; content:"/showme.aspx?"; http_uri; nocase; content:"partner_id="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001400; classtype:trojan-activity; sid:2001400; rev:13; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Adwave Agent Access"; flow: to_server,established; content:"/search_404.aspx?aff="; http_uri; nocase; reference:url,www.intermute.com/spyware/HuntBar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001318; classtype:policy-violation; sid:2001318; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php UPDATE"; flow:established,to_server; content:"/wp-trackback.php?"; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005870; classtype:web-application-attack; sid:2005870; rev:7; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php ASCII"; flow:established,to_server; content:"/wp-trackback.php?"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005869; classtype:web-application-attack; sid:2005869; rev:7; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php DELETE"; flow:established,to_server; content:"/wp-trackback.php?"; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005868; classtype:web-application-attack; sid:2005868; rev:7; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php INSERT"; flow:established,to_server; content:"/wp-trackback.php?"; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005867; classtype:web-application-attack; sid:2005867; rev:7; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT"; flow:established,to_server; content:"/wp-trackback.php?"; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005866; classtype:web-application-attack; sid:2005866; rev:7; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php SELECT"; flow:established,to_server; content:"/wp-trackback.php?"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005865; classtype:web-application-attack; sid:2005865; rev:7; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE"; flow:established,to_server; content:"/nukesentinel.php?"; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004735; classtype:web-application-attack; sid:2004735; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php ASCII"; flow:established,to_server; content:"/nukesentinel.php?"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004734; classtype:web-application-attack; sid:2004734; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php DELETE"; flow:established,to_server; content:"/nukesentinel.php?"; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004733; classtype:web-application-attack; sid:2004733; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php INSERT"; flow:established,to_server; content:"/nukesentinel.php?"; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004732; classtype:web-application-attack; sid:2004732; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php UNION SELECT"; flow:established,to_server; content:"/nukesentinel.php?"; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004731; classtype:web-application-attack; sid:2004731; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php SELECT"; flow:established,to_server; content:"/nukesentinel.php?"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004730; classtype:web-application-attack; sid:2004730; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 1"; flow:to_server,established; content:"/posting.php"; http_uri; content:"color="; nocase; content:"xss|3a|expression"; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009679; classtype:web-application-attack; sid:2009679; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 2"; flow:to_server,established; content:"/posting.php"; http_uri; content:"size="; nocase; content:"xss|3a|expression"; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009680; classtype:web-application-attack; sid:2009680; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 3"; flow:to_server,established; content:"/posting.php"; http_uri; content:"color="; nocase; content:"javascript"; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009681; classtype:web-application-attack; sid:2009681; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 4"; flow:to_server,established; content:"/posting.php"; http_uri; content:"size="; nocase; content:"javascript"; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009682; classtype:web-application-attack; sid:2009682; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 5"; flow:to_server,established; content:"/posting.php"; http_uri; content:"color="; nocase; content:"|3a|url("; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009683; classtype:web-application-attack; sid:2009683; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 6"; flow:to_server,established; content:"/posting.php"; http_uri; content:"size="; nocase; content:"|3a|url("; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009684; classtype:web-application-attack; sid:2009684; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Mindset Interactive Ad Retrieval"; flow: to_server,established; content:"/mindset5"; http_uri; nocase; reference:url,www.mindsetinteractive.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000594; classtype:trojan-activity; sid:2000594; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED GuppY error.php Arbitrary Remote Code Execution"; flow: to_server,established; content:"/error.php?"; http_uri; nocase; content:"err="; http_uri; nocase; content:"_SERVER[REMOTE_ADDR]="; http_uri; nocase; reference:bugtraq,15609; reference:url,doc.emergingthreats.net/bin/view/Main/2002703; classtype:web-application-attack; sid:2002703; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker kit (bug ie0604)"; flow:established,to_server; content:"ie0604.cgi?bug="; http_uri; nocase; reference:url,doc.emergingthreats.net/2002871; classtype:web-application-attack; sid:2002871; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker kit (exploit1 ie0601)"; flow:established,to_server; content:"ie0601.cgi?exploit"; http_uri; nocase; reference:url,doc.emergingthreats.net/2002869; classtype:web-application-attack; sid:2002869; rev:10; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker kit (ie0606)"; flow:established,to_server; content:"ie0606.cgi?"; http_uri; nocase; reference:url,doc.emergingthreats.net/2002937; classtype:web-application-attack; sid:2002937; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker RootLauncher"; flow:established,to_server; content:"rleadmin.cgi?getexe="; http_uri; nocase; reference:url,doc.emergingthreats.net/2003063; classtype:web-application-attack; sid:2003063; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker kit (exploit ie0604)"; flow:established,to_server; content:"ie0604.cgi?exploit"; http_uri; nocase; reference:url,doc.emergingthreats.net/2002870; classtype:web-application-attack; sid:2002870; rev:10; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Korgo.U Reporting"; flow: to_server,established; content:"/index.php?id="; http_uri; nocase; content:"cnt="; http_uri; nocase; content:"&scn="; http_uri; nocase; content:"&inf="; http_uri; nocase; content:"&ver="; http_uri; nocase; reference:url,www.f-secure.com/v-descs/korgo_u.shtml; reference:url,doc.emergingthreats.net/2003070; classtype:trojan-activity; sid:2003070; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zango Spyware Post"; flow:to_server,established; content:"/te.aspx?ver="; http_uri; nocase; pcre:"/ver=[v\d]+/Ui"; reference:url,usa.kaspersky.com/about-us/news-press-releases.php?smnr_id=900000045; reference:url,doc.emergingthreats.net/bin/view/Main/2007607; classtype:trojan-activity; sid:2007607; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Korgo.P Reporting"; flow: to_server,established; content:"/index.php?id="; http_uri; nocase; content:"?cnt="; http_uri; nocase; content:"?scn="; http_uri; nocase; content:"?inf="; http_uri; nocase; content:"?ver="; http_uri; nocase; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; reference:url,doc.emergingthreats.net/2008192; classtype:trojan-activity; sid:2008192; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential FakeAV download Setup_103s1 or Setup_207 variant"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/Setup_"; http_uri; nocase; content:".exe"; http_uri; nocase; content:!"|0d 0a|Referer|3a| "; nocase; pcre:"/\/Setup_[0-9]{3}([A-Z][0-9])?\.exe$/Ui"; reference:url,www.prevx.com/avgraph/1/AVG.html; reference:url,doc.emergingthreats.net/2010867; classtype:trojan-activity; sid:2010867; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TROJAN Likely TDSS Download (197.exe)"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"/codec/197.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010056; classtype:trojan-activity; sid:2010056; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Unknown Malware Download Attempt"; flow:established,to_server; content:"/installer/Installer"; http_uri; nocase; content:".exe"; http_uri; nocase; pcre:"/\/\d+\/installer\/Installer(Clean)?\.exe$/Ui"; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010796; classtype:bad-unknown; sid:2010796; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Psyb0t Code Download"; flow:established,to_server; content:"/udhcpc.env"; http_uri; nocase; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009170; classtype:trojan-activity; sid:2009170; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 2"; flow:established,to_server; content:"GET "; depth:4; content:"/werber/"; http_uri; nocase; content:"/217.gif"; http_uri; nocase; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; reference:url,doc.emergingthreats.net/2010232; classtype:trojan-activity; sid:2010232; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 3"; flow:established,to_server; content:"GET "; depth:4; content:"/item/"; http_uri; nocase; content:"/titem.gif"; http_uri; nocase; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; reference:url,doc.emergingthreats.net/2010233; classtype:trojan-activity; sid:2010233; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trest1 Binary Download Attempt (multiple malware variants served)"; flow:established,to_server; content:"GET"; nocase; depth:3; http_method; content:!"Referer|3a| "; http_header; nocase; content:"trest1"; http_uri; fast_pattern; nocase; content:"User-Agent|3a| "; http_header; nocase; pcre:"/\/(nte|ld)\/[0-9A-Z]*trest1[0-9](\.php|\s\.asp|\.asp|\.py|\.exe|\.htm|\.html)\/[A-Z0-9]+$/Ui"; reference:url,www.malwaredomainlist.com; reference:url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on; reference:url,doc.emergingthreats.net/2010596; classtype:trojan-activity; sid:2010596; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OS Commerce 2.2 RC2 Potential Anonymous Remote Code Execution"; flow:established,to_server; content:"POST "; depth:5; content:".php/"; http_uri; pcre:"/\/[a-z_]+\.php\/[a-z_]+\.php/U"; reference:url,seclists.org/fulldisclosure/2009/Nov/169; reference:url,seclists.org/fulldisclosure/2009/Nov/170; reference:url,doc.emergingthreats.net/2010341; classtype:web-application-attack; sid:2010341; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st Checkin (5-12 Byte keyword)"; flow:to_server,established; dsize:<900; content:"|00 00|"; offset:7; depth:9; content:"|00 00 78 9C|"; distance:2; within:4; pcre:"/^[a-z0-9\x40\x2d\x5f]{5,12}..\x00\x00..\x00\x00\x78\x9c/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; reference:url,www.norman.com/about_norman/press_center/news_archive/2012/the_many_faces_of_gh0st_rat/en; classtype:trojan-activity; sid:2015624; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_23, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2019_08_22;)
+
 alert udp $HOME_NET any -> any 53 (msg:"ET DNS Hiloti DNS CnC Channel Successful Install Message"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|empty"; nocase; distance:0; content:"|0C|explorer_exe"; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:command-and-control; sid:2011911; rev:3; metadata:created_at 2010_11_09, former_category DNS, updated_at 2019_08_29;)
 
 alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Request for Zaletelly CnC Domain"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"zaletelly"; fast_pattern; nocase; distance:0; content:"|02|be|00|"; nocase; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MDrop-EAB/detailed-analysis.aspx; classtype:command-and-control; sid:2014513; rev:2; metadata:created_at 2012_04_05, former_category MALWARE, updated_at 2019_08_29;)
@@ -24804,3119 +24194,3267 @@ alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET DNS DNS
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Gmail Phish (set) 2016-09-12"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Email="; depth:6; nocase; http_client_body; content:"&Next=Next"; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.GmailPhish_1; flowbits:noalert; classtype:credential-theft; sid:2027956; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Successful Phishing Attempt Jan 20 2015"; flow:established,to_server; content:"POST"; http_method; urilen:20; content:"/js/moontools-1.7.js"; http_uri; fast_pattern:only; content:"username="; depth:9; http_client_body; content:"&password="; distance:0; http_client_body; classtype:credential-theft; sid:2020224; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Wells Fargo Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"card_num="; depth:9; nocase; http_client_body; content:"&full_name="; nocase; distance:0; http_client_body; content:"&ssn_num="; nocase; distance:0; http_client_body; fast_pattern; content:"&j_password="; nocase; distance:0; http_client_body; content:"&userPrefs="; nocase; distance:0; http_client_body; content:"&jsenabled="; nocase; distance:0; http_client_body; content:"&origin="; nocase; distance:0; http_client_body; content:"&screenid="; nocase; distance:0; http_client_body; content:"&ndsid="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023771; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic XBALTI Phishing Landing"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 7c 20 20 20 20 5c 20 20 5c 20 42 59 20 58 42 41 4c 54 49 20 2f 20 2d 2d 3e|"; fast_pattern; classtype:social-engineering; sid:2027966; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_09, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Find My iPhone Phish (SP) Jan 30 2017"; flow:from_server,established; file_data; content:"<title>Buscar iPhone"; fast_pattern; content:"<div class=|22|icloud"; nocase; distance:0; content:"Buscar iPhone"; nocase; distance:0; content:"<div class=|22|error"; nocase; distance:0; classtype:credential-theft; sid:2023772; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound"; flow:established,to_server; content:"xc3511"; fast_pattern; reference:url,github.com/tothi/pwn-hisilicon-dvr; classtype:default-login-attempt; sid:2027973; rev:2; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2019_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M1 Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"cusd="; depth:5; nocase; http_client_body; content:"&tbNickname="; nocase; distance:0; http_client_body; fast_pattern; content:"&ddCIF="; nocase; distance:0; http_client_body; content:"&Go="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023773; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [554,9527] (msg:"ET EXPLOIT HiSilicon DVR - Default Application Backdoor Password"; flow:established,to_server; content:"I0TO5Wv9"; fast_pattern; reference:url,github.com/tothi/pwn-hisilicon-dvr; classtype:default-login-attempt; sid:2027974; rev:2; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2019_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M2 Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?SecureToken="; http_header; content:"&fill="; http_header; distance:0; content:"PIN="; depth:4; nocase; http_client_body; fast_pattern; content:"&Go="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023774; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AcroCEF"; ja3_hash; content:"61d50e7771aee7f2f4b89a7200b4d45e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027975; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M1 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; http_client_body; content:"&CHKCLICK="; nocase; distance:0; http_client_body; content:"&NNAME="; nocase; distance:0; http_client_body; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&K1="; nocase; distance:0; http_client_body; content:"&Q1="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024011; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846)"; flow:established,to_server; content:"|16|"; depth:1; content:"|01|"; distance:4; within:1; content:"|5c 00|"; fast_pattern; distance:0; pcre:"/[\x20-\x7e]{5,}\x5c\x00[\x20-\x7e]{5,}/"; reference:cve,2019-15846; reference:url,exim.org/static/doc/security/CVE-2019-15846.txt; classtype:attempted-admin; sid:2027959; rev:2; metadata:created_at 2019_09_06, former_category EXPLOIT, performance_impact Significant, updated_at 2019_09_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M2 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; content:"&cardSelected="; nocase; distance:0; http_client_body; content:"&rbcCardNumber="; nocase; distance:0; http_client_body; fast_pattern; content:"&twoDigitIssueNumber="; nocase; distance:0; http_client_body; content:"&atmpin="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024012; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Adium 1.5.10 (b)"; ja3_hash; content:"e4adf57bf4a7a2dc08e9495f1b05c0ea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027977; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M3 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; fast_pattern; content:"&fullname="; nocase; distance:0; http_client_body; content:"&dob="; nocase; distance:0; http_client_body; content:"&ssn="; nocase; distance:0; http_client_body; content:"&mmn="; nocase; distance:0; http_client_body; content:"&dl="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024013; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AIM"; ja3_hash; content:"49a6cf42956937669a01438f26e7c609"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027978; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M4 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; fast_pattern; content:"&sq1="; nocase; distance:0; http_client_body; content:"&sq1a="; nocase; distance:0; http_client_body; content:"&sq2="; nocase; distance:0; http_client_body; content:"&sq2a="; nocase; distance:0; http_client_body; content:"&sq3="; nocase; distance:0; http_client_body; content:"&sq3a="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024014; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AirCanada Android App"; ja3_hash; content:"0bb402a703d08a608bf82763b1b63313"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027979; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Adobe Online Phish Aug 16 2016"; flow:to_server,established; content:"POST"; http_method; content:"=sent"; nocase; http_uri; content:"feedback="; nocase; depth:9; http_client_body; fast_pattern; content:"&feedbacknow="; nocase; distance:0; http_client_body; flowbits:set,ET.genericphish; pcre:"/=sent$/Ui"; classtype:credential-theft; sid:2024559; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AirCanada Android App"; ja3_hash; content:"d5169d6e19447685bf6f1af8c055d94d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027980; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Phish Yahoo Credentials Oct 1"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"yahoopassword="; depth:14; nocase; fast_pattern; http_client_body; classtype:credential-theft; sid:2021892; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Airmail 3"; ja3_hash; content:"561145462cfc7de1d6a97e93d3264786"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027981; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful BBVA Phish Jun 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"cuenta="; depth:7; nocase; http_client_body; fast_pattern; content:"&cuenta="; nocase; distance:0; http_client_body; content:"&nvoWizard="; nocase; distance:0; http_client_body; content:"&domain="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024372; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Alation Compose"; ja3_hash; content:"f6fd83a21f9f3c5f9ff7b5c63bbc179d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027982; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Successful Phish - Verify Email Error Message M2 Aug 14 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"ERROR! PLEASE CLICK BACK"; nocase; depth:24; fast_pattern; classtype:credential-theft; sid:2024542; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Amazon Music"; ja3_hash; content:"6003b52942a2e1e1ea72d802d153ec08"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027983; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Paypal Phish M1 Aug 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"_csrf="; depth:6; nocase; http_client_body; content:"&processSignin="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&rememberProfileCheck="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&rememberProfile="; nocase; distance:0; http_client_body; content:"&rememberProfileCheck="; nocase; distance:0; http_client_body; content:"&showTryPasswordlessButton="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024544; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_14, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Amazon Music,Dreamweaver,Spotify"; ja3_hash; content:"eb149984fc9c44d85ed7f12c90d818be"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027984; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Bitstamp Cryptocurrency Exchange Phish Aug 30 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; content:"302"; http_stat_code; content:"Location|3a 20|https://www.bitstamp.net"; http_header; classtype:credential-theft; sid:2024639; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android App"; ja3_hash; content:"662fdc668dd6af994a0f903dbcf25d66"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027985; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Dropbox Phish (Locky) Sep 01 2017"; flow:to_server,established; content:"POST"; http_method; content:"is_xhr="; depth:7; nocase; http_client_body; content:"current_email"; nocase; distance:0; http_client_body; content:"&email_sig="; nocase; distance:0; http_client_body; content:"&login_sd="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; content:"&remember_me="; nocase; distance:0; http_client_body; content:"&specter_login_tm="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024657; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android Google API Access"; ja3_hash; content:"515601c4141e718865697050a7a1765f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027986; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Apple iCloud Phish Jan 23 2017"; flow:to_server,established; content:"POST"; http_method; content:"usuario="; depth:8; nocase; http_client_body; content:"&contrasena="; nocase; distance:0; http_client_body; content:"&hdtxt="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023758; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_24, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"1aab4c2c84b6979c707ed052f724734b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027987; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Vanguard Phish Mar 06 2017"; flow:to_server,established; content:"POST"; http_method; content:"dmform-0="; depth:9; nocase; http_client_body; content:"&label-dmform-0=User+name"; nocase; distance:0; http_client_body; content:"&label-dmform-1=Password"; nocase; distance:0; http_client_body; content:"&label-dmform-8=Account+Email"; nocase; distance:0; http_client_body; content:"&label-dmform-9=Password"; nocase; distance:0; http_client_body; content:"&dmformsubject=Vang"; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024032; rev:3; metadata:created_at 2017_03_06, former_category PHISHING, updated_at 2019_09_06;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"25b72c88f837567856118febcca761e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027988; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful ANZ Internet Banking Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"typ="; depth:4; nocase; http_client_body; content:"&cid="; nocase; distance:0; http_client_body; content:"&cpass="; nocase; distance:0; http_client_body; content:"&homepn="; nocase; distance:0; http_client_body; content:"&workpn="; nocase; distance:0; http_client_body; content:"&mobilepn="; nocase; distance:0; http_client_body; content:"&telepass="; nocase; distance:0; http_client_body; content:"&ccnumber="; nocase; distance:0; http_client_body; fast_pattern; content:"&cvv="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024050; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"5331a12866e19199b363f6e903381498"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027989; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M1 Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"act="; depth:4; nocase; http_client_body; content:"&command="; nocase; distance:16; within:9; http_client_body; fast_pattern; content:"&PIN="; nocase; distance:0; http_client_body; content:"&Go="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024102; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"855953256ecc8e2b6d2360aff8e5d337"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027990; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M2 Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"account="; depth:8; nocase; http_client_body; content:"&pin"; nocase; distance:16; within:4; http_client_body; content:"&command="; nocase; distance:0; http_client_body; content:"&PrimaryApplicant="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024103; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Adium 1.5.10 (a)"; ja3_hash; content:"93948924e733e9df15a3bb44404cd909"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027976; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Google App Oauth Phish M1 Mar 3 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Chrome Alert</title>"; fast_pattern:7,20; nocase; content:"<script type=|22|text/javascript|22 20|src=|22|/alert.php?h="; nocase; distance:0; classtype:credential-theft; sid:2024266; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_03, deployment Perimeter, former_category PHISHING, tag Phishing, updated_at 2019_09_06;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"85bb8aa8e5ba373906348831bdbed41a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027991; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Google App Oauth Phish M2 Mar 3 2017"; flow:to_server,established; content:"GET"; http_method; content:"/alert.php?h="; depth:13; http_uri; fast_pattern; nocase; content:"/r.php?h="; http_header; content:"|0d 0a|"; distance:32; within:2; http_header; classtype:credential-theft; sid:2024267; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"99d8afeec9a4422120336ad720a5d692"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027992; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Google App Oauth Phish M3 Mar 3 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/javascript"; http_header; content:"alert="; http_cookie; file_data; content:"navigator.languages"; nocase; content:"Your computer is infected"; nocase; distance:0; fast_pattern:5,20; content:"navegador contiene malware"; nocase; distance:0; content:"navigateur contient MALWARE"; nocase; distance:0; content:"&subid=alertyes"; nocase; distance:0; classtype:credential-theft; sid:2024268; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AnypointStudio"; ja3_hash; content:"8e3f1bf87bc652a20de63bfd4952b16a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027993; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Google App Oauth Phish M4 Mar 3 2017"; flow:to_server,established; content:"GET"; http_method; content:"/tds.php?h="; depth:11; http_uri; fast_pattern; nocase; content:"&subid=alert"; nocase; distance:32; within:12; http_uri; content:"/r.php?h="; http_header; content:"|0d 0a|"; distance:32; within:2; http_header; classtype:credential-theft; sid:2024269; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Push Notification System, apple.WebKit.Networking,CalendarAgent,Go for Gmail"; ja3_hash; content:"d4693422c5ce1565377aca25940ad80c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027994; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic XBALTI Phishing Landing"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 7c 20 20 20 20 5c 20 20 5c 20 42 59 20 58 42 41 4c 54 49 20 2f 20 2d 2d 3e|"; fast_pattern; classtype:social-engineering; sid:2027966; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_09, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight Search (OSX)"; ja3_hash; content:"3e404f1e1b5a79e614d7543a79f3a1da"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027995; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound"; flow:established,to_server; content:"xc3511"; fast_pattern; reference:url,github.com/tothi/pwn-hisilicon-dvr; classtype:default-login-attempt; sid:2027973; rev:2; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2019_09_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight"; ja3_hash; content:"69b2859aec70e8934229873fe53902fd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027996; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [554,9527] (msg:"ET EXPLOIT HiSilicon DVR - Default Application Backdoor Password"; flow:established,to_server; content:"I0TO5Wv9"; fast_pattern; reference:url,github.com/tothi/pwn-hisilicon-dvr; classtype:default-login-attempt; sid:2027974; rev:2; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2019_09_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight"; ja3_hash; content:"6b9b64bbe95ea112d02c8812fc2e7ef0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027997; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Malicious Redirect URL"; flow:established,to_server; content:"/8gcf744Waxolp752.php"; http_uri; classtype:trojan-activity; sid:2016919; rev:9; metadata:created_at 2013_05_24, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight"; ja3_hash; content:"e5e4c0eeb02fdcf30af8235b4de07780"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027998; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Adobe Flash Zero Day LadyBoyle Infection Campaign"; flow:established,to_client; file_data; content:"FWS"; distance:0; content:"LadyBoyle"; distance:0; reference:md5,3de314089db35af9baaeefc598f09b23; reference:md5,2568615875525003688839cb8950aeae; reference:url,blog.fireeye.com/research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html; reference:url,www.adobe.com/go/apsb13-04; reference:cve,2013-0633; reference:cve,2013-0633; classtype:trojan-activity; sid:2016391; rev:3; metadata:created_at 2013_02_08, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Apple SpotlightNetHelper (OSX)"; ja3_hash; content:"97827640b0c15c83379b7d71a3c2c5b4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027999; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fake DHL Kuluoz.B URI"; flow:established,to_server; content:".php?get"; http_uri; fast_pattern:only; pcre:"/\.php\?get[^=]*=\d_\d{5,}$/U"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016779; rev:5; metadata:created_at 2013_04_23, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Apple usbmuxd iOS socket multiplexer"; ja3_hash; content:"47e42b00af27b87721e526ff85fd2310"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028000; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Kuluoz.B Shipping Label Spam Campaign"; flow:established,to_server; content:".php?"; http_uri; content:"_info="; distance:1; within:6; http_uri; pcre:"/\.php\?[a-z]_info=[a-z0-9]{1,4}_\d+?$/Ui"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2017002; rev:7; metadata:created_at 2013_06_12, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.geod"; ja3_hash; content:"5507277945374659a5b4572e1b6d9b9f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028001; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Kuluoz.B Spam Campaign Shipment_Label.exe in Zip"; flow:from_server,established; content:"Shipment_Label.zip"; nocase; fast_pattern:only; http_header; file_data; content:"PK"; within:2; content:".exe"; distance:0; classtype:trojan-activity; sid:2017003; rev:3; metadata:created_at 2013_06_12, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.geod"; ja3_hash; content:"f753495f2eab5155c61b760c838018f8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028002; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FlashPlayerSetup.x86.exe pull"; flow:established,to_server; content:"GET"; http_method; content:"FlashPlayerSetup.x86.exe"; http_uri; content:".swf|0d 0a|"; http_header; reference:url,blog.avast.com/2013/07/03/fake-flash-player-installer; classtype:trojan-activity; sid:2017107; rev:3; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.geod/parsecd,apple.photomoments"; ja3_hash; content:"ba40fea2b2638908a3b3b482ac78d729"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028003; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FlashPlayerSetup.x86.exe checkin UA"; flow:established,to_server; content:"GET"; http_method; content:"risp"; http_user_agent; depth:4; flowbits:set,FlashPlayerSetupUA; reference:url,blog.avast.com/2013/07/03/fake-flash-player-installer; classtype:trojan-activity; sid:2017108; rev:4; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking"; ja3_hash; content:"474e73aea21d1e0910f25c3e6c178535"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028004; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FlashPlayerSetup.x86.exe checkin response 2"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"var begenilecek_sayfalar"; depth:28; flowbits:isset,FlashPlayerSetupUA; reference:url,blog.avast.com/2013/07/03/fake-flash-player-installer; classtype:trojan-activity; sid:2017109; rev:3; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking"; ja3_hash; content:"eeeb5e7485f5e10cbc39db4cfb69b264"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028005; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Compromised Wordpress Redirect"; flow:established,to_server; content:"GET"; http_method; content:"/mm.php?d=1"; http_uri; content:".rr.nu"; http_header; pcre:"/Host\x3A\x20[^\r\n]*.rr.nu/H"; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/02/mass-injection-of-wordpress-sites.aspx; classtype:attempted-user; sid:2014334; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_03_09, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2019_09_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking/Chatter/FieldServiceApp/socialstudio"; ja3_hash; content:"63de2b6188d5694e79b678f585b13264"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028006; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET DELETED RougeAV Wordpress Injection Campaign Compromised Page Served From Local Compromised Server"; flow:established,from_server; content:".rr.nu/mm.php?d=1|22|><|2F|script>"; nocase; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/05/mass-injection-of-wordpress-sites.aspx; classtype:successful-admin; sid:2014338; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_03_09, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2019_09_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking/itunesstored"; ja3_hash; content:"7b343af1092863fdd822d6f10645abfb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028007; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED RogueAV Wordpress Injection Campaign Compromised Page Served to Local Client"; flow:established,to_client; content:".rr.nu/mm.php?d=1|22|><|2F|script>"; nocase; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/05/mass-injection-of-wordpress-sites.aspx; classtype:attempted-user; sid:2014337; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_03_09, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2019_09_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking/Spotify/WhatsApp/Skype/iTunes"; ja3_hash; content:"a312f9162a08eeedf7feb7a13cd7e9bb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028008; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846)"; flow:established,to_server; content:"|16|"; depth:1; content:"|01|"; distance:4; within:1; content:"|5c 00|"; fast_pattern; distance:0; pcre:"/[\x20-\x7e]{5,}\x5c\x00[\x20-\x7e]{5,}/"; reference:cve,2019-15846; reference:url,exim.org/static/doc/security/CVE-2019-15846.txt; classtype:attempted-admin; sid:2027959; rev:2; metadata:created_at 2019_09_06, former_category EXPLOIT, performance_impact Significant, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/533.1 (KHTML like Gecko) Version/4.0 Mobile Safari/533.1"; ja3_hash; content:"1a6ef47ab8325fbb42c447048cea9167"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028009; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] BlackRAT Checkin"; flow:established,to_server; content:"Clientx|2c 20|Version="; fast_pattern; content:"ProClient.Data"; distance:0; content:"data|05|bytes"; distance:0; reference:md5,7aa313d007a538f7453a0f0f3b76ba1f; classtype:command-and-control; sid:2028564; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/533.1 (KHTML like Gecko) Version/4.0 Mobile Safari/533.1"; ja3_hash; content:"b677934e592ece9e09805bf36cd68d8a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028010; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [TGI] BlackRAT Checkin Response"; flow:established,to_client; content:"|2c 20|Version="; content:"BlackRAT.Data"; distance:0; fast_pattern; content:"data|05|bytes"; distance:0; reference:md5,7aa313d007a538f7453a0f0f3b76ba1f; classtype:command-and-control; sid:2028565; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.30 (KHTML like Gecko) Version/4.0 Safari & Safari Mobile/534.30, AppleWebKit/534.30"; ja3_hash; content:"ef323f542a99ab12d6b5348bf039b7b4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028011; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Karagany encrypted binary (1)"; flow:established,to_client; file_data; content:"|81 f2 90 00 cf a8 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016663; rev:3; metadata:created_at 2013_03_26, former_category EXPLOIT_KIT, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.30"; ja3_hash; content:"e1e03b911a28815836d79c5cdd900a20"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028012; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Postal Reciept EXE in Zip"; flow:from_server,established; file_data; content:"PK"; within:2; content:"Postal-Receipt.exe"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016654; rev:3; metadata:created_at 2013_03_22, former_category CURRENT_EVENTS, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.46 Mobile/9A334"; ja3_hash; content:"04e1f90d8719caabafb76d4a7b13c984"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028013; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Payload Filename Used in Various 2014-0322 Attacks"; flow:established,to_server; content:"/Erido.jpg"; nocase; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018329; rev:3; metadata:created_at 2014_03_28, former_category CURRENT_EVENTS, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.46, iOS AppleWebKit/534.46"; ja3_hash; content:"dc08cf4510f70bf16d4106ee22f89197"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028014; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED possible Sofacy encrypted binary (1)"; flow:established,to_client; file_data; content:"|57 46 e8 67 27 3d 66 1a|"; within:8; flowbits:set,et.exploitkitlanding; reference:url,labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/; reference:url,www.isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/; classtype:targeted-activity; sid:2021755; rev:3; metadata:created_at 2015_09_09, former_category EXPLOIT_KIT, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/535 & Ubuntu Product Search"; ja3_hash; content:"4049550d5f57eae67d958440bdc133e4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028015; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Lets Encrypt Free SSL Cert Observed in Possible Coinhive Javascript Cryptocurrency Mining"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; fast_pattern; content:"|55 04 03|"; distance:0; content:"coin-hive"; within:50; nocase; pcre:!"/#http:\/\/cert.*coinhive/i"; reference:url,coin-hive.com; classtype:policy-violation; sid:2024720; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2020_08_20;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/600.7.12 or 600.1.4"; ja3_hash; content:"ef75a13be2ed7a82f16eefe6e84bc375"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028016; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Unknown - Please wait..."; flow:established,to_client; file_data; content:"<title>Please wait...</title>"; nocase; content:"<div id="; content:"></div><div id="; distance:5; within:16; classtype:exploit-kit; sid:2016192; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/600.7.12"; ja3_hash; content:"eaa8a172289b09a6789a415d1faac4c9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028017; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Updatre SSL Certificate cardiffpower"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cardiffpower.com"; distance:1; within:17; content:"|55 04 03|"; distance:0; content:"|10|cardiffpower.com"; distance:1; within:17; classtype:domain-c2; sid:2017977; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_25;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AT&T Connect"; ja3_hash; content:"c5c11e6105c56fd29cc72c3ac7a2b78b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028018; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Updatre Compromised SSL Certificate marchsf"; flow:established,from_server; content:"|02 07 04 81 e4 de 05 6a 5a|"; content:"|0b|marchsf.com"; distance:0; fast_pattern; classtype:trojan-activity; sid:2017978; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Atlassian SourceTree (git library?) (Tested v1.6.21.0)"; ja3_hash; content:"42215ee83bbf3a857a72ef42213cfbd6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028019; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Updatre Compromised SSL Certificate california89"; flow:established,from_server; content:"|02 07 2b 00 ee 19 5e ab 1f|"; content:"|10|california89.com"; distance:0; classtype:trojan-activity; sid:2017979; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Atlassian SourceTree (Tested v1.6.21.0)"; ja3_hash; content:"1c8a17e58c20b49e3786fc61e0533e50"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028020; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Updatre Compromised SSL Certificate thebostonshaker"; flow:established,from_server; content:"|02 07 27 7d 65 4a cd bf 4e|"; content:"|17|www.thebostonshaker.com"; distance:0; classtype:trojan-activity; sid:2017981; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - atom.io #1"; ja3_hash; content:"4e5e5d9fbc43697be755696191fe649a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028021; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Captcha Malware C2 SSL Certificate"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|Mojolicious"; distance:1; within:17; content:"|55 04 0a|"; distance:0; content:"|0b|Mojolicious"; distance:1; within:17; reference:url,community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/03/25/captcha-protected-malware-downloader; classtype:command-and-control; sid:2018322; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_03_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - atom.io #2"; ja3_hash; content:"c94858c6eb06de179493b3fac847143e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028022; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible W32/Zbot.InfoStealer SSL Cert Parallels.com"; flow:established,to_client; content:"|16 03 01|"; depth:3; content:"|16 03 01|"; distance:0; content:"|52 14 cb 90|"; distance:0; content:"|12|info@parallels.com"; distance:0; reference:md5,19e17898e99af83e5fff9c3bad553bb2; classtype:trojan-activity; sid:2018418; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_04_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Aviator (Mystery 3rd) (37.0.2062.99) (OS X)"; ja3_hash; content:"58360f4f663a0f5657f415ac2f47fe1b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028023; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Androm SSL Cert Sept 18 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; distance:0; content:"|09 00 bf 91 db e3 f1 fb 7c cc|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,ca2f3e2568ac5c01ecf2747f778e13a1; classtype:trojan-activity; sid:2019196; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Aviator Updates"; ja3_hash; content:"5149f53b5554a31116f9d86237552ee3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028024; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Spy.Zbot.ACB SSL Cert Sept 24 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 99 56 02 06 27 f8 97 08|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,2ceda25b44378583dfb6df64b92ac654; classtype:trojan-activity; sid:2019227; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Battle.net/Dropbox"; ja3_hash; content:"fa030dbcb2e3c7141d3c2803780ee8db"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028025; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackEnergy Possible SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 88 91 e8 ca 54 bb 7d 10|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|5.79.80.166"; distance:1; within:12; reference:md5,1821351d67a3dce1045be09e88461fe9; classtype:trojan-activity; sid:2019282; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - bitgo/ShapeShift"; ja3_hash; content:"0ef9ca1c10d3f186f5786e1ef3461a46"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028026; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Zbot SSL Cert Oct 9 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be cf d6 29 b3 79 8f e2|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,3a9f4fc34e121fc2e5c0d7775091714c; classtype:trojan-activity; sid:2019382; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BlackBerry Browser (Tested BB10)"; ja3_hash; content:"add211c763889c665ae4ab675165cbc4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028027; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Zbot SSL Cert Oct 17 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f6 a0 9e 7c 8c 25 3a d0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,ae773f234152fb5df1ab35116dbb82bd; classtype:trojan-activity; sid:2019470; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BlackBerry Mail Client"; ja3_hash; content:"a921515f014005af03fc1e2c4c9e66ce"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028028; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Zbot SSL Cert Oct 21 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca 38 a4 ec ec c1 f1 9a|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1fedcd44951c3dfb861fa83ddcec2b84; classtype:trojan-activity; sid:2019485; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Blackberry Messenger (Android) 2"; ja3_hash; content:"4692263d4130929ae222ef50816527ca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028029; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d1 be 1b e1 6a 4d bf 01|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,f66bf24aa5516e335873c758d007ed3c; classtype:trojan-activity; sid:2019496; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Blackberry"; ja3_hash; content:"b5d42ca0e68a39d5c0a294134a21f020"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028030; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Trustezeb.J SSL Cert Oct 30 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|17|bestofthebestrussia.com"; distance:1; within:24; reference:md5,2d8211ad47b36893b6e1b3fdceb00012; classtype:trojan-activity; sid:2019605; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Blackbery Messenger (Android)"; ja3_hash; content:"32b0ae286d1612c82cad93b4880ee512"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028031; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32.Zbot.umpz SSL Cert Nov 4 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|16|boogermanshoptools.net"; distance:1; within:33; reference:md5,c6796076a24f35119ebe441725ec9da7; classtype:trojan-activity; sid:2019639; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_11_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BlueCoat Proxy"; ja3_hash; content:"5182f54f9c6e99d117d9dde3fa2b4cff"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028032; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Trustezeb.E SSL Cert Nov 05 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|easy-access.me"; distance:1; within:15; reference:md5,b648562ee817b3635fa7725afe28577c; classtype:trojan-activity; sid:2019652; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BlueJeans,CEPHtmlEngine"; ja3_hash; content:"cdec81515ccc75a5aa41eb3db22226e6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028033; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Zbot SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d1 9e 51 1d eb 97 c1 ea|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|08|Sometown"; distance:1; within:9; reference:md5,37f927437de627777c5b571fc46fb218; classtype:trojan-activity; sid:2019698; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BOT: Ahrefs, hola_svc"; ja3_hash; content:"5c1c89f930122bccc7a97d52f73bea2c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028034; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Gootkit SSL Cert Dec 10 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d2 a9 3c 29 28 ec b0 b1|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,c05453a18b6dc45bc258a377d2161b1c; classtype:trojan-activity; sid:2019907; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_12_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BOT: GoogleBot"; ja3_hash; content:"a1cb2295baf199acf82d11ba4553b4a8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028035; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Spy.Zbot.ACB SSL Cert Dec 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fe 69 db 33 70 71 2c 70|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,d271218da70d0bceb69c477e7d13dcc8; classtype:trojan-activity; sid:2019936; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_12_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BOT: Qwant"; ja3_hash; content:"706567223fbf37d112fba2d95b8ecac3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028036; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Zbot SSL Cert Dec 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cc c9 0f 16 44 47 71 3d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,417a42f5e244ce2f340f16fa2fed0412; classtype:trojan-activity; sid:2019955; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_12_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BrowserShots Script"; ja3_hash; content:"01aead19a1b1780978f732e056b183a6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028037; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Malicious Redirect SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|14|formationtraffic.com"; distance:1; within:21; classtype:trojan-activity; sid:2021146; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Browsershots"; ja3_hash; content:"a4dc1c39a68bffec1cc7767472ac85a8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028038; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Likely Malicious Redirect SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|10|mixticmotion.com"; distance:1; within:17; classtype:trojan-activity; sid:2021415; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (1.6.01)"; ja3_hash; content:"93fbcdadc1bf98ff0e3c03e7f921edd1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028039; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Cridex Self Signed SSL Certificate (TR Some-State Internet Widgits)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|55 04 06 13 02|TR"; content:"|55 04 08 13 0a|Some-State"; distance:0; content:"|13 18|Internet Widgits Pty"; within:35; classtype:trojan-activity; sid:2015559; rev:6; metadata:attack_target Client_Endpoint, created_at 2012_08_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (1.6.01)"; ja3_hash; content:"c3ca411515180e79c765dc2c3c8cea88"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028040; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Napolar / Shifu SSL Cert Oct 9 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|19|secure.barrentomedear.com"; distance:1; within:26; reference:md5,958804a1191cb281a3a967de17763cf4; classtype:trojan-activity; sid:2019376; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (tested: 1.6.32 Kali)"; ja3_hash; content:"15617351d807aa3145547d0ad0c976cc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028041; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Qtloader encrypted payload Oct 19 (1)"; flow:established,to_client; file_data; content:"|1a 3d d0 28 82 1a 6f 08|"; depth:8; fast_pattern; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024907; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (tested: 1.6.32 Kali)"; ja3_hash; content:"34f8cac266d07bfc6bd3966e99b54d00"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028042; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Qtloader encrypted check-in response Oct 19 (1)"; flow:established,to_client; file_data; content:"|0c 3c|"; depth:2; content:"|04 a3|"; distance:1; within:2; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024909; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_09_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (Tested: 1.7.03 on Windows 10), eclipse,JavaApplicationStub,idea"; ja3_hash; content:"8c5a50f1e833ed581e9cfc690814719a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028043; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [TGI] Cobalt Strike Malleable C2 Response (O365 Profile) M2"; flow:established,to_client; http.header; content:"16723708fc9|0d 0a|X-CalculatedBETarget|3a 20|BY2PR06MB549.namprd06.prod.outlook.com"; content:"X-FEServer|3a 20|CY4PR02CA0010"; distance:0; reference:md5,a26722fc7e5882b5a273239cddfe755f; reference:url,attack.mitre.org/groups/G0080/; classtype:command-and-control; sid:2028589; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Candy Crush (testing iOS 8.3)"; ja3_hash; content:"17a40616b856ec472714cd144471e0e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028044; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [TGI] Cobalt Strike Malleable C2 Response (YouTube Profile)"; flow:established,to_client; http.header; content:"Frontend Proxy|0d 0a|Set-Cookie|3a 20|YSC=LT4ZGGSgKoE|3b|"; fast_pattern; content:"X-FEServer|3a 20|CY4PR02CA0010"; distance:0; reference:md5,69c6e302cc4394cae7ed8c6f7b288e92; reference:url,attack.mitre.org/groups/G0080/; classtype:command-and-control; sid:2028590; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Charles/java/eclipse"; ja3_hash; content:"424008725394c634a4616b8b1f2828a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028045; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http any any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible GhostMiner CCBOT Component - CnC Checkin"; flow:established,to_server; content:"/Update/CC/CC.php"; startswith; endswith; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads/; classtype:command-and-control; sid:2028604; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family GhostMiner, performance_impact Low, signature_severity Major, updated_at 2019_09_19;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Choqok 1.5 (KDE 4.14.18 Qt 4.8.6 on OpenSUSE 42.1)"; ja3_hash; content:"64bb259b446fe13f66bcd62d1f0d33df"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028046; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PHPStudy Remote Code Execution Backdoor"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Accept-Charset|3a 20|"; fast_pattern; nocase; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x0d\x0a/R"; reference:url,www.cnblogs.com/-qing-/p/11575622.html; reference:url,www.uedbox.com/post/59265/; classtype:attempted-admin; sid:2028629; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_09_25, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Significant, signature_severity Major, updated_at 2019_09_25;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (iOS)"; ja3_hash; content:"bec8267042d5885aa3acc07b4409cafc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028047; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Inbox Access"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/inbox/"; http_uri; reference:url,doc.emergingthreats.net/2007628; classtype:policy-violation; sid:2007628; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Possible 41.x)"; ja3_hash; content:"d54a0979516e607a1166e6efd157301c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028048; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Message Access"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/inbox/messages/"; http_uri; reference:url,doc.emergingthreats.net/2007629; classtype:policy-violation; sid:2007629; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #1"; ja3_hash; content:"ac67a2d0e3bd59459c32c996b5985979"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028049; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Compose Message"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"index.php?l1=mg"; http_uri; reference:url,doc.emergingthreats.net/2007630; classtype:policy-violation; sid:2007630; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #2"; ja3_hash; content:"34dfce2bb848da7c5dafa4d475f0ba41"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028050; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Message Submit"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/"; http_uri; content:"POST"; http_method; content:"/messages/"; http_uri; content:"postman_secret"; reference:url,doc.emergingthreats.net/2007631; classtype:policy-violation; sid:2007631; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #3"; ja3_hash; content:"937edefedb6fe13f26d1a425ef1c15a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028051; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>SYSTEM ERROR"; fast_pattern; nocase; content:"getURLParameter"; distance:0; content:"decodeURI"; distance:0; content:"loadNumber"; distance:0; content:"confirmExit"; distance:0; classtype:social-engineering; sid:2023039; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_09_26;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #4"; ja3_hash; content:"a342d14afad3a448029ec808295ccce9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028052; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocENG Payload DL"; flow:established,from_server; content:"|3b 20 66 69 6c 65 6e 61 6d 65 3d 43 68 72 ce bf 6d d0 b5 20 66 ce bf 6e e1 b9 ab 2e 65 78 65|"; http_header; nocase; file_data; content:"MZ"; within:2; classtype:social-engineering; sid:2024198; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, signature_severity Major, updated_at 2019_09_26;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #5"; ja3_hash; content:"71e74faaed87acd177bd3b47a543f476"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028053; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> [85.93.0.0/24,194.165.16.0/24,31.184.192.0/24] 80 (msg:"ET EXPLOIT_KIT EITest Flash Redirect Aug 09 2016"; flow:established,to_server; urilen:>20; content:"x-flash-version|3a 20|"; http_header; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; classtype:exploit-kit; sid:2023036; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_09_26;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (tested: Version 46.0.2490.86 (64-bit) - OS X)"; ja3_hash; content:"1d64ab25ad6f7258581d43077147b9b1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028054; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $HOME_NET 2555 (msg:"ET SCAN Internal to Internal UPnP Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ri"; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008092; classtype:attempted-recon; sid:2008092; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (tested: Version 46.0.2490.86 (64-bit) - OS X)"; ja3_hash; content:"230018e44608686b64907360b6def678"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028055; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ri"; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008093; classtype:attempted-recon; sid:2008093; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (tested: Version 46.0.2490.86 (64-bit) - OS X)"; ja3_hash; content:"dea05e8c68dfeb28003f21d22efc0aba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028056; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET WEB_SERVER Oracle Secure Enterprise Search 10.1.8 search Script XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/search/query/search"; nocase; content:"search_p_groups="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?/i"; reference:url,dsecrg.com/pages/vul/show.php?id=125; reference:url,doc.emergingthreats.net/2009643; classtype:web-application-attack; sid:2009643; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 10, Chrome 10.0.648.82 (Chromium Portable 9.0)"; ja3_hash; content:"62351d5ea3cd4f21f697965b10a9bbbe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028057; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7011 (msg:"ET WEB_SERVER Oracle BEA Weblogic Server 10.3 searchQuery XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/consolehelp/console-help.portal"; nocase; content:"searchQuery="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/i"; reference:url,dsecrg.com/pages/vul/show.php?id=131; reference:url,doc.emergingthreats.net/2009644; classtype:web-application-attack; sid:2009644; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 11 - 18, Chrome 11.0.696.16 - 18.0.1025.33  Chrome 11.0.696.16 (Chromium Portable 9.2)"; ja3_hash; content:"a9da823fe77cd3df081644249edbf395"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028058; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.iBryte.BO CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/impression.do/?event="; depth:22; fast_pattern; content:"&user_id="; distance:0; http.user_agent; content:"download manager"; reference:md5,be6363e960d9a40b8e8c5825b13645c7; classtype:pup-activity; sid:2028633; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, tag PUP, updated_at 2019_09_26;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 19 - 20, Chrome 19.0.1084.15 - 20.0.1132.57, Chrome 21.0.1180.89, Chrome 22.0.1229.96 - 23.0.1271.64 Safari/537.11"; ja3_hash; content:"df4a50323dfcaf1789f72e4946a7be44"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028059; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vaccineprogram.co.kr Related Spyware User Agent (pcsafe)"; flow:established,to_server; content:"User-Agent|3a| pcsafe"; reference:url,doc.emergingthreats.net/2006420; classtype:pup-activity; sid:2006420; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 22.0.1201.0, Chrome/22.0.1229.96"; ja3_hash; content:"3c8cb61208e191af38b1fbef4eacd502"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028060; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET P2P Soulseek"; flow: established; content:"slsknet"; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001188; classtype:policy-violation; sid:2001188; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 24.0.1312.57 - 28.0.1500.72 Safari/537.36"; ja3_hash; content:"1ef061c02d85b7e2654e11a9959096f4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028061; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN DEBUG Method Request with Command"; flow:established,to_server; content:"DEBUG "; depth:6; content:"|0d 0a|Command|3a| "; distance:0; reference:url,doc.emergingthreats.net/2008312; classtype:attempted-recon; sid:2008312; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 26.0.1410.43-27.0.1453.110 Safari/537.31"; ja3_hash; content:"89d37026246d4888e78e69af4f8d1147"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028062; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible Fast-Track Tool Spidering User-Agent Detected"; flow:established,to_server; content:"|0d 0a|User-Agent|3A| pymills-spider/"; reference:url,www.offensive-security.com/metasploit-unleashed/Fast-Track-Modes; reference:url,doc.emergingthreats.net/2011721; classtype:attempted-recon; sid:2011721; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 29.0.1547.0"; ja3_hash; content:"206ee819879457f7536d2614695a5029"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028063; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLBrute SQL Scan Detected"; flow:to_server,established; content:"AND not exists (select * from master..sysdatabases)"; offset:60; depth:60; reference:url,www.justinclarke.com/archives/2006/03/sqlbrute.html; reference:url,www.darknet.org.uk/2007/06/sqlbrute-sql-injection-brute-force-tool/; reference:url,doc.emergingthreats.net/2009477; classtype:attempted-recon; sid:2009477; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 29.0.1547.62"; ja3_hash; content:"76d36fc79db002baa1b5e741fcd863bb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028064; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL User Scan"; content:"?param=a"; flow:to_server,established; content:"if%20ascii%28substring%28%28select%20system%5Fuser"; distance:2; threshold: type threshold, track by_src, count 20, seconds 10; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009040; classtype:attempted-recon; sid:2009040; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 29.0.1547.62"; ja3_hash; content:"bbc3992faa92affc0d835717ea557e99"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028065; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL Database User Rights Scan"; flow:to_server,established; content:"?param=a"; content:"if%20is%5Fsrvrolemember%28%27sysadmin"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009041; classtype:attempted-recon; sid:2009041; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 30.0.0.0"; ja3_hash; content:"dc3eaee99a9221345698f8a8b2f4fc3f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028066; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL Authentication Mode Scan"; flow:to_server,established; content:"?param=a"; content:"if%20not%28%28select%20serverproperty%28%27IsIntegratedSecurityOnly"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009042; classtype:attempted-recon; sid:2009042; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 30.0.1599.101"; ja3_hash; content:"53c7ed581cbaf36951559878fcec4559"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028067; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja Attempt To Recreate xp_cmdshell Using sp_configure"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Esp%5Fconfigure%20%27show%20advanced%20options"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009043; classtype:attempted-admin; sid:2009043; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 31.0.1650.57 & 32.0.1700.76 Safari/537.36"; ja3_hash; content:"fb8a6d2441ee9eaee8b560d48a8f59df"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028068; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja Attempt To Create xp_cmdshell Session"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Exp%5Fcmdshell%20%27cmd%20%2FC%20%25TEMP"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009044; classtype:attempted-admin; sid:2009044; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 31.0.1650.63"; ja3_hash; content:"f7c4dc1d9595c27369a183a5df9f7b52"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028069; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Stompy Web Application Session Scan"; flow:to_server,established; content:"Session Stomper"; offset:100; depth:25; reference:url,www.darknet.org.uk/2007/03/stompy-the-web-application-session-analyzer-tool/; reference:url,doc.emergingthreats.net/2008605; classtype:attempted-recon; sid:2008605; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 33.0.1750.117"; ja3_hash; content:"16d7ebc398d772ef9969d2ed2a15f4c0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028070; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN w3af Scan In Progress ARGENTINA Req Method"; flow:to_server,established; content:"ARGENTINA "; depth:10; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2011027; classtype:attempted-recon; sid:2011027; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 33.0.1750.117"; ja3_hash; content:"f3136cf565acf70dd2f98ca652f43780"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028071; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN WhatWeb Web Application Fingerprint Scanner Default User-Agent Detected"; flow:established,to_server; content:"|0d 0a|User-Agent|3A| WhatWeb/"; reference:url,www.morningstarsecurity.com/research/whatweb; reference:url,doc.emergingthreats.net/2010960; classtype:attempted-recon; sid:2010960; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 33.0.1750.154"; ja3_hash; content:"af0ae1083ab10ac957e394c2e7ec4634"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028072; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX SendCommand Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"SendCommand"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011200; classtype:attempted-user; sid:2011200; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 34.0.1847.116 & 35.0.1916.114 Safari/537.36"; ja3_hash; content:"4807d61f519249470ebed0b633e707cf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028073; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Login Method Buffer Oveflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"Login"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011201; classtype:attempted-user; sid:2011201; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 34.0.1847.116 & 35.0.1916.114 Safari/537.36"; ja3_hash; content:"ef3364da4d76c98a669cb828f2e5283a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028074; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBOpen Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"_DownloadPBOpen"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011203; classtype:attempted-user; sid:2011203; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 36.0.1985.125 & 37.0.2062.102 Safari/537.36"; ja3_hash; content:"5b348680dec77f585cfe82513213ac3a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028075; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBClose Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"_DownloadPBClose"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011204; classtype:attempted-user; sid:2011204; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 36.0.1985.125 - 40.0.2214.93 Safari/537.36"; ja3_hash; content:"52be6e88840d2211a243d9356550c4a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028076; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Snapshot Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"Snapshot"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011202; classtype:attempted-user; sid:2011202; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 37.0.0.0 Safari & Mobile Safari/537.36"; ja3_hash; content:"5f775bbfc50459e900d464ca1cecd136"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028077; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBControl Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"_DownloadPBControl"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011205; classtype:attempted-user; sid:2011205; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 37.0.0.0"; ja3_hash; content:"a167568462b993d5787488ece82a439a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028078; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AVC781Viewer.CV781Object"; nocase; distance:0; pcre:"/(SendCommand|Login|Snapshot|_DownloadPBControl|_DownloadPBClose|_DownloadPBOpen)/i"; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011206; classtype:attempted-user; sid:2011206; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 37.0.2062.120"; ja3_hash; content:"98652faa7e0a4d85f91e37aa6b8c0135"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028079; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Adobe browser document ActiveX DoS Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"AcroPDFLib.AcroPDF"; distance:0; nocase; content:"src"; nocase; reference:url,www.packetstormsecurity.nl/0911-exploits/acropdf-dos.txt; reference:url,doc.emergingthreats.net/2010705; classtype:attempted-user; sid:2010705; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 41.0.2272.89"; ja3_hash; content:"8b8322bad90e8bfbd66e664839b7a037"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028080; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Adobe browser document ActiveX DoS Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"CA8A9780-280D-11CF-A24D-444553540000"; nocase; distance:0; content:"src"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CA8A9780-280D-11CF-A24D-444553540000/si"; reference:url,www.packetstormsecurity.nl/0911-exploits/acropdf-dos.txt; reference:url,doc.emergingthreats.net/2010726; classtype:attempted-user; sid:2010726; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 42.0.2311.135"; ja3_hash; content:"aa9074aa1ff31c65d01c35b9764762b6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028081; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Ask.com Toolbar askBar.dll ActiveX ShortFormat Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"5A074B2B-F830-49DE-A31B-5BB9D7F6B407"; nocase; distance:0; content:"ShortFormat"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5A074B2B-F830-49DE-A31B-5BB9D7F6B407/si"; reference:url,www.packetstormsecurity.nl/0911-exploits/ask_shortformat.rb.txt; reference:url,secunia.com/advisories/26960/; reference:url,doc.emergingthreats.net/2010921; classtype:web-application-attack; sid:2010921; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 42.0.2311.135"; ja3_hash; content:"de0963bc1f3a0f70096232b272774025"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028082; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like sun4u)"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| Mozilla/4.76 [ru] (X11|3b| U|3b| SunOS 5.7 sun4u)"; nocase; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011244; classtype:web-application-attack; sid:2011244; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 43.0.2357.132 & 45.02454.94"; ja3_hash; content:"3bb36ec17fef5d3da04ceeb6287314c6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028083; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Bot Search RFI Scan (Casper-Like MaMa Cyber/ebes)"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa "; nocase; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011286; classtype:web-application-attack; sid:2011286; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 48.0.2564.116"; ja3_hash; content:"cd3f72760dfd5575b91213a8016c596b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028084; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Cherokee Web Server GET AUX Request Denial Of Service Attempt"; flow:established,to_server; content:"GET |2F|AUX HTTP|2F|1|2E|"; nocase; depth:16; reference:url,securitytracker.com/alerts/2009/Oct/1023095.html; reference:url,www.securityfocus.com/bid/36814/info; reference:url,www.securityfocus.com/archive/1/507456; reference:url,doc.emergingthreats.net/2010229; classtype:attempted-dos; sid:2010229; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 48.0.2564.97"; ja3_hash; content:"5406c4a87aa6cbcb7fc469fee526a206"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028085; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco ASA Appliance Clientless SSL VPN HTML Rewriting Security Bypass Attempt/Cross Site Scripting Attempt"; flow:to_client,established; content:"CSCO_WebVPN"; nocase; content:"csco_wrap_js"; within:100; nocase; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18442; reference:url,www.securityfocus.com/archive/1/504516; reference:url,www.securityfocus.com/bid/35476; reference:cve,2009-1201; reference:cve,2009-1202; reference:url,doc.emergingthreats.net/2010730; classtype:web-application-attack; sid:2010730; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 49.0.2623.75"; ja3_hash; content:"503fe06db7ef09b2cbd771c4e784c686"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028086; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 405 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 405 Method Not Allowed|0d 0a|"; depth:33; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010519; classtype:web-application-attack; sid:2010519; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 50.0.2661.102 1"; ja3_hash; content:"bd4267e1672f9df843ada7c963490a0d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028087; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 406 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 406 Not Acceptable|0d 0a|"; depth:29; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010521; classtype:web-application-attack; sid:2010521; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 50.0.2661.102 2"; ja3_hash; content:"caeb3b546fc7469776d51f1f54a792ca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028088; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 500 XSS Attempt (Internal Source)"; flow:from_server,established; content:"HTTP/1.1 500 Internal Server Error|0d 0a|"; depth:36; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010524; classtype:web-application-attack; sid:2010524; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.106 (test)"; ja3_hash; content:"aa84deda2a937ad225ef94161887b0cb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028089; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 503 XSS Attempt (Internal Source)"; flow:from_server,established; content:"HTTP/1.1 503 Service Unavailable|0d 0a|"; depth:34; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010526; classtype:web-application-attack; sid:2010526; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 1"; ja3_hash; content:"473e8bad0e8e1572197be80faa1795c3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028090; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL sp_password attempt"; flow:to_server,established; content:"sp_password"; nocase; reference:url,doc.emergingthreats.net/2000105; classtype:attempted-user; sid:2000105; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 2"; ja3_hash; content:"e0b0e6c934c686fd18a5727648b3ed4f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028091; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL sp_delete_alert attempt"; flow:to_server,established; content:"sp_delete_alert"; nocase; reference:url,doc.emergingthreats.net/2000106; classtype:attempted-user; sid:2000106; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 3"; ja3_hash; content:"7ddfe8d6f8b51a90d10ab3fe2587c581"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028092; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|#|20|This|20|is|20|a|20|sample|20|HOSTS|20|file|20|used|20|by|20|Microsoft|20|TCP/IP|20|for|20|Windows.|0d 0a|#|0d 0a|#|20|This|20|file|20|contains|20|the|20|mappings|20|of|20|IP|20|addresses|20|to|20|host|20|names."; reference:url,doc.emergingthreats.net/bin/view/Main/2008559; classtype:trojan-activity; sid:2008559; rev:8; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 4"; ja3_hash; content:"bc76a4185cc9bd4c72471620e552618c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028093; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE r57 phpshell footer detected"; flow:established,from_server; content:"r57shell - http-shell by RST/GHC"; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003535; classtype:web-application-activity; sid:2003535; rev:8; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 5"; ja3_hash; content:"8e3eea71cb5a932031d90cc0fba581bc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028094; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE x2300 phpshell detected"; flow:established,from_server; content:"x2300 Locus7Shell"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007651; classtype:web-application-activity; sid:2007651; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 6"; ja3_hash; content:"653924bcb1d6fd09a048a4978574e2c5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028095; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt"; flow:established,to_client; content:"|0d 0a|%FDF-"; depth:600; content:"/F(JavaScript|3a|"; nocase; distance:0; reference:url,www.securityfocus.com/bid/37763; reference:cve,2009-3956; reference:url,doc.emergingthreats.net/2010664; reference:url,www.stratsec.net/files/SS-2010-001_Stratsec_Acrobat_Script_Injection_Security_Advisory_v1.0.pdf; classtype:attempted-user; sid:2010664; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 7"; ja3_hash; content:"1ef652ecfb8e60e771a4710166afc262"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028096; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Wapiti Web Server Vulnerability Scan"; flow:to_server,established; content:"GET /"; depth:5; content:"?http|3A|//www.google."; within:100; nocase; content:"|0d 0a|User-Agent|3A 20|Python-httplib2"; distance:0; reference:url,wapiti.sourceforge.net/; reference:url,doc.emergingthreats.net/2008417; classtype:attempted-recon; sid:2008417; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 49.0.2623,87 (64-bit) Linux"; ja3_hash; content:"8a8159e6abf9fe493ca87efc38855149"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028097; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer URI Validation Remote Code Execution Attempt"; flow:established,to_client; content:"#|3A|../../"; content:"C|3A 5C|"; nocase; within:50; pcre:"/\x2E\x2E\x2F\x2E\x2E\x2F.+C\x3A\x5C[a-z]/si"; reference:url,www.securityfocus.com/bid/37884; reference:cve,2010-0027; reference:url,doc.emergingthreats.net/2010798; classtype:attempted-user; sid:2010798; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 49.0.2623,87 (64-bit) Linux"; ja3_hash; content:"a7f2d0376cdcfde3117bf6a8359b2ab8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028098; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER MSSQL Server OLEDB asp error"; flow: established,from_server; content:"Microsoft OLE DB Provider for SQL Server error"; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d42.htm; reference:url,doc.emergingthreats.net/2001768; classtype:web-application-activity; sid:2001768; rev:12; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 57.0.2987.110 (64-bit) Linux"; ja3_hash; content:"d551fafc4f40f1dec2bb45980bfa9492"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028099; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Containing Windows Commands Downloaded"; flow:established,to_client; content:"%PDF-"; content:"|3C 3C 0D 0A 20 2f|type|20 2F|action|0D 0A 20 2F|s|20 2F|launch|0D 0A 20 2F|win"; distance:0; nocase; reference:url,doc.emergingthreats.net/2011245; classtype:bad-unknown; sid:2011245; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 57.0.2987.110 (64-bit) Linux"; ja3_hash; content:"e330bca99c8a5256ae126a55c4c725c5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028100; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 406 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 406 Not Acceptable|0d 0a|"; depth:29; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010522; classtype:web-application-attack; sid:2010522; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 60/61.0.3163, Google Chrome"; ja3_hash; content:"94c485bca29d5392be53f2b8cf7f4304"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028101; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 500 Internal Server Error|0d 0a|"; depth:36; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010525; classtype:web-application-attack; sid:2010525; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 60/61.0.3163, Google Chrome"; ja3_hash; content:"bc6c386f480ee97b9d9e52d472b772d8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028102; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 503 Service Unavailable|0d 0a|"; depth:34; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010527; classtype:web-application-attack; sid:2010527; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 61.0.3163,100(64-bit) Win10"; ja3_hash; content:"d3b972883dfbd24fd20fc200ad8ab22a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028103; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Encoded javascriptdocument.write - usually hostile"; flow: established,to_client; content:"|313030|,111,99,117,109,101,110,116,46,119,114,105,116,101"; reference:url,doc.emergingthreats.net/2001811; classtype:misc-activity; sid:2001811; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome WebSockets (48.xxxx) - also TextSecure Desktop"; ja3_hash; content:"cafd1f84716def1a414c688943b99faf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028104; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Acrobat Reader Newclass Invalid Pointer Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|F2 3D 8D 23|"; reference:url,www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/; reference:cve,2010-1297; classtype:attempted-user; sid:2011519; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome WebSockets (48.xxxx)"; ja3_hash; content:"62d8823f52dd8e1ba75a9a83e8748313"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028105; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat newfunction Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|40 E8 D4 F1 FF 33|"; reference:url,www.adobe.com/support/security/bulletins/apsb10-15.html; reference:url,www.exploit-db.com/moaub-23-adobe-acrobat-and-reader-newfunction-remote-code-execution-vulnerability/; reference:bid,41236; reference:cve,2010-2168; classtype:attempted-user; sid:2011575; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/30.0.1599.101"; ja3_hash; content:"c405bbbe31c0e53ac4c8448355b2af5b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028106; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Cross-Origin Theft Attempt"; flow:established,to_client; content:"document.body.currentStyle.fontFamily"; nocase; content:".indexOf(|22|authenticity_token"; nocase; distance:0; reference:url,www.theregister.co.uk/2010/09/06/mystery_ie_bug/; reference:url,www.darknet.org.uk/2010/09/microsoft-investigate-ie-css-cross-origin-theft-vulnerability/; reference:url,seclists.org/fulldisclosure/2010/Sep/64; classtype:bad-unknown; sid:2011472; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/41.0.2272.89"; ja3_hash; content:"2c3221f495d5e4debbb34935e1717703"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028107; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT phoenix exploit kit - admin login page detected"; flow:established,to_client; content:"<title>Phoenix Exploit's Kit - Log In</title>"; classtype:exploit-kit; sid:2011281; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/49.0.2623.112 WinXP"; ja3_hash; content:"248bdbc3873396b05198a7e001fbd49a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028108; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Acrobat and Reader Pushstring Memory Corruption Attempt"; flow:established,to_client; flowbits:isset,ET.flash.pdf; content:"|2C E8 88 F0 FF 33|"; reference:url,www.exploit-db.com/moaub12-adobe-acrobat-and-reader-pushstring-memory-corruption/; reference:bugtraq,41237; reference:cve,2010-2201; classtype:attempted-user; sid:2011500; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/56.0.2924.87 Linux/Charles/Google Play Music Desktop Player/Postman/Slack/other desktop programs"; ja3_hash; content:"83e04bc58d402f9633983cbf22724b02"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028109; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Gootkit Website Infection Receiving FTP Credentials from Control Server"; flowbits:isset,ET.GOOTKIT; flow:established,from_server; content:"<acc><login>"; nocase; content:"</login><pass>"; nocase; distance:0; content:"</pass><serv>"; nocase; distance:0; content:"</serv><port>21</port>"; nocase; distance:0; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011287; classtype:web-application-attack; sid:2011287; rev:4; metadata:created_at 2010_09_28, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/59.0.3071.115 Win10, node.js"; ja3_hash; content:"9811c1bb9f0f6835d5c13a831cca4173"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028110; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Local Website Infected By Gootkit"; flow:established,from_server; content:"Gootkit iframer component"; nocase; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011285; classtype:web-application-attack; sid:2011289; rev:4; metadata:created_at 2010_09_28, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/60.0.3112.113 Win10, Chromium"; ja3_hash; content:"def8761e4bcaaf91d99801a22ac6f6d4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028111; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL SuperBuddy ActiveX Control Remote Code Execution Attempt"; flow:from_server,established; content:"189504B8-50D1-4AA8-B4D6-95C8F58A6414"; nocase; content:"SetSuperBuddy"; nocase; content:"//"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*189504B8-50D1-4AA8-B4D6-95C8F58A6414/si"; reference:url,www.securityfocus.com/bid/36580/info; reference:url,www.securityfocus.com/archive/1/506889; reference:url,doc.emergingthreats.net/2010039; classtype:attempted-user; sid:2010039; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chromium"; ja3_hash; content:"be9f1360cf52dc1f61ae025252f192a3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028112; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Awingsoft Web3D Player Remote Buffer Overflow"; flow:to_client,established; content:"17A54E7D-A9D4-11D8-9552-00E04CB09903"; nocase; content:"SceneURL"; nocase; reference:url,secunia.com/advisories/35764/; reference:url,milw0rm.com/exploits/9116; reference:url,shinnai.net/xplits/TXT_nsGUdeley3EHfKEV690p.html; reference:url,doc.emergingthreats.net/2009857; classtype:web-application-attack; sid:2009857; rev:8; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chromium"; ja3_hash; content:"fc5cb0985a5f5e295163cc8ffff8a6e1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028113; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite"; flow:to_client,established; content:"B973393F-27C7-4781-877D-8626AAEDF119"; nocase; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/Ri"; content:"SaveLastError"; nocase; reference:bugtraq,28546; reference:url,www.milw0rm.com/exploits/5338; reference:url,doc.emergingthreats.net/2008099; classtype:web-application-attack; sid:2008099; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Cisco AnyConnect Secure Mobility Client (3.1.09013)"; ja3_hash; content:"7f340e6caa1fa4c979df919227160ff6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028114; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow"; flow:to_client,established; content:"39FDA070-61BA-11D2-AD84-00105A17B608"; nocase; content:"%5F%DC%02%10%cc"; nocase; distance:0; content:"SecretKey"; nocase; reference:bugtraq,31814; reference:url,www.milw0rm.com/exploits/6793; reference:url,doc.emergingthreats.net/2008683; classtype:web-application-attack; sid:2008683; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Cisco AnyConnect Secure Mobility Client"; ja3_hash; content:"e7d46c98b078477c4324031e0d3b22f5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028115; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Avzhan DDOS Bot Outbound Hardcoded Malformed GET Request Denial Of Service Attack Detected"; flow:established,to_server; content:"GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm"; depth:49; nocase; threshold:type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; classtype:trojan-activity; sid:2011585; rev:4; metadata:created_at 2010_09_29, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Cisco AnyConnect Secure Mobility Client"; ja3_hash; content:"ed36017db541879619c399c95e22067d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028116; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Avaya CallPilot Unified Messaging ActiveX InstallFrom Method Access Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"7F14A9EE-6989-11D5-8152-00C04F191FCA"; nocase; distance:0; content:"InstallFrom"; nocase; reference:url,secunia.com/advisories/40184/; reference:bugtraq,40535; reference:url,doc.emergingthreats.net/10767; classtype:attempted-user; sid:2011692; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Citrix Receiver 4.4.0.8014"; ja3_hash; content:"203157ed9f587f0cfd265061bf309823"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028117; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Avaya CallPilot Unified Messaging ActiveX Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"NMWEBINST.NMWebInstCtrl.1"; nocase; distance:0; content:"InstallFrom"; nocase; reference:url,secunia.com/advisories/40184/; reference:bugtraq,40535; reference:url,doc.emergingthreats.net/2011681; classtype:attempted-user; sid:2011681; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Citrix Viewer"; ja3_hash; content:"5ee1a653fb824db7182714897fd3b5df"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028118; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Axis Media Controller ActiveX SetImage Method Remote Code Execution Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"DE625294-70E6-45ED-B895-CFFA13AEB044"; nocase; distance:0; content:"SetImage"; nocase; reference:bugtraq,41078; reference:url,doc.emergingthreats.net/2011722; classtype:attempted-user; sid:2011722; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Covenant Eyes"; ja3_hash; content:"a9d17f74e55dd53fcf7c234f8a240919"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028119; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Heap Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"4A46B8CD-F7BD-11D4-B1D8-000102290E7C"; nocase; distance:0; content:"0x400000"; distance:0; content:"ImageURL"; nocase; reference:bugtraq,31987; reference:url,milw0rm.com/exploits/6878; reference:url,doc.emergingthreats.net/2008790; classtype:web-application-attack; sid:2008790; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - CRAWLER: facebookexternalhit/1.1"; ja3_hash; content:"111da7c75fee7fe934b35a8d88eb350a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028120; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Object SMTP Component Buffer Overflow Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"EasyMail.SMTP.6"; distance:0; nocase; pcre:"/(AddAttachment|SubmitToExpress)/i"; reference:url,secunia.com/advisories/24199/; reference:url,www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/oracle_dc_submittoexpress.rb; reference:url,doc.emergingthreats.net/2010657; classtype:web-application-attack; sid:2010657; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Creative Cloud"; ja3_hash; content:"c882d9444412c00e71b643f3f54145ff"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028121; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AoA Audio Extractor ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"125C3F0B-1073-4783-9A7B-D33E54269CA5"; nocase; distance:0; content:"InitLicenKeys"; nocase; reference:url,exploit-db.com/exploits/14599/; reference:url,packetstormsecurity.org/1010-exploits/aoaae-rop.txt; classtype:web-application-attack; sid:2011801; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - cscan"; ja3_hash; content:"bc0608d33dc64506b42f7f5f87958f37"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028122; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 ActiveX Control Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MSVidCtlLib.MSVidVMR9"; nocase; distance:0; content:".CustomCompositorClass"; nocase; reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt; classtype:attempted-user; sid:2011590; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_02, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - curl (tested: 7.22.0 on Linux)"; ja3_hash; content:"764b8952983230b0ac23dbd3741d2bb0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028123; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Softek Barcode Reader Toolkit ActiveX Control Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"SoftekATL.CBarcode"; nocase; distance:0; content:".DebugTraceFile"; nocase; reference:url,exploit-db.com/exploits/15071/; classtype:attempted-user; sid:2011870; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - curl (tested: 7.43.0 OS X)"; ja3_hash; content:"9f198208a855994e1b8ec82c892b7d37"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028124; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Softek Barcode Reader Toolkit ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"11E7DA45-B56D-4078-89F6-D3D651EC4CD6"; nocase; distance:0; content:".DebugTraceFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*11E7DA45-B56D-4078-89F6-D3D651EC4CD6/si"; reference:url,exploit-db.com/exploits/15071; classtype:web-application-attack; sid:2011869; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - curl 7.35.0 (tested Ubuntu 14.x  openssl 1.0.1f)"; ja3_hash; content:"c458ae71119005c8bc26d38a215af68f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028125; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code Execution Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"15DBC3F9-9F0A-472E-8061-043D9CEC52F0"; nocase; distance:0; content:"extSetOwner"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15DBC3F9-9F0A-472E-8061-043D9CEC52F0/si"; reference:url,www.exploit-db.com/trend-micro-internet-security-pro-2010-activex-extsetowner-remote-code-execution/; classtype:attempted-user; sid:2011867; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - curl 7.37.0 / links 2.8 / git 2.6.6 (openSUSE Leap 42.1)"; ja3_hash; content:"e14d427fab707af91e4bbd0bf03076f8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028126; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt"; flow:to_client,established; content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; content:".CustomCompositorClass"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*24DC3975-09BF-4231-8655-3EE71F43837D/si"; reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt; classtype:web-application-attack; sid:2011589; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_02, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - curl"; ja3_hash; content:"f672d8f0e827ca1e704a9489b14dd316"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028127; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JcomBand toolbar ActiveX Control isRegistered Property Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"952E3F80-0C34-48CD-829B-A45913B29670"; nocase; distance:0; content:"isRegistered"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*952E3F80-0C34-48CD-829B-A45913B29670/si"; reference:url,www.exploit-db.com/exploits/11059; reference:url,secunia.com/advisories/38081/; reference:url,doc.emergingthreats.net/2010976; classtype:attempted-user; sid:2010976; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"; ja3_hash; content:"e3891da2a758d67ba921e5eec0b9707d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028128; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT VLC Media Player .ass File Buffer Overflow Attempt"; flowbits:isset,ET.ass.request; flow:established,to_client; content:"Dialogue|3A|"; nocase; isdataat:60000,relative; content:!"|0A|"; within:60000; reference:url,www.securityfocus.com/bid/37832/info; reference:url,doc.emergingthreats.net/2010758; classtype:attempted-user; sid:2010758; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Customised Postfix - Damnit Matt"; ja3_hash; content:"f865de0807a17e9cb797e618162356db"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028129; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT VLC Media Player smb URI Handling Remote Buffer Overflow Attempt"; flow:established,to_client; content:"<location>"; nocase; content:"smb|3A|//"; within:20; nocase; content:!"|0A|"; within:1000; isdataat:1000,relative; pcre:"/\x3Clocation\x3D.+smb\x3A\x2F\x2F.{1000}.+\x3C\x2Flocation\x3E/smi"; reference:url,www.securityfocus.com/bid/35500/info; reference:url,doc.emergingthreats.net/2010813; classtype:attempted-user; sid:2010813; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dashlane"; ja3_hash; content:"0217dc3bd88c696cc15374db0d848de4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028130; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT eval String.fromCharCode String Which May Be Malicious"; flow:established,to_client; content:"eval|28|"; fast_pattern; nocase; content:"String.fromCharCode|28|"; nocase; within:40; pcre:"/eval\x28(String\x2EfromCharCode\x28|[a-z,0-9]{1,20}\x28String\x2EfromCharCode\x28)/i"; classtype:bad-unknown; sid:2012173; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Debian APT-CURL/1.0 (1.2.15)"; ja3_hash; content:"f7baf7d9da27449e823a4003e14cd623"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028131; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation"; flow:established,to_client; content:"unescape|28 22|"; content:!"|29|"; within:100; content:"|22| +|0a|"; within:80; content:"|22| +|0a|"; within:80; content:"|22| "; within:80; content:"|22| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012196; rev:4; metadata:created_at 2011_01_17, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Debian APT-CURL/1.0 (1.2.20+)"; ja3_hash; content:"ec2e8760003621ca668b5f03e616cd57"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028132; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation 2"; flow:established,to_client; content:"unescape|28 27|"; content:!"|29|"; within:100; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012197; rev:5; metadata:created_at 2011_01_17, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Deezer"; ja3_hash; content:"4fcd1770545298cc119865aeba81daba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028133; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture File Overwrite or Buffer Overflow Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"NCSECWLib.NCSRenderer"; nocase; distance:0; content:"WriteJPG"; nocase; distance:0; reference:cve,2010-3599; classtype:attempted-user; sid:2012234; rev:4; metadata:created_at 2011_01_27, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox (installer?)"; ja3_hash; content:"ede63467191e9a12300e252c41ca9004"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028134; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Encoded %90 NOP SLED"; flow:established,to_client; content:"%90%90%90%90"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012112; rev:5; metadata:created_at 2010_12_28, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - DropBox (tested: 3.12.5 - Ubuntu 14.04TS & Win 10)"; ja3_hash; content:"653d342bee5001569662198a672746af"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028135; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 %u90 NOP SLED"; flow:established,to_client; content:"%u90%u90"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012110; rev:4; metadata:created_at 2010_12_28, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox (Win 8.1)"; ja3_hash; content:"482a11a20da1629b77aaadf640478d13"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028136; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer srcElement Memory Corruption Attempt"; flow:established,to_client; content:"document.createEventObject"; nocase; content:".innerHTML"; within:100; nocase; content:"window.setInterval"; distance:0; nocase; content:"srcElement"; fast_pattern; nocase; distance:0; reference:url,www.microsoft.com/technet/security/bulletin/ms10-002.mspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19726; reference:url,www.kb.cert.org/vuls/id/492515; reference:cve,2010-0249; reference:url,doc.emergingthreats.net/2010799; classtype:attempted-user; sid:2010799; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Client"; ja3_hash; content:"21ed4c7ee1daeb84c72199ceaf119b24"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028137; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding"; flow:established,to_client; content:"%72%65%70%6c%61%63%65%28"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012398; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Client"; ja3_hash; content:"30b168d81e38d9a55c474c1e30eaf9f9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028138; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function %u UTF-8 Encoding"; flow:established,to_client; content:"%u72%u65%u70%u6c%u61%u63%u65%u28"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012399; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Client"; ja3_hash; content:"f8e42933ba5b3990858ba621489047e3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028139; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function %u UTF-16 Encoding"; flow:established,to_client; content:"%u7265%u706c%u6163%u6528"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012400; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Setup (tested: 3.10.11 on Win 8.x)"; ja3_hash; content:"2f8363419a9fb80ad46b380778d8eaf1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028140; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-8 Encoding"; flow:established,to_client; content:"%u3c%u73%u63%u72%u69%u70%u74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012264; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Splash Pages (Win 10)"; ja3_hash; content:"c1e8322501b4d56d484b50bd7273e798"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028141; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-16 Encoding"; flow:established,to_client; content:"%u3c73%u6372%u6970%u74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012265; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Windows"; ja3_hash; content:"6c141f98cd79d8b505123e555c1c3119"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028142; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape % Encoding"; flow:established,to_client; content:"%75%6e%65%73%63%61%70%65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012266; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox"; ja3_hash; content:"054c9f9d304b7a2add3d6fa75bc20ae4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028143; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-8 Encoding"; flow:established,to_client; content:"%u75%u6e%u65%u73%u63%u61%u70%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012267; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox"; ja3_hash; content:"36bc8c7e10647bbfea3f740e7f05c0f1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028144; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-16 Encoding"; flow:established,to_client; content:"%u756e%u6573%u6361%u7065"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012268; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dynalist/Postman/Google Chrome/Franz/GOG Galaxy"; ja3_hash; content:"4c40bf8baa7c301c5dba8a20bc4119e2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028145; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr % Encoding"; flow:established,to_client; content:"%73%75%62%73%74%72"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012269; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse"; ja3_hash; content:"0411bbb5ff27ad46e1874a7a8beedacb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028146; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr %u UTF-8 Encoding"; flow:established,to_client; content:"%u73%u75%u62%u73%u74%u72"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012270; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse"; ja3_hash; content:"4990c9da08f44a01ecd7ddc3837caf25"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028147; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr %u UTF-16 Encoding"; flow:established,to_client; content:"%u7375%u6273%u7472"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012271; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse"; ja3_hash; content:"fa106fe5beec443af7e211ef8902e7e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028148; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval % Encoding"; flow:established,to_client; content:"%65%76%61%6c"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012272; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse/java"; ja3_hash; content:"d74778f454e2b047e030b291b94dd698"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028149; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval %u UTF-8 Encoding"; flow:established,to_client; content:"%u65%u76%u61%u6c"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012273; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Facebook iOS"; ja3_hash; content:"576a1288426703ae0008c42f95499690"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028150; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval %u UTF-16 Encoding"; flow:established,to_client; content:"%u6576%u616c"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012274; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Feedly/1.0, java,eclipse,Cyberduck"; ja3_hash; content:"f22bdd57e3a52de86cda40da2d84e83b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028151; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a0a%u0a0a UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0a0a%u0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012254; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - fetchmail 6.3.26 (openSUSE Leap 42.1)"; ja3_hash; content:"a698fe6c52d210e3376bb6667729d4d2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028152; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a%u0a%u0a%u0a UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0a%u0a%u0a%u0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012255; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - FieldServiceApp/socialstudio"; ja3_hash; content:"1fbe5382f9d8430fe921df747c46d95f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028153; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String"; flow:established,to_client; content:"%0c%0c%0c%0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012257; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 24.0 Iceweasel24.3.0"; ja3_hash; content:"3d99dda4f6992b35fdb16d7ce1b6ccba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028154; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c0c%u0c0c UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0c0c%u0c0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012258; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 25.0"; ja3_hash; content:"c57914fadb301a73e712378023b4b177"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028155; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c%u0c%u0c%u0c UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0c%u0c%u0c%u0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012259; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 26.0, Firefox/26.0"; ja3_hash; content:"755cdaa3496eb8728247a639dee17aad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028156; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX ASUS Net4Switch ipswcom.dll ActiveX Stack Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"1B9E86D8-7CAF-46C8-9938-569B21E17A8E"; nocase; distance:0; content:"CxDbgPrint"; nocase; reference:url,packetstormsecurity.org/files/110296/ASUS-Net4Switch-ipswcom.dll-ActiveX-Stack-Buffer-Overflow.html; classtype:attempted-user; sid:2014325; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_06, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 27.0"; ja3_hash; content:"ff9223b5c9a5d44a8a423833751fa158"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028157; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Windows Executable CreateRemoteThread"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; content:"CreateRemoteThread"; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms682437%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015589; rev:6; metadata:created_at 2012_08_08, former_category POLICY, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 3.0.19"; ja3_hash; content:"df9bedd5713fe0cc2e9184d7c16a5913"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028158; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 %u9090 NOP SLED"; flow:established,to_client; content:"%u9090%u"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012111; rev:5; metadata:created_at 2010_12_28, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 3.5 - 3.6, Firefox 3.5.19  3.6.27  SeaMonkey 2.0.14"; ja3_hash; content:"4a9bd55341e1ffe6fedb06ad4d3010a0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028159; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Hostile _dsgweed.class JAR exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"_dsgweed.class"; classtype:trojan-activity; sid:2018031; rev:3; metadata:created_at 2014_01_28, former_category CURRENT_EVENTS, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 40.0.3 (tested Windows 8), Firefox/37.0"; ja3_hash; content:"2872afed8370401ec6fe92acb53e5301"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028160; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Successful Juniper NetScreen ScreenOS Firmware Version Disclosure Attempt"; flow:established,from_server; content:"Juniper Networks, Inc"; content:"Version|3A|"; within:100; content:"ScreenOS"; distance:0; reference:url,securitytracker.com/alerts/2009/Apr/1022123.html; reference:url,www.securityfocus.com/bid/34710; reference:url,seclists.org/bugtraq/2009/Apr/242; reference:url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-05; reference:url,doc.emergingthreats.net/2010162; classtype:attempted-recon; sid:2010162; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 46.0"; ja3_hash; content:"46129449560e5731dc9c5106f111a3db"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028161; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Eclipse.DDOSBot CnC Beacon Response"; flow:established,to_client; file_data; content:"<base>PGNtZD"; within:12; reference:url,www.arbornetworks.com/asert/2014/04/trojan-eclipse-a-bad-moon-rising/; classtype:command-and-control; sid:2018423; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_04_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_09_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 46.0"; ja3_hash; content:"d06b3234356cb3df0983fc8dd02ece68"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028162; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL XPCmdShell Scan"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Exp%5Fcmdshell"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; classtype:attempted-recon; sid:2009039; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 47.0 2"; ja3_hash; content:"05ece02fb23acf2efbfff54ce4099a45"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028163; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M2"; flow:established,from_server; file_data; content:"pQGLlxyasMGLhxCco42bpR3YuVnZowWY2V"; classtype:exploit-kit; sid:2020427; rev:3; metadata:created_at 2015_02_16, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 47.x 1 / FireFox 47.x (Windows 7SP1)"; ja3_hash; content:"aa907c2c4720b6f54cd8b67a14cef0a3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028164; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - TH3BUG and Non-Targetted Groups Watering Hole Deobfuscation function"; flow:established,from_server; file_data; content:"Chr(CInt(ns(i)) Xor n)"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020563; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_25, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 49 (dev edition)"; ja3_hash; content:"f586111542f330901d9a3885a9c821b5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028165; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Unknown Exploit Pack URL Detected"; flow:to_server,established; content:"/imgurl"; nocase; http_uri; content:".php"; nocase; http_uri; content:"hl="; nocase; http_uri; classtype:bad-unknown; sid:2012324; rev:5; metadata:created_at 2011_02_21, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 49 (TLSv1.3 enabled - I think websockets)"; ja3_hash; content:"1996e434b11323df4e87f8fe0e702209"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028166; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (BSD style)"; flow:established,from_server; file_data; content:"root|3a|*|3a|0|3a|0|3a|"; nocase; content:"|3a|/root|3a|/bin"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003071; classtype:successful-recon-limited; sid:2003071; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 49 (TLSv1.3 enabled)"; ja3_hash; content:"8ed0a2cdcad81fc29313910eb94941d8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028167; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 12 2016"; flow:established,from_server; file_data; content:"|3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 2d 31|"; pcre:"/^\d{3}px\x3b\swidth\x3a3\d{2}px\x3b\sheight\x3a3\d{2}px\x3b\x22>[^<>]*?<iframe src=[\x22\x27][^\x22\x27]+[\x22\x27]\swidth=[\x22\x27]2\d{2}[\x22\x27]\sheight=[\x22\x27]2\d{2}[\x22\x27]><\/iframe>[^<>]*?\n[^<>]*?<\/span>/Rsi"; classtype:exploit-kit; sid:2022962; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_07_12, deployment Perimeter, malware_family PsuedoDarkLeech, signature_severity Major, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 49.0a2 Developer TLS 1.3 enabled"; ja3_hash; content:"8b18c5b0c54cba1ffb2438fe24792b63"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028168; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Embedded Executable File in PDF - This Program Cannot Be Run in DOS Mode"; flow:established,to_client; flowbits:isset,ET.pdf.in.http; file_data; content:"This program cannot be run in DOS mode"; nocase; classtype:bad-unknown; sid:2011865; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 63.0"; ja3_hash; content:"b20b44b18b853ef29ab773e921b03422"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028169; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B641"; flow:established,from_server; file_data; content:"VHJpZ2dlckZpbGxGcm9tUHJvdG90eXBlc0J1Z"; classtype:trojan-activity; sid:2023702; rev:3; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"0a81538cf247c104edb677bdb8902ed5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028170; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ProxyReconBot CONNECT method to Mail"; flow:established,to_server; content:"CONNECT "; depth:8; content:"|3A|25 HTTP/"; within:200; reference:url,doc.emergingthreats.net/2003869; classtype:misc-attack; sid:2003869; rev:9; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"0b6592fd91d4843c823b75e49b43838d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028171; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common 0a0a0a0a Heap Spray String"; flow:established,to_client; content:"0a0a0a0a"; nocase; reference:url,www.darkreading.com/vulnerabilities---threats/heap-spraying-attackers-latest-weapon-of-choice/d/d-id/1132487; classtype:shellcode-detect; sid:2012252; rev:5; metadata:created_at 2011_02_03, former_category SHELLCODE, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"1c15aca4a38bad90f9c40678f6aface9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028172; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access makeCall"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"makeCall"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017779; rev:4; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2019_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"5163bc7c08f57077bc652ec370459c2f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028173; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Galock Ransomware Command"; flow:established,from_server; file_data; content:"[LOCK]"; within:6; endswith; reference:url,twitter.com/kafeine/status/314859973064667136/photo/1; classtype:trojan-activity; sid:2016645; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"a88f1426c4603f2a8cd8bb41e875cb75"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028174; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Enchanim Check-in Response"; flow:established,to_client; file_data; content:"|3a|some_magic_code1"; distance:9; within:29; endswith; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:2016769; rev:3; metadata:created_at 2013_04_19, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"b03910cc6de801d2fcfa0c3b9f397df4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028175; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE njRAT Variant Outbound CnC Beacon"; flow:established,to_server; content:"|7c|nj-q8"; endswith; classtype:command-and-control; sid:2021057; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"bfcc1a3891601edb4f137ab7ab25b840"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028176; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE LuminosityLink - Inbound Data Channel CnC Delimiter"; flow:established,to_client; dsize:<25; content:"8_=_8"; fast_pattern; endswith; reference:md5,ab03070048fdbadbb901ec75b8f9f2e9; classtype:command-and-control; sid:2023241; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, malware_family Luminosity_Link, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"f15797a734d0b4f171a86fd35c9a5e43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028177; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE LuminosityLink - Outbound Data Channel CnC Delimiter"; flow:established,to_server; dsize:<25; content:"8_=_8"; fast_pattern; endswith; reference:md5,ab03070048fdbadbb901ec75b8f9f2e9; classtype:command-and-control; sid:2023242; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, malware_family Luminosity_Link, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/10.0.11esrpre Iceape/2.7.12"; ja3_hash; content:"55f2bd38d462d74fb6bb72d3630aae16"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028178; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Houdini/Hworm CnC Checkin M1"; flow:established,to_server; content:"new_houdini|0d 0a|"; fast_pattern; offset:4; depth:13; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; endswith; reference:md5,45009c70d362dcd253112c9cf1924f57; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance; classtype:command-and-control; sid:2023429; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category MALWARE, malware_family Houdini, malware_family Hworm, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/13.0-25.0"; ja3_hash; content:"85c420ab089dac5025034444789a8fb5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028179; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible DOUBLEPULSAR Beacon Response"; flow:from_server,established; content:"|00 00 00 23 ff|SMB2|02 00 00 c0 98 07 c0 00 00|"; depth:18; content:"|00 00 00 08 ff fe 00 08|"; distance:8; within:8; fast_pattern; pcre:"/^[\x50-\x59]/R"; content:"|00 00 00|"; distance:1; within:3; endswith; classtype:trojan-activity; sid:2024216; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_04_17, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag c2, updated_at 2019_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/14.0.1 Linux"; ja3_hash; content:"847b0c334fd0f6f85457054fabff3145"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028180; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALROMANCE MS17-010 Heap Spray"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18|"; offset:4; depth:10; content:"|07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 08|"; fast_pattern; within:16; content:"|00 08|"; distance:2; within:2; content:"|0e 00 00 40 00|"; distance:2; within:5; content:"|00 00 00 00 00 00 01 00 00 00 00 00 00 00 00|"; distance:2; within:15; content:"|00 00 00 00 00 00 00 00 00|"; endswith; threshold: type threshold, track by_src, count 20, seconds 1; classtype:trojan-activity; sid:2024219; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/25.0"; ja3_hash; content:"e98db583389531a37f2fe8d251f0f7ae"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028181; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"zugzwang.me"; nocase; endswith; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023599; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/27.0-32.0, IceWeasel 31.8.0"; ja3_hash; content:"cc9bcf019b339c01d200515d1cb39092"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028182; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] QRat.Java.RAT (state_alive)"; flow:established,to_server; content:"|00 11 7b 22 73 74 61 74 65 22 3a 22 61 6c 69 76 65 22 7d|"; depth:19; endswith; threshold: type both, track by_src, count 10, seconds 30; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:trojan-activity; sid:2025391; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category TROJAN, malware_family QRat, signature_severity Major, tag Qrat, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/28.0-30.0"; ja3_hash; content:"45d22e6403f053bfb2cc223755588533"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028183; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (MSF style)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18 01 28|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:2; within:10; content:"|23 00 00 00 07 00 5c 50 49 50 45 5c 00|"; fast_pattern; endswith; threshold: type limit, track by_src, count 1, seconds 30; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025649; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_11, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Metasploit, tag ETERNALBLUE, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/31 Linux, firefox"; ja3_hash; content:"ce694315cbb81ce95e6ae4ae8cbafde6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028184; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010"; flow:from_server,established; content:"|ff|SMB|25 05 02 00 c0 98 01|"; offset:4; depth:11; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:3; within:10; content:"|00 00 00|"; distance:8; within:3; endswith; threshold: type limit, track by_src, count 1, seconds 30; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025650; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_11, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Metasploit, tag ETERNALBLUE, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/32.0"; ja3_hash; content:"8df37d4e7430e2d9a291ae9ee500a1a9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028185; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (Generic Flags)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00|"; offset:4; depth:9; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:5; within:10; content:"|23 00 00 00 07 00 5c 50 49 50 45 5c 00|"; fast_pattern; endswith; threshold: type limit, track by_src, count 1, seconds 30; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025992; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_15, deployment Perimeter, former_category EXPLOIT, malware_family ETERNALBLUE, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/33.0"; ja3_hash; content:"5ba6ed04b246c96c6839e0268a8b826f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028186; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT CnC Init Activity"; flow:established,to_client; dsize:11; content:"AUT_packet_"; depth:11; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:command-and-control; sid:2026580; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category MALWARE, malware_family JavaRAT, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/33.0"; ja3_hash; content:"c5392af25feaf95cfefe858abd01c86b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028187; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT Keep-Alive (inbound)"; flow:established,to_client; dsize:11; content:"PNG_packet_"; depth:11; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026582; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/34.0-35.00"; ja3_hash; content:"9250f97ba65d86e7b0e60164c820d91a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028188; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT Keep-Alive (outbound)"; flow:established,to_server; dsize:11; content:"PNG_packet_"; depth:11; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026583; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/34.0-35.00"; ja3_hash; content:"ab834ac5135f2204d473878821979cea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028189; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT Requesting Screen Size"; flow:established,to_client; dsize:13; content:"SC.OP_packet_"; depth:13; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026586; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/37.0, Google Chrome 45.0.2454.85 or FireFox 41-42"; ja3_hash; content:"514058a66606ae870bcc670e95ca7e68"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028190; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Mirai Variant Checkin Response"; flow:established,to_client; content:"|21 2a 20|LOLNOBYE"; endswith; reference:url,www.stratosphereips.org/blog/2019/5/17/iot-malware-analysis-series-a-mirai-variant-in-ctu-iot-malware-capture-49-1; classtype:command-and-control; sid:2027366; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_05_20, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/38 Linux"; ja3_hash; content:"edf844351bc867631b5ebceda318669b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028191; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Emptiness v1 CnC Checkin"; flow:established,to_server; dsize:7; content:"ilove26"; depth:7; fast_pattern; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027834; rev:2; metadata:affected_product Linux, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, malware_family Emptiness, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/40.1 Windows 7"; ja3_hash; content:"05af1f5ca1b87cc9cc9b25185115607d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028192; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Emptiness v1.1 CnC Checkin"; flow:established,to_server; dsize:12; content:"aWxvdmUyNg=="; depth:12; fast_pattern; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027835; rev:2; metadata:affected_product Linux, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, malware_family Emptiness, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/45.0 Linux, firefox,thunderbird"; ja3_hash; content:"07b4162d4db57554961824a21c4a0fde"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028193; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR (b2bb01039307baa2) CnC Checkin"; flow:established,to_server; dsize:24; content:"d3ec7975f76aefdbfcdc3c3e"; depth:24; fast_pattern; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027836; rev:2; metadata:affected_product Linux, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, malware_family Emptiness, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/51.0 Windows 10, firefox,thunderbird"; ja3_hash; content:"61d0d709fe7ac199ef4b2c52bc8cef75"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028194; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain photogalaxyzone.com"; dns_query; content:"photogalaxyzone.com"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016606; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/52 Linux"; ja3_hash; content:"4e66f5ad78f3d9ad8d5c7c88d138db43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028195; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain insightpublicaffairs.org"; dns_query; content:"insightpublicaffairs.org"; depth:24; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016620; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/52"; ja3_hash; content:"ca0f3f4c08cbd372720beb1af7d2721f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028196; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain seyuieyahooapis.com"; dns_query; content:"seyuieyahooapis.com"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016624; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/55 Windows 10"; ja3_hash; content:"1885aa9927f99ed538ed895d9335995c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028197; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain dailynewsjustin.com"; dns_query; content:"dailynewsjustin.com"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016627; rev:4; metadata:created_at 2013_03_20, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/55/56 Mac/Win/Linux"; ja3_hash; content:"0ffee3ba8e615ad22535e7f771690a28"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028198; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain hi-tecsolutions.org"; dns_query; content:"hi-tecsolutions.org"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016628; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/56.0 Windows 10"; ja3_hash; content:"be1a7de97ea176604a3c70622189d78d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028199; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"njdyqrbioh.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018270; rev:9; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/6.0.1 - 12.0"; ja3_hash; content:"2aef69b4ba1938c3a400de4188743185"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028200; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"vqvsaergek.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018265; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Flux"; ja3_hash; content:"504ecb2d3e5e83a179316f098dadbaeb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028201; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"pbcgmmympm.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018266; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Franz/Google Chrome/Kiwi/Spotify/nwjs/Slack"; ja3_hash; content:"8498fe4268764dbf926a38283e9d3d8f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028202; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"tyixfhsfax.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018268; rev:9; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - FullTilt Poker v16.5 (OS X) #1"; ja3_hash; content:"a6090977601dc1345948f101e46d5759"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028203; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"qgjhmerjec.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018269; rev:9; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - FullTilt Poker v16.5 (OS X) or DropBox"; ja3_hash; content:"f1b9f86645cb839bd6992e848d943898"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028204; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"btloxcyrok.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018271; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Fuze"; ja3_hash; content:"900c1fa84b4ea86537e1d148ee16eae8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028205; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"afwyhvinmw.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018272; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - geod"; ja3_hash; content:"107144b88827da5da9ed42d8776ccdc5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028206; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"wyfxanxjeu.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018273; rev:11; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - geod"; ja3_hash; content:"c46941d4de99445aef6b497679474cf4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028207; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"qemyxsdigi.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018274; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - git commandline (tested: 1.9. Linux)"; ja3_hash; content:"3e765b7a69050906e5e48d020921b98e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028208; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for a known malware domain (regicsgf.net)"; dns_query; content:"regicsgf.net"; depth:12; fast_pattern; nocase; endswith; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014572; rev:7; metadata:created_at 2012_04_16, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Git-Bash (Tested v2.6.0) / curl 7.47.1 (cygwin)"; ja3_hash; content:"d0df7f7c9ca173059b2cd17ce5c2e5cc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028209; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.gowin7.com"; dns_query; content:".gowin7.com"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015597; rev:6; metadata:created_at 2012_08_10, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - GitHub Desktop (tested build 216 on OSX)"; ja3_hash; content:"f8c50bbee59c526ca66da05f3dc4b735"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028210; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.secuurity.net"; dns_query; content:".secuurity.net"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015598; rev:6; metadata:created_at 2012_08_10, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Glympse Location Tracking??"; ja3_hash; content:"c5cbafbbcf53dfbfc2a803ca3833fce2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028211; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.dataspotlight.net"; dns_query; content:".dataspotlight.net"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015601; rev:7; metadata:created_at 2012_08_10, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - GMail SMTP Relay"; ja3_hash; content:"a3b2fe29619fdcb7a9422b8fddb37a67"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028212; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.datajunction.org"; dns_query; content:".datajunction.org"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015618; rev:6; metadata:created_at 2012_08_13, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - GNU Wget 1.16.1 built on darwin14.0.0"; ja3_hash; content:"94b94048a438e77122fc4eee3a6a4a26"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028213; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup hotfix-update.com"; dns_query; content:"hotfix-update.com"; depth:17; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019570; rev:5; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - GNUTLS Commandline"; ja3_hash; content:"0267b752d6a8b5fd195096b41ea5839c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028214; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Cloud Atlas haarmannsi.cz"; dns_query; content:"haarmannsi.cz"; depth:13; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019910; rev:4; metadata:created_at 2014_12_11, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - golang (tested: 1.4.1)"; ja3_hash; content:"f11b0fca6c063aa69d8d39e0d68b6178"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028215; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Cloud Atlas sanygroup.co.uk"; dns_query; content:"sanygroup.co.uk"; depth:15; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019911; rev:5; metadata:created_at 2014_12_11, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Calendar Agent (Tested on OSX)"; ja3_hash; content:"07ef3a7f5f8ffef08affb186284f2af4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028216; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (casinoroyal7.ru)"; dns_query; content:"casinoroyal7.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020045; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (43.0.2357.130 64-bit OSX)"; ja3_hash; content:"abe568de919448adcd756aea9a136aea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028217; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (cryptdomain.dp.ua)"; dns_query; content:"cryptdomain.dp.ua"; depth:17; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020046; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (Android)"; ja3_hash; content:"400961c8161ba7661a7029d3f7e8bb95"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028218; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (it-newsblog.ru)"; dns_query; content:"it-newsblog.ru"; depth:14; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020049; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (tested: 43.0.2357.130 64-bit OSX)"; ja3_hash; content:"072c0469aa4f2f597bb38bcc17095c51"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028219; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (js-static.ru)"; dns_query; content:"js-static.ru"; depth:12; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020050; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (tested: 43.0.2357.130 64-bit OSX)"; ja3_hash; content:"696cd0c8c241e19e3d6336c3d3d9e2e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028220; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (lagosadventures.com)"; dns_query; content:"lagosadventures.com"; depth:19; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020051; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (tested: 43.0.2357.130 64-bit OSX)"; ja3_hash; content:"c40b51e2a59425b6a2b500d569962a60"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028221; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (lebanonwarrior.ru)"; dns_query; content:"lebanonwarrior.ru"; depth:17; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020052; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome 45.0.2454.101"; ja3_hash; content:"e8aabc4fe1fc8d47c648d37b2df7485f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028222; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (nigerianbrothers.net)"; dns_query; content:"nigerianbrothers.net"; depth:20; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020053; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome 46.0.2490.71 m"; ja3_hash; content:"7ea3e17d09294aee8425ae05588f0c66"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028223; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (princeofnigeria.net)"; dns_query; content:"princeofnigeria.net"; depth:19; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020055; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome 46.0.2490.71"; ja3_hash; content:"a9030ea4837810ce89fb8a3d39ca12ed"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028224; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (royalgourp.org)"; dns_query; content:"royalgourp.org"; depth:14; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020056; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome Helper"; ja3_hash; content:"0e46737668fe75092919ee047a0b5945"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028225; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (tweeter-stat.ru)"; dns_query; content:"tweeter-stat.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020060; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome Helper"; ja3_hash; content:"39fa85654105398ee7ef6a3a1c81d685"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028226; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy1-1-1.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy1-1-1.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020228; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome Helper"; ja3_hash; content:"4ba7b7022f5f5e1e500bb19199d8b1a4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028227; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy2-2-2.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy2-2-2.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020229; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"002205d0f96c37c5e660b9f041363c11"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028228; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy3-3-3.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy3-3-3.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020230; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"073eede15b2a5a0302d823ecbd5ad15b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028229; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy4-4-4.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy4-4-4.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020231; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"0b61c673ee71fe9ee725bd687c455809"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028230; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy5-5-5.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy5-5-5.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020232; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"6cd1b944f5885e2cfbe98a840b75eeb8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028231; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (blackblog.chatnook.com)"; dns_query; content:"blackblog.chatnook.com"; depth:22; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020246; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"b4f4e6164f938870486578536fc1ffce"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028232; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (bulldog.toh.info)"; dns_query; content:"bulldog.toh.info"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020247; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"b8f81673c0e1d29908346f3bab892b9b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028233; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (cew58e.xxxy.info)"; dns_query; content:"cew58e.xxxy.info"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020248; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"baaac9b6bf25ad098115c71c59d29e51"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028234; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (dynamic.ddns.mobi)"; dns_query; content:"dynamic.ddns.mobi"; depth:17; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020251; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"da949afd9bd6df820730f8f171584a71"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028235; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (football.mrbasic.com)"; dns_query; content:"football.mrbasic.com"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020253; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"fd6314b03413399e4f23d1524d206692"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028237; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (gjjb.flnet.org)"; dns_query; content:"gjjb.flnet.org"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020254; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome/Slack"; ja3_hash; content:"5498cef2cca704eb01cf2041cc1089c1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028238; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (imirnov.ddns.info)"; dns_query; content:"imirnov.ddns.info"; depth:17; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020255; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Drive (tested: 1.26.0707.2863 - Win 8.x & Win 10)"; ja3_hash; content:"c1741dd3d2eec548df0bcd89e08fa431"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028239; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (jingnan88.chatnook.com)"; dns_query; content:"jingnan88.chatnook.com"; depth:22; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020256; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Drive File Stream"; ja3_hash; content:"d27fb8deca6e3b9739db3fda2b229fe3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028240; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (lehnjb.epac.to)"; dns_query; content:"lehnjb.epac.to"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020257; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Earth Linux 7.1.4.1529"; ja3_hash; content:"b16614e71d26ba348c94bfc8e33b1767"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028241; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (logoff.25u.com)"; dns_query; content:"logoff.25u.com"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020258; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Earth"; ja3_hash; content:"ae340571b4fd0755c4a0821b18d8fa93"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028242; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (ls910329.my03.com)"; dns_query; content:"ls910329.my03.com"; depth:17; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020260; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Mail server starttls connection"; ja3_hash; content:"9af622c65a17a0bf90d6e9504be96a43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028243; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (mailru.25u.com)"; dns_query; content:"mailru.25u.com"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020261; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Photos Backup"; ja3_hash; content:"f059212ce3de94b1e8253a7522cb1b44"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028244; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (Markshell.etowns.net)"; dns_query; content:"Markshell.etowns.net"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020262; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - GoogleBot"; ja3_hash; content:"50dfee94717e9640b1c384e5bd78e61e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028245; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (mydear.ddns.info)"; dns_query; content:"mydear.ddns.info"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020263; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - gramblr"; ja3_hash; content:"fd10cc8cce9493a966c57249e074755f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028246; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (nazgul.zyns.com)"; dns_query; content:"nazgul.zyns.com"; depth:15; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020264; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Great Firewall of China Probe (via pcaps from https://nymity.ch/active-probing/)"; ja3_hash; content:"e76ac6872939f6ebfdf75f1ea73b4daf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028247; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (newdyndns.scieron.com)"; dns_query; content:"newdyndns.scieron.com"; depth:21; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020265; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - HipChat"; ja3_hash; content:"d9b07b9095590f4ff910ceee7b6af88a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028248; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (newoutlook.darktech.org)"; dns_query; content:"newoutlook.darktech.org"; depth:23; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020266; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"3e860202fc555b939e83e7a7ab518c38"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028249; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (photocard.4irc.com)"; dns_query; content:"photocard.4irc.com"; depth:18; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020267; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"54328bd36c14bd82ddaa0c04b25ed9ad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028250; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (pricetag.deaftone.com)"; dns_query; content:"pricetag.deaftone.com"; depth:21; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020268; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"56ac3a0bef0824c49e4b569941937088"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028251; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (rubberduck.gotgeeks.com)"; dns_query; content:"rubberduck.gotgeeks.com"; depth:23; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020269; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"8bd59c4b7f3193db80fd64318429bcec"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028252; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (shutdown.25u.com)"; dns_query; content:"shutdown.25u.com"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020270; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"d1f9f9b224387d2597f02095fcec96d7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028253; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (sorry.ns2.name)"; dns_query; content:"sorry.ns2.name"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020271; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"ff1040ba1e3d235855ef0d7cd9237fdc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028254; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (sskill.b0ne.com)"; dns_query; content:"sskill.b0ne.com"; depth:15; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020272; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - HTTRack"; ja3_hash; content:"a1ec6fd012b9ee6f84c50339c4205270"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028255; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (text-First.flnet.org)"; dns_query; content:"text-First.flnet.org"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020273; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - IDSyncDaemon"; ja3_hash; content:"5af143afdbf58ec11ab3b3d53dd4e5e3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028256; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (uudog.4pu.com)"; dns_query; content:"uudog.4pu.com"; depth:13; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020274; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - IE 11 Win10"; ja3_hash; content:"fee8ec956f324c71e58a8c0baf7223ef"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028257; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (will-smith.dtdns.net)"; dns_query; content:"will-smith.dtdns.net"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020275; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - IE 11"; ja3_hash; content:"4cafc7a0acf83a49317ca199b2f25c82"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028258; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (ndcinformation.acmetoy.com)"; dns_query; content:"ndcinformation.acmetoy.com"; depth:26; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020276; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - IE 11"; ja3_hash; content:"78273d33877a36c0c30e3fb7578ee9e7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028259; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (service.authorizeddns.net)"; dns_query; content:"service.authorizeddns.net"; depth:25; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020277; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - In all the malware samples - Java updater perhaps, java"; ja3_hash; content:"a61299f9b501adcf680b9275d79d4ac6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028260; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (text-first.trickip.org)"; dns_query; content:"text-first.trickip.org"; depth:22; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020278; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Inbox OSX"; ja3_hash; content:"d06acbe8ac31e753f40600a9d6717cba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028261; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious boltotor.com Domain - Possible CryptoWall Activity"; dns_query; content:"boltotor.com"; depth:12; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020285; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - inoreader.com-like FeedFetcher-Google, inoreader.com"; ja3_hash; content:"3ca5d63fa122552463772d3e87d276f2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028262; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious bonytor2.com Domain -Possible CryptoWall Activity"; dns_query; content:"bonytor2.com"; depth:12; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020286; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Internet Explorer 11 .0.9600.1731.(Win 8.1)"; ja3_hash; content:"a6776199188c09f5124b46b895772fa2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028263; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious speecostor.com Domain -Possible CryptoWall Activity"; dns_query; content:"speecostor.com"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020287; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Internet Explorer 11.0.9600.17959"; ja3_hash; content:"a264c0bb146b2fade4410bcd61744b69"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028264; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (expert.4irc.com)"; dns_query; content:"expert.4irc.com"; depth:15; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020252; rev:5; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Internet Explorer 11.0.9600.18349 / TeamViewer 10.0.47484P / Notepad++ Update Check / Softperfect Network Scanner Update Check / Wireshark 2.0.4 Update Check"; ja3_hash; content:"d54b3eb800cbeccf99fd5d5cdcd7b5b5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028265; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Careto Mask DNS Lookup (msupdate.ath.cx)"; dns_query; content:"msupdate.ath.cx"; depth:15; nocase; endswith; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021712; rev:4; metadata:created_at 2015_08_25, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - iOS AppleWebKit/536.26"; ja3_hash; content:"06d930b072bf052b10d0a9eea1554f60"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028266; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Careto Mask DNS Lookup (karpeskmon.dyndns.org)"; dns_query; content:"karpeskmon.dyndns.org"; depth:21; nocase; endswith; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021714; rev:4; metadata:created_at 2015_08_25, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - iOS Mail App (tested: iOS 9.3.3)"; ja3_hash; content:"99204897b101b15f87e9b07f67453f4e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028267; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Careto Mask DNS Lookup (isaserver.minrex.gov.cu)"; dns_query; content:"isaserver.minrex.gov.cu"; depth:23; nocase; endswith; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021715; rev:4; metadata:created_at 2015_08_25, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - iPad CPU OS 9_3_5 Safari 601.1 Used by many programs - apple.WebKit.Networking"; ja3_hash; content:"a9aecaa66ad9c6cfe1c361da31768506"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028268; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible PlugX DNS Lookup (operaa.net)"; dns_query; content:"operaa.net"; depth:10; nocase; endswith; fast_pattern; reference:url,volexity.com/blog/?p=179; classtype:trojan-activity; sid:2021936; rev:4; metadata:created_at 2015_10_08, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - iPhone OS 10_3_3 Safari 602.1, Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"7e72698146290dd68239f788a452e7d8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028269; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX or EvilGrab DNS Lookup (appeur.gnway.cc)"; dns_query; content:"appeur.gnway.cc"; depth:15; nocase; endswith; fast_pattern; reference:url,asert.arbornetworks.com/defending-the-white-elephant/; classtype:trojan-activity; sid:2021961; rev:4; metadata:created_at 2015_10_16, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - iTunes/iBooks #1"; ja3_hash; content:"c6ecc5ba2a6ab724a7430fa4890d957d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028270; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sakula DNS Lookup (mail.cbppnews.com)"; dns_query; content:"mail.cbppnews.com"; depth:17; nocase; endswith; fast_pattern; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf; classtype:trojan-activity; sid:2022272; rev:4; metadata:created_at 2015_12_17, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - iTunes/iBooks #2"; ja3_hash; content:"c07295da5465d5705a38f044e53ef7c4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028271; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bulta DNS Lookup (kugo.f3322.net)"; dns_query; content:"kugo.f3322.net"; depth:14; nocase; endswith; fast_pattern; reference:md5,8dd612b14a2a448e8b1b6f3d09909e45; classtype:trojan-activity; sid:2022346; rev:5; metadata:created_at 2016_01_09, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Java 8U91 Update Check, Windows Java Plugin (tested: v8 Update 60), BurpSuite Free (Tested: 1.7.03 on Windows 10), java,studio,eclipse"; ja3_hash; content:"2db6873021f2a95daa7de0d93a1d1bf2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028272; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bulta DNS Lookup (yk.ftwxw.com)"; dns_query; content:"yk.ftwxw.com"; depth:12; nocase; endswith; fast_pattern; reference:md5,5b9a9e363f46f09e7f40c5cde2c90361; classtype:trojan-activity; sid:2022347; rev:5; metadata:created_at 2016_01_09, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"093081b45872912be9a1f2a8163fe041"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028273; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 2"; dns_query; content:"aaa123.spdns.de"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022412; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"2080bf56cb87e64303e27fcd781e7efd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028274; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 3"; dns_query; content:"accounts.yourturbe.org"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022413; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"225a24b45f0f1adbc2e245d4624c6e08"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028275; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 4"; dns_query; content:"account.websurprisemail.com"; depth:27; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022414; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"3afe1fb5976d0999abe833b14b7d6485"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028276; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 5"; dns_query; content:"addi.apple.cloudns.org"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022415; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"3b844830bfbb12eb5d2f8dc281d349a9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028277; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 7"; dns_query; content:"apple.lenovositegroup.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022417; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"550628650380ff418de25d3d890e836e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028278; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 8"; dns_query; content:"bailee.alanna.cloudns.biz"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022418; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"5b270b309ad8c6478586a15dece20a88"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028279; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 9"; dns_query; content:"bee.aoto.cloudns.org"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022419; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"5d7abe53ae15b4272a34f10431e06bf3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028280; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 10"; dns_query; content:"bits.githubs.net"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022420; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"7c7a68b96d2aab15d678497a12119f4f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028281; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 11"; dns_query; content:"book.websurprisemail.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022421; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"88afa0dea1608e28f50acbad32d7f195"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028282; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 12"; dns_query; content:"clean.popqueen.cloudns.org"; depth:26; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022422; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"8ce6933b8c12ce931ca238e9420cc5dd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028283; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 13"; dns_query; content:"desk.websurprisemail.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022423; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"a9fead344bf3ac09f62df3cd9b22c268"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028284; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 14"; dns_query; content:"detail43.myfirewall.org"; depth:23; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022424; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java/eclipse/STS"; ja3_hash; content:"028563cffc7a3a2e32090aee0294d636"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028285; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 18"; dns_query; content:"economy.spdns.eu"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022428; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java/JavaApplicationStub"; ja3_hash; content:"5f9b53f0d39dc9d940a3b5568fe5f0bb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028286; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 19"; dns_query; content:"eemete.freetcp.com"; depth:18; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022429; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - JavaApplicationStub"; ja3_hash; content:"c376061f96329e1020865a1dc726927d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028287; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 21"; dns_query; content:"firewallupdate.firewall-gateway.net"; depth:35; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022431; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - K9 Mail (Android)"; ja3_hash; content:"ced7418dee422dd70d2a6f42bb042432"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028288; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 22"; dns_query; content:"fish.seafood.cloudns.org"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022432; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Kindle/stack/nextcloud"; ja3_hash; content:"e516ad69a423f8e0407307aa7bfd6344"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028289; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 23"; dns_query; content:"ftp112.lenta.cloudns.pw"; depth:23; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022433; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Konqueror 4.14.18 (openSUSE Leap 42.1) 2"; ja3_hash; content:"8194818a46f5533268472f2167ffec70"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028290; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 28"; dns_query; content:"mail.firewall-gateway.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022438; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Konqueror 4.14.18 / Kmail 4.14.18 (openSUSE Leap 42.1) 1"; ja3_hash; content:"78253eb48a1431a4bbbe6bb4358464ac"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028291; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 29"; dns_query; content:"mareva.catherine.cloudns.us"; depth:27; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022439; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Konqueror 4.8, OpenSSL s_client (tested: 1.0.1f - Ubuntu 14.04TS)"; ja3_hash; content:"0e0b798d0208ad365eec733b29da92a6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028292; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 30"; dns_query; content:"mm.lenovositegroup.com"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022440; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - LeagueClientUx"; ja3_hash; content:"3959d0a1344896e9fb5c0564ca0a2956"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028293; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 31"; dns_query; content:"muslim.islamhood.net"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022441; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - LINE Messaging"; ja3_hash; content:"0fe51fa93812c2ebb50a655222a57bf2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028294; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 32"; dns_query; content:"news.firewall-gateway.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022442; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - LINE Messaging"; ja3_hash; content:"2e094913d88f0ad8dc69447cb7d2ce65"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028295; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 35"; dns_query; content:"p.klark.cloudns.in"; depth:18; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022445; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - LogMeIn Client"; ja3_hash; content:"193349d34561d1d5d1a270172eb2d97e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028296; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 36"; dns_query; content:"ppcc.vasilevich.cloudns.info"; depth:28; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022446; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Mail app iOS"; ja3_hash; content:"0cbbafcdaf63cbf1e490c4a2d903f24b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028297; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 37"; dns_query; content:"press.ufoneconference.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022447; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Marble (KDE 5.21.0 QT 5.5.1 openSUSE Leap 42.1)"; ja3_hash; content:"fc5574de96793b73355ca9e555748225"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028298; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 38"; dns_query; content:"qq.yourturbe.org"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022448; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Maxthon"; ja3_hash; content:"d732ca39155f38942f90e9fc2b0f97f7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028299; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 39"; dns_query; content:"sys.firewall-gateway.net"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022449; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Messenger/Jumpshare"; ja3_hash; content:"c9dbeed362a32f9a50a26f4d9b32bbd8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028300; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 40"; dns_query; content:"vip.yahoo.cloudns.info"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022450; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Microsoft Smartscreen"; ja3_hash; content:"bedb7e0ff43a24272eb0a41993c65faf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028305; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 43"; dns_query; content:"www.angleegg.xxxy.info"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022453; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Microsoft Updater (Windows 7SP1) / TeamViewer 11.0.56083P"; ja3_hash; content:"bff2c7b5c666331bfe9afacefd1bdb51"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028306; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 48"; dns_query; content:"www.uyghuri.MrFace.com"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022458; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Microsoft Windows Socket (Tested: Windows 10)"; ja3_hash; content:"48cf5fb702315efbfc88ee3c8c94c6cb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028307; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 49"; dns_query; content:"youturbe.co.cc"; depth:14; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022459; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - mj12bot.com"; ja3_hash; content:"11e1137464a4343105031631d470cd92"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028310; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 50"; dns_query; content:"yycc.mrbonus.com"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022460; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Mobile Safari/537.35+ BB10"; ja3_hash; content:"87c6dda19108d68e526a72d9ae09fb9e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028311; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 45"; dns_query; content:"tally.myfirewall.org"; depth:20; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/03/shifting-tactics/; classtype:trojan-activity; sid:2022610; rev:4; metadata:created_at 2016_03_11, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - mono-sgen/Syncplicity/Axure RP 8/Amazon Drive"; ja3_hash; content:"6acb250ada693067812c3335705dae79"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028312; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 46"; dns_query; content:"accountgoogle.firewall-gateway.com"; depth:34; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/03/shifting-tactics/; classtype:trojan-activity; sid:2022611; rev:5; metadata:created_at 2016_03_11, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla Sync Services (Android)"; ja3_hash; content:"d65ddade944f9acfe4052b2c9435eb85"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028313; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 47"; dns_query; content:"filegoogle.firewall-gateway.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/03/shifting-tactics/; classtype:trojan-activity; sid:2022612; rev:5; metadata:created_at 2016_03_11, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla Thunderbird (tested: 31.5.0)"; ja3_hash; content:"c2116e5bb14394aafbefe12ade9bd8ab"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028314; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unknown PowerShell Loader DNS Lookup (spl.noip.me)"; dns_query; content:"spl.noip.me"; depth:11; nocase; endswith; fast_pattern; reference:url,fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html; classtype:trojan-activity; sid:2022747; rev:4; metadata:created_at 2016_04_19, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla Thunderbird (tested: 38.3.0), ThunderBird (v38.0.1 OS X)"; ja3_hash; content:"6fd163150b060dd7d07add280f42f4ed"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028315; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE PoisonIvy SPIVY DNS Lookup (leeh0m.org)"; dns_query; content:"leeh0m.org"; depth:10; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/; classtype:trojan-activity; sid:2022753; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_22, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla/4.0 MSIE 6.0 or MSIE 7.0 User-Agent"; ja3_hash; content:"de350869b8c85de67a350c8d186f11e6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028316; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Hidden-Tear Ransomware Variant (.bloccato) DNS Request to CnC Domain"; dns_query; content:"ur232dkkwpdkwp.xyz"; depth:18; nocase; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/; reference:md5,e586f208a724ba84369b72bc43d92057; classtype:command-and-control; sid:2022831; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - MS Edge"; ja3_hash; content:"5bf43fbca3454853c26df6d996954aca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028317; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (way2tor)"; dns_query; content:".way2tor"; fast_pattern; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2019982; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_12_20, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - MS Edge"; ja3_hash; content:"888ecd3b5821a497195932b0338f2f12"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028318; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor4life.com)"; dns_query; content:".tor4life.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020125; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - MS Edge"; ja3_hash; content:"8d2e46c9e2b1ee9b1503cab4905cb3e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028319; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (adjust-local-settings .com)"; dns_query; content:"adjust-local-settings.com"; depth:25; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023095; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - MS Office Components"; ja3_hash; content:"f66b0314f269695fe3528ef39a27c158"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028320; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (bbc-africa .com)"; dns_query; content:"bbc-africa.com"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023102; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - MSIE 10.0 Trident/6.0"; ja3_hash; content:"2201d8e006f8f005a6b415f61e677532"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028321; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (checkinonlinehere .com)"; dns_query; content:"checkinonlinehere.com"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:command-and-control; sid:2023104; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, former_category MALWARE, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - MSIE 10.0 Trident/6.0)"; ja3_hash; content:"7b3b37883b5e80065b35f27888ed2b04"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028322; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (googleplay-store .com)"; dns_query; content:"googleplay-store.com"; depth:20; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023109; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - MSIE 8.0 & 9.0 Trident/5.0)"; ja3_hash; content:"2baf01616e930d378df97576e2686df3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028323; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (turkeynewsupdates .com)"; dns_query; content:"turkeynewsupdates.com"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023124; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - mutt (tested: 1.5.23 OSX)"; ja3_hash; content:"dc7c914e1817944435dd6b82a8495fbb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028324; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (unonoticias .net)"; dns_query; content:"unonoticias.net"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023128; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - mutt"; ja3_hash; content:"6761a36cfa692fcd3bc7d570b23cc168"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028325; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE BartCrypt Payment DNS Query to .onion proxy Domain (s3clm4lufbmfhmeb)"; dns_query; content:".s3clm4lufbmfhmeb"; fast_pattern; endswith; nocase; classtype:trojan-activity; sid:2023154; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag DNS_Onion_Query, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - NetFlix App on AppleTV (possibly others also)"; ja3_hash; content:"146c6a6537ba4cc22d874bf8ff346144"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028326; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Adwind DNS Lookup (winmeif .myq-see.com)"; dns_query; content:"winmeif.myq-see.com"; depth:19; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023256; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - node-webkit/Kindle"; ja3_hash; content:"3ee4aaac7147ff2b80ada31686db660c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028330; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Netwire RAT DNS Lookup (samsung .ddns.me)"; dns_query; content:"samsung.ddns.me"; depth:15; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023259; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - node.js"; ja3_hash; content:"641df9d6dbe7fdb74f70c8ad93def8cc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028331; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH SSL Blacklist DNS Lookup (Gozi MITM) (gtldsfs .com )"; dns_query; content:"gtldsfs.com "; depth:12; nocase; endswith; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023297; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, malware_family Gozi, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - node.js/Postman/WhatsApp"; ja3_hash; content:"106ecbd3d14b4dc6e413494263720afe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028332; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH SSL Blacklist DNS Lookup (Gozi MITM) (cdnfastnetwork .com)"; dns_query; content:"cdnfastnetwork.com"; depth:18; nocase; endswith; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023298; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, malware_family Gozi, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Non-Specific Microsoft Socket"; ja3_hash; content:"1d095e68489d3c535297cd8dffb06cb9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028333; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH SSL Blacklist DNS Lookup (Gozi MITM) (sdpvss .com)"; dns_query; content:"sdpvss.com"; depth:10; nocase; endswith; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023310; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, malware_family Gozi, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - NVIDEA GeForce Experience, Windows Diagnostic and Telemetry (also Security Essentials and Microsoft Defender) (Tested Win7)"; ja3_hash; content:"4025f224557638ee81afc4f272fd7577"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028334; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoWall/TeslaCrypt Payment Domain"; dns_query; content:"aterdunst.com"; depth:13; nocase; endswith; fast_pattern; classtype:trojan-activity; sid:2023330; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - nwjs/Chromium"; ja3_hash; content:"49de9b1c7e60bd3b8e1d4f7a49ba362e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028335; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unknown AutoIt Bot DNS Lookup (webmail .duia.in)"; dns_query; content:"webmail.duia.in"; depth:15; nocase; endswith; fast_pattern; reference:url,cysinfo.com/malware-actors-using-nic-cyber-security-themed-spear-phishing-target-indian-government-organizations/; classtype:trojan-activity; sid:2023573; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, malware_family Ceatrg, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - One Drive"; ja3_hash; content:"388a4049af7e631f8d36eb0f909de65a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028336; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"vmdefmnsndoj.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023600; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - OpenConnect version v7.01"; ja3_hash; content:"a35c1457421bcfaf5edaccb910bfea1d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028337; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"lvfjcwwobycj.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023602; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - OpenConnect version v7.06 / wget 1.17.1-1 (cygwin)"; ja3_hash; content:"07aa6d7cac645c8845d6e96503f7d985"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028338; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"qjqubpciajoc.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023606; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - openssl s_client / msmtp 1.6.2 (openSUSE Leap 42.1)"; ja3_hash; content:"6fffa2be612102d25dbed5f433b8238c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028339; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"exvdaajegjur.support"; depth:20; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023607; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera 10.53  10.60  11.61  11.64  12.02, Presto 2.5.24  2.6.30  2.10.229  2.10.289"; ja3_hash; content:"4e6f7f036fb2b05a50ee8a686b1176a6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028340; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"tro69.online"; depth:12; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023608; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera 11.11  11.52, Presto 2.8.131  2.9.168"; ja3_hash; content:"ceee08c3603b53be80c8afdc98babdd6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028341; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"tro69.tech"; depth:10; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023609; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera 12.14 - 12.16, Presto 2.12.388"; ja3_hash; content:"561271bdcbfe68504ce78b38c957eef0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028342; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"tro69.support"; depth:13; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023610; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 (X11 Linux x86_64 U en) Presto/2.6.30 Version/10.60"; ja3_hash; content:"8b475d6105c72827a234fbd47e25b0a3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028343; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"nympompksmfx.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023630; rev:4; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.10.229 Version/11.62"; ja3_hash; content:"44f37c3ceccb551271bfe0ba6d39426c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028344; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"xpknpxmywqsrhe.online"; depth:21; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023631; rev:4; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.10.289 & Presto/2.10.229"; ja3_hash; content:"a16170ff03466c8ee703dd71feda9bfe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028345; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"binpt.pw"; depth:8; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023634; rev:4; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.10.289 Version/12.00"; ja3_hash; content:"b237ac4bcc16c142168df03a871677bd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028346; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE NEODYMIUM Wingbird DNS Lookup (srv601 .ddns.net)"; dns_query; content:"srv601.ddns.net"; depth:15; nocase; endswith; fast_pattern; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023641; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family NEODYMIUM_Wingbird, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.12.388"; ja3_hash; content:"07715901e2c6fe4c45e7c42587847d5d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028347; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; dns_query; content:"storegoogle.at"; depth:14; nocase; endswith; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023710; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_01_09, deployment Perimeter, tag Android, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.12.388"; ja3_hash; content:"329ff4616732b84de926caa7fd6777b0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028348; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (hostgatero .ddns.net)"; dns_query; content:"hostgatero.ddns.net"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023785; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - OS X WebSockets"; ja3_hash; content:"43bb6a18756587426681e4964e5ea4bf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028349; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 01"; dns_query; content:"account-google.serveftp.com"; depth:27; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023833; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - osc (python openSUSE Leap 42.1) 1"; ja3_hash; content:"3b6da2971936ac24457616e8ad46f362"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028350; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 02"; dns_query; content:"aramex-shipping.servehttp.com"; depth:29; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023834; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - osc (python openSUSE Leap 42.1) 2"; ja3_hash; content:"95baa3d2068d8c8da71990a353cf8453"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028351; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 03"; dns_query; content:"device-activation.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023835; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Outlook 2007 (Win 8.1)"; ja3_hash; content:"53eb89fe6147474039c1162e4d9d3dc0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028352; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 04"; dns_query; content:"dropbox-service.serveftp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023836; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - p4v/owncloud"; ja3_hash; content:"38cbe70b308f42da7c9980c0e1c89656"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028353; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 05"; dns_query; content:"dropbox-sign.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023837; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - PaleMoon Browser"; ja3_hash; content:"d82cbe0b93f2b02d490a14f6bc1d421a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028354; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 06"; dns_query; content:"dropboxsupport.servehttp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023838; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - parsecd/apple.geod/apple.photomoments/photoanalysisd/FreedomProxy"; ja3_hash; content:"62448833d8230241227c03b7d441e31b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028355; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 07"; dns_query; content:"fedex-mail.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023839; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - php script (tested 5.5.27)"; ja3_hash; content:"16765fe48127809dc0ca406769c9391e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028356; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 08"; dns_query; content:"fedex-shipping.servehttp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023840; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Pidgin (tested 2.10.11)"; ja3_hash; content:"b74f9ecf158e0575101c16c5265a85b0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028357; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 09"; dns_query; content:"fedex-sign.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023841; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Pocket/Slack/Duo (Android)"; ja3_hash; content:"6ea7cfa450ce959818178b420f59fec4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028358; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 10"; dns_query; content:"googledriver-sign.ddns.net"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023842; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Polycom IP Phone Directory Lookup"; ja3_hash; content:"9e41b6bf545347abccf0dc8fd76083a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028359; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 11"; dns_query; content:"googledrive-sign.servehttp.com"; depth:30; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023843; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] BlackRAT Checkin"; flow:established,to_server; content:"Clientx|2c 20|Version="; fast_pattern; content:"ProClient.Data"; distance:0; content:"data|05|bytes"; distance:0; reference:md5,7aa313d007a538f7453a0f0f3b76ba1f; classtype:command-and-control; sid:2028564; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_09_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 12"; dns_query; content:"google-maps.servehttp.com"; depth:25; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023844; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [TGI] BlackRAT Checkin Response"; flow:established,to_client; content:"|2c 20|Version="; content:"BlackRAT.Data"; distance:0; fast_pattern; content:"data|05|bytes"; distance:0; reference:md5,7aa313d007a538f7453a0f0f3b76ba1f; classtype:command-and-control; sid:2028565; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_09_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 13"; dns_query; content:"googlesecure-serv.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023845; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - postbox-bin"; ja3_hash; content:"e846898acc767ebeb2b4388e58a968d4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028404; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 14"; dns_query; content:"googlesignin.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023846; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Postfix with StartTLS"; ja3_hash; content:"26fa3da4032424ab61dc9be62c8e3ed0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028405; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 15"; dns_query; content:"googleverify-signin.servehttp.com"; depth:33; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023847; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - PubNub data stream #1 & Apteligent"; ja3_hash; content:"ef48bf8b2ccaab35642fd0a9f1bbe831"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028406; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 16"; dns_query; content:"mailgooglesign.servehttp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023848; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - PubNub data stream #2"; ja3_hash; content:"8cc24a6ff485c62e3eb213d2ca61cf12"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028407; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 17"; dns_query; content:"myaccount.servehttp.com"; depth:23; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023849; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Pusherapp API"; ja3_hash; content:"12ad03cb3faa2748e92c9a38faab949f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028408; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 18"; dns_query; content:"secure-team.servehttp.com"; depth:25; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023850; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - py2app application (including box.net & google drive clients)"; ja3_hash; content:"ba502b2f5d64ac3d1d54646c0d6dd4dc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028409; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 19"; dns_query; content:"security-myaccount.servehttp.com"; depth:32; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023851; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Python Requests Library 2.4.3"; ja3_hash; content:"c398c55518355639c5a866c15784f969"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028410; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 20"; dns_query; content:"verification-acc.servehttp.com"; depth:30; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023852; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - python-requests/2.7.0 CPython/2.6.6 Linux/2.6.32-504.23.4.el6.x86_64"; ja3_hash; content:"1a9fb04aa1b4439666672be8661f9386"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028411; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 21"; dns_query; content:"dropbox-verfy.servehttp.com"; depth:27; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023853; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Qsync Client"; ja3_hash; content:"a7823092705a5e91ce2b7f561b6e5b98"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028412; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 22"; dns_query; content:"fedex-s.servehttp.com"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023854; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Reported as -"; ja3_hash; content:"4b06b445e3e12cdae777cec815ab90f5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028414; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 23"; dns_query; content:"watchyoutube.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023855; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - RescueTime/Plantronics Hub"; ja3_hash; content:"c048d9f26a79e11ca7276499ef24daf3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028415; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 24"; dns_query; content:"verification-team.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023856; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - RingCentral App #2"; ja3_hash; content:"90f755509cba37094eb66be02335b932"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028416; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 25"; dns_query; content:"securityteam-notify.servehttp.com"; depth:33; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023857; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - RingCentral App"; ja3_hash; content:"7743db23afb26f18d632420e6c36e076"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028417; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 26"; dns_query; content:"secure-alert.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023858; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - RSiteAuditor"; ja3_hash; content:"35c0a31c481927f022a3b530255ac080"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028418; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 27"; dns_query; content:"quota-notification.servehttp.com"; depth:32; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023859; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ruby script (tested: 2.0.0p481)"; ja3_hash; content:"688b34ca00a291ece0bc07b264b1344c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028419; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 28"; dns_query; content:"notification-team.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023860; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ruby"; ja3_hash; content:"d219efd07cbb8fbe547e6a5335843f0f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028420; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 29"; dns_query; content:"fedex-notification.servehttp.com"; depth:32; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023861; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 525 - 533  534.57.2, Safari 525.21  525.29  531.22.7  533.21.1  534.57.2 / Adobe Reader DC 15.x Updater"; ja3_hash; content:"cbcd1d81f242de31fd683d5acbc70dca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028421; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 30"; dns_query; content:"docs-mails.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023862; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.34"; ja3_hash; content:"4c551900711d12c864cfe2f95e1c98c2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028422; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 31"; dns_query; content:"restricted-videos.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023863; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.34, rekonq1.1  Arora0.11.0"; ja3_hash; content:"30701f5050d504c31805594fb5c083b8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028423; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 32"; dns_query; content:"dropboxnotification.servehttp.com"; depth:33; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023864; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.34, Safari/537.21"; ja3_hash; content:"41ba55231de6643721fbe2ae25fab85d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028424; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 33"; dns_query; content:"moi-gov.serveftp.com"; depth:20; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023865; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.59.8"; ja3_hash; content:"fb1d89e16f4dd558ad99011070785cce"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028425; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 34"; dns_query; content:"activate-google.servehttp.com"; depth:29; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023866; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 536.30.1"; ja3_hash; content:"e2a482fbb281f7662f12ff6cc871cfe7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028426; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 35"; dns_query; content:"googlemaps.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023867; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 537.71"; ja3_hash; content:"cc5925c4720edb550491a12a35c15d4d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028427; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Banker.Win32.Alreay DNS Lookup (tradeboard .mefound .com)"; dns_query; content:"tradeboard.mefound.com"; depth:22; nocase; endswith; fast_pattern; reference:url,niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-oraz-kto-jeszcze-byl-na-celowniku-przestepcow/; classtype:trojan-activity; sid:2023884; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_08, deployment Perimeter, malware_family Alreay_Banking, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 537.78.2"; ja3_hash; content:"88770e3ad9e9d85b2e463be2b5c5a026"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028428; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Banker.Win32.Alreay DNS Lookup (movis-es .ignorelist .com)"; dns_query; content:"movis-es.ignorelist.com"; depth:23; nocase; endswith; fast_pattern; reference:url,niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-oraz-kto-jeszcze-byl-na-celowniku-przestepcow/; classtype:trojan-activity; sid:2023885; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_08, deployment Perimeter, malware_family Alreay_Banking, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari"; ja3_hash; content:"c36fb08942cf19508c08d96af22d4ffc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028429; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Banker.Win32.Alreay DNS Lookup (exbonus .mrbasic .com)"; dns_query; content:"exbonus.mrbasic.com"; depth:19; nocase; endswith; fast_pattern; reference:url,niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-oraz-kto-jeszcze-byl-na-celowniku-przestepcow/; classtype:trojan-activity; sid:2023886; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_08, deployment Perimeter, malware_family Alreay_Banking, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari/534.57.2, hola_svc"; ja3_hash; content:"77310efe11f1943306ee317cf02150b7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028430; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qadars CnC DNS Lookup (bst2bgxin81a.org)"; dns_query; content:"bst2bgxin81a.org"; depth:16; fast_pattern; endswith; nocase; classtype:command-and-control; sid:2023893; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, former_category MALWARE, malware_family Qadars, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari/604.1.38 Macintosh, Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"c07cb55f88702033a8f52c046d23e0b2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028431; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns_query; content:"siteanalysto.com"; depth:16; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023938; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, tag Android, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari/604.3.1 Macintosh/apple.WebKit.Networking,itunesstored"; ja3_hash; content:"3e4e87dda5a3162306609b7e330441d2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028432; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known IoT Malware Domain"; dns_query; content:"load.gtpnet.ir"; depth:14; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; classtype:trojan-activity; sid:2024245; rev:4; metadata:attack_target IoT, created_at 2017_04_25, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Salesforce Files"; ja3_hash; content:"844166382cc98d98595e6778c470f5d5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028433; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spora Ransomware DNS Query"; dns_query; content:"spora.li"; depth:8; nocase; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,906c51a18073112c4479b3fe4ea329ca; classtype:trojan-activity; sid:2024324; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SCANNER: hoax Firefox/40.1"; ja3_hash; content:"9a35e493f961ac377f948690b5334a9c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028434; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/5.0|3b 20|BOIE9|3b|ENGB)"; bsize:82; classtype:trojan-activity; sid:2028598; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SCANNER: wordpress wp-login Firefox/40.1"; ja3_hash; content:"ce5f3254611a8c095a3d821d44539877"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028435; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to Jaff Domain (comboratiogferrdto . com)"; dns_query; content:"comboratiogferrdto.com"; depth:22; fast_pattern; endswith; nocase; reference:md5,51cf3452feb218a4b1295cebf3b2130e; reference:url,blog.dynamoo.com/2017/05/malware-spam-with-nmpdf-attachment.html; classtype:trojan-activity; sid:2024341; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category TROJAN, malware_family Jaff_Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SCRAPER: DotBot"; ja3_hash; content:"d8844f000e5571807e9094e0fcd795fe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028436; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns_query; content:"epochatimes.com"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024478; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SeznamBot/3.2"; ja3_hash; content:"6cc3c7debc31952d05ecaacb6021925f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028438; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns_query; content:"strangelol.com"; depth:14; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024852; rev:4; metadata:created_at 2017_10_18, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ShadowServer Scanner 1"; ja3_hash; content:"fa8b8ed07b1dd0e4a262bd44d31251ec"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028439; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Malicious Chrome Ext. DNS Query For Adware CnC (go.querymo)"; dns_query; content:"go.querymo.com"; depth:14; fast_pattern; endswith; nocase; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024724; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2019_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ShadowServer Scanner 2"; ja3_hash; content:"c05809230e9f7a6bf627a48b72dc4e1c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028440; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible EXIM DoS (CVE-2019-16928)"; flow:established,to_server; content:"EHLO "; depth:5; isdataat:5000,relative; content:!"|0a|"; within:500; reference:cve,2019-16928; reference:url,bugs.exim.org/show_bug.cgi?id=2449; reference:url,git.exim.org/exim.git/patch/478effbfd9c3cc5a627fc671d4bf94d13670d65f; classtype:attempted-admin; sid:2028636; rev:3; metadata:attack_target SMTP_Server, created_at 2019_09_30, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2019_10_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ShadowServer Scanner 3"; ja3_hash; content:"0ad94fcb7d3a2c56679fbd004f6b12cd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028441; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Passwords"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|PSWD|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1178824123293868033; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028643; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"0add6ceb611a7613f97329af3b6828d9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028442; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger Exfil via SMTP - Generic"; flow:established,to_server; content:"-- Client Info --"; fast_pattern; nocase; content:"IP|3a 20|"; content:"HWID|3a 20|"; content:"OS Platform|3a 20|"; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1178824123293868033; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028644; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"0b63812a99e66c82a20d30c3b9ba6e06"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028443; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Logs"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|Logs|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028645; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"109dbd9238634b21363c3d62793c029c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028444; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Clipboard"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|Clipboard|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028646; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"11e49581344c117df2c9ceb46e5594c4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028445; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Screenshot"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|Screenshot|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028647; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"302579fd4ba13eca27932664f66725ad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028446; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemours/Proyecto RAT CnC Checkin"; flow:established,to_server; content:"0|7c|New|20|-|20|"; depth:8; fast_pattern; content:"|7c|"; distance:0; content:"|7c|Windows"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; reference:md5,50a9218c891453c00b498029315ac680; classtype:command-and-control; sid:2028648; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_30, deployment Perimeter, former_category MALWARE, malware_family Nemours, performance_impact Moderate, signature_severity Major, updated_at 2019_10_04;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"badc09d74edf43c0204c4827a038c2fa"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028447; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET [!37018,!37039,1024:65535] (msg:"ET DELETED Possible NanoCore C2 64B"; flow:established,to_server; dsize:68; content:"|40 00 00 00|"; depth:5; pcre:"/^(?!.{0,63}\x00.{0,62}\x00.{0,61}\x00.{0,60}\x00)(?!.{0,62}\x00{2})(?!.{0,59}[A-Za-z0-9]{5})(?!(?P<b1>.).{0,63}(?P=b1).{0,62}(?P=b1).{0,61}(?P=b1).{0,60}(?P=b1))(?!.(?P<b2>.).{0,62}(?P=b2).{0,61}(?P=b2).{0,60}(?P=b2).{0,59}(?P=b2))(?!..(?P<b3>.).{0,61}(?P=b3).{0,60}(?P=b3).{0,59}(?P=b3).{0,58}(?P=b3))(?!...(?P<b4>.).{0,60}(?P=b4).{0,59}(?P=b4).{0,58}(?P=b4).{0,57}(?P=b4))(?!....(?P<b5>.).{0,59}(?P=b5).{0,58}(?P=b5).{0,57}(?P=b5).{0,56}(?P=b5))(?!.....(?P<b6>.).{0,58}(?P=b6).{0,57}(?P=b6).{0,56}(?P=b6).{0,55}(?P=b6))(?!......(?P<b7>.).{0,57}(?P=b7).{0,56}(?P=b7).{0,55}(?P=b7).{0,54}(?P=b7))(?!.......(?P<b8>.).{0,56}(?P=b8).{0,55}(?P=b8).{0,54}(?P=b8).{0,53}(?P=b8))(?!........(?P<b9>.).{0,55}(?P=b9).{0,54}(?P=b9).{0,53}(?P=b9).{0,52}(?P=b9))(?!.........(?P<b10>.).{0,54}(?P=b10).{0,53}(?P=b10).{0,52}(?P=b10).{0,51}(?P=b10))/Rs"; classtype:command-and-control; sid:2025018; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MALWARE, malware_family NanoCore, tag Nanocore, updated_at 2019_10_04;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"f59a024cf47fdb835053ebf144189a47"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028448; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-03"; flow:established,to_client; tls.cert_subject; bsize:23; content:"CN=worldmasterclass.com"; fast_pattern; reference:md5,fe9caf2568d7bbf2bb0e20b8e7dc8971; reference:md5,c5a460fd87ffd50c114fffa684688d01; classtype:domain-c2; sid:2028653; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"f8f522671d2d2eba5803e6c002760c05"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028449; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-07"; flow:established,to_client; tls.cert_subject; bsize:17; content:"CN=mailfueler.com"; fast_pattern; reference:md5,c189cdadd96c148e64912c55c5129d3e; classtype:domain-c2; sid:2028652; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan, mutt (tested: 1.5.23 - OS X)"; ja3_hash; content:"9d5869f950eeca2e39196c61fdf510c8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028450; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-03"; flow:established,to_client; tls.cert_subject; bsize:17; content:"CN=corpcougar.com"; fast_pattern; reference:md5,73fad17f8054d01488c3ddd67e355bf1; reference:md5,a25591dbf57ac687e2a03f94dcccc35a; classtype:domain-c2; sid:2028654; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan, mutt (tested: 1.6.2 OS X)"; ja3_hash; content:"3fcc12d9ee1f75a0212d1d16f7b9f8ad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028451; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-02"; flow:established,to_client; tls.cert_subject; bsize:18; content:"CN=adityebirla.com"; fast_pattern; reference:md5,61b34d02bb09e5a547251a625ce81f9c; reference:md5,cab127c5b8582c1e3ea8860a239a060b; classtype:domain-c2; sid:2028655; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Signal (tested: 3.16.0 - Android)"; ja3_hash; content:"7dde4e4f0dceb29f711fb34b4bdbf420"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028452; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-01"; flow:established,to_client; tls.cert_subject; bsize:63; content:"OU=Domain Control Validated, OU=PositiveSSL, CN=www.livdecor.pt"; fast_pattern; reference:md5,7baca517af0b93bd3f94910c7b8f10db; reference:md5,efb4951e11baf306f5680a041c214e5b; classtype:domain-c2; sid:2028656; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Signal Chrome App"; ja3_hash; content:"07931ada5b9dd93ec706e772ee60782d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028453; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-09-30"; flow:established,to_client; tls.cert_subject; bsize:12; content:"CN=flozzy.uk"; fast_pattern; reference:md5,6a333c3f54d7fb6efb276cf6e33315c0; reference:md5,ab578cff6c06157aadd5f324a3413973; classtype:domain-c2; sid:2028657; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SkipFish (tested: v2.10b kali)"; ja3_hash; content:"cfb6d1c72d09d4eaa4c7d2c0b1ecbce7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028454; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult Cnc Server) 2019-09-27"; flow:established,to_client; tls.cert_subject; bsize:18; content:"CN=evershinebd.net"; fast_pattern; reference:md5,c93a2d16dd0cf8dd3afa5ecba111e7c4; reference:md5,23aff33025681263adcdcb480d0e9a95; classtype:domain-c2; sid:2028658; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Skype (additional Win 10)"; ja3_hash; content:"7a75198d3e18354a6763860d331ff46a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028455; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) in SNI 2019-09-27"; flow:established,to_server; tls.sni; bsize:11; content:"techxim.com"; reference:md5,5c4e395fc545b5e0c03f960a4145f4ea; classtype:domain-c2; sid:2028659; rev:2; metadata:attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Skype (multiple platforms)"; ja3_hash; content:"06207a1730b5deeb207b0556e102ded2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028456; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Easewe FTP OCX ActiveX Control EaseWeFtp.ocx Remote Code Execution Attempt"; flow:established,to_client; content:"31AE647D-11D1-4E6A-BE2D-90157640019A"; nocase; fast_pattern; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*31AE647D-11D1-4E6A-BE2D-90157640019A.+(Execute|Run|CreateLocalFile|CreateLocalFolder|DeleteLocalFile)/smi"; reference:bid,48393; classtype:attempted-user; sid:2013119; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_06_24, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Skype (tested 7.18(341) on OSX)"; ja3_hash; content:"5ef08bc989a9fcc18d5011f07d953c14"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028457; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt"; flow:established,to_client; content:"%41%41%41%41"; fast_pattern; classtype:shellcode-detect; sid:2013145; rev:3; metadata:created_at 2011_06_30, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Skype"; ja3_hash; content:"49a341a21f4fd4ac63b027ff2b1a331f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028458; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u41%u41%u41%u41 UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u41%u41%u41%u41"; nocase; fast_pattern; classtype:shellcode-detect; sid:2013146; rev:3; metadata:created_at 2011_06_30, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Slack Desktop App"; ja3_hash; content:"c8ada45922a3e7857e4bfd4fc13e8f64"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028459; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u4141%u4141 UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u4141%u4141"; nocase; fast_pattern; classtype:shellcode-detect; sid:2013147; rev:3; metadata:created_at 2011_06_30, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Slack"; ja3_hash; content:"3d72e4827837391cd5b6f5c6b2d5b1e1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028460; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Util.printf Buffer Overflow Attempt"; flow:established,to_client; content:"util.printf|28 22 25|"; nocase; fast_pattern; pcre:"/util.printf\x28\x22\x25[^\x2C\x29]*f\x22\x2C/i"; reference:url,www.coresecurity.com/content/adobe-reader-buffer-overflow; reference:bid,30035; reference:cve,2008-2992; classtype:attempted-user; sid:2013152; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Slack"; ja3_hash; content:"a5aa6e939e4770e3b8ac38ce414fd0d5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028461; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Reader FlateDecode Stream Predictor Exploit Attempt"; flow:established,to_client; content:"Colors 1073741838"; fast_pattern; pcre:"/<<[^>]*\x2FPredictor[^>]*\x2FColors\x201073741838/smi"; reference:url,www.fortiguard.com/analysis/pdfanalysis.html; reference:bid,36600; reference:cve,2009-3459; classtype:attempted-user; sid:2013153; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Slack"; ja3_hash; content:"cdd8179dc9c0e4802f557b62bae73d43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028462; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C 5C|x41|5C 5C|x41|5C 5C|x41|5C 5C|x41"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013279; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Slackbot Link Expander"; ja3_hash; content:"22cca8ed59288f4984724f0ee03484ea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028463; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C 5C|x90|5C 5C|x90|5C 5C|x90|5C 5C|x90"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013278; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Spark"; ja3_hash; content:"116ffc8889873efad60457cd55eaf543"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028464; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013277; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SpiderOak (tested: 6.0.1)"; ja3_hash; content:"f51156bcd5033603e750c8bd4db254e3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028465; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013276; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SpotlightNetHelper/Safari"; ja3_hash; content:"8db4b0f8e9dd8f2fff38ee7c5a1e4496"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028466; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; content:"|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013275; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 1"; ja3_hash; content:"24339ea346521d98a8c50fd3713090c9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028469; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; content:"|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013274; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 2"; ja3_hash; content:"ad5d6f490f3819dc60b2a2fbe5bd1cba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028470; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C|x90|5C|x90|5C|x90|5C|x90"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013271; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 3"; ja3_hash; content:"1e9557c377f8ff50b80b7f87b60b1054"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028471; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C|x0d|5C|x0d|5C|x0d|5C|x0d"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013270; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 4"; ja3_hash; content:"c3c59ec21835721c92571e7742fadb88"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028472; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C|x0c|5C|x0c|5C|x0c|5C|x0c"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013269; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Steam OSX"; ja3_hash; content:"39cf5b7a13a764494de562add874f016"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028473; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Sality Executable Pack Digital Signature ASCII Marker"; flow:established,from_server; content:"e#o203kjl,!"; fast_pattern; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf; classtype:trojan-activity; sid:2013381; rev:3; metadata:created_at 2011_08_09, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Synology DDNS Beacon"; ja3_hash; content:"cab4a6a0c7ac91c2bd9e93cb0507ad4e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028474; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category JA3, signature_severity Major, tag c2, updated_at 2019_10_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fakealert.Rena CnC Checkin 2"; flow:established,to_server; content:"/images/img.php?id="; content:"HTTP/1.1|0d 0a|User-Agent"; fast_pattern; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; reference:url,www.malware-control.com/statics-pages/24b9c5f59a4706689d4f9bb5f510ec35.php; classtype:command-and-control; sid:2013382; rev:4; metadata:created_at 2011_08_09, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tableau"; ja3_hash; content:"2d3854d1cbcdceece83eabd85bdcc056"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028475; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC Potential bot update/download via ftp command"; flowbits:isset,is_proto_irc; flow:established,to_client; content:"ftp|3a|//"; fast_pattern; pcre:"/\.(upda|getfile|dl\dx|dl|download|execute)\w*\s+ftp\x3a\x2f\x2f/i"; reference:url,doc.emergingthreats.net/2011162; classtype:trojan-activity; sid:2011162; rev:6; metadata:created_at 2010_07_30, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tableau"; ja3_hash; content:"a585c632a2b49be1256881fb0c16c864"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028476; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP iss scan"; flow:to_server,established; content:"pass -iss@iss"; fast_pattern; reference:arachnids,331; classtype:suspicious-login; sid:2100354; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tableau"; ja3_hash; content:"cd7c06b9459c9cfd4af2dba5696ea930"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028477; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; nocase; fast_pattern; reference:arachnids,324; classtype:suspicious-login; sid:2100355; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tenable Passive Vulnerability Scanner Plugin Updater"; ja3_hash; content:"24993abb75ddda7eaf0709395e47ab4e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028478; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; fast_pattern; classtype:suspicious-login; sid:2100357; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - TextSecure Name Lookup (Tested: Android)"; ja3_hash; content:"97d3b9036d5a4d7f1fe33fe730f38231"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028479; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP saint scan"; flow:to_server,established; content:"pass -saint"; fast_pattern; reference:arachnids,330; classtype:suspicious-login; sid:2100358; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ThunderBird (v17.0 OS X)"; ja3_hash; content:"207409c2b30e670ca50e1eac016a4831"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028480; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP satan scan"; flow:to_server,established; content:"pass -satan"; fast_pattern; reference:arachnids,329; classtype:suspicious-login; sid:2100359; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ThunderBird (v38.0.1 OS X), Thunderbird 38.7.0 (openSUSE Leap 42.1)"; ja3_hash; content:"4623da8b4586a8a4b86e31d689aa0c15"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028481; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP tar parameters"; flow:to_server,established; content:" --use-compress-program "; nocase; fast_pattern; reference:arachnids,134; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:2100362; rev:15; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Browser (tested: 5.0.1f - May clash with FF38)"; ja3_hash; content:"0ed768d6e3bc66af60d31315afd423f2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028482; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET 1024: -> any 6783 (msg:"ET POLICY Splashtop Remote Control Checkin"; flow:established,to_server; dsize:12; content:"|00 01 00 08 00 00 00 00 00 02 01 00|"; fast_pattern; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014127; rev:2; metadata:created_at 2012_01_16, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Browser (v4.5.3 OS X - based on FF 31.8.0)"; ja3_hash; content:"8c9a7fe81ba61dab1454e08f42f0a004"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028483; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET 1024: -> any 6784 (msg:"ET POLICY Splashtop Remote Control Session Start Request"; flow:established,to_server; dsize:4; content:"|01 00 34 12|"; fast_pattern; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014128; rev:2; metadata:created_at 2012_01_16, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Relay Traffic (tested 0.2.7.6)"; ja3_hash; content:"5b3eee2766b876e623ba05508d269830"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028484; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET 1024: -> any 6784 (msg:"ET POLICY Splashtop Remote Control Session Keepalive"; flow:established,to_server; dsize:4; content:"|00 00 34 12|"; fast_pattern; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014129; rev:2; metadata:created_at 2012_01_16, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Relay Traffic (tested 0.2.7.6), Tor Uplink (via Tails distro)"; ja3_hash; content:"79f0842a32b359d1b683c569bd07f23b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028485; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102599; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - tor uplink (tested 0.2.2.35)"; ja3_hash; content:"3b8f3ace50a7c7cd5205af210f17bb70"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028486; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Dadong Exploit Kit Downloaded"; flow:established,from_server; flowbits:set,et.exploitkitlanding; content:"indexOf(|22|dadong=|22|)=="; fast_pattern; reference:url,www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/; classtype:exploit-kit; sid:2025037; rev:3; metadata:created_at 2012_03_01, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tor uplink (tested: 0.2.6.10)"; ja3_hash; content:"659007d8bae74d1053f6ca4a329d25a7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028487; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hostile Microsoft Rich Text File (RTF) with corrupted listoverride"; flow:from_server,established; flowbits:set,ETPRO.RTF; content:"|7b 5c 2a 5c|listoverridetable"; content:"|5c|listoverride|5c|"; fast_pattern; pcre:"/\x5clistoverride\x5c((?!\x5cls\d{1,4}\s*\}).)+?\x5clistoverride\x5c/s"; reference:cve,2012-0183; classtype:attempted-user; sid:2025085; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_05_08, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tracking something (noted with Dropbox Installer & Skype - Win 10)"; ja3_hash; content:"bc329d2a71e749067424502f1f72e13a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028488; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP private access udp"; content:"private"; fast_pattern; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101413; rev:12; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Trident/7.0"; ja3_hash; content:"2a458dd9c65afbcf591cd8c2a194b804"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028489; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access udp"; content:"public"; fast_pattern; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101411; rev:13; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Trident/7.0"; ja3_hash; content:"aea96546ac042f29fed1e2203a9b4c3f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028490; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; fast_pattern; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:2101427; rev:6; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - True Key"; ja3_hash; content:"df65746370dcabc9b4f370c6e14a8156"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028491; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP SNMP NT UserList"; content:"+|06 10|@|14 D1 02 19|"; fast_pattern; reference:nessus,10546; classtype:attempted-recon; sid:2100516; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Twitterbot/1.0"; ja3_hash; content:"edcf2fd479271286879efebd22bc8d16"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028492; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL EXPLOIT rsh froot"; flow:to_server,established; content:"-froot|00|"; fast_pattern; reference:arachnids,387; classtype:attempted-admin; sid:2100604; rev:7; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Software Center"; ja3_hash; content:"633e9558d4b25b46e8b1c49e10faaff4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028493; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; fast_pattern; nocase; pcre:"/^MDTM \d+[-+]\D/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2102416; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Software Center"; ja3_hash; content:"b9b4d1f7283b5ddc59d0b8d15e386106"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028494; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Yszz JS/Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"|2f 2a|Yszz 0.7 vip|2a 2f|"; fast_pattern; nocase; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2015573; rev:3; metadata:created_at 2012_08_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #1"; ja3_hash; content:"ac206b75530d569a0a64cec378eb4b66"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028495; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Unknown TDS /rem2.html"; flow:established,to_server; urilen:10; content:"/rem2.html"; http_uri; fast_pattern; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:exploit-kit; sid:2015479; rev:4; metadata:created_at 2012_07_17, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #2"; ja3_hash; content:"94feb9008aeb393e76bac31b30af6ad0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028496; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SPL - Java Exploit Requested .jar Naming Pattern"; flow:established,to_server; content:"-a."; http_uri; content:".jar"; http_uri; fast_pattern; content:" Java/"; http_header; pcre:"/\/[a-z]{4,20}-a\.[a-z]{4,20}\.jar$/U"; classtype:exploit-kit; sid:2015604; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #3"; ja3_hash; content:"f1b7bbeb8b79cecd728c72bba350d173"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028497; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO WinUpack Modified PE Header Inbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003614; rev:6; metadata:created_at 2010_07_30, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #4"; ja3_hash; content:"3f00755c412442e642f5572ed4f2eaf2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028498; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO WinUpack Modified PE Header Outbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003615; rev:7; metadata:created_at 2010_07_30, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - UMich Scanner (can use: zgrab)"; ja3_hash; content:"0e580f864235348848418123f96bbaa0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028499; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura exploit kit exploit download request /view.php"; flow:established,to_server; content:"/view.php?i="; http_uri; fast_pattern; pcre:"/\/view.php\?i=\d&key=[0-9a-f]{32}$/U"; classtype:exploit-kit; sid:2015678; rev:3; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - UMich Scanner (can use: zgrab)"; ja3_hash; content:"9a1c3fed39b016b8d81cc77dae70f60f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028500; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY NeoSploit - Java Exploit Requested"; flow:established,to_server; urilen:>89; content:".jar"; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.jar$/U"; classtype:exploit-kit; sid:2015689; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_09_11, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - UMich Scanner (can use: zgrab)"; ja3_hash; content:"dc76bc3a4e3bc38939dfd90d8b7214b7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028501; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:exploit-kit; sid:2015690; rev:3; metadata:created_at 2012_09_11, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Unidentified attack tool"; ja3_hash; content:"90f6c4b0577fb24a31bea0acc1fcc27d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028502; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT  NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; fast_pattern; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:exploit-kit; sid:2015691; rev:3; metadata:created_at 2012_09_11, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown BrowserStack timeframe SMTP STARTLS"; ja3_hash; content:"7bc3475b771c44c764614397da069d28"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028503; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; fast_pattern; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:exploit-kit; sid:2015694; rev:3; metadata:created_at 2012_09_11, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown SMTP server (207.46.100.103)"; ja3_hash; content:"23a9b0eb3584e358816a123c208a2c8b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028504; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SHELLCODE MSSQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; fast_pattern; classtype:shellcode-detect; sid:2100691; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown SMTP Server (used by Facebook)"; ja3_hash; content:"26cdef14ec70c2d6ebd943fe8069c4da"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028505; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Telnet Root not on console"; flow:from_server,established; content:"not on system console"; fast_pattern; nocase; reference:arachnids,365; classtype:bad-unknown; sid:2100717; rev:10; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown Something on Android that talks to Google Analytics"; ja3_hash; content:"335ec05b3ddb3800a8df47641c2d8e33"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028506; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET root login"; flow:from_server,established; content:"login|3a 20|root"; fast_pattern; classtype:suspicious-login; sid:2100719; rev:9; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown TLS Scanner"; ja3_hash; content:"18e9afaf91db6f8a2470e7435c2a1d6b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028507; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; fast_pattern; classtype:shellcode-detect; sid:2101424; rev:9; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - UNVERIFIED: May be BlueCoat proxy"; ja3_hash; content:"f6bae8bacf93b5e97e80b594ffeba859"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028508; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL ctx_output.start_log buffer overflow attempt"; flow:to_server,established; content:"ctx_output.start_log"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102678; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - urlgrabber/3.10 yum/3.4.3"; ja3_hash; content:"37f691b063c10372135db21579643bf1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028509; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL alter file buffer overflow attempt"; flow:to_server,established; content:"alter"; nocase; fast_pattern; pcre:"/ALTER\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2102697; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many desktop apps,Quip,Spotify,GitHub Desktop"; ja3_hash; content:"84071ea96fc8a60c55fc8a405e214c0f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028510; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_flavor_change"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102708; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"40fd0a5e81ebdcf0ec82a4710a12dec1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028511; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102709; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"618ee2509ef52bf0b8216e1564eea909"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028512; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102652; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"799135475da362592a4be9199d258726"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028513; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_flavor_change"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102711; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"7b530a25af9016a9d12de5abc54d9e74"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028514; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102712; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"c05de18b01a054f2f6900ffe96b3da7a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028515; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102713; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"e4d448cdfe06dc1243c1eb026c74ac9a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028516; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.resume_subset_of_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.resume_subset_of_masters"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102714; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"f1c5cf087b959cec31bd6285407f689a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028517; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.begin_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102715; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Python/PHP/Git/dotnet/Adobe"; ja3_hash; content:"488b6b601cb141b062d4da7f524b4b22"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028518; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102635; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Quip/Aura/Spotify/Chatty"; ja3_hash; content:"f28d34ce9e732f644de2350027d74c3f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028519; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.differences"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){10}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102717; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Quip/Spotify/Dropbox/GitHub Desktop/etc"; ja3_hash; content:"190dfb280fe3b541acc6a2e5f00690e6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028520; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.rectify"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){8}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102718; rev:3; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Slack/Postman/Spotify/Google Chrome"; ja3_hash; content:"20dd18bdd3209ea718989030a6f93364"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028521; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.abort_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102719; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Valve Steam Client #1"; ja3_hash; content:"2d96ffb535c7c7a30cad924b9b9f2b52"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028522; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_column_group_to_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102720; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Valve Steam Client #2"; ja3_hash; content:"ab1fa6468096ab057291aa381d5de2b7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028523; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102721; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Viber"; ja3_hash; content:"e0224fc1c33658f2d3d963bfb0a76a85"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028524; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_delete_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102674; rev:3; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - VirtualBox Update Poll (tested 5.0.8 r103449)"; ja3_hash; content:"41e3681b7c8c915e33b1f80d275c19d5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028525; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_object_to_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102722; rev:3; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - VLC"; ja3_hash; content:"81fb3e51bf3f18c5755146c28d07431b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028526; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102723; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - VMWare Fusion / Workstation / Player Update Check 8.x-12.x"; ja3_hash; content:"cff90930827e8b0f4e5a6fcc17319954"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028527; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_date"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102724; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - VMWare Update Check 6.x"; ja3_hash; content:"a50a861119aceb0ccc74902e8fddb618"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028528; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102725; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - VMware vSphere Client (Tested v4.1.0)"; ja3_hash; content:"48e69b57de145720885af2894f2ab9e7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028529; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102727; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - vpnkit"; ja3_hash; content:"01319090aea981dde6fc8d6ae71ead54"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028530; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102728; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3af (tested: v1.6.54 Kali 1)"; ja3_hash; content:"10a686de1c41107df06c21df245e24cd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028531; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102729; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3af (tested: v1.6.54 Kali 2)"; ja3_hash; content:"f13e6d84b915e17f76fdf4ea8c959b4d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028532; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102730; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3af (tested: v1.6.54 Kali 3)"; ja3_hash; content:"345b5717dae9006a8bcd4cb1a5f09891"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028533; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_unique_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102731; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3c HTML Validator"; ja3_hash; content:"74ebac04b642a0cab032dd46e8099fdc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028534; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_update_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102732; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3c HTML Validator, java,eclipse"; ja3_hash; content:"4056657a50a8a4e5cfac40ba48becfa2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028535; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_propagation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102733; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3m (tested: 0.5.3 OS X)"; ja3_hash; content:"975ef0826e8485f2335db71873cb34c6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028536; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102619; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3m 0.5.3 (OS X version)"; ja3_hash; content:"6b4b535249a1dcd95e3b4b6e9e572e5e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028537; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102734; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3m 0.5.3 / lynx 3.2 / svn 1.8.10 (openSUSE Leap 42.1)"; ja3_hash; content:"575771dbc723df24b764ac0303c19d10"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028538; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102741; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Web"; ja3_hash; content:"0172e9e41a8940e6a809967e4835214a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028539; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102735; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - WebKit per Safari 9.0.1 (11601.2.7.2)"; ja3_hash; content:"58d97971a14d0520c5c56caa75470948"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028540; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_date"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102736; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - WebKit per Safari 9.0.1 (11601.2.7.2)"; ja3_hash; content:"9ef7a86952e78eeb83590ff4d82a5538"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028541; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nchar"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102737; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - WeeChat"; ja3_hash; content:"8e1172bd5dcc4698928c7eb454a2c3de"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028542; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_number"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102738; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - wget (tested GNU Wget 1.16.1 & 1.17 on OS X)"; ja3_hash; content:"5f1d4c631ddedf942033c9ae919158b8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028543; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nvarchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102739; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - wget 1.14 (openSUSE Leap 42.1)"; ja3_hash; content:"70663c6da28b3b9ac281d7b31d6b97c3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028544; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102740; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Wii-U"; ja3_hash; content:"444434ebe3f52b8453c3803bff077ebd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028545; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102742; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Win default thing a la webkit"; ja3_hash; content:"c8d1364bba308db5a4a20c65c58ffde1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028546; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102744; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Win10 Mail Client"; ja3_hash; content:"123b8f4705d525caffa3f2b36447f481"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028547; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102743; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 10 Native Connection"; ja3_hash; content:"aee020803d10a4d39072817184c8eedc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028548; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_snapshot_propagation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102745; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 10 WebSockets (inc Edge) #1"; ja3_hash; content:"205200cdaac61b110838556b834070d1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028549; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.begin_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102747; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 10 WebSockets (inc Edge) #2"; ja3_hash; content:"5a0fa8873e5ffe7d9385647adc8912d7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028550; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102609; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 8.x Apps Store thing (unconfirmed)"; ja3_hash; content:"a7b2f0639f58f97aec151e015be1f684"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028551; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102748; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 8.x Builtin Mail Client"; ja3_hash; content:"0d15924fe8f8950a3ec3a916e97c8498"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028552; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_delete_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102749; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 8.x TLS Socket"; ja3_hash; content:"a8ee937cf82bb0972fecc23d63c9cd82"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028553; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_mview_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_mview_repsites"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gowner|gname)[\r\n\s]*=>[\r\n\s]*\2|(gowner|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102750; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Windows Watson WCEI Telemetry Gather"; ja3_hash; content:"2c14bfb3f8a2067fbc88d8345e9f97f3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028554; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_priority_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102751; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - wineserver"; ja3_hash; content:"84607748f3887541dd60fe974a042c71"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028555; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102752; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Yahoo! Slurp Indexer"; ja3_hash; content:"1202a58b454f54a47d2c216567ebd4fb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028557; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102606; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Yahoo! Slurp Indexer"; ja3_hash; content:"de364c46b0dfc283b5e38c79ceae3f8f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028558; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repsites"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102753; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Yandex Bot, wget 1.18"; ja3_hash; content:"d83881675de3f6aacbcc0b2bae6f8923"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028559; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102754; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - youtube-dl 2016.06.03 (openSUSE Leap 42.1)"; ja3_hash; content:"11404429d240670cc018bed04e918b6f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028560; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102755; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Zite (Android) 1 - May collide with Chrome"; ja3_hash; content:"f8f5b71e02603b283e55b50d17ede861"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028561; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102756; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Zite (Android) 2 - May collide with Chome"; ja3_hash; content:"5ae88f37a16f1b054f2edff1c8730471"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028562; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2102605; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ZwiftApp"; ja3_hash; content:"c2b4710c6888a5d47befe865c8e6fb19"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028563; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102757; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Lets Encrypt Free SSL Cert Observed in Possible Coinhive Javascript Cryptocurrency Mining"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; fast_pattern; content:"|55 04 03|"; distance:0; content:"coin-hive"; within:50; nocase; pcre:!"/#http:\/\/cert.*coinhive/i"; reference:url,coin-hive.com; classtype:policy-violation; sid:2024720; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2020_08_20;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102758; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [TGI] Cobalt Strike Malleable C2 Response (O365 Profile) M2"; flow:established,to_client; http.header; content:"16723708fc9|0d 0a|X-CalculatedBETarget|3a 20|BY2PR06MB549.namprd06.prod.outlook.com"; content:"X-FEServer|3a 20|CY4PR02CA0010"; distance:0; reference:md5,a26722fc7e5882b5a273239cddfe755f; reference:url,attack.mitre.org/groups/G0080/; classtype:command-and-control; sid:2028589; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*fname[\r\n\s]*=>[\r\n\s]*\2|fname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102603; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [TGI] Cobalt Strike Malleable C2 Response (YouTube Profile)"; flow:established,to_client; http.header; content:"Frontend Proxy|0d 0a|Set-Cookie|3a 20|YSC=LT4ZGGSgKoE|3b|"; fast_pattern; content:"X-FEServer|3a 20|CY4PR02CA0010"; distance:0; reference:md5,69c6e302cc4394cae7ed8c6f7b288e92; reference:url,attack.mitre.org/groups/G0080/; classtype:command-and-control; sid:2028590; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102850; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http any any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible GhostMiner CCBOT Component - CnC Checkin"; flow:established,to_server; content:"/Update/CC/CC.php"; startswith; endswith; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads/; classtype:command-and-control; sid:2028604; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family GhostMiner, performance_impact Low, signature_severity Major, updated_at 2019_09_19;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102759; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PHPStudy Remote Code Execution Backdoor"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Accept-Charset|3a 20|"; fast_pattern; nocase; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x0d\x0a/R"; reference:url,www.cnblogs.com/-qing-/p/11575622.html; reference:url,www.uedbox.com/post/59265/; classtype:attempted-admin; sid:2028629; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_09_25, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Significant, signature_severity Major, updated_at 2019_09_25;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102851; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Inbox Access"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/inbox/"; http_uri; reference:url,doc.emergingthreats.net/2007628; classtype:policy-violation; sid:2007628; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102760; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Message Access"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/inbox/messages/"; http_uri; reference:url,doc.emergingthreats.net/2007629; classtype:policy-violation; sid:2007629; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102761; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Compose Message"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"index.php?l1=mg"; http_uri; reference:url,doc.emergingthreats.net/2007630; classtype:policy-violation; sid:2007630; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102762; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Message Submit"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/"; http_uri; content:"POST"; http_method; content:"/messages/"; http_uri; content:"postman_secret"; reference:url,doc.emergingthreats.net/2007631; classtype:policy-violation; sid:2007631; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102763; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>SYSTEM ERROR"; fast_pattern; nocase; content:"getURLParameter"; distance:0; content:"decodeURI"; distance:0; content:"loadNumber"; distance:0; content:"confirmExit"; distance:0; classtype:social-engineering; sid:2023039; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_09_26;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102764; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocENG Payload DL"; flow:established,from_server; content:"|3b 20 66 69 6c 65 6e 61 6d 65 3d 43 68 72 ce bf 6d d0 b5 20 66 ce bf 6e e1 b9 ab 2e 65 78 65|"; http_header; nocase; file_data; content:"MZ"; within:2; classtype:social-engineering; sid:2024198; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, signature_severity Major, updated_at 2019_09_26;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102765; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tcp $HOME_NET any -> [85.93.0.0/24,194.165.16.0/24,31.184.192.0/24] 80 (msg:"ET EXPLOIT_KIT EITest Flash Redirect Aug 09 2016"; flow:established,to_server; urilen:>20; content:"x-flash-version|3a 20|"; http_header; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; classtype:exploit-kit; sid:2023036; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_09_26;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102766; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $HOME_NET 2555 (msg:"ET SCAN Internal to Internal UPnP Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ri"; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008092; classtype:attempted-recon; sid:2008092; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102767; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ri"; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008093; classtype:attempted-recon; sid:2008093; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102601; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET WEB_SERVER Oracle Secure Enterprise Search 10.1.8 search Script XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/search/query/search"; nocase; content:"search_p_groups="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?/i"; reference:url,dsecrg.com/pages/vul/show.php?id=125; reference:url,doc.emergingthreats.net/2009643; classtype:web-application-attack; sid:2009643; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102637; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7011 (msg:"ET WEB_SERVER Oracle BEA Weblogic Server 10.3 searchQuery XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/consolehelp/console-help.portal"; nocase; content:"searchQuery="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/i"; reference:url,dsecrg.com/pages/vul/show.php?id=131; reference:url,doc.emergingthreats.net/2009644; classtype:web-application-attack; sid:2009644; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102639; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.iBryte.BO CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/impression.do/?event="; depth:22; fast_pattern; content:"&user_id="; distance:0; http.user_agent; content:"download manager"; reference:md5,be6363e960d9a40b8e8c5825b13645c7; classtype:pup-activity; sid:2028633; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, tag PUP, updated_at 2019_09_26;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102769; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"f58966d34ff9488a83797b55c804724d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028236; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102770; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vaccineprogram.co.kr Related Spyware User Agent (pcsafe)"; flow:established,to_server; content:"User-Agent|3a| pcsafe"; reference:url,doc.emergingthreats.net/2006420; classtype:pup-activity; sid:2006420; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102777; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET P2P Soulseek"; flow: established; content:"slsknet"; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001188; classtype:policy-violation; sid:2001188; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102771; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN DEBUG Method Request with Command"; flow:established,to_server; content:"DEBUG "; depth:6; content:"|0d 0a|Command|3a| "; distance:0; reference:url,doc.emergingthreats.net/2008312; classtype:attempted-recon; sid:2008312; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102779; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible Fast-Track Tool Spidering User-Agent Detected"; flow:established,to_server; content:"|0d 0a|User-Agent|3A| pymills-spider/"; reference:url,www.offensive-security.com/metasploit-unleashed/Fast-Track-Modes; reference:url,doc.emergingthreats.net/2011721; classtype:attempted-recon; sid:2011721; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102772; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLBrute SQL Scan Detected"; flow:to_server,established; content:"AND not exists (select * from master..sysdatabases)"; offset:60; depth:60; reference:url,www.justinclarke.com/archives/2006/03/sqlbrute.html; reference:url,www.darknet.org.uk/2007/06/sqlbrute-sql-injection-brute-force-tool/; reference:url,doc.emergingthreats.net/2009477; classtype:attempted-recon; sid:2009477; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102773; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL User Scan"; content:"?param=a"; flow:to_server,established; content:"if%20ascii%28substring%28%28select%20system%5Fuser"; distance:2; threshold: type threshold, track by_src, count 20, seconds 10; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009040; classtype:attempted-recon; sid:2009040; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102774; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL Database User Rights Scan"; flow:to_server,established; content:"?param=a"; content:"if%20is%5Fsrvrolemember%28%27sysadmin"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009041; classtype:attempted-recon; sid:2009041; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nvarchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102775; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL Authentication Mode Scan"; flow:to_server,established; content:"?param=a"; content:"if%20not%28%28select%20serverproperty%28%27IsIntegratedSecurityOnly"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009042; classtype:attempted-recon; sid:2009042; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102776; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja Attempt To Recreate xp_cmdshell Using sp_configure"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Esp%5Fconfigure%20%27show%20advanced%20options"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009043; classtype:attempted-admin; sid:2009043; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102778; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja Attempt To Create xp_cmdshell Session"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Exp%5Fcmdshell%20%27cmd%20%2FC%20%25TEMP"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009044; classtype:attempted-admin; sid:2009044; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102780; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Stompy Web Application Session Scan"; flow:to_server,established; content:"Session Stomper"; offset:100; depth:25; reference:url,www.darknet.org.uk/2007/03/stompy-the-web-application-session-analyzer-tool/; reference:url,doc.emergingthreats.net/2008605; classtype:attempted-recon; sid:2008605; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102781; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN w3af Scan In Progress ARGENTINA Req Method"; flow:to_server,established; content:"ARGENTINA "; depth:10; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2011027; classtype:attempted-recon; sid:2011027; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102782; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN WhatWeb Web Application Fingerprint Scanner Default User-Agent Detected"; flow:established,to_server; content:"|0d 0a|User-Agent|3A| WhatWeb/"; reference:url,www.morningstarsecurity.com/research/whatweb; reference:url,doc.emergingthreats.net/2010960; classtype:attempted-recon; sid:2010960; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102783; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX SendCommand Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"SendCommand"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011200; classtype:attempted-user; sid:2011200; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102784; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Login Method Buffer Oveflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"Login"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011201; classtype:attempted-user; sid:2011201; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102785; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBOpen Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"_DownloadPBOpen"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011203; classtype:attempted-user; sid:2011203; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_mview_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_mview_support"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102852; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBClose Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"_DownloadPBClose"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011204; classtype:attempted-user; sid:2011204; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102786; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Snapshot Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"Snapshot"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011202; classtype:attempted-user; sid:2011202; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_trigger buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_trigger"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102853; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBControl Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"_DownloadPBControl"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011205; classtype:attempted-user; sid:2011205; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_snapshot_support"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102854; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AVC781Viewer.CV781Object"; nocase; distance:0; pcre:"/(SendCommand|Login|Snapshot|_DownloadPBControl|_DownloadPBClose|_DownloadPBOpen)/i"; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011206; classtype:attempted-user; sid:2011206; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102788; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Adobe browser document ActiveX DoS Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"AcroPDFLib.AcroPDF"; distance:0; nocase; content:"src"; nocase; reference:url,www.packetstormsecurity.nl/0911-exploits/acropdf-dos.txt; reference:url,doc.emergingthreats.net/2010705; classtype:attempted-user; sid:2010705; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102789; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Adobe browser document ActiveX DoS Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"CA8A9780-280D-11CF-A24D-444553540000"; nocase; distance:0; content:"src"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CA8A9780-280D-11CF-A24D-444553540000/si"; reference:url,www.packetstormsecurity.nl/0911-exploits/acropdf-dos.txt; reference:url,doc.emergingthreats.net/2010726; classtype:attempted-user; sid:2010726; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102790; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Ask.com Toolbar askBar.dll ActiveX ShortFormat Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"5A074B2B-F830-49DE-A31B-5BB9D7F6B407"; nocase; distance:0; content:"ShortFormat"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5A074B2B-F830-49DE-A31B-5BB9D7F6B407/si"; reference:url,www.packetstormsecurity.nl/0911-exploits/ask_shortformat.rb.txt; reference:url,secunia.com/advisories/26960/; reference:url,doc.emergingthreats.net/2010921; classtype:web-application-attack; sid:2010921; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102791; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like sun4u)"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| Mozilla/4.76 [ru] (X11|3b| U|3b| SunOS 5.7 sun4u)"; nocase; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011244; classtype:web-application-attack; sid:2011244; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102792; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Bot Search RFI Scan (Casper-Like MaMa Cyber/ebes)"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa "; nocase; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011286; classtype:web-application-attack; sid:2011286; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102793; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Cherokee Web Server GET AUX Request Denial Of Service Attempt"; flow:established,to_server; content:"GET |2F|AUX HTTP|2F|1|2E|"; nocase; depth:16; reference:url,securitytracker.com/alerts/2009/Oct/1023095.html; reference:url,www.securityfocus.com/bid/36814/info; reference:url,www.securityfocus.com/archive/1/507456; reference:url,doc.emergingthreats.net/2010229; classtype:attempted-dos; sid:2010229; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102631; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco ASA Appliance Clientless SSL VPN HTML Rewriting Security Bypass Attempt/Cross Site Scripting Attempt"; flow:to_client,established; content:"CSCO_WebVPN"; nocase; content:"csco_wrap_js"; within:100; nocase; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18442; reference:url,www.securityfocus.com/archive/1/504516; reference:url,www.securityfocus.com/bid/35476; reference:cve,2009-1201; reference:cve,2009-1202; reference:url,doc.emergingthreats.net/2010730; classtype:web-application-attack; sid:2010730; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102795; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 405 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 405 Method Not Allowed|0d 0a|"; depth:33; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010519; classtype:web-application-attack; sid:2010519; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102796; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 406 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 406 Not Acceptable|0d 0a|"; depth:29; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010521; classtype:web-application-attack; sid:2010521; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102797; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 500 XSS Attempt (Internal Source)"; flow:from_server,established; content:"HTTP/1.1 500 Internal Server Error|0d 0a|"; depth:36; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010524; classtype:web-application-attack; sid:2010524; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102798; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 503 XSS Attempt (Internal Source)"; flow:from_server,established; content:"HTTP/1.1 503 Service Unavailable|0d 0a|"; depth:34; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010526; classtype:web-application-attack; sid:2010526; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.relocate_masterdef"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102799; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL sp_password attempt"; flow:to_server,established; content:"sp_password"; nocase; reference:url,doc.emergingthreats.net/2000105; classtype:attempted-user; sid:2000105; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.remove_master_databases buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.remove_master_databases"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102855; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL sp_delete_alert attempt"; flow:to_server,established; content:"sp_delete_alert"; nocase; reference:url,doc.emergingthreats.net/2000106; classtype:attempted-user; sid:2000106; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102800; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|#|20|This|20|is|20|a|20|sample|20|HOSTS|20|file|20|used|20|by|20|Microsoft|20|TCP/IP|20|for|20|Windows.|0d 0a|#|0d 0a|#|20|This|20|file|20|contains|20|the|20|mappings|20|of|20|IP|20|addresses|20|to|20|host|20|names."; reference:url,doc.emergingthreats.net/bin/view/Main/2008559; classtype:trojan-activity; sid:2008559; rev:8; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102627; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE r57 phpshell footer detected"; flow:established,from_server; content:"r57shell - http-shell by RST/GHC"; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003535; classtype:web-application-activity; sid:2003535; rev:8; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.resume_master_activity"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102801; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE x2300 phpshell detected"; flow:established,from_server; content:"x2300 Locus7Shell"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007651; classtype:web-application-activity; sid:2007651; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_and_compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_and_compare_old_values"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102804; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt"; flow:established,to_client; content:"|0d 0a|%FDF-"; depth:600; content:"/F(JavaScript|3a|"; nocase; distance:0; reference:url,www.securityfocus.com/bid/37763; reference:cve,2009-3956; reference:url,doc.emergingthreats.net/2010664; reference:url,www.stratsec.net/files/SS-2010-001_Stratsec_Acrobat_Script_Injection_Security_Advisory_v1.0.pdf; classtype:attempted-user; sid:2010664; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2102626; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Wapiti Web Server Vulnerability Scan"; flow:to_server,established; content:"GET /"; depth:5; content:"?http|3A|//www.google."; within:100; nocase; content:"|0d 0a|User-Agent|3A 20|Python-httplib2"; distance:0; reference:url,wapiti.sourceforge.net/; reference:url,doc.emergingthreats.net/2008417; classtype:attempted-recon; sid:2008417; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_columns buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_columns"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102805; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer URI Validation Remote Code Execution Attempt"; flow:established,to_client; content:"#|3A|../../"; content:"C|3A 5C|"; nocase; within:50; pcre:"/\x2E\x2E\x2F\x2E\x2E\x2F.+C\x3A\x5C[a-z]/si"; reference:url,www.securityfocus.com/bid/37884; reference:cve,2010-0027; reference:url,doc.emergingthreats.net/2010798; classtype:attempted-user; sid:2010798; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_local_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102806; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER MSSQL Server OLEDB asp error"; flow: established,from_server; content:"Microsoft OLE DB Provider for SQL Server error"; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d42.htm; reference:url,doc.emergingthreats.net/2001768; classtype:web-application-activity; sid:2001768; rev:12; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.specify_new_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.specify_new_masters"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102807; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Containing Windows Commands Downloaded"; flow:established,to_client; content:"%PDF-"; content:"|3C 3C 0D 0A 20 2f|type|20 2F|action|0D 0A 20 2F|s|20 2F|launch|0D 0A 20 2F|win"; distance:0; nocase; reference:url,doc.emergingthreats.net/2011245; classtype:bad-unknown; sid:2011245; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.suspend_master_activity"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102808; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 406 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 406 Not Acceptable|0d 0a|"; depth:29; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010522; classtype:web-application-attack; sid:2010522; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_mview_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_mview_master"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102856; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 500 Internal Server Error|0d 0a|"; depth:36; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010525; classtype:web-application-attack; sid:2010525; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_snapshot_master"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1073,}\x27|\x22[^\x22]{1073,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,})|\(\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102857; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 503 Service Unavailable|0d 0a|"; depth:34; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010527; classtype:web-application-attack; sid:2010527; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102809; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Encoded javascriptdocument.write - usually hostile"; flow: established,to_client; content:"|313030|,111,99,117,109,101,110,116,46,119,114,105,116,101"; reference:url,doc.emergingthreats.net/2001811; classtype:misc-activity; sid:2001811; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102810; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Acrobat Reader Newclass Invalid Pointer Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|F2 3D 8D 23|"; reference:url,www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/; reference:cve,2010-1297; classtype:attempted-user; sid:2011519; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102811; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat newfunction Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|40 E8 D4 F1 FF 33|"; reference:url,www.adobe.com/support/security/bulletins/apsb10-15.html; reference:url,www.exploit-db.com/moaub-23-adobe-acrobat-and-reader-newfunction-remote-code-execution-vulnerability/; reference:bid,41236; reference:cve,2010-2168; classtype:attempted-user; sid:2011575; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_for_local_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102812; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Cross-Origin Theft Attempt"; flow:established,to_client; content:"document.body.currentStyle.fontFamily"; nocase; content:".indexOf(|22|authenticity_token"; nocase; distance:0; reference:url,www.theregister.co.uk/2010/09/06/mystery_ie_bug/; reference:url,www.darknet.org.uk/2010/09/microsoft-investigate-ie-css-cross-origin-theft-vulnerability/; reference:url,seclists.org/fulldisclosure/2010/Sep/64; classtype:bad-unknown; sid:2011472; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.register_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102629; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT phoenix exploit kit - admin login page detected"; flow:established,to_client; content:"<title>Phoenix Exploit's Kit - Log In</title>"; classtype:exploit-kit; sid:2011281; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102624; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Acrobat and Reader Pushstring Memory Corruption Attempt"; flow:established,to_client; flowbits:isset,ET.flash.pdf; content:"|2C E8 88 F0 FF 33|"; reference:url,www.exploit-db.com/moaub12-adobe-acrobat-and-reader-pushstring-memory-corruption/; reference:bugtraq,41237; reference:cve,2010-2201; classtype:attempted-user; sid:2011500; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102746; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Gootkit Website Infection Receiving FTP Credentials from Control Server"; flowbits:isset,ET.GOOTKIT; flow:established,from_server; content:"<acc><login>"; nocase; content:"</login><pass>"; nocase; distance:0; content:"</pass><serv>"; nocase; distance:0; content:"</serv><port>21</port>"; nocase; distance:0; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011287; classtype:web-application-attack; sid:2011287; rev:4; metadata:created_at 2010_09_28, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102641; rev:6; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Local Website Infected By Gootkit"; flow:established,from_server; content:"Gootkit iframer component"; nocase; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011285; classtype:web-application-attack; sid:2011289; rev:4; metadata:created_at 2010_09_28, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102645; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL SuperBuddy ActiveX Control Remote Code Execution Attempt"; flow:from_server,established; content:"189504B8-50D1-4AA8-B4D6-95C8F58A6414"; nocase; content:"SetSuperBuddy"; nocase; content:"//"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*189504B8-50D1-4AA8-B4D6-95C8F58A6414/si"; reference:url,www.securityfocus.com/bid/36580/info; reference:url,www.securityfocus.com/archive/1/506889; reference:url,doc.emergingthreats.net/2010039; classtype:attempted-user; sid:2010039; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102647; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Awingsoft Web3D Player Remote Buffer Overflow"; flow:to_client,established; content:"17A54E7D-A9D4-11D8-9552-00E04CB09903"; nocase; content:"SceneURL"; nocase; reference:url,secunia.com/advisories/35764/; reference:url,milw0rm.com/exploits/9116; reference:url,shinnai.net/xplits/TXT_nsGUdeley3EHfKEV690p.html; reference:url,doc.emergingthreats.net/2009857; classtype:web-application-attack; sid:2009857; rev:8; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(object_type|user_name)[\r\n\s]*=>[\r\n\s]*\2|(object_type|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102802; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite"; flow:to_client,established; content:"B973393F-27C7-4781-877D-8626AAEDF119"; nocase; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/Ri"; content:"SaveLastError"; nocase; reference:bugtraq,28546; reference:url,www.milw0rm.com/exploits/5338; reference:url,doc.emergingthreats.net/2008099; classtype:web-application-attack; sid:2008099; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102676; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow"; flow:to_client,established; content:"39FDA070-61BA-11D2-AD84-00105A17B608"; nocase; content:"%5F%DC%02%10%cc"; nocase; distance:0; content:"SecretKey"; nocase; reference:bugtraq,31814; reference:url,www.milw0rm.com/exploits/6793; reference:url,doc.emergingthreats.net/2008683; classtype:web-application-attack; sid:2008683; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_offline"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102675; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Avzhan DDOS Bot Outbound Hardcoded Malformed GET Request Denial Of Service Attack Detected"; flow:established,to_server; content:"GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm"; depth:49; nocase; threshold:type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; classtype:trojan-activity; sid:2011585; rev:4; metadata:created_at 2010_09_29, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102677; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Avaya CallPilot Unified Messaging ActiveX InstallFrom Method Access Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"7F14A9EE-6989-11D5-8152-00C04F191FCA"; nocase; distance:0; content:"InstallFrom"; nocase; reference:url,secunia.com/advisories/40184/; reference:bugtraq,40535; reference:url,doc.emergingthreats.net/10767; classtype:attempted-user; sid:2011692; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102623; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Avaya CallPilot Unified Messaging ActiveX Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"NMWEBINST.NMWebInstCtrl.1"; nocase; distance:0; content:"InstallFrom"; nocase; reference:url,secunia.com/advisories/40184/; reference:bugtraq,40535; reference:url,doc.emergingthreats.net/2011681; classtype:attempted-user; sid:2011681; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102621; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Axis Media Controller ActiveX SetImage Method Remote Code Execution Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"DE625294-70E6-45ED-B895-CFFA13AEB044"; nocase; distance:0; content:"SetImage"; nocase; reference:bugtraq,41078; reference:url,doc.emergingthreats.net/2011722; classtype:attempted-user; sid:2011722; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_utl.drop_an_object"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102622; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Heap Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"4A46B8CD-F7BD-11D4-B1D8-000102290E7C"; nocase; distance:0; content:"0x400000"; distance:0; content:"ImageURL"; nocase; reference:bugtraq,31987; reference:url,milw0rm.com/exploits/6878; reference:url,doc.emergingthreats.net/2008790; classtype:web-application-attack; sid:2008790; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102859; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Object SMTP Component Buffer Overflow Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"EasyMail.SMTP.6"; distance:0; nocase; pcre:"/(AddAttachment|SubmitToExpress)/i"; reference:url,secunia.com/advisories/24199/; reference:url,www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/oracle_dc_submittoexpress.rb; reference:url,doc.emergingthreats.net/2010657; classtype:web-application-attack; sid:2010657; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102877; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AoA Audio Extractor ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"125C3F0B-1073-4783-9A7B-D33E54269CA5"; nocase; distance:0; content:"InitLicenKeys"; nocase; reference:url,exploit-db.com/exploits/14599/; reference:url,packetstormsecurity.org/1010-exploits/aoaae-rop.txt; classtype:web-application-attack; sid:2011801; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102893; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 ActiveX Control Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MSVidCtlLib.MSVidVMR9"; nocase; distance:0; content:".CustomCompositorClass"; nocase; reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt; classtype:attempted-user; sid:2011590; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_02, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102895; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Softek Barcode Reader Toolkit ActiveX Control Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"SoftekATL.CBarcode"; nocase; distance:0; content:".DebugTraceFile"; nocase; reference:url,exploit-db.com/exploits/15071/; classtype:attempted-user; sid:2011870; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102830; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Softek Barcode Reader Toolkit ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"11E7DA45-B56D-4078-89F6-D3D651EC4CD6"; nocase; distance:0; content:".DebugTraceFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*11E7DA45-B56D-4078-89F6-D3D651EC4CD6/si"; reference:url,exploit-db.com/exploits/15071; classtype:web-application-attack; sid:2011869; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Bad Login"; flow:from_server,established; content:"Login incorrect"; nocase; fast_pattern; classtype:bad-unknown; sid:2101251; rev:10; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code Execution Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"15DBC3F9-9F0A-472E-8061-043D9CEC52F0"; nocase; distance:0; content:"extSetOwner"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15DBC3F9-9F0A-472E-8061-043D9CEC52F0/si"; reference:url,www.exploit-db.com/trend-micro-internet-security-pro-2010-activex-extsetowner-remote-code-execution/; classtype:attempted-user; sid:2011867; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert udp $EXTERNAL_NET any -> $HOME_NET [137,138,139,445] (msg:"ET SCAN Nessus Netbios Scanning"; content:"n|00|e|00|s|00|s|00|u|00|s"; fast_pattern; reference:url,www.tenable.com/products/nessus/nessus-product-overview; classtype:attempted-recon; sid:2015754; rev:3; metadata:created_at 2012_10_01, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt"; flow:to_client,established; content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; content:".CustomCompositorClass"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*24DC3975-09BF-4231-8655-3EE71F43837D/si"; reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt; classtype:web-application-attack; sid:2011589; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_02, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert udp any any -> any 161 (msg:"ET SNMP Attempt to retrieve Cisco Config via TFTP (CISCO-CONFIG-COPY)"; content:"|2b 06 01 04 01 09 09 60 01 01 01 01|"; fast_pattern; classtype:policy-violation; sid:2015856; rev:6; metadata:created_at 2012_11_01, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JcomBand toolbar ActiveX Control isRegistered Property Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"952E3F80-0C34-48CD-829B-A45913B29670"; nocase; distance:0; content:"isRegistered"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*952E3F80-0C34-48CD-829B-A45913B29670/si"; reference:url,www.exploit-db.com/exploits/11059; reference:url,secunia.com/advisories/38081/; reference:url,doc.emergingthreats.net/2010976; classtype:attempted-user; sid:2010976; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Cool Exploit Kit Requesting Payload"; flow:established,to_server; content:"/f.php?k="; http_uri; fast_pattern; pcre:"/^\/[a-z]\/f\.php\?k=\d(&e=\d&f=\d)?$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015873; rev:6; metadata:created_at 2012_11_09, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT VLC Media Player .ass File Buffer Overflow Attempt"; flowbits:isset,ET.ass.request; flow:established,to_client; content:"Dialogue|3A|"; nocase; isdataat:60000,relative; content:!"|0A|"; within:60000; reference:url,www.securityfocus.com/bid/37832/info; reference:url,doc.emergingthreats.net/2010758; classtype:attempted-user; sid:2010758; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Excel file download - SET 1"; flow:established,from_server; flowbits:isset,OLE.CompoundFile; file_data; content:"|09 08 10 00 00 06 05 00|"; distance:512; content:"|57006F0072006B0062006F006F006B00|"; fast_pattern; flowbits:set,ETPRO.Microsoft.Excel; flowbits:noalert; reference:cve,2012-0185; classtype:attempted-user; sid:2025086; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_05_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT VLC Media Player smb URI Handling Remote Buffer Overflow Attempt"; flow:established,to_client; content:"<location>"; nocase; content:"smb|3A|//"; within:20; nocase; content:!"|0A|"; within:1000; isdataat:1000,relative; pcre:"/\x3Clocation\x3D.+smb\x3A\x2F\x2F.{1000}.+\x3C\x2Flocation\x3E/smi"; reference:url,www.securityfocus.com/bid/35500/info; reference:url,doc.emergingthreats.net/2010813; classtype:attempted-user; sid:2010813; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit Java Request to Recent jar (2)"; flow:established,to_server; content:"/887.jar"; fast_pattern; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015929; rev:4; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT eval String.fromCharCode String Which May Be Malicious"; flow:established,to_client; content:"eval|28|"; fast_pattern; nocase; content:"String.fromCharCode|28|"; nocase; within:40; pcre:"/eval\x28(String\x2EfromCharCode\x28|[a-z,0-9]{1,20}\x28String\x2EfromCharCode\x28)/i"; classtype:bad-unknown; sid:2012173; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit Java Request to Recent jar (1)"; flow:established,to_server; content:"/332.jar"; fast_pattern; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015928; rev:4; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation"; flow:established,to_client; content:"unescape|28 22|"; content:!"|29|"; within:100; content:"|22| +|0a|"; within:80; content:"|22| +|0a|"; within:80; content:"|22| "; within:80; content:"|22| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012196; rev:4; metadata:created_at 2011_01_17, updated_at 2019_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit .blogsite. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".blogsite."; http_header; nocase; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015939; rev:4; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation 2"; flow:established,to_client; content:"unescape|28 27|"; content:!"|29|"; within:100; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012197; rev:5; metadata:created_at 2011_01_17, updated_at 2019_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Propack Payload Request"; flow:established,to_server; content:".php?j=1&k="; http_uri; nocase; fast_pattern; content:" Java/1"; http_header; pcre:"/\.php\?j=1&k=[0-9](i=[0-9])?$/U"; classtype:exploit-kit; sid:2015950; rev:3; metadata:created_at 2012_11_28, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture File Overwrite or Buffer Overflow Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"NCSECWLib.NCSRenderer"; nocase; distance:0; content:"WriteJPG"; nocase; distance:0; reference:cve,2010-3599; classtype:attempted-user; sid:2012234; rev:4; metadata:created_at 2011_01_27, updated_at 2019_09_27;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Samsung Printer SNMP Hardcode RW Community String"; content:"s!a@m#n$p%c"; fast_pattern; reference:url,www.l8security.com/post/36715280176/vu-281284-samsung-printer-snmp-backdoor; classtype:attempted-admin; sid:2015959; rev:3; metadata:created_at 2012_11_29, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Encoded %90 NOP SLED"; flow:established,to_client; content:"%90%90%90%90"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012112; rev:5; metadata:created_at 2010_12_28, updated_at 2019_09_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE SCardForgetReaderGroupA (Used in Malware Anti-Debugging)"; flow:established,to_client; file_data; flowbits:isset,ET.http.binary; content:"SCardForgetReaderGroupA"; fast_pattern; reference:url,www.trusteer.com/blog/evading-malware-researchers-shylock%E2%80%99s-new-trick; classtype:misc-activity; sid:2015965; rev:5; metadata:created_at 2012_11_30, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 %u90 NOP SLED"; flow:established,to_client; content:"%u90%u90"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012110; rev:4; metadata:created_at 2010_12_28, updated_at 2019_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Zuponcic Hostile Jar"; flow:established,to_server; content:"Host|3a 20|"; http_header; content:"."; http_header; distance:2; within:1; content:"Java/"; http_header; content:".jar"; http_uri; fast_pattern; pcre:"/^Host\x3a\x20[a-z]{2}\./Hm"; pcre:"/^\/[a-zA-Z]{7}\.jar$/U"; classtype:exploit-kit; sid:2015981; rev:3; metadata:created_at 2012_12_04, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer srcElement Memory Corruption Attempt"; flow:established,to_client; content:"document.createEventObject"; nocase; content:".innerHTML"; within:100; nocase; content:"window.setInterval"; distance:0; nocase; content:"srcElement"; fast_pattern; nocase; distance:0; reference:url,www.microsoft.com/technet/security/bulletin/ms10-002.mspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19726; reference:url,www.kb.cert.org/vuls/id/492515; reference:cve,2010-0249; reference:url,doc.emergingthreats.net/2010799; classtype:attempted-user; sid:2010799; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Robopak - Landing Page Received"; flow:established,to_client; file_data; content:"|22|ors.class|22|"; fast_pattern; content:"|22|bhjwfffiorjwe|22|"; classtype:exploit-kit; sid:2015991; rev:5; metadata:created_at 2012_12_06, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding"; flow:established,to_client; content:"%72%65%70%6c%61%63%65%28"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012398; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL User Account Enumeration"; flow:from_server,established; content:"|02|"; offset:3; depth:4; content:"|15 04|Access denied for user"; fast_pattern; threshold:type both,track by_dst,count 10,seconds 1; reference:url,seclists.org/fulldisclosure/2012/Dec/att-9/; classtype:protocol-command-decode; sid:2015993; rev:3; metadata:created_at 2012_12_06, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function %u UTF-8 Encoding"; flow:established,to_client; content:"%u72%u65%u70%u6c%u61%u63%u65%u28"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012399; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack PDF Request (2)"; flow:established,to_server; content:"/lpdf.php?i="; http_uri; fast_pattern; pcre:"/\/lpdf\.php\?i=[a-zA-Z0-9]+&?$/U"; classtype:exploit-kit; sid:2016012; rev:5; metadata:created_at 2012_12_08, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function %u UTF-16 Encoding"; flow:established,to_client; content:"%u7265%u706c%u6163%u6528"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012400; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Escaped Unicode Char in Window Location CVE-2012-4792 EIP"; flow:established,from_server; file_data; content:"<form"; nocase; content:"button"; nocase; content:"CollectGarbage("; nocase; fast_pattern; content:".location"; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*unescape\(\s*[\x22\x27][\\%]u/Ri"; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016132; rev:4; metadata:created_at 2012_12_30, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-8 Encoding"; flow:established,to_client; content:"%u3c%u73%u63%u72%u69%u70%u74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012264; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT g01pack - Landing Page Received - applet and 32AlphaNum.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern; content:".jar"; pcre:"/[a-z0-9]{32}\.jar/"; classtype:exploit-kit; sid:2016027; rev:6; metadata:created_at 2012_12_13, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-16 Encoding"; flow:established,to_client; content:"%u3c73%u6372%u6970%u74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012265; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET INFO Possible TURKTRUST Spoofed Google Cert"; flow:established,from_server; content:"|16 03|"; depth:2; content:"*.EGO.GOV.TR"; nocase; fast_pattern; content:"*.google.com"; classtype:policy-violation; sid:2016154; rev:2; metadata:created_at 2013_01_04, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape % Encoding"; flow:established,to_client; content:"%75%6e%65%73%63%61%70%65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012266; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT JDB Exploit Kit Landing URL structure"; flow:established,from_client; content:"/inf.php?id="; http_uri; nocase; fast_pattern; pcre:"/\/inf\.php\?id=[a-f0-9]{32}$/Ui"; classtype:exploit-kit; sid:2016306; rev:3; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-8 Encoding"; flow:established,to_client; content:"%u75%u6e%u65%u73%u63%u61%u70%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012267; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 1"; content:"miniupnpd/1."; fast_pattern; pcre:"/^Server\x3a[^\r\n]*miniupnpd\/1\.[0-3]/mi"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2013-0229; classtype:successful-recon-limited; sid:2016302; rev:6; metadata:created_at 2013_01_30, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-16 Encoding"; flow:established,to_client; content:"%u756e%u6573%u6361%u7065"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012268; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"<applet"; fast_pattern; content:"value"; pcre:"/^\s*=\s*[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:exploit-kit; sid:2016319; rev:3; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr % Encoding"; flow:established,to_client; content:"%73%75%62%73%74%72"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012269; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5958 ST DeviceType Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern; reference:cve,CVE_2012-5958; reference:cve,CVE-2012-5962; classtype:attempted-dos; sid:2016322; rev:2; metadata:created_at 2013_01_31, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr %u UTF-8 Encoding"; flow:established,to_client; content:"%u73%u75%u62%u73%u74%u72"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012270; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5964 ST URN ServiceType Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*urn\x3aservice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|service"; nocase; fast_pattern; reference:cve,CVE-2012-5964; classtype:attempted-dos; sid:2016324; rev:2; metadata:created_at 2013_01_31, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr %u UTF-16 Encoding"; flow:established,to_client; content:"%u7375%u6273%u7472"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012271; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5965 ST URN DeviceType Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*urn\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|device"; nocase; fast_pattern; reference:cve,CVE-2012-5965; classtype:attempted-dos; sid:2016325; rev:2; metadata:created_at 2013_01_31, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval % Encoding"; flow:established,to_client; content:"%65%76%61%6c"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012272; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5961 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{1,180}\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern; reference:cve,CVE-2012-5961; classtype:attempted-dos; sid:2016326; rev:2; metadata:created_at 2013_01_31, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval %u UTF-8 Encoding"; flow:established,to_client; content:"%u65%u76%u61%u6c"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012273; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET MALWARE W32/Jabberbot.A Trednet XMPP CnC Beacon"; flow:established,to_server; content:"trednet@jabber.ru"; fast_pattern; reference:url,blog.eset.com/2013/01/30/walking-through-win32jabberbot-a-instant-messaging-cc; classtype:command-and-control; sid:2016331; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_02_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval %u UTF-16 Encoding"; flow:established,to_client; content:"%u6576%u616c"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012274; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack Payload Request"; flow:established,to_server; content:"/load.php?e="; http_uri; fast_pattern; content:"&token="; http_uri; classtype:exploit-kit; sid:2015962; rev:12; metadata:created_at 2012_11_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a0a%u0a0a UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0a0a%u0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012254; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT TDS Vdele"; flow:established,to_server; content:"GET"; nocase; http_method; urilen:>37; content:"/vd/"; http_uri; nocase; fast_pattern; pcre:"/\/vd\/\d+\x3b[a-f0-9]{32}/Ui"; classtype:exploit-kit; sid:2016412; rev:3; metadata:created_at 2013_02_15, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a%u0a%u0a%u0a UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0a%u0a%u0a%u0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012255; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Serialized Java Applet (Used by some EKs in the Wild)"; flow:established,from_server; file_data; content:"<embed"; nocase; content:"object"; distance:0; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*[\x22\x27][^\x22\x27]+\.ser[\x22\x27]/Ri"; content:"application/x-java-"; fast_pattern; classtype:exploit-kit; sid:2016510; rev:5; metadata:created_at 2013_02_27, former_category INFO, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String"; flow:established,to_client; content:"%0c%0c%0c%0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012257; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Portal TDS Kit GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?pprec"; nocase; fast_pattern; http_uri; pcre:"/\.php\?pprec$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:exploit-kit; sid:2016542; rev:4; metadata:created_at 2013_03_06, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c0c%u0c0c UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0c0c%u0c0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012258; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Portal TDS Kit GET (2)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?c002"; nocase; fast_pattern; http_uri; pcre:"/\.php\?c002$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:exploit-kit; sid:2016543; rev:3; metadata:created_at 2013_03_06, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c%u0c%u0c%u0c UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0c%u0c%u0c%u0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012259; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
+alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.net"; content:"|0a|micorsofts|03|net|00|"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016569; rev:4; metadata:created_at 2013_03_14, former_category DNS, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX ASUS Net4Switch ipswcom.dll ActiveX Stack Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"1B9E86D8-7CAF-46C8-9938-569B21E17A8E"; nocase; distance:0; content:"CxDbgPrint"; nocase; reference:url,packetstormsecurity.org/files/110296/ASUS-Net4Switch-ipswcom.dll-ActiveX-Stack-Buffer-Overflow.html; classtype:attempted-user; sid:2014325; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_06, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain hotmal1.com"; content:"|07|hotmal1|03|com|00|"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016571; rev:2; metadata:created_at 2013_03_14, former_category DNS, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Windows Executable CreateRemoteThread"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; content:"CreateRemoteThread"; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms682437%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015589; rev:6; metadata:created_at 2012_08_08, former_category POLICY, updated_at 2019_09_27;)
+alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.com"; content:"|0a|micorsofts|03|com|00|"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016570; rev:3; metadata:created_at 2013_03_14, former_category DNS, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 %u9090 NOP SLED"; flow:established,to_client; content:"%u9090%u"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012111; rev:5; metadata:created_at 2010_12_28, updated_at 2019_09_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NuclearPack - Landing Page Received - applet and 32HexChar.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern; content:".jar"; content:"param"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:exploit-kit; sid:2016026; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_13, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Hostile _dsgweed.class JAR exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"_dsgweed.class"; classtype:trojan-activity; sid:2018031; rev:3; metadata:created_at 2014_01_28, former_category CURRENT_EVENTS, updated_at 2019_09_27;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BHEK q.php iframe outbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016718; rev:5; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Successful Juniper NetScreen ScreenOS Firmware Version Disclosure Attempt"; flow:established,from_server; content:"Juniper Networks, Inc"; content:"Version|3A|"; within:100; content:"ScreenOS"; distance:0; reference:url,securitytracker.com/alerts/2009/Apr/1022123.html; reference:url,www.securityfocus.com/bid/34710; reference:url,seclists.org/bugtraq/2009/Apr/242; reference:url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-05; reference:url,doc.emergingthreats.net/2010162; classtype:attempted-recon; sid:2010162; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BHEK q.php iframe inbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016716; rev:6; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Eclipse.DDOSBot CnC Beacon Response"; flow:established,to_client; file_data; content:"<base>PGNtZD"; within:12; reference:url,www.arbornetworks.com/asert/2014/04/trojan-eclipse-a-bad-moon-rising/; classtype:command-and-control; sid:2018423; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_04_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_09_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BHEK ff.php iframe inbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016717; rev:5; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL XPCmdShell Scan"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Exp%5Fcmdshell"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; classtype:attempted-recon; sid:2009039; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BHEK ff.php iframe outbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016719; rev:5; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M2"; flow:established,from_server; file_data; content:"pQGLlxyasMGLhxCco42bpR3YuVnZowWY2V"; classtype:exploit-kit; sid:2020427; rev:3; metadata:created_at 2015_02_16, updated_at 2019_09_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Metasploit Java Exploit"; flow:established,to_client; file_data; flowbits:isset,ET.http.javaclient; content:"xploit.class"; nocase; fast_pattern; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015658; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_08_29, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - TH3BUG and Non-Targetted Groups Watering Hole Deobfuscation function"; flow:established,from_server; file_data; content:"Chr(CInt(ns(i)) Xor n)"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020563; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_25, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_09_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Metasploit Java Payload"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"Payload.class"; nocase; fast_pattern; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015657; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_08_29, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Unknown Exploit Pack URL Detected"; flow:to_server,established; content:"/imgurl"; nocase; http_uri; content:".php"; nocase; http_uri; content:"hl="; nocase; http_uri; classtype:bad-unknown; sid:2012324; rev:5; metadata:created_at 2011_02_21, updated_at 2019_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NuclearPack Java exploit binary get request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"Java/1."; fast_pattern; http_user_agent; pcre:"/[a-f0-9]{32,64}\/[a-f0-9]{32,64}/\w$/U"; classtype:exploit-kit; sid:2015000; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (BSD style)"; flow:established,from_server; file_data; content:"root|3a|*|3a|0|3a|0|3a|"; nocase; content:"|3a|/root|3a|/bin"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003071; classtype:successful-recon-limited; sid:2003071; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK UAC Disable in Uncompressed JAR"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"UACDisableNotify"; fast_pattern; classtype:exploit-kit; sid:2016805; rev:4; metadata:created_at 2013_05_01, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 12 2016"; flow:established,from_server; file_data; content:"|3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 2d 31|"; pcre:"/^\d{3}px\x3b\swidth\x3a3\d{2}px\x3b\sheight\x3a3\d{2}px\x3b\x22>[^<>]*?<iframe src=[\x22\x27][^\x22\x27]+[\x22\x27]\swidth=[\x22\x27]2\d{2}[\x22\x27]\sheight=[\x22\x27]2\d{2}[\x22\x27]><\/iframe>[^<>]*?\n[^<>]*?<\/span>/Rsi"; classtype:exploit-kit; sid:2022962; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_07_12, deployment Perimeter, malware_family PsuedoDarkLeech, signature_severity Major, updated_at 2019_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sibhost Status Check"; flow:established,to_server; content:"POST"; http_method; content:"|29 20|Java/1"; http_user_agent; fast_pattern; content:"text="; http_client_body; depth:5; pcre:"/\?(s|page|id)=\d+$/U"; classtype:exploit-kit; sid:2015974; rev:15; metadata:created_at 2012_11_30, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Embedded Executable File in PDF - This Program Cannot Be Run in DOS Mode"; flow:established,to_client; flowbits:isset,ET.pdf.in.http; file_data; content:"This program cannot be run in DOS mode"; nocase; classtype:bad-unknown; sid:2011865; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, updated_at 2019_09_27;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Greencat SSL Certificate"; flow:established,from_server; content:"|55 04 08 13 05|Ocean"; fast_pattern; classtype:trojan-activity; sid:2016812; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_05_03, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B641"; flow:established,from_server; file_data; content:"VHJpZ2dlckZpbGxGcm9tUHJvdG90eXBlc0J1Z"; classtype:trojan-activity; sid:2023702; rev:3; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2019_09_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1347 IE 0-day used in DOL attack"; flow:established,to_client; file_data; content:".offsetParent"; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(\x22{2}|\x27{2}|null)/Ri"; content:"datalist"; nocase; pcre:"/^[\x22\x27\s\>]/R"; content:".innerHTML"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(\x22{2}|\x27{2}|null)/Ri"; content:"<!doctype html"; nocase; pcre:"/[\x22\x27\<]table[\x22\x27\>]/"; pcre:"/[\x22\x27\<]hr[\x22\x27\>]/"; content:"CollectGarbage"; nocase; fast_pattern; reference:cve,2013-1347; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,technet.microsoft.com/en-us/security/advisory/2847140; classtype:attempted-user; sid:2016822; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_05_04, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ProxyReconBot CONNECT method to Mail"; flow:established,to_server; content:"CONNECT "; depth:8; content:"|3A|25 HTTP/"; within:200; reference:url,doc.emergingthreats.net/2003869; classtype:misc-attack; sid:2003869; rev:9; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2019_09_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT IE HTML+TIME ANIMATECOLOR with eval as seen in unknown EK"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern; content:"eval("; nocase; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; classtype:exploit-kit; sid:2016833; rev:6; metadata:created_at 2013_05_08, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common 0a0a0a0a Heap Spray String"; flow:established,to_client; content:"0a0a0a0a"; nocase; reference:url,www.darkreading.com/vulnerabilities---threats/heap-spraying-attackers-latest-weapon-of-choice/d/d-id/1132487; classtype:shellcode-detect; sid:2012252; rev:5; metadata:created_at 2011_02_03, former_category SHELLCODE, updated_at 2019_09_27;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Exim/Dovecot Possible MAIL FROM Command Execution"; flow:to_server,established; content:"${IFS}"; fast_pattern; content:"mail from|3a|"; nocase; pcre:"/^[^\r\n]*?\x60[^\x60]*?\$\{IFS\}/R"; reference:url,redteam-pentesting.de/de/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution; classtype:attempted-admin; sid:2016835; rev:3; metadata:created_at 2013_05_08, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access makeCall"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"makeCall"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017779; rev:4; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2019_09_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Java Class 2 May 24 2013"; flow:to_client,established; file_data; content:"20130422.class"; fast_pattern; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016924; rev:12; metadata:created_at 2013_05_25, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Galock Ransomware Command"; flow:established,from_server; file_data; content:"[LOCK]"; within:6; endswith; reference:url,twitter.com/kafeine/status/314859973064667136/photo/1; classtype:trojan-activity; sid:2016645; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HellSpawn EK Landing 2 May 24 2013"; flow:to_client,established; file_data; content:"FlashPlayer.cpl"; nocase; fast_pattern; content:"window.location"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?(?P<func>[_a-zA-Z][a-zA-Z0-9_-]+)\([\r\n\s]*?[\x22\x27](?!http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]*?[\x22\x27][\r\n\s]*?,[\r\n\s]*?[\x22\x27][^\x22\x27]+[\x22\x27][\r\n\s]*?\)\+(?P=func)/Rsi"; classtype:exploit-kit; sid:2016928; rev:3; metadata:created_at 2013_05_25, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Enchanim Check-in Response"; flow:established,to_client; file_data; content:"|3a|some_magic_code1"; distance:9; within:29; endswith; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:2016769; rev:3; metadata:created_at 2013_04_19, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible HellSpawn EK Fake Flash May 24 2013"; flow:to_server,established; content:"/FlashPlayer.cpl"; http_uri; nocase; fast_pattern; pcre:"/\/FlashPlayer\.cpl$/U"; classtype:exploit-kit; sid:2016929; rev:12; metadata:created_at 2013_05_25, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE njRAT Variant Outbound CnC Beacon"; flow:established,to_server; content:"|7c|nj-q8"; endswith; classtype:command-and-control; sid:2021057; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Landing Page 2 May 24 2013"; flow:to_client,established; file_data; content:"1337.exe"; nocase; fast_pattern; content:"<APPLET"; nocase; pcre:"/^((?!<\/applet>).)+?[\x22\x27]1337\.exe/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016926; rev:3; metadata:created_at 2013_05_25, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE LuminosityLink - Inbound Data Channel CnC Delimiter"; flow:established,to_client; dsize:<25; content:"8_=_8"; fast_pattern; endswith; reference:md5,ab03070048fdbadbb901ec75b8f9f2e9; classtype:command-and-control; sid:2023241; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, malware_family Luminosity_Link, signature_severity Major, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura - Payload Downloaded"; flow:established,to_client; flowbits:isset,ET.http.javaclient; content:".txt|0d 0a|"; http_header; fast_pattern; pcre:"/filename=[a-z]{4}\.txt\x0D\x0A/H"; classtype:exploit-kit; sid:2016787; rev:4; metadata:created_at 2013_04_26, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE LuminosityLink - Outbound Data Channel CnC Delimiter"; flow:established,to_server; dsize:<25; content:"8_=_8"; fast_pattern; endswith; reference:md5,ab03070048fdbadbb901ec75b8f9f2e9; classtype:command-and-control; sid:2023242; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, malware_family Luminosity_Link, signature_severity Major, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack Reporting Plugin Detect Data June 03 2013"; flow:established,to_server; content:"/gate.php?ver="; http_uri; nocase; fast_pattern; pcre:"/&p=\d+\.\d+\.\d+\.\d+&j=\d+\.\d+\.\d+\.\d+&f=\d+\.\d+\.\d+\.\d+$/U"; classtype:exploit-kit; sid:2016964; rev:3; metadata:created_at 2013_06_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Houdini/Hworm CnC Checkin M1"; flow:established,to_server; content:"new_houdini|0d 0a|"; fast_pattern; offset:4; depth:13; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; endswith; reference:md5,45009c70d362dcd253112c9cf1924f57; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance; classtype:command-and-control; sid:2023429; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category MALWARE, malware_family Houdini, malware_family Hworm, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit Specific"; flow:established,to_client; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"IHDR"; distance:0; content:"tEXt"; distance:13; content:"db.php?j="; distance:0; content:"msnmusax.ninn"; fast_pattern; classtype:attempted-user; sid:2017008; rev:6; metadata:created_at 2013_06_12, updated_at 2019_10_08;)
 
-alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible DOUBLEPULSAR Beacon Response"; flow:from_server,established; content:"|00 00 00 23 ff|SMB2|02 00 00 c0 98 07 c0 00 00|"; depth:18; content:"|00 00 00 08 ff fe 00 08|"; distance:8; within:8; fast_pattern; pcre:"/^[\x50-\x59]/R"; content:"|00 00 00|"; distance:1; within:3; endswith; classtype:trojan-activity; sid:2024216; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_04_17, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag c2, updated_at 2019_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit Landing"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; fast_pattern; content:"</applet>"; content:"<applet"; within:20; content:"archive"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(?P<q>[\x22\x27])[a-f0-9]{9,16}\.(jar|zip)(?P=q)/R"; classtype:exploit-kit; sid:2016840; rev:6; metadata:created_at 2013_05_09, updated_at 2019_10_08;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALROMANCE MS17-010 Heap Spray"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18|"; offset:4; depth:10; content:"|07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 08|"; fast_pattern; within:16; content:"|00 08|"; distance:2; within:2; content:"|0e 00 00 40 00|"; distance:2; within:5; content:"|00 00 00 00 00 00 01 00 00 00 00 00 00 00 00|"; distance:2; within:15; content:"|00 00 00 00 00 00 00 00 00|"; endswith; threshold: type threshold, track by_src, count 20, seconds 1; classtype:trojan-activity; sid:2024219; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible 2012-1533 altjvm RCE via JNLP command injection"; flow:established,from_server; file_data; content:"<jnlp"; nocase; content:"initial-heap-size"; nocase; content:"max-heap-size"; content:"-XXaltjvm"; nocase; fast_pattern; reference:cve,2012-1533; classtype:trojan-activity; sid:2017013; rev:3; metadata:created_at 2013_06_13, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"zugzwang.me"; nocase; endswith; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023599; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Dotka Chef EK .cache request"; flow:established,to_server; content:"Java/1"; http_user_agent; content:"/.cache/?f|3d|"; fast_pattern; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017019; rev:3; metadata:created_at 2013_06_15, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] QRat.Java.RAT (state_alive)"; flow:established,to_server; content:"|00 11 7b 22 73 74 61 74 65 22 3a 22 61 6c 69 76 65 22 7d|"; depth:19; endswith; threshold: type both, track by_src, count 10, seconds 30; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:trojan-activity; sid:2025391; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category TROJAN, malware_family QRat, signature_severity Major, tag Qrat, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM WHMCS CURL Multi-part Boundary Issue"; flow:established,to_server; content:"POST"; http_method; content:"/rootpassword.php?"; http_uri; fast_pattern; content:"name=action"; content:"name=action"; distance:0; content:"name=action"; distance:0; reference:url,localhost.re/p/solusvm-whmcs-module-316-vulnerability; classtype:trojan-activity; sid:2017063; rev:4; metadata:created_at 2013_06_25, former_category EXPLOIT, updated_at 2019_10_08;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (MSF style)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18 01 28|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:2; within:10; content:"|23 00 00 00 07 00 5c 50 49 50 45 5c 00|"; fast_pattern; endswith; threshold: type limit, track by_src, count 1, seconds 30; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025649; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_11, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Metasploit, tag ETERNALBLUE, updated_at 2019_09_28;)
+alert http $HOME_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM 1.13.03 Access to solusvmc-node setuid bin"; flow:established,to_server; content:"solusvmc-node"; fast_pattern; pcre:"/\bsolusvmc-node\b/"; classtype:trojan-activity; sid:2017061; rev:4; metadata:created_at 2013_06_25, updated_at 2019_10_08;)
 
-alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010"; flow:from_server,established; content:"|ff|SMB|25 05 02 00 c0 98 01|"; offset:4; depth:11; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:3; within:10; content:"|00 00 00|"; distance:8; within:3; endswith; threshold: type limit, track by_src, count 1, seconds 30; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025650; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_11, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Metasploit, tag ETERNALBLUE, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Neutrino Exploit Kit Clicker.php TDS"; flow:established,to_server; content:"/clicker.php"; http_uri; fast_pattern; pcre:"/^\x2Fclicker\x2Ephp$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:exploit-kit; sid:2017069; rev:3; metadata:created_at 2013_06_27, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (Generic Flags)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00|"; offset:4; depth:9; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:5; within:10; content:"|23 00 00 00 07 00 5c 50 49 50 45 5c 00|"; fast_pattern; endswith; threshold: type limit, track by_src, count 1, seconds 30; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025992; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_15, deployment Perimeter, former_category EXPLOIT, malware_family ETERNALBLUE, signature_severity Major, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Applet tag in jjencode as (as seen in Dotka Chef EK)"; flow:established,from_server; file_data; content:",$$$$|3a|(![]+|22 22|)"; fast_pattern; content:"<|22|+"; pcre:"/^(?P<var>.{1,10})\.\$\_\$\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\(\!\[\]\+\x22\x22\)\[(?P=var)\.\_\$\_\]\+(?P=var)\.\$\$\$\_\+(?P=var)\.\_\_\+/R"; classtype:exploit-kit; sid:2017070; rev:3; metadata:created_at 2013_06_27, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT CnC Init Activity"; flow:established,to_client; dsize:11; content:"AUT_packet_"; depth:11; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:command-and-control; sid:2026580; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category MALWARE, malware_family JavaRAT, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sibhost Status Check GET Jul 01 2013"; flow:established,to_server; content:"GET"; http_method; content:"|29 20|Java/1"; http_user_agent; fast_pattern; content:"text="; http_uri; pcre:"/\?(s|page|id)=\d+&text=\d+$/U"; classtype:exploit-kit; sid:2017079; rev:4; metadata:created_at 2013_07_02, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT Keep-Alive (inbound)"; flow:established,to_client; dsize:11; content:"PNG_packet_"; depth:11; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026582; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack Jar Download Jul 01 2013"; flow:established,to_client; content:"j51"; http_header; nocase; content:".jar"; http_header; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]+?=\s*?(?P<q>[\x22\x27]?)j51[a-f0-9]{21}\.jar(?P=q)\r?$/Hm"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017092; rev:3; metadata:created_at 2013_07_02, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT Keep-Alive (outbound)"; flow:established,to_server; dsize:11; content:"PNG_packet_"; depth:11; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026583; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack EXE Download Jul 01 2013"; flow:established,to_client; content:"e51"; http_header; nocase; content:".exe"; http_header; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]+?=\s*?(?P<q>[\x22\x27]?)e51[a-f0-9]{21}\.exe(?P=q)\r?$/Hm"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017093; rev:3; metadata:created_at 2013_07_03, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT Requesting Screen Size"; flow:established,to_client; dsize:13; content:"SC.OP_packet_"; depth:13; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026586; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Lucky7 EK IE Exploit"; flow:established,from_server; file_data; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern; content:"JTQzJTZmJTZjJTZjJTY1JTYzJTc0JTQ3JTYxJTcyJTYyJTYxJTY3JTY1"; classtype:exploit-kit; sid:2017099; rev:3; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Mirai Variant Checkin Response"; flow:established,to_client; content:"|21 2a 20|LOLNOBYE"; endswith; reference:url,www.stratosphereips.org/blog/2019/5/17/iot-malware-analysis-series-a-mirai-variant-in-ctu-iot-malware-capture-49-1; classtype:command-and-control; sid:2027366; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_05_20, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3163 2"; flow:established,from_server; file_data; content:"CollectGarbage("; fast_pattern; nocase; content:".contentEditable"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?true/Ri"; content:"var"; pcre:"/^[\r\n\s\+]+?(?P<var>[^\r\n\s\+\x3d]+)[\r\n\s\+]*?=[\r\n\s\+]*?[^\)]+\.createElement\(.+?\.appendChild\([\r\n\s]*?[\x22\x27]?(?P=var)[\x22\x27]?[\r\n\s]*?\).+\b(?P=var)\.innerHTML[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])(?P=q).+?CollectGarbage\(.+?\b(?P=var)\./Rsi"; reference:cve,2013-3163; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017130; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_07_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Emptiness v1 CnC Checkin"; flow:established,to_server; dsize:7; content:"ilove26"; depth:7; fast_pattern; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027834; rev:2; metadata:affected_product Linux, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, malware_family Emptiness, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack - Java JNLP Requested"; flow:established,to_server; urilen:>70; content:".jnlp"; http_uri; fast_pattern; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jnlp$/Ui"; classtype:exploit-kit; sid:2017138; rev:4; metadata:created_at 2013_07_13, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Emptiness v1.1 CnC Checkin"; flow:established,to_server; dsize:12; content:"aWxvdmUyNg=="; depth:12; fast_pattern; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027835; rev:2; metadata:affected_product Linux, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, malware_family Emptiness, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DotkaChef JJencode Script URI Struct"; flow:established,to_server; content:"voDc0RHa8NnZ"; http_uri; fast_pattern; pcre:"/\/\?={0,2}[A-Za-z0-9\+\/]+?voDc0RHa8NnZ$/U"; classtype:exploit-kit; sid:2017139; rev:3; metadata:created_at 2013_07_13, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR (b2bb01039307baa2) CnC Checkin"; flow:established,to_server; dsize:24; content:"d3ec7975f76aefdbfcdc3c3e"; depth:24; fast_pattern; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027836; rev:2; metadata:affected_product Linux, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, malware_family Emptiness, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx PDF July 15 2013"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".exe?"; fast_pattern; nocase; content:"<script"; nocase; content:"http|3a 2f 2f|"; distance:0; pcre:"/^[^\x3b\r\n\x22\x27]+?[A-Za-z0-9\/\_\-]{60,}\.exe\?/R"; classtype:exploit-kit; sid:2017151; rev:13; metadata:created_at 2013_07_16, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain photogalaxyzone.com"; dns_query; content:"photogalaxyzone.com"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016606; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool PDF July 15 2013"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".txt?e="; fast_pattern; nocase; content:"<script"; nocase; content:"http|3a 2f 2f|"; distance:0; pcre:"/^[^\x3b\r\n\x22\x27]+?\.txt\?e=\d+(&[fh]=\d)?/R"; classtype:exploit-kit; sid:2017150; rev:13; metadata:created_at 2013_07_16, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain insightpublicaffairs.org"; dns_query; content:"insightpublicaffairs.org"; depth:24; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016620; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit Landing Applet Jul 05 2013"; flow:established,to_client; file_data; content:"<applet "; nocase; fast_pattern; content:"|3b|document.write("; nocase; pcre:"/^[^\x3b]+?\+[a-z]+?\.substring([^)]+?)[^\x3b]+?\+[a-z]+?\.substring([^)]+?)[^\x3b]+?\+[a-z]+?\.substring([^)]+?)/Rsi"; classtype:exploit-kit; sid:2017106; rev:4; metadata:created_at 2013_07_05, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain seyuieyahooapis.com"; dns_query; content:"seyuieyahooapis.com"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016624; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlimKit JNLP URI Struct"; flow:established,to_server; content:".pl|0d 0a|"; http_header; content:" Java/1."; http_header; content:".jnlp"; http_uri; fast_pattern; pcre:"/^[^\/]*?\/[a-z0-9]{9,16}\.jnlp$/U"; pcre:"/\d/U"; pcre:"/[a-z]/U"; classtype:exploit-kit; sid:2017153; rev:3; metadata:created_at 2013_07_17, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain dailynewsjustin.com"; dns_query; content:"dailynewsjustin.com"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016627; rev:4; metadata:created_at 2013_03_20, updated_at 2019_09_28;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SipCLI VOIP Scan - TCP"; flow:established,to_server; content:"|0D 0A|User-Agent|3A 20|sipcli/"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.yasinkaplan.com/SipCli/; classtype:attempted-recon; sid:2017161; rev:2; metadata:created_at 2013_07_17, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain hi-tecsolutions.org"; dns_query; content:"hi-tecsolutions.org"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016628; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SipCLI VOIP Scan"; content:"|0D 0A|User-Agent|3A 20|sipcli/"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.yasinkaplan.com/SipCli/; classtype:attempted-recon; sid:2017162; rev:3; metadata:created_at 2013_07_17, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"njdyqrbioh.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018270; rev:9; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Possible Java Payload Download"; flow:to_server,established; content:".exe?"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/\.exe\?(e=)?\d+$/U"; classtype:exploit-kit; sid:2016427; rev:8; metadata:created_at 2013_02_19, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"vqvsaergek.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018265; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack Jar Request (2)"; flow:established,to_server; content:".php?i="; http_uri; pcre:"/\/j\d{2}\.php\?i=/U"; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016013; rev:7; metadata:created_at 2012_12_08, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"pbcgmmympm.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018266; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Class Request (3)"; flow:established,to_server; content:"/Vlast.class"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016299; rev:11; metadata:created_at 2013_01_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"tyixfhsfax.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018268; rev:9; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT WhiteHole Exploit Kit Payload Download"; flow:established,to_server; content:"/?whole="; nocase; http_uri; fast_pattern; content:"Java/1."; http_user_agent; pcre:"/\/\?whole=\d+$/Ui"; classtype:exploit-kit; sid:2016350; rev:5; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"qgjhmerjec.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018269; rev:9; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedDotv2 Java Check-in"; flow:established,to_server; content:"/search/"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/^\/search\/[0-9]{64}/U"; classtype:exploit-kit; sid:2016593; rev:9; metadata:created_at 2013_03_19, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"btloxcyrok.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018271; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss Recent Jar (3)"; flow:established,to_server; content:"/m1"; http_uri; nocase; content:".jar"; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/\/m1[1-6]\.jar$/U"; classtype:exploit-kit; sid:2016708; rev:9; metadata:created_at 2013_04_02, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"afwyhvinmw.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018272; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss Recent Jar (4)"; flow:established,to_server; content:"/cmm.jar"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016709; rev:9; metadata:created_at 2013_04_02, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"wyfxanxjeu.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018273; rev:11; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 81:90 (msg:"ET EXPLOIT_KIT Sakura - Payload Requested"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".html"; http_uri; pcre:"/\/[0-9]{4}\.html$/Ui"; classtype:exploit-kit; sid:2016786; rev:6; metadata:created_at 2013_04_26, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"qemyxsdigi.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018274; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Java Exploit - jreg.jar"; flow:established,to_server; content:"/jreg.jar"; http_uri; fast_pattern; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016804; rev:5; metadata:created_at 2013_05_01, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for a known malware domain (regicsgf.net)"; dns_query; content:"regicsgf.net"; depth:12; fast_pattern; nocase; endswith; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014572; rev:7; metadata:created_at 2012_04_16, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura - Payload Requested"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".pkg"; http_uri; nocase; pcre:"/\/\d+\.pkg$/Ui"; classtype:exploit-kit; sid:2016943; rev:9; metadata:created_at 2013_05_29, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.gowin7.com"; dns_query; content:".gowin7.com"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015597; rev:6; metadata:created_at 2012_08_10, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Metasploit Based Unknown EK Jar Download June 03 2013"; flow:established,to_server; content:"/j_"; http_uri; pcre:"/\/j_[a-z0-9]+_(?:0422|1723|3544|5076)\.jar$/U"; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016965; rev:8; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_06_04, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.secuurity.net"; dns_query; content:".secuurity.net"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015598; rev:6; metadata:created_at 2012_08_10, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Jar Download June 20 2013"; flow:established,to_server; content:"/contacts.asp"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2017038; rev:5; metadata:created_at 2013_06_20, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.dataspotlight.net"; dns_query; content:".dataspotlight.net"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015601; rev:7; metadata:created_at 2012_08_10, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.7.x"; flow:established,to_server; content:"/frozen.jar"; http_uri; fast_pattern; content:"Java/1.7"; http_user_agent; classtype:exploit-kit; sid:2017041; rev:5; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.datajunction.org"; dns_query; content:".datajunction.org"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015618; rev:6; metadata:created_at 2012_08_13, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.6 (Old)"; flow:established,to_server; content:"/arina.jar"; http_uri; fast_pattern; content:"Java/1.6"; http_user_agent; classtype:exploit-kit; sid:2017042; rev:5; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup hotfix-update.com"; dns_query; content:"hotfix-update.com"; depth:17; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019570; rev:5; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/sigwer.jar"; http_uri; fast_pattern; content:"Java/1.6"; http_user_agent; classtype:exploit-kit; sid:2017043; rev:5; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Cloud Atlas haarmannsi.cz"; dns_query; content:"haarmannsi.cz"; depth:13; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019910; rev:4; metadata:created_at 2014_12_11, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/dubstep.jar"; http_uri; fast_pattern; content:"Java/1.6"; http_user_agent; classtype:exploit-kit; sid:2017044; rev:5; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Cloud Atlas sanygroup.co.uk"; dns_query; content:"sanygroup.co.uk"; depth:15; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019911; rev:5; metadata:created_at 2014_12_11, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack Java Exploit Payload June 03 2013"; flow:established,to_server; content:"Java/1."; nocase; http_user_agent; content:".php?"; http_uri; nocase; fast_pattern; pcre:"/\/[a-z0-9]{3}\.php\?[a-z]=[a-zA-Z0-9]{10}$/U"; classtype:exploit-kit; sid:2017119; rev:5; metadata:created_at 2013_07_09, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (casinoroyal7.ru)"; dns_query; content:"casinoroyal7.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020045; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - Recent Jar (1)"; flow:established,to_server; content:"/amor"; http_uri; content:".jar"; http_uri; within:6; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/amor\d{0,2}\.jar/U"; classtype:exploit-kit; sid:2015941; rev:5; metadata:created_at 2012_11_27, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (cryptdomain.dp.ua)"; dns_query; content:"cryptdomain.dp.ua"; depth:17; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020046; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - Recent Jar (2)"; flow:established,to_server; content:"/java7.jar?r="; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2015942; rev:5; metadata:created_at 2012_11_27, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (it-newsblog.ru)"; dns_query; content:"it-newsblog.ru"; depth:14; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020049; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlimKit Jar URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".jar"; http_uri; fast_pattern; pcre:"/^[^\/]*?\/[a-f0-9]{8}[a-z0-9]+\.jar$/U"; pcre:"/\d/U"; pcre:"/[a-f]/U"; classtype:exploit-kit; sid:2017152; rev:6; metadata:created_at 2013_07_17, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (js-static.ru)"; dns_query; content:"js-static.ru"; depth:12; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020050; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java (Old) /golem.jar"; flow:established,to_server; content:"/golem.jar"; fast_pattern; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017272; rev:5; metadata:created_at 2013_08_03, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (lagosadventures.com)"; dns_query; content:"lagosadventures.com"; depth:19; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020051; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java 1.7 /caramel.jar"; flow:established,to_server; content:"/caramel.jar"; fast_pattern; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017273; rev:4; metadata:created_at 2013_08_03, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (lebanonwarrior.ru)"; dns_query; content:"lebanonwarrior.ru"; depth:17; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020052; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack URI Format June 17 2013 1"; flow:established,to_server; content:".php?"; http_uri; content:"3a313"; http_uri; fast_pattern; pcre:"/=(3[0-9a]|2e)+3a313[3-9](3[0-9]){8}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017022; rev:4; metadata:created_at 2013_06_18, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (nigerianbrothers.net)"; dns_query; content:"nigerianbrothers.net"; depth:20; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020053; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Firefox CVE-2013-1690"; flow:established,from_server; file_data; content:"window.stop("; fast_pattern; nocase; content:"ownerDocument.write("; nocase; content:"addEventListener("; nocase; content:"readystatechange"; distance:0; nocase; content:"Array"; nocase; reference:cve,2013-1690; classtype:attempted-user; sid:2017298; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_08_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (princeofnigeria.net)"; dns_query; content:"princeofnigeria.net"; depth:19; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020055; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit obfuscated hex-encoded jnlp_embedded Aug 08 2013"; flow:established,from_server; file_data; content:"fromCh"; pcre:"/(?P<m>[0-9a-f]{2})(?P<sep>[^0-9a-f])(?P<e>(?!(?P=m))[0-9a-f]{2})(?P=sep)([0-9a-f]{2}(?P=sep)){7}(?P=e)(?P=sep)(?P=m)(?P=sep)[0-9a-f]{2}(?P=sep)(?P=e)(?P=sep)(?P<d>(?!(?P=e))[0-9a-f]{2})(?P=sep)(?P=d)(?P=sep)(?P=e)(?P=sep)(?P=d)/R"; content:"<applet"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017324; rev:3; metadata:created_at 2013_08_13, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (royalgourp.org)"; dns_query; content:"royalgourp.org"; depth:14; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020056; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT X20 EK Payload Download"; flow:established,to_server; content:"/download.asp?p=1"; http_uri; content:" Java/1."; http_header; fast_pattern; classtype:exploit-kit; sid:2017039; rev:4; metadata:created_at 2013_06_20, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (tweeter-stat.ru)"; dns_query; content:"tweeter-stat.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020060; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Aug 26 2013"; flow:established,from_server; file_data; content:"Australian Holiday|22|"; fast_pattern; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017372; rev:6; metadata:created_at 2013_08_26, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy1-1-1.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy1-1-1.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020228; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of base64_decode"; flow:established,from_server; file_data; content:"base64_decode"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?base64_decode/Rsi"; classtype:trojan-activity; sid:2017399; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy2-2-2.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy2-2-2.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020229; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of gzinflate"; flow:established,from_server; file_data; content:"gzinflate"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?gzinflate/Rsi"; classtype:trojan-activity; sid:2017400; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy3-3-3.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy3-3-3.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020230; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of str_rot13"; flow:established,from_server; file_data; content:"str_rot13"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?str_rot13/Rsi"; classtype:trojan-activity; sid:2017401; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy4-4-4.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy4-4-4.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020231; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of gzuncompress"; flow:established,from_server; file_data; content:"gzuncompress"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?gzuncompress/Rsi"; classtype:trojan-activity; sid:2017402; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy5-5-5.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy5-5-5.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020232; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of convert_uudecode"; flow:established,from_server; file_data; content:"convert_uudecode"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?convert_uudecode/Rsi"; classtype:trojan-activity; sid:2017403; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (blackblog.chatnook.com)"; dns_query; content:"blackblog.chatnook.com"; depth:22; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020246; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java /victoria.jar"; flow:established,to_server; content:"/victoria.jar"; fast_pattern; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017406; rev:6; metadata:created_at 2013_09_03, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (bulldog.toh.info)"; dns_query; content:"bulldog.toh.info"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020247; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Bleeding EK Variant Landing Sep 06 2013"; flow:established,from_server; file_data; content:"DoCake()"; fast_pattern; nocase; content:"applet"; nocase; content:".php?e="; content:".php?e="; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017434; rev:3; metadata:created_at 2013_09_07, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (cew58e.xxxy.info)"; dns_query; content:"cew58e.xxxy.info"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020248; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura EK Landing Sep 06 2013"; flow:established,from_server; file_data; content:"/deployJava.js"; fast_pattern; nocase; content:!"<applet"; nocase; content:" RegExp"; pcre:"/^[\r\n\s]*?\([\r\n\s]*?(?P<q>[\x22\x27])(?P<m>((?!(?P=q)).)+)(?P=q).+?<(?P=m)?a(?P=m)?p(?P=m)?p(?P=m)l(?P=m)?e(?P=m)?t/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017433; rev:4; metadata:created_at 2013_09_07, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (dynamic.ddns.mobi)"; dns_query; content:"dynamic.ddns.mobi"; depth:17; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020251; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Fake Microsoft Security Update Applet Sep 16 2013"; flow:established,from_server; file_data; content:"JTNDJTNGeG1sJTIwdmVyc2lvbiUzRCUy"; content:"/microsoft.jnlp"; fast_pattern; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017468; rev:3; metadata:created_at 2013_09_17, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (football.mrbasic.com)"; dns_query; content:"football.mrbasic.com"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020253; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Other Java Exploit Kit 32-32 byte hex hostile jar"; flow:established,to_server; content:".jar"; http_uri; fast_pattern; urilen:70; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$/U"; classtype:exploit-kit; sid:2015782; rev:6; metadata:created_at 2012_10_05, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (gjjb.flnet.org)"; dns_query; content:"gjjb.flnet.org"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020254; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Java JNLP Requested"; flow:established,to_server; flowbits:isset,ET.http.javaclient; urilen:71; content:".jnlp"; http_uri; fast_pattern; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.jnlp$/Ui"; classtype:exploit-kit; sid:2016798; rev:4; metadata:created_at 2013_04_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (imirnov.ddns.info)"; dns_query; content:"imirnov.ddns.info"; depth:17; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020255; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 Possible IE Memory Corruption Vulnerability with HXDS ASLR Bypass"; flow:established,to_client; file_data; content:"ms-help|3a|//"; nocase; content:"onlosecapture"; nocase; fast_pattern; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017477; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (jingnan88.chatnook.com)"; dns_query; content:"jingnan88.chatnook.com"; depth:22; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020256; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT WhiteHole Exploit Kit Jar Request"; flow:to_server,established; content:".jar?java="; http_uri; fast_pattern; nocase; content:"Java/1."; http_user_agent; pcre:"/\.jar\?java=\d+$/Ui"; classtype:exploit-kit; sid:2016349; rev:6; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (lehnjb.epac.to)"; dns_query; content:"lehnjb.epac.to"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020257; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT WhiteHole Exploit Landing Page"; flow:established,from_server; file_data; content:".jar?java="; nocase; fast_pattern; content:"<applet"; pcre:"/^((?!<\/applet>).)+?\.jar\?java=\d+/R"; content:" name="; content:"http"; within:5; content:" name="; content:"ftp"; within:4; classtype:exploit-kit; sid:2016348; rev:8; metadata:created_at 2013_02_05, updated_at 2022_05_03;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (logoff.25u.com)"; dns_query; content:"logoff.25u.com"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020258; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit CVE-2013-3205 Exploit Specific"; flow:established,to_client; file_data; content:"function putPayload("; nocase; fast_pattern; classtype:attempted-user; sid:2017510; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_09_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (ls910329.my03.com)"; dns_query; content:"ls910329.my03.com"; depth:17; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020260; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command (/iam-ready)"; flow:established,to_server; content:"POST"; http_method; content:"/iam-ready"; fast_pattern; nocase; content:"|3c 7c 3e|"; http_header; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017518; rev:3; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (mailru.25u.com)"; dns_query; content:"mailru.25u.com"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020261; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Sep 30 2013"; flow:established,from_server; file_data; content:"New Zealandn Holiday"; fast_pattern; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017545; rev:7; metadata:created_at 2013_09_30, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (Markshell.etowns.net)"; dns_query; content:"Markshell.etowns.net"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020262; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|Html)/Ri"; content:"onlosecapture"; nocase; fast_pattern; content:"function"; pcre:"/^[\r\n\s]+(?P<func>[^\r\n\s]+)[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{((?!function).)*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(?:\x22\x22|\x27\x27))?((?!function).)*?document\.write\([\r\n\s]*?(?:\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\).+?onlosecapture(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?(?P=func)\b/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017479; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (mydear.ddns.info)"; dns_query; content:"mydear.ddns.info"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020263; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake MS Security Update (Jar)"; flow:established,from_server; file_data; content:"Microsoft Security Update"; content:"applet_ssv_validated"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017549; rev:3; metadata:created_at 2013_10_02, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (nazgul.zyns.com)"; dns_query; content:"nazgul.zyns.com"; depth:15; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020264; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HiMan EK Landing Oct 1 2013"; flow:established,from_server; file_data; content:"java3()|3b|"; fast_pattern; content:"java2()|3b|"; content:"pdf()|3b|"; content:"ie()|3b|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017550; rev:3; metadata:created_at 2013_10_02, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (newdyndns.scieron.com)"; dns_query; content:"newdyndns.scieron.com"; depth:21; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020265; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Base64 http argument in applet (Neutrino/Angler)"; flow:established,from_server; file_data; content:"<applet "; pcre:"/^((?!<\/applet>).)+?[\x22\x27]aHR0cDov/Rs"; content:"aHR0cDov"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016549; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_07, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (newoutlook.darktech.org)"; dns_query; content:"newoutlook.darktech.org"; depth:23; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020266; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Use-After-Free CVE-2013-3897"; flow:established,from_server; file_data; content:"onpropertychange"; fast_pattern; nocase; content:".execCommand("; nocase; pcre:"/^[\r\n\s]*?[\x27\x22]Unselect[\x27\x22]/Rsi"; content:"appendChild("; nocase; content:"textarea"; nocase; content:".select("; nocase; content:".onselect"; reference:cve,2013-3897; classtype:attempted-user; sid:2017572; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_10_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (photocard.4irc.com)"; dns_query; content:"photocard.4irc.com"; depth:18; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020267; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Magnitude EK (formerly Popads) IE Exploit with IE UA Oct 16 2013"; flow:established,to_server; urilen:66; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}$/Ui"; content:"Referer|3a 20|http|3a|//"; http_header; pcre:"/^[^\/\r\n]+/HR"; content:"/?"; http_header; within:2; pcre:"/^[a-f0-9]{32}=\d{1,10}\r\n/HR"; content:" MSIE "; http_user_agent; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017613; rev:10; metadata:created_at 2013_10_17, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (pricetag.deaftone.com)"; dns_query; content:"pricetag.deaftone.com"; depth:21; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020268; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit CVE-2013-0422 Jar"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"B.class"; fast_pattern; pcre:"/[^a-zA-Z0-9_\-.]B\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; content:!"Browser.class"; classtype:attempted-user; sid:2016228; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_17, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (rubberduck.gotgeeks.com)"; dns_query; content:"rubberduck.gotgeeks.com"; depth:23; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020269; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS JS Multiple Debug Math.atan2 calls with CollectGarbage"; flow:established,from_server; file_data; content:"CollectGarbage"; nocase; fast_pattern; content:"Math.atan2"; nocase; content:"Math.atan2"; nocase; distance:0; content:"Math.atan2"; nocase; distance:0; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; reference:url,cyvera.com/cve-2013-3897-analysis-of-yet-another-ie-0-day/; classtype:attempted-user; sid:2017657; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_04, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (shutdown.25u.com)"; dns_query; content:"shutdown.25u.com"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020270; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Botnet Login Request CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/operator/login.php"; fast_pattern; http_uri; pcre:"/\/operator\/login\.php$/U"; content:!"Referer|3a 20|"; content:!"|0d 0a|Accept"; http_header; content:"Mozilla/4.0 (SEObot)"; depth:20; http_user_agent; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:command-and-control; sid:2017718; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_11_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (sorry.ns2.name)"; dns_query; content:"sorry.ns2.name"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020271; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 IE Exploit URI Struct"; flow:established,to_server; content:".tpl"; http_uri; fast_pattern; pcre:"/\/1[34]\d{8}\.tpl$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017601; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_17, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (sskill.b0ne.com)"; dns_query; content:"sskill.b0ne.com"; depth:15; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020272; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK IE Exploit CVE-2013-2551"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"stroke"; nocase; content:"visibility"; nocase; content:"hidden"; nocase; distance:0; content:"Array"; nocase; pcre:"/^[\r\n\s]*?\([\r\n\s]*?[\x22\x27]f([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?r([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?o([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?m([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?C([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?h([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?a([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?r([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?c([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?o([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?d([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?e[\x22\x27]/Ri"; classtype:exploit-kit; sid:2017785; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_27, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (text-First.flnet.org)"; dns_query; content:"text-First.flnet.org"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020273; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Adobe PDF CVE-2013-0640"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".keep.previous"; nocase; fast_pattern; content:".resolveNode"; nocase; pcre:"/^[\r\n\s]*?\\?\(.+?\\?\)\.keep\.previous[\r\n\s]*?=[\r\n\s]*?[\x22\x27]contentArea/Rsi"; reference:url,www.exploit-db.com/exploits/29881/; classtype:attempted-user; sid:2017790; rev:3; metadata:created_at 2013_11_30, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (uudog.4pu.com)"; dns_query; content:"uudog.4pu.com"; depth:13; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020274; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Grandsoft/SofosFO EK PDF URI Struct"; flow:established,to_server; content:".pdf"; http_uri; fast_pattern; pcre:"/^\/\d{1,2}(?P<l>[A-Z])\d{1,2}(?P=l)\d{1,2}(?P=l)\d{1,2}\.pdf$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017699; rev:4; metadata:created_at 2013_11_09, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (will-smith.dtdns.net)"; dns_query; content:"will-smith.dtdns.net"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020275; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack Java Exploit"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/java.php?eid="; http_uri; fast_pattern; content:"type="; http_uri; pcre:"/\/java\.php\?eid=[a-f0-9]{32}&/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017863; rev:5; metadata:created_at 2013_12_16, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (ndcinformation.acmetoy.com)"; dns_query; content:"ndcinformation.acmetoy.com"; depth:26; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020276; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack PDF Exploit"; flow:established,to_server; content:"/pdf.php?pdf="; http_uri; fast_pattern; content:"type="; http_uri; pcre:"/\/pdf\.php\?pdf=[a-f0-9]{32}&/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017862; rev:4; metadata:created_at 2013_12_16, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (service.authorizeddns.net)"; dns_query; content:"service.authorizeddns.net"; depth:25; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020277; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack HCP Exploit"; flow:established,to_server; content:"/hcp.php?"; http_uri; fast_pattern; content:"type="; nocase; http_uri; content:"o="; nocase; http_uri; content:"b="; nocase; http_uri; pcre:"/[&?]type=\d+(?:$|&)/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017864; rev:3; metadata:created_at 2013_12_17, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (text-first.trickip.org)"; dns_query; content:"text-first.trickip.org"; depth:22; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020278; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack Jar 1 Dec 16 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/cp.jar"; http_uri; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017865; rev:4; metadata:created_at 2013_12_17, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious boltotor.com Domain - Possible CryptoWall Activity"; dns_query; content:"boltotor.com"; depth:12; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020285; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack Jar 2 Dec 16 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/serial.jar"; http_uri; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017866; rev:4; metadata:created_at 2013_12_17, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious bonytor2.com Domain -Possible CryptoWall Activity"; dns_query; content:"bonytor2.com"; depth:12; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020286; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache Solr Arbitrary XSLT inclusion attack"; flow:to_server,established; content:"../../"; fast_pattern; content:"&wt=xslt"; nocase; content:"&tr="; reference:cve,CVE-2013-6397; reference:url,www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html; classtype:attempted-user; sid:2017882; rev:3; metadata:created_at 2013_12_18, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious speecostor.com Domain -Possible CryptoWall Activity"; dns_query; content:"speecostor.com"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020287; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for whoismama.ru"; flow:established,to_client; content:"www.whoismama.ru"; fast_pattern; nocase; reference:md5,cca1713888b0534954234cf31dd5a7d4; classtype:trojan-activity; sid:2017940; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (expert.4irc.com)"; dns_query; content:"expert.4irc.com"; depth:15; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020252; rev:5; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for dewart.ru"; flow:established,to_client; content:"www.deweart.ru"; fast_pattern; nocase; reference:md5,6e0a6c4a06a446f70ae1463129711122; classtype:trojan-activity; sid:2017941; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Careto Mask DNS Lookup (msupdate.ath.cx)"; dns_query; content:"msupdate.ath.cx"; depth:15; nocase; endswith; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021712; rev:4; metadata:created_at 2015_08_25, updated_at 2019_09_28;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for anlogtewron.ru"; flow:established,to_client; content:"www.anlogtewron.ru"; fast_pattern; nocase; reference:md5,c13c3e331f05d61a7204fb4599b07709; classtype:trojan-activity; sid:2017942; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Careto Mask DNS Lookup (karpeskmon.dyndns.org)"; dns_query; content:"karpeskmon.dyndns.org"; depth:21; nocase; endswith; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021714; rev:4; metadata:created_at 2015_08_25, updated_at 2019_09_28;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for erjentronem.ru"; flow:established,to_client; content:"www.erjentronem.ru"; fast_pattern; nocase; reference:md5,05ddaa5b6b56123e792fd67bb03376bc; classtype:trojan-activity; sid:2017943; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Careto Mask DNS Lookup (isaserver.minrex.gov.cu)"; dns_query; content:"isaserver.minrex.gov.cu"; depth:23; nocase; endswith; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021715; rev:4; metadata:created_at 2015_08_25, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CookieBomb 2.0 In Server Response Jan 29 2014"; flow:from_server,established; file_data; content:"%66%75%6e%63%74%69%6f%6e%20%72%65%64%69%72%65%63%74"; nocase; content:"%66%75%6e%63%74%69%6f%6e%20%63%72%65%61%74%65%43%6f%6f%6b%69%65"; nocase; content:"%64%6f%52%65%64%69%72%65%63%74"; nocase; fast_pattern; reference:url,malwaremustdie.blogspot.jp/2014/01/and-another-detonating-method-of-todays.html; classtype:trojan-activity; sid:2018037; rev:5; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible PlugX DNS Lookup (operaa.net)"; dns_query; content:"operaa.net"; depth:10; nocase; endswith; fast_pattern; reference:url,volexity.com/blog/?p=179; classtype:trojan-activity; sid:2021936; rev:4; metadata:created_at 2015_10_08, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 3"; dsize:>11; content:"|7b 9e|"; fast_pattern; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]+?\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,2eed956920934a78200899ef05ace0d8; classtype:command-and-control; sid:2017548; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_30, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2022_04_18;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX or EvilGrab DNS Lookup (appeur.gnway.cc)"; dns_query; content:"appeur.gnway.cc"; depth:15; nocase; endswith; fast_pattern; reference:url,asert.arbornetworks.com/defending-the-white-elephant/; classtype:trojan-activity; sid:2021961; rev:4; metadata:created_at 2015_10_16, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET FTP Outbound Java Downloading jar over FTP"; flow:to_server,established; flowbits:isset,ET.Java.FTP.Logon; content:".jar"; nocase; fast_pattern; content:"RETR "; pcre:"/^[^\r\n]+\.jar/Ri"; classtype:misc-activity; sid:2016688; rev:3; metadata:created_at 2013_03_29, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sakula DNS Lookup (mail.cbppnews.com)"; dns_query; content:"mail.cbppnews.com"; depth:17; nocase; endswith; fast_pattern; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf; classtype:trojan-activity; sid:2022272; rev:4; metadata:created_at 2015_12_17, updated_at 2019_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT BeEF Cookie Outbound"; flow:to_server,established; content:"Cookie|3a 20|BEEFSESSION="; fast_pattern; threshold: type limit, track by_src, seconds 300, count 1; reference:url,beefproject.com; classtype:attempted-user; sid:2018088; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_07, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bulta DNS Lookup (kugo.f3322.net)"; dns_query; content:"kugo.f3322.net"; depth:14; nocase; endswith; fast_pattern; reference:md5,8dd612b14a2a448e8b1b6f3d09909e45; classtype:trojan-activity; sid:2022346; rev:5; metadata:created_at 2016_01_09, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JoomSocial AvatarUpload RCE"; flow:established,to_server; content:"func="; nocase; content:"photo"; nocase; distance:0; content:"ajaxUploadAvatar"; nocase; fast_pattern; content:"CStringHelper"; nocase; content:"escape"; nocase; distance:0; reference:url,blog.sucuri.net/2014/02/joomla-jomsocial-remote-code-execution-vulnerability.html; classtype:web-application-attack; sid:2018107; rev:9; metadata:created_at 2014_02_11, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bulta DNS Lookup (yk.ftwxw.com)"; dns_query; content:"yk.ftwxw.com"; depth:12; nocase; endswith; fast_pattern; reference:md5,5b9a9e363f46f09e7f40c5cde2c90361; classtype:trojan-activity; sid:2022347; rev:5; metadata:created_at 2016_01_09, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE10 Use After Free CVE-2014-0322"; flow:established,to_client; file_data; content:"onpropertychange"; nocase; fast_pattern; content:".outerHTML"; pcre:"/^\s*?=\s*?[^\s]+?\.outerHTML/Rsi"; content:"appendChild"; nocase; content:"getElementsByTagName"; nocase; pcre:"/^\s*?\(\s*?[\x22\x27]script[\x22\x27].+?\s(?P<vname>[^\s]+)\.onpropertychange\s*=.+?\s(?P<vname2>[^\s\x3d]+)\s*?=\s*?[^\s]*?createElement\s*?\(\s*?[\x22\x27]select[\x22\x27].+?(?P=vname)\.appendChild\(\s*?[\x22\x27]?(?P=vname2)[\x22\x27]?/Rsi"; reference:cve,2014-0322; classtype:attempted-user; sid:2018147; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 2"; dns_query; content:"aaa123.spdns.de"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022412; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT EMET Detection Via XMLDOM"; flow:established,from_server; file_data; content:"loadXML"; nocase; content:"parseError"; nocase; content:"res:/"; content:"AppPatch"; nocase; distance:0; pcre:"/^.+?\bEMET\.DLL/Rsi"; content:"EMET.DLL"; nocase; fast_pattern; classtype:attempted-user; sid:2018152; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 3"; dns_query; content:"accounts.yourturbe.org"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022413; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Lang Runtime in Response"; flow:from_server,established; file_data; content:!"|CA FE BA BE|"; within:4; content:"getClass"; nocase; content:"java.lang.Runtime"; nocase; fast_pattern; content:"getRuntime"; nocase; content:"exec"; nocase; content:"script"; nocase; classtype:exploit-kit; sid:2018172; rev:3; metadata:created_at 2014_02_25, former_category WEB_CLIENT, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 4"; dns_query; content:"account.websurprisemail.com"; depth:27; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022414; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Obfuscation Technique Used in CVE-2014-0322 Attacks"; flow:established,from_server; file_data; content:"|2f|%u([0-9a-fA-F]{1,4}"; nocase; fast_pattern; content:"decode"; nocase; pcre:"/^\s*?\(\s*?key\s*?,\s*?js\s*?/Rsi"; content:"decode"; nocase; pcre:"/^\s*?\(\s*?[^,\s]*?\s*?,\s*?[\x22\x27][a-f0-9]{100}/Rsi"; classtype:trojan-activity; sid:2018179; rev:5; metadata:created_at 2014_02_26, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 5"; dns_query; content:"addi.apple.cloudns.org"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022415; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER log4jAdmin access from non-local network Page Body (can modify logging levels)"; flow:established,from_server; file_data; content:"<title>Log4J Administration</title>"; fast_pattern; content:"Change Log Level To"; reference:url,gist.github.com/iamkristian/943918; classtype:web-application-activity; sid:2018203; rev:3; metadata:created_at 2014_03_04, former_category WEB_SERVER, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 7"; dns_query; content:"apple.lenovositegroup.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022417; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013"; flow:established,to_server; content:".htm"; http_uri; fast_pattern; pcre:"/^\/\d{8,11}(\/\d)?\/1[34]\d{8}\.htm$/U"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-f0-9A-Z\_\-]{32,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017774; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_27, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 8"; dns_query; content:"bailee.alanna.cloudns.biz"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022418; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK IE Exploit CVE-2013-2551 March 12 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"stroke"; nocase; content:"visibility"; nocase; content:"hidden"; nocase; distance:0; content:"|22|f"; nocase; pcre:"/^\d+([\x22\x27]\s*?,\s*[\x22\x27])?r\d+([\x22\x27]\s*?,\s*[\x22\x27])?o\d+([\x22\x27]\s*?,\s*[\x22\x27])?m\d+([\x22\x27]\s*?,\s*[\x22\x27])?C\d+([\x22\x27]\s*?,\s*[\x22\x27])?h\d+([\x22\x27]\s*?,\s*[\x22\x27])?a\d+([\x22\x27]\s*?,\s*[\x22\x27])?r\d+([\x22\x27]\s*?,\s*[\x22\x27])?c\d+([\x22\x27]\s*?,\s*[\x22\x27])?o\d+([\x22\x27]\s*?,\s*[\x22\x27])?d\d+([\x22\x27]\s*?,\s*[\x22\x27])?e\d+[\x22\x27]/Ri"; classtype:exploit-kit; sid:2018262; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_03_13, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 9"; dns_query; content:"bee.aoto.cloudns.org"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022419; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic HeapSpray Construct"; flow:established,from_server; file_data; content:"createElement(|22|div|22|)"; fast_pattern; content:"for("; pcre:"/^\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b(?P=var)\s*?\<\s*?(?:0x)?\d{3,4}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b[^\x7d]+?\[\s*?(?P=var)\s*?\]\s*?=\s*?document\.createElement\([\x22]div[\x22]\)[^\x7d]+?\[\s*?(?P=var)\s*?\]/Rsi"; classtype:trojan-activity; sid:2018299; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_03_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 10"; dns_query; content:"bits.githubs.net"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022420; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File .RTF File download with invalid listoverridecount"; flow:from_server,established; file_data; content:"|5c|listoverridetable"; distance:0; content:"|5c|listoverride|5c|"; fast_pattern; content:"|5c|listoverridecount"; isdataat:2,relative; pcre:"/^(?:0*?[19]\d|[^190])/R"; reference:cve,2012-2539; classtype:attempted-user; sid:2018315; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_12_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 11"; dns_query; content:"book.websurprisemail.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022421; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF Struct"; flow:established,to_server; content:"/13"; http_uri; fast_pattern; content:".swf"; http_uri; pcre:"/\/13[89]\d{7}.swf$/U"; flowbits:set,et.Nuclear.SWF; flowbits:noalert; classtype:exploit-kit; sid:2018360; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_04, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 12"; dns_query; content:"clean.popqueen.cloudns.org"; depth:26; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022422; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Lucky7 Java Exploit URI Struct June 28 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".php?"; http_uri; pcre:"/\/[a-z]+\.php\?[a-z]+?=\d{7}&[a-z]+?=\d{7,8}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017078; rev:7; metadata:created_at 2013_06_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 13"; dns_query; content:"desk.websurprisemail.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022423; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY EL8 EK Landing"; flow:established,from_server; file_data; content:"lady8vhc"; nocase; fast_pattern; content:"eval(function("; classtype:exploit-kit; sid:2018405; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_04_22, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 14"; dns_query; content:"detail43.myfirewall.org"; depth:23; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022424; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Possible Grams DarkMarket Search DNS Domain Lookup"; content:"|10|grams7enufi7jmdl"; nocase; fast_pattern; classtype:policy-violation; sid:2018406; rev:4; metadata:created_at 2014_04_22, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 18"; dns_query; content:"economy.spdns.eu"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022428; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ftpchk3.php upload attempted"; flow:to_server,established; content:"STOR ftpchk3.php|0d 0a|"; nocase; fast_pattern; reference:url,digitalpbk.blogspot.com/2009/10/ftpchk3-virus-php-pl-hacked-website.html; reference:url,labs.mwrinfosecurity.com/system/assets/131/original/Journey-to-the-Centre-of-the-Breach.pdf; classtype:attempted-admin; sid:2018416; rev:5; metadata:created_at 2014_04_24, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 19"; dns_query; content:"eemete.freetcp.com"; depth:18; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022429; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack 2013-2551 May 13 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"|3a|stroke"; nocase; content:"|3a|oval"; nocase; content:"66"; pcre:"/^(?P<sep>[^\x22\x27]{0,10})75(?P=sep)6e(?P=sep)63(?P=sep)74(?P=sep)69(?P=sep)6f(?P=sep)6e(?P=sep)20/Rsi"; classtype:exploit-kit; sid:2018469; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 21"; dns_query; content:"firewallupdate.firewall-gateway.net"; depth:35; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022431; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Goon/Infinity EK Landing May 05 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"/*"; pcre:"/^\d+?\*\/\s*?(?P<vname>[^\s\(\x3b]{1,20})\s*?\([^\)]+\)\s*?(?:\/\*\d+?\*\/\s*?)?\x3b\s*?(?:\/\*\d+?\*\/)?(?P=vname)\s*?(?:\/\*\d+?\*\/\s*?)?\([^\)]+\)\s*?(?:\/\*\d+?\*\/\s*?)?\x3b\s*?(?:\/\*\d+?\*\/)?(?P=vname)/Rs"; classtype:exploit-kit; sid:2018440; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 22"; dns_query; content:"fish.seafood.cloudns.org"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022432; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+alert udp $EXTERNAL_NET 10000: -> $HOME_NET 10000: (msg:"ET SCAN NMAP OS Detection Probe"; dsize:300; content:"CCCCCCCCCCCCCCCCCCCC"; fast_pattern; content:"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; depth:255; content:"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; within:45; classtype:attempted-recon; sid:2018489; rev:4; metadata:created_at 2014_05_21, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 23"; dns_query; content:"ftp112.lenta.cloudns.pw"; depth:23; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022433; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Urausy.C response"; flow:from_server,established; file_data; content:"|0d 0a|<?xml version="; depth:16; content:"<interval>"; distance:0; content:"</interval>"; distance:0; content:"<timeout>"; distance:0; content:"</timeout>"; distance:0; content:"|d1 81 d1 81 d1 8b d0 bb d0 be d0 ba 20|c&c -->"; fast_pattern; reference:md5,6213597f40ecb3e7cf2ab3ee5c8b1c70; classtype:trojan-activity; sid:2018499; rev:4; metadata:created_at 2014_05_23, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 28"; dns_query; content:"mail.firewall-gateway.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022438; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Various Java Exploit Common Class name"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PayloadX.class"; nocase; fast_pattern; classtype:attempted-user; sid:2018500; rev:7; metadata:affected_product Any, attack_target Client_and_Server, created_at 2014_05_27, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 29"; dns_query; content:"mareva.catherine.cloudns.us"; depth:27; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022439; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Observed with Unkown Trojan (statswas)"; flow:established,from_server; content:"|0c|statswas.com"; nocase; fast_pattern; reference:md5,9c087d528beefd22743666af772465fc; classtype:trojan-activity; sid:2018515; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_06_03, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 30"; dns_query; content:"mm.lenovositegroup.com"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022440; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Adware.Wapsx.A"; flow:established, to_server; content:"/fengmian/"; fast_pattern; content:"meinv6.4.0 qiu shou gou, zhi mai 503 wan ren min bi"; http_user_agent; depth:51; content:!"Referer|3a|"; http_header; reference:md5,37e36531e6dbc3ad0954fd9bb4588fad; classtype:trojan-activity; sid:2018533; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_06_05, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 31"; dns_query; content:"muslim.islamhood.net"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022441; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack Flash Exploit flash0515.php"; flow:established,to_server; content:"/flash0515.php"; fast_pattern; http_uri; nocase; classtype:exploit-kit; sid:2018540; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_06_06, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 32"; dns_query; content:"news.firewall-gateway.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022442; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 3"; flow:established,to_server; content:"/PMConfig.dat"; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018587; rev:5; metadata:created_at 2014_06_20, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 35"; dns_query; content:"p.klark.cloudns.in"; depth:18; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022445; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Multiple EKs CVE-2013-3918"; flow:established,from_server; file_data; content:"C|3a 5c|rock.png"; nocase; fast_pattern; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; classtype:exploit-kit; sid:2018592; rev:3; metadata:created_at 2014_06_20, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 36"; dns_query; content:"ppcc.vasilevich.cloudns.info"; depth:28; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022446; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER c99 Shell Backdoor Var Override Cookie"; flow:to_server,established; content:"c99shcook"; nocase; fast_pattern; pcre:"/c99shcook/Ci"; reference:url,thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/; classtype:trojan-activity; sid:2018602; rev:3; metadata:created_at 2014_06_24, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 37"; dns_query; content:"press.ufoneconference.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022447; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sharik Checkin"; flow:established,to_server; dsize:10; content:"34feGaeRAd"; fast_pattern; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:command-and-control; sid:2018614; rev:2; metadata:created_at 2014_06_30, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 38"; dns_query; content:"qq.yourturbe.org"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022448; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sharik C2 Incoming Traffic"; flow:established,from_server; dsize:18; content:"|0d 00 07 01 00 81 7c e4 04 c0 d4 01 00 19 c0 c2 04 00|"; fast_pattern; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:command-and-control; sid:2018615; rev:2; metadata:created_at 2014_06_30, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 39"; dns_query; content:"sys.firewall-gateway.net"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022449; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Infostealer.Bancos Checkin via SMTP"; flow:to_server,established; content:"Subject|3a 20|"; content:"Foi Instalado"; nocase; fast_pattern; pcre:"/^Subject\x3a [^\r\n]+?Foi Instalado/mi"; reference:md5,7f5709c924bb1417a180a4fa8311a2e9; classtype:command-and-control; sid:2018646; rev:2; metadata:created_at 2014_07_07, former_category MALWARE, malware_family Bancos, tag Banking_Trojan, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 40"; dns_query; content:"vip.yahoo.cloudns.info"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022450; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed CWS"; flow:established,from_server; content:"callback=CWS"; nocase; fast_pattern; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=CWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018656; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_07_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 43"; dns_query; content:"www.angleegg.xxxy.info"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022453; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed FWS"; flow:established,from_server; content:"callback=FWS"; nocase; fast_pattern; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=FWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018657; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_07_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 48"; dns_query; content:"www.uyghuri.MrFace.com"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022458; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed ZWS"; flow:established,from_server; content:"callback=ZWS"; nocase; fast_pattern; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=ZWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018658; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_07_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 49"; dns_query; content:"youturbe.co.cc"; depth:14; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022459; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|04|kreb"; distance:1; within:5; content:"|0d|kreb|40|kreb.com"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018902; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 50"; dns_query; content:"yycc.mrbonus.com"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022460; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Malicious Plugin Detect URI struct"; flow:established,to_server; content:"v_ja="; http_uri; nocase; fast_pattern; content:"v_f="; http_uri; nocase; content:"v_m="; http_uri; nocase; content:"v_s="; http_uri; nocase; content:"v_a="; http_uri; nocase; content:"v_q="; http_uri; nocase; content:"js="; nocase; http_uri; content:"ref="; http_uri; nocase; pcre:"/[&?]v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=/Ui"; classtype:exploit-kit; sid:2018920; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_23, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 45"; dns_query; content:"tally.myfirewall.org"; depth:20; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/03/shifting-tactics/; classtype:trojan-activity; sid:2022610; rev:4; metadata:created_at 2016_03_11, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Trojan Dropped By Archie.EK"; flow:established,to_server; content:".exe"; http_uri; fast_pattern; pcre:"/^\/[56]\d{4}\x2c.*?\x2c[A-Z]\x3a[\x2f\x5c].+?\.exe/Ui"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,e6c91ab176887e5c79bb59277c651dfd; classtype:exploit-kit; sid:2018928; rev:4; metadata:created_at 2014_08_13, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 46"; dns_query; content:"accountgoogle.firewall-gateway.com"; depth:34; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/03/shifting-tactics/; classtype:trojan-activity; sid:2022611; rev:5; metadata:created_at 2016_03_11, updated_at 2019_09_28;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious X-mailer Synapse"; flow:established,to_server; content:"produced by Synapse"; fast_pattern; content:"X|2d|mailer|3a 20|Synapse|20 2d 20|Pascal TCP|2f|IP library by Lukas Gebauer"; reference:md5,954acc71ffaa7010c603d74e76dfc70b; reference:url,www.joewein.net/spam/spam-joejob.htm; classtype:trojan-activity; sid:2018936; rev:3; metadata:created_at 2014_08_14, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 47"; dns_query; content:"filegoogle.firewall-gateway.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/03/shifting-tactics/; classtype:trojan-activity; sid:2022612; rev:5; metadata:created_at 2016_03_11, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Social Engineering Toolkit JAR filename detected"; flow:established,to_client; content:"<applet"; content:"Signed_Update.jar"; fast_pattern; reference:url,trustedsec.com/downloads/social-engineer-toolkit/; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:2018970; rev:4; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_08_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, tag DriveBy, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unknown PowerShell Loader DNS Lookup (spl.noip.me)"; dns_query; content:"spl.noip.me"; depth:11; nocase; endswith; fast_pattern; reference:url,fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html; classtype:trojan-activity; sid:2022747; rev:4; metadata:created_at 2016_04_19, updated_at 2019_09_28;)
+alert tcp any 873 -> any any (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys successful exfiltration"; flow:from_server,established; content:"ssh-rsa"; fast_pattern; flowbits:isset,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019089; rev:3; metadata:created_at 2014_08_29, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE PoisonIvy SPIVY DNS Lookup (leeh0m.org)"; dns_query; content:"leeh0m.org"; depth:10; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/; classtype:trojan-activity; sid:2022753; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_22, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2019_09_28;)
+alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys successful upload"; flow:to_server,established; content:"ssh-rsa"; fast_pattern; flowbits:isset,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019090; rev:3; metadata:created_at 2014_08_29, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Hidden-Tear Ransomware Variant (.bloccato) DNS Request to CnC Domain"; dns_query; content:"ur232dkkwpdkwp.xyz"; depth:18; nocase; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/; reference:md5,e586f208a724ba84369b72bc43d92057; classtype:command-and-control; sid:2022831; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi access attempt"; flow:to_server,established; dsize:4; content:"cmi|0a|"; fast_pattern; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019087; rev:5; metadata:created_at 2014_08_29, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (way2tor)"; dns_query; content:".way2tor"; fast_pattern; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2019982; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_12_20, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2019_09_28;)
+alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys access attempt"; flow:to_server,established; content:"cmi/var/ssh/root/authorized_keys"; fast_pattern; flowbits:set,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019088; rev:4; metadata:created_at 2014_08_29, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor4life.com)"; dns_query; content:".tor4life.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020125; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe guessing router password 2"; flow:established,from_server; file_data; content:"dnsPrimary="; nocase; fast_pattern; content:"dnsSecondary="; nocase; content:"dnsDynamic="; nocase; content:"rebootinfo.cgi"; nocase; reference:url,securelist.com/blog/incidents/66358/web-based-attack-targeting-home-routers-the-brazilian-way/; classtype:attempted-user; sid:2019112; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_09_04, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (adjust-local-settings .com)"; dns_query; content:"adjust-local-settings.com"; depth:25; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023095; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Silverlight URI Struct"; flow:established,to_server; content:".xap"; http_uri; fast_pattern; content:"/1"; http_uri; pcre:"/\/1(?:3[89]\d{7}|4\d{8})\.xap$/U"; classtype:exploit-kit; sid:2019167; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_12, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (bbc-africa .com)"; dns_query; content:"bbc-africa.com"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023102; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|02|eu|00|"; fast_pattern; pcre:"/\x00\x07[a-z0-9]{7}\x02eu\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:command-and-control; sid:2014372; rev:6; metadata:created_at 2012_03_14, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (checkinonlinehere .com)"; dns_query; content:"checkinonlinehere.com"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:command-and-control; sid:2023104; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, former_category MALWARE, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|02|ru|00|"; fast_pattern; pcre:"/[^a-z0-9\-\.][a-z]{32,48}\x02ru\x00\x00/"; classtype:command-and-control; sid:2014376; rev:4; metadata:created_at 2012_03_14, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (googleplay-store .com)"; dns_query; content:"googleplay-store.com"; depth:20; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023109; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Redirect Sept 18 2014"; flow:established,to_server; content:".php?ds="; http_uri; fast_pattern; content:"&dr="; http_uri; pcre:"/&dr=\d+$/U"; reference:url,blog.malwarebytes.org/exploits-2/2014/07/socialblade-com-compromised-starts-redirection-chain-to-nuclear-pack-exploit-kit/; classtype:exploit-kit; sid:2019194; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_18, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (turkeynewsupdates .com)"; dns_query; content:"turkeynewsupdates.com"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023124; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Redirect Sept 18 2014"; flow:established,to_server; content:".php?acc="; http_uri; fast_pattern; content:"&nrk="; http_uri; pcre:"/&nrk=\d+$/U"; classtype:exploit-kit; sid:2019195; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_18, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (unonoticias .net)"; dns_query; content:"unonoticias.net"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023128; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit"; flow:established,to_client; file_data; content:".execCommand|28|"; nocase; pcre:"/^[\r\n\s]*[\x22\x27]selectAll/Ri"; content:"YMjf\\u0c08\\u0c0cKDog"; fast_pattern; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2015712; rev:6; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, created_at 2012_09_18, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Web_Client_Attacks, tag Metasploit, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE BartCrypt Payment DNS Query to .onion proxy Domain (s3clm4lufbmfhmeb)"; dns_query; content:".s3clm4lufbmfhmeb"; fast_pattern; endswith; nocase; classtype:trojan-activity; sid:2023154; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag DNS_Onion_Query, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OneLouder EXE download possibly installing Zeus P2P"; flow:to_client,established; flowbits:isset,ET.OneLouderHeader; file_data; content:"MZ"; within:2; content:"PE|00 00|"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019103; rev:5; metadata:created_at 2014_09_03, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Adwind DNS Lookup (winmeif .myq-see.com)"; dns_query; content:"winmeif.myq-see.com"; depth:19; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023256; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK PDF"; flow:established,from_server; flowbits:isset,et.Nuclear.PDF; content:"Content-Disposition|3a|"; http_header; content:".pdf|0d 0a|"; http_header; fast_pattern; content:"X-Powered-By|3a|"; http_header; content:"nginx"; http_header; nocase; pcre:"/^Content-Disposition\x3a[^\r\n]+(?<!\W14\d{8})\.pdf\r?$/Hm"; file_data; content:"|25|PDF-1.6"; within:8; classtype:exploit-kit; sid:2019210; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_22, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Netwire RAT DNS Lookup (samsung .ddns.me)"; dns_query; content:"samsung.ddns.me"; depth:15; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023259; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Gate Sep 16 2014"; flow:established,from_server; file_data; content:"16.html"; fast_pattern; content:"etCookie"; content:"document.write(|27|<iframe"; pcre:"/^(?=(?:(?!<\/iframe>).)+?src\s*?=\s*?\x22http\x3a[^\x22]+16\.html\x22)(?=(?:(?!<\/iframe>).)+?left\s*?[\x3a\x3d]\s*?[\x22\x27]?\-)(?=(?:(?!<\/iframe>).)+?top\s*?[\x3a\x3d]\s*?[\x22\x27]?\-)(?:(?!<\/iframe>).)+?<\/iframe>\x27\x29/Rsi"; classtype:exploit-kit; sid:2019185; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_16, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH SSL Blacklist DNS Lookup (Gozi MITM) (gtldsfs .com )"; dns_query; content:"gtldsfs.com "; depth:12; nocase; endswith; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023297; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, malware_family Gozi, signature_severity Major, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK 2013-3918"; flow:established,from_server; content:"X-Powered-By|3a|"; http_header; file_data; content:"C|3a 5c|Rock.png"; nocase; fast_pattern; content:"|7b|return"; pcre:"/^\s*?[A-Z0-9a-z\+]+?\s*?\x7d/R"; content:"|7d|function"; content:"|3b|function"; classtype:exploit-kit; sid:2019226; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_24, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH SSL Blacklist DNS Lookup (Gozi MITM) (cdnfastnetwork .com)"; dns_query; content:"cdnfastnetwork.com"; depth:18; nocase; endswith; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023298; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, malware_family Gozi, signature_severity Major, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible Job314 EK JAR URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".pack.gz"; http_uri; pcre:"/^(?=(?:\/[a-z]+?)*?\/\d+\/)(?=(?:\/\d+?)*?\/[a-z]+?\/)(?:\/(?:[a-z]+|\d+)){4,}\/[a-z]+\.pack\.gz$/U"; classtype:exploit-kit; sid:2019288; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_09_27, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH SSL Blacklist DNS Lookup (Gozi MITM) (sdpvss .com)"; dns_query; content:"sdpvss.com"; depth:10; nocase; endswith; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023310; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, malware_family Gozi, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion LF"; flow:to_server,established; content:"|28 29 0a 20 7b|"; fast_pattern; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; classtype:attempted-admin; sid:2019291; rev:3; metadata:created_at 2014_09_28, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoWall/TeslaCrypt Payment Domain"; dns_query; content:"aterdunst.com"; depth:13; nocase; endswith; fast_pattern; classtype:trojan-activity; sid:2023330; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2019_09_28;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion CRLF"; flow:to_server,established; content:"|28 29 0d 0a 20 7b|"; fast_pattern; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; classtype:attempted-admin; sid:2019292; rev:4; metadata:created_at 2014_09_28, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unknown AutoIt Bot DNS Lookup (webmail .duia.in)"; dns_query; content:"webmail.duia.in"; depth:15; nocase; endswith; fast_pattern; reference:url,cysinfo.com/malware-actors-using-nic-cyber-security-themed-spear-phishing-target-indian-government-organizations/; classtype:trojan-activity; sid:2023573; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, malware_family Ceatrg, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Job314 EK Landing"; flow:established,from_server; file_data; content:"|22|container|22|,|20 22|10|22|,"; fast_pattern; content:"swfobject.embedSWF"; nocase; pcre:"/^\s*?\x28\s*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?(?P=q)\s*?\,\s*?[\x22\x27]container[\x22\x27]\s*?,\s*?[\x22\x27]10[\x22\x27]\s*?,\s*?[\x22\x27]10[\x22\x27],\s*?[\x22\x27]9\.0\.0[\x22\x27]\s*?,\s*?false\s*?,\s*?flashvars,\s*?params\s*?,\s*?attributes\s*?\x29\s*?\x3b\s*?<\/script>\s*?<\/head>/Rs"; classtype:exploit-kit; sid:2019287; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_09_27, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"vmdefmnsndoj.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023600; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible bash shell piped to dev udp Inbound to WebServer"; flow:established,to_server; content:"/dev/udp/"; fast_pattern; classtype:bad-unknown; sid:2019314; rev:4; metadata:created_at 2014_09_29, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"lvfjcwwobycj.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023602; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible bash shell piped to dev tcp Inbound to WebServer"; flow:established,to_server; content:"/dev/tcp/"; fast_pattern; classtype:bad-unknown; sid:2019285; rev:4; metadata:created_at 2014_09_26, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"qjqubpciajoc.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023606; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+alert udp any 67 -> any 68 (msg:"ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK"; content:"|02 01|"; depth:2; content:"|28 29 20 7b|"; fast_pattern; reference:url,access.redhat.com/articles/1200223; reference:cve,2014-6271; classtype:attempted-admin; sid:2019237; rev:5; metadata:created_at 2014_09_25, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"exvdaajegjur.support"; depth:20; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023607; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+alert udp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server; content:"|28 29 20 7b|"; fast_pattern; reference:url,github.com/zaf/sipshock; classtype:attempted-admin; sid:2019289; rev:4; metadata:created_at 2014_09_27, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"tro69.online"; depth:12; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023608; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+alert tcp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; reference:url,github.com/zaf/sipshock; classtype:attempted-admin; sid:2019290; rev:3; metadata:created_at 2014_09_27, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"tro69.tech"; depth:10; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023609; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+alert tcp any any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible Qmail CVE-2014-6271 Mail From attempt"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; pcre:"/^mail\s*?from\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b/mi"; reference:url,marc.info/?l=qmail&m=141183309314366&w=2; classtype:attempted-admin; sid:2019293; rev:3; metadata:created_at 2014_09_29, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"tro69.support"; depth:13; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023610; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+alert udp any any -> $HOME_NET 1194 (msg:"ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt"; flow:to_server; content:"|20|"; depth:1; content:"|28 29 20 7b|"; fast_pattern; reference:url,news.ycombinator.com/item?id=8385332; classtype:attempted-admin; sid:2019322; rev:3; metadata:created_at 2014_09_30, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"nympompksmfx.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023630; rev:4; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
+alert tcp any any -> $HOME_NET 1194 (msg:"ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt"; flow:to_server,established; content:"|20|"; depth:1; content:"|28 29 20 7b|"; fast_pattern; reference:url,news.ycombinator.com/item?id=8385332; classtype:attempted-admin; sid:2019323; rev:3; metadata:created_at 2014_09_30, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"xpknpxmywqsrhe.online"; depth:21; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023631; rev:4; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
+alert tcp any any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible Pure-FTPd CVE-2014-6271 attempt"; flow:to_server,established; content:"|28 29 20 7b 20|"; fast_pattern; reference:url,gist.github.com/jedisct1/88c62ee34e6fa92c31dc; reference:cve,2014-6271; classtype:attempted-admin; sid:2019335; rev:2; metadata:created_at 2014_10_02, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"binpt.pw"; depth:8; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023634; rev:4; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
+alert smtp any any -> any any (msg:"ET SMTP Possible ComputerCop Log Transmitted via SMTP"; flow:to_server,established; content:"Subject|3a 20|CCOP|20|"; nocase; fast_pattern; reference:url,www.eff.org/deeplinks/2014/09/computercop-dangerous-internet-safety-software-hundreds-police-agencies; classtype:trojan-activity; sid:2019340; rev:3; metadata:created_at 2014_10_02, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE NEODYMIUM Wingbird DNS Lookup (srv601 .ddns.net)"; dns_query; content:"srv601.ddns.net"; depth:15; nocase; endswith; fast_pattern; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023641; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family NEODYMIUM_Wingbird, signature_severity Major, updated_at 2019_09_28;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Reply Sinkhole - irc-sinkhole.cert.pl"; flow:established,from_server; content:"|3a|irc|2d|sinkhole|2e|cert|2e|pl"; nocase; fast_pattern; content:"|3a|End of MOTD command|2e|"; classtype:trojan-activity; sid:2019354; rev:2; metadata:created_at 2014_10_06, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; dns_query; content:"storegoogle.at"; depth:14; nocase; endswith; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023710; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_01_09, deployment Perimeter, tag Android, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF Struct"; flow:established,to_server; content:"/14"; fast_pattern; http_uri; pcre:"/\/14\d{8}(?:\.swf)?$/U"; flowbits:set,et.Nuclear.SWF; flowbits:noalert; classtype:exploit-kit; sid:2018361; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_04, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (hostgatero .ddns.net)"; dns_query; content:"hostgatero.ddns.net"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023785; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK PDF Struct (no alert)"; flow:established,to_server; content:"/14"; http_uri; fast_pattern; pcre:"/\/14\d{8}(?:\.pdf)?$/U"; flowbits:set,et.Nuclear.PDF; flowbits:noalert; classtype:exploit-kit; sid:2019209; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_22, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 01"; dns_query; content:"account-google.serveftp.com"; depth:27; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023833; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Oct 5 2014"; flow:established,from_server; flowbits:isset,et.Nuclear.Payload; content:".exe"; http_header; fast_pattern; content:"Content-Disposition|3a|"; http_header; pcre:"/^Content-Disposition\x3a.+?filename\s*?=\s*?[\x22\x27]?\d\.exe/Hm"; classtype:exploit-kit; sid:2019359; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 02"; dns_query; content:"aramex-shipping.servehttp.com"; depth:29; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023834; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-1347 M1"; flow:established,from_server; file_data; content:"SharePoint.OpenDocuments.3"; nocase; content:"SharePoint.OpenDocuments.4"; nocase; content:"|3a|ANIMATECOLOR "; nocase; content:"ms-help|3a 2f 2f|"; fast_pattern; nocase; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019371; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 03"; dns_query; content:"device-activation.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023835; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M1"; flow:established,from_server; file_data; content:"#default#VML"; fast_pattern; content:"dword2data"; content:"localhost"; content:".swf"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019368; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 04"; dns_query; content:"dropbox-service.serveftp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023836; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6271 malicious DNS response"; byte_test:1,&,128,2; content:"|28 29 20 7b|"; fast_pattern; reference:cve,2014-6271; reference:url,packetstormsecurity.com/files/128650; classtype:attempted-admin; sid:2019402; rev:2; metadata:created_at 2014_10_15, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 05"; dns_query; content:"dropbox-sign.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023837; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DNS"; byte_test:1,&,128,4; content:"|28 29 20 7b|"; fast_pattern; reference:cve,2014-6271; reference:url,packetstormsecurity.com/files/128650; classtype:attempted-admin; sid:2019403; rev:2; metadata:created_at 2014_10_15, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 06"; dns_query; content:"dropboxsupport.servehttp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023838; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download with Hurricane Panda IOC"; flow:to_client,established; flowbits:isset,ET.http.binary; file_data; content:"woqunimalegebi"; fast_pattern; reference:url,blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/; reference:cve,2014-4113; classtype:attempted-user; sid:2019421; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 07"; dns_query; content:"fedex-mail.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023839; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JST Perl IrcBot download"; flow:to_client,established; file_data; content:"JST Perl IrcBot"; fast_pattern; content:!"<html"; reference:url,pastebin.com/HK8riv9Q; reference:url,www.binarydefense.com/bds/active-shellshock-smtp-botnet-campaign/; reference:md5,77a6c50a06b59df0f3d099b1819a01d9; classtype:trojan-activity; sid:2019509; rev:3; metadata:created_at 2014_10_27, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 08"; dns_query; content:"fedex-shipping.servehttp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023840; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32/Chanitor.A Domain in SNI"; flow:established,to_server; content:"svcz25e3m4mwlauz."; fast_pattern; classtype:trojan-activity; sid:2019518; rev:3; metadata:created_at 2014_10_27, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 09"; dns_query; content:"fedex-sign.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023841; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP SNMP trap Format String detected"; content:"%s"; fast_pattern; reference:bugtraq,16267; reference:cve,2006-0250; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=22493; classtype:attempted-recon; sid:2100227; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 10"; dns_query; content:"googledriver-sign.ddns.net"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023842; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoExec Macro"; flow:established,to_client; file_data; content:"A|00|u|00|t|00|o|00|E|00|x|00|e|00|c"; nocase; fast_pattern; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019614; rev:3; metadata:created_at 2014_10_31, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 11"; dns_query; content:"googledrive-sign.servehttp.com"; depth:30; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023843; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Hikit Server Authentication Response"; flow:established; content:"ETag|3a 20|"; content:"75BCD15"; fast_pattern; pcre:"/^ETag\x3a\x20\x22\d+75BCD15\d+\x3a[a-f0-9]{1,6}/mi"; reference:url,www.novetta.com/files/9914/1446/8050/Hikit_Analysis-Final.pdf; classtype:trojan-activity; sid:2019621; rev:3; metadata:created_at 2014_10_31, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 12"; dns_query; content:"google-maps.servehttp.com"; depth:25; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023844; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bedep SSL Cert"; flow:established,from_server; content:"|09 00 c9 80 9a 85 50 97 cc 97|"; fast_pattern; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"|0b|Company Ltd"; distance:1; within:12; content:"|55 04 0b|"; content:"|06|office"; distance:1; within:7; reference:url,malware-traffic-analysis.net/2014/11/02/index.html; reference:md5,11837229f834d296342b205433e9bc48; classtype:trojan-activity; sid:2019646; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 13"; dns_query; content:"googlesecure-serv.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023845; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Archie.EK Landing"; flow:established,to_client; file_data; content:"|2f|Trident|5c 2f|(|5c|d)|2f|i"; content:"Exploit.class"; nocase; fast_pattern; reference:cve,2014-2820; classtype:exploit-kit; sid:2018933; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 14"; dns_query; content:"googlesignin.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023846; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe guessing router password 1"; flow:established,from_server; file_data; content:"dnsPrimary="; nocase; fast_pattern; content:"dnsSecondary="; nocase; content:"dnsDynamic="; nocase; content:"dnsconfig.cgi"; nocase; reference:url,securelist.com/blog/incidents/66358/web-based-attack-targeting-home-routers-the-brazilian-way/; classtype:attempted-user; sid:2019111; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_09_04, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 15"; dns_query; content:"googleverify-signin.servehttp.com"; depth:33; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023847; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Nov 07 2014"; flow:established,from_server; flowbits:isset,et.Nuclear.Payload; content:".dll"; http_header; fast_pattern; content:"Content-Disposition|3a|"; http_header; pcre:"/^Content-Disposition\x3a.+?filename\s*?=\s*?[\x22\x27]?\d\.dll/Hm"; classtype:exploit-kit; sid:2019676; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_11_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 16"; dns_query; content:"mailgooglesign.servehttp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023848; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Archie EK Payload Checkin POST"; flow:established,to_server; content:"POST"; http_method; content:"integritylvl="; depth:13; http_client_body; content:"&osversion="; distance:0; http_client_body; content:"&iselevated="; distance:0; http_client_body; content:"&iever="; distance:0; http_client_body; content:"&isnet20inst="; http_client_body; fast_pattern; content:!"Referer|3a|"; http_header; reference:md5,41c0cdde6be5166606008b2d02f3a128; classtype:exploit-kit; sid:2019679; rev:4; metadata:created_at 2014_11_08, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 17"; dns_query; content:"myaccount.servehttp.com"; depth:23; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023849; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Oct 5 2014 (no alert)"; flow:established,to_server; content:"/14"; http_uri; fast_pattern; pcre:"/\/14\d{8}(?:\/\d+)*?(?:\/x[a-f0-9]+[\x3b0-9]*)?$/U"; flowbits:set,et.Nuclear.Payload; flowbits:noalert; classtype:exploit-kit; sid:2019358; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 18"; dns_query; content:"secure-team.servehttp.com"; depth:25; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023850; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT GENERIC VB ShellExecute Function Inside of VBSCRIPT tag"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"shellexecute"; nocase; fast_pattern; content:"<script "; nocase; pcre:"/^[^>]*?(?:language\s*?=\s*?[\x22\x27]vbscript[\x22\x27]|type\s*?=\s*?[\x22\x27]text/vbscript[\x22\x27](?:(?!<\/script>).)+?\WShellExecute)/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019707; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_14, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 19"; dns_query; content:"security-myaccount.servehttp.com"; depth:32; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023851; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure obfuscated CVE-2014-6332"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"Xor"; nocase; pcre:"/^\W/R"; content:"Execute"; nocase; content:"&chr"; nocase; content:"UBound"; fast_pattern; nocase; content:"Cint"; nocase; pcre:"/^\W/R"; content:"Split"; nocase; pcre:"/^\W/R"; content:"Mid"; pcre:"/^\W/R"; content:"Len"; pcre:"/^\W/R"; reference:cve,2014-6332; classtype:attempted-user; sid:2019715; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 20"; dns_query; content:"verification-acc.servehttp.com"; depth:30; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023852; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT GENERIC Possible IE Memory Corruption CollectGarbage with DOM Reset"; flow:established,to_client; file_data; content:"unescape"; nocase; content:"%u"; nocase; content:"CollectGarbage"; nocase; fast_pattern; content:"innerHTML"; nocase; pcre:"/^\s*?=\s*?(?:undefined|false|null|-?0|NaN|\x22\x22|\x27\x27)/Rsi"; classtype:attempted-user; sid:2019730; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 21"; dns_query; content:"dropbox-verfy.servehttp.com"; depth:27; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023853; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bamital Checkin Response 2"; flow:established,from_server; file_data; content:"$$$$"; fast_pattern; pcre:"/^<(?P<var1>[a-z])>[a-z0-9/]+<\/(?P=var1)><(?P<var2>[a-z])>[a-z0-9/]+<\/(?P=var2)>$$$$/i"; classtype:command-and-control; sid:2019758; rev:3; metadata:created_at 2014_11_20, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 22"; dns_query; content:"fedex-s.servehttp.com"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023854; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a *.cvredirect.no-ip.net domain - CoinLocker Domain"; flow:to_server,established; content:"cvredirect.no-ip.net"; fast_pattern; http_header; pcre:"/^Host\x3a[^\r\n]+?cvredirect.no-ip.net/Hmi"; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:bad-unknown; sid:2019789; rev:5; metadata:created_at 2014_11_24, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 23"; dns_query; content:"watchyoutube.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023855; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a *.cvredirect.ddns.net domain - CoinLocker Domain"; flow:to_server,established; content:"cvredirect.ddns.net"; fast_pattern; http_header; pcre:"/^Host\x3a[^\r\n]+?cvredirect.ddns.net/Hmi"; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:bad-unknown; sid:2019791; rev:3; metadata:created_at 2014_11_24, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 24"; dns_query; content:"verification-team.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023856; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VirRansom/VirLock Checkin"; flow:established,to_server; dsize:4; content:"|94 00 00 00|"; fast_pattern; flowbits:set,ET.VirLock; flowbits:noalert; reference:md5,fbeb6ebd498d85b1f404d7bb4acc3b89; classtype:command-and-control; sid:2019901; rev:2; metadata:created_at 2014_12_10, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 25"; dns_query; content:"securityteam-notify.servehttp.com"; depth:33; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023857; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE VirRansom/VirLock Checkin Response"; flow:established,from_server; dsize:4; content:"|74 01 00 00|"; fast_pattern; flowbits:isset,ET.VirLock; reference:md5,fbeb6ebd498d85b1f404d7bb4acc3b89; classtype:command-and-control; sid:2019902; rev:2; metadata:created_at 2014_12_10, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 26"; dns_query; content:"secure-alert.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023858; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Trojan.SpamBanker Report via SMTP"; flow:established,to_server; content:"From|3a|"; content:"Subject|3a 20|Keylogger"; fast_pattern; nocase; content:"X-Library|3a 20|Indy"; pcre:"/^Keylogger\r$/m"; reference:md5,9c1aac05bd3212a3abcd7cce9c6c4c77; classtype:trojan-activity; sid:2019931; rev:2; metadata:created_at 2014_12_13, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 27"; dns_query; content:"quota-notification.servehttp.com"; depth:32; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023859; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Trojan/Downloader.Fosniw.sap Reporting via SMTP"; flow:established,to_server; content:"From|3a|"; content:"Subject|3a 20|keylogger(v0."; fast_pattern; nocase; content:"@UserName"; content:"@ComputerName"; reference:md5,e36469241764b8c954a700146ca4c43f; classtype:trojan-activity; sid:2019933; rev:2; metadata:created_at 2014_12_13, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 28"; dns_query; content:"notification-team.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023860; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE SpamBanker message"; flow:to_server,established; content:"NEGOCIO_ONLINE|2e|"; fast_pattern; nocase; content:"|0d 0a|Content-Disposition|3a 20|attachment"; content:"filename|3d|"; nocase; distance:0; pcre:"/^[\x22\x27]NEGOCIO_ONLINE(\.(?:zip|exe))[\x27\x22]\x0d\x0a/Ri"; reference:url,tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=36677; classtype:trojan-activity; sid:2019937; rev:4; metadata:created_at 2014_12_15, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 29"; dns_query; content:"fedex-notification.servehttp.com"; depth:32; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023861; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Infostealer.Bancos Sending Stolen info SMTP"; flow:to_server,established; content:"X-Library|3a 20|Indy"; content:"BIGFONE TOCOU"; fast_pattern; content:"Nome Comp"; reference:md5,f71c41b816eadf221e188f6618798969; classtype:trojan-activity; sid:2019938; rev:2; metadata:created_at 2014_12_15, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 30"; dns_query; content:"docs-mails.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023862; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Sep 29 2014"; flow:from_server,established; file_data; content:"|28 2f 5b 40 5c 2a 5c 2d 5d 2f 67 2c 27 27 29|"; fast_pattern; content:"return"; pcre:"/^\s[^\r\n]*?[\x28\x5b]\s*?[\x22\x27][^\x22\x27]?s[^\x22\x27]?u[^\x22\x27]?b[^\x22\x27]?s[^\x22\x27]?t[^\x22\x27]?r[^\x22\x27]?[\x22\x27]\s*?[\x29\x5d]\s*?(?:\x5d\s*?)?\x28/R"; classtype:exploit-kit; sid:2019315; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_30, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 31"; dns_query; content:"restricted-videos.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023863; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET MALWARE ZhCAT.HackTool Operation Cleaver HTTP CnC Beacon"; flow:established,to_server; content:"POST file.php HTTP/1."; depth:21; content:"|20 28 20|compatible"; fast_pattern; reference:url,www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:command-and-control; sid:2019943; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 32"; dns_query; content:"dropboxnotification.servehttp.com"; depth:33; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023864; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 22 2014 Video"; flow:established,to_server; content:"/video.php?id="; fast_pattern; http_uri; pcre:"/\/video.php\?id=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2019989; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 33"; dns_query; content:"moi-gov.serveftp.com"; depth:20; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023865; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 22 2014 Player"; flow:established,to_server; content:"/player.php?pid="; fast_pattern; http_uri; pcre:"/\/player.php\?pid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2019990; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 34"; dns_query; content:"activate-google.servehttp.com"; depth:29; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023866; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 22 2014 Search"; flow:established,to_server; content:"/search.php?pid="; fast_pattern; http_uri; pcre:"/\/search.php\?pid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2019991; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 35"; dns_query; content:"googlemaps.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023867; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 6"; flow:established; content:"|09 22 33 30 28 35 2c|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020000; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Banker.Win32.Alreay DNS Lookup (tradeboard .mefound .com)"; dns_query; content:"tradeboard.mefound.com"; depth:22; nocase; endswith; fast_pattern; reference:url,niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-oraz-kto-jeszcze-byl-na-celowniku-przestepcow/; classtype:trojan-activity; sid:2023884; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_08, deployment Perimeter, malware_family Alreay_Banking, signature_severity Major, updated_at 2019_09_28;)
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 7"; flow:established; content:"|13 2f 22 35 22 67 26 35 22 29 27 33 67 28 37 22 29 67 37 28 35 33 34 69|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020001; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Banker.Win32.Alreay DNS Lookup (movis-es .ignorelist .com)"; dns_query; content:"movis-es.ignorelist.com"; depth:23; nocase; endswith; fast_pattern; reference:url,niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-oraz-kto-jeszcze-byl-na-celowniku-przestepcow/; classtype:trojan-activity; sid:2023885; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_08, deployment Perimeter, malware_family Alreay_Banking, signature_severity Major, updated_at 2019_09_28;)
+alert tcp any 488 -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 1"; flow:established,from_server; content:"|60 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020007; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Banker.Win32.Alreay DNS Lookup (exbonus .mrbasic .com)"; dns_query; content:"exbonus.mrbasic.com"; depth:19; nocase; endswith; fast_pattern; reference:url,niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-oraz-kto-jeszcze-byl-na-celowniku-przestepcow/; classtype:trojan-activity; sid:2023886; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_08, deployment Perimeter, malware_family Alreay_Banking, signature_severity Major, updated_at 2019_09_28;)
+alert tcp any any -> any 488 (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 2"; flow:established,to_server; content:"|60 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020008; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qadars CnC DNS Lookup (bst2bgxin81a.org)"; dns_query; content:"bst2bgxin81a.org"; depth:16; fast_pattern; endswith; nocase; classtype:command-and-control; sid:2023893; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, former_category MALWARE, malware_family Qadars, signature_severity Major, updated_at 2019_09_28;)
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 4"; flow:established; content:"|8a 10 80 c2 67 80 f2 24 88 10|"; fast_pattern; content:"|8a 10 80 f2 24 80 ea 67 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020010; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns_query; content:"siteanalysto.com"; depth:16; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023938; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, tag Android, updated_at 2019_09_28;)
+alert tcp any 488 -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 5"; flow:established,from_server; content:"|65 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020011; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known IoT Malware Domain"; dns_query; content:"load.gtpnet.ir"; depth:14; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; classtype:trojan-activity; sid:2024245; rev:4; metadata:attack_target IoT, created_at 2017_04_25, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2019_09_28;)
+alert tcp any any -> any 488 (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 6"; flow:established,to_server; content:"|65 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020012; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spora Ransomware DNS Query"; dns_query; content:"spora.li"; depth:8; nocase; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,906c51a18073112c4479b3fe4ea329ca; classtype:trojan-activity; sid:2024324; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 8"; flow:established; content:"|8a 10 80 ea 62 80 f2 b4 88 10|"; fast_pattern; content:"|8a 10 80 f2 b4 80 c2 62 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020014; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/5.0|3b 20|BOIE9|3b|ENGB)"; bsize:82; classtype:trojan-activity; sid:2028598; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 9"; flow:established; content:"|8a 10 80 c2 4e 80 f2 79 88 10|"; fast_pattern; content:"|8a 10 80 f2 79 80 ea 4e 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020015; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to Jaff Domain (comboratiogferrdto . com)"; dns_query; content:"comboratiogferrdto.com"; depth:22; fast_pattern; endswith; nocase; reference:md5,51cf3452feb218a4b1295cebf3b2130e; reference:url,blog.dynamoo.com/2017/05/malware-spam-with-nmpdf-attachment.html; classtype:trojan-activity; sid:2024341; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category TROJAN, malware_family Jaff_Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2019_09_28;)
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Proxy Tool 1"; flow:established; content:"|8a 10 80 c2 3a 80 f2 73 88 10|"; fast_pattern; content:"|8a 10 80 f2 73 80 ea 3a 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020017; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns_query; content:"epochatimes.com"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024478; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT TCP Checkin 1"; flow:established,to_server; dsize:24; content:"|08 00 1b 00 00 00 1b 00 00 00 02 00 00 00 00 00 00 00 00 00|"; fast_pattern; content:"|00 00 00 00 |"; offset:20; depth:4; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020024; rev:3; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns_query; content:"strangelol.com"; depth:14; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024852; rev:4; metadata:created_at 2017_10_18, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Dropped by RIG EK"; flow:established,to_server; content:"/Prack"; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|InetURL/1.0|0d 0a|"; http_header; reference:md5,18fa3ab45c6fa9da218dd4c35688c5f4; classtype:exploit-kit; sid:2020070; rev:4; metadata:created_at 2014_12_26, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Malicious Chrome Ext. DNS Query For Adware CnC (go.querymo)"; dns_query; content:"go.querymo.com"; depth:14; fast_pattern; endswith; nocase; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024724; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Dec 29 2014"; flow:from_server,established; file_data; content:"|2f 67 2c 27 27 29 3b 7d 65 6c 73 65 7b 72 65 74 75 72 6e|"; fast_pattern; content:"Function"; pcre:"/^\s*?\x28\s*?[\x22\x27](?P<var1>[^\x22\x27]+)[\x22\x27]\s*,\s*[\x22\x27]if\s*?\x28(?P=var1)\s*\!\s*=\s*[\x27\x22][\x22\x27]\s*?\x29\s*?\{\s*?(?P<var2>[^\s\x3d]+)\s*?=\s*?(?P=var1)\s*?\[/Rs"; classtype:exploit-kit; sid:2020082; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_30, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Scraper: yandex.ru based Mozilla 4.0"; ja3_hash; content:"05e15a226e00230c416a8cdefeb483c7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:misc-activity; sid:2028437; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Cushion Redirection URI Struct Mon Jan 05 2015"; flow:established,to_server; urilen:13; content:"/get_gift.php"; http_uri; fast_pattern; classtype:trojan-activity; sid:2020091; rev:3; metadata:created_at 2015_01_05, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Get2 Downloader Activity"; flow:established,to_server; http.user_agent; content:"CIBA|3b 20|MS-RTC LM 8|29|"; endswith; classtype:trojan-activity; sid:2028642; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_10_01;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.A Checkin x86"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 32 32|"; fast_pattern; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:command-and-control; sid:2020150; rev:2; metadata:created_at 2015_01_07, former_category MALWARE, updated_at 2019_10_08;)
 
-alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible EXIM DoS (CVE-2019-16928)"; flow:established,to_server; content:"EHLO "; depth:5; isdataat:5000,relative; content:!"|0a|"; within:500; reference:cve,2019-16928; reference:url,bugs.exim.org/show_bug.cgi?id=2449; reference:url,git.exim.org/exim.git/patch/478effbfd9c3cc5a627fc671d4bf94d13670d65f; classtype:attempted-admin; sid:2028636; rev:3; metadata:attack_target SMTP_Server, created_at 2019_09_30, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2019_10_01;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.A Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 64 32|"; fast_pattern; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:command-and-control; sid:2020151; rev:2; metadata:created_at 2015_01_07, former_category MALWARE, updated_at 2019_10_08;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Passwords"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|PSWD|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1178824123293868033; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028643; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 9000:10000 (msg:"ET MALWARE Win32/Recslurp.D C2 Request (no alert)"; flow:established,to_server; dsize:4; content:"|e8 03 00 00|"; fast_pattern; flowbits:set,ET.Reslurp.D.Client; flowbits:noalert; reference:md5,fcf364abd9c82d89f8d0b4b091276b41; classtype:command-and-control; sid:2020154; rev:3; metadata:created_at 2015_01_08, former_category MALWARE, updated_at 2019_10_08;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger Exfil via SMTP - Generic"; flow:established,to_server; content:"-- Client Info --"; fast_pattern; nocase; content:"IP|3a 20|"; content:"HWID|3a 20|"; content:"OS Platform|3a 20|"; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1178824123293868033; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028644; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mini/Cosmic Duke variant FTP upload"; flow:established,to_server; content:"STOR "; pcre:"/^[A-F0-9]{48}\.bin\r\n/R"; content:".bin|0d 0a|"; fast_pattern; reference:url,f-secure.com/weblog/archives/00002780.html; classtype:targeted-activity; sid:2020158; rev:3; metadata:created_at 2015_01_08, former_category MALWARE, updated_at 2019_10_08;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Logs"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|Logs|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028645; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Probable malicious download from e-mail link /1.php"; flow:established,to_server; content:"GET"; http_method; content:"/1.php?r"; http_uri; fast_pattern; content:!"Referer|3a 20|"; http_header; pcre:"/\/1\.php\?r$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019894; rev:4; metadata:created_at 2014_12_09, updated_at 2019_10_08;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Clipboard"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|Clipboard|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028646; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Jan 19 2014"; flow:established,from_server; file_data; content:"|73 74 61 72 74 7C 7C 30|"; nocase; fast_pattern; content:"|24 2c|"; pcre:"/^\s*?\x73\x74\x61\x72\x74\s*?\x29\s*?\x7b\s*?for\s*?\x28\s*?var\s+?[^\s]+?\s*?=\s*?\x73\x74\x61\x72\x74\x7C\x7C\x30\s*\x2c/Rsi"; content:"|22 6c|"; distance:0; pcre:"/^[^a-z]?\x65[^a-z]?\x6e[^a-z]?\x67[^a-z]?\x74[^a-z]?\x68/Ri"; classtype:exploit-kit; sid:2020207; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_19, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Screenshot"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|Screenshot|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028647; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Jan 21 2014"; flow:established,from_server; file_data; content:"|3d 20 20 20 20 20 20 20 20 20 20|"; fast_pattern; content:".replace|28|"; content:"<script>"; content:"|3d 20 20 20 20 20 20|"; distance:0; pcre:"/^\s*?[\x22\x27](?P<char>[^\x22\x27]+)[\x22\x27]\.replace\x28\s*?[\x22\x27](?P=char)[\x22\x27]\s*?,/R"; content:"|3d 20 20 20 20 20 20|"; distance:0; pcre:"/^\s*?[\x22\x27](?P<char>[^\x22\x27]+)[\x22\x27]\.replace\x28\s*?[\x22\x27](?P=char)[\x22\x27]\s*?,/R"; classtype:exploit-kit; sid:2020236; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_22, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemours/Proyecto RAT CnC Checkin"; flow:established,to_server; content:"0|7c|New|20|-|20|"; depth:8; fast_pattern; content:"|7c|"; distance:0; content:"|7c|Windows"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; reference:md5,50a9218c891453c00b498029315ac680; classtype:command-and-control; sid:2028648; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_30, deployment Perimeter, former_category MALWARE, malware_family Nemours, performance_impact Moderate, signature_severity Major, updated_at 2019_10_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KL-Remote / Cryp_Banker14 RAT connection"; flow:established,to_server; dsize:13; content:"|3c 7c|PRINCIPAL|7c 3e|"; fast_pattern; flowbits:set,ET.KLRemote; reference:md5,636edeba541483421e29b81b35f92841; reference:md5,c5763d0ef12dffa213d265596bd1acf9; reference:md5,5e01557b8650616e005a9949cbf5459a; classtype:trojan-activity; sid:2020315; rev:2; metadata:created_at 2015_01_27, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-03"; flow:established,to_client; tls.cert_subject; bsize:23; content:"CN=worldmasterclass.com"; fast_pattern; reference:md5,fe9caf2568d7bbf2bb0e20b8e7dc8971; reference:md5,c5a460fd87ffd50c114fffa684688d01; classtype:domain-c2; sid:2028653; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE KL-Remote / Cryp_Banker14 RAT response"; flow:established,from_server; dsize:6; content:"|3c 7c|OK|7c 3e|"; fast_pattern; flowbits:isset,ET.KLRemote; reference:md5,636edeba541483421e29b81b35f92841; reference:md5,c5763d0ef12dffa213d265596bd1acf9; reference:md5,5e01557b8650616e005a9949cbf5459a; classtype:trojan-activity; sid:2020316; rev:2; metadata:created_at 2015_01_27, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-07"; flow:established,to_client; tls.cert_subject; bsize:17; content:"CN=mailfueler.com"; fast_pattern; reference:md5,c189cdadd96c148e64912c55c5129d3e; classtype:domain-c2; sid:2028652; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SilverLight M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; content:"X-Powered-By|3a 20|"; http_header; content:"Server|3a 20|nginx"; http_header; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2020317; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_27, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-03"; flow:established,to_client; tls.cert_subject; bsize:17; content:"CN=corpcougar.com"; fast_pattern; reference:md5,73fad17f8054d01488c3ddd67e355bf1; reference:md5,a25591dbf57ac687e2a03f94dcccc35a; classtype:domain-c2; sid:2028654; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.PYO Possible net.tcp CnC Beacon (stat)"; flow:established,to_server; content:"net.tcp|3a|//"; offset:7; depth:10; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d+\/stat\x03\x08\x0c$/R"; content:"/stat|03 08 0c|"; fast_pattern; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:command-and-control; sid:2020336; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-02"; flow:established,to_client; tls.cert_subject; bsize:18; content:"CN=adityebirla.com"; fast_pattern; reference:md5,61b34d02bb09e5a547251a625ce81f9c; reference:md5,cab127c5b8582c1e3ea8860a239a060b; classtype:domain-c2; sid:2028655; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.PYO Possible net.tcp CnC Beacon (control)"; flow:established,to_server; content:"net.tcp|3a|//"; offset:7; depth:10; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d+\/control\x03\x08\x0c$/R"; content:"/control|03 08 0c|"; fast_pattern; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:command-and-control; sid:2020337; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-01"; flow:established,to_client; tls.cert_subject; bsize:63; content:"OU=Domain Control Validated, OU=PositiveSSL, CN=www.livdecor.pt"; fast_pattern; reference:md5,7baca517af0b93bd3f94910c7b8f10db; reference:md5,efb4951e11baf306f5680a041c214e5b; classtype:domain-c2; sid:2028656; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE f0xy Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?admin="; fast_pattern; content:"&id="; http_uri; content:"&nat="; http_uri; content:"&os="; http_uri; content:"&video="; http_uri; content:"&arch_type="; http_uri; content:"&v="; http_uri; content:"&av_list="; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+?\r\n(?:\r\n)?$/Hi"; reference:md5,160634d784c256d29563117554685c31; reference:url,community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx; classtype:command-and-control; sid:2020340; rev:6; metadata:created_at 2015_01_30, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-09-30"; flow:established,to_client; tls.cert_subject; bsize:12; content:"CN=flozzy.uk"; fast_pattern; reference:md5,6a333c3f54d7fb6efb276cf6e33315c0; reference:md5,ab578cff6c06157aadd5f324a3413973; classtype:domain-c2; sid:2028657; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Xnote Keep-Alive"; flow:established,to_server; dsize:17; content:"|11 00 00 00 01 00 00 00 78 9c 4b 05 00 00 66 00 66|"; fast_pattern; reference:url,deependresearch.org/2015/02/linuxbackdoorxnote1-indicators.html; classtype:trojan-activity; sid:2020389; rev:2; metadata:created_at 2015_02_11, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult Cnc Server) 2019-09-27"; flow:established,to_client; tls.cert_subject; bsize:18; content:"CN=evershinebd.net"; fast_pattern; reference:md5,c93a2d16dd0cf8dd3afa5ecba111e7c4; reference:md5,23aff33025681263adcdcb480d0e9a95; classtype:domain-c2; sid:2028658; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Android RCE via XSS and Play Store XFO"; flow:from_server,established; file_data; content:"|5c|u00"; byte_test:2,<,0x21,0,relative,string,hex; content:"javascript|3a|"; nocase; within:11; distance:2; content:"/store/apps/details?id="; nocase; fast_pattern; reference:url,1337day.com/exploit/22581; reference:cve,2014-6041; reference:url,github.com/rapid7/metasploit-framework/commit/7f2add2ce30f33e7787310d7abcb1781e8ea8f43; classtype:attempted-user; sid:2020393; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) in SNI 2019-09-27"; flow:established,to_server; tls.sni; bsize:11; content:"techxim.com"; reference:md5,5c4e395fc545b5e0c03f960a4145f4ea; classtype:domain-c2; sid:2028659; rev:2; metadata:attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 11 2015 Banner"; flow:established,to_server; content:"/banner.php?sid="; fast_pattern; http_uri; pcre:"/\/banner.php\?sid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2020408; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Easewe FTP OCX ActiveX Control EaseWeFtp.ocx Remote Code Execution Attempt"; flow:established,to_client; content:"31AE647D-11D1-4E6A-BE2D-90157640019A"; nocase; fast_pattern; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*31AE647D-11D1-4E6A-BE2D-90157640019A.+(Execute|Run|CreateLocalFile|CreateLocalFolder|DeleteLocalFile)/smi"; reference:bid,48393; classtype:attempted-user; sid:2013119; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_06_24, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 11 2015 Blog"; flow:established,to_server; content:"/blog.php?id="; fast_pattern; http_uri; pcre:"/\/blog.php\?id=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2020409; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt"; flow:established,to_client; content:"%41%41%41%41"; fast_pattern; classtype:shellcode-detect; sid:2013145; rev:3; metadata:created_at 2011_06_30, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Function Name"; flow:to_client,established; file_data; content:"function"; pcre:"/^(?:\x25(?:25)*?20|\s)*?runmumaa\W/Rs"; content:"runmumaa"; fast_pattern; reference:cve,2014-6332; classtype:attempted-user; sid:2019733; rev:6; metadata:created_at 2014_11_18, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u41%u41%u41%u41 UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u41%u41%u41%u41"; nocase; fast_pattern; classtype:shellcode-detect; sid:2013146; rev:3; metadata:created_at 2011_06_30, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; content:"/main.html"; http_uri; fast_pattern; pcre:"/\/main\.html$/U"; content:"/connector.html|0d 0a|"; http_header; classtype:exploit-kit; sid:2020570; rev:4; metadata:created_at 2015_02_25, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u4141%u4141 UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u4141%u4141"; nocase; fast_pattern; classtype:shellcode-detect; sid:2013147; rev:3; metadata:created_at 2011_06_30, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct M1 Feb 06 2015"; flow:established,to_server; content:".php?id="; http_uri; fast_pattern; content:"&rnd="; http_uri; pcre:"/\.php\?id=[0-9A-F]{44,54}&rnd=[0-9]{3,7}$/U"; classtype:exploit-kit; sid:2020643; rev:4; metadata:created_at 2015_03_07, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Util.printf Buffer Overflow Attempt"; flow:established,to_client; content:"util.printf|28 22 25|"; nocase; fast_pattern; pcre:"/util.printf\x28\x22\x25[^\x2C\x29]*f\x22\x2C/i"; reference:url,www.coresecurity.com/content/adobe-reader-buffer-overflow; reference:bid,30035; reference:cve,2008-2992; classtype:attempted-user; sid:2013152; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Checkin 1"; flow:to_server,established; content:"/rico.php"; fast_pattern; content:".asia|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\.asia\r\n/Hmi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:command-and-control; sid:2020654; rev:4; metadata:created_at 2015_03_09, former_category MALWARE, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Reader FlateDecode Stream Predictor Exploit Attempt"; flow:established,to_client; content:"Colors 1073741838"; fast_pattern; pcre:"/<<[^>]*\x2FPredictor[^>]*\x2FColors\x201073741838/smi"; reference:url,www.fortiguard.com/analysis/pdfanalysis.html; reference:bid,36600; reference:cve,2009-3459; classtype:attempted-user; sid:2013153; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Checkin 2"; flow:to_server,established; content:"/rico.php"; fast_pattern; content:".ru|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\.ru\r\n/Hmi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:command-and-control; sid:2020655; rev:4; metadata:created_at 2015_03_09, former_category MALWARE, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C 5C|x41|5C 5C|x41|5C 5C|x41|5C 5C|x41"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013279; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing URI Struct March 6 2015"; flow:established,to_server; urilen:>40; content:"GET"; http_method; content:"/tdstest/"; http_uri; fast_pattern; pcre:"/^\/tdstest\/[a-f0-9]{32,}\/?$/U"; classtype:exploit-kit; sid:2020626; rev:4; metadata:created_at 2015_03_06, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C 5C|x90|5C 5C|x90|5C 5C|x90|5C 5C|x90"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013278; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 10"; flow:established; content:"Sleepy!@#qaz13402scvsde890"; fast_pattern; content:"BC435@PRO62384923412!@3!"; nocase; content:!"content|3a 22|BC435@PRO62384923412!@3!|22 3b|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020016; rev:3; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013277; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Cryptolocker .onion Proxy Domain in SNI"; flow:established,to_server; content:"erhitnwfvpgajfbu."; fast_pattern; nocase; reference:url,www.welivesecurity.com/2014/09/04/torrentlocker-now-targets-uk-royal-mail-phishing/; classtype:trojan-activity; sid:2019124; rev:3; metadata:created_at 2014_09_05, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013276; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Server Response"; flow:established,from_server; content:"|0d 0a 0d 0a|ok"; fast_pattern; file_data; content:"ok"; within:2; byte_test:1,<,0x1b,0,relative; content:"|00|"; distance:1; within:1; flowbits:isset,ET.Vawtrak; classtype:trojan-activity; sid:2019499; rev:5; metadata:created_at 2014_10_24, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; content:"|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013275; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Chroject.B Receiving ClickFraud Commands from CnC 2"; flow:from_server,established; file_data; content:"<html><title>"; within:13; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/title><\/html>$/R"; content:"</title></html>"; fast_pattern; flowbits:isset,ET.Chroject; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:command-and-control; sid:2020749; rev:5; metadata:created_at 2015_03_26, former_category MALWARE, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; content:"|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013274; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT VBScript Driveby MAR 31 2015"; flow:established,to_server; content:"/content/dl.php?sl=vbs"; http_uri; fast_pattern; pcre:"/\/content\/dl\.php\?sl=vbs[a-z0-9]{32}$/U"; classtype:exploit-kit; sid:2020823; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_01, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C|x90|5C|x90|5C|x90|5C|x90"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013271; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT VBScript Driveby Related TDS MAR 31 2015"; flow:established,to_server; content:"/content/getvbslink.php?d="; http_uri; fast_pattern; pcre:"/\/content\/getvbslink\.php\?d=[a-z0-9]{32}$/U"; classtype:exploit-kit; sid:2020824; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_01, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C|x0d|5C|x0d|5C|x0d|5C|x0d"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013270; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; http_header; content:"Server|3a 20|nginx"; http_header; pcre:"/Content-Disposition\x3a\x20inline\x3b\x20filename=(?:[a-z0-9]{4})?\r\n/H"; file_data; content:"CWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2020312; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_26, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C|x0c|5C|x0c|5C|x0c|5C|x0c"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013269; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK SilverLight Exploit"; flow:established,from_server; flowbits:isset,et.Nuclear.Exploit; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/^[a-z0-9]*\r\n/HR"; file_data; content:"AppManifest.xaml"; fast_pattern; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2019917; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_11, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Sality Executable Pack Digital Signature ASCII Marker"; flow:established,from_server; content:"e#o203kjl,!"; fast_pattern; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf; classtype:trojan-activity; sid:2013381; rev:3; metadata:created_at 2011_08_09, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 03 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"eval|3b|"; fast_pattern; content:"replace"; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:exploit-kit; sid:2020841; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fakealert.Rena CnC Checkin 2"; flow:established,to_server; content:"/images/img.php?id="; content:"HTTP/1.1|0d 0a|User-Agent"; fast_pattern; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; reference:url,www.malware-control.com/statics-pages/24b9c5f59a4706689d4f9bb5f510ec35.php; classtype:command-and-control; sid:2013382; rev:4; metadata:created_at 2011_08_09, former_category MALWARE, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 03 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"return eval"; fast_pattern; content:"replace"; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:exploit-kit; sid:2020842; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC Potential bot update/download via ftp command"; flowbits:isset,is_proto_irc; flow:established,to_client; content:"ftp|3a|//"; fast_pattern; pcre:"/\.(upda|getfile|dl\dx|dl|download|execute)\w*\s+ftp\x3a\x2f\x2f/i"; reference:url,doc.emergingthreats.net/2011162; classtype:trojan-activity; sid:2011162; rev:6; metadata:created_at 2010_07_30, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Chrome Cookie Data Theft April 06 2015"; flow:established,to_server; content:".php?type=cookie&site="; fast_pattern; http_uri; reference:url,ocelot.li/the-malware-campaign-that-went-unnoticed/; classtype:trojan-activity; sid:2020848; rev:3; metadata:created_at 2015_04_07, updated_at 2019_10_08;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP iss scan"; flow:to_server,established; content:"pass -iss@iss"; fast_pattern; reference:arachnids,331; classtype:suspicious-login; sid:2100354; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B1 Checkin x86"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 32|"; fast_pattern; reference:md5,bd69714997e839618a7db82484819552; classtype:command-and-control; sid:2020849; rev:3; metadata:created_at 2015_04_08, former_category MALWARE, updated_at 2019_10_08;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; nocase; fast_pattern; reference:arachnids,324; classtype:suspicious-login; sid:2100355; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B1 Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 86|"; fast_pattern; reference:md5,bd69714997e839618a7db82484819552; classtype:command-and-control; sid:2020850; rev:2; metadata:created_at 2015_04_08, former_category MALWARE, updated_at 2019_10_08;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; fast_pattern; classtype:suspicious-login; sid:2100357; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B2 Checkin no architecture"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 84|"; fast_pattern; reference:md5,b4ce43e1c9e74c549e2bae8cd77d5af1; classtype:command-and-control; sid:2020851; rev:2; metadata:created_at 2015_04_08, former_category MALWARE, updated_at 2019_10_08;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP saint scan"; flow:to_server,established; content:"pass -saint"; fast_pattern; reference:arachnids,330; classtype:suspicious-login; sid:2100358; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B1 Sending Processes"; content:"Sy|5c|"; content:"wininit|5c|"; distance:0; content:"winlogon|5c|"; fast_pattern; reference:md5,bd69714997e839618a7db82484819552; classtype:trojan-activity; sid:2020852; rev:2; metadata:created_at 2015_04_08, updated_at 2019_10_08;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP satan scan"; flow:to_server,established; content:"pass -satan"; fast_pattern; reference:arachnids,329; classtype:suspicious-login; sid:2100359; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Secondary Landing Apr 20 2015"; flow:established,from_server; file_data; content:"2147023083"; content:"BlackList"; nocase; content:"lenBadFiles"; nocase; fast_pattern; content:"ProgFilePath"; nocase; content:"lenProgFiles"; nocase; classtype:exploit-kit; sid:2020985; rev:3; metadata:created_at 2015_04_24, updated_at 2019_10_08;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP tar parameters"; flow:to_server,established; content:" --use-compress-program "; nocase; fast_pattern; reference:arachnids,134; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:2100362; rev:15; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK URI Struct T1 Apr 24 2015"; flow:established,to_server; content:"/street"; http_uri; fast_pattern; pcre:"/\/street[1-5]\.php$/U"; classtype:exploit-kit; sid:2020988; rev:3; metadata:created_at 2015_04_24, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET 1024: -> any 6783 (msg:"ET POLICY Splashtop Remote Control Checkin"; flow:established,to_server; dsize:12; content:"|00 01 00 08 00 00 00 00 00 02 01 00|"; fast_pattern; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014127; rev:2; metadata:created_at 2012_01_16, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK Payload Struct T1 Apr 24 2015"; flow:established,to_server; content:".exe"; http_uri; content:"/XV-"; fast_pattern; pcre:"/\/XV-\d+\.exe$/U"; classtype:exploit-kit; sid:2020989; rev:3; metadata:created_at 2015_04_24, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET 1024: -> any 6784 (msg:"ET POLICY Splashtop Remote Control Session Start Request"; flow:established,to_server; dsize:4; content:"|01 00 34 12|"; fast_pattern; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014128; rev:2; metadata:created_at 2012_01_16, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK Payload Struct T2 M2 Apr 24 2015"; flow:established,to_server; content:"/BrowserUpdate.lnk"; http_uri; fast_pattern; classtype:exploit-kit; sid:2020992; rev:3; metadata:created_at 2015_04_24, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET 1024: -> any 6784 (msg:"ET POLICY Splashtop Remote Control Session Keepalive"; flow:established,to_server; dsize:4; content:"|00 00 34 12|"; fast_pattern; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014129; rev:2; metadata:created_at 2012_01_16, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sundown EK Flash Exploit Apr 20 2015"; flow:established,to_server; content:"/bad/"; http_uri; fast_pattern; pcre:"/\/bad\/[A-Z0-9]+\.swf$/U"; classtype:exploit-kit; sid:2020951; rev:4; metadata:created_at 2015_04_21, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102599; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK SilverLight Exploit April 30 2015"; flow:established,from_server; file_data; content:"AppManifest.xaml"; fast_pattern; flowbits:isset,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021045; rev:3; metadata:created_at 2015_05_01, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Dadong Exploit Kit Downloaded"; flow:established,from_server; flowbits:set,et.exploitkitlanding; content:"indexOf(|22|dadong=|22|)=="; fast_pattern; reference:url,www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/; classtype:exploit-kit; sid:2025037; rev:3; metadata:created_at 2012_03_01, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Exploit Struct April 30 2015"; flow:established,to_server; content:"GET"; http_method; pcre:"/\/\d\/[A-Z]+\/[a-f0-9]{32}\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?$/U"; content:"/%20http%3A"; http_header; fast_pattern; flowbits:set,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021042; rev:6; metadata:created_at 2015_05_01, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hostile Microsoft Rich Text File (RTF) with corrupted listoverride"; flow:from_server,established; flowbits:set,ETPRO.RTF; content:"|7b 5c 2a 5c|listoverridetable"; content:"|5c|listoverride|5c|"; fast_pattern; pcre:"/\x5clistoverride\x5c((?!\x5cls\d{1,4}\s*\}).)+?\x5clistoverride\x5c/s"; reference:cve,2012-0183; classtype:attempted-user; sid:2025085; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_05_08, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK IE Exploit Apr 23 2015"; flow:established,from_server; file_data; content:"<title>some"; fast_pattern; content:"<style>"; content:"|5c 3a|*{display|3a|inline-block|3b|behavior|3a|url(#default#VML)|3b|}</style>"; distance:3; within:65; classtype:exploit-kit; sid:2020980; rev:4; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP private access udp"; content:"private"; fast_pattern; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101413; rev:12; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing Apr 23 2015"; flow:established,from_server; file_data; content:"=window|3b|"; fast_pattern; content:"String.fromCharCode"; content:"|28 2f|Win64|3b 2f|i,"; nocase; content:"function"; pcre:"/^\s*?[^\x28\s]*?\x28\s*?(?P<a1>[^\s,\x29]+)\s*?,\s*?(?P<a2>[^\s,\x29]+)\s*?\x29\{[^\r\n]*?[\+=]String.fromCharCode\((?P=a2)\)[^\r\n]*?\}/Rs"; classtype:exploit-kit; sid:2020979; rev:4; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access udp"; content:"public"; fast_pattern; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101411; rev:13; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Java Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".jar"; http_header; fast_pattern; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.jar\r\n/Hm"; file_data; content:"PK"; within:2; classtype:exploit-kit; sid:2020983; rev:4; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; fast_pattern; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:2101427; rev:6; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1710/CVE-2012-3993 Firefox Exploit Attempt"; flow:established,to_client; file_data; content:"generateCRMFRequest"; nocase; fast_pattern; content:"InstallTrigger"; nocase; content:"__exposedProps__"; nocase; content:"__defineGetter__"; nocase; content:"getInstallForURL"; nocase; content:".install|28|"; nocase; content:"x-xpinstall"; nocase; reference:cve,CVE-2013-1710; reference:cve,CVE-2012-3993; classtype:attempted-user; sid:2021078; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_05_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP SNMP NT UserList"; content:"+|06 10|@|14 D1 02 19|"; fast_pattern; reference:nessus,10546; classtype:attempted-recon; sid:2100516; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VaultCrypt Uploading Files"; flow:to_server,established; content:"POST"; http_method; urilen:6; content:"/v.php"; http_uri; fast_pattern; content:"|0d 0a|UA-CPU|3a 20|"; http_header; content:"Content-Type|3a 20|application/upload|0d 0a|"; content:"boundary=---------------------------0123456789012"; http_header; content:"name=|22|pf|22 3b|"; http_client_body; reference:url,www.bleepingcomputer.com/forums/t/570390/vaultcrypt-uses-batch-files-and-open-source-gnupg-to-hold-your-files-hostage; classtype:trojan-activity; sid:2020707; rev:4; metadata:created_at 2015_03_18, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL EXPLOIT rsh froot"; flow:to_server,established; content:"-froot|00|"; fast_pattern; reference:arachnids,387; classtype:attempted-admin; sid:2100604; rev:7; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET HUNTING Suspicious X-mailer Synapse Inbound to SMTP Server"; flow:established,to_server; content:"produced by Synapse"; fast_pattern; content:"X|2d|mailer|3a 20|Synapse|20 2d 20|Pascal TCP|2f|IP library by Lukas Gebauer"; reference:url,www.joewein.net/spam/spam-joejob.htm; classtype:trojan-activity; sid:2021135; rev:2; metadata:created_at 2015_05_21, former_category MALWARE, updated_at 2019_10_08;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; fast_pattern; nocase; pcre:"/^MDTM \d+[-+]\D/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2102416; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Landing May 21 2015 M1"; flow:from_server,established; file_data; content:"|3c 21 2d 2d 20 53 45 45 44 3a|"; nocase; fast_pattern; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; classtype:exploit-kit; sid:2021136; rev:3; metadata:created_at 2015_05_22, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Yszz JS/Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"|2f 2a|Yszz 0.7 vip|2a 2f|"; fast_pattern; nocase; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2015573; rev:3; metadata:created_at 2012_08_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Moose NAT Traversal CnC Beacon set"; flow:established,to_server; dsize:4; content:"|18 00 00 00|"; fast_pattern; flowbits:set,ET.Linux.Moose; flowbits:noalert; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021150; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Unknown TDS /rem2.html"; flow:established,to_server; urilen:10; content:"/rem2.html"; http_uri; fast_pattern; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:exploit-kit; sid:2015479; rev:4; metadata:created_at 2012_07_17, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; content:"/main.html"; http_uri; fast_pattern; pcre:"/\/main\.html$/U"; content:"/index.html"; http_header; pcre:"/\b[a-z]{2}\d+\s*?=\s*?Yes/C"; classtype:exploit-kit; sid:2020392; rev:6; metadata:created_at 2015_02_11, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SPL - Java Exploit Requested .jar Naming Pattern"; flow:established,to_server; content:"-a."; http_uri; content:".jar"; http_uri; fast_pattern; content:" Java/"; http_header; pcre:"/\/[a-z]{4,20}-a\.[a-z]{4,20}\.jar$/U"; classtype:exploit-kit; sid:2015604; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Jun 09 2015"; flow:established,to_server; content:"/main.html"; http_uri; nocase; fast_pattern; content:"/index.html"; http_header; nocase; content:"cck_lasttime"; http_cookie; nocase; classtype:exploit-kit; sid:2021219; rev:5; metadata:created_at 2015_06_09, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO WinUpack Modified PE Header Inbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003614; rev:6; metadata:created_at 2010_07_30, updated_at 2019_10_08;)
+alert tcp any any -> $HOME_NET 443 (msg:"ET MALWARE Possible Duqu 2.0 Accessing backdoor over 443"; flow:to_server,established; content:"romanian.antihacker"; fast_pattern; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021242; rev:2; metadata:created_at 2015_06_10, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO WinUpack Modified PE Header Outbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003615; rev:7; metadata:created_at 2010_07_30, updated_at 2019_10_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Torrentlocker C2 Domain in SNI"; flow:established,to_server; content:"|00 00 0d|krusperon.net"; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/3ebc6999da89eaf44d94195b588cb869d894ca754a248b074893d11f6dd19188?environmentId=4; reference:md5,2c339dbb40b3b19ee275e4c7c1c17a18; classtype:command-and-control; sid:2021254; rev:3; metadata:created_at 2015_06_11, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura exploit kit exploit download request /view.php"; flow:established,to_server; content:"/view.php?i="; http_uri; fast_pattern; pcre:"/\/view.php\?i=\d&key=[0-9a-f]{32}$/U"; classtype:exploit-kit; sid:2015678; rev:3; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"base64decode"; nocase; content:"xxtea_decrypt"; nocase; fast_pattern; content:"long2str"; nocase; content:"str2long"; nocase; classtype:exploit-kit; sid:2021218; rev:4; metadata:created_at 2015_06_09, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY NeoSploit - Java Exploit Requested"; flow:established,to_server; urilen:>89; content:".jar"; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.jar$/U"; classtype:exploit-kit; sid:2015689; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_09_11, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing URI Struct April 29 2015 M1"; flow:established,to_server; content:"GET"; http_method; content:"/|20|http|3a|/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/\x20http\x3a\x2f/U"; classtype:exploit-kit; sid:2021033; rev:4; metadata:created_at 2015_04_30, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:exploit-kit; sid:2015690; rev:3; metadata:created_at 2012_09_11, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Java Exploit URI Struct April 29 2015"; flow:established,to_server; content:"Java/"; http_user_agent; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?(?:\.[a-z]+)?$/U"; classtype:exploit-kit; sid:2021035; rev:4; metadata:created_at 2015_04_30, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT  NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; fast_pattern; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:exploit-kit; sid:2015691; rev:3; metadata:created_at 2012_09_11, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Payload April 29 2015"; flow:established,to_server; content:"/5/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/5\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?$/U"; content:"Referer|3a 20|"; http_header; pcre:"/^[^\r\n]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r?/RH"; classtype:exploit-kit; sid:2021037; rev:4; metadata:created_at 2015_04_30, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; fast_pattern; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:exploit-kit; sid:2015694; rev:3; metadata:created_at 2012_09_11, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing URI Struct June 19 2015 M3"; flow:established,to_server; content:"GET"; http_method; content:"/|3a|http|3a|/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/\x3ahttp\x3a\x2f/U"; classtype:exploit-kit; sid:2021305; rev:3; metadata:created_at 2015_06_19, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SHELLCODE MSSQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; fast_pattern; classtype:shellcode-detect; sid:2100691; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Payload June 19 2015"; flow:established,to_server; content:"/4/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/4\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?$/U"; content:"Referer|3a 20|"; http_header; pcre:"/^Referer\x3a[^\r\n]+\/4\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r?$/Hm"; classtype:exploit-kit; sid:2021308; rev:3; metadata:created_at 2015_06_19, updated_at 2019_10_08;)
 
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Telnet Root not on console"; flow:from_server,established; content:"not on system console"; fast_pattern; nocase; reference:arachnids,365; classtype:bad-unknown; sid:2100717; rev:10; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing June 19 2015"; flow:established,from_server; file_data; content:"ScriptEngineMajorVersion"; nocase; content:"ScriptEngineMinorVersion"; nocase; content:"ScriptEngineBuildVersion"; nocase; content:"javafx_version"; nocase; content:"ip"; pcre:"/^\s*?=\s*?[\x22\x27]8\.8\.8\.8[\x22\x27]/Rsi"; content:"8.8.8.8"; fast_pattern; classtype:exploit-kit; sid:2021310; rev:4; metadata:created_at 2015_06_19, updated_at 2019_10_08;)
 
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET root login"; flow:from_server,established; content:"login|3a 20|root"; fast_pattern; classtype:suspicious-login; sid:2100719; rev:9; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Landing May 21 2015 M2"; flow:from_server,established; file_data; content:"|5e 23 7e 40|"; nocase; fast_pattern; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2021137; rev:4; metadata:created_at 2015_05_22, updated_at 2019_10_08;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; fast_pattern; classtype:shellcode-detect; sid:2101424; rev:9; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude CVE-2015-3113 Jun 29 2015 M1"; flow:established,to_server; urilen:10; content:"/video.flv"; nocase; http_uri; fast_pattern; pcre:"/Referer\x3a\x20http\x3a\x2f+?(?:[\x2eg-z]*[a-f0-9][\x2eg-z]*){32}\.[^\x2f\r\n]*?\x2f+\[\[DYNAMIC\]\]\x2f\d*?\r\n?/H"; pcre:"/Host\x3a\x20(?:[\x2eg-z]*[a-f0-9][\x2eg-z]*){32}\./H"; classtype:exploit-kit; sid:2021364; rev:3; metadata:created_at 2015_06_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL ctx_output.start_log buffer overflow attempt"; flow:to_server,established; content:"ctx_output.start_log"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102678; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NullHole EK Landing URI struct"; flow:established,to_server; content:"/e.html"; http_uri; fast_pattern; pcre:"/\/e\.html$/U"; content:"nhweb="; http_cookie; classtype:exploit-kit; sid:2021373; rev:3; metadata:created_at 2015_07_02, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL alter file buffer overflow attempt"; flow:to_server,established; content:"alter"; nocase; fast_pattern; pcre:"/ALTER\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2102697; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 08"; flow:established,from_server; file_data; content:"></script><!--|2f|"; fast_pattern; content:"<!--"; pcre:"/^(?P<var>[a-f0-9]{6})-->\s*?<script\s*?type=[\x22\x27]text\/javascript[\x22\x27]\s*?src=[\x22\x27]http\x3a\x2f[^\x22\x27]*?\/[a-z\d]{8}\.php\?id=\d+[\x22\x27]\s*?><\/script><!--\/(?P=var)-->/Rs"; classtype:exploit-kit; sid:2021394; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_09, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_flavor_change"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102708; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Targeted Attack from APT Actor Delivering HT SWF Exploit RIP"; flow:established,from_server; file_data; content:"|67 5f 6f 3d 69 65 56 65 72 73 69 6f 6e 28 29 3b|"; nocase; fast_pattern; content:"|67 65 74 42 69 74 73 28 29 3b|"; nocase; content:"var "; pcre:"/^\s*?(?P<var>[^=\s\x3b]+)\s*?=\s*?getBits\(\s*?\)\x3b.+?flashvars\s*?=\s*?\x5c\x22(?P=var)\s*?=\s*?\x22\s*?\+\s*?(?P=var)\s*?\+\s*?\x22\x5c\x22/Rsi"; classtype:targeted-activity; sid:2021405; rev:5; metadata:created_at 2015_07_13, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102709; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IE MSMXL Detection of Local DLL (Likely Malicious)"; flow:established,from_server; file_data; content:"res|3a|"; nocase; content:"loadXML"; nocase; content:"parseError"; nocase; content:"errorCode"; nocase; content:"-2147023083"; fast_pattern; content:".dll"; classtype:trojan-activity; sid:2021429; rev:3; metadata:created_at 2015_07_16, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102652; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 17"; flow:to_server,established; content:"fare="; http_uri; nocase; content:".asp?"; http_uri; nocase; content:".pw|0d 0a|"; http_header; nocase; fast_pattern; pcre:"/[&?]fare=/Ui"; pcre:"/[&?]c=/Ui"; pcre:"/[&?]t=[a-f0-9]{32}(?:&|$)/Ui"; classtype:exploit-kit; sid:2021435; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_flavor_change"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102711; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NullHole URI Struct Jul 22 2015 M3"; flow:established,from_server; content:"302"; http_stat_code; content:"/e.html"; http_header; fast_pattern; pcre:"/^Location\x3a\x20[a-f0-9]{32}\/e\.html\r$/Hm"; content:"Set-Cookie|3a|"; classtype:trojan-activity; sid:2021508; rev:3; metadata:created_at 2015_07_22, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102712; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK URI Struct April 29 2015"; flow:established,to_server; content:"/5/"; http_uri; fast_pattern; pcre:"/\/5\/[A-Z]{3,}\/[a-f0-9]{32}(?:\.[^\x2f]+|\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?|\/\d+\/?)?$/U"; classtype:exploit-kit; sid:2021036; rev:5; metadata:created_at 2015_04_30, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102713; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT ScanBox Jun 06 2015 M1 T1"; flow:established,from_server; file_data; content:"_=window|3b|"; nocase; fast_pattern; content:"var "; nocase; pcre:"/^\s*?[$_]+w[$_]+i[$_]+=window\x3b/Rsi"; content:"function "; pcre:"/^\s*?[_$]+\x28\x29/Rsi"; classtype:exploit-kit; sid:2021542; rev:3; metadata:created_at 2015_07_28, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.resume_subset_of_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.resume_subset_of_masters"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102714; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT ScanBox Jun 06 2015 M2 T1"; flow:established,from_server; file_data; content:"$=window|3b|"; nocase; fast_pattern; content:"var "; nocase; pcre:"/^\s*?[$_]+w[$_]+i[$_]+=window\x3b/Rsi"; content:"function "; pcre:"/^\s*?[_$]+\x28\x29/Rsi"; classtype:exploit-kit; sid:2021543; rev:3; metadata:created_at 2015_07_28, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.begin_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102715; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 8"; flow:to_server,established; content:"GET"; http_method; content:"/viewphoto.asp?photoid="; http_uri; fast_pattern; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:command-and-control; sid:2021571; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102635; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DarkHotel Landing M2"; flow:established,to_client; file_data; content:"HTA|3a|APPLICATION"; nocase; fast_pattern; content:"|22|&#x"; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:targeted-activity; sid:2021611; rev:4; metadata:created_at 2015_08_11, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.differences"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){10}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102717; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DarkHotel Landing M3"; flow:established,to_client; file_data; content:"HTA|3a|APPLICATION"; nocase; fast_pattern; content:"|27|&#x"; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:targeted-activity; sid:2021612; rev:3; metadata:created_at 2015_08_11, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.rectify"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){8}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102718; rev:3; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Exploit URI Struct Aug 12"; flow:to_server,established; urilen:>100; content:!"|20|"; http_uri; content:!"+"; http_uri; content:!"_"; http_uri; content:!"-"; http_uri; content:"search?q="; http_header; fast_pattern; pcre:"/\/(?:[^?]+\?)(?=[A-Z&=\d]*?[a-z])(?=[a-zA-Z\d&=]*?[A-Za-z=&]\d[A-Za-z])(?=[a-zA-Z\d&=]*?[a-z\d][A-Z][A-Za-z\d])[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+[&=A-Za-z0-9]*?$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?!www\.)(?P<refhost>[^\x3a\x2f\r\n]+)[^\r\n]*?\/search\?q=(?=[A-Z&=\d]*?[a-z])(?=[a-zA-Z\d&=]*?[A-Za-z=&]\d[A-Za-z])(?=[a-zA-Z\d&=]*?[a-z\d][A-Z][A-Za-z\d])[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+[&=A-Za-z0-9]*?\r\n.*?Host\x3a\x20(?P=refhost)/Hsi"; pcre:!"/^Host\x3a\x20(?:[^\r\n]+\.)?(?:ya(?:ndex|hoo)|google|bing)\.(?:com?)?(?:\.[a-z]{2})?(:?\x3a\d{1,5})?\r$/Hmi"; content:!"Cookie|3a 20|"; flowbits:set,NuclearEK; classtype:exploit-kit; sid:2021620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_08_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.abort_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102719; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Secondary Landing Aug 17 2015"; flow:established,from_server; file_data; content:"fromCharCode"; nocase; content:"charCodeAt"; nocase; content:"fontFamily"; nocase; content:"style"; nocase; content:"language"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]vb[\x22\x27]/Rsi"; content:"^"; pcre:"/^\s*?\w+\s*?\.\s*?charCodeAt/Rsi"; content:"decodeURIComponent"; nocase; fast_pattern; classtype:exploit-kit; sid:2021637; rev:3; metadata:created_at 2015_08_17, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_column_group_to_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102720; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Magnitude EK Landing URI Struct Aug 21 2015"; flow:established,to_server; urilen:33<>67; content:"/?"; http_uri; depth:2; content:".pw|0d 0a|"; http_header; fast_pattern; pcre:"/^\/\?[a-f0-9]{32,64}$/U"; classtype:exploit-kit; sid:2021698; rev:3; metadata:created_at 2015_08_21, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102721; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Landing Aug 21 2015"; flow:established,from_server; file_data; content:"/x-silverlight-2"; nocase; fast_pattern; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][a-z]+\.xap[\x22\x27]/Rs"; content:"/x-shockwave-flash"; nocase; content:!".swf"; nocase; content:"<div"; pcre:"/^[^>]*?id\s*?=[\x22\x27][a-z0-9]+[\x22\x27][^>]*?>\s*?[\x2a\d]{100}/R"; classtype:exploit-kit; sid:2021699; rev:3; metadata:created_at 2015_08_21, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_delete_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102674; rev:3; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude Flash Exploit (IE) M2"; flow:established,to_server; urilen:<70; content:!".swf"; nocase; http_uri; content:"x-flash-version"; http_header; fast_pattern; pcre:"/^\/(?:\??[a-f0-9]{32,64}\/?)?$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<dl1>[^\x2e\r\n]+)\x2e[^\x2f\r\n]*?(?P<dl2>\x2e[^\x2e\r\n\x2f]+\x2e[^\x2e\x2f\r\n]+)\x2f(?:\??[a-f0-9]{32,64}\/?)?\r\n.*?Host\x3a\x20(?!(?P=dl1))[^\r\n]*?(?P=dl2)\r\n/Hsm"; classtype:exploit-kit; sid:2020895; rev:7; metadata:created_at 2015_04_11, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_object_to_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102722; rev:3; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - Shell"; flow:established,from_server; file_data; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; content:"/system/bin/sh"; fast_pattern; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021757; rev:3; metadata:created_at 2015_09_10, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102723; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Spartan EK Secondary Flash Exploit DL M2"; flow:established,to_server; urilen:>13; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; content:".xml"; http_uri; offset:11; pcre:"/^\/[A-Z](?=[a-z0-9]*?[A-Z][a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z][A-Z0-9]*?[a-z])[A-Za-z0-9]{9,}\.xml$/U"; content:"x-flash-version|3a|"; http_header; fast_pattern; content:".swf"; http_header; nocase; pcre:"/Referer\x3a\x20[^\r\n]*?\/[a-f0-9]{32,64}\.swf/H"; classtype:exploit-kit; sid:2021764; rev:3; metadata:created_at 2015_09_14, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_date"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102724; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct Sept 15 2015"; flow:established,to_server; urilen:>46; content:".php?id="; http_uri; fast_pattern; content:"&rnd="; http_uri; pcre:"/\.php\?id=[0-9A-F]{32,}&rnd=\d+$/U"; content:!"Referer|3a|"; http_header; classtype:exploit-kit; sid:2021787; rev:3; metadata:created_at 2015_09_16, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102725; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Possible Passthru/Kshell Port Redirection Initiation"; flow:to_server,established; dsize:11; content:"chkroot2007"; fast_pattern; reference:md5,f7146691adea573548fa040fb182f4fe; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021796; rev:2; metadata:created_at 2015_09_17, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102727; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CosmicDuke Exfiltrating Data via FTP STOR"; flow:established,to_server; dsize:55<>65; content:"STOR|20|"; depth:5; pcre:"/^[a-z0-9]{1,10}[A-F0-9]+\.bin\r\n$/R"; content:".bin|0d 0a|"; fast_pattern; reference:md5,5080bc705217c614b9cbf67a679979a8; classtype:targeted-activity; sid:2023910; rev:5; metadata:created_at 2015_07_17, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102728; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sept 25 2015"; flow:to_client,established; content:"<div style="; pcre:"/^(?:(?!<\/div).)+?top\x3a\s*?\x2d[0-9]+px\x3b.+left\x3a\s*?\x2d[0-9]+px\x3b.+<iframe\x20.+?stack=\d+/Rsi"; content:"absolute|3b|"; content:"<iframe src="; distance:0; content:" stack="; fast_pattern; classtype:exploit-kit; sid:2021841; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_25, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102729; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M5 1 Oct 05 2015"; flow:established,from_server; file_data; content:"str2long"; fast_pattern; content:"long2str"; content:"0xffffffff"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)str2long(?P=sep)).+?(?P=sep)long2str(?P=sep)/Rs"; classtype:exploit-kit; sid:2021905; rev:3; metadata:created_at 2015_10_06, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102730; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M5 2 Oct 05 2015"; flow:established,from_server; file_data; content:"str2long"; fast_pattern; content:"0xffffffff"; content:"long2str"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)0xffffffff(?P=sep)).+?(?P=sep)str2long(?P=sep)/Rs"; classtype:exploit-kit; sid:2021906; rev:3; metadata:created_at 2015_10_06, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_unique_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102731; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M5 3 Oct 05 2015"; flow:established,from_server; file_data; content:"long2str"; fast_pattern; content:"0xffffffff"; content:"str2long"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)0xffffffff(?P=sep)).+?(?P=sep)long2str(?P=sep)/Rs"; classtype:exploit-kit; sid:2021907; rev:3; metadata:created_at 2015_10_06, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_update_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102732; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (STOP)"; flow:established,from_server; content:"PRIVMSG"; content:"{STOP} Stop command ->"; fast_pattern; nocase; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021879; rev:4; metadata:created_at 2015_10_01, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_propagation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102733; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Landing Oct 08 2015"; flow:established,from_server; file_data; content:"/x-silverlight-2"; nocase; fast_pattern; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][a-z\d]+\.xap[\x22\x27]/Rs"; content:"/x-shockwave-flash"; nocase; content:!".swf"; nocase; content:"<param"; nocase; pcre:"/^(?=[^>]*?\sname\s*?\x3d\s*?[\x22\x27]?movie[\x22\x27]?)[^>]*?\svalue\s*?\x3d\s*?[\x22\x27][^\x22\x27]+\/(?:\??[a-f0-9]+)?[\x22\x27]/Ri"; classtype:exploit-kit; sid:2021939; rev:6; metadata:created_at 2015_10_09, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102619; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible click2play bypass Oct 19 2015 as observed in PawnStorm"; flow:established,from_server; file_data; content:"javax.naming.InitialContext"; fast_pattern; content:"progress-class"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]javax.naming.InitialContext/Rsi"; content:"</jnlp>"; nocase; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:targeted-activity; sid:2021985; rev:4; metadata:created_at 2015_10_21, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102734; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Reversed Pastebin Injection in Magento DB"; flow:established,from_server; file_data; content:"<script"; content:"=i?php.war/moc.nibetsap"; fast_pattern; content:".reverse("; reference:url,labs.sucuri.net/?note=2015-11-02; classtype:web-application-attack; sid:2022014; rev:3; metadata:created_at 2015_11_02, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102741; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt"; flow:established,to_server; content:" HTTP/1."; pcre:"/^[^\r\n]*?HTTP\/1(?:(?!\r?\n\r?\n)[\x20-\x7e\s]){1,500}\n[\x20-\x7e]{1,100}\x3a[\x20-\x7e]{0,500}\x28\x29\x20\x7b/s"; content:"|28 29 20 7b|"; fast_pattern; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2022028; rev:2; metadata:created_at 2015_11_04, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102735; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leadking to EK Nov 2015"; flow:to_server,established; content:".pw|0d 0a|"; nocase; http_header; fast_pattern; content:"/?id="; http_uri; nocase; content:"&keyword="; nocase; http_uri; pcre:"/^Host\x3a[^\r\n]*?\.pw\r$/Hmi"; classtype:exploit-kit; sid:2022040; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_date"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102736; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE KilerRAT CnC - Remote Shell"; flow:from_server,established; content:"rs|7c 4b 69 6c 65 72 7c|"; fast_pattern; pcre:"/\x7c(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})$/"; reference:md5,51409b4216065c530a94cd7a5687c0d6; reference:url,alienvault.com/open-threat-exchange/blog/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off; classtype:command-and-control; sid:2022068; rev:3; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nchar"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102737; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B2 Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 BA|"; fast_pattern; reference:md5,b4ce43e1c9e74c549e2bae8cd77d5af1; classtype:command-and-control; sid:2022072; rev:2; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_number"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102738; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO form-data flowbit set (noalert)"; flow:to_server,established; dsize:>0; content:"Content-Type|3a 20|multipart|2f|form-data"; fast_pattern; flowbits:set,ET.formdata; flowbits:noalert; classtype:not-suspicious; sid:2022080; rev:2; metadata:created_at 2015_11_12, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nvarchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102739; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Nuclear EK Nov 13 2015 Landing URI struct"; flow:established,to_server; urilen:>25; content:"_id="; http_uri; fast_pattern; pcre:"/^\/(?:[a-z0-9]+\/)?[^\x2f]+\?[a-z]{1,40}_id=\d{2,5}(?:&[a-z]{1,40}_id=\d{2,5})?&[^&\x3d]+=(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{15,}\x2e{0,2}?$/U"; pcre:"/^Host\x3a\x20[a-z0-9]+\.(?:g[aq]|cf|ml|tk|xyz|info|space)(?:\x3a\d{1,5})?\r$/Hm"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:exploit-kit; sid:2022090; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102740; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp any any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible Postfix CVE-2014-6271 attempt"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; pcre:"/^[a-z-]+\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b.*\x3b.*\x7d\s*\x3b(?!=[\r\n])/mi"; reference:url,exploit-db.com/exploits/34896/; reference:cve,2014-6271; classtype:attempted-admin; sid:2019389; rev:5; metadata:created_at 2014_10_10, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102742; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matryoshka CnC Beacon 2"; flow:established,to_server; urilen:>50; content:"GET"; http_method; content:"/img/"; depth:5; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/n"; distance:0; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/img\/[a-f0-9]{32}\/[a-f0-9]+\/n\d+\.png$/U"; content:".png|20|HTTP/1.1|0d 0a|"; fast_pattern; reference:md5,9853fc1f4d7ba23d728f4ee80842faf9; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:command-and-control; sid:2022147; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102744; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Java Class 1 May 24 2013"; flow:to_client,established; file_data; content:"gonagExp.class"; fast_pattern; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016923; rev:15; metadata:created_at 2013_05_25, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102743; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible HanJuan Landing March 20 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:!"<body>"; content:!"<html>"; content:"<script>"; depth:8; pcre:"/^\s*[a-z]+\s*?=\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]\/g,\x27\x27\)\.substr\(\s*?\d+\s*?,\s*?\d+\s*?\)\s*?\x3b\s*?[a-z]+\s*?=\s*?(?P<q2>[\x22\x27])(?:(?!(?P=q2)).)+?(?P=q2)\.replace\(\/\[[A-Za-z]{10,}\]\/g,\x27\x27\)\.substr/Rs"; content:"]/g,|27 27|).substr|28|"; fast_pattern; classtype:exploit-kit; sid:2020719; rev:5; metadata:created_at 2015_03_20, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_snapshot_propagation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102745; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/lizkebab CnC Activity (Flooding 1)"; flow:established,to_server; content:"|20|Flooding|20|"; fast_pattern; content:"|20|for|20|"; content:"|20|seconds."; distance:0; pcre:"/(?:JUNK|HOLD) Flooding (?:\d{1,3}\.){3}\d{1,3} for \d+ seconds.\r?\n/"; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:command-and-control; sid:2022213; rev:2; metadata:created_at 2015_12_03, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.begin_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102747; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Facebook password stealing inject Jan 04"; flow:from_server,established; file_data; content:"facebook.com"; nocase; content:"localStorage"; fast_pattern; nocase; content:"email"; nocase; content:"pass"; nocase; content:"login_form"; nocase; content:"location"; nocase; pcre:"/^\s*\.\s*hostname\s*.indexOf\s*\([\x22\x27]facebook\.com[\x22\x27]/Rsi"; content:"getElementById"; distance:0; pcre:"/^\s*\(\s*[\x22\x27]login_form[\x22\x27]/Rsi"; content:"getElementById"; distance:0; pcre:"/\s*\(\s*[\x22\x27](email|pass)[\x22\x27]/Rsi"; content:"image"; nocase; pcre:"/[^.]*\.\s*src\s*\=[\x22\x27][^\x22\x27]*\.php\?[ -~]+?\=[\x22\x27]\s*\+localStorage\./Rsi"; classtype:web-application-attack; sid:2022221; rev:4; metadata:created_at 2015_12_05, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102609; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 09"; flow:established,from_server; file_data; content:"<!--/"; fast_pattern; content:"<!--"; pcre:"/^(?P<ccode>[a-f0-9]{6})-->.*?<script.+?<\/script>.*?<!--/(?P=ccode)-->/Rsi"; classtype:exploit-kit; sid:2022242; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_10, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102748; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Reversed Pastebin Injection in Magento DB 2"; flow:established,from_server; file_data; content:"<script"; content:"ptth|22|=crs tpircs"; fast_pattern; content:".reverse("; reference:url,labs.sucuri.net/?note=2015-11-02; classtype:web-application-attack; sid:2022015; rev:4; metadata:created_at 2015_11_02, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_delete_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102749; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Derusbi/Winnti Receiving Configuration"; flow:established,from_server; file_data; content:"$$$--Hello"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})Wrod--\$\$\$/R"; content:"Wrod--$$$"; fast_pattern; reference:url,blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family; classtype:trojan-activity; sid:2022269; rev:3; metadata:created_at 2015_12_16, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_mview_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_mview_repsites"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gowner|gname)[\r\n\s]*=>[\r\n\s]*\2|(gowner|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102750; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Dec 22 2015 (Proxy Filtering)"; flow:established,to_server; content:"POST"; http_method; content:"content-types|3a|"; http_header; nocase; fast_pattern; content:"Referer|3a|"; http_header; content:"content-type|3a|"; http_header; nocase; classtype:exploit-kit; sid:2022304; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_23, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_priority_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102751; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".class"; nocase; fast_pattern; classtype:trojan-activity; sid:2014472; rev:8; metadata:created_at 2012_04_04, updated_at 2022_05_03;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102752; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js HTTP RCE Exploit Inbound (openUrlInDefaultBrowser)"; flow:from_server,established; file_data; content:"XMLHttpRequest"; nocase; content:"|3a|49155/api/openUrlInDefaultBrowser?"; fast_pattern; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:2022352; rev:3; metadata:created_at 2016_01_13, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102606; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js HTTP RCE Exploit Inbound (showSB)"; flow:from_server,established; file_data; content:"XMLHttpRequest"; nocase; content:"|3a|49155/api/showSB?url="; fast_pattern; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:2022353; rev:3; metadata:created_at 2016_01_13, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repsites"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102753; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrochilusRAT CnC Beacon 1"; flow:established,to_server; dsize:8; content:"|bf bf af af 7e 00 00 00|"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:command-and-control; sid:2022360; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102754; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrochilusRAT CnC Beacon 2"; flow:established,to_server; dsize:13; content:"|07 0d 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:command-and-control; sid:2022361; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102755; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Script Loaded from Pastebin"; flow:established,to_client; file_data; content:"pastebin.com/raw"; fast_pattern; content:"<script "; pcre:"/^(?:(?!<\/script>).)*?src\s*=\s*\x5c?[\x22\x27]https?\x3a\/\/(?:www\.)?pastebin\.com\/raw(?:\/|\.php\?i=)[A-Z-a-z0-9]{8}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2022376; rev:3; metadata:created_at 2016_01_20, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102756; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN MySQL Malicious Scanning 1"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"GRANT ALTER, ALTER ROUTINE"; distance:0; nocase; within:30; content:"TO root@% WITH"; fast_pattern; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022579; rev:2; metadata:created_at 2016_03_01, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2102605; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN MySQL Malicious Scanning 2"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"set global log_bin_trust_function_creators=1"; fast_pattern; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022580; rev:2; metadata:created_at 2016_03_01, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102757; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Generic HeapSpray Construct"; flow:established,to_client; file_data; content:"CollectGarbage"; nocase; fast_pattern; content:"var"; pcre:"/^\s+?(?P<vname>[^\s\x3d]+)\s*?=\s*?(?:0x(?:(6[4-9a-f]|[7-9a-f])|\d{3,})|\d{3,}).+?[\s\x3b]for\s*?\([^\x3b\)]*?\x3b[^\x3b\)]+?<=?\s*?(?P=vname)[^\)]+?\)\s*?(?:\{[^}]*?|[^\r\n]*?)document\s*\.\s*createElement/Rsi"; classtype:bad-unknown; sid:2018145; rev:5; metadata:created_at 2014_02_15, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102758; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.ServStart.D Checkin"; flow:to_server,established; content:"Win|20|"; pcre:"/^(:?[78]|XP)/Ri"; content:"MB|00|"; distance:0; content:"MHz|00|"; distance:0; content:"|20|Mbps|00|"; fast_pattern; reference:md5,ad906500dd344cbbdf37997a4b27389f; reference:url,blog.netlab.360.com/public-cloud-threat-intelligence-202203/; classtype:command-and-control; sid:2036415; rev:2; metadata:created_at 2016_03_15, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*fname[\r\n\s]*=>[\r\n\s]*\2|fname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102603; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Single JS file inside of ZIP Download (Observed as lure in malspam campaigns)"; flow:established,to_client; file_data; content:"PK"; within:2; content:"PK|01 02|"; distance:0; pcre:"/^.{42}[\x20-\x7f]{1,500}\.jsPK\x05\x06.{4}\x01\x00\x01\x00/Rsi"; content:".jsPK|05 06|"; nocase; fast_pattern; classtype:misc-activity; sid:2022636; rev:4; metadata:created_at 2016_03_22, former_category INFO, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102850; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 27 2016 (fbset)"; flow:established,to_server; urilen:11<>57; content:".js"; http_uri; fast_pattern; pcre:"/^\/[a-z]{2,20}\/[a-z]{2,20}\/(?:(?:(?:featur|quot)e|ip)s|d(?:ropdown|etect)|co(?:mpiled|re)|header|jquery|lang|min|ga)\.js$/U"; flowbits:set,ET.WordJS; flowbits:noalert; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:exploit-kit; sid:2022770; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_27, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102759; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 28 2016"; flow:established,from_server; file_data; content:"|3d 22 5c 78 32|"; content:"|3d 22 5c 78 36|"; content:"|3d 22 5c 78 37|"; fast_pattern; content:"</span>"; content:!"<span>"; distance:-500; within:500; pcre:"/^\s*?<script>\s*?(?:[A-Za-z][A-Za-z\d+]+\s*?\+?=\s*(?:[A-Za-z][A-Za-z\d]+|[\x22\x27]\\x[2-7][0-9a-fA-F](?:\\x[2-7][0-9a-fA-F]){0,4}[\x22\x27])\s*?\x3b){20}/Rs"; reference:url,researchcenter.paloaltonetworks.com/2016/03/unit42-campaign-evolution-darkleech-to-pseudo-darkleech-and-beyond/; classtype:exploit-kit; sid:2022772; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102851; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 29 2016"; flow:established,from_server; file_data; content:"|69 32 33 33 36 20 3d 3d 20 6e 75 6c 6c|"; nocase; fast_pattern; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 44 49 56 20 69 64 3d 63 68 65 63 6b 35 32 34 20 73 74 79 6c 65 3d 22 44 49 53 50 4c 41 59 3a 20 6e 6f 6e 65 22 3e|"; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d 22|"; classtype:exploit-kit; sid:2022774; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_29, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102760; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct M2"; flow:established,from_server; file_data; content:"redim"; nocase; fast_pattern; content:"Preserve"; nocase; content:"VBScript"; nocase; content:"chrw"; content:"32767"; distance:0; content:"chrw"; content:"2176"; distance:0; classtype:attempted-admin; sid:2022797; rev:3; metadata:created_at 2016_05_06, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102761; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 15 2016"; flow:established,from_server; content:"Set-Cookie|3a 20|bc3ad="; fast_pattern; content:"campaigns"; http_cookie; classtype:exploit-kit; sid:2022904; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_16, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102762; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Jun 22 2016 M1"; flow:established,to_server; content:"/js/analytic.php?id="; http_uri; fast_pattern; pcre:"/^\/js\/analytic\.php\?id=\d+&tz=\-?\d+&rs=\d+x\d+$/Ui"; classtype:exploit-kit; sid:2022909; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102763; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Jun 22 2016 M2"; flow:established,from_server; file_data; content:"&tz=|27|+tzSignature()+|27|&rs=|27|+rsSignature()+"; fast_pattern; content:"document.write("; pcre:"/^[\x22\x27](?!<script)[\x22\x27+\s]*<[\x22\x27+\s]*s[\x22\x27+\s]*c[\x22\x27+\s]*r[\x22\x27+\s]*i[\x22\x27+\s]*p[\x22\x27+\s]*t[^\r\n]+\.php\?id=\d+&tz=\x27\+tzSignature\x28\x29\+\x27&rs=/R"; classtype:exploit-kit; sid:2022910; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102764; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert udp any any -> $HOME_NET 137 (msg:"ET INFO NBNS Name Query Response Possible WPAD Spoof BadTunnel"; byte_test:1,&,0x80,2; byte_test:1,!&,0x40,2; byte_test:1,!&,0x20,2; byte_test:1,!&,0x10,2; byte_test:1,=,0x00,3; content:"|00 00|"; offset:4; depth:2; content:"|46 48 46 41 45 42 45|"; fast_pattern; reference:url,tools.ietf.org/html/draft-ietf-wrec-wpad-01; reference:url,ietf.org/rfc/rfc1002.txt; classtype:protocol-command-decode; sid:2022914; rev:2; metadata:created_at 2016_06_23, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102765; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (exe generic custom headers)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern; content:"GET"; http_method; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"MSIE 7"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022942; rev:3; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102766; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT LastPass RCE Attempt"; flow:from_server,established; file_data; content:"getBoundingClientRect"; nocase; content:"MouseEvent"; fast_pattern; content:"dispatchEvent"; nocase; pcre:"/^\s*\x28\s*new\s*MouseEvent\s*\x28\s*[\x22\x27]\s*click/Rsi"; content:"addEventListener"; nocase; pcre:"/^\s*\x28\s*[\x22\x27]\s*message/Rsi"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=884; classtype:trojan-activity; sid:2022989; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_07_28, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102767; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Metasploit Browser Autopwn Aug1 2016"; flow:established,from_server; file_data; content:"|65 78 70 6c 6f 69 74 4c 69 73 74 2e 73 70 6c 69 63 65|"; nocase; fast_pattern; content:"|73 65 74 54 69 6d 65 6f 75 74 28 22 6c 6f 61 64 45 78 70 6c 6f 69 74 28 29 22|"; nocase; classtype:attempted-admin; sid:2023014; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102601; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Mobile Virus Scam M2 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"navigator.vibrate"; fast_pattern; content:"getURLParameter"; content:"gotooffer"; nocase; distance:0; content:"brandmodel"; nocase; distance:0; content:"countDown"; nocase; distance:0; content:"PreventExitPop"; nocase; distance:0; classtype:social-engineering; sid:2023080; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102637; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 12 2016 (Flash)"; flow:established,to_server; content:"/promo"; http_uri; nocase; depth:6; content:"/promo.swf?t="; http_uri; nocase; fast_pattern; pcre:"/^\/promo\d+(?:x\d+)?\/promo\.swf\?t=\d+$/Ui"; classtype:exploit-kit; sid:2023186; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family EvilTDS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102639; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; http_header; content:"Server|3a 20|nginx"; http_header; pcre:"/Content-Disposition\x3a\x20inline\x3b\x20filename=(?:[a-z0-9]{4})?\r\n/H"; file_data; content:"ZWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2020311; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_26, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102769; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp any any -> $HOME_NET 3306 (msg:"ET EXPLOIT Possible MySQL cnf overwrite CVE-2016-6662 Attempt"; flow:established,to_server; content:"|03|"; offset:4; content:"global_log_dir"; nocase; distance:0; content:".cnf"; nocase; distance:0; content:"nmalloc_lib"; fast_pattern; reference:cve,2016-6662; reference:url,legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; classtype:attempted-admin; sid:2023202; rev:2; metadata:affected_product MySQL, attack_target Server, created_at 2016_09_13, deployment Datacenter, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102770; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows netsh advfirewall show allprofiles Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Domain Profile Settings|3a|"; fast_pattern; content:"Firewall Policy"; classtype:trojan-activity; sid:2023216; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102777; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC SERVICE get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AcceptPause"; fast_pattern; content:"AcceptStop"; content:"Caption"; content:"ExecutablePath"; classtype:trojan-activity; sid:2023223; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102771; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BleedingLife EK CVE-2014-6332 Exploit"; flow:to_server,established; content:"GET"; http_method; content:"|2f 32 30 31 34 2d 36 33 33 32 2e 70 68 70 3f|"; http_uri; fast_pattern; content:"/index.php?ss="; http_header; pcre:"/\.php\?\d{1,4}$/Ui"; classtype:exploit-kit; sid:2023288; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Exploit_Kit, malware_family BleedingLife, signature_severity Major, tag BleedingLifeEK, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102779; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BleedingLife EK CVE-2016-0189 Exploit"; flow:to_server,established; content:"GET"; http_method; content:"|2f 32 30 31 36 2d 30 31 38 39 2e 70 68 70 3f|"; http_uri; fast_pattern; content:"/index.php?ss="; http_header; pcre:"/\.php\?\d{1,4}$/Ui"; classtype:exploit-kit; sid:2023289; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Exploit_Kit, malware_family BleedingLife, signature_severity Major, tag BleedingLifeEK, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102772; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Sep 26 2016"; flow:established,from_server; file_data; content:"document.write"; within:14; pcre:"/^\s*\x28\s*[\x22\x27]<div\s*style\s*=\s*[\x22\x27](?=[^\x22\x27\r\n]*position\x3aabsolute\x3b)(?=[^\x22\x27\r\n]*top\x3a\s\-\d+px\x3b)(?=[^\x22\x27\r\n]*left\x3a\s0px\x3b)[^\r\n]*?<iframe[^\r\n>]*\s><\/i[\x22\x27]\+[\x22\x27]frame>[^\r\n]*<\/div>[\x22\x27]\s*\x29\x3b$/R"; content:"|3c 2f 69 27 2b 27 66 72 61 6d 65 3e|"; fast_pattern; classtype:exploit-kit; sid:2023302; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, malware_family AfraidGate, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102773; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TheTrick Banking Trojan User-Agent"; flow:to_server,established; content:"User-Agent|3a 20 54 72 69 63 6b 4c 6f 61 64 65 72|"; fast_pattern; reference:md5,f26649fc31ede7594b18f8cd7cdbbc15; classtype:trojan-activity; sid:2023338; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_13, deployment Perimeter, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102774; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IE MSMXL Detection of Local SYS (Likely Malicious)"; flow:established,from_server; file_data; content:"res|3a|"; nocase; content:"loadXML"; nocase; content:"parseError"; nocase; content:"errorCode"; nocase; content:"-2147023083"; fast_pattern; content:".sys"; classtype:trojan-activity; sid:2021430; rev:4; metadata:created_at 2015_07_16, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nvarchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102775; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS Pegasus Safari Exploit (CVE-2016-4657)"; flow:established,from_server; file_data; content:"+="; pcre:"/^\s*?\x27try\s*?{}\s*?catch\x28e\x29\s*?{}\x3b/Rsi"; content:"Object"; pcre:"/^(?:\.|\[\s*?[\x22\x27])defineProperties\s*?\x28/Rsi"; content:"defineProperties"; fast_pattern; reference:cve,2016-4657; reference:url,blog.lookout.com/blog/2016/11/02/trident-pegasus-technical-details/; classtype:attempted-admin; sid:2023484; rev:3; metadata:affected_product iOS, affected_product Safari, attack_target Mobile_Client, created_at 2016_11_07, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102776; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Applet Tag In Edwards Packed JavaScript"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|applet|7C|"; nocase; fast_pattern; content:!"|7C|_dynarch_popupCalendar|7C|"; classtype:bad-unknown; sid:2015708; rev:6; metadata:created_at 2012_09_18, former_category INFO, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102778; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M1 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern; content:"/#24/"; pcre:"/^#?\d+/R"; content:".exe"; content:"|5c 5c|Progra"; nocase; classtype:exploit-kit; sid:2023586; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, malware_family Exploit_Kit_RIG, signature_severity Major, tag Exploit_kit_RIG, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102780; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M2 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern; content:"/#16/"; pcre:"/^#?\d+/R"; content:".exe"; nocase; content:"|5c 5c|Progra"; nocase; classtype:exploit-kit; sid:2023587; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, malware_family Exploit_Kit_RIG, signature_severity Major, tag Exploit_kit_RIG, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102781; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK EITest Inject Oct 17 2016 M2"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern; content:"<script type=|22|text/javascript|22|>"; pcre:"/^\s*var\s*(?P<var>[^\s=]+)\s*=\s*document.createElement\(\s*[\x22\x27]iframe[\x22\x27](?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:exploit-kit; sid:2023482; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_03, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102782; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 M1"; flow:established,from_server; file_data; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65 2e 77 65 62 73 74 6f 72 65|"; nocase; content:"|2e 6d 61 74 63 68 28 2f 3e 28 5c 77 3f 5c 73 3f 2e 2a 3f 29 3c 2f 67 29|"; nocase; fast_pattern; content:"|5b 69 5d 2e 72 65 70 6c 61 63 65 28 65 76 61 6c 28|"; content:"unescape"; nocase; pcre:"/^\s*\([^\x29]*(?:\%2F|\/)(?:\%5B|\[)(?:\%5E|^)(?=[^\x29]*(?:%3C|\<))(?=[^\x29]*(?:%3E|\>))(?=[^\x29]*(?:\%5C|\\)(?:\%6E|n))/Rsi"; classtype:social-engineering; sid:2023743; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, signature_severity Major, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102783; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; pcre:"/^(?=[^>]+type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]+name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]+value\s*=\s*[\x22\x27](?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)[\x22\x27]/Rsi"; content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:social-engineering; sid:2023744; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, signature_severity Major, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102784; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 EXE Download"; flow:established,from_server; content:"Chrome_Font.exe"; http_header; nocase; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]+filename\s*=\s*[\x22\x27]?Chrome_Font\.exe/Hmi"; classtype:social-engineering; sid:2023745; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, signature_severity Major, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102785; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK EITest Inject Oct 17 2016 M3"; flow:established,from_server; file_data; content:"oq="; fast_pattern; content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/(?=[^\x22\x27]*?[?&]oq=[A-Za-z0-9+\x2f_-]+(?:[\x22\x27]|&))(?=[^\x22\x27]*?[&?][a-z]+_[a-z]+=\d+)(?=[^\x22\x27]*?[&?]q=)/Ri"; classtype:exploit-kit; sid:2023547; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_mview_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_mview_support"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102852; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Lock Emoji In Title - Possible Social Engineering Attempt"; flow:from_server,established; file_data; content:"<title>"; nocase; pcre:"/^(?:(?!<\/title).)*\x26\x23x1F512/Ri"; content:"|26 23|x1F512"; fast_pattern; classtype:trojan-activity; sid:2023749; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102786; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Unknown Trojan Checkin Jan 26 2017"; flow:to_server,established; content:"GET"; http_method; content:"/config.php?id="; http_uri; fast_pattern; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent"; http_header; pcre:"/\/config\.php\?id=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+/U"; reference:md5,2ccd95bb2e9d8c6e6b6eb68963461f08; classtype:command-and-control; sid:2023769; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_trigger buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_trigger"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102853; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing M1 Feb 07 2016 M1"; flow:established,from_server; file_data; content:"value"; nocase; pcre:"/^\s*=\s*[\x27\x22](?:sh(?:ell(?:32)?)?|exec)=6wLrBej5\x2f\x2f/Rsi"; content:"6wLrBej5"; fast_pattern; classtype:exploit-kit; sid:2023878; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_snapshot_support"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102854; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing M1 Feb 07 2016 M2"; flow:established,from_server; file_data; content:"EB02EB05E8F9FFFFFF"; nocase; fast_pattern; pcre:"/(?:value=[\x22\x27](?:sh(?:ell(?:32)?)?|exec)=|unescape\(EscapeHexString\(.)EB02EB05E8F9FFFFFF/si"; classtype:exploit-kit; sid:2023879; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102788; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Chrome Form Data Theft April 06 2015"; flow:established,to_server; content:".php?type=form&site="; fast_pattern; http_uri; reference:url,ocelot.li/the-malware-campaign-that-went-unnoticed/; classtype:trojan-activity; sid:2020847; rev:3; metadata:created_at 2015_04_07, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102789; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Request to malicious SutraTDS - lonly= in cookie"; flow:established,to_server; content:" lonly="; fast_pattern; content:" lonly="; http_cookie; classtype:exploit-kit; sid:2014884; rev:3; metadata:created_at 2012_06_09, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102790; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Polymorphic Flush IPTables Shellcode"; content:"|6a 52 58 99 52 66 68 2d 46 54 5b 52 48 b9 69 70 74 61 62 6c 65 73 51 d0 e0 28 c8 48 b9 2f 2f 73 62 69 6e 2f 2f 51 54 5f 52 53 57 54 5e 0f 05|"; fast_pattern; reference:url,a41l4.blogspot.ca/2017/03/polyflushiptables1434.html; classtype:shellcode-detect; sid:2024057; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2017_03_15, deployment Perimeter, former_category SHELLCODE, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102791; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode"; content:"|31 ff 57 6a 69 58 48 bb 5e c4 d2 dc 5e 5e e6 d0 0f 05 48 d1 cb b0 3b 53 87 f7 54 99 5f 0f 05|"; fast_pattern; reference:url,a41l4.blogspot.ca/2017/03/polysetuidexecve1434.html; classtype:shellcode-detect; sid:2024058; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2017_03_15, deployment Perimeter, former_category SHELLCODE, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102792; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8880 (msg:"ET EXPLOIT IBM WebSphere - RCE Java Deserialization"; flow:to_server,established; content:"SOAPAction|3a 20||22|urn:AdminService|22|"; content:"<objectname xsi|3a|type=|22|ns1|3a|javax.management.ObjectName|22|>"; content:"vcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbn"; fast_pattern; reference:cve,2015-7450; classtype:attempted-user; sid:2024062; rev:3; metadata:affected_product IBM_Websphere, attack_target Server, created_at 2017_03_15, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102793; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Reverse Shell Shellcode"; content:"|6a 02 6a 2a 6a 10 6a 29 6a 01 6a 02|"; content:"|48 bf 2f 2f 62 69 6e 2f 73 68|"; fast_pattern; reference:url,exploit-db.com/exploits/41477/; classtype:shellcode-detect; sid:2024065; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category SHELLCODE, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102631; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK March 15 2017"; flow:established,from_server; file_data; content:"iframe"; nocase; content:"src"; nocase; pcre:"/^\s*=\s*[\x22\x27][Hh][Tt][Tt][Pp][Ss]?\x3a\x2f\x2f[^\x2f]+\x2f(?=[^\x2f\x22\x27]+=[^\x2f\x22\x27&]{0,5}QMvXcJ)[^\x2f\x22\x27]{90}/Rs"; content:"QMvXcJ"; fast_pattern; classtype:exploit-kit; sid:2024092; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_17, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102795; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK EITest Inject Oct 17 2016 M4"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern; content:"<script type=|22|text|2f|"; pcre:"/^(?:rocket|java)script\x22>\s*var\s*(?P<ifr>[^\s=]+)\s*=\s*[\x22\x27]iframe[\x22\x27].*?\s*var\s*(?P<var>[^\s=]+)\s*=\s*document\.createElement\(\s*(?P=ifr)(?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:exploit-kit; sid:2023748; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_19, deployment Perimeter, malware_family EITest, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102796; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK CVE-2016-0189 Exploit"; flow:established,from_server; file_data; content:"dllcode"; nocase; fast_pattern; content:"|28 26 68 34 64 2c 26 68 35 61 2c 26 68 38 30 2c 30 2c 31 2c 30 2c 30 2c 30|"; nocase; content:"GetSpecialFolder"; nocase; reference:cve,2016-0189; classtype:exploit-kit; sid:2024168; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102797; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET INFO SMTP PDF Attachment Flowbit Set"; flow:established,from_server; content:"|0d 0a 0d 0a|JVBERi"; fast_pattern; flowbits:set,ET.pdf.in.smtp.attachment; flowbits:noalert; classtype:bad-unknown; sid:2024236; rev:3; metadata:attack_target SMTP_Server, created_at 2017_04_21, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102798; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kazuar CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:!"Accept"; http_header; content:"Referer|3a|"; http_header; content:"AuthToken="; depth:10; http_cookie; pcre:"/^AuthToken=[A-Za-z0-9+/]{43}=$/C"; content:"Cookie|3a 20|AuthToken="; fast_pattern; reference:md5,7a778e076e48ff269e91f17a15ea97d5; reference:url,researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/; classtype:command-and-control; sid:2024270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, former_category MALWARE, malware_family Turla, malware_family Kazuar, signature_severity Major, tag APT, tag RUAPT, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.relocate_masterdef"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102799; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT WindowBase64.atob Function In Edwards Packed JavaScript - Possible iFrame Injection Detected"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|atob|7C|"; nocase; content:"|7C|iframe|7C|"; nocase; fast_pattern; reference:url,blog.malwarebytes.org/exploits-2/2015/02/celebrity-chef-jamie-olivers-website-hacked-redirects-to-exploit-kit/; classtype:exploit-kit; sid:2020605; rev:6; metadata:created_at 2015_03_04, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.remove_master_databases buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.remove_master_databases"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102855; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Bingo Exploit Kit Landing May 08 2017"; flow:established,from_server; file_data; content:"+=String.fromCharCode("; pcre:"/^[a-z]\d{3}\[[a-z]\d{3}\]\^[a-z]\d{3}\)\x3breturn [a-z]\d{3}\x3b\}/R"; content:"|29 29 29 5e|"; fast_pattern; content:".text="; pcre:"/^[a-z]\d{3}\x3b[a-z]\d{3}\.getElementsByTagName\([a-z]\d{3}\(new Array\(\d+\,/R"; content:".type="; pcre:"/^[a-z]\d{3}\(new Array\(/R"; flowbits:set,ET.Fiesta.Exploit.URI; classtype:exploit-kit; sid:2025071; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_05_10, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102800; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Tor based locker .onion Proxy domain in SNI July 31 2014"; flow:established,to_server; content:"iet7v4dciocgxhdv."; fast_pattern; nocase; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018872; rev:3; metadata:created_at 2014_08_01, former_category TROJAN, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102627; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish Jun 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"AppleSession"; http_cookie; content:"Cookie|3a 20|AppleSession"; fast_pattern; classtype:credential-theft; sid:2024374; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_10_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.resume_master_activity"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102801; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET EXPLOIT Suspicious FTP RETR to .hta file possible exploit (CVE-2017-0199)"; flow:established,to_server; content:"|2e|hta|0d 0a|"; nocase; fast_pattern; content:"RETR "; pcre:"/^[^\r\n]+\.hta\r?\n/Ri"; classtype:bad-unknown; sid:2024434; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_06_29, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_and_compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_and_compare_old_values"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102804; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoOpen Macro"; flow:established,to_client; file_data; content:!"oct8ne"; content:"A|00|u|00|t|00|o|00|O|00|p|00|e|00|n"; nocase; fast_pattern; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019613; rev:4; metadata:created_at 2014_10_31, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2102626; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Rip Sep 05 2017"; flow:established,from_server; file_data; content:"iddq"; fast_pattern; content:"<param"; nocase; pcre:"/^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27]iddqd?\s*=/Rsi"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2024660; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, performance_impact Moderate, signature_severity Major, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_columns buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_columns"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102805; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Rip Sep 05 2017 M2"; flow:established,from_server; file_data; content:"iddq"; fast_pattern; content:"<param"; nocase; pcre:"/^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27][^=]*\s*=EB02EB05E8F9FFFFFF/Rsi"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2024661; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, performance_impact Moderate, signature_severity Major, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_local_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102806; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-8759 Soap File DL"; flow:established,from_server; file_data; content:"process.start"; nocase; fast_pattern; content:"<service"; nocase; pcre:"/^(?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*[\x22\x27](?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*?\x22[^\x22]*\r?\n[^\x22]*?process\.start/Rsi"; classtype:attempted-admin; sid:2024702; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_13, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.specify_new_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.specify_new_masters"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102807; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-8759 Soap File DL"; flow:established,from_server; file_data; content:"process.start"; nocase; fast_pattern; content:"<service"; nocase; pcre:"/^(?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*[\x22\x27](?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*?\x22[^\x22]*\r?\n[^\x22]*?process\.start/Rsi"; classtype:attempted-admin; sid:2024706; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_15, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.suspend_master_activity"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102808; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Jul 24 2015"; flow:to_client,established; file_data; content:"GOOGLE.com?</title>"; fast_pattern; content:"view shared document"; content:"ValidateFormYahoo"; distance:0; content:"ValidateFormGmail"; distance:0; content:"ValidateFormHotmail"; distance:0; content:"ValidateFormAol"; distance:0; content:"ValidateFormOther"; distance:0; classtype:social-engineering; sid:2025682; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_mview_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_mview_master"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102856; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android JadeRAT CnC Beacon"; flow:to_server,established; dsize:<500; content:"@!MyID|3a|"; depth:7; content:"IMEI|3a|"; distance:0; content:"Mobile|20|ID|3a|"; content:"SIM|3a|"; content:"IMSI|3a|"; content:"Android|20|version|3a|"; content:"Model|3a|"; content:"All|20|SD|20|Size|3a|"; fast_pattern; content:"Free|20|SD|20|Size|3a|"; content:"Network|20|type|3a|"; reference:md5,9027f111377598362972745478e40311; reference:url,blog.lookout.com/mobile-threat-jaderat; classtype:command-and-control; sid:2024895; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_JadeRAT, signature_severity Major, tag Android, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_snapshot_master"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1073,}\x27|\x22[^\x22]{1073,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,})|\(\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102857; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Safari UXSS (CVE-2017-7089)"; flow:from_server,established; file_data; content:"parent-tab://"; fast_pattern; content:"open"; pcre:"/\b(?P<varname>[^\s\x3d]+)\s*\x3d\s*open\s*\x28\s*[^\x29]+parent-tab:\/\/.+(?P=varname)\s*\.\s*document\s*\.\s*body\s*.\s*innerHTML\s*=/si"; reference:cve,2017-7089; classtype:attempted-user; sid:2024995; rev:3; metadata:affected_product Safari, attack_target Client_Endpoint, created_at 2017_11_15, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102809; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell commands sent B64 1"; flow:established,from_server; content:"UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAc"; fast_pattern; classtype:trojan-activity; sid:2025010; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102810; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell commands sent B64 2"; flow:established,from_server; content:"MAdABhAHIAdAAtAFAAcgBvAGMAZQBzAH"; fast_pattern; classtype:trojan-activity; sid:2025011; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102811; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell commands sent B64 3"; flow:established,from_server; content:"TAHQAYQByAHQALQBQAHIAbwBjAGUAcwBz"; fast_pattern; classtype:trojan-activity; sid:2025012; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_for_local_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102812; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Doc Download EXE Primer (flowbits set)"; flow:established,to_server; content:"?id="; http_uri; content:"&act="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\.[^\x3F]+\?id=\d+&act=\d+$/U"; flowbits:set,ET.MalDocEXEPrimer; flowbits:noalert; reference:url,fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2020837; rev:6; metadata:created_at 2015_04_03, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.register_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102629; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GrandSoft EK IE Exploit Jan 30 2018"; flow:established,from_server; file_data; content:"|3d 20 22 2c|&h|22|"; nocase; fast_pattern; content:"4d"; nocase; content:"5a"; nocase; within:20; content:"responseBody"; nocase; content:"Dim "; nocase; content:"Dim "; nocase; distance:0; content:"Win32_OperatingSystem"; nocase; classtype:exploit-kit; sid:2025272; rev:3; metadata:created_at 2018_01_30, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102624; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Spectre Exploit Javascript"; flow:from_server,established; file_data; content:"0x1000000"; fast_pattern; pcre:"/(?<var1>[^=\s]*)\s*=\s*0x1000000.+?\x28\s*\x28\s*\x28\s*\w+\s*<<\s*12\s*\x29\s*\|\s*0\s*\x29\s*\+\s*(?P=var1)\s*\x29\s*\|\s*0/s"; reference:cve,2017-5753; reference:cve,2017-5715; reference:url,github.com/cgvwzq/spectre; classtype:attempted-user; sid:2025188; rev:6; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102746; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT VBscript UAF (CVE-2018-8373)"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"class_initialize"; nocase; fast_pattern; content:"<script "; nocase; content:"Redim"; nocase; content:"private"; nocase; pcre:"/^\s+sub\s+class_initialize\b(?:(?!end\s*sub).)*?\bReDim\s+array\b/Rsi"; content:"Public"; pcre:"/^\s+Default\s+Property\b(?:(?!end\s*property).)*?\bReDim\s+Preserve\s+array\b/Rsi"; reference:cve,2018-8373; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-cve-2018-8373-exploit-spotted-in-the-wild/; classtype:attempted-user; sid:2026411; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_26, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102641; rev:6; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Reverse HTTPS certificate"; flow:from_server,established; content:"|A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00|"; fast_pattern; content:"|16 03 03|"; pcre:"/^..\x0B.{9}\x30\x82..\x30\x82..\xA0\x03\x02\x01\x02\x02(?:\x09.{9}|\x08.{8})/Rs"; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30|"; within:16; pcre:"/^.\x31.\x30.\x06\x03\x55\x04\x03\x0C.([a-z]{2,9})\x30.\x17\x0D[0-9]{12}Z\x17\x0D[0-9]{12}Z\x30.\x31.\x30.\x06\x03\x55\x04\x03\x0C.\g{1}\x30\x82../Rs"; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|"; within:17; pcre:"/^...\x30\x82..\x02\x82...{256,257}/Rs"; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|"; within:36; content:!"|06|ubuntu"; content:!"|04|mint"; content:!"|a9 d5 73 d2 a0 a5 a1 69|"; reference:url,blog.didierstevens.com/2015/05/11/detecting-network-traffic-from-metasploits-meterpreter-reverse-http-module; classtype:trojan-activity; sid:2021178; rev:7; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_06_03, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102645; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u0020javascript|3a|"; nocase; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:attempted-user; sid:2020398; rev:5; metadata:created_at 2015_02_12, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102647; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Sept 14 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 03|"; pcre:"/^.{2}[A-Z]?[a-z]+ [A-Z]?[a-z]+/Rs"; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; pcre:"/^.{2}[A-Z]?[a-z]+\.[A-Z]?[a-z]+@gmail\.com[01]/Rs"; content:"@gmail.com"; fast_pattern; reference:md5,f22cad1a3985a5183a76324b448e06f2; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021773; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(object_type|user_name)[\r\n\s]*=>[\r\n\s]*\2|(object_type|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102802; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT QNAP Shellshock script retrieval"; flow:established,from_server; file_data; content:"|2f|share|2f|MD0_DATA|2f|optware|2f|.xpl|2f|"; fast_pattern; content:"unset HISTFIE"; reference:url,www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; reference:cve,2014-6271; classtype:attempted-admin; sid:2019905; rev:4; metadata:created_at 2014_12_10, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102676; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Exodus Intel IE HTML+TIME EIP Control Technique"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern; content:"CollectGarbage"; nocase; content:"try"; distance:0; nocase; content:".values"; distance:0; nocase; pcre:"/^[\r\n\s\+]*?=.+?\}[\r\n\s]*?catch/Rsi"; reference:cve,2012-4792; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; classtype:attempted-user; sid:2016138; rev:6; metadata:created_at 2013_01_03, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_offline"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102675; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M2"; flow:established,to_server; content:"GET"; http_method; content:".dill/"; fast_pattern; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/[a-z]+\.dill\/$/U"; classtype:social-engineering; sid:2021968; rev:4; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102677; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerShell/Agent.A DNS File Transfer CnC Beacon"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"00"; distance:1; within:2; content:"00000"; distance:0; pcre:"/^[0-9A-Z]+232A/R"; content:"232A"; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html; classtype:command-and-control; sid:2022837; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102623; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT X20 EK Download Aug 07 2013"; flow:established,from_server; content:"filename=app.jar|0d 0a|"; http_header; fast_pattern; file_data; content:"PK"; within:2; content:"|CA FE BA BE|"; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017299; rev:8; metadata:created_at 2013_08_08, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102621; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT echo command attempt"; flow:to_server,established; content:"/bin/echo"; nocase; fast_pattern; classtype:web-application-attack; sid:2101334; rev:11; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_utl.drop_an_object"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102622; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Version 1.1 Applet Value lxxt"; flow:established,to_client; file_data; content:"value=|22|lxxt>33"; fast_pattern; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:exploit-kit; sid:2014853; rev:6; metadata:created_at 2012_06_05, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102859; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing (Payload Downloaded Via Dropbox)"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; content:"6u27.jar"; content:"6u41.jar"; fast_pattern; classtype:exploit-kit; sid:2017014; rev:4; metadata:created_at 2013_06_13, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102877; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)"; flow:from_server,established; file_data; content:"<style"; nocase; pcre:"/^[^>]*?>\s*?form\s*?\{\s*?-ms-behavior\s*?\x3a\s*?url/Rsi"; content:"x-ua-compatible"; nocase; pcre:"/^[\x22\x27]\s*content\s*=\s*[\x22\x27]\s*IE\s*=\s*10/Rsi"; content:"<button"; nocase; content:"<label"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"<optgroup"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"-ms-behavior"; nocase; fast_pattern; reference:cve,2015-2444; classtype:attempted-user; sid:2021709; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_08_24, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102893; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Geost CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/geost.php?bid="; fast_pattern; classtype:command-and-control; sid:2028661; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_10_08, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Geost, updated_at 2019_10_08, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102895; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT EgyPack Exploit Kit Post-Infection Request"; flow:established,to_server; content:"Egypack"; nocase; http_user_agent; depth:7; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:exploit-kit; sid:2013176; rev:7; metadata:created_at 2011_07_04, former_category EXPLOIT_KIT, updated_at 2019_10_11;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102830; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ddns .net"; dns.query; content:".ddns.net"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028675; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_12;)
 
-alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Bad Login"; flow:from_server,established; content:"Login incorrect"; nocase; fast_pattern; classtype:bad-unknown; sid:2101251; rev:10; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ddnsking .com"; dns.query; content:".ddnsking.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028676; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".dyndns"; http_header; nocase; fast_pattern; classtype:exploit-kit; sid:2015548; rev:8; metadata:created_at 2012_07_31, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.3utilities .com"; dns.query; content:".3utilities.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028677; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_12;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET [137,138,139,445] (msg:"ET SCAN Nessus Netbios Scanning"; content:"n|00|e|00|s|00|s|00|u|00|s"; fast_pattern; reference:url,www.tenable.com/products/nessus/nessus-product-overview; classtype:attempted-recon; sid:2015754; rev:3; metadata:created_at 2012_10_01, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for addons.mozilla.org"; flow:established,from_server; content:"|00 92 39 d5 34 8f 40 d1 69 5a 74 54 70 e1 f2 3f|"; content:"addons.mozilla.org"; within:250; classtype:misc-activity; sid:2012546; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-alert udp any any -> any 161 (msg:"ET SNMP Attempt to retrieve Cisco Config via TFTP (CISCO-CONFIG-COPY)"; content:"|2b 06 01 04 01 09 09 60 01 01 01 01|"; fast_pattern; classtype:policy-violation; sid:2015856; rev:6; metadata:created_at 2012_11_01, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for Global Trustee"; flow:established,from_server; content:"|00 d8 f3 5f 4e b7 87 2b 2d ab 06 92 e3 15 38 2f b0|"; classtype:misc-activity; sid:2012547; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Cool Exploit Kit Requesting Payload"; flow:established,to_server; content:"/f.php?k="; http_uri; fast_pattern; pcre:"/^\/[a-z]\/f\.php\?k=\d(&e=\d&f=\d)?$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015873; rev:6; metadata:created_at 2012_11_09, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.live.com"; flow:established,from_server; content:"|00 b0 b7 13 3e d0 96 f9 b5 6f ae 91 c8 74 bd 3a c0|"; content:"login.live.com"; within:250; classtype:misc-activity; sid:2012548; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Excel file download - SET 1"; flow:established,from_server; flowbits:isset,OLE.CompoundFile; file_data; content:"|09 08 10 00 00 06 05 00|"; distance:512; content:"|57006F0072006B0062006F006F006B00|"; fast_pattern; flowbits:set,ETPRO.Microsoft.Excel; flowbits:noalert; reference:cve,2012-0185; classtype:attempted-user; sid:2025086; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_05_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.skype.com"; flow:established,from_server; content:"|00 e9 02 8b 95 78 e4 15 dc 1a 71 0a 2b 88 15 44 47|"; content:"login.skype.com"; within:250; classtype:misc-activity; sid:2012549; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit Java Request to Recent jar (2)"; flow:established,to_server; content:"/887.jar"; fast_pattern; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015929; rev:4; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.yahoo.com 1"; flow:established,from_server; content:"|00 d7 55 8f da f5 f1 10 5b b2 13 28 2b 70 77 29 a3|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012550; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit Java Request to Recent jar (1)"; flow:established,to_server; content:"/332.jar"; fast_pattern; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015928; rev:4; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.yahoo.com 2"; flow:established,from_server; content:"|39 2a 43 4f 0e 07 df 1f 8a a3 05 de 34 e0 c2 29|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012551; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit .blogsite. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".blogsite."; http_header; nocase; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015939; rev:4; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.yahoo.com 3"; flow:established,from_server; content:"|3e 75 ce d4 6b 69 30 21 21 88 30 ae 86 a8 2a 71|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012552; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Propack Payload Request"; flow:established,to_server; content:".php?j=1&k="; http_uri; nocase; fast_pattern; content:" Java/1"; http_header; pcre:"/\.php\?j=1&k=[0-9](i=[0-9])?$/U"; classtype:exploit-kit; sid:2015950; rev:3; metadata:created_at 2012_11_28, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for mail.google.com"; flow:established,from_server; content:"|04 7e cb e9 fc a5 5f 7b d0 9e ae 36 e1 0c ae 1e|"; content:"mail.google.com"; within:250; classtype:misc-activity; sid:2012553; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Samsung Printer SNMP Hardcode RW Community String"; content:"s!a@m#n$p%c"; fast_pattern; reference:url,www.l8security.com/post/36715280176/vu-281284-samsung-printer-snmp-backdoor; classtype:attempted-admin; sid:2015959; rev:3; metadata:created_at 2012_11_29, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for www.google.com"; flow:established,from_server; content:"|00 f5 c8 6a f3 61 62 f1 3a 64 f5 4f 6d c9 58 7c 06|"; content:"www.google.com"; within:250; classtype:misc-activity; sid:2012554; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE SCardForgetReaderGroupA (Used in Malware Anti-Debugging)"; flow:established,to_client; file_data; flowbits:isset,ET.http.binary; content:"SCardForgetReaderGroupA"; fast_pattern; reference:url,www.trusteer.com/blog/evading-malware-researchers-shylock%E2%80%99s-new-trick; classtype:misc-activity; sid:2015965; rev:5; metadata:created_at 2012_11_30, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Known Fraudulent DigiNotar SSL Certificate for google.com"; flow:established,from_server; content:"|0C 76 DA 9C 91 0C 4E 2C 9E FE 15 D0 58 93 3C 4C|"; content:"google.com"; within:250; reference:url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx; classtype:misc-activity; sid:2013500; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Zuponcic Hostile Jar"; flow:established,to_server; content:"Host|3a 20|"; http_header; content:"."; http_header; distance:2; within:1; content:"Java/"; http_header; content:".jar"; http_uri; fast_pattern; pcre:"/^Host\x3a\x20[a-z]{2}\./Hm"; pcre:"/^\/[a-zA-Z]{7}\.jar$/U"; classtype:exploit-kit; sid:2015981; rev:3; metadata:created_at 2012_12_04, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AcroCEF"; ja3_hash; content:"61d50e7771aee7f2f4b89a7200b4d45e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027975; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Robopak - Landing Page Received"; flow:established,to_client; file_data; content:"|22|ors.class|22|"; fast_pattern; content:"|22|bhjwfffiorjwe|22|"; classtype:exploit-kit; sid:2015991; rev:5; metadata:created_at 2012_12_06, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Adium 1.5.10 (a)"; ja3_hash; content:"93948924e733e9df15a3bb44404cd909"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027976; rev:3; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL User Account Enumeration"; flow:from_server,established; content:"|02|"; offset:3; depth:4; content:"|15 04|Access denied for user"; fast_pattern; threshold:type both,track by_dst,count 10,seconds 1; reference:url,seclists.org/fulldisclosure/2012/Dec/att-9/; classtype:protocol-command-decode; sid:2015993; rev:3; metadata:created_at 2012_12_06, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Adium 1.5.10 (b)"; ja3_hash; content:"e4adf57bf4a7a2dc08e9495f1b05c0ea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027977; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack PDF Request (2)"; flow:established,to_server; content:"/lpdf.php?i="; http_uri; fast_pattern; pcre:"/\/lpdf\.php\?i=[a-zA-Z0-9]+&?$/U"; classtype:exploit-kit; sid:2016012; rev:5; metadata:created_at 2012_12_08, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AIM"; ja3_hash; content:"49a6cf42956937669a01438f26e7c609"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027978; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Escaped Unicode Char in Window Location CVE-2012-4792 EIP"; flow:established,from_server; file_data; content:"<form"; nocase; content:"button"; nocase; content:"CollectGarbage("; nocase; fast_pattern; content:".location"; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*unescape\(\s*[\x22\x27][\\%]u/Ri"; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016132; rev:4; metadata:created_at 2012_12_30, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AirCanada Android App"; ja3_hash; content:"0bb402a703d08a608bf82763b1b63313"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027979; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT g01pack - Landing Page Received - applet and 32AlphaNum.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern; content:".jar"; pcre:"/[a-z0-9]{32}\.jar/"; classtype:exploit-kit; sid:2016027; rev:6; metadata:created_at 2012_12_13, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AirCanada Android App"; ja3_hash; content:"d5169d6e19447685bf6f1af8c055d94d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027980; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET INFO Possible TURKTRUST Spoofed Google Cert"; flow:established,from_server; content:"|16 03|"; depth:2; content:"*.EGO.GOV.TR"; nocase; fast_pattern; content:"*.google.com"; classtype:policy-violation; sid:2016154; rev:2; metadata:created_at 2013_01_04, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Airmail 3"; ja3_hash; content:"561145462cfc7de1d6a97e93d3264786"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027981; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT JDB Exploit Kit Landing URL structure"; flow:established,from_client; content:"/inf.php?id="; http_uri; nocase; fast_pattern; pcre:"/\/inf\.php\?id=[a-f0-9]{32}$/Ui"; classtype:exploit-kit; sid:2016306; rev:3; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Alation Compose"; ja3_hash; content:"f6fd83a21f9f3c5f9ff7b5c63bbc179d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027982; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 1"; content:"miniupnpd/1."; fast_pattern; pcre:"/^Server\x3a[^\r\n]*miniupnpd\/1\.[0-3]/mi"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2013-0229; classtype:successful-recon-limited; sid:2016302; rev:6; metadata:created_at 2013_01_30, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Amazon Music"; ja3_hash; content:"6003b52942a2e1e1ea72d802d153ec08"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027983; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"<applet"; fast_pattern; content:"value"; pcre:"/^\s*=\s*[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:exploit-kit; sid:2016319; rev:3; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Amazon Music,Dreamweaver,Spotify"; ja3_hash; content:"eb149984fc9c44d85ed7f12c90d818be"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027984; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5958 ST DeviceType Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern; reference:cve,CVE_2012-5958; reference:cve,CVE-2012-5962; classtype:attempted-dos; sid:2016322; rev:2; metadata:created_at 2013_01_31, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android App"; ja3_hash; content:"662fdc668dd6af994a0f903dbcf25d66"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027985; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5964 ST URN ServiceType Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*urn\x3aservice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|service"; nocase; fast_pattern; reference:cve,CVE-2012-5964; classtype:attempted-dos; sid:2016324; rev:2; metadata:created_at 2013_01_31, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android Google API Access"; ja3_hash; content:"515601c4141e718865697050a7a1765f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027986; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5965 ST URN DeviceType Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*urn\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|device"; nocase; fast_pattern; reference:cve,CVE-2012-5965; classtype:attempted-dos; sid:2016325; rev:2; metadata:created_at 2013_01_31, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"1aab4c2c84b6979c707ed052f724734b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027987; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5961 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{1,180}\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern; reference:cve,CVE-2012-5961; classtype:attempted-dos; sid:2016326; rev:2; metadata:created_at 2013_01_31, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"25b72c88f837567856118febcca761e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027988; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET MALWARE W32/Jabberbot.A Trednet XMPP CnC Beacon"; flow:established,to_server; content:"trednet@jabber.ru"; fast_pattern; reference:url,blog.eset.com/2013/01/30/walking-through-win32jabberbot-a-instant-messaging-cc; classtype:command-and-control; sid:2016331; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_02_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"5331a12866e19199b363f6e903381498"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027989; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack Payload Request"; flow:established,to_server; content:"/load.php?e="; http_uri; fast_pattern; content:"&token="; http_uri; classtype:exploit-kit; sid:2015962; rev:12; metadata:created_at 2012_11_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"855953256ecc8e2b6d2360aff8e5d337"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027990; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT TDS Vdele"; flow:established,to_server; content:"GET"; nocase; http_method; urilen:>37; content:"/vd/"; http_uri; nocase; fast_pattern; pcre:"/\/vd\/\d+\x3b[a-f0-9]{32}/Ui"; classtype:exploit-kit; sid:2016412; rev:3; metadata:created_at 2013_02_15, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"85bb8aa8e5ba373906348831bdbed41a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027991; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Serialized Java Applet (Used by some EKs in the Wild)"; flow:established,from_server; file_data; content:"<embed"; nocase; content:"object"; distance:0; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*[\x22\x27][^\x22\x27]+\.ser[\x22\x27]/Ri"; content:"application/x-java-"; fast_pattern; classtype:exploit-kit; sid:2016510; rev:5; metadata:created_at 2013_02_27, former_category INFO, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"99d8afeec9a4422120336ad720a5d692"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027992; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Portal TDS Kit GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?pprec"; nocase; fast_pattern; http_uri; pcre:"/\.php\?pprec$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:exploit-kit; sid:2016542; rev:4; metadata:created_at 2013_03_06, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AnypointStudio"; ja3_hash; content:"8e3f1bf87bc652a20de63bfd4952b16a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027993; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Portal TDS Kit GET (2)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?c002"; nocase; fast_pattern; http_uri; pcre:"/\.php\?c002$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:exploit-kit; sid:2016543; rev:3; metadata:created_at 2013_03_06, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Push Notification System, apple.WebKit.Networking,CalendarAgent,Go for Gmail"; ja3_hash; content:"d4693422c5ce1565377aca25940ad80c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027994; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.net"; content:"|0a|micorsofts|03|net|00|"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016569; rev:4; metadata:created_at 2013_03_14, former_category DNS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight Search (OSX)"; ja3_hash; content:"3e404f1e1b5a79e614d7543a79f3a1da"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027995; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain hotmal1.com"; content:"|07|hotmal1|03|com|00|"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016571; rev:2; metadata:created_at 2013_03_14, former_category DNS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight"; ja3_hash; content:"69b2859aec70e8934229873fe53902fd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027996; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.com"; content:"|0a|micorsofts|03|com|00|"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016570; rev:3; metadata:created_at 2013_03_14, former_category DNS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight"; ja3_hash; content:"6b9b64bbe95ea112d02c8812fc2e7ef0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027997; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NuclearPack - Landing Page Received - applet and 32HexChar.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern; content:".jar"; content:"param"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:exploit-kit; sid:2016026; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_13, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight"; ja3_hash; content:"e5e4c0eeb02fdcf30af8235b4de07780"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027998; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BHEK q.php iframe outbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016718; rev:5; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Apple SpotlightNetHelper (OSX)"; ja3_hash; content:"97827640b0c15c83379b7d71a3c2c5b4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027999; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BHEK q.php iframe inbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016716; rev:6; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Apple usbmuxd iOS socket multiplexer"; ja3_hash; content:"47e42b00af27b87721e526ff85fd2310"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028000; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BHEK ff.php iframe inbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016717; rev:5; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.geod"; ja3_hash; content:"5507277945374659a5b4572e1b6d9b9f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028001; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BHEK ff.php iframe outbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016719; rev:5; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.geod"; ja3_hash; content:"f753495f2eab5155c61b760c838018f8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028002; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Metasploit Java Exploit"; flow:established,to_client; file_data; flowbits:isset,ET.http.javaclient; content:"xploit.class"; nocase; fast_pattern; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015658; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_08_29, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.geod/parsecd,apple.photomoments"; ja3_hash; content:"ba40fea2b2638908a3b3b482ac78d729"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028003; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Metasploit Java Payload"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"Payload.class"; nocase; fast_pattern; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015657; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_08_29, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking"; ja3_hash; content:"474e73aea21d1e0910f25c3e6c178535"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028004; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NuclearPack Java exploit binary get request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"Java/1."; fast_pattern; http_user_agent; pcre:"/[a-f0-9]{32,64}\/[a-f0-9]{32,64}/\w$/U"; classtype:exploit-kit; sid:2015000; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking"; ja3_hash; content:"eeeb5e7485f5e10cbc39db4cfb69b264"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028005; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK UAC Disable in Uncompressed JAR"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"UACDisableNotify"; fast_pattern; classtype:exploit-kit; sid:2016805; rev:4; metadata:created_at 2013_05_01, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking/Chatter/FieldServiceApp/socialstudio"; ja3_hash; content:"63de2b6188d5694e79b678f585b13264"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028006; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sibhost Status Check"; flow:established,to_server; content:"POST"; http_method; content:"|29 20|Java/1"; http_user_agent; fast_pattern; content:"text="; http_client_body; depth:5; pcre:"/\?(s|page|id)=\d+$/U"; classtype:exploit-kit; sid:2015974; rev:15; metadata:created_at 2012_11_30, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking/itunesstored"; ja3_hash; content:"7b343af1092863fdd822d6f10645abfb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028007; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Greencat SSL Certificate"; flow:established,from_server; content:"|55 04 08 13 05|Ocean"; fast_pattern; classtype:trojan-activity; sid:2016812; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_05_03, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking/Spotify/WhatsApp/Skype/iTunes"; ja3_hash; content:"a312f9162a08eeedf7feb7a13cd7e9bb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028008; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1347 IE 0-day used in DOL attack"; flow:established,to_client; file_data; content:".offsetParent"; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(\x22{2}|\x27{2}|null)/Ri"; content:"datalist"; nocase; pcre:"/^[\x22\x27\s\>]/R"; content:".innerHTML"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(\x22{2}|\x27{2}|null)/Ri"; content:"<!doctype html"; nocase; pcre:"/[\x22\x27\<]table[\x22\x27\>]/"; pcre:"/[\x22\x27\<]hr[\x22\x27\>]/"; content:"CollectGarbage"; nocase; fast_pattern; reference:cve,2013-1347; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,technet.microsoft.com/en-us/security/advisory/2847140; classtype:attempted-user; sid:2016822; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_05_04, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/533.1 (KHTML like Gecko) Version/4.0 Mobile Safari/533.1"; ja3_hash; content:"1a6ef47ab8325fbb42c447048cea9167"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028009; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT IE HTML+TIME ANIMATECOLOR with eval as seen in unknown EK"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern; content:"eval("; nocase; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; classtype:exploit-kit; sid:2016833; rev:6; metadata:created_at 2013_05_08, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/533.1 (KHTML like Gecko) Version/4.0 Mobile Safari/533.1"; ja3_hash; content:"b677934e592ece9e09805bf36cd68d8a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028010; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Exim/Dovecot Possible MAIL FROM Command Execution"; flow:to_server,established; content:"${IFS}"; fast_pattern; content:"mail from|3a|"; nocase; pcre:"/^[^\r\n]*?\x60[^\x60]*?\$\{IFS\}/R"; reference:url,redteam-pentesting.de/de/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution; classtype:attempted-admin; sid:2016835; rev:3; metadata:created_at 2013_05_08, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.30 (KHTML like Gecko) Version/4.0 Safari & Safari Mobile/534.30, AppleWebKit/534.30"; ja3_hash; content:"ef323f542a99ab12d6b5348bf039b7b4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028011; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Java Class 2 May 24 2013"; flow:to_client,established; file_data; content:"20130422.class"; fast_pattern; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016924; rev:12; metadata:created_at 2013_05_25, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.30"; ja3_hash; content:"e1e03b911a28815836d79c5cdd900a20"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028012; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HellSpawn EK Landing 2 May 24 2013"; flow:to_client,established; file_data; content:"FlashPlayer.cpl"; nocase; fast_pattern; content:"window.location"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?(?P<func>[_a-zA-Z][a-zA-Z0-9_-]+)\([\r\n\s]*?[\x22\x27](?!http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]*?[\x22\x27][\r\n\s]*?,[\r\n\s]*?[\x22\x27][^\x22\x27]+[\x22\x27][\r\n\s]*?\)\+(?P=func)/Rsi"; classtype:exploit-kit; sid:2016928; rev:3; metadata:created_at 2013_05_25, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.46 Mobile/9A334"; ja3_hash; content:"04e1f90d8719caabafb76d4a7b13c984"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028013; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible HellSpawn EK Fake Flash May 24 2013"; flow:to_server,established; content:"/FlashPlayer.cpl"; http_uri; nocase; fast_pattern; pcre:"/\/FlashPlayer\.cpl$/U"; classtype:exploit-kit; sid:2016929; rev:12; metadata:created_at 2013_05_25, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.46, iOS AppleWebKit/534.46"; ja3_hash; content:"dc08cf4510f70bf16d4106ee22f89197"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028014; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Landing Page 2 May 24 2013"; flow:to_client,established; file_data; content:"1337.exe"; nocase; fast_pattern; content:"<APPLET"; nocase; pcre:"/^((?!<\/applet>).)+?[\x22\x27]1337\.exe/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016926; rev:3; metadata:created_at 2013_05_25, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/535 & Ubuntu Product Search"; ja3_hash; content:"4049550d5f57eae67d958440bdc133e4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028015; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura - Payload Downloaded"; flow:established,to_client; flowbits:isset,ET.http.javaclient; content:".txt|0d 0a|"; http_header; fast_pattern; pcre:"/filename=[a-z]{4}\.txt\x0D\x0A/H"; classtype:exploit-kit; sid:2016787; rev:4; metadata:created_at 2013_04_26, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/600.7.12 or 600.1.4"; ja3_hash; content:"ef75a13be2ed7a82f16eefe6e84bc375"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028016; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack Reporting Plugin Detect Data June 03 2013"; flow:established,to_server; content:"/gate.php?ver="; http_uri; nocase; fast_pattern; pcre:"/&p=\d+\.\d+\.\d+\.\d+&j=\d+\.\d+\.\d+\.\d+&f=\d+\.\d+\.\d+\.\d+$/U"; classtype:exploit-kit; sid:2016964; rev:3; metadata:created_at 2013_06_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/600.7.12"; ja3_hash; content:"eaa8a172289b09a6789a415d1faac4c9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028017; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit Specific"; flow:established,to_client; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"IHDR"; distance:0; content:"tEXt"; distance:13; content:"db.php?j="; distance:0; content:"msnmusax.ninn"; fast_pattern; classtype:attempted-user; sid:2017008; rev:6; metadata:created_at 2013_06_12, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AT&T Connect"; ja3_hash; content:"c5c11e6105c56fd29cc72c3ac7a2b78b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028018; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit Landing"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; fast_pattern; content:"</applet>"; content:"<applet"; within:20; content:"archive"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(?P<q>[\x22\x27])[a-f0-9]{9,16}\.(jar|zip)(?P=q)/R"; classtype:exploit-kit; sid:2016840; rev:6; metadata:created_at 2013_05_09, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Atlassian SourceTree (git library?) (Tested v1.6.21.0)"; ja3_hash; content:"42215ee83bbf3a857a72ef42213cfbd6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028019; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible 2012-1533 altjvm RCE via JNLP command injection"; flow:established,from_server; file_data; content:"<jnlp"; nocase; content:"initial-heap-size"; nocase; content:"max-heap-size"; content:"-XXaltjvm"; nocase; fast_pattern; reference:cve,2012-1533; classtype:trojan-activity; sid:2017013; rev:3; metadata:created_at 2013_06_13, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Atlassian SourceTree (Tested v1.6.21.0)"; ja3_hash; content:"1c8a17e58c20b49e3786fc61e0533e50"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028020; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Dotka Chef EK .cache request"; flow:established,to_server; content:"Java/1"; http_user_agent; content:"/.cache/?f|3d|"; fast_pattern; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017019; rev:3; metadata:created_at 2013_06_15, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - atom.io #1"; ja3_hash; content:"4e5e5d9fbc43697be755696191fe649a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028021; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM WHMCS CURL Multi-part Boundary Issue"; flow:established,to_server; content:"POST"; http_method; content:"/rootpassword.php?"; http_uri; fast_pattern; content:"name=action"; content:"name=action"; distance:0; content:"name=action"; distance:0; reference:url,localhost.re/p/solusvm-whmcs-module-316-vulnerability; classtype:trojan-activity; sid:2017063; rev:4; metadata:created_at 2013_06_25, former_category EXPLOIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - atom.io #2"; ja3_hash; content:"c94858c6eb06de179493b3fac847143e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028022; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HOME_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM 1.13.03 Access to solusvmc-node setuid bin"; flow:established,to_server; content:"solusvmc-node"; fast_pattern; pcre:"/\bsolusvmc-node\b/"; classtype:trojan-activity; sid:2017061; rev:4; metadata:created_at 2013_06_25, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Aviator (Mystery 3rd) (37.0.2062.99) (OS X)"; ja3_hash; content:"58360f4f663a0f5657f415ac2f47fe1b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028023; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Neutrino Exploit Kit Clicker.php TDS"; flow:established,to_server; content:"/clicker.php"; http_uri; fast_pattern; pcre:"/^\x2Fclicker\x2Ephp$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:exploit-kit; sid:2017069; rev:3; metadata:created_at 2013_06_27, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Aviator Updates"; ja3_hash; content:"5149f53b5554a31116f9d86237552ee3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028024; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Applet tag in jjencode as (as seen in Dotka Chef EK)"; flow:established,from_server; file_data; content:",$$$$|3a|(![]+|22 22|)"; fast_pattern; content:"<|22|+"; pcre:"/^(?P<var>.{1,10})\.\$\_\$\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\(\!\[\]\+\x22\x22\)\[(?P=var)\.\_\$\_\]\+(?P=var)\.\$\$\$\_\+(?P=var)\.\_\_\+/R"; classtype:exploit-kit; sid:2017070; rev:3; metadata:created_at 2013_06_27, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Battle.net/Dropbox"; ja3_hash; content:"fa030dbcb2e3c7141d3c2803780ee8db"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028025; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sibhost Status Check GET Jul 01 2013"; flow:established,to_server; content:"GET"; http_method; content:"|29 20|Java/1"; http_user_agent; fast_pattern; content:"text="; http_uri; pcre:"/\?(s|page|id)=\d+&text=\d+$/U"; classtype:exploit-kit; sid:2017079; rev:4; metadata:created_at 2013_07_02, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - bitgo/ShapeShift"; ja3_hash; content:"0ef9ca1c10d3f186f5786e1ef3461a46"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028026; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack Jar Download Jul 01 2013"; flow:established,to_client; content:"j51"; http_header; nocase; content:".jar"; http_header; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]+?=\s*?(?P<q>[\x22\x27]?)j51[a-f0-9]{21}\.jar(?P=q)\r?$/Hm"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017092; rev:3; metadata:created_at 2013_07_02, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BlackBerry Browser (Tested BB10)"; ja3_hash; content:"add211c763889c665ae4ab675165cbc4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028027; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack EXE Download Jul 01 2013"; flow:established,to_client; content:"e51"; http_header; nocase; content:".exe"; http_header; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]+?=\s*?(?P<q>[\x22\x27]?)e51[a-f0-9]{21}\.exe(?P=q)\r?$/Hm"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017093; rev:3; metadata:created_at 2013_07_03, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BlackBerry Mail Client"; ja3_hash; content:"a921515f014005af03fc1e2c4c9e66ce"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028028; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Lucky7 EK IE Exploit"; flow:established,from_server; file_data; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern; content:"JTQzJTZmJTZjJTZjJTY1JTYzJTc0JTQ3JTYxJTcyJTYyJTYxJTY3JTY1"; classtype:exploit-kit; sid:2017099; rev:3; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Blackberry Messenger (Android) 2"; ja3_hash; content:"4692263d4130929ae222ef50816527ca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028029; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3163 2"; flow:established,from_server; file_data; content:"CollectGarbage("; fast_pattern; nocase; content:".contentEditable"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?true/Ri"; content:"var"; pcre:"/^[\r\n\s\+]+?(?P<var>[^\r\n\s\+\x3d]+)[\r\n\s\+]*?=[\r\n\s\+]*?[^\)]+\.createElement\(.+?\.appendChild\([\r\n\s]*?[\x22\x27]?(?P=var)[\x22\x27]?[\r\n\s]*?\).+\b(?P=var)\.innerHTML[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])(?P=q).+?CollectGarbage\(.+?\b(?P=var)\./Rsi"; reference:cve,2013-3163; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017130; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_07_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Blackberry"; ja3_hash; content:"b5d42ca0e68a39d5c0a294134a21f020"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028030; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack - Java JNLP Requested"; flow:established,to_server; urilen:>70; content:".jnlp"; http_uri; fast_pattern; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jnlp$/Ui"; classtype:exploit-kit; sid:2017138; rev:4; metadata:created_at 2013_07_13, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Blackbery Messenger (Android)"; ja3_hash; content:"32b0ae286d1612c82cad93b4880ee512"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028031; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DotkaChef JJencode Script URI Struct"; flow:established,to_server; content:"voDc0RHa8NnZ"; http_uri; fast_pattern; pcre:"/\/\?={0,2}[A-Za-z0-9\+\/]+?voDc0RHa8NnZ$/U"; classtype:exploit-kit; sid:2017139; rev:3; metadata:created_at 2013_07_13, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BlueCoat Proxy"; ja3_hash; content:"5182f54f9c6e99d117d9dde3fa2b4cff"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028032; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx PDF July 15 2013"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".exe?"; fast_pattern; nocase; content:"<script"; nocase; content:"http|3a 2f 2f|"; distance:0; pcre:"/^[^\x3b\r\n\x22\x27]+?[A-Za-z0-9\/\_\-]{60,}\.exe\?/R"; classtype:exploit-kit; sid:2017151; rev:13; metadata:created_at 2013_07_16, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BlueJeans,CEPHtmlEngine"; ja3_hash; content:"cdec81515ccc75a5aa41eb3db22226e6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028033; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool PDF July 15 2013"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".txt?e="; fast_pattern; nocase; content:"<script"; nocase; content:"http|3a 2f 2f|"; distance:0; pcre:"/^[^\x3b\r\n\x22\x27]+?\.txt\?e=\d+(&[fh]=\d)?/R"; classtype:exploit-kit; sid:2017150; rev:13; metadata:created_at 2013_07_16, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BOT: Ahrefs, hola_svc"; ja3_hash; content:"5c1c89f930122bccc7a97d52f73bea2c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028034; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit Landing Applet Jul 05 2013"; flow:established,to_client; file_data; content:"<applet "; nocase; fast_pattern; content:"|3b|document.write("; nocase; pcre:"/^[^\x3b]+?\+[a-z]+?\.substring([^)]+?)[^\x3b]+?\+[a-z]+?\.substring([^)]+?)[^\x3b]+?\+[a-z]+?\.substring([^)]+?)/Rsi"; classtype:exploit-kit; sid:2017106; rev:4; metadata:created_at 2013_07_05, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BOT: GoogleBot"; ja3_hash; content:"a1cb2295baf199acf82d11ba4553b4a8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028035; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlimKit JNLP URI Struct"; flow:established,to_server; content:".pl|0d 0a|"; http_header; content:" Java/1."; http_header; content:".jnlp"; http_uri; fast_pattern; pcre:"/^[^\/]*?\/[a-z0-9]{9,16}\.jnlp$/U"; pcre:"/\d/U"; pcre:"/[a-z]/U"; classtype:exploit-kit; sid:2017153; rev:3; metadata:created_at 2013_07_17, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BOT: Qwant"; ja3_hash; content:"706567223fbf37d112fba2d95b8ecac3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028036; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SipCLI VOIP Scan - TCP"; flow:established,to_server; content:"|0D 0A|User-Agent|3A 20|sipcli/"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.yasinkaplan.com/SipCli/; classtype:attempted-recon; sid:2017161; rev:2; metadata:created_at 2013_07_17, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BrowserShots Script"; ja3_hash; content:"01aead19a1b1780978f732e056b183a6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028037; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SipCLI VOIP Scan"; content:"|0D 0A|User-Agent|3A 20|sipcli/"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.yasinkaplan.com/SipCli/; classtype:attempted-recon; sid:2017162; rev:3; metadata:created_at 2013_07_17, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Browsershots"; ja3_hash; content:"a4dc1c39a68bffec1cc7767472ac85a8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028038; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Possible Java Payload Download"; flow:to_server,established; content:".exe?"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/\.exe\?(e=)?\d+$/U"; classtype:exploit-kit; sid:2016427; rev:8; metadata:created_at 2013_02_19, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (1.6.01)"; ja3_hash; content:"93fbcdadc1bf98ff0e3c03e7f921edd1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028039; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack Jar Request (2)"; flow:established,to_server; content:".php?i="; http_uri; pcre:"/\/j\d{2}\.php\?i=/U"; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016013; rev:7; metadata:created_at 2012_12_08, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (1.6.01)"; ja3_hash; content:"c3ca411515180e79c765dc2c3c8cea88"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028040; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Class Request (3)"; flow:established,to_server; content:"/Vlast.class"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016299; rev:11; metadata:created_at 2013_01_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (tested: 1.6.32 Kali)"; ja3_hash; content:"15617351d807aa3145547d0ad0c976cc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028041; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT WhiteHole Exploit Kit Payload Download"; flow:established,to_server; content:"/?whole="; nocase; http_uri; fast_pattern; content:"Java/1."; http_user_agent; pcre:"/\/\?whole=\d+$/Ui"; classtype:exploit-kit; sid:2016350; rev:5; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (tested: 1.6.32 Kali)"; ja3_hash; content:"34f8cac266d07bfc6bd3966e99b54d00"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028042; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedDotv2 Java Check-in"; flow:established,to_server; content:"/search/"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/^\/search\/[0-9]{64}/U"; classtype:exploit-kit; sid:2016593; rev:9; metadata:created_at 2013_03_19, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (Tested: 1.7.03 on Windows 10), eclipse,JavaApplicationStub,idea"; ja3_hash; content:"8c5a50f1e833ed581e9cfc690814719a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028043; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss Recent Jar (3)"; flow:established,to_server; content:"/m1"; http_uri; nocase; content:".jar"; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/\/m1[1-6]\.jar$/U"; classtype:exploit-kit; sid:2016708; rev:9; metadata:created_at 2013_04_02, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Candy Crush (testing iOS 8.3)"; ja3_hash; content:"17a40616b856ec472714cd144471e0e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028044; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss Recent Jar (4)"; flow:established,to_server; content:"/cmm.jar"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016709; rev:9; metadata:created_at 2013_04_02, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Charles/java/eclipse"; ja3_hash; content:"424008725394c634a4616b8b1f2828a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028045; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 81:90 (msg:"ET EXPLOIT_KIT Sakura - Payload Requested"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".html"; http_uri; pcre:"/\/[0-9]{4}\.html$/Ui"; classtype:exploit-kit; sid:2016786; rev:6; metadata:created_at 2013_04_26, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Choqok 1.5 (KDE 4.14.18 Qt 4.8.6 on OpenSUSE 42.1)"; ja3_hash; content:"64bb259b446fe13f66bcd62d1f0d33df"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028046; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Java Exploit - jreg.jar"; flow:established,to_server; content:"/jreg.jar"; http_uri; fast_pattern; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016804; rev:5; metadata:created_at 2013_05_01, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (iOS)"; ja3_hash; content:"bec8267042d5885aa3acc07b4409cafc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028047; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura - Payload Requested"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".pkg"; http_uri; nocase; pcre:"/\/\d+\.pkg$/Ui"; classtype:exploit-kit; sid:2016943; rev:9; metadata:created_at 2013_05_29, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Possible 41.x)"; ja3_hash; content:"d54a0979516e607a1166e6efd157301c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028048; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Metasploit Based Unknown EK Jar Download June 03 2013"; flow:established,to_server; content:"/j_"; http_uri; pcre:"/\/j_[a-z0-9]+_(?:0422|1723|3544|5076)\.jar$/U"; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016965; rev:8; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_06_04, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #1"; ja3_hash; content:"ac67a2d0e3bd59459c32c996b5985979"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028049; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Jar Download June 20 2013"; flow:established,to_server; content:"/contacts.asp"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2017038; rev:5; metadata:created_at 2013_06_20, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #2"; ja3_hash; content:"34dfce2bb848da7c5dafa4d475f0ba41"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028050; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.7.x"; flow:established,to_server; content:"/frozen.jar"; http_uri; fast_pattern; content:"Java/1.7"; http_user_agent; classtype:exploit-kit; sid:2017041; rev:5; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #3"; ja3_hash; content:"937edefedb6fe13f26d1a425ef1c15a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028051; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.6 (Old)"; flow:established,to_server; content:"/arina.jar"; http_uri; fast_pattern; content:"Java/1.6"; http_user_agent; classtype:exploit-kit; sid:2017042; rev:5; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #4"; ja3_hash; content:"a342d14afad3a448029ec808295ccce9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028052; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/sigwer.jar"; http_uri; fast_pattern; content:"Java/1.6"; http_user_agent; classtype:exploit-kit; sid:2017043; rev:5; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #5"; ja3_hash; content:"71e74faaed87acd177bd3b47a543f476"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028053; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/dubstep.jar"; http_uri; fast_pattern; content:"Java/1.6"; http_user_agent; classtype:exploit-kit; sid:2017044; rev:5; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (tested: Version 46.0.2490.86 (64-bit) - OS X)"; ja3_hash; content:"1d64ab25ad6f7258581d43077147b9b1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028054; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack Java Exploit Payload June 03 2013"; flow:established,to_server; content:"Java/1."; nocase; http_user_agent; content:".php?"; http_uri; nocase; fast_pattern; pcre:"/\/[a-z0-9]{3}\.php\?[a-z]=[a-zA-Z0-9]{10}$/U"; classtype:exploit-kit; sid:2017119; rev:5; metadata:created_at 2013_07_09, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (tested: Version 46.0.2490.86 (64-bit) - OS X)"; ja3_hash; content:"230018e44608686b64907360b6def678"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028055; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - Recent Jar (1)"; flow:established,to_server; content:"/amor"; http_uri; content:".jar"; http_uri; within:6; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/amor\d{0,2}\.jar/U"; classtype:exploit-kit; sid:2015941; rev:5; metadata:created_at 2012_11_27, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (tested: Version 46.0.2490.86 (64-bit) - OS X)"; ja3_hash; content:"dea05e8c68dfeb28003f21d22efc0aba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028056; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - Recent Jar (2)"; flow:established,to_server; content:"/java7.jar?r="; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2015942; rev:5; metadata:created_at 2012_11_27, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 10, Chrome 10.0.648.82 (Chromium Portable 9.0)"; ja3_hash; content:"62351d5ea3cd4f21f697965b10a9bbbe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028057; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlimKit Jar URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".jar"; http_uri; fast_pattern; pcre:"/^[^\/]*?\/[a-f0-9]{8}[a-z0-9]+\.jar$/U"; pcre:"/\d/U"; pcre:"/[a-f]/U"; classtype:exploit-kit; sid:2017152; rev:6; metadata:created_at 2013_07_17, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 11 - 18, Chrome 11.0.696.16 - 18.0.1025.33  Chrome 11.0.696.16 (Chromium Portable 9.2)"; ja3_hash; content:"a9da823fe77cd3df081644249edbf395"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028058; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java (Old) /golem.jar"; flow:established,to_server; content:"/golem.jar"; fast_pattern; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017272; rev:5; metadata:created_at 2013_08_03, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 19 - 20, Chrome 19.0.1084.15 - 20.0.1132.57, Chrome 21.0.1180.89, Chrome 22.0.1229.96 - 23.0.1271.64 Safari/537.11"; ja3_hash; content:"df4a50323dfcaf1789f72e4946a7be44"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028059; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java 1.7 /caramel.jar"; flow:established,to_server; content:"/caramel.jar"; fast_pattern; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017273; rev:4; metadata:created_at 2013_08_03, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 22.0.1201.0, Chrome/22.0.1229.96"; ja3_hash; content:"3c8cb61208e191af38b1fbef4eacd502"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028060; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack URI Format June 17 2013 1"; flow:established,to_server; content:".php?"; http_uri; content:"3a313"; http_uri; fast_pattern; pcre:"/=(3[0-9a]|2e)+3a313[3-9](3[0-9]){8}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017022; rev:4; metadata:created_at 2013_06_18, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 24.0.1312.57 - 28.0.1500.72 Safari/537.36"; ja3_hash; content:"1ef061c02d85b7e2654e11a9959096f4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028061; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Firefox CVE-2013-1690"; flow:established,from_server; file_data; content:"window.stop("; fast_pattern; nocase; content:"ownerDocument.write("; nocase; content:"addEventListener("; nocase; content:"readystatechange"; distance:0; nocase; content:"Array"; nocase; reference:cve,2013-1690; classtype:attempted-user; sid:2017298; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_08_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 26.0.1410.43-27.0.1453.110 Safari/537.31"; ja3_hash; content:"89d37026246d4888e78e69af4f8d1147"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028062; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit obfuscated hex-encoded jnlp_embedded Aug 08 2013"; flow:established,from_server; file_data; content:"fromCh"; pcre:"/(?P<m>[0-9a-f]{2})(?P<sep>[^0-9a-f])(?P<e>(?!(?P=m))[0-9a-f]{2})(?P=sep)([0-9a-f]{2}(?P=sep)){7}(?P=e)(?P=sep)(?P=m)(?P=sep)[0-9a-f]{2}(?P=sep)(?P=e)(?P=sep)(?P<d>(?!(?P=e))[0-9a-f]{2})(?P=sep)(?P=d)(?P=sep)(?P=e)(?P=sep)(?P=d)/R"; content:"<applet"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017324; rev:3; metadata:created_at 2013_08_13, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 29.0.1547.0"; ja3_hash; content:"206ee819879457f7536d2614695a5029"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028063; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT X20 EK Payload Download"; flow:established,to_server; content:"/download.asp?p=1"; http_uri; content:" Java/1."; http_header; fast_pattern; classtype:exploit-kit; sid:2017039; rev:4; metadata:created_at 2013_06_20, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 29.0.1547.62"; ja3_hash; content:"76d36fc79db002baa1b5e741fcd863bb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028064; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Aug 26 2013"; flow:established,from_server; file_data; content:"Australian Holiday|22|"; fast_pattern; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017372; rev:6; metadata:created_at 2013_08_26, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 29.0.1547.62"; ja3_hash; content:"bbc3992faa92affc0d835717ea557e99"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028065; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of base64_decode"; flow:established,from_server; file_data; content:"base64_decode"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?base64_decode/Rsi"; classtype:trojan-activity; sid:2017399; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 30.0.0.0"; ja3_hash; content:"dc3eaee99a9221345698f8a8b2f4fc3f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028066; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of gzinflate"; flow:established,from_server; file_data; content:"gzinflate"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?gzinflate/Rsi"; classtype:trojan-activity; sid:2017400; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 30.0.1599.101"; ja3_hash; content:"53c7ed581cbaf36951559878fcec4559"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028067; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of str_rot13"; flow:established,from_server; file_data; content:"str_rot13"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?str_rot13/Rsi"; classtype:trojan-activity; sid:2017401; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 31.0.1650.57 & 32.0.1700.76 Safari/537.36"; ja3_hash; content:"fb8a6d2441ee9eaee8b560d48a8f59df"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028068; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of gzuncompress"; flow:established,from_server; file_data; content:"gzuncompress"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?gzuncompress/Rsi"; classtype:trojan-activity; sid:2017402; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 31.0.1650.63"; ja3_hash; content:"f7c4dc1d9595c27369a183a5df9f7b52"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028069; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of convert_uudecode"; flow:established,from_server; file_data; content:"convert_uudecode"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?convert_uudecode/Rsi"; classtype:trojan-activity; sid:2017403; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 33.0.1750.117"; ja3_hash; content:"16d7ebc398d772ef9969d2ed2a15f4c0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028070; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java /victoria.jar"; flow:established,to_server; content:"/victoria.jar"; fast_pattern; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017406; rev:6; metadata:created_at 2013_09_03, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 33.0.1750.117"; ja3_hash; content:"f3136cf565acf70dd2f98ca652f43780"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028071; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Bleeding EK Variant Landing Sep 06 2013"; flow:established,from_server; file_data; content:"DoCake()"; fast_pattern; nocase; content:"applet"; nocase; content:".php?e="; content:".php?e="; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017434; rev:3; metadata:created_at 2013_09_07, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 33.0.1750.154"; ja3_hash; content:"af0ae1083ab10ac957e394c2e7ec4634"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028072; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura EK Landing Sep 06 2013"; flow:established,from_server; file_data; content:"/deployJava.js"; fast_pattern; nocase; content:!"<applet"; nocase; content:" RegExp"; pcre:"/^[\r\n\s]*?\([\r\n\s]*?(?P<q>[\x22\x27])(?P<m>((?!(?P=q)).)+)(?P=q).+?<(?P=m)?a(?P=m)?p(?P=m)?p(?P=m)l(?P=m)?e(?P=m)?t/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017433; rev:4; metadata:created_at 2013_09_07, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 34.0.1847.116 & 35.0.1916.114 Safari/537.36"; ja3_hash; content:"4807d61f519249470ebed0b633e707cf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028073; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Fake Microsoft Security Update Applet Sep 16 2013"; flow:established,from_server; file_data; content:"JTNDJTNGeG1sJTIwdmVyc2lvbiUzRCUy"; content:"/microsoft.jnlp"; fast_pattern; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017468; rev:3; metadata:created_at 2013_09_17, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 34.0.1847.116 & 35.0.1916.114 Safari/537.36"; ja3_hash; content:"ef3364da4d76c98a669cb828f2e5283a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028074; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Other Java Exploit Kit 32-32 byte hex hostile jar"; flow:established,to_server; content:".jar"; http_uri; fast_pattern; urilen:70; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$/U"; classtype:exploit-kit; sid:2015782; rev:6; metadata:created_at 2012_10_05, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 36.0.1985.125 & 37.0.2062.102 Safari/537.36"; ja3_hash; content:"5b348680dec77f585cfe82513213ac3a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028075; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Java JNLP Requested"; flow:established,to_server; flowbits:isset,ET.http.javaclient; urilen:71; content:".jnlp"; http_uri; fast_pattern; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.jnlp$/Ui"; classtype:exploit-kit; sid:2016798; rev:4; metadata:created_at 2013_04_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 36.0.1985.125 - 40.0.2214.93 Safari/537.36"; ja3_hash; content:"52be6e88840d2211a243d9356550c4a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028076; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 Possible IE Memory Corruption Vulnerability with HXDS ASLR Bypass"; flow:established,to_client; file_data; content:"ms-help|3a|//"; nocase; content:"onlosecapture"; nocase; fast_pattern; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017477; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 37.0.0.0 Safari & Mobile Safari/537.36"; ja3_hash; content:"5f775bbfc50459e900d464ca1cecd136"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028077; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT WhiteHole Exploit Kit Jar Request"; flow:to_server,established; content:".jar?java="; http_uri; fast_pattern; nocase; content:"Java/1."; http_user_agent; pcre:"/\.jar\?java=\d+$/Ui"; classtype:exploit-kit; sid:2016349; rev:6; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 37.0.0.0"; ja3_hash; content:"a167568462b993d5787488ece82a439a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028078; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT WhiteHole Exploit Landing Page"; flow:established,from_server; file_data; content:".jar?java="; nocase; fast_pattern; content:"<applet"; pcre:"/^((?!<\/applet>).)+?\.jar\?java=\d+/R"; content:" name="; content:"http"; within:5; content:" name="; content:"ftp"; within:4; classtype:exploit-kit; sid:2016348; rev:8; metadata:created_at 2013_02_05, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 37.0.2062.120"; ja3_hash; content:"98652faa7e0a4d85f91e37aa6b8c0135"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028079; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit CVE-2013-3205 Exploit Specific"; flow:established,to_client; file_data; content:"function putPayload("; nocase; fast_pattern; classtype:attempted-user; sid:2017510; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_09_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 41.0.2272.89"; ja3_hash; content:"8b8322bad90e8bfbd66e664839b7a037"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028080; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command (/iam-ready)"; flow:established,to_server; content:"POST"; http_method; content:"/iam-ready"; fast_pattern; nocase; content:"|3c 7c 3e|"; http_header; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017518; rev:3; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 42.0.2311.135"; ja3_hash; content:"aa9074aa1ff31c65d01c35b9764762b6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028081; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Sep 30 2013"; flow:established,from_server; file_data; content:"New Zealandn Holiday"; fast_pattern; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017545; rev:7; metadata:created_at 2013_09_30, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 42.0.2311.135"; ja3_hash; content:"de0963bc1f3a0f70096232b272774025"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028082; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|Html)/Ri"; content:"onlosecapture"; nocase; fast_pattern; content:"function"; pcre:"/^[\r\n\s]+(?P<func>[^\r\n\s]+)[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{((?!function).)*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(?:\x22\x22|\x27\x27))?((?!function).)*?document\.write\([\r\n\s]*?(?:\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\).+?onlosecapture(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?(?P=func)\b/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017479; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 43.0.2357.132 & 45.02454.94"; ja3_hash; content:"3bb36ec17fef5d3da04ceeb6287314c6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028083; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake MS Security Update (Jar)"; flow:established,from_server; file_data; content:"Microsoft Security Update"; content:"applet_ssv_validated"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017549; rev:3; metadata:created_at 2013_10_02, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 48.0.2564.116"; ja3_hash; content:"cd3f72760dfd5575b91213a8016c596b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028084; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HiMan EK Landing Oct 1 2013"; flow:established,from_server; file_data; content:"java3()|3b|"; fast_pattern; content:"java2()|3b|"; content:"pdf()|3b|"; content:"ie()|3b|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017550; rev:3; metadata:created_at 2013_10_02, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 48.0.2564.97"; ja3_hash; content:"5406c4a87aa6cbcb7fc469fee526a206"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028085; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Base64 http argument in applet (Neutrino/Angler)"; flow:established,from_server; file_data; content:"<applet "; pcre:"/^((?!<\/applet>).)+?[\x22\x27]aHR0cDov/Rs"; content:"aHR0cDov"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016549; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_07, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 49.0.2623.75"; ja3_hash; content:"503fe06db7ef09b2cbd771c4e784c686"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028086; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Use-After-Free CVE-2013-3897"; flow:established,from_server; file_data; content:"onpropertychange"; fast_pattern; nocase; content:".execCommand("; nocase; pcre:"/^[\r\n\s]*?[\x27\x22]Unselect[\x27\x22]/Rsi"; content:"appendChild("; nocase; content:"textarea"; nocase; content:".select("; nocase; content:".onselect"; reference:cve,2013-3897; classtype:attempted-user; sid:2017572; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_10_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 50.0.2661.102 1"; ja3_hash; content:"bd4267e1672f9df843ada7c963490a0d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028087; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Magnitude EK (formerly Popads) IE Exploit with IE UA Oct 16 2013"; flow:established,to_server; urilen:66; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}$/Ui"; content:"Referer|3a 20|http|3a|//"; http_header; pcre:"/^[^\/\r\n]+/HR"; content:"/?"; http_header; within:2; pcre:"/^[a-f0-9]{32}=\d{1,10}\r\n/HR"; content:" MSIE "; http_user_agent; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017613; rev:10; metadata:created_at 2013_10_17, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 50.0.2661.102 2"; ja3_hash; content:"caeb3b546fc7469776d51f1f54a792ca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028088; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit CVE-2013-0422 Jar"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"B.class"; fast_pattern; pcre:"/[^a-zA-Z0-9_\-.]B\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; content:!"Browser.class"; classtype:attempted-user; sid:2016228; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_17, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.106 (test)"; ja3_hash; content:"aa84deda2a937ad225ef94161887b0cb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028089; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS JS Multiple Debug Math.atan2 calls with CollectGarbage"; flow:established,from_server; file_data; content:"CollectGarbage"; nocase; fast_pattern; content:"Math.atan2"; nocase; content:"Math.atan2"; nocase; distance:0; content:"Math.atan2"; nocase; distance:0; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; reference:url,cyvera.com/cve-2013-3897-analysis-of-yet-another-ie-0-day/; classtype:attempted-user; sid:2017657; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_04, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 1"; ja3_hash; content:"473e8bad0e8e1572197be80faa1795c3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028090; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Botnet Login Request CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/operator/login.php"; fast_pattern; http_uri; pcre:"/\/operator\/login\.php$/U"; content:!"Referer|3a 20|"; content:!"|0d 0a|Accept"; http_header; content:"Mozilla/4.0 (SEObot)"; depth:20; http_user_agent; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:command-and-control; sid:2017718; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_11_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 2"; ja3_hash; content:"e0b0e6c934c686fd18a5727648b3ed4f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028091; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 IE Exploit URI Struct"; flow:established,to_server; content:".tpl"; http_uri; fast_pattern; pcre:"/\/1[34]\d{8}\.tpl$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017601; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_17, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 3"; ja3_hash; content:"7ddfe8d6f8b51a90d10ab3fe2587c581"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028092; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK IE Exploit CVE-2013-2551"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"stroke"; nocase; content:"visibility"; nocase; content:"hidden"; nocase; distance:0; content:"Array"; nocase; pcre:"/^[\r\n\s]*?\([\r\n\s]*?[\x22\x27]f([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?r([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?o([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?m([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?C([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?h([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?a([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?r([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?c([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?o([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?d([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?e[\x22\x27]/Ri"; classtype:exploit-kit; sid:2017785; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_27, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 4"; ja3_hash; content:"bc76a4185cc9bd4c72471620e552618c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028093; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Adobe PDF CVE-2013-0640"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".keep.previous"; nocase; fast_pattern; content:".resolveNode"; nocase; pcre:"/^[\r\n\s]*?\\?\(.+?\\?\)\.keep\.previous[\r\n\s]*?=[\r\n\s]*?[\x22\x27]contentArea/Rsi"; reference:url,www.exploit-db.com/exploits/29881/; classtype:attempted-user; sid:2017790; rev:3; metadata:created_at 2013_11_30, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 5"; ja3_hash; content:"8e3eea71cb5a932031d90cc0fba581bc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028094; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Grandsoft/SofosFO EK PDF URI Struct"; flow:established,to_server; content:".pdf"; http_uri; fast_pattern; pcre:"/^\/\d{1,2}(?P<l>[A-Z])\d{1,2}(?P=l)\d{1,2}(?P=l)\d{1,2}\.pdf$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017699; rev:4; metadata:created_at 2013_11_09, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 6"; ja3_hash; content:"653924bcb1d6fd09a048a4978574e2c5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028095; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack Java Exploit"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/java.php?eid="; http_uri; fast_pattern; content:"type="; http_uri; pcre:"/\/java\.php\?eid=[a-f0-9]{32}&/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017863; rev:5; metadata:created_at 2013_12_16, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 7"; ja3_hash; content:"1ef652ecfb8e60e771a4710166afc262"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028096; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack PDF Exploit"; flow:established,to_server; content:"/pdf.php?pdf="; http_uri; fast_pattern; content:"type="; http_uri; pcre:"/\/pdf\.php\?pdf=[a-f0-9]{32}&/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017862; rev:4; metadata:created_at 2013_12_16, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 49.0.2623,87 (64-bit) Linux"; ja3_hash; content:"8a8159e6abf9fe493ca87efc38855149"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028097; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack HCP Exploit"; flow:established,to_server; content:"/hcp.php?"; http_uri; fast_pattern; content:"type="; nocase; http_uri; content:"o="; nocase; http_uri; content:"b="; nocase; http_uri; pcre:"/[&?]type=\d+(?:$|&)/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017864; rev:3; metadata:created_at 2013_12_17, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 49.0.2623,87 (64-bit) Linux"; ja3_hash; content:"a7f2d0376cdcfde3117bf6a8359b2ab8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028098; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack Jar 1 Dec 16 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/cp.jar"; http_uri; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017865; rev:4; metadata:created_at 2013_12_17, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 57.0.2987.110 (64-bit) Linux"; ja3_hash; content:"d551fafc4f40f1dec2bb45980bfa9492"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028099; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack Jar 2 Dec 16 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/serial.jar"; http_uri; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017866; rev:4; metadata:created_at 2013_12_17, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 57.0.2987.110 (64-bit) Linux"; ja3_hash; content:"e330bca99c8a5256ae126a55c4c725c5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028100; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache Solr Arbitrary XSLT inclusion attack"; flow:to_server,established; content:"../../"; fast_pattern; content:"&wt=xslt"; nocase; content:"&tr="; reference:cve,CVE-2013-6397; reference:url,www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html; classtype:attempted-user; sid:2017882; rev:3; metadata:created_at 2013_12_18, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 60/61.0.3163, Google Chrome"; ja3_hash; content:"94c485bca29d5392be53f2b8cf7f4304"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028101; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for whoismama.ru"; flow:established,to_client; content:"www.whoismama.ru"; fast_pattern; nocase; reference:md5,cca1713888b0534954234cf31dd5a7d4; classtype:trojan-activity; sid:2017940; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 60/61.0.3163, Google Chrome"; ja3_hash; content:"bc6c386f480ee97b9d9e52d472b772d8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028102; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for dewart.ru"; flow:established,to_client; content:"www.deweart.ru"; fast_pattern; nocase; reference:md5,6e0a6c4a06a446f70ae1463129711122; classtype:trojan-activity; sid:2017941; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 61.0.3163,100(64-bit) Win10"; ja3_hash; content:"d3b972883dfbd24fd20fc200ad8ab22a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028103; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for anlogtewron.ru"; flow:established,to_client; content:"www.anlogtewron.ru"; fast_pattern; nocase; reference:md5,c13c3e331f05d61a7204fb4599b07709; classtype:trojan-activity; sid:2017942; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome WebSockets (48.xxxx) - also TextSecure Desktop"; ja3_hash; content:"cafd1f84716def1a414c688943b99faf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028104; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for erjentronem.ru"; flow:established,to_client; content:"www.erjentronem.ru"; fast_pattern; nocase; reference:md5,05ddaa5b6b56123e792fd67bb03376bc; classtype:trojan-activity; sid:2017943; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome WebSockets (48.xxxx)"; ja3_hash; content:"62d8823f52dd8e1ba75a9a83e8748313"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028105; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CookieBomb 2.0 In Server Response Jan 29 2014"; flow:from_server,established; file_data; content:"%66%75%6e%63%74%69%6f%6e%20%72%65%64%69%72%65%63%74"; nocase; content:"%66%75%6e%63%74%69%6f%6e%20%63%72%65%61%74%65%43%6f%6f%6b%69%65"; nocase; content:"%64%6f%52%65%64%69%72%65%63%74"; nocase; fast_pattern; reference:url,malwaremustdie.blogspot.jp/2014/01/and-another-detonating-method-of-todays.html; classtype:trojan-activity; sid:2018037; rev:5; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/30.0.1599.101"; ja3_hash; content:"c405bbbe31c0e53ac4c8448355b2af5b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028106; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 3"; dsize:>11; content:"|7b 9e|"; fast_pattern; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]+?\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,2eed956920934a78200899ef05ace0d8; classtype:command-and-control; sid:2017548; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_30, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2022_04_18;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/41.0.2272.89"; ja3_hash; content:"2c3221f495d5e4debbb34935e1717703"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028107; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET FTP Outbound Java Downloading jar over FTP"; flow:to_server,established; flowbits:isset,ET.Java.FTP.Logon; content:".jar"; nocase; fast_pattern; content:"RETR "; pcre:"/^[^\r\n]+\.jar/Ri"; classtype:misc-activity; sid:2016688; rev:3; metadata:created_at 2013_03_29, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/49.0.2623.112 WinXP"; ja3_hash; content:"248bdbc3873396b05198a7e001fbd49a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028108; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT BeEF Cookie Outbound"; flow:to_server,established; content:"Cookie|3a 20|BEEFSESSION="; fast_pattern; threshold: type limit, track by_src, seconds 300, count 1; reference:url,beefproject.com; classtype:attempted-user; sid:2018088; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_07, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/56.0.2924.87 Linux/Charles/Google Play Music Desktop Player/Postman/Slack/other desktop programs"; ja3_hash; content:"83e04bc58d402f9633983cbf22724b02"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028109; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JoomSocial AvatarUpload RCE"; flow:established,to_server; content:"func="; nocase; content:"photo"; nocase; distance:0; content:"ajaxUploadAvatar"; nocase; fast_pattern; content:"CStringHelper"; nocase; content:"escape"; nocase; distance:0; reference:url,blog.sucuri.net/2014/02/joomla-jomsocial-remote-code-execution-vulnerability.html; classtype:web-application-attack; sid:2018107; rev:9; metadata:created_at 2014_02_11, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/59.0.3071.115 Win10, node.js"; ja3_hash; content:"9811c1bb9f0f6835d5c13a831cca4173"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028110; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE10 Use After Free CVE-2014-0322"; flow:established,to_client; file_data; content:"onpropertychange"; nocase; fast_pattern; content:".outerHTML"; pcre:"/^\s*?=\s*?[^\s]+?\.outerHTML/Rsi"; content:"appendChild"; nocase; content:"getElementsByTagName"; nocase; pcre:"/^\s*?\(\s*?[\x22\x27]script[\x22\x27].+?\s(?P<vname>[^\s]+)\.onpropertychange\s*=.+?\s(?P<vname2>[^\s\x3d]+)\s*?=\s*?[^\s]*?createElement\s*?\(\s*?[\x22\x27]select[\x22\x27].+?(?P=vname)\.appendChild\(\s*?[\x22\x27]?(?P=vname2)[\x22\x27]?/Rsi"; reference:cve,2014-0322; classtype:attempted-user; sid:2018147; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/60.0.3112.113 Win10, Chromium"; ja3_hash; content:"def8761e4bcaaf91d99801a22ac6f6d4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028111; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT EMET Detection Via XMLDOM"; flow:established,from_server; file_data; content:"loadXML"; nocase; content:"parseError"; nocase; content:"res:/"; content:"AppPatch"; nocase; distance:0; pcre:"/^.+?\bEMET\.DLL/Rsi"; content:"EMET.DLL"; nocase; fast_pattern; classtype:attempted-user; sid:2018152; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chromium"; ja3_hash; content:"be9f1360cf52dc1f61ae025252f192a3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028112; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Lang Runtime in Response"; flow:from_server,established; file_data; content:!"|CA FE BA BE|"; within:4; content:"getClass"; nocase; content:"java.lang.Runtime"; nocase; fast_pattern; content:"getRuntime"; nocase; content:"exec"; nocase; content:"script"; nocase; classtype:exploit-kit; sid:2018172; rev:3; metadata:created_at 2014_02_25, former_category WEB_CLIENT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chromium"; ja3_hash; content:"fc5cb0985a5f5e295163cc8ffff8a6e1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028113; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Obfuscation Technique Used in CVE-2014-0322 Attacks"; flow:established,from_server; file_data; content:"|2f|%u([0-9a-fA-F]{1,4}"; nocase; fast_pattern; content:"decode"; nocase; pcre:"/^\s*?\(\s*?key\s*?,\s*?js\s*?/Rsi"; content:"decode"; nocase; pcre:"/^\s*?\(\s*?[^,\s]*?\s*?,\s*?[\x22\x27][a-f0-9]{100}/Rsi"; classtype:trojan-activity; sid:2018179; rev:5; metadata:created_at 2014_02_26, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Cisco AnyConnect Secure Mobility Client (3.1.09013)"; ja3_hash; content:"7f340e6caa1fa4c979df919227160ff6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028114; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER log4jAdmin access from non-local network Page Body (can modify logging levels)"; flow:established,from_server; file_data; content:"<title>Log4J Administration</title>"; fast_pattern; content:"Change Log Level To"; reference:url,gist.github.com/iamkristian/943918; classtype:web-application-activity; sid:2018203; rev:3; metadata:created_at 2014_03_04, former_category WEB_SERVER, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Cisco AnyConnect Secure Mobility Client"; ja3_hash; content:"e7d46c98b078477c4324031e0d3b22f5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028115; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013"; flow:established,to_server; content:".htm"; http_uri; fast_pattern; pcre:"/^\/\d{8,11}(\/\d)?\/1[34]\d{8}\.htm$/U"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-f0-9A-Z\_\-]{32,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017774; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_27, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Cisco AnyConnect Secure Mobility Client"; ja3_hash; content:"ed36017db541879619c399c95e22067d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028116; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK IE Exploit CVE-2013-2551 March 12 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"stroke"; nocase; content:"visibility"; nocase; content:"hidden"; nocase; distance:0; content:"|22|f"; nocase; pcre:"/^\d+([\x22\x27]\s*?,\s*[\x22\x27])?r\d+([\x22\x27]\s*?,\s*[\x22\x27])?o\d+([\x22\x27]\s*?,\s*[\x22\x27])?m\d+([\x22\x27]\s*?,\s*[\x22\x27])?C\d+([\x22\x27]\s*?,\s*[\x22\x27])?h\d+([\x22\x27]\s*?,\s*[\x22\x27])?a\d+([\x22\x27]\s*?,\s*[\x22\x27])?r\d+([\x22\x27]\s*?,\s*[\x22\x27])?c\d+([\x22\x27]\s*?,\s*[\x22\x27])?o\d+([\x22\x27]\s*?,\s*[\x22\x27])?d\d+([\x22\x27]\s*?,\s*[\x22\x27])?e\d+[\x22\x27]/Ri"; classtype:exploit-kit; sid:2018262; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_03_13, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Citrix Receiver 4.4.0.8014"; ja3_hash; content:"203157ed9f587f0cfd265061bf309823"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028117; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic HeapSpray Construct"; flow:established,from_server; file_data; content:"createElement(|22|div|22|)"; fast_pattern; content:"for("; pcre:"/^\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b(?P=var)\s*?\<\s*?(?:0x)?\d{3,4}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b[^\x7d]+?\[\s*?(?P=var)\s*?\]\s*?=\s*?document\.createElement\([\x22]div[\x22]\)[^\x7d]+?\[\s*?(?P=var)\s*?\]/Rsi"; classtype:trojan-activity; sid:2018299; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_03_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Citrix Viewer"; ja3_hash; content:"5ee1a653fb824db7182714897fd3b5df"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028118; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File .RTF File download with invalid listoverridecount"; flow:from_server,established; file_data; content:"|5c|listoverridetable"; distance:0; content:"|5c|listoverride|5c|"; fast_pattern; content:"|5c|listoverridecount"; isdataat:2,relative; pcre:"/^(?:0*?[19]\d|[^190])/R"; reference:cve,2012-2539; classtype:attempted-user; sid:2018315; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_12_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Covenant Eyes"; ja3_hash; content:"a9d17f74e55dd53fcf7c234f8a240919"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028119; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF Struct"; flow:established,to_server; content:"/13"; http_uri; fast_pattern; content:".swf"; http_uri; pcre:"/\/13[89]\d{7}.swf$/U"; flowbits:set,et.Nuclear.SWF; flowbits:noalert; classtype:exploit-kit; sid:2018360; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_04, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - CRAWLER: facebookexternalhit/1.1"; ja3_hash; content:"111da7c75fee7fe934b35a8d88eb350a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028120; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Lucky7 Java Exploit URI Struct June 28 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".php?"; http_uri; pcre:"/\/[a-z]+\.php\?[a-z]+?=\d{7}&[a-z]+?=\d{7,8}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017078; rev:7; metadata:created_at 2013_06_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Creative Cloud"; ja3_hash; content:"c882d9444412c00e71b643f3f54145ff"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028121; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY EL8 EK Landing"; flow:established,from_server; file_data; content:"lady8vhc"; nocase; fast_pattern; content:"eval(function("; classtype:exploit-kit; sid:2018405; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_04_22, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - cscan"; ja3_hash; content:"bc0608d33dc64506b42f7f5f87958f37"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028122; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Possible Grams DarkMarket Search DNS Domain Lookup"; content:"|10|grams7enufi7jmdl"; nocase; fast_pattern; classtype:policy-violation; sid:2018406; rev:4; metadata:created_at 2014_04_22, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - curl (tested: 7.22.0 on Linux)"; ja3_hash; content:"764b8952983230b0ac23dbd3741d2bb0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028123; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ftpchk3.php upload attempted"; flow:to_server,established; content:"STOR ftpchk3.php|0d 0a|"; nocase; fast_pattern; reference:url,digitalpbk.blogspot.com/2009/10/ftpchk3-virus-php-pl-hacked-website.html; reference:url,labs.mwrinfosecurity.com/system/assets/131/original/Journey-to-the-Centre-of-the-Breach.pdf; classtype:attempted-admin; sid:2018416; rev:5; metadata:created_at 2014_04_24, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - curl (tested: 7.43.0 OS X)"; ja3_hash; content:"9f198208a855994e1b8ec82c892b7d37"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028124; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack 2013-2551 May 13 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"|3a|stroke"; nocase; content:"|3a|oval"; nocase; content:"66"; pcre:"/^(?P<sep>[^\x22\x27]{0,10})75(?P=sep)6e(?P=sep)63(?P=sep)74(?P=sep)69(?P=sep)6f(?P=sep)6e(?P=sep)20/Rsi"; classtype:exploit-kit; sid:2018469; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - curl 7.35.0 (tested Ubuntu 14.x  openssl 1.0.1f)"; ja3_hash; content:"c458ae71119005c8bc26d38a215af68f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028125; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Goon/Infinity EK Landing May 05 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"/*"; pcre:"/^\d+?\*\/\s*?(?P<vname>[^\s\(\x3b]{1,20})\s*?\([^\)]+\)\s*?(?:\/\*\d+?\*\/\s*?)?\x3b\s*?(?:\/\*\d+?\*\/)?(?P=vname)\s*?(?:\/\*\d+?\*\/\s*?)?\([^\)]+\)\s*?(?:\/\*\d+?\*\/\s*?)?\x3b\s*?(?:\/\*\d+?\*\/)?(?P=vname)/Rs"; classtype:exploit-kit; sid:2018440; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - curl 7.37.0 / links 2.8 / git 2.6.6 (openSUSE Leap 42.1)"; ja3_hash; content:"e14d427fab707af91e4bbd0bf03076f8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028126; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $EXTERNAL_NET 10000: -> $HOME_NET 10000: (msg:"ET SCAN NMAP OS Detection Probe"; dsize:300; content:"CCCCCCCCCCCCCCCCCCCC"; fast_pattern; content:"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; depth:255; content:"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; within:45; classtype:attempted-recon; sid:2018489; rev:4; metadata:created_at 2014_05_21, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - curl"; ja3_hash; content:"f672d8f0e827ca1e704a9489b14dd316"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028127; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Urausy.C response"; flow:from_server,established; file_data; content:"|0d 0a|<?xml version="; depth:16; content:"<interval>"; distance:0; content:"</interval>"; distance:0; content:"<timeout>"; distance:0; content:"</timeout>"; distance:0; content:"|d1 81 d1 81 d1 8b d0 bb d0 be d0 ba 20|c&c -->"; fast_pattern; reference:md5,6213597f40ecb3e7cf2ab3ee5c8b1c70; classtype:trojan-activity; sid:2018499; rev:4; metadata:created_at 2014_05_23, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"; ja3_hash; content:"e3891da2a758d67ba921e5eec0b9707d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028128; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Various Java Exploit Common Class name"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PayloadX.class"; nocase; fast_pattern; classtype:attempted-user; sid:2018500; rev:7; metadata:affected_product Any, attack_target Client_and_Server, created_at 2014_05_27, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Customised Postfix - Damnit Matt"; ja3_hash; content:"f865de0807a17e9cb797e618162356db"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028129; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Observed with Unkown Trojan (statswas)"; flow:established,from_server; content:"|0c|statswas.com"; nocase; fast_pattern; reference:md5,9c087d528beefd22743666af772465fc; classtype:trojan-activity; sid:2018515; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_06_03, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dashlane"; ja3_hash; content:"0217dc3bd88c696cc15374db0d848de4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028130; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Adware.Wapsx.A"; flow:established, to_server; content:"/fengmian/"; fast_pattern; content:"meinv6.4.0 qiu shou gou, zhi mai 503 wan ren min bi"; http_user_agent; depth:51; content:!"Referer|3a|"; http_header; reference:md5,37e36531e6dbc3ad0954fd9bb4588fad; classtype:trojan-activity; sid:2018533; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_06_05, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Debian APT-CURL/1.0 (1.2.15)"; ja3_hash; content:"f7baf7d9da27449e823a4003e14cd623"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028131; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack Flash Exploit flash0515.php"; flow:established,to_server; content:"/flash0515.php"; fast_pattern; http_uri; nocase; classtype:exploit-kit; sid:2018540; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_06_06, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Debian APT-CURL/1.0 (1.2.20+)"; ja3_hash; content:"ec2e8760003621ca668b5f03e616cd57"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028132; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 3"; flow:established,to_server; content:"/PMConfig.dat"; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018587; rev:5; metadata:created_at 2014_06_20, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Deezer"; ja3_hash; content:"4fcd1770545298cc119865aeba81daba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028133; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Multiple EKs CVE-2013-3918"; flow:established,from_server; file_data; content:"C|3a 5c|rock.png"; nocase; fast_pattern; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; classtype:exploit-kit; sid:2018592; rev:3; metadata:created_at 2014_06_20, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox (installer?)"; ja3_hash; content:"ede63467191e9a12300e252c41ca9004"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028134; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER c99 Shell Backdoor Var Override Cookie"; flow:to_server,established; content:"c99shcook"; nocase; fast_pattern; pcre:"/c99shcook/Ci"; reference:url,thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/; classtype:trojan-activity; sid:2018602; rev:3; metadata:created_at 2014_06_24, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - DropBox (tested: 3.12.5 - Ubuntu 14.04TS & Win 10)"; ja3_hash; content:"653d342bee5001569662198a672746af"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028135; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sharik Checkin"; flow:established,to_server; dsize:10; content:"34feGaeRAd"; fast_pattern; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:command-and-control; sid:2018614; rev:2; metadata:created_at 2014_06_30, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox (Win 8.1)"; ja3_hash; content:"482a11a20da1629b77aaadf640478d13"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028136; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sharik C2 Incoming Traffic"; flow:established,from_server; dsize:18; content:"|0d 00 07 01 00 81 7c e4 04 c0 d4 01 00 19 c0 c2 04 00|"; fast_pattern; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:command-and-control; sid:2018615; rev:2; metadata:created_at 2014_06_30, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Client"; ja3_hash; content:"21ed4c7ee1daeb84c72199ceaf119b24"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028137; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Infostealer.Bancos Checkin via SMTP"; flow:to_server,established; content:"Subject|3a 20|"; content:"Foi Instalado"; nocase; fast_pattern; pcre:"/^Subject\x3a [^\r\n]+?Foi Instalado/mi"; reference:md5,7f5709c924bb1417a180a4fa8311a2e9; classtype:command-and-control; sid:2018646; rev:2; metadata:created_at 2014_07_07, former_category MALWARE, malware_family Bancos, tag Banking_Trojan, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Client"; ja3_hash; content:"30b168d81e38d9a55c474c1e30eaf9f9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028138; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed CWS"; flow:established,from_server; content:"callback=CWS"; nocase; fast_pattern; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=CWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018656; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_07_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Client"; ja3_hash; content:"f8e42933ba5b3990858ba621489047e3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028139; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed FWS"; flow:established,from_server; content:"callback=FWS"; nocase; fast_pattern; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=FWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018657; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_07_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Setup (tested: 3.10.11 on Win 8.x)"; ja3_hash; content:"2f8363419a9fb80ad46b380778d8eaf1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028140; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed ZWS"; flow:established,from_server; content:"callback=ZWS"; nocase; fast_pattern; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=ZWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018658; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_07_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Splash Pages (Win 10)"; ja3_hash; content:"c1e8322501b4d56d484b50bd7273e798"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028141; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|04|kreb"; distance:1; within:5; content:"|0d|kreb|40|kreb.com"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018902; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Windows"; ja3_hash; content:"6c141f98cd79d8b505123e555c1c3119"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028142; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Malicious Plugin Detect URI struct"; flow:established,to_server; content:"v_ja="; http_uri; nocase; fast_pattern; content:"v_f="; http_uri; nocase; content:"v_m="; http_uri; nocase; content:"v_s="; http_uri; nocase; content:"v_a="; http_uri; nocase; content:"v_q="; http_uri; nocase; content:"js="; nocase; http_uri; content:"ref="; http_uri; nocase; pcre:"/[&?]v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=/Ui"; classtype:exploit-kit; sid:2018920; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_23, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox"; ja3_hash; content:"054c9f9d304b7a2add3d6fa75bc20ae4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028143; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Trojan Dropped By Archie.EK"; flow:established,to_server; content:".exe"; http_uri; fast_pattern; pcre:"/^\/[56]\d{4}\x2c.*?\x2c[A-Z]\x3a[\x2f\x5c].+?\.exe/Ui"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,e6c91ab176887e5c79bb59277c651dfd; classtype:exploit-kit; sid:2018928; rev:4; metadata:created_at 2014_08_13, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox"; ja3_hash; content:"36bc8c7e10647bbfea3f740e7f05c0f1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028144; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious X-mailer Synapse"; flow:established,to_server; content:"produced by Synapse"; fast_pattern; content:"X|2d|mailer|3a 20|Synapse|20 2d 20|Pascal TCP|2f|IP library by Lukas Gebauer"; reference:md5,954acc71ffaa7010c603d74e76dfc70b; reference:url,www.joewein.net/spam/spam-joejob.htm; classtype:trojan-activity; sid:2018936; rev:3; metadata:created_at 2014_08_14, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dynalist/Postman/Google Chrome/Franz/GOG Galaxy"; ja3_hash; content:"4c40bf8baa7c301c5dba8a20bc4119e2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028145; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Social Engineering Toolkit JAR filename detected"; flow:established,to_client; content:"<applet"; content:"Signed_Update.jar"; fast_pattern; reference:url,trustedsec.com/downloads/social-engineer-toolkit/; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:2018970; rev:4; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_08_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, tag DriveBy, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse"; ja3_hash; content:"0411bbb5ff27ad46e1874a7a8beedacb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028146; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any 873 -> any any (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys successful exfiltration"; flow:from_server,established; content:"ssh-rsa"; fast_pattern; flowbits:isset,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019089; rev:3; metadata:created_at 2014_08_29, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse"; ja3_hash; content:"4990c9da08f44a01ecd7ddc3837caf25"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028147; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys successful upload"; flow:to_server,established; content:"ssh-rsa"; fast_pattern; flowbits:isset,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019090; rev:3; metadata:created_at 2014_08_29, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse"; ja3_hash; content:"fa106fe5beec443af7e211ef8902e7e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028148; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi access attempt"; flow:to_server,established; dsize:4; content:"cmi|0a|"; fast_pattern; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019087; rev:5; metadata:created_at 2014_08_29, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse/java"; ja3_hash; content:"d74778f454e2b047e030b291b94dd698"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028149; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys access attempt"; flow:to_server,established; content:"cmi/var/ssh/root/authorized_keys"; fast_pattern; flowbits:set,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019088; rev:4; metadata:created_at 2014_08_29, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Facebook iOS"; ja3_hash; content:"576a1288426703ae0008c42f95499690"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028150; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe guessing router password 2"; flow:established,from_server; file_data; content:"dnsPrimary="; nocase; fast_pattern; content:"dnsSecondary="; nocase; content:"dnsDynamic="; nocase; content:"rebootinfo.cgi"; nocase; reference:url,securelist.com/blog/incidents/66358/web-based-attack-targeting-home-routers-the-brazilian-way/; classtype:attempted-user; sid:2019112; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_09_04, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Feedly/1.0, java,eclipse,Cyberduck"; ja3_hash; content:"f22bdd57e3a52de86cda40da2d84e83b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028151; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Silverlight URI Struct"; flow:established,to_server; content:".xap"; http_uri; fast_pattern; content:"/1"; http_uri; pcre:"/\/1(?:3[89]\d{7}|4\d{8})\.xap$/U"; classtype:exploit-kit; sid:2019167; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_12, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - fetchmail 6.3.26 (openSUSE Leap 42.1)"; ja3_hash; content:"a698fe6c52d210e3376bb6667729d4d2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028152; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|02|eu|00|"; fast_pattern; pcre:"/\x00\x07[a-z0-9]{7}\x02eu\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:command-and-control; sid:2014372; rev:6; metadata:created_at 2012_03_14, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - FieldServiceApp/socialstudio"; ja3_hash; content:"1fbe5382f9d8430fe921df747c46d95f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028153; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|02|ru|00|"; fast_pattern; pcre:"/[^a-z0-9\-\.][a-z]{32,48}\x02ru\x00\x00/"; classtype:command-and-control; sid:2014376; rev:4; metadata:created_at 2012_03_14, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 24.0 Iceweasel24.3.0"; ja3_hash; content:"3d99dda4f6992b35fdb16d7ce1b6ccba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028154; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Redirect Sept 18 2014"; flow:established,to_server; content:".php?ds="; http_uri; fast_pattern; content:"&dr="; http_uri; pcre:"/&dr=\d+$/U"; reference:url,blog.malwarebytes.org/exploits-2/2014/07/socialblade-com-compromised-starts-redirection-chain-to-nuclear-pack-exploit-kit/; classtype:exploit-kit; sid:2019194; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_18, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 25.0"; ja3_hash; content:"c57914fadb301a73e712378023b4b177"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028155; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Redirect Sept 18 2014"; flow:established,to_server; content:".php?acc="; http_uri; fast_pattern; content:"&nrk="; http_uri; pcre:"/&nrk=\d+$/U"; classtype:exploit-kit; sid:2019195; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_18, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 26.0, Firefox/26.0"; ja3_hash; content:"755cdaa3496eb8728247a639dee17aad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028156; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit"; flow:established,to_client; file_data; content:".execCommand|28|"; nocase; pcre:"/^[\r\n\s]*[\x22\x27]selectAll/Ri"; content:"YMjf\\u0c08\\u0c0cKDog"; fast_pattern; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2015712; rev:6; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, created_at 2012_09_18, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Web_Client_Attacks, tag Metasploit, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 27.0"; ja3_hash; content:"ff9223b5c9a5d44a8a423833751fa158"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028157; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OneLouder EXE download possibly installing Zeus P2P"; flow:to_client,established; flowbits:isset,ET.OneLouderHeader; file_data; content:"MZ"; within:2; content:"PE|00 00|"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019103; rev:5; metadata:created_at 2014_09_03, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 3.0.19"; ja3_hash; content:"df9bedd5713fe0cc2e9184d7c16a5913"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028158; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK PDF"; flow:established,from_server; flowbits:isset,et.Nuclear.PDF; content:"Content-Disposition|3a|"; http_header; content:".pdf|0d 0a|"; http_header; fast_pattern; content:"X-Powered-By|3a|"; http_header; content:"nginx"; http_header; nocase; pcre:"/^Content-Disposition\x3a[^\r\n]+(?<!\W14\d{8})\.pdf\r?$/Hm"; file_data; content:"|25|PDF-1.6"; within:8; classtype:exploit-kit; sid:2019210; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_22, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 3.5 - 3.6, Firefox 3.5.19  3.6.27  SeaMonkey 2.0.14"; ja3_hash; content:"4a9bd55341e1ffe6fedb06ad4d3010a0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028159; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Gate Sep 16 2014"; flow:established,from_server; file_data; content:"16.html"; fast_pattern; content:"etCookie"; content:"document.write(|27|<iframe"; pcre:"/^(?=(?:(?!<\/iframe>).)+?src\s*?=\s*?\x22http\x3a[^\x22]+16\.html\x22)(?=(?:(?!<\/iframe>).)+?left\s*?[\x3a\x3d]\s*?[\x22\x27]?\-)(?=(?:(?!<\/iframe>).)+?top\s*?[\x3a\x3d]\s*?[\x22\x27]?\-)(?:(?!<\/iframe>).)+?<\/iframe>\x27\x29/Rsi"; classtype:exploit-kit; sid:2019185; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_16, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 40.0.3 (tested Windows 8), Firefox/37.0"; ja3_hash; content:"2872afed8370401ec6fe92acb53e5301"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028160; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK 2013-3918"; flow:established,from_server; content:"X-Powered-By|3a|"; http_header; file_data; content:"C|3a 5c|Rock.png"; nocase; fast_pattern; content:"|7b|return"; pcre:"/^\s*?[A-Z0-9a-z\+]+?\s*?\x7d/R"; content:"|7d|function"; content:"|3b|function"; classtype:exploit-kit; sid:2019226; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_24, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 46.0"; ja3_hash; content:"46129449560e5731dc9c5106f111a3db"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028161; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible Job314 EK JAR URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".pack.gz"; http_uri; pcre:"/^(?=(?:\/[a-z]+?)*?\/\d+\/)(?=(?:\/\d+?)*?\/[a-z]+?\/)(?:\/(?:[a-z]+|\d+)){4,}\/[a-z]+\.pack\.gz$/U"; classtype:exploit-kit; sid:2019288; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_09_27, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 46.0"; ja3_hash; content:"d06b3234356cb3df0983fc8dd02ece68"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028162; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion LF"; flow:to_server,established; content:"|28 29 0a 20 7b|"; fast_pattern; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; classtype:attempted-admin; sid:2019291; rev:3; metadata:created_at 2014_09_28, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 47.0 2"; ja3_hash; content:"05ece02fb23acf2efbfff54ce4099a45"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028163; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion CRLF"; flow:to_server,established; content:"|28 29 0d 0a 20 7b|"; fast_pattern; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; classtype:attempted-admin; sid:2019292; rev:4; metadata:created_at 2014_09_28, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 47.x 1 / FireFox 47.x (Windows 7SP1)"; ja3_hash; content:"aa907c2c4720b6f54cd8b67a14cef0a3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028164; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Job314 EK Landing"; flow:established,from_server; file_data; content:"|22|container|22|,|20 22|10|22|,"; fast_pattern; content:"swfobject.embedSWF"; nocase; pcre:"/^\s*?\x28\s*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?(?P=q)\s*?\,\s*?[\x22\x27]container[\x22\x27]\s*?,\s*?[\x22\x27]10[\x22\x27]\s*?,\s*?[\x22\x27]10[\x22\x27],\s*?[\x22\x27]9\.0\.0[\x22\x27]\s*?,\s*?false\s*?,\s*?flashvars,\s*?params\s*?,\s*?attributes\s*?\x29\s*?\x3b\s*?<\/script>\s*?<\/head>/Rs"; classtype:exploit-kit; sid:2019287; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_09_27, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 49 (dev edition)"; ja3_hash; content:"f586111542f330901d9a3885a9c821b5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028165; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible bash shell piped to dev udp Inbound to WebServer"; flow:established,to_server; content:"/dev/udp/"; fast_pattern; classtype:bad-unknown; sid:2019314; rev:4; metadata:created_at 2014_09_29, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 49 (TLSv1.3 enabled - I think websockets)"; ja3_hash; content:"1996e434b11323df4e87f8fe0e702209"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028166; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible bash shell piped to dev tcp Inbound to WebServer"; flow:established,to_server; content:"/dev/tcp/"; fast_pattern; classtype:bad-unknown; sid:2019285; rev:4; metadata:created_at 2014_09_26, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 49 (TLSv1.3 enabled)"; ja3_hash; content:"8ed0a2cdcad81fc29313910eb94941d8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028167; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp any 67 -> any 68 (msg:"ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK"; content:"|02 01|"; depth:2; content:"|28 29 20 7b|"; fast_pattern; reference:url,access.redhat.com/articles/1200223; reference:cve,2014-6271; classtype:attempted-admin; sid:2019237; rev:5; metadata:created_at 2014_09_25, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 49.0a2 Developer TLS 1.3 enabled"; ja3_hash; content:"8b18c5b0c54cba1ffb2438fe24792b63"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028168; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server; content:"|28 29 20 7b|"; fast_pattern; reference:url,github.com/zaf/sipshock; classtype:attempted-admin; sid:2019289; rev:4; metadata:created_at 2014_09_27, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 63.0"; ja3_hash; content:"b20b44b18b853ef29ab773e921b03422"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028169; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; reference:url,github.com/zaf/sipshock; classtype:attempted-admin; sid:2019290; rev:3; metadata:created_at 2014_09_27, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"0a81538cf247c104edb677bdb8902ed5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028170; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible Qmail CVE-2014-6271 Mail From attempt"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; pcre:"/^mail\s*?from\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b/mi"; reference:url,marc.info/?l=qmail&m=141183309314366&w=2; classtype:attempted-admin; sid:2019293; rev:3; metadata:created_at 2014_09_29, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"0b6592fd91d4843c823b75e49b43838d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028171; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp any any -> $HOME_NET 1194 (msg:"ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt"; flow:to_server; content:"|20|"; depth:1; content:"|28 29 20 7b|"; fast_pattern; reference:url,news.ycombinator.com/item?id=8385332; classtype:attempted-admin; sid:2019322; rev:3; metadata:created_at 2014_09_30, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"1c15aca4a38bad90f9c40678f6aface9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028172; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> $HOME_NET 1194 (msg:"ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt"; flow:to_server,established; content:"|20|"; depth:1; content:"|28 29 20 7b|"; fast_pattern; reference:url,news.ycombinator.com/item?id=8385332; classtype:attempted-admin; sid:2019323; rev:3; metadata:created_at 2014_09_30, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"5163bc7c08f57077bc652ec370459c2f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028173; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible Pure-FTPd CVE-2014-6271 attempt"; flow:to_server,established; content:"|28 29 20 7b 20|"; fast_pattern; reference:url,gist.github.com/jedisct1/88c62ee34e6fa92c31dc; reference:cve,2014-6271; classtype:attempted-admin; sid:2019335; rev:2; metadata:created_at 2014_10_02, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"a88f1426c4603f2a8cd8bb41e875cb75"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028174; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert smtp any any -> any any (msg:"ET SMTP Possible ComputerCop Log Transmitted via SMTP"; flow:to_server,established; content:"Subject|3a 20|CCOP|20|"; nocase; fast_pattern; reference:url,www.eff.org/deeplinks/2014/09/computercop-dangerous-internet-safety-software-hundreds-police-agencies; classtype:trojan-activity; sid:2019340; rev:3; metadata:created_at 2014_10_02, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"b03910cc6de801d2fcfa0c3b9f397df4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028175; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Reply Sinkhole - irc-sinkhole.cert.pl"; flow:established,from_server; content:"|3a|irc|2d|sinkhole|2e|cert|2e|pl"; nocase; fast_pattern; content:"|3a|End of MOTD command|2e|"; classtype:trojan-activity; sid:2019354; rev:2; metadata:created_at 2014_10_06, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"bfcc1a3891601edb4f137ab7ab25b840"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028176; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF Struct"; flow:established,to_server; content:"/14"; fast_pattern; http_uri; pcre:"/\/14\d{8}(?:\.swf)?$/U"; flowbits:set,et.Nuclear.SWF; flowbits:noalert; classtype:exploit-kit; sid:2018361; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_04, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"f15797a734d0b4f171a86fd35c9a5e43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028177; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK PDF Struct (no alert)"; flow:established,to_server; content:"/14"; http_uri; fast_pattern; pcre:"/\/14\d{8}(?:\.pdf)?$/U"; flowbits:set,et.Nuclear.PDF; flowbits:noalert; classtype:exploit-kit; sid:2019209; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_22, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/10.0.11esrpre Iceape/2.7.12"; ja3_hash; content:"55f2bd38d462d74fb6bb72d3630aae16"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028178; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Oct 5 2014"; flow:established,from_server; flowbits:isset,et.Nuclear.Payload; content:".exe"; http_header; fast_pattern; content:"Content-Disposition|3a|"; http_header; pcre:"/^Content-Disposition\x3a.+?filename\s*?=\s*?[\x22\x27]?\d\.exe/Hm"; classtype:exploit-kit; sid:2019359; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/13.0-25.0"; ja3_hash; content:"85c420ab089dac5025034444789a8fb5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028179; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-1347 M1"; flow:established,from_server; file_data; content:"SharePoint.OpenDocuments.3"; nocase; content:"SharePoint.OpenDocuments.4"; nocase; content:"|3a|ANIMATECOLOR "; nocase; content:"ms-help|3a 2f 2f|"; fast_pattern; nocase; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019371; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/14.0.1 Linux"; ja3_hash; content:"847b0c334fd0f6f85457054fabff3145"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028180; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M1"; flow:established,from_server; file_data; content:"#default#VML"; fast_pattern; content:"dword2data"; content:"localhost"; content:".swf"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019368; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/25.0"; ja3_hash; content:"e98db583389531a37f2fe8d251f0f7ae"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028181; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6271 malicious DNS response"; byte_test:1,&,128,2; content:"|28 29 20 7b|"; fast_pattern; reference:cve,2014-6271; reference:url,packetstormsecurity.com/files/128650; classtype:attempted-admin; sid:2019402; rev:2; metadata:created_at 2014_10_15, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/27.0-32.0, IceWeasel 31.8.0"; ja3_hash; content:"cc9bcf019b339c01d200515d1cb39092"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028182; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DNS"; byte_test:1,&,128,4; content:"|28 29 20 7b|"; fast_pattern; reference:cve,2014-6271; reference:url,packetstormsecurity.com/files/128650; classtype:attempted-admin; sid:2019403; rev:2; metadata:created_at 2014_10_15, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/28.0-30.0"; ja3_hash; content:"45d22e6403f053bfb2cc223755588533"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028183; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download with Hurricane Panda IOC"; flow:to_client,established; flowbits:isset,ET.http.binary; file_data; content:"woqunimalegebi"; fast_pattern; reference:url,blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/; reference:cve,2014-4113; classtype:attempted-user; sid:2019421; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/31 Linux, firefox"; ja3_hash; content:"ce694315cbb81ce95e6ae4ae8cbafde6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028184; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JST Perl IrcBot download"; flow:to_client,established; file_data; content:"JST Perl IrcBot"; fast_pattern; content:!"<html"; reference:url,pastebin.com/HK8riv9Q; reference:url,www.binarydefense.com/bds/active-shellshock-smtp-botnet-campaign/; reference:md5,77a6c50a06b59df0f3d099b1819a01d9; classtype:trojan-activity; sid:2019509; rev:3; metadata:created_at 2014_10_27, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/32.0"; ja3_hash; content:"8df37d4e7430e2d9a291ae9ee500a1a9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028185; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32/Chanitor.A Domain in SNI"; flow:established,to_server; content:"svcz25e3m4mwlauz."; fast_pattern; classtype:trojan-activity; sid:2019518; rev:3; metadata:created_at 2014_10_27, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/33.0"; ja3_hash; content:"5ba6ed04b246c96c6839e0268a8b826f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028186; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP SNMP trap Format String detected"; content:"%s"; fast_pattern; reference:bugtraq,16267; reference:cve,2006-0250; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=22493; classtype:attempted-recon; sid:2100227; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/33.0"; ja3_hash; content:"c5392af25feaf95cfefe858abd01c86b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028187; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoExec Macro"; flow:established,to_client; file_data; content:"A|00|u|00|t|00|o|00|E|00|x|00|e|00|c"; nocase; fast_pattern; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019614; rev:3; metadata:created_at 2014_10_31, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/34.0-35.00"; ja3_hash; content:"9250f97ba65d86e7b0e60164c820d91a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028188; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Hikit Server Authentication Response"; flow:established; content:"ETag|3a 20|"; content:"75BCD15"; fast_pattern; pcre:"/^ETag\x3a\x20\x22\d+75BCD15\d+\x3a[a-f0-9]{1,6}/mi"; reference:url,www.novetta.com/files/9914/1446/8050/Hikit_Analysis-Final.pdf; classtype:trojan-activity; sid:2019621; rev:3; metadata:created_at 2014_10_31, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/34.0-35.00"; ja3_hash; content:"ab834ac5135f2204d473878821979cea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028189; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bedep SSL Cert"; flow:established,from_server; content:"|09 00 c9 80 9a 85 50 97 cc 97|"; fast_pattern; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"|0b|Company Ltd"; distance:1; within:12; content:"|55 04 0b|"; content:"|06|office"; distance:1; within:7; reference:url,malware-traffic-analysis.net/2014/11/02/index.html; reference:md5,11837229f834d296342b205433e9bc48; classtype:trojan-activity; sid:2019646; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/37.0, Google Chrome 45.0.2454.85 or FireFox 41-42"; ja3_hash; content:"514058a66606ae870bcc670e95ca7e68"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028190; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Archie.EK Landing"; flow:established,to_client; file_data; content:"|2f|Trident|5c 2f|(|5c|d)|2f|i"; content:"Exploit.class"; nocase; fast_pattern; reference:cve,2014-2820; classtype:exploit-kit; sid:2018933; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/38 Linux"; ja3_hash; content:"edf844351bc867631b5ebceda318669b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028191; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe guessing router password 1"; flow:established,from_server; file_data; content:"dnsPrimary="; nocase; fast_pattern; content:"dnsSecondary="; nocase; content:"dnsDynamic="; nocase; content:"dnsconfig.cgi"; nocase; reference:url,securelist.com/blog/incidents/66358/web-based-attack-targeting-home-routers-the-brazilian-way/; classtype:attempted-user; sid:2019111; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_09_04, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/40.1 Windows 7"; ja3_hash; content:"05af1f5ca1b87cc9cc9b25185115607d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028192; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Nov 07 2014"; flow:established,from_server; flowbits:isset,et.Nuclear.Payload; content:".dll"; http_header; fast_pattern; content:"Content-Disposition|3a|"; http_header; pcre:"/^Content-Disposition\x3a.+?filename\s*?=\s*?[\x22\x27]?\d\.dll/Hm"; classtype:exploit-kit; sid:2019676; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_11_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/45.0 Linux, firefox,thunderbird"; ja3_hash; content:"07b4162d4db57554961824a21c4a0fde"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028193; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Archie EK Payload Checkin POST"; flow:established,to_server; content:"POST"; http_method; content:"integritylvl="; depth:13; http_client_body; content:"&osversion="; distance:0; http_client_body; content:"&iselevated="; distance:0; http_client_body; content:"&iever="; distance:0; http_client_body; content:"&isnet20inst="; http_client_body; fast_pattern; content:!"Referer|3a|"; http_header; reference:md5,41c0cdde6be5166606008b2d02f3a128; classtype:exploit-kit; sid:2019679; rev:4; metadata:created_at 2014_11_08, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/51.0 Windows 10, firefox,thunderbird"; ja3_hash; content:"61d0d709fe7ac199ef4b2c52bc8cef75"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028194; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Oct 5 2014 (no alert)"; flow:established,to_server; content:"/14"; http_uri; fast_pattern; pcre:"/\/14\d{8}(?:\/\d+)*?(?:\/x[a-f0-9]+[\x3b0-9]*)?$/U"; flowbits:set,et.Nuclear.Payload; flowbits:noalert; classtype:exploit-kit; sid:2019358; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/52 Linux"; ja3_hash; content:"4e66f5ad78f3d9ad8d5c7c88d138db43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028195; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT GENERIC VB ShellExecute Function Inside of VBSCRIPT tag"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"shellexecute"; nocase; fast_pattern; content:"<script "; nocase; pcre:"/^[^>]*?(?:language\s*?=\s*?[\x22\x27]vbscript[\x22\x27]|type\s*?=\s*?[\x22\x27]text/vbscript[\x22\x27](?:(?!<\/script>).)+?\WShellExecute)/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019707; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_14, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/52"; ja3_hash; content:"ca0f3f4c08cbd372720beb1af7d2721f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028196; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure obfuscated CVE-2014-6332"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"Xor"; nocase; pcre:"/^\W/R"; content:"Execute"; nocase; content:"&chr"; nocase; content:"UBound"; fast_pattern; nocase; content:"Cint"; nocase; pcre:"/^\W/R"; content:"Split"; nocase; pcre:"/^\W/R"; content:"Mid"; pcre:"/^\W/R"; content:"Len"; pcre:"/^\W/R"; reference:cve,2014-6332; classtype:attempted-user; sid:2019715; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/55 Windows 10"; ja3_hash; content:"1885aa9927f99ed538ed895d9335995c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028197; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT GENERIC Possible IE Memory Corruption CollectGarbage with DOM Reset"; flow:established,to_client; file_data; content:"unescape"; nocase; content:"%u"; nocase; content:"CollectGarbage"; nocase; fast_pattern; content:"innerHTML"; nocase; pcre:"/^\s*?=\s*?(?:undefined|false|null|-?0|NaN|\x22\x22|\x27\x27)/Rsi"; classtype:attempted-user; sid:2019730; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/55/56 Mac/Win/Linux"; ja3_hash; content:"0ffee3ba8e615ad22535e7f771690a28"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028198; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bamital Checkin Response 2"; flow:established,from_server; file_data; content:"$$$$"; fast_pattern; pcre:"/^<(?P<var1>[a-z])>[a-z0-9/]+<\/(?P=var1)><(?P<var2>[a-z])>[a-z0-9/]+<\/(?P=var2)>$$$$/i"; classtype:command-and-control; sid:2019758; rev:3; metadata:created_at 2014_11_20, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/56.0 Windows 10"; ja3_hash; content:"be1a7de97ea176604a3c70622189d78d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028199; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a *.cvredirect.no-ip.net domain - CoinLocker Domain"; flow:to_server,established; content:"cvredirect.no-ip.net"; fast_pattern; http_header; pcre:"/^Host\x3a[^\r\n]+?cvredirect.no-ip.net/Hmi"; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:bad-unknown; sid:2019789; rev:5; metadata:created_at 2014_11_24, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/6.0.1 - 12.0"; ja3_hash; content:"2aef69b4ba1938c3a400de4188743185"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028200; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a *.cvredirect.ddns.net domain - CoinLocker Domain"; flow:to_server,established; content:"cvredirect.ddns.net"; fast_pattern; http_header; pcre:"/^Host\x3a[^\r\n]+?cvredirect.ddns.net/Hmi"; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:bad-unknown; sid:2019791; rev:3; metadata:created_at 2014_11_24, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Flux"; ja3_hash; content:"504ecb2d3e5e83a179316f098dadbaeb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028201; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VirRansom/VirLock Checkin"; flow:established,to_server; dsize:4; content:"|94 00 00 00|"; fast_pattern; flowbits:set,ET.VirLock; flowbits:noalert; reference:md5,fbeb6ebd498d85b1f404d7bb4acc3b89; classtype:command-and-control; sid:2019901; rev:2; metadata:created_at 2014_12_10, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Franz/Google Chrome/Kiwi/Spotify/nwjs/Slack"; ja3_hash; content:"8498fe4268764dbf926a38283e9d3d8f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028202; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE VirRansom/VirLock Checkin Response"; flow:established,from_server; dsize:4; content:"|74 01 00 00|"; fast_pattern; flowbits:isset,ET.VirLock; reference:md5,fbeb6ebd498d85b1f404d7bb4acc3b89; classtype:command-and-control; sid:2019902; rev:2; metadata:created_at 2014_12_10, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - FullTilt Poker v16.5 (OS X) #1"; ja3_hash; content:"a6090977601dc1345948f101e46d5759"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028203; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Trojan.SpamBanker Report via SMTP"; flow:established,to_server; content:"From|3a|"; content:"Subject|3a 20|Keylogger"; fast_pattern; nocase; content:"X-Library|3a 20|Indy"; pcre:"/^Keylogger\r$/m"; reference:md5,9c1aac05bd3212a3abcd7cce9c6c4c77; classtype:trojan-activity; sid:2019931; rev:2; metadata:created_at 2014_12_13, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - FullTilt Poker v16.5 (OS X) or DropBox"; ja3_hash; content:"f1b9f86645cb839bd6992e848d943898"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028204; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Trojan/Downloader.Fosniw.sap Reporting via SMTP"; flow:established,to_server; content:"From|3a|"; content:"Subject|3a 20|keylogger(v0."; fast_pattern; nocase; content:"@UserName"; content:"@ComputerName"; reference:md5,e36469241764b8c954a700146ca4c43f; classtype:trojan-activity; sid:2019933; rev:2; metadata:created_at 2014_12_13, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Fuze"; ja3_hash; content:"900c1fa84b4ea86537e1d148ee16eae8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028205; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE SpamBanker message"; flow:to_server,established; content:"NEGOCIO_ONLINE|2e|"; fast_pattern; nocase; content:"|0d 0a|Content-Disposition|3a 20|attachment"; content:"filename|3d|"; nocase; distance:0; pcre:"/^[\x22\x27]NEGOCIO_ONLINE(\.(?:zip|exe))[\x27\x22]\x0d\x0a/Ri"; reference:url,tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=36677; classtype:trojan-activity; sid:2019937; rev:4; metadata:created_at 2014_12_15, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - geod"; ja3_hash; content:"107144b88827da5da9ed42d8776ccdc5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028206; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Infostealer.Bancos Sending Stolen info SMTP"; flow:to_server,established; content:"X-Library|3a 20|Indy"; content:"BIGFONE TOCOU"; fast_pattern; content:"Nome Comp"; reference:md5,f71c41b816eadf221e188f6618798969; classtype:trojan-activity; sid:2019938; rev:2; metadata:created_at 2014_12_15, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - geod"; ja3_hash; content:"c46941d4de99445aef6b497679474cf4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028207; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Sep 29 2014"; flow:from_server,established; file_data; content:"|28 2f 5b 40 5c 2a 5c 2d 5d 2f 67 2c 27 27 29|"; fast_pattern; content:"return"; pcre:"/^\s[^\r\n]*?[\x28\x5b]\s*?[\x22\x27][^\x22\x27]?s[^\x22\x27]?u[^\x22\x27]?b[^\x22\x27]?s[^\x22\x27]?t[^\x22\x27]?r[^\x22\x27]?[\x22\x27]\s*?[\x29\x5d]\s*?(?:\x5d\s*?)?\x28/R"; classtype:exploit-kit; sid:2019315; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_30, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - git commandline (tested: 1.9. Linux)"; ja3_hash; content:"3e765b7a69050906e5e48d020921b98e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028208; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET MALWARE ZhCAT.HackTool Operation Cleaver HTTP CnC Beacon"; flow:established,to_server; content:"POST file.php HTTP/1."; depth:21; content:"|20 28 20|compatible"; fast_pattern; reference:url,www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:command-and-control; sid:2019943; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Git-Bash (Tested v2.6.0) / curl 7.47.1 (cygwin)"; ja3_hash; content:"d0df7f7c9ca173059b2cd17ce5c2e5cc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028209; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 22 2014 Video"; flow:established,to_server; content:"/video.php?id="; fast_pattern; http_uri; pcre:"/\/video.php\?id=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2019989; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - GitHub Desktop (tested build 216 on OSX)"; ja3_hash; content:"f8c50bbee59c526ca66da05f3dc4b735"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028210; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 22 2014 Player"; flow:established,to_server; content:"/player.php?pid="; fast_pattern; http_uri; pcre:"/\/player.php\?pid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2019990; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Glympse Location Tracking??"; ja3_hash; content:"c5cbafbbcf53dfbfc2a803ca3833fce2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028211; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 22 2014 Search"; flow:established,to_server; content:"/search.php?pid="; fast_pattern; http_uri; pcre:"/\/search.php\?pid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2019991; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - GMail SMTP Relay"; ja3_hash; content:"a3b2fe29619fdcb7a9422b8fddb37a67"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028212; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 6"; flow:established; content:"|09 22 33 30 28 35 2c|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020000; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - GNU Wget 1.16.1 built on darwin14.0.0"; ja3_hash; content:"94b94048a438e77122fc4eee3a6a4a26"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028213; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 7"; flow:established; content:"|13 2f 22 35 22 67 26 35 22 29 27 33 67 28 37 22 29 67 37 28 35 33 34 69|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020001; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - GNUTLS Commandline"; ja3_hash; content:"0267b752d6a8b5fd195096b41ea5839c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028214; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any 488 -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 1"; flow:established,from_server; content:"|60 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020007; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - golang (tested: 1.4.1)"; ja3_hash; content:"f11b0fca6c063aa69d8d39e0d68b6178"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028215; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> any 488 (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 2"; flow:established,to_server; content:"|60 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020008; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Calendar Agent (Tested on OSX)"; ja3_hash; content:"07ef3a7f5f8ffef08affb186284f2af4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028216; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 4"; flow:established; content:"|8a 10 80 c2 67 80 f2 24 88 10|"; fast_pattern; content:"|8a 10 80 f2 24 80 ea 67 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020010; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (43.0.2357.130 64-bit OSX)"; ja3_hash; content:"abe568de919448adcd756aea9a136aea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028217; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any 488 -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 5"; flow:established,from_server; content:"|65 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020011; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (Android)"; ja3_hash; content:"400961c8161ba7661a7029d3f7e8bb95"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028218; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> any 488 (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 6"; flow:established,to_server; content:"|65 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020012; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (tested: 43.0.2357.130 64-bit OSX)"; ja3_hash; content:"072c0469aa4f2f597bb38bcc17095c51"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028219; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 8"; flow:established; content:"|8a 10 80 ea 62 80 f2 b4 88 10|"; fast_pattern; content:"|8a 10 80 f2 b4 80 c2 62 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020014; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (tested: 43.0.2357.130 64-bit OSX)"; ja3_hash; content:"696cd0c8c241e19e3d6336c3d3d9e2e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028220; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 9"; flow:established; content:"|8a 10 80 c2 4e 80 f2 79 88 10|"; fast_pattern; content:"|8a 10 80 f2 79 80 ea 4e 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020015; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (tested: 43.0.2357.130 64-bit OSX)"; ja3_hash; content:"c40b51e2a59425b6a2b500d569962a60"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028221; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Proxy Tool 1"; flow:established; content:"|8a 10 80 c2 3a 80 f2 73 88 10|"; fast_pattern; content:"|8a 10 80 f2 73 80 ea 3a 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020017; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome 45.0.2454.101"; ja3_hash; content:"e8aabc4fe1fc8d47c648d37b2df7485f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028222; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT TCP Checkin 1"; flow:established,to_server; dsize:24; content:"|08 00 1b 00 00 00 1b 00 00 00 02 00 00 00 00 00 00 00 00 00|"; fast_pattern; content:"|00 00 00 00 |"; offset:20; depth:4; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020024; rev:3; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome 46.0.2490.71 m"; ja3_hash; content:"7ea3e17d09294aee8425ae05588f0c66"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028223; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Dropped by RIG EK"; flow:established,to_server; content:"/Prack"; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|InetURL/1.0|0d 0a|"; http_header; reference:md5,18fa3ab45c6fa9da218dd4c35688c5f4; classtype:exploit-kit; sid:2020070; rev:4; metadata:created_at 2014_12_26, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome 46.0.2490.71"; ja3_hash; content:"a9030ea4837810ce89fb8a3d39ca12ed"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028224; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Dec 29 2014"; flow:from_server,established; file_data; content:"|2f 67 2c 27 27 29 3b 7d 65 6c 73 65 7b 72 65 74 75 72 6e|"; fast_pattern; content:"Function"; pcre:"/^\s*?\x28\s*?[\x22\x27](?P<var1>[^\x22\x27]+)[\x22\x27]\s*,\s*[\x22\x27]if\s*?\x28(?P=var1)\s*\!\s*=\s*[\x27\x22][\x22\x27]\s*?\x29\s*?\{\s*?(?P<var2>[^\s\x3d]+)\s*?=\s*?(?P=var1)\s*?\[/Rs"; classtype:exploit-kit; sid:2020082; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_30, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome Helper"; ja3_hash; content:"0e46737668fe75092919ee047a0b5945"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028225; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Cushion Redirection URI Struct Mon Jan 05 2015"; flow:established,to_server; urilen:13; content:"/get_gift.php"; http_uri; fast_pattern; classtype:trojan-activity; sid:2020091; rev:3; metadata:created_at 2015_01_05, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome Helper"; ja3_hash; content:"39fa85654105398ee7ef6a3a1c81d685"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028226; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.A Checkin x86"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 32 32|"; fast_pattern; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:command-and-control; sid:2020150; rev:2; metadata:created_at 2015_01_07, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome Helper"; ja3_hash; content:"4ba7b7022f5f5e1e500bb19199d8b1a4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028227; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.A Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 64 32|"; fast_pattern; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:command-and-control; sid:2020151; rev:2; metadata:created_at 2015_01_07, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"002205d0f96c37c5e660b9f041363c11"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028228; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 9000:10000 (msg:"ET MALWARE Win32/Recslurp.D C2 Request (no alert)"; flow:established,to_server; dsize:4; content:"|e8 03 00 00|"; fast_pattern; flowbits:set,ET.Reslurp.D.Client; flowbits:noalert; reference:md5,fcf364abd9c82d89f8d0b4b091276b41; classtype:command-and-control; sid:2020154; rev:3; metadata:created_at 2015_01_08, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"073eede15b2a5a0302d823ecbd5ad15b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028229; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mini/Cosmic Duke variant FTP upload"; flow:established,to_server; content:"STOR "; pcre:"/^[A-F0-9]{48}\.bin\r\n/R"; content:".bin|0d 0a|"; fast_pattern; reference:url,f-secure.com/weblog/archives/00002780.html; classtype:targeted-activity; sid:2020158; rev:3; metadata:created_at 2015_01_08, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"0b61c673ee71fe9ee725bd687c455809"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028230; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Probable malicious download from e-mail link /1.php"; flow:established,to_server; content:"GET"; http_method; content:"/1.php?r"; http_uri; fast_pattern; content:!"Referer|3a 20|"; http_header; pcre:"/\/1\.php\?r$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019894; rev:4; metadata:created_at 2014_12_09, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"6cd1b944f5885e2cfbe98a840b75eeb8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028231; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Jan 19 2014"; flow:established,from_server; file_data; content:"|73 74 61 72 74 7C 7C 30|"; nocase; fast_pattern; content:"|24 2c|"; pcre:"/^\s*?\x73\x74\x61\x72\x74\s*?\x29\s*?\x7b\s*?for\s*?\x28\s*?var\s+?[^\s]+?\s*?=\s*?\x73\x74\x61\x72\x74\x7C\x7C\x30\s*\x2c/Rsi"; content:"|22 6c|"; distance:0; pcre:"/^[^a-z]?\x65[^a-z]?\x6e[^a-z]?\x67[^a-z]?\x74[^a-z]?\x68/Ri"; classtype:exploit-kit; sid:2020207; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_19, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"b4f4e6164f938870486578536fc1ffce"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028232; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Jan 21 2014"; flow:established,from_server; file_data; content:"|3d 20 20 20 20 20 20 20 20 20 20|"; fast_pattern; content:".replace|28|"; content:"<script>"; content:"|3d 20 20 20 20 20 20|"; distance:0; pcre:"/^\s*?[\x22\x27](?P<char>[^\x22\x27]+)[\x22\x27]\.replace\x28\s*?[\x22\x27](?P=char)[\x22\x27]\s*?,/R"; content:"|3d 20 20 20 20 20 20|"; distance:0; pcre:"/^\s*?[\x22\x27](?P<char>[^\x22\x27]+)[\x22\x27]\.replace\x28\s*?[\x22\x27](?P=char)[\x22\x27]\s*?,/R"; classtype:exploit-kit; sid:2020236; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_22, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"b8f81673c0e1d29908346f3bab892b9b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028233; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KL-Remote / Cryp_Banker14 RAT connection"; flow:established,to_server; dsize:13; content:"|3c 7c|PRINCIPAL|7c 3e|"; fast_pattern; flowbits:set,ET.KLRemote; reference:md5,636edeba541483421e29b81b35f92841; reference:md5,c5763d0ef12dffa213d265596bd1acf9; reference:md5,5e01557b8650616e005a9949cbf5459a; classtype:trojan-activity; sid:2020315; rev:2; metadata:created_at 2015_01_27, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"baaac9b6bf25ad098115c71c59d29e51"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028234; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE KL-Remote / Cryp_Banker14 RAT response"; flow:established,from_server; dsize:6; content:"|3c 7c|OK|7c 3e|"; fast_pattern; flowbits:isset,ET.KLRemote; reference:md5,636edeba541483421e29b81b35f92841; reference:md5,c5763d0ef12dffa213d265596bd1acf9; reference:md5,5e01557b8650616e005a9949cbf5459a; classtype:trojan-activity; sid:2020316; rev:2; metadata:created_at 2015_01_27, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"da949afd9bd6df820730f8f171584a71"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028235; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SilverLight M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; content:"X-Powered-By|3a 20|"; http_header; content:"Server|3a 20|nginx"; http_header; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2020317; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_27, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"f58966d34ff9488a83797b55c804724d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028236; rev:3; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.PYO Possible net.tcp CnC Beacon (stat)"; flow:established,to_server; content:"net.tcp|3a|//"; offset:7; depth:10; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d+\/stat\x03\x08\x0c$/R"; content:"/stat|03 08 0c|"; fast_pattern; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:command-and-control; sid:2020336; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"fd6314b03413399e4f23d1524d206692"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028237; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.PYO Possible net.tcp CnC Beacon (control)"; flow:established,to_server; content:"net.tcp|3a|//"; offset:7; depth:10; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d+\/control\x03\x08\x0c$/R"; content:"/control|03 08 0c|"; fast_pattern; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:command-and-control; sid:2020337; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome/Slack"; ja3_hash; content:"5498cef2cca704eb01cf2041cc1089c1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028238; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE f0xy Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?admin="; fast_pattern; content:"&id="; http_uri; content:"&nat="; http_uri; content:"&os="; http_uri; content:"&video="; http_uri; content:"&arch_type="; http_uri; content:"&v="; http_uri; content:"&av_list="; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+?\r\n(?:\r\n)?$/Hi"; reference:md5,160634d784c256d29563117554685c31; reference:url,community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx; classtype:command-and-control; sid:2020340; rev:6; metadata:created_at 2015_01_30, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Drive (tested: 1.26.0707.2863 - Win 8.x & Win 10)"; ja3_hash; content:"c1741dd3d2eec548df0bcd89e08fa431"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028239; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Xnote Keep-Alive"; flow:established,to_server; dsize:17; content:"|11 00 00 00 01 00 00 00 78 9c 4b 05 00 00 66 00 66|"; fast_pattern; reference:url,deependresearch.org/2015/02/linuxbackdoorxnote1-indicators.html; classtype:trojan-activity; sid:2020389; rev:2; metadata:created_at 2015_02_11, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Drive File Stream"; ja3_hash; content:"d27fb8deca6e3b9739db3fda2b229fe3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028240; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Android RCE via XSS and Play Store XFO"; flow:from_server,established; file_data; content:"|5c|u00"; byte_test:2,<,0x21,0,relative,string,hex; content:"javascript|3a|"; nocase; within:11; distance:2; content:"/store/apps/details?id="; nocase; fast_pattern; reference:url,1337day.com/exploit/22581; reference:cve,2014-6041; reference:url,github.com/rapid7/metasploit-framework/commit/7f2add2ce30f33e7787310d7abcb1781e8ea8f43; classtype:attempted-user; sid:2020393; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Earth Linux 7.1.4.1529"; ja3_hash; content:"b16614e71d26ba348c94bfc8e33b1767"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028241; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 11 2015 Banner"; flow:established,to_server; content:"/banner.php?sid="; fast_pattern; http_uri; pcre:"/\/banner.php\?sid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2020408; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Earth"; ja3_hash; content:"ae340571b4fd0755c4a0821b18d8fa93"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028242; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 11 2015 Blog"; flow:established,to_server; content:"/blog.php?id="; fast_pattern; http_uri; pcre:"/\/blog.php\?id=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2020409; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Mail server starttls connection"; ja3_hash; content:"9af622c65a17a0bf90d6e9504be96a43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028243; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Function Name"; flow:to_client,established; file_data; content:"function"; pcre:"/^(?:\x25(?:25)*?20|\s)*?runmumaa\W/Rs"; content:"runmumaa"; fast_pattern; reference:cve,2014-6332; classtype:attempted-user; sid:2019733; rev:6; metadata:created_at 2014_11_18, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Photos Backup"; ja3_hash; content:"f059212ce3de94b1e8253a7522cb1b44"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028244; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; content:"/main.html"; http_uri; fast_pattern; pcre:"/\/main\.html$/U"; content:"/connector.html|0d 0a|"; http_header; classtype:exploit-kit; sid:2020570; rev:4; metadata:created_at 2015_02_25, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - GoogleBot"; ja3_hash; content:"50dfee94717e9640b1c384e5bd78e61e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028245; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct M1 Feb 06 2015"; flow:established,to_server; content:".php?id="; http_uri; fast_pattern; content:"&rnd="; http_uri; pcre:"/\.php\?id=[0-9A-F]{44,54}&rnd=[0-9]{3,7}$/U"; classtype:exploit-kit; sid:2020643; rev:4; metadata:created_at 2015_03_07, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - gramblr"; ja3_hash; content:"fd10cc8cce9493a966c57249e074755f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028246; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Checkin 1"; flow:to_server,established; content:"/rico.php"; fast_pattern; content:".asia|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\.asia\r\n/Hmi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:command-and-control; sid:2020654; rev:4; metadata:created_at 2015_03_09, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Great Firewall of China Probe (via pcaps from https://nymity.ch/active-probing/)"; ja3_hash; content:"e76ac6872939f6ebfdf75f1ea73b4daf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028247; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Checkin 2"; flow:to_server,established; content:"/rico.php"; fast_pattern; content:".ru|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\.ru\r\n/Hmi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:command-and-control; sid:2020655; rev:4; metadata:created_at 2015_03_09, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - HipChat"; ja3_hash; content:"d9b07b9095590f4ff910ceee7b6af88a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028248; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing URI Struct March 6 2015"; flow:established,to_server; urilen:>40; content:"GET"; http_method; content:"/tdstest/"; http_uri; fast_pattern; pcre:"/^\/tdstest\/[a-f0-9]{32,}\/?$/U"; classtype:exploit-kit; sid:2020626; rev:4; metadata:created_at 2015_03_06, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"3e860202fc555b939e83e7a7ab518c38"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028249; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 10"; flow:established; content:"Sleepy!@#qaz13402scvsde890"; fast_pattern; content:"BC435@PRO62384923412!@3!"; nocase; content:!"content|3a 22|BC435@PRO62384923412!@3!|22 3b|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020016; rev:3; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"54328bd36c14bd82ddaa0c04b25ed9ad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028250; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Cryptolocker .onion Proxy Domain in SNI"; flow:established,to_server; content:"erhitnwfvpgajfbu."; fast_pattern; nocase; reference:url,www.welivesecurity.com/2014/09/04/torrentlocker-now-targets-uk-royal-mail-phishing/; classtype:trojan-activity; sid:2019124; rev:3; metadata:created_at 2014_09_05, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"56ac3a0bef0824c49e4b569941937088"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028251; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Server Response"; flow:established,from_server; content:"|0d 0a 0d 0a|ok"; fast_pattern; file_data; content:"ok"; within:2; byte_test:1,<,0x1b,0,relative; content:"|00|"; distance:1; within:1; flowbits:isset,ET.Vawtrak; classtype:trojan-activity; sid:2019499; rev:5; metadata:created_at 2014_10_24, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"8bd59c4b7f3193db80fd64318429bcec"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028252; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Chroject.B Receiving ClickFraud Commands from CnC 2"; flow:from_server,established; file_data; content:"<html><title>"; within:13; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/title><\/html>$/R"; content:"</title></html>"; fast_pattern; flowbits:isset,ET.Chroject; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:command-and-control; sid:2020749; rev:5; metadata:created_at 2015_03_26, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"d1f9f9b224387d2597f02095fcec96d7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028253; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT VBScript Driveby MAR 31 2015"; flow:established,to_server; content:"/content/dl.php?sl=vbs"; http_uri; fast_pattern; pcre:"/\/content\/dl\.php\?sl=vbs[a-z0-9]{32}$/U"; classtype:exploit-kit; sid:2020823; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_01, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"ff1040ba1e3d235855ef0d7cd9237fdc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028254; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT VBScript Driveby Related TDS MAR 31 2015"; flow:established,to_server; content:"/content/getvbslink.php?d="; http_uri; fast_pattern; pcre:"/\/content\/getvbslink\.php\?d=[a-z0-9]{32}$/U"; classtype:exploit-kit; sid:2020824; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_01, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - HTTRack"; ja3_hash; content:"a1ec6fd012b9ee6f84c50339c4205270"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028255; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; http_header; content:"Server|3a 20|nginx"; http_header; pcre:"/Content-Disposition\x3a\x20inline\x3b\x20filename=(?:[a-z0-9]{4})?\r\n/H"; file_data; content:"CWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2020312; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_26, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - IDSyncDaemon"; ja3_hash; content:"5af143afdbf58ec11ab3b3d53dd4e5e3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028256; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK SilverLight Exploit"; flow:established,from_server; flowbits:isset,et.Nuclear.Exploit; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/^[a-z0-9]*\r\n/HR"; file_data; content:"AppManifest.xaml"; fast_pattern; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2019917; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_11, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - IE 11 Win10"; ja3_hash; content:"fee8ec956f324c71e58a8c0baf7223ef"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028257; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 03 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"eval|3b|"; fast_pattern; content:"replace"; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:exploit-kit; sid:2020841; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - IE 11"; ja3_hash; content:"4cafc7a0acf83a49317ca199b2f25c82"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028258; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 03 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"return eval"; fast_pattern; content:"replace"; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:exploit-kit; sid:2020842; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - IE 11"; ja3_hash; content:"78273d33877a36c0c30e3fb7578ee9e7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028259; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Chrome Cookie Data Theft April 06 2015"; flow:established,to_server; content:".php?type=cookie&site="; fast_pattern; http_uri; reference:url,ocelot.li/the-malware-campaign-that-went-unnoticed/; classtype:trojan-activity; sid:2020848; rev:3; metadata:created_at 2015_04_07, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - In all the malware samples - Java updater perhaps, java"; ja3_hash; content:"a61299f9b501adcf680b9275d79d4ac6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028260; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B1 Checkin x86"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 32|"; fast_pattern; reference:md5,bd69714997e839618a7db82484819552; classtype:command-and-control; sid:2020849; rev:3; metadata:created_at 2015_04_08, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Inbox OSX"; ja3_hash; content:"d06acbe8ac31e753f40600a9d6717cba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028261; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B1 Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 86|"; fast_pattern; reference:md5,bd69714997e839618a7db82484819552; classtype:command-and-control; sid:2020850; rev:2; metadata:created_at 2015_04_08, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - inoreader.com-like FeedFetcher-Google, inoreader.com"; ja3_hash; content:"3ca5d63fa122552463772d3e87d276f2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028262; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B2 Checkin no architecture"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 84|"; fast_pattern; reference:md5,b4ce43e1c9e74c549e2bae8cd77d5af1; classtype:command-and-control; sid:2020851; rev:2; metadata:created_at 2015_04_08, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Internet Explorer 11 .0.9600.1731.(Win 8.1)"; ja3_hash; content:"a6776199188c09f5124b46b895772fa2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028263; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B1 Sending Processes"; content:"Sy|5c|"; content:"wininit|5c|"; distance:0; content:"winlogon|5c|"; fast_pattern; reference:md5,bd69714997e839618a7db82484819552; classtype:trojan-activity; sid:2020852; rev:2; metadata:created_at 2015_04_08, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Internet Explorer 11.0.9600.17959"; ja3_hash; content:"a264c0bb146b2fade4410bcd61744b69"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028264; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Secondary Landing Apr 20 2015"; flow:established,from_server; file_data; content:"2147023083"; content:"BlackList"; nocase; content:"lenBadFiles"; nocase; fast_pattern; content:"ProgFilePath"; nocase; content:"lenProgFiles"; nocase; classtype:exploit-kit; sid:2020985; rev:3; metadata:created_at 2015_04_24, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Internet Explorer 11.0.9600.18349 / TeamViewer 10.0.47484P / Notepad++ Update Check / Softperfect Network Scanner Update Check / Wireshark 2.0.4 Update Check"; ja3_hash; content:"d54b3eb800cbeccf99fd5d5cdcd7b5b5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028265; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK URI Struct T1 Apr 24 2015"; flow:established,to_server; content:"/street"; http_uri; fast_pattern; pcre:"/\/street[1-5]\.php$/U"; classtype:exploit-kit; sid:2020988; rev:3; metadata:created_at 2015_04_24, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - iOS AppleWebKit/536.26"; ja3_hash; content:"06d930b072bf052b10d0a9eea1554f60"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028266; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK Payload Struct T1 Apr 24 2015"; flow:established,to_server; content:".exe"; http_uri; content:"/XV-"; fast_pattern; pcre:"/\/XV-\d+\.exe$/U"; classtype:exploit-kit; sid:2020989; rev:3; metadata:created_at 2015_04_24, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - iOS Mail App (tested: iOS 9.3.3)"; ja3_hash; content:"99204897b101b15f87e9b07f67453f4e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028267; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK Payload Struct T2 M2 Apr 24 2015"; flow:established,to_server; content:"/BrowserUpdate.lnk"; http_uri; fast_pattern; classtype:exploit-kit; sid:2020992; rev:3; metadata:created_at 2015_04_24, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - iPad CPU OS 9_3_5 Safari 601.1 Used by many programs - apple.WebKit.Networking"; ja3_hash; content:"a9aecaa66ad9c6cfe1c361da31768506"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028268; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sundown EK Flash Exploit Apr 20 2015"; flow:established,to_server; content:"/bad/"; http_uri; fast_pattern; pcre:"/\/bad\/[A-Z0-9]+\.swf$/U"; classtype:exploit-kit; sid:2020951; rev:4; metadata:created_at 2015_04_21, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - iPhone OS 10_3_3 Safari 602.1, Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"7e72698146290dd68239f788a452e7d8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028269; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK SilverLight Exploit April 30 2015"; flow:established,from_server; file_data; content:"AppManifest.xaml"; fast_pattern; flowbits:isset,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021045; rev:3; metadata:created_at 2015_05_01, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - iTunes/iBooks #1"; ja3_hash; content:"c6ecc5ba2a6ab724a7430fa4890d957d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028270; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Exploit Struct April 30 2015"; flow:established,to_server; content:"GET"; http_method; pcre:"/\/\d\/[A-Z]+\/[a-f0-9]{32}\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?$/U"; content:"/%20http%3A"; http_header; fast_pattern; flowbits:set,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021042; rev:6; metadata:created_at 2015_05_01, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - iTunes/iBooks #2"; ja3_hash; content:"c07295da5465d5705a38f044e53ef7c4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028271; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK IE Exploit Apr 23 2015"; flow:established,from_server; file_data; content:"<title>some"; fast_pattern; content:"<style>"; content:"|5c 3a|*{display|3a|inline-block|3b|behavior|3a|url(#default#VML)|3b|}</style>"; distance:3; within:65; classtype:exploit-kit; sid:2020980; rev:4; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Java 8U91 Update Check, Windows Java Plugin (tested: v8 Update 60), BurpSuite Free (Tested: 1.7.03 on Windows 10), java,studio,eclipse"; ja3_hash; content:"2db6873021f2a95daa7de0d93a1d1bf2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028272; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing Apr 23 2015"; flow:established,from_server; file_data; content:"=window|3b|"; fast_pattern; content:"String.fromCharCode"; content:"|28 2f|Win64|3b 2f|i,"; nocase; content:"function"; pcre:"/^\s*?[^\x28\s]*?\x28\s*?(?P<a1>[^\s,\x29]+)\s*?,\s*?(?P<a2>[^\s,\x29]+)\s*?\x29\{[^\r\n]*?[\+=]String.fromCharCode\((?P=a2)\)[^\r\n]*?\}/Rs"; classtype:exploit-kit; sid:2020979; rev:4; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"093081b45872912be9a1f2a8163fe041"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028273; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Java Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".jar"; http_header; fast_pattern; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.jar\r\n/Hm"; file_data; content:"PK"; within:2; classtype:exploit-kit; sid:2020983; rev:4; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"2080bf56cb87e64303e27fcd781e7efd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028274; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1710/CVE-2012-3993 Firefox Exploit Attempt"; flow:established,to_client; file_data; content:"generateCRMFRequest"; nocase; fast_pattern; content:"InstallTrigger"; nocase; content:"__exposedProps__"; nocase; content:"__defineGetter__"; nocase; content:"getInstallForURL"; nocase; content:".install|28|"; nocase; content:"x-xpinstall"; nocase; reference:cve,CVE-2013-1710; reference:cve,CVE-2012-3993; classtype:attempted-user; sid:2021078; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_05_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"225a24b45f0f1adbc2e245d4624c6e08"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028275; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VaultCrypt Uploading Files"; flow:to_server,established; content:"POST"; http_method; urilen:6; content:"/v.php"; http_uri; fast_pattern; content:"|0d 0a|UA-CPU|3a 20|"; http_header; content:"Content-Type|3a 20|application/upload|0d 0a|"; content:"boundary=---------------------------0123456789012"; http_header; content:"name=|22|pf|22 3b|"; http_client_body; reference:url,www.bleepingcomputer.com/forums/t/570390/vaultcrypt-uses-batch-files-and-open-source-gnupg-to-hold-your-files-hostage; classtype:trojan-activity; sid:2020707; rev:4; metadata:created_at 2015_03_18, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"3afe1fb5976d0999abe833b14b7d6485"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028276; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET HUNTING Suspicious X-mailer Synapse Inbound to SMTP Server"; flow:established,to_server; content:"produced by Synapse"; fast_pattern; content:"X|2d|mailer|3a 20|Synapse|20 2d 20|Pascal TCP|2f|IP library by Lukas Gebauer"; reference:url,www.joewein.net/spam/spam-joejob.htm; classtype:trojan-activity; sid:2021135; rev:2; metadata:created_at 2015_05_21, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"3b844830bfbb12eb5d2f8dc281d349a9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028277; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Landing May 21 2015 M1"; flow:from_server,established; file_data; content:"|3c 21 2d 2d 20 53 45 45 44 3a|"; nocase; fast_pattern; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; classtype:exploit-kit; sid:2021136; rev:3; metadata:created_at 2015_05_22, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"550628650380ff418de25d3d890e836e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028278; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Moose NAT Traversal CnC Beacon set"; flow:established,to_server; dsize:4; content:"|18 00 00 00|"; fast_pattern; flowbits:set,ET.Linux.Moose; flowbits:noalert; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021150; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"5b270b309ad8c6478586a15dece20a88"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028279; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; content:"/main.html"; http_uri; fast_pattern; pcre:"/\/main\.html$/U"; content:"/index.html"; http_header; pcre:"/\b[a-z]{2}\d+\s*?=\s*?Yes/C"; classtype:exploit-kit; sid:2020392; rev:6; metadata:created_at 2015_02_11, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"5d7abe53ae15b4272a34f10431e06bf3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028280; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Jun 09 2015"; flow:established,to_server; content:"/main.html"; http_uri; nocase; fast_pattern; content:"/index.html"; http_header; nocase; content:"cck_lasttime"; http_cookie; nocase; classtype:exploit-kit; sid:2021219; rev:5; metadata:created_at 2015_06_09, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"7c7a68b96d2aab15d678497a12119f4f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028281; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> $HOME_NET 443 (msg:"ET MALWARE Possible Duqu 2.0 Accessing backdoor over 443"; flow:to_server,established; content:"romanian.antihacker"; fast_pattern; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021242; rev:2; metadata:created_at 2015_06_10, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"88afa0dea1608e28f50acbad32d7f195"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028282; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Torrentlocker C2 Domain in SNI"; flow:established,to_server; content:"|00 00 0d|krusperon.net"; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/3ebc6999da89eaf44d94195b588cb869d894ca754a248b074893d11f6dd19188?environmentId=4; reference:md5,2c339dbb40b3b19ee275e4c7c1c17a18; classtype:command-and-control; sid:2021254; rev:3; metadata:created_at 2015_06_11, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"8ce6933b8c12ce931ca238e9420cc5dd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028283; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"base64decode"; nocase; content:"xxtea_decrypt"; nocase; fast_pattern; content:"long2str"; nocase; content:"str2long"; nocase; classtype:exploit-kit; sid:2021218; rev:4; metadata:created_at 2015_06_09, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"a9fead344bf3ac09f62df3cd9b22c268"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028284; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing URI Struct April 29 2015 M1"; flow:established,to_server; content:"GET"; http_method; content:"/|20|http|3a|/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/\x20http\x3a\x2f/U"; classtype:exploit-kit; sid:2021033; rev:4; metadata:created_at 2015_04_30, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java/eclipse/STS"; ja3_hash; content:"028563cffc7a3a2e32090aee0294d636"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028285; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Java Exploit URI Struct April 29 2015"; flow:established,to_server; content:"Java/"; http_user_agent; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?(?:\.[a-z]+)?$/U"; classtype:exploit-kit; sid:2021035; rev:4; metadata:created_at 2015_04_30, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java/JavaApplicationStub"; ja3_hash; content:"5f9b53f0d39dc9d940a3b5568fe5f0bb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028286; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Payload April 29 2015"; flow:established,to_server; content:"/5/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/5\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?$/U"; content:"Referer|3a 20|"; http_header; pcre:"/^[^\r\n]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r?/RH"; classtype:exploit-kit; sid:2021037; rev:4; metadata:created_at 2015_04_30, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - JavaApplicationStub"; ja3_hash; content:"c376061f96329e1020865a1dc726927d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028287; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing URI Struct June 19 2015 M3"; flow:established,to_server; content:"GET"; http_method; content:"/|3a|http|3a|/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/\x3ahttp\x3a\x2f/U"; classtype:exploit-kit; sid:2021305; rev:3; metadata:created_at 2015_06_19, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - K9 Mail (Android)"; ja3_hash; content:"ced7418dee422dd70d2a6f42bb042432"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028288; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Payload June 19 2015"; flow:established,to_server; content:"/4/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/4\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?$/U"; content:"Referer|3a 20|"; http_header; pcre:"/^Referer\x3a[^\r\n]+\/4\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r?$/Hm"; classtype:exploit-kit; sid:2021308; rev:3; metadata:created_at 2015_06_19, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Kindle/stack/nextcloud"; ja3_hash; content:"e516ad69a423f8e0407307aa7bfd6344"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028289; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing June 19 2015"; flow:established,from_server; file_data; content:"ScriptEngineMajorVersion"; nocase; content:"ScriptEngineMinorVersion"; nocase; content:"ScriptEngineBuildVersion"; nocase; content:"javafx_version"; nocase; content:"ip"; pcre:"/^\s*?=\s*?[\x22\x27]8\.8\.8\.8[\x22\x27]/Rsi"; content:"8.8.8.8"; fast_pattern; classtype:exploit-kit; sid:2021310; rev:4; metadata:created_at 2015_06_19, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Konqueror 4.14.18 (openSUSE Leap 42.1) 2"; ja3_hash; content:"8194818a46f5533268472f2167ffec70"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028290; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Landing May 21 2015 M2"; flow:from_server,established; file_data; content:"|5e 23 7e 40|"; nocase; fast_pattern; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2021137; rev:4; metadata:created_at 2015_05_22, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Konqueror 4.14.18 / Kmail 4.14.18 (openSUSE Leap 42.1) 1"; ja3_hash; content:"78253eb48a1431a4bbbe6bb4358464ac"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028291; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude CVE-2015-3113 Jun 29 2015 M1"; flow:established,to_server; urilen:10; content:"/video.flv"; nocase; http_uri; fast_pattern; pcre:"/Referer\x3a\x20http\x3a\x2f+?(?:[\x2eg-z]*[a-f0-9][\x2eg-z]*){32}\.[^\x2f\r\n]*?\x2f+\[\[DYNAMIC\]\]\x2f\d*?\r\n?/H"; pcre:"/Host\x3a\x20(?:[\x2eg-z]*[a-f0-9][\x2eg-z]*){32}\./H"; classtype:exploit-kit; sid:2021364; rev:3; metadata:created_at 2015_06_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Konqueror 4.8, OpenSSL s_client (tested: 1.0.1f - Ubuntu 14.04TS)"; ja3_hash; content:"0e0b798d0208ad365eec733b29da92a6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028292; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NullHole EK Landing URI struct"; flow:established,to_server; content:"/e.html"; http_uri; fast_pattern; pcre:"/\/e\.html$/U"; content:"nhweb="; http_cookie; classtype:exploit-kit; sid:2021373; rev:3; metadata:created_at 2015_07_02, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - LeagueClientUx"; ja3_hash; content:"3959d0a1344896e9fb5c0564ca0a2956"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028293; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 08"; flow:established,from_server; file_data; content:"></script><!--|2f|"; fast_pattern; content:"<!--"; pcre:"/^(?P<var>[a-f0-9]{6})-->\s*?<script\s*?type=[\x22\x27]text\/javascript[\x22\x27]\s*?src=[\x22\x27]http\x3a\x2f[^\x22\x27]*?\/[a-z\d]{8}\.php\?id=\d+[\x22\x27]\s*?><\/script><!--\/(?P=var)-->/Rs"; classtype:exploit-kit; sid:2021394; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_09, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - LINE Messaging"; ja3_hash; content:"0fe51fa93812c2ebb50a655222a57bf2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028294; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Targeted Attack from APT Actor Delivering HT SWF Exploit RIP"; flow:established,from_server; file_data; content:"|67 5f 6f 3d 69 65 56 65 72 73 69 6f 6e 28 29 3b|"; nocase; fast_pattern; content:"|67 65 74 42 69 74 73 28 29 3b|"; nocase; content:"var "; pcre:"/^\s*?(?P<var>[^=\s\x3b]+)\s*?=\s*?getBits\(\s*?\)\x3b.+?flashvars\s*?=\s*?\x5c\x22(?P=var)\s*?=\s*?\x22\s*?\+\s*?(?P=var)\s*?\+\s*?\x22\x5c\x22/Rsi"; classtype:targeted-activity; sid:2021405; rev:5; metadata:created_at 2015_07_13, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - LINE Messaging"; ja3_hash; content:"2e094913d88f0ad8dc69447cb7d2ce65"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028295; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IE MSMXL Detection of Local DLL (Likely Malicious)"; flow:established,from_server; file_data; content:"res|3a|"; nocase; content:"loadXML"; nocase; content:"parseError"; nocase; content:"errorCode"; nocase; content:"-2147023083"; fast_pattern; content:".dll"; classtype:trojan-activity; sid:2021429; rev:3; metadata:created_at 2015_07_16, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - LogMeIn Client"; ja3_hash; content:"193349d34561d1d5d1a270172eb2d97e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028296; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 17"; flow:to_server,established; content:"fare="; http_uri; nocase; content:".asp?"; http_uri; nocase; content:".pw|0d 0a|"; http_header; nocase; fast_pattern; pcre:"/[&?]fare=/Ui"; pcre:"/[&?]c=/Ui"; pcre:"/[&?]t=[a-f0-9]{32}(?:&|$)/Ui"; classtype:exploit-kit; sid:2021435; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Mail app iOS"; ja3_hash; content:"0cbbafcdaf63cbf1e490c4a2d903f24b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028297; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NullHole URI Struct Jul 22 2015 M3"; flow:established,from_server; content:"302"; http_stat_code; content:"/e.html"; http_header; fast_pattern; pcre:"/^Location\x3a\x20[a-f0-9]{32}\/e\.html\r$/Hm"; content:"Set-Cookie|3a|"; classtype:trojan-activity; sid:2021508; rev:3; metadata:created_at 2015_07_22, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Marble (KDE 5.21.0 QT 5.5.1 openSUSE Leap 42.1)"; ja3_hash; content:"fc5574de96793b73355ca9e555748225"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028298; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK URI Struct April 29 2015"; flow:established,to_server; content:"/5/"; http_uri; fast_pattern; pcre:"/\/5\/[A-Z]{3,}\/[a-f0-9]{32}(?:\.[^\x2f]+|\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?|\/\d+\/?)?$/U"; classtype:exploit-kit; sid:2021036; rev:5; metadata:created_at 2015_04_30, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Maxthon"; ja3_hash; content:"d732ca39155f38942f90e9fc2b0f97f7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028299; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT ScanBox Jun 06 2015 M1 T1"; flow:established,from_server; file_data; content:"_=window|3b|"; nocase; fast_pattern; content:"var "; nocase; pcre:"/^\s*?[$_]+w[$_]+i[$_]+=window\x3b/Rsi"; content:"function "; pcre:"/^\s*?[_$]+\x28\x29/Rsi"; classtype:exploit-kit; sid:2021542; rev:3; metadata:created_at 2015_07_28, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Messenger/Jumpshare"; ja3_hash; content:"c9dbeed362a32f9a50a26f4d9b32bbd8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028300; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT ScanBox Jun 06 2015 M2 T1"; flow:established,from_server; file_data; content:"$=window|3b|"; nocase; fast_pattern; content:"var "; nocase; pcre:"/^\s*?[$_]+w[$_]+i[$_]+=window\x3b/Rsi"; content:"function "; pcre:"/^\s*?[_$]+\x28\x29/Rsi"; classtype:exploit-kit; sid:2021543; rev:3; metadata:created_at 2015_07_28, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Microsoft Smartscreen"; ja3_hash; content:"bedb7e0ff43a24272eb0a41993c65faf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028305; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 8"; flow:to_server,established; content:"GET"; http_method; content:"/viewphoto.asp?photoid="; http_uri; fast_pattern; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:command-and-control; sid:2021571; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Microsoft Updater (Windows 7SP1) / TeamViewer 11.0.56083P"; ja3_hash; content:"bff2c7b5c666331bfe9afacefd1bdb51"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028306; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DarkHotel Landing M2"; flow:established,to_client; file_data; content:"HTA|3a|APPLICATION"; nocase; fast_pattern; content:"|22|&#x"; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:targeted-activity; sid:2021611; rev:4; metadata:created_at 2015_08_11, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Microsoft Windows Socket (Tested: Windows 10)"; ja3_hash; content:"48cf5fb702315efbfc88ee3c8c94c6cb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028307; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DarkHotel Landing M3"; flow:established,to_client; file_data; content:"HTA|3a|APPLICATION"; nocase; fast_pattern; content:"|27|&#x"; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:targeted-activity; sid:2021612; rev:3; metadata:created_at 2015_08_11, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - mj12bot.com"; ja3_hash; content:"11e1137464a4343105031631d470cd92"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028310; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Exploit URI Struct Aug 12"; flow:to_server,established; urilen:>100; content:!"|20|"; http_uri; content:!"+"; http_uri; content:!"_"; http_uri; content:!"-"; http_uri; content:"search?q="; http_header; fast_pattern; pcre:"/\/(?:[^?]+\?)(?=[A-Z&=\d]*?[a-z])(?=[a-zA-Z\d&=]*?[A-Za-z=&]\d[A-Za-z])(?=[a-zA-Z\d&=]*?[a-z\d][A-Z][A-Za-z\d])[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+[&=A-Za-z0-9]*?$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?!www\.)(?P<refhost>[^\x3a\x2f\r\n]+)[^\r\n]*?\/search\?q=(?=[A-Z&=\d]*?[a-z])(?=[a-zA-Z\d&=]*?[A-Za-z=&]\d[A-Za-z])(?=[a-zA-Z\d&=]*?[a-z\d][A-Z][A-Za-z\d])[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+[&=A-Za-z0-9]*?\r\n.*?Host\x3a\x20(?P=refhost)/Hsi"; pcre:!"/^Host\x3a\x20(?:[^\r\n]+\.)?(?:ya(?:ndex|hoo)|google|bing)\.(?:com?)?(?:\.[a-z]{2})?(:?\x3a\d{1,5})?\r$/Hmi"; content:!"Cookie|3a 20|"; flowbits:set,NuclearEK; classtype:exploit-kit; sid:2021620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_08_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Mobile Safari/537.35+ BB10"; ja3_hash; content:"87c6dda19108d68e526a72d9ae09fb9e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028311; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Secondary Landing Aug 17 2015"; flow:established,from_server; file_data; content:"fromCharCode"; nocase; content:"charCodeAt"; nocase; content:"fontFamily"; nocase; content:"style"; nocase; content:"language"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]vb[\x22\x27]/Rsi"; content:"^"; pcre:"/^\s*?\w+\s*?\.\s*?charCodeAt/Rsi"; content:"decodeURIComponent"; nocase; fast_pattern; classtype:exploit-kit; sid:2021637; rev:3; metadata:created_at 2015_08_17, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - mono-sgen/Syncplicity/Axure RP 8/Amazon Drive"; ja3_hash; content:"6acb250ada693067812c3335705dae79"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028312; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Magnitude EK Landing URI Struct Aug 21 2015"; flow:established,to_server; urilen:33<>67; content:"/?"; http_uri; depth:2; content:".pw|0d 0a|"; http_header; fast_pattern; pcre:"/^\/\?[a-f0-9]{32,64}$/U"; classtype:exploit-kit; sid:2021698; rev:3; metadata:created_at 2015_08_21, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla Sync Services (Android)"; ja3_hash; content:"d65ddade944f9acfe4052b2c9435eb85"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028313; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Landing Aug 21 2015"; flow:established,from_server; file_data; content:"/x-silverlight-2"; nocase; fast_pattern; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][a-z]+\.xap[\x22\x27]/Rs"; content:"/x-shockwave-flash"; nocase; content:!".swf"; nocase; content:"<div"; pcre:"/^[^>]*?id\s*?=[\x22\x27][a-z0-9]+[\x22\x27][^>]*?>\s*?[\x2a\d]{100}/R"; classtype:exploit-kit; sid:2021699; rev:3; metadata:created_at 2015_08_21, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla Thunderbird (tested: 31.5.0)"; ja3_hash; content:"c2116e5bb14394aafbefe12ade9bd8ab"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028314; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude Flash Exploit (IE) M2"; flow:established,to_server; urilen:<70; content:!".swf"; nocase; http_uri; content:"x-flash-version"; http_header; fast_pattern; pcre:"/^\/(?:\??[a-f0-9]{32,64}\/?)?$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<dl1>[^\x2e\r\n]+)\x2e[^\x2f\r\n]*?(?P<dl2>\x2e[^\x2e\r\n\x2f]+\x2e[^\x2e\x2f\r\n]+)\x2f(?:\??[a-f0-9]{32,64}\/?)?\r\n.*?Host\x3a\x20(?!(?P=dl1))[^\r\n]*?(?P=dl2)\r\n/Hsm"; classtype:exploit-kit; sid:2020895; rev:7; metadata:created_at 2015_04_11, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla Thunderbird (tested: 38.3.0), ThunderBird (v38.0.1 OS X)"; ja3_hash; content:"6fd163150b060dd7d07add280f42f4ed"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028315; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - Shell"; flow:established,from_server; file_data; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; content:"/system/bin/sh"; fast_pattern; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021757; rev:3; metadata:created_at 2015_09_10, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla/4.0 MSIE 6.0 or MSIE 7.0 User-Agent"; ja3_hash; content:"de350869b8c85de67a350c8d186f11e6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028316; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Spartan EK Secondary Flash Exploit DL M2"; flow:established,to_server; urilen:>13; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; content:".xml"; http_uri; offset:11; pcre:"/^\/[A-Z](?=[a-z0-9]*?[A-Z][a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z][A-Z0-9]*?[a-z])[A-Za-z0-9]{9,}\.xml$/U"; content:"x-flash-version|3a|"; http_header; fast_pattern; content:".swf"; http_header; nocase; pcre:"/Referer\x3a\x20[^\r\n]*?\/[a-f0-9]{32,64}\.swf/H"; classtype:exploit-kit; sid:2021764; rev:3; metadata:created_at 2015_09_14, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - MS Edge"; ja3_hash; content:"5bf43fbca3454853c26df6d996954aca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028317; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct Sept 15 2015"; flow:established,to_server; urilen:>46; content:".php?id="; http_uri; fast_pattern; content:"&rnd="; http_uri; pcre:"/\.php\?id=[0-9A-F]{32,}&rnd=\d+$/U"; content:!"Referer|3a|"; http_header; classtype:exploit-kit; sid:2021787; rev:3; metadata:created_at 2015_09_16, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - MS Edge"; ja3_hash; content:"888ecd3b5821a497195932b0338f2f12"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028318; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Possible Passthru/Kshell Port Redirection Initiation"; flow:to_server,established; dsize:11; content:"chkroot2007"; fast_pattern; reference:md5,f7146691adea573548fa040fb182f4fe; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021796; rev:2; metadata:created_at 2015_09_17, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - MS Edge"; ja3_hash; content:"8d2e46c9e2b1ee9b1503cab4905cb3e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028319; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CosmicDuke Exfiltrating Data via FTP STOR"; flow:established,to_server; dsize:55<>65; content:"STOR|20|"; depth:5; pcre:"/^[a-z0-9]{1,10}[A-F0-9]+\.bin\r\n$/R"; content:".bin|0d 0a|"; fast_pattern; reference:md5,5080bc705217c614b9cbf67a679979a8; classtype:targeted-activity; sid:2023910; rev:5; metadata:created_at 2015_07_17, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - MS Office Components"; ja3_hash; content:"f66b0314f269695fe3528ef39a27c158"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028320; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sept 25 2015"; flow:to_client,established; content:"<div style="; pcre:"/^(?:(?!<\/div).)+?top\x3a\s*?\x2d[0-9]+px\x3b.+left\x3a\s*?\x2d[0-9]+px\x3b.+<iframe\x20.+?stack=\d+/Rsi"; content:"absolute|3b|"; content:"<iframe src="; distance:0; content:" stack="; fast_pattern; classtype:exploit-kit; sid:2021841; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_25, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - MSIE 10.0 Trident/6.0"; ja3_hash; content:"2201d8e006f8f005a6b415f61e677532"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028321; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M5 1 Oct 05 2015"; flow:established,from_server; file_data; content:"str2long"; fast_pattern; content:"long2str"; content:"0xffffffff"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)str2long(?P=sep)).+?(?P=sep)long2str(?P=sep)/Rs"; classtype:exploit-kit; sid:2021905; rev:3; metadata:created_at 2015_10_06, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - MSIE 10.0 Trident/6.0)"; ja3_hash; content:"7b3b37883b5e80065b35f27888ed2b04"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028322; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M5 2 Oct 05 2015"; flow:established,from_server; file_data; content:"str2long"; fast_pattern; content:"0xffffffff"; content:"long2str"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)0xffffffff(?P=sep)).+?(?P=sep)str2long(?P=sep)/Rs"; classtype:exploit-kit; sid:2021906; rev:3; metadata:created_at 2015_10_06, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - MSIE 8.0 & 9.0 Trident/5.0)"; ja3_hash; content:"2baf01616e930d378df97576e2686df3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028323; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M5 3 Oct 05 2015"; flow:established,from_server; file_data; content:"long2str"; fast_pattern; content:"0xffffffff"; content:"str2long"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)0xffffffff(?P=sep)).+?(?P=sep)long2str(?P=sep)/Rs"; classtype:exploit-kit; sid:2021907; rev:3; metadata:created_at 2015_10_06, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - mutt (tested: 1.5.23 OSX)"; ja3_hash; content:"dc7c914e1817944435dd6b82a8495fbb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028324; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (STOP)"; flow:established,from_server; content:"PRIVMSG"; content:"{STOP} Stop command ->"; fast_pattern; nocase; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021879; rev:4; metadata:created_at 2015_10_01, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - mutt"; ja3_hash; content:"6761a36cfa692fcd3bc7d570b23cc168"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028325; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Landing Oct 08 2015"; flow:established,from_server; file_data; content:"/x-silverlight-2"; nocase; fast_pattern; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][a-z\d]+\.xap[\x22\x27]/Rs"; content:"/x-shockwave-flash"; nocase; content:!".swf"; nocase; content:"<param"; nocase; pcre:"/^(?=[^>]*?\sname\s*?\x3d\s*?[\x22\x27]?movie[\x22\x27]?)[^>]*?\svalue\s*?\x3d\s*?[\x22\x27][^\x22\x27]+\/(?:\??[a-f0-9]+)?[\x22\x27]/Ri"; classtype:exploit-kit; sid:2021939; rev:6; metadata:created_at 2015_10_09, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - NetFlix App on AppleTV (possibly others also)"; ja3_hash; content:"146c6a6537ba4cc22d874bf8ff346144"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028326; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible click2play bypass Oct 19 2015 as observed in PawnStorm"; flow:established,from_server; file_data; content:"javax.naming.InitialContext"; fast_pattern; content:"progress-class"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]javax.naming.InitialContext/Rsi"; content:"</jnlp>"; nocase; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:targeted-activity; sid:2021985; rev:4; metadata:created_at 2015_10_21, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - node-webkit/Kindle"; ja3_hash; content:"3ee4aaac7147ff2b80ada31686db660c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028330; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Reversed Pastebin Injection in Magento DB"; flow:established,from_server; file_data; content:"<script"; content:"=i?php.war/moc.nibetsap"; fast_pattern; content:".reverse("; reference:url,labs.sucuri.net/?note=2015-11-02; classtype:web-application-attack; sid:2022014; rev:3; metadata:created_at 2015_11_02, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - node.js"; ja3_hash; content:"641df9d6dbe7fdb74f70c8ad93def8cc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028331; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt"; flow:established,to_server; content:" HTTP/1."; pcre:"/^[^\r\n]*?HTTP\/1(?:(?!\r?\n\r?\n)[\x20-\x7e\s]){1,500}\n[\x20-\x7e]{1,100}\x3a[\x20-\x7e]{0,500}\x28\x29\x20\x7b/s"; content:"|28 29 20 7b|"; fast_pattern; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2022028; rev:2; metadata:created_at 2015_11_04, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - node.js/Postman/WhatsApp"; ja3_hash; content:"106ecbd3d14b4dc6e413494263720afe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028332; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leadking to EK Nov 2015"; flow:to_server,established; content:".pw|0d 0a|"; nocase; http_header; fast_pattern; content:"/?id="; http_uri; nocase; content:"&keyword="; nocase; http_uri; pcre:"/^Host\x3a[^\r\n]*?\.pw\r$/Hmi"; classtype:exploit-kit; sid:2022040; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Non-Specific Microsoft Socket"; ja3_hash; content:"1d095e68489d3c535297cd8dffb06cb9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028333; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE KilerRAT CnC - Remote Shell"; flow:from_server,established; content:"rs|7c 4b 69 6c 65 72 7c|"; fast_pattern; pcre:"/\x7c(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})$/"; reference:md5,51409b4216065c530a94cd7a5687c0d6; reference:url,alienvault.com/open-threat-exchange/blog/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off; classtype:command-and-control; sid:2022068; rev:3; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - NVIDEA GeForce Experience, Windows Diagnostic and Telemetry (also Security Essentials and Microsoft Defender) (Tested Win7)"; ja3_hash; content:"4025f224557638ee81afc4f272fd7577"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028334; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B2 Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 BA|"; fast_pattern; reference:md5,b4ce43e1c9e74c549e2bae8cd77d5af1; classtype:command-and-control; sid:2022072; rev:2; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - nwjs/Chromium"; ja3_hash; content:"49de9b1c7e60bd3b8e1d4f7a49ba362e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028335; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO form-data flowbit set (noalert)"; flow:to_server,established; dsize:>0; content:"Content-Type|3a 20|multipart|2f|form-data"; fast_pattern; flowbits:set,ET.formdata; flowbits:noalert; classtype:not-suspicious; sid:2022080; rev:2; metadata:created_at 2015_11_12, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - One Drive"; ja3_hash; content:"388a4049af7e631f8d36eb0f909de65a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028336; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Nuclear EK Nov 13 2015 Landing URI struct"; flow:established,to_server; urilen:>25; content:"_id="; http_uri; fast_pattern; pcre:"/^\/(?:[a-z0-9]+\/)?[^\x2f]+\?[a-z]{1,40}_id=\d{2,5}(?:&[a-z]{1,40}_id=\d{2,5})?&[^&\x3d]+=(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{15,}\x2e{0,2}?$/U"; pcre:"/^Host\x3a\x20[a-z0-9]+\.(?:g[aq]|cf|ml|tk|xyz|info|space)(?:\x3a\d{1,5})?\r$/Hm"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:exploit-kit; sid:2022090; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - OpenConnect version v7.01"; ja3_hash; content:"a35c1457421bcfaf5edaccb910bfea1d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028337; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible Postfix CVE-2014-6271 attempt"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; pcre:"/^[a-z-]+\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b.*\x3b.*\x7d\s*\x3b(?!=[\r\n])/mi"; reference:url,exploit-db.com/exploits/34896/; reference:cve,2014-6271; classtype:attempted-admin; sid:2019389; rev:5; metadata:created_at 2014_10_10, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - OpenConnect version v7.06 / wget 1.17.1-1 (cygwin)"; ja3_hash; content:"07aa6d7cac645c8845d6e96503f7d985"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028338; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matryoshka CnC Beacon 2"; flow:established,to_server; urilen:>50; content:"GET"; http_method; content:"/img/"; depth:5; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/n"; distance:0; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/img\/[a-f0-9]{32}\/[a-f0-9]+\/n\d+\.png$/U"; content:".png|20|HTTP/1.1|0d 0a|"; fast_pattern; reference:md5,9853fc1f4d7ba23d728f4ee80842faf9; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:command-and-control; sid:2022147; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - openssl s_client / msmtp 1.6.2 (openSUSE Leap 42.1)"; ja3_hash; content:"6fffa2be612102d25dbed5f433b8238c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028339; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Java Class 1 May 24 2013"; flow:to_client,established; file_data; content:"gonagExp.class"; fast_pattern; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016923; rev:15; metadata:created_at 2013_05_25, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera 10.53  10.60  11.61  11.64  12.02, Presto 2.5.24  2.6.30  2.10.229  2.10.289"; ja3_hash; content:"4e6f7f036fb2b05a50ee8a686b1176a6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028340; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible HanJuan Landing March 20 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:!"<body>"; content:!"<html>"; content:"<script>"; depth:8; pcre:"/^\s*[a-z]+\s*?=\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]\/g,\x27\x27\)\.substr\(\s*?\d+\s*?,\s*?\d+\s*?\)\s*?\x3b\s*?[a-z]+\s*?=\s*?(?P<q2>[\x22\x27])(?:(?!(?P=q2)).)+?(?P=q2)\.replace\(\/\[[A-Za-z]{10,}\]\/g,\x27\x27\)\.substr/Rs"; content:"]/g,|27 27|).substr|28|"; fast_pattern; classtype:exploit-kit; sid:2020719; rev:5; metadata:created_at 2015_03_20, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera 11.11  11.52, Presto 2.8.131  2.9.168"; ja3_hash; content:"ceee08c3603b53be80c8afdc98babdd6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028341; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/lizkebab CnC Activity (Flooding 1)"; flow:established,to_server; content:"|20|Flooding|20|"; fast_pattern; content:"|20|for|20|"; content:"|20|seconds."; distance:0; pcre:"/(?:JUNK|HOLD) Flooding (?:\d{1,3}\.){3}\d{1,3} for \d+ seconds.\r?\n/"; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:command-and-control; sid:2022213; rev:2; metadata:created_at 2015_12_03, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera 12.14 - 12.16, Presto 2.12.388"; ja3_hash; content:"561271bdcbfe68504ce78b38c957eef0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028342; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Facebook password stealing inject Jan 04"; flow:from_server,established; file_data; content:"facebook.com"; nocase; content:"localStorage"; fast_pattern; nocase; content:"email"; nocase; content:"pass"; nocase; content:"login_form"; nocase; content:"location"; nocase; pcre:"/^\s*\.\s*hostname\s*.indexOf\s*\([\x22\x27]facebook\.com[\x22\x27]/Rsi"; content:"getElementById"; distance:0; pcre:"/^\s*\(\s*[\x22\x27]login_form[\x22\x27]/Rsi"; content:"getElementById"; distance:0; pcre:"/\s*\(\s*[\x22\x27](email|pass)[\x22\x27]/Rsi"; content:"image"; nocase; pcre:"/[^.]*\.\s*src\s*\=[\x22\x27][^\x22\x27]*\.php\?[ -~]+?\=[\x22\x27]\s*\+localStorage\./Rsi"; classtype:web-application-attack; sid:2022221; rev:4; metadata:created_at 2015_12_05, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 (X11 Linux x86_64 U en) Presto/2.6.30 Version/10.60"; ja3_hash; content:"8b475d6105c72827a234fbd47e25b0a3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028343; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 09"; flow:established,from_server; file_data; content:"<!--/"; fast_pattern; content:"<!--"; pcre:"/^(?P<ccode>[a-f0-9]{6})-->.*?<script.+?<\/script>.*?<!--/(?P=ccode)-->/Rsi"; classtype:exploit-kit; sid:2022242; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_10, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.10.229 Version/11.62"; ja3_hash; content:"44f37c3ceccb551271bfe0ba6d39426c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028344; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Reversed Pastebin Injection in Magento DB 2"; flow:established,from_server; file_data; content:"<script"; content:"ptth|22|=crs tpircs"; fast_pattern; content:".reverse("; reference:url,labs.sucuri.net/?note=2015-11-02; classtype:web-application-attack; sid:2022015; rev:4; metadata:created_at 2015_11_02, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.10.289 & Presto/2.10.229"; ja3_hash; content:"a16170ff03466c8ee703dd71feda9bfe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028345; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Derusbi/Winnti Receiving Configuration"; flow:established,from_server; file_data; content:"$$$--Hello"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})Wrod--\$\$\$/R"; content:"Wrod--$$$"; fast_pattern; reference:url,blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family; classtype:trojan-activity; sid:2022269; rev:3; metadata:created_at 2015_12_16, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.10.289 Version/12.00"; ja3_hash; content:"b237ac4bcc16c142168df03a871677bd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028346; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Dec 22 2015 (Proxy Filtering)"; flow:established,to_server; content:"POST"; http_method; content:"content-types|3a|"; http_header; nocase; fast_pattern; content:"Referer|3a|"; http_header; content:"content-type|3a|"; http_header; nocase; classtype:exploit-kit; sid:2022304; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_23, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.12.388"; ja3_hash; content:"07715901e2c6fe4c45e7c42587847d5d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028347; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".class"; nocase; fast_pattern; classtype:trojan-activity; sid:2014472; rev:8; metadata:created_at 2012_04_04, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.12.388"; ja3_hash; content:"329ff4616732b84de926caa7fd6777b0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028348; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js HTTP RCE Exploit Inbound (openUrlInDefaultBrowser)"; flow:from_server,established; file_data; content:"XMLHttpRequest"; nocase; content:"|3a|49155/api/openUrlInDefaultBrowser?"; fast_pattern; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:2022352; rev:3; metadata:created_at 2016_01_13, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - OS X WebSockets"; ja3_hash; content:"43bb6a18756587426681e4964e5ea4bf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028349; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js HTTP RCE Exploit Inbound (showSB)"; flow:from_server,established; file_data; content:"XMLHttpRequest"; nocase; content:"|3a|49155/api/showSB?url="; fast_pattern; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:2022353; rev:3; metadata:created_at 2016_01_13, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - osc (python openSUSE Leap 42.1) 1"; ja3_hash; content:"3b6da2971936ac24457616e8ad46f362"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028350; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrochilusRAT CnC Beacon 1"; flow:established,to_server; dsize:8; content:"|bf bf af af 7e 00 00 00|"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:command-and-control; sid:2022360; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - osc (python openSUSE Leap 42.1) 2"; ja3_hash; content:"95baa3d2068d8c8da71990a353cf8453"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028351; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrochilusRAT CnC Beacon 2"; flow:established,to_server; dsize:13; content:"|07 0d 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:command-and-control; sid:2022361; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Outlook 2007 (Win 8.1)"; ja3_hash; content:"53eb89fe6147474039c1162e4d9d3dc0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028352; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Script Loaded from Pastebin"; flow:established,to_client; file_data; content:"pastebin.com/raw"; fast_pattern; content:"<script "; pcre:"/^(?:(?!<\/script>).)*?src\s*=\s*\x5c?[\x22\x27]https?\x3a\/\/(?:www\.)?pastebin\.com\/raw(?:\/|\.php\?i=)[A-Z-a-z0-9]{8}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2022376; rev:3; metadata:created_at 2016_01_20, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - p4v/owncloud"; ja3_hash; content:"38cbe70b308f42da7c9980c0e1c89656"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028353; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN MySQL Malicious Scanning 1"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"GRANT ALTER, ALTER ROUTINE"; distance:0; nocase; within:30; content:"TO root@% WITH"; fast_pattern; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022579; rev:2; metadata:created_at 2016_03_01, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - PaleMoon Browser"; ja3_hash; content:"d82cbe0b93f2b02d490a14f6bc1d421a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028354; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN MySQL Malicious Scanning 2"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"set global log_bin_trust_function_creators=1"; fast_pattern; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022580; rev:2; metadata:created_at 2016_03_01, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - parsecd/apple.geod/apple.photomoments/photoanalysisd/FreedomProxy"; ja3_hash; content:"62448833d8230241227c03b7d441e31b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028355; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Generic HeapSpray Construct"; flow:established,to_client; file_data; content:"CollectGarbage"; nocase; fast_pattern; content:"var"; pcre:"/^\s+?(?P<vname>[^\s\x3d]+)\s*?=\s*?(?:0x(?:(6[4-9a-f]|[7-9a-f])|\d{3,})|\d{3,}).+?[\s\x3b]for\s*?\([^\x3b\)]*?\x3b[^\x3b\)]+?<=?\s*?(?P=vname)[^\)]+?\)\s*?(?:\{[^}]*?|[^\r\n]*?)document\s*\.\s*createElement/Rsi"; classtype:bad-unknown; sid:2018145; rev:5; metadata:created_at 2014_02_15, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - php script (tested 5.5.27)"; ja3_hash; content:"16765fe48127809dc0ca406769c9391e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028356; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Single JS file inside of ZIP Download (Observed as lure in malspam campaigns)"; flow:established,to_client; file_data; content:"PK"; within:2; content:"PK|01 02|"; distance:0; pcre:"/^.{42}[\x20-\x7f]{1,500}\.jsPK\x05\x06.{4}\x01\x00\x01\x00/Rsi"; content:".jsPK|05 06|"; nocase; fast_pattern; classtype:misc-activity; sid:2022636; rev:4; metadata:created_at 2016_03_22, former_category INFO, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Pidgin (tested 2.10.11)"; ja3_hash; content:"b74f9ecf158e0575101c16c5265a85b0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028357; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 27 2016 (fbset)"; flow:established,to_server; urilen:11<>57; content:".js"; http_uri; fast_pattern; pcre:"/^\/[a-z]{2,20}\/[a-z]{2,20}\/(?:(?:(?:featur|quot)e|ip)s|d(?:ropdown|etect)|co(?:mpiled|re)|header|jquery|lang|min|ga)\.js$/U"; flowbits:set,ET.WordJS; flowbits:noalert; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:exploit-kit; sid:2022770; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_27, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Pocket/Slack/Duo (Android)"; ja3_hash; content:"6ea7cfa450ce959818178b420f59fec4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028358; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 28 2016"; flow:established,from_server; file_data; content:"|3d 22 5c 78 32|"; content:"|3d 22 5c 78 36|"; content:"|3d 22 5c 78 37|"; fast_pattern; content:"</span>"; content:!"<span>"; distance:-500; within:500; pcre:"/^\s*?<script>\s*?(?:[A-Za-z][A-Za-z\d+]+\s*?\+?=\s*(?:[A-Za-z][A-Za-z\d]+|[\x22\x27]\\x[2-7][0-9a-fA-F](?:\\x[2-7][0-9a-fA-F]){0,4}[\x22\x27])\s*?\x3b){20}/Rs"; reference:url,researchcenter.paloaltonetworks.com/2016/03/unit42-campaign-evolution-darkleech-to-pseudo-darkleech-and-beyond/; classtype:exploit-kit; sid:2022772; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Polycom IP Phone Directory Lookup"; ja3_hash; content:"9e41b6bf545347abccf0dc8fd76083a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028359; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 29 2016"; flow:established,from_server; file_data; content:"|69 32 33 33 36 20 3d 3d 20 6e 75 6c 6c|"; nocase; fast_pattern; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 44 49 56 20 69 64 3d 63 68 65 63 6b 35 32 34 20 73 74 79 6c 65 3d 22 44 49 53 50 4c 41 59 3a 20 6e 6f 6e 65 22 3e|"; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d 22|"; classtype:exploit-kit; sid:2022774; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_29, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - postbox-bin"; ja3_hash; content:"e846898acc767ebeb2b4388e58a968d4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028404; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct M2"; flow:established,from_server; file_data; content:"redim"; nocase; fast_pattern; content:"Preserve"; nocase; content:"VBScript"; nocase; content:"chrw"; content:"32767"; distance:0; content:"chrw"; content:"2176"; distance:0; classtype:attempted-admin; sid:2022797; rev:3; metadata:created_at 2016_05_06, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Postfix with StartTLS"; ja3_hash; content:"26fa3da4032424ab61dc9be62c8e3ed0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028405; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 15 2016"; flow:established,from_server; content:"Set-Cookie|3a 20|bc3ad="; fast_pattern; content:"campaigns"; http_cookie; classtype:exploit-kit; sid:2022904; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_16, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - PubNub data stream #1 & Apteligent"; ja3_hash; content:"ef48bf8b2ccaab35642fd0a9f1bbe831"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028406; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Jun 22 2016 M1"; flow:established,to_server; content:"/js/analytic.php?id="; http_uri; fast_pattern; pcre:"/^\/js\/analytic\.php\?id=\d+&tz=\-?\d+&rs=\d+x\d+$/Ui"; classtype:exploit-kit; sid:2022909; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - PubNub data stream #2"; ja3_hash; content:"8cc24a6ff485c62e3eb213d2ca61cf12"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028407; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Jun 22 2016 M2"; flow:established,from_server; file_data; content:"&tz=|27|+tzSignature()+|27|&rs=|27|+rsSignature()+"; fast_pattern; content:"document.write("; pcre:"/^[\x22\x27](?!<script)[\x22\x27+\s]*<[\x22\x27+\s]*s[\x22\x27+\s]*c[\x22\x27+\s]*r[\x22\x27+\s]*i[\x22\x27+\s]*p[\x22\x27+\s]*t[^\r\n]+\.php\?id=\d+&tz=\x27\+tzSignature\x28\x29\+\x27&rs=/R"; classtype:exploit-kit; sid:2022910; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Pusherapp API"; ja3_hash; content:"12ad03cb3faa2748e92c9a38faab949f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028408; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp any any -> $HOME_NET 137 (msg:"ET INFO NBNS Name Query Response Possible WPAD Spoof BadTunnel"; byte_test:1,&,0x80,2; byte_test:1,!&,0x40,2; byte_test:1,!&,0x20,2; byte_test:1,!&,0x10,2; byte_test:1,=,0x00,3; content:"|00 00|"; offset:4; depth:2; content:"|46 48 46 41 45 42 45|"; fast_pattern; reference:url,tools.ietf.org/html/draft-ietf-wrec-wpad-01; reference:url,ietf.org/rfc/rfc1002.txt; classtype:protocol-command-decode; sid:2022914; rev:2; metadata:created_at 2016_06_23, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - py2app application (including box.net & google drive clients)"; ja3_hash; content:"ba502b2f5d64ac3d1d54646c0d6dd4dc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028409; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (exe generic custom headers)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern; content:"GET"; http_method; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"MSIE 7"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022942; rev:3; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Python Requests Library 2.4.3"; ja3_hash; content:"c398c55518355639c5a866c15784f969"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028410; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT LastPass RCE Attempt"; flow:from_server,established; file_data; content:"getBoundingClientRect"; nocase; content:"MouseEvent"; fast_pattern; content:"dispatchEvent"; nocase; pcre:"/^\s*\x28\s*new\s*MouseEvent\s*\x28\s*[\x22\x27]\s*click/Rsi"; content:"addEventListener"; nocase; pcre:"/^\s*\x28\s*[\x22\x27]\s*message/Rsi"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=884; classtype:trojan-activity; sid:2022989; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_07_28, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - python-requests/2.7.0 CPython/2.6.6 Linux/2.6.32-504.23.4.el6.x86_64"; ja3_hash; content:"1a9fb04aa1b4439666672be8661f9386"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028411; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Metasploit Browser Autopwn Aug1 2016"; flow:established,from_server; file_data; content:"|65 78 70 6c 6f 69 74 4c 69 73 74 2e 73 70 6c 69 63 65|"; nocase; fast_pattern; content:"|73 65 74 54 69 6d 65 6f 75 74 28 22 6c 6f 61 64 45 78 70 6c 6f 69 74 28 29 22|"; nocase; classtype:attempted-admin; sid:2023014; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Qsync Client"; ja3_hash; content:"a7823092705a5e91ce2b7f561b6e5b98"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028412; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Mobile Virus Scam M2 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"navigator.vibrate"; fast_pattern; content:"getURLParameter"; content:"gotooffer"; nocase; distance:0; content:"brandmodel"; nocase; distance:0; content:"countDown"; nocase; distance:0; content:"PreventExitPop"; nocase; distance:0; classtype:social-engineering; sid:2023080; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Reported as -"; ja3_hash; content:"4b06b445e3e12cdae777cec815ab90f5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028414; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 12 2016 (Flash)"; flow:established,to_server; content:"/promo"; http_uri; nocase; depth:6; content:"/promo.swf?t="; http_uri; nocase; fast_pattern; pcre:"/^\/promo\d+(?:x\d+)?\/promo\.swf\?t=\d+$/Ui"; classtype:exploit-kit; sid:2023186; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family EvilTDS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - RescueTime/Plantronics Hub"; ja3_hash; content:"c048d9f26a79e11ca7276499ef24daf3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028415; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; http_header; content:"Server|3a 20|nginx"; http_header; pcre:"/Content-Disposition\x3a\x20inline\x3b\x20filename=(?:[a-z0-9]{4})?\r\n/H"; file_data; content:"ZWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2020311; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_26, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - RingCentral App #2"; ja3_hash; content:"90f755509cba37094eb66be02335b932"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028416; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp any any -> $HOME_NET 3306 (msg:"ET EXPLOIT Possible MySQL cnf overwrite CVE-2016-6662 Attempt"; flow:established,to_server; content:"|03|"; offset:4; content:"global_log_dir"; nocase; distance:0; content:".cnf"; nocase; distance:0; content:"nmalloc_lib"; fast_pattern; reference:cve,2016-6662; reference:url,legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; classtype:attempted-admin; sid:2023202; rev:2; metadata:affected_product MySQL, attack_target Server, created_at 2016_09_13, deployment Datacenter, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - RingCentral App"; ja3_hash; content:"7743db23afb26f18d632420e6c36e076"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028417; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows netsh advfirewall show allprofiles Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Domain Profile Settings|3a|"; fast_pattern; content:"Firewall Policy"; classtype:trojan-activity; sid:2023216; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - RSiteAuditor"; ja3_hash; content:"35c0a31c481927f022a3b530255ac080"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028418; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC SERVICE get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AcceptPause"; fast_pattern; content:"AcceptStop"; content:"Caption"; content:"ExecutablePath"; classtype:trojan-activity; sid:2023223; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ruby script (tested: 2.0.0p481)"; ja3_hash; content:"688b34ca00a291ece0bc07b264b1344c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028419; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BleedingLife EK CVE-2014-6332 Exploit"; flow:to_server,established; content:"GET"; http_method; content:"|2f 32 30 31 34 2d 36 33 33 32 2e 70 68 70 3f|"; http_uri; fast_pattern; content:"/index.php?ss="; http_header; pcre:"/\.php\?\d{1,4}$/Ui"; classtype:exploit-kit; sid:2023288; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Exploit_Kit, malware_family BleedingLife, signature_severity Major, tag BleedingLifeEK, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ruby"; ja3_hash; content:"d219efd07cbb8fbe547e6a5335843f0f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028420; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BleedingLife EK CVE-2016-0189 Exploit"; flow:to_server,established; content:"GET"; http_method; content:"|2f 32 30 31 36 2d 30 31 38 39 2e 70 68 70 3f|"; http_uri; fast_pattern; content:"/index.php?ss="; http_header; pcre:"/\.php\?\d{1,4}$/Ui"; classtype:exploit-kit; sid:2023289; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Exploit_Kit, malware_family BleedingLife, signature_severity Major, tag BleedingLifeEK, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 525 - 533  534.57.2, Safari 525.21  525.29  531.22.7  533.21.1  534.57.2 / Adobe Reader DC 15.x Updater"; ja3_hash; content:"cbcd1d81f242de31fd683d5acbc70dca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028421; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Sep 26 2016"; flow:established,from_server; file_data; content:"document.write"; within:14; pcre:"/^\s*\x28\s*[\x22\x27]<div\s*style\s*=\s*[\x22\x27](?=[^\x22\x27\r\n]*position\x3aabsolute\x3b)(?=[^\x22\x27\r\n]*top\x3a\s\-\d+px\x3b)(?=[^\x22\x27\r\n]*left\x3a\s0px\x3b)[^\r\n]*?<iframe[^\r\n>]*\s><\/i[\x22\x27]\+[\x22\x27]frame>[^\r\n]*<\/div>[\x22\x27]\s*\x29\x3b$/R"; content:"|3c 2f 69 27 2b 27 66 72 61 6d 65 3e|"; fast_pattern; classtype:exploit-kit; sid:2023302; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, malware_family AfraidGate, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.34"; ja3_hash; content:"4c551900711d12c864cfe2f95e1c98c2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028422; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TheTrick Banking Trojan User-Agent"; flow:to_server,established; content:"User-Agent|3a 20 54 72 69 63 6b 4c 6f 61 64 65 72|"; fast_pattern; reference:md5,f26649fc31ede7594b18f8cd7cdbbc15; classtype:trojan-activity; sid:2023338; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_13, deployment Perimeter, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.34, rekonq1.1  Arora0.11.0"; ja3_hash; content:"30701f5050d504c31805594fb5c083b8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028423; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IE MSMXL Detection of Local SYS (Likely Malicious)"; flow:established,from_server; file_data; content:"res|3a|"; nocase; content:"loadXML"; nocase; content:"parseError"; nocase; content:"errorCode"; nocase; content:"-2147023083"; fast_pattern; content:".sys"; classtype:trojan-activity; sid:2021430; rev:4; metadata:created_at 2015_07_16, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.34, Safari/537.21"; ja3_hash; content:"41ba55231de6643721fbe2ae25fab85d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028424; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS Pegasus Safari Exploit (CVE-2016-4657)"; flow:established,from_server; file_data; content:"+="; pcre:"/^\s*?\x27try\s*?{}\s*?catch\x28e\x29\s*?{}\x3b/Rsi"; content:"Object"; pcre:"/^(?:\.|\[\s*?[\x22\x27])defineProperties\s*?\x28/Rsi"; content:"defineProperties"; fast_pattern; reference:cve,2016-4657; reference:url,blog.lookout.com/blog/2016/11/02/trident-pegasus-technical-details/; classtype:attempted-admin; sid:2023484; rev:3; metadata:affected_product iOS, affected_product Safari, attack_target Mobile_Client, created_at 2016_11_07, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.59.8"; ja3_hash; content:"fb1d89e16f4dd558ad99011070785cce"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028425; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Applet Tag In Edwards Packed JavaScript"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|applet|7C|"; nocase; fast_pattern; content:!"|7C|_dynarch_popupCalendar|7C|"; classtype:bad-unknown; sid:2015708; rev:6; metadata:created_at 2012_09_18, former_category INFO, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 536.30.1"; ja3_hash; content:"e2a482fbb281f7662f12ff6cc871cfe7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028426; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M1 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern; content:"/#24/"; pcre:"/^#?\d+/R"; content:".exe"; content:"|5c 5c|Progra"; nocase; classtype:exploit-kit; sid:2023586; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, malware_family Exploit_Kit_RIG, signature_severity Major, tag Exploit_kit_RIG, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 537.71"; ja3_hash; content:"cc5925c4720edb550491a12a35c15d4d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028427; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M2 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern; content:"/#16/"; pcre:"/^#?\d+/R"; content:".exe"; nocase; content:"|5c 5c|Progra"; nocase; classtype:exploit-kit; sid:2023587; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, malware_family Exploit_Kit_RIG, signature_severity Major, tag Exploit_kit_RIG, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 537.78.2"; ja3_hash; content:"88770e3ad9e9d85b2e463be2b5c5a026"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028428; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK EITest Inject Oct 17 2016 M2"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern; content:"<script type=|22|text/javascript|22|>"; pcre:"/^\s*var\s*(?P<var>[^\s=]+)\s*=\s*document.createElement\(\s*[\x22\x27]iframe[\x22\x27](?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:exploit-kit; sid:2023482; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_03, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari"; ja3_hash; content:"c36fb08942cf19508c08d96af22d4ffc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028429; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 M1"; flow:established,from_server; file_data; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65 2e 77 65 62 73 74 6f 72 65|"; nocase; content:"|2e 6d 61 74 63 68 28 2f 3e 28 5c 77 3f 5c 73 3f 2e 2a 3f 29 3c 2f 67 29|"; nocase; fast_pattern; content:"|5b 69 5d 2e 72 65 70 6c 61 63 65 28 65 76 61 6c 28|"; content:"unescape"; nocase; pcre:"/^\s*\([^\x29]*(?:\%2F|\/)(?:\%5B|\[)(?:\%5E|^)(?=[^\x29]*(?:%3C|\<))(?=[^\x29]*(?:%3E|\>))(?=[^\x29]*(?:\%5C|\\)(?:\%6E|n))/Rsi"; classtype:social-engineering; sid:2023743; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, signature_severity Major, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari/534.57.2, hola_svc"; ja3_hash; content:"77310efe11f1943306ee317cf02150b7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028430; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; pcre:"/^(?=[^>]+type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]+name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]+value\s*=\s*[\x22\x27](?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)[\x22\x27]/Rsi"; content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:social-engineering; sid:2023744; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, signature_severity Major, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari/604.1.38 Macintosh, Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"c07cb55f88702033a8f52c046d23e0b2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028431; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 EXE Download"; flow:established,from_server; content:"Chrome_Font.exe"; http_header; nocase; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]+filename\s*=\s*[\x22\x27]?Chrome_Font\.exe/Hmi"; classtype:social-engineering; sid:2023745; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, signature_severity Major, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari/604.3.1 Macintosh/apple.WebKit.Networking,itunesstored"; ja3_hash; content:"3e4e87dda5a3162306609b7e330441d2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028432; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK EITest Inject Oct 17 2016 M3"; flow:established,from_server; file_data; content:"oq="; fast_pattern; content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/(?=[^\x22\x27]*?[?&]oq=[A-Za-z0-9+\x2f_-]+(?:[\x22\x27]|&))(?=[^\x22\x27]*?[&?][a-z]+_[a-z]+=\d+)(?=[^\x22\x27]*?[&?]q=)/Ri"; classtype:exploit-kit; sid:2023547; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Salesforce Files"; ja3_hash; content:"844166382cc98d98595e6778c470f5d5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028433; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Lock Emoji In Title - Possible Social Engineering Attempt"; flow:from_server,established; file_data; content:"<title>"; nocase; pcre:"/^(?:(?!<\/title).)*\x26\x23x1F512/Ri"; content:"|26 23|x1F512"; fast_pattern; classtype:trojan-activity; sid:2023749; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SCANNER: hoax Firefox/40.1"; ja3_hash; content:"9a35e493f961ac377f948690b5334a9c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028434; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Unknown Trojan Checkin Jan 26 2017"; flow:to_server,established; content:"GET"; http_method; content:"/config.php?id="; http_uri; fast_pattern; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent"; http_header; pcre:"/\/config\.php\?id=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+/U"; reference:md5,2ccd95bb2e9d8c6e6b6eb68963461f08; classtype:command-and-control; sid:2023769; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SCANNER: wordpress wp-login Firefox/40.1"; ja3_hash; content:"ce5f3254611a8c095a3d821d44539877"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028435; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing M1 Feb 07 2016 M1"; flow:established,from_server; file_data; content:"value"; nocase; pcre:"/^\s*=\s*[\x27\x22](?:sh(?:ell(?:32)?)?|exec)=6wLrBej5\x2f\x2f/Rsi"; content:"6wLrBej5"; fast_pattern; classtype:exploit-kit; sid:2023878; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SCRAPER: DotBot"; ja3_hash; content:"d8844f000e5571807e9094e0fcd795fe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028436; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing M1 Feb 07 2016 M2"; flow:established,from_server; file_data; content:"EB02EB05E8F9FFFFFF"; nocase; fast_pattern; pcre:"/(?:value=[\x22\x27](?:sh(?:ell(?:32)?)?|exec)=|unescape\(EscapeHexString\(.)EB02EB05E8F9FFFFFF/si"; classtype:exploit-kit; sid:2023879; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Scraper: yandex.ru based Mozilla 4.0"; ja3_hash; content:"05e15a226e00230c416a8cdefeb483c7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:misc-activity; sid:2028437; rev:3; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Chrome Form Data Theft April 06 2015"; flow:established,to_server; content:".php?type=form&site="; fast_pattern; http_uri; reference:url,ocelot.li/the-malware-campaign-that-went-unnoticed/; classtype:trojan-activity; sid:2020847; rev:3; metadata:created_at 2015_04_07, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SeznamBot/3.2"; ja3_hash; content:"6cc3c7debc31952d05ecaacb6021925f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028438; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Request to malicious SutraTDS - lonly= in cookie"; flow:established,to_server; content:" lonly="; fast_pattern; content:" lonly="; http_cookie; classtype:exploit-kit; sid:2014884; rev:3; metadata:created_at 2012_06_09, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ShadowServer Scanner 1"; ja3_hash; content:"fa8b8ed07b1dd0e4a262bd44d31251ec"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028439; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Polymorphic Flush IPTables Shellcode"; content:"|6a 52 58 99 52 66 68 2d 46 54 5b 52 48 b9 69 70 74 61 62 6c 65 73 51 d0 e0 28 c8 48 b9 2f 2f 73 62 69 6e 2f 2f 51 54 5f 52 53 57 54 5e 0f 05|"; fast_pattern; reference:url,a41l4.blogspot.ca/2017/03/polyflushiptables1434.html; classtype:shellcode-detect; sid:2024057; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2017_03_15, deployment Perimeter, former_category SHELLCODE, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ShadowServer Scanner 2"; ja3_hash; content:"c05809230e9f7a6bf627a48b72dc4e1c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028440; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode"; content:"|31 ff 57 6a 69 58 48 bb 5e c4 d2 dc 5e 5e e6 d0 0f 05 48 d1 cb b0 3b 53 87 f7 54 99 5f 0f 05|"; fast_pattern; reference:url,a41l4.blogspot.ca/2017/03/polysetuidexecve1434.html; classtype:shellcode-detect; sid:2024058; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2017_03_15, deployment Perimeter, former_category SHELLCODE, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ShadowServer Scanner 3"; ja3_hash; content:"0ad94fcb7d3a2c56679fbd004f6b12cd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028441; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8880 (msg:"ET EXPLOIT IBM WebSphere - RCE Java Deserialization"; flow:to_server,established; content:"SOAPAction|3a 20||22|urn:AdminService|22|"; content:"<objectname xsi|3a|type=|22|ns1|3a|javax.management.ObjectName|22|>"; content:"vcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbn"; fast_pattern; reference:cve,2015-7450; classtype:attempted-user; sid:2024062; rev:3; metadata:affected_product IBM_Websphere, attack_target Server, created_at 2017_03_15, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"0add6ceb611a7613f97329af3b6828d9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028442; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Reverse Shell Shellcode"; content:"|6a 02 6a 2a 6a 10 6a 29 6a 01 6a 02|"; content:"|48 bf 2f 2f 62 69 6e 2f 73 68|"; fast_pattern; reference:url,exploit-db.com/exploits/41477/; classtype:shellcode-detect; sid:2024065; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category SHELLCODE, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"0b63812a99e66c82a20d30c3b9ba6e06"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028443; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK March 15 2017"; flow:established,from_server; file_data; content:"iframe"; nocase; content:"src"; nocase; pcre:"/^\s*=\s*[\x22\x27][Hh][Tt][Tt][Pp][Ss]?\x3a\x2f\x2f[^\x2f]+\x2f(?=[^\x2f\x22\x27]+=[^\x2f\x22\x27&]{0,5}QMvXcJ)[^\x2f\x22\x27]{90}/Rs"; content:"QMvXcJ"; fast_pattern; classtype:exploit-kit; sid:2024092; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_17, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"109dbd9238634b21363c3d62793c029c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028444; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK EITest Inject Oct 17 2016 M4"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern; content:"<script type=|22|text|2f|"; pcre:"/^(?:rocket|java)script\x22>\s*var\s*(?P<ifr>[^\s=]+)\s*=\s*[\x22\x27]iframe[\x22\x27].*?\s*var\s*(?P<var>[^\s=]+)\s*=\s*document\.createElement\(\s*(?P=ifr)(?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:exploit-kit; sid:2023748; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_19, deployment Perimeter, malware_family EITest, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"11e49581344c117df2c9ceb46e5594c4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028445; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK CVE-2016-0189 Exploit"; flow:established,from_server; file_data; content:"dllcode"; nocase; fast_pattern; content:"|28 26 68 34 64 2c 26 68 35 61 2c 26 68 38 30 2c 30 2c 31 2c 30 2c 30 2c 30|"; nocase; content:"GetSpecialFolder"; nocase; reference:cve,2016-0189; classtype:exploit-kit; sid:2024168; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"302579fd4ba13eca27932664f66725ad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028446; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET INFO SMTP PDF Attachment Flowbit Set"; flow:established,from_server; content:"|0d 0a 0d 0a|JVBERi"; fast_pattern; flowbits:set,ET.pdf.in.smtp.attachment; flowbits:noalert; classtype:bad-unknown; sid:2024236; rev:3; metadata:attack_target SMTP_Server, created_at 2017_04_21, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"badc09d74edf43c0204c4827a038c2fa"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028447; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kazuar CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:!"Accept"; http_header; content:"Referer|3a|"; http_header; content:"AuthToken="; depth:10; http_cookie; pcre:"/^AuthToken=[A-Za-z0-9+/]{43}=$/C"; content:"Cookie|3a 20|AuthToken="; fast_pattern; reference:md5,7a778e076e48ff269e91f17a15ea97d5; reference:url,researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/; classtype:command-and-control; sid:2024270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, former_category MALWARE, malware_family Turla, malware_family Kazuar, signature_severity Major, tag APT, tag RUAPT, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"f59a024cf47fdb835053ebf144189a47"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028448; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT WindowBase64.atob Function In Edwards Packed JavaScript - Possible iFrame Injection Detected"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|atob|7C|"; nocase; content:"|7C|iframe|7C|"; nocase; fast_pattern; reference:url,blog.malwarebytes.org/exploits-2/2015/02/celebrity-chef-jamie-olivers-website-hacked-redirects-to-exploit-kit/; classtype:exploit-kit; sid:2020605; rev:6; metadata:created_at 2015_03_04, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"f8f522671d2d2eba5803e6c002760c05"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028449; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Bingo Exploit Kit Landing May 08 2017"; flow:established,from_server; file_data; content:"+=String.fromCharCode("; pcre:"/^[a-z]\d{3}\[[a-z]\d{3}\]\^[a-z]\d{3}\)\x3breturn [a-z]\d{3}\x3b\}/R"; content:"|29 29 29 5e|"; fast_pattern; content:".text="; pcre:"/^[a-z]\d{3}\x3b[a-z]\d{3}\.getElementsByTagName\([a-z]\d{3}\(new Array\(\d+\,/R"; content:".type="; pcre:"/^[a-z]\d{3}\(new Array\(/R"; flowbits:set,ET.Fiesta.Exploit.URI; classtype:exploit-kit; sid:2025071; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_05_10, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan, mutt (tested: 1.5.23 - OS X)"; ja3_hash; content:"9d5869f950eeca2e39196c61fdf510c8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028450; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Tor based locker .onion Proxy domain in SNI July 31 2014"; flow:established,to_server; content:"iet7v4dciocgxhdv."; fast_pattern; nocase; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018872; rev:3; metadata:created_at 2014_08_01, former_category TROJAN, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan, mutt (tested: 1.6.2 OS X)"; ja3_hash; content:"3fcc12d9ee1f75a0212d1d16f7b9f8ad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028451; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish Jun 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"AppleSession"; http_cookie; content:"Cookie|3a 20|AppleSession"; fast_pattern; classtype:credential-theft; sid:2024374; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_10_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Signal (tested: 3.16.0 - Android)"; ja3_hash; content:"7dde4e4f0dceb29f711fb34b4bdbf420"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028452; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET EXPLOIT Suspicious FTP RETR to .hta file possible exploit (CVE-2017-0199)"; flow:established,to_server; content:"|2e|hta|0d 0a|"; nocase; fast_pattern; content:"RETR "; pcre:"/^[^\r\n]+\.hta\r?\n/Ri"; classtype:bad-unknown; sid:2024434; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_06_29, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Signal Chrome App"; ja3_hash; content:"07931ada5b9dd93ec706e772ee60782d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028453; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoOpen Macro"; flow:established,to_client; file_data; content:!"oct8ne"; content:"A|00|u|00|t|00|o|00|O|00|p|00|e|00|n"; nocase; fast_pattern; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019613; rev:4; metadata:created_at 2014_10_31, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SkipFish (tested: v2.10b kali)"; ja3_hash; content:"cfb6d1c72d09d4eaa4c7d2c0b1ecbce7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028454; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Rip Sep 05 2017"; flow:established,from_server; file_data; content:"iddq"; fast_pattern; content:"<param"; nocase; pcre:"/^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27]iddqd?\s*=/Rsi"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2024660; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, performance_impact Moderate, signature_severity Major, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Skype (additional Win 10)"; ja3_hash; content:"7a75198d3e18354a6763860d331ff46a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028455; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Rip Sep 05 2017 M2"; flow:established,from_server; file_data; content:"iddq"; fast_pattern; content:"<param"; nocase; pcre:"/^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27][^=]*\s*=EB02EB05E8F9FFFFFF/Rsi"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2024661; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, performance_impact Moderate, signature_severity Major, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Skype (multiple platforms)"; ja3_hash; content:"06207a1730b5deeb207b0556e102ded2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028456; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-8759 Soap File DL"; flow:established,from_server; file_data; content:"process.start"; nocase; fast_pattern; content:"<service"; nocase; pcre:"/^(?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*[\x22\x27](?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*?\x22[^\x22]*\r?\n[^\x22]*?process\.start/Rsi"; classtype:attempted-admin; sid:2024702; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_13, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Skype (tested 7.18(341) on OSX)"; ja3_hash; content:"5ef08bc989a9fcc18d5011f07d953c14"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028457; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-8759 Soap File DL"; flow:established,from_server; file_data; content:"process.start"; nocase; fast_pattern; content:"<service"; nocase; pcre:"/^(?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*[\x22\x27](?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*?\x22[^\x22]*\r?\n[^\x22]*?process\.start/Rsi"; classtype:attempted-admin; sid:2024706; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_15, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Skype"; ja3_hash; content:"49a341a21f4fd4ac63b027ff2b1a331f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028458; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Jul 24 2015"; flow:to_client,established; file_data; content:"GOOGLE.com?</title>"; fast_pattern; content:"view shared document"; content:"ValidateFormYahoo"; distance:0; content:"ValidateFormGmail"; distance:0; content:"ValidateFormHotmail"; distance:0; content:"ValidateFormAol"; distance:0; content:"ValidateFormOther"; distance:0; classtype:social-engineering; sid:2025682; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Slack Desktop App"; ja3_hash; content:"c8ada45922a3e7857e4bfd4fc13e8f64"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028459; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android JadeRAT CnC Beacon"; flow:to_server,established; dsize:<500; content:"@!MyID|3a|"; depth:7; content:"IMEI|3a|"; distance:0; content:"Mobile|20|ID|3a|"; content:"SIM|3a|"; content:"IMSI|3a|"; content:"Android|20|version|3a|"; content:"Model|3a|"; content:"All|20|SD|20|Size|3a|"; fast_pattern; content:"Free|20|SD|20|Size|3a|"; content:"Network|20|type|3a|"; reference:md5,9027f111377598362972745478e40311; reference:url,blog.lookout.com/mobile-threat-jaderat; classtype:command-and-control; sid:2024895; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_JadeRAT, signature_severity Major, tag Android, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Slack"; ja3_hash; content:"3d72e4827837391cd5b6f5c6b2d5b1e1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028460; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Safari UXSS (CVE-2017-7089)"; flow:from_server,established; file_data; content:"parent-tab://"; fast_pattern; content:"open"; pcre:"/\b(?P<varname>[^\s\x3d]+)\s*\x3d\s*open\s*\x28\s*[^\x29]+parent-tab:\/\/.+(?P=varname)\s*\.\s*document\s*\.\s*body\s*.\s*innerHTML\s*=/si"; reference:cve,2017-7089; classtype:attempted-user; sid:2024995; rev:3; metadata:affected_product Safari, attack_target Client_Endpoint, created_at 2017_11_15, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Slack"; ja3_hash; content:"a5aa6e939e4770e3b8ac38ce414fd0d5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028461; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell commands sent B64 1"; flow:established,from_server; content:"UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAc"; fast_pattern; classtype:trojan-activity; sid:2025010; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Slack"; ja3_hash; content:"cdd8179dc9c0e4802f557b62bae73d43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028462; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell commands sent B64 2"; flow:established,from_server; content:"MAdABhAHIAdAAtAFAAcgBvAGMAZQBzAH"; fast_pattern; classtype:trojan-activity; sid:2025011; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Slackbot Link Expander"; ja3_hash; content:"22cca8ed59288f4984724f0ee03484ea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028463; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell commands sent B64 3"; flow:established,from_server; content:"TAHQAYQByAHQALQBQAHIAbwBjAGUAcwBz"; fast_pattern; classtype:trojan-activity; sid:2025012; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Spark"; ja3_hash; content:"116ffc8889873efad60457cd55eaf543"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028464; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Doc Download EXE Primer (flowbits set)"; flow:established,to_server; content:"?id="; http_uri; content:"&act="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\.[^\x3F]+\?id=\d+&act=\d+$/U"; flowbits:set,ET.MalDocEXEPrimer; flowbits:noalert; reference:url,fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2020837; rev:6; metadata:created_at 2015_04_03, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SpiderOak (tested: 6.0.1)"; ja3_hash; content:"f51156bcd5033603e750c8bd4db254e3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028465; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GrandSoft EK IE Exploit Jan 30 2018"; flow:established,from_server; file_data; content:"|3d 20 22 2c|&h|22|"; nocase; fast_pattern; content:"4d"; nocase; content:"5a"; nocase; within:20; content:"responseBody"; nocase; content:"Dim "; nocase; content:"Dim "; nocase; distance:0; content:"Win32_OperatingSystem"; nocase; classtype:exploit-kit; sid:2025272; rev:3; metadata:created_at 2018_01_30, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SpotlightNetHelper/Safari"; ja3_hash; content:"8db4b0f8e9dd8f2fff38ee7c5a1e4496"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028466; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Spectre Exploit Javascript"; flow:from_server,established; file_data; content:"0x1000000"; fast_pattern; pcre:"/(?<var1>[^=\s]*)\s*=\s*0x1000000.+?\x28\s*\x28\s*\x28\s*\w+\s*<<\s*12\s*\x29\s*\|\s*0\s*\x29\s*\+\s*(?P=var1)\s*\x29\s*\|\s*0/s"; reference:cve,2017-5753; reference:cve,2017-5715; reference:url,github.com/cgvwzq/spectre; classtype:attempted-user; sid:2025188; rev:6; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 1"; ja3_hash; content:"24339ea346521d98a8c50fd3713090c9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028469; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT VBscript UAF (CVE-2018-8373)"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"class_initialize"; nocase; fast_pattern; content:"<script "; nocase; content:"Redim"; nocase; content:"private"; nocase; pcre:"/^\s+sub\s+class_initialize\b(?:(?!end\s*sub).)*?\bReDim\s+array\b/Rsi"; content:"Public"; pcre:"/^\s+Default\s+Property\b(?:(?!end\s*property).)*?\bReDim\s+Preserve\s+array\b/Rsi"; reference:cve,2018-8373; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-cve-2018-8373-exploit-spotted-in-the-wild/; classtype:attempted-user; sid:2026411; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_26, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 2"; ja3_hash; content:"ad5d6f490f3819dc60b2a2fbe5bd1cba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028470; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Reverse HTTPS certificate"; flow:from_server,established; content:"|A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00|"; fast_pattern; content:"|16 03 03|"; pcre:"/^..\x0B.{9}\x30\x82..\x30\x82..\xA0\x03\x02\x01\x02\x02(?:\x09.{9}|\x08.{8})/Rs"; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30|"; within:16; pcre:"/^.\x31.\x30.\x06\x03\x55\x04\x03\x0C.([a-z]{2,9})\x30.\x17\x0D[0-9]{12}Z\x17\x0D[0-9]{12}Z\x30.\x31.\x30.\x06\x03\x55\x04\x03\x0C.\g{1}\x30\x82../Rs"; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|"; within:17; pcre:"/^...\x30\x82..\x02\x82...{256,257}/Rs"; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|"; within:36; content:!"|06|ubuntu"; content:!"|04|mint"; content:!"|a9 d5 73 d2 a0 a5 a1 69|"; reference:url,blog.didierstevens.com/2015/05/11/detecting-network-traffic-from-metasploits-meterpreter-reverse-http-module; classtype:trojan-activity; sid:2021178; rev:7; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_06_03, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 3"; ja3_hash; content:"1e9557c377f8ff50b80b7f87b60b1054"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028471; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u0020javascript|3a|"; nocase; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:attempted-user; sid:2020398; rev:5; metadata:created_at 2015_02_12, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 4"; ja3_hash; content:"c3c59ec21835721c92571e7742fadb88"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028472; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Sept 14 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 03|"; pcre:"/^.{2}[A-Z]?[a-z]+ [A-Z]?[a-z]+/Rs"; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; pcre:"/^.{2}[A-Z]?[a-z]+\.[A-Z]?[a-z]+@gmail\.com[01]/Rs"; content:"@gmail.com"; fast_pattern; reference:md5,f22cad1a3985a5183a76324b448e06f2; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021773; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Steam OSX"; ja3_hash; content:"39cf5b7a13a764494de562add874f016"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028473; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT QNAP Shellshock script retrieval"; flow:established,from_server; file_data; content:"|2f|share|2f|MD0_DATA|2f|optware|2f|.xpl|2f|"; fast_pattern; content:"unset HISTFIE"; reference:url,www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; reference:cve,2014-6271; classtype:attempted-admin; sid:2019905; rev:4; metadata:created_at 2014_12_10, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Synology DDNS Beacon"; ja3_hash; content:"cab4a6a0c7ac91c2bd9e93cb0507ad4e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028474; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category JA3, signature_severity Major, tag c2, updated_at 2019_10_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Exodus Intel IE HTML+TIME EIP Control Technique"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern; content:"CollectGarbage"; nocase; content:"try"; distance:0; nocase; content:".values"; distance:0; nocase; pcre:"/^[\r\n\s\+]*?=.+?\}[\r\n\s]*?catch/Rsi"; reference:cve,2012-4792; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; classtype:attempted-user; sid:2016138; rev:6; metadata:created_at 2013_01_03, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tableau"; ja3_hash; content:"2d3854d1cbcdceece83eabd85bdcc056"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028475; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M2"; flow:established,to_server; content:"GET"; http_method; content:".dill/"; fast_pattern; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/[a-z]+\.dill\/$/U"; classtype:social-engineering; sid:2021968; rev:4; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tableau"; ja3_hash; content:"a585c632a2b49be1256881fb0c16c864"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028476; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerShell/Agent.A DNS File Transfer CnC Beacon"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"00"; distance:1; within:2; content:"00000"; distance:0; pcre:"/^[0-9A-Z]+232A/R"; content:"232A"; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html; classtype:command-and-control; sid:2022837; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tableau"; ja3_hash; content:"cd7c06b9459c9cfd4af2dba5696ea930"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028477; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT X20 EK Download Aug 07 2013"; flow:established,from_server; content:"filename=app.jar|0d 0a|"; http_header; fast_pattern; file_data; content:"PK"; within:2; content:"|CA FE BA BE|"; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017299; rev:8; metadata:created_at 2013_08_08, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tenable Passive Vulnerability Scanner Plugin Updater"; ja3_hash; content:"24993abb75ddda7eaf0709395e47ab4e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028478; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT echo command attempt"; flow:to_server,established; content:"/bin/echo"; nocase; fast_pattern; classtype:web-application-attack; sid:2101334; rev:11; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - TextSecure Name Lookup (Tested: Android)"; ja3_hash; content:"97d3b9036d5a4d7f1fe33fe730f38231"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028479; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Version 1.1 Applet Value lxxt"; flow:established,to_client; file_data; content:"value=|22|lxxt>33"; fast_pattern; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:exploit-kit; sid:2014853; rev:6; metadata:created_at 2012_06_05, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ThunderBird (v17.0 OS X)"; ja3_hash; content:"207409c2b30e670ca50e1eac016a4831"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028480; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing (Payload Downloaded Via Dropbox)"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; content:"6u27.jar"; content:"6u41.jar"; fast_pattern; classtype:exploit-kit; sid:2017014; rev:4; metadata:created_at 2013_06_13, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ThunderBird (v38.0.1 OS X), Thunderbird 38.7.0 (openSUSE Leap 42.1)"; ja3_hash; content:"4623da8b4586a8a4b86e31d689aa0c15"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028481; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)"; flow:from_server,established; file_data; content:"<style"; nocase; pcre:"/^[^>]*?>\s*?form\s*?\{\s*?-ms-behavior\s*?\x3a\s*?url/Rsi"; content:"x-ua-compatible"; nocase; pcre:"/^[\x22\x27]\s*content\s*=\s*[\x22\x27]\s*IE\s*=\s*10/Rsi"; content:"<button"; nocase; content:"<label"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"<optgroup"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"-ms-behavior"; nocase; fast_pattern; reference:cve,2015-2444; classtype:attempted-user; sid:2021709; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_08_24, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Browser (tested: 5.0.1f - May clash with FF38)"; ja3_hash; content:"0ed768d6e3bc66af60d31315afd423f2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028482; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Geost CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/geost.php?bid="; fast_pattern; classtype:command-and-control; sid:2028661; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_10_08, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Geost, updated_at 2019_10_08, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Browser (v4.5.3 OS X - based on FF 31.8.0)"; ja3_hash; content:"8c9a7fe81ba61dab1454e08f42f0a004"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028483; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www."; distance:1; within:5; content:".com"; distance:8; within:4; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[a-zA-Z0-9]+\x2e[01]/R"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022480; rev:3; metadata:attack_target Client_and_Server, created_at 2016_02_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Relay Traffic (tested 0.2.7.6)"; ja3_hash; content:"5b3eee2766b876e623ba05508d269830"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028484; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT EgyPack Exploit Kit Post-Infection Request"; flow:established,to_server; content:"Egypack"; nocase; http_user_agent; depth:7; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:exploit-kit; sid:2013176; rev:7; metadata:created_at 2011_07_04, former_category EXPLOIT_KIT, updated_at 2019_10_11;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Relay Traffic (tested 0.2.7.6), Tor Uplink (via Tails distro)"; ja3_hash; content:"79f0842a32b359d1b683c569bd07f23b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028485; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ddns .net"; dns.query; content:".ddns.net"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028675; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - tor uplink (tested 0.2.2.35)"; ja3_hash; content:"3b8f3ace50a7c7cd5205af210f17bb70"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028486; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ddnsking .com"; dns.query; content:".ddnsking.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028676; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tor uplink (tested: 0.2.6.10)"; ja3_hash; content:"659007d8bae74d1053f6ca4a329d25a7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028487; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.3utilities .com"; dns.query; content:".3utilities.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028677; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tracking something (noted with Dropbox Installer & Skype - Win 10)"; ja3_hash; content:"bc329d2a71e749067424502f1f72e13a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028488; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Trident/7.0"; ja3_hash; content:"2a458dd9c65afbcf591cd8c2a194b804"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028489; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Trident/7.0"; ja3_hash; content:"aea96546ac042f29fed1e2203a9b4c3f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028490; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - True Key"; ja3_hash; content:"df65746370dcabc9b4f370c6e14a8156"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028491; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Twitterbot/1.0"; ja3_hash; content:"edcf2fd479271286879efebd22bc8d16"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028492; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Software Center"; ja3_hash; content:"633e9558d4b25b46e8b1c49e10faaff4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028493; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Software Center"; ja3_hash; content:"b9b4d1f7283b5ddc59d0b8d15e386106"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028494; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #1"; ja3_hash; content:"ac206b75530d569a0a64cec378eb4b66"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028495; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #2"; ja3_hash; content:"94feb9008aeb393e76bac31b30af6ad0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028496; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #3"; ja3_hash; content:"f1b7bbeb8b79cecd728c72bba350d173"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028497; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #4"; ja3_hash; content:"3f00755c412442e642f5572ed4f2eaf2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028498; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - UMich Scanner (can use: zgrab)"; ja3_hash; content:"0e580f864235348848418123f96bbaa0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028499; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - UMich Scanner (can use: zgrab)"; ja3_hash; content:"9a1c3fed39b016b8d81cc77dae70f60f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028500; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - UMich Scanner (can use: zgrab)"; ja3_hash; content:"dc76bc3a4e3bc38939dfd90d8b7214b7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028501; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Unidentified attack tool"; ja3_hash; content:"90f6c4b0577fb24a31bea0acc1fcc27d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028502; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown BrowserStack timeframe SMTP STARTLS"; ja3_hash; content:"7bc3475b771c44c764614397da069d28"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028503; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown SMTP server (207.46.100.103)"; ja3_hash; content:"23a9b0eb3584e358816a123c208a2c8b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028504; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown SMTP Server (used by Facebook)"; ja3_hash; content:"26cdef14ec70c2d6ebd943fe8069c4da"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028505; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown Something on Android that talks to Google Analytics"; ja3_hash; content:"335ec05b3ddb3800a8df47641c2d8e33"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028506; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown TLS Scanner"; ja3_hash; content:"18e9afaf91db6f8a2470e7435c2a1d6b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028507; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - UNVERIFIED: May be BlueCoat proxy"; ja3_hash; content:"f6bae8bacf93b5e97e80b594ffeba859"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028508; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - urlgrabber/3.10 yum/3.4.3"; ja3_hash; content:"37f691b063c10372135db21579643bf1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028509; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many desktop apps,Quip,Spotify,GitHub Desktop"; ja3_hash; content:"84071ea96fc8a60c55fc8a405e214c0f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028510; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"40fd0a5e81ebdcf0ec82a4710a12dec1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028511; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"618ee2509ef52bf0b8216e1564eea909"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028512; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"799135475da362592a4be9199d258726"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028513; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"7b530a25af9016a9d12de5abc54d9e74"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028514; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"c05de18b01a054f2f6900ffe96b3da7a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028515; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"e4d448cdfe06dc1243c1eb026c74ac9a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028516; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"f1c5cf087b959cec31bd6285407f689a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028517; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Python/PHP/Git/dotnet/Adobe"; ja3_hash; content:"488b6b601cb141b062d4da7f524b4b22"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028518; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Quip/Aura/Spotify/Chatty"; ja3_hash; content:"f28d34ce9e732f644de2350027d74c3f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028519; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Quip/Spotify/Dropbox/GitHub Desktop/etc"; ja3_hash; content:"190dfb280fe3b541acc6a2e5f00690e6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028520; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Slack/Postman/Spotify/Google Chrome"; ja3_hash; content:"20dd18bdd3209ea718989030a6f93364"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028521; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Valve Steam Client #1"; ja3_hash; content:"2d96ffb535c7c7a30cad924b9b9f2b52"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028522; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Valve Steam Client #2"; ja3_hash; content:"ab1fa6468096ab057291aa381d5de2b7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028523; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Viber"; ja3_hash; content:"e0224fc1c33658f2d3d963bfb0a76a85"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028524; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - VirtualBox Update Poll (tested 5.0.8 r103449)"; ja3_hash; content:"41e3681b7c8c915e33b1f80d275c19d5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028525; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - VLC"; ja3_hash; content:"81fb3e51bf3f18c5755146c28d07431b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028526; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - VMWare Fusion / Workstation / Player Update Check 8.x-12.x"; ja3_hash; content:"cff90930827e8b0f4e5a6fcc17319954"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028527; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - VMWare Update Check 6.x"; ja3_hash; content:"a50a861119aceb0ccc74902e8fddb618"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028528; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - VMware vSphere Client (Tested v4.1.0)"; ja3_hash; content:"48e69b57de145720885af2894f2ab9e7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028529; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - vpnkit"; ja3_hash; content:"01319090aea981dde6fc8d6ae71ead54"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028530; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3af (tested: v1.6.54 Kali 1)"; ja3_hash; content:"10a686de1c41107df06c21df245e24cd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028531; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3af (tested: v1.6.54 Kali 2)"; ja3_hash; content:"f13e6d84b915e17f76fdf4ea8c959b4d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028532; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3af (tested: v1.6.54 Kali 3)"; ja3_hash; content:"345b5717dae9006a8bcd4cb1a5f09891"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028533; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3c HTML Validator"; ja3_hash; content:"74ebac04b642a0cab032dd46e8099fdc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028534; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3c HTML Validator, java,eclipse"; ja3_hash; content:"4056657a50a8a4e5cfac40ba48becfa2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028535; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3m (tested: 0.5.3 OS X)"; ja3_hash; content:"975ef0826e8485f2335db71873cb34c6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028536; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3m 0.5.3 (OS X version)"; ja3_hash; content:"6b4b535249a1dcd95e3b4b6e9e572e5e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028537; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3m 0.5.3 / lynx 3.2 / svn 1.8.10 (openSUSE Leap 42.1)"; ja3_hash; content:"575771dbc723df24b764ac0303c19d10"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028538; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Web"; ja3_hash; content:"0172e9e41a8940e6a809967e4835214a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028539; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - WebKit per Safari 9.0.1 (11601.2.7.2)"; ja3_hash; content:"58d97971a14d0520c5c56caa75470948"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028540; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - WebKit per Safari 9.0.1 (11601.2.7.2)"; ja3_hash; content:"9ef7a86952e78eeb83590ff4d82a5538"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028541; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - WeeChat"; ja3_hash; content:"8e1172bd5dcc4698928c7eb454a2c3de"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028542; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - wget (tested GNU Wget 1.16.1 & 1.17 on OS X)"; ja3_hash; content:"5f1d4c631ddedf942033c9ae919158b8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028543; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - wget 1.14 (openSUSE Leap 42.1)"; ja3_hash; content:"70663c6da28b3b9ac281d7b31d6b97c3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028544; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Wii-U"; ja3_hash; content:"444434ebe3f52b8453c3803bff077ebd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028545; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Win default thing a la webkit"; ja3_hash; content:"c8d1364bba308db5a4a20c65c58ffde1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028546; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Win10 Mail Client"; ja3_hash; content:"123b8f4705d525caffa3f2b36447f481"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028547; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 10 Native Connection"; ja3_hash; content:"aee020803d10a4d39072817184c8eedc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028548; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 10 WebSockets (inc Edge) #1"; ja3_hash; content:"205200cdaac61b110838556b834070d1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028549; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 10 WebSockets (inc Edge) #2"; ja3_hash; content:"5a0fa8873e5ffe7d9385647adc8912d7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028550; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 8.x Apps Store thing (unconfirmed)"; ja3_hash; content:"a7b2f0639f58f97aec151e015be1f684"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028551; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 8.x Builtin Mail Client"; ja3_hash; content:"0d15924fe8f8950a3ec3a916e97c8498"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028552; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 8.x TLS Socket"; ja3_hash; content:"a8ee937cf82bb0972fecc23d63c9cd82"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028553; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Windows Watson WCEI Telemetry Gather"; ja3_hash; content:"2c14bfb3f8a2067fbc88d8345e9f97f3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028554; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - wineserver"; ja3_hash; content:"84607748f3887541dd60fe974a042c71"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028555; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Yahoo! Slurp Indexer"; ja3_hash; content:"1202a58b454f54a47d2c216567ebd4fb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028557; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Yahoo! Slurp Indexer"; ja3_hash; content:"de364c46b0dfc283b5e38c79ceae3f8f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028558; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Yandex Bot, wget 1.18"; ja3_hash; content:"d83881675de3f6aacbcc0b2bae6f8923"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028559; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - youtube-dl 2016.06.03 (openSUSE Leap 42.1)"; ja3_hash; content:"11404429d240670cc018bed04e918b6f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028560; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Zite (Android) 1 - May collide with Chrome"; ja3_hash; content:"f8f5b71e02603b283e55b50d17ede861"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028561; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - Zite (Android) 2 - May collide with Chome"; ja3_hash; content:"5ae88f37a16f1b054f2edff1c8730471"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028562; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+
+#alert tls any any -> any any (msg:"ET DELETED Hash - ZwiftApp"; ja3_hash; content:"c2b4710c6888a5d47befe865c8e6fb19"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028563; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
 alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.bounceme .net"; dns.query; content:".bounceme.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028678; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
 
@@ -28074,8 +27612,6 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Cobal
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Meterpreter Reverse Shell M1 (set)"; flow:established,to_server; ja3.hash; content:"8916410db85077a5460817142dcbc8de"; flowbits:set,ET.meterpreter.ja3; flowbits:noalert; classtype:command-and-control; sid:2028828; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Meterpreter, signature_severity Major, updated_at 2019_10_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hash - Suspected Meterpreter Reverse Shell (ja3s) M1"; flow:established,from_server; ja3s.hash; content:"e35df3e00ca4ef31d42b34bebaa2f86e"; flowbits:isset,ET.meterpreter.ja3; classtype:command-and-control; sid:2028829; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Meterpreter, signature_severity Major, updated_at 2021_07_26;)
-
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Meterpreter Reverse Shell M2 (set)"; flow:established,to_server; ja3.hash; content:"72a589da586844d7f0818ce684948eea"; flowbits:set,ET.meterpreter.ja3; flowbits:noalert; classtype:command-and-control; sid:2028830; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Meterpreter, signature_severity Major, updated_at 2019_10_15;)
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OSX/AppleJeus Variant CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=beastgoc.com"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x49.html; classtype:domain-c2; sid:2028827; rev:1; metadata:affected_product Mac_OSX, attack_target Client_and_Server, created_at 2019_10_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
@@ -28114,6 +27650,10 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious Us
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Dyre Downloading Mailer"; flow:established,to_server; content:"GET"; http_method; content:".tar"; http_uri; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| Win64|3b| x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36|0d 0a|Host|3a|"; depth:132; http_header; fast_pattern:50,20; pcre:"/^[^\r\n]+\r\n(?:\r\n)?$/RH"; pcre:"/\.tar$/U"; classtype:trojan-activity; sid:2020308; rev:4; metadata:created_at 2015_01_26, former_category MALWARE, updated_at 2020_08_20;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Dropper YABROD Downloading Files"; flow:from_client,established; urilen:11; content:"/Yabrod.pdf"; content:"User-Agent|3a 20|n1|0d 0a|"; fast_pattern:12,4; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; reference:md5,44df02ac28d80deb45f5c7c48b56a858; reference:url,fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf; classtype:trojan-activity; sid:2020346; rev:3; metadata:created_at 2015_02_03, former_category MALWARE, updated_at 2019_10_16;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Onkod.Downloader Executable Download"; flow:established,to_server; content:"/js/"; http_uri; content:".exe"; fast_pattern; http_uri; content:"User-Agent|3A 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64|3b| rv|3a|22.0) Gecko/20100101 Firefox/22.0|0D 0A|"; http_header; pcre:"/\x2Fjs\x2F[\r\n]*\x2Eexe$/U"; reference:url,blog.fortinet.com/Avoiding-Heuristic-Detection/; classtype:trojan-activity; sid:2017617; rev:4; metadata:created_at 2013_10_18, former_category MALWARE, updated_at 2019_10_16;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SoftwareTracking Site - Download Report"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:28; content:"/pspwebservices/service.asmx"; http.header_names; content:"|0d 0a|SOAPAction|0d 0a|"; http.request_body; content:"DownloadTracKRecord"; content:"<mac>"; distance:0; content:"<prgname>"; distance:0; content:"<cpuid>"; reference:md5,740c2c6573066bf64718ea773f4ad9a7; classtype:pup-activity; sid:2028864; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Informational, updated_at 2019_10_17;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SoftwareTracking Site - Install Report"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:28; content:"/pspwebservices/service.asmx"; http.header_names; content:"|0d 0a|SOAPAction|0d 0a|"; http.request_body; content:"SSCSM_TraceRecord"; content:"<prgname>"; distance:0; content:"<macid>"; distance:0; content:"<cpuid>"; distance:0; content:"<sysname>"; distance:0; reference:md5,740c2c6573066bf64718ea773f4ad9a7; classtype:pup-activity; sid:2028878; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Informational, updated_at 2019_10_18;)
@@ -28172,8 +27712,6 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malwar
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - AnglerEK"; ja3_hash; content:"d55e755245ac118f2b1847c1c57b5e03"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028361; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Hash - Possible Malware - Banking Phish"; ja3_hash; content:"10ee8d30a5d01c042afd7b2b205facc4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2030399; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2020_06_26;)
-
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Boleto Malspam"; ja3_hash; content:"4f635262ad3fb6e634daee798082c788"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028363; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Boleto Malspam"; ja3_hash; content:"e9273590c7875d6367325f8714890790"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028364; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
@@ -28216,8 +27754,6 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malwar
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Neutrino"; ja3_hash; content:"fd6bbdf835788b3c7d33372127470a06"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028383; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Hash - Possible Malware - NuclearEK/Malspam"; ja3_hash; content:"1be3ecebe5aa9d3654e6e703d81f6928"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028384; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_30;)
-
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - NuclearEK"; ja3_hash; content:"fd2273056f386e0ba8004e897c337037"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028385; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - RigEK"; ja3_hash; content:"1848357994c2851c809cb01bae7d631c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028386; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
@@ -28386,7 +27922,7 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Poss
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Client Check-in (socket created)"; flow:established,to_server; dsize:5; content:"|01 00 00 00 98|"; flowbits:isset,ET.NetwireRAT.Client; reference:md5,b0e58a8f45a3e45fd7ee2b4cc20474b3; classtype:command-and-control; sid:2028918; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_29, deployment Perimeter, former_category MALWARE, malware_family Netwire_RAT, performance_impact Moderate, signature_severity Major, updated_at 2019_10_29;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET DELETED Unk/LNKR CnC Domain Observed in DNS Query"; dns_query; content:"cdn-javascript.net"; nocase; isdataat:!1,relative; classtype:domain-c2; sid:2028923; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_11_05;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Hash - Possible Malware - NuclearEK/Malspam"; ja3_hash; content:"1be3ecebe5aa9d3654e6e703d81f6928"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028384; rev:3; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_30;)
 
 alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT VMware VeloCloud Authorization Bypass (CVE-2019-5533)"; flow:established,to_server; http.request_body; content:"|7b 22|jsonrpc|22 3a 22|"; startswith; content:"/getEnterpriseUser|22|"; distance:0; fast_pattern; content:",|22|params|22 3a 7b 22|id|22 3a|"; distance:0; pcre:"/^(?P<num_value>\d+)\x7d,\x22id\x22\x3a(?P=num_value)/R"; http.method; content:"POST"; reference:cve,2019-5533; classtype:attempted-admin; sid:2028928; rev:1; metadata:created_at 2019_10_31, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2019_10_31;)
 
@@ -28396,6 +27932,8 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT PluginDetect
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible MSFVenom Exploit via Browser"; flow:established,to_client; file_data; content:"<script"; within:12; content:"ARR_SIZE ="; distance:0; content:"function search_corrupted_array()"; distance:0; content:"//msfvenom -p"; distance:0; fast_pattern; content:"windows/exec cmd="; within:20; classtype:exploit-kit; sid:2028940; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_05, deployment Perimeter, signature_severity Major, updated_at 2019_11_05;)
 
+#alert dns $HOME_NET any -> any any (msg:"ET DELETED Unk/LNKR CnC Domain Observed in DNS Query"; dns_query; content:"cdn-javascript.net"; nocase; isdataat:!1,relative; classtype:domain-c2; sid:2028923; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_11_05;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (Random String)"; flow:established,to_server; http.user_agent; content:"Random String"; bsize:13; reference:md5,a1e56bd465d1c1b5fc19384a3a7ec461; classtype:trojan-activity; sid:2028947; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_11_07, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2019_11_07;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Keyboy CN APT CnC Domain in DNS Lookup"; dns.query; content:"www.123456abcgsdwere56463455345435435657222222.com"; bsize:50; nocase; classtype:domain-c2; sid:2028948; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, updated_at 2019_11_07;)
@@ -28414,17 +27952,17 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE Keyboy CN APT CnC Domain in
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/IcedID WebSocket Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/data3.php?"; startswith; fast_pattern; pcre:"/^[0-9A-F]{16}$/R"; http.header; content:"|0d 0a|Upgrade|3a 20|websocket|0d 0a|Connection|3a 20|Upgrade|0d 0a|"; http.header_names; content:"|0d 0a|Host|0d 0a|Upgrade|0d 0a|Connection|0d 0a|Sec-WebSocket-Version|0d 0a|Sec-WebSocket-Key|0d 0a 0d 0a|"; reference:md5,977a264f70acf703333f298019c3abd4; classtype:command-and-control; sid:2028955; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_08, deployment Perimeter, former_category MALWARE, malware_family IcedID, performance_impact Moderate, signature_severity Major, updated_at 2019_11_08;)
 
-#alert udp $HOME_NET any -> $HOME_NET 7 (msg:"ET DELETED Ryuk Wake-on-LAN Packet Observed"; dsize:<200; content:"|ff ff ff ff ff ff|"; startswith; fast_pattern; pcre:"/^(?P<mac_addr>[\x00-\xff]{6})(?P=mac_addr){2,}$/R"; reference:url,www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/; classtype:command-and-control; sid:2028943; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_05, deployment Internal, former_category MALWARE, malware_family Ransomware, malware_family Ryuk, performance_impact Moderate, signature_severity Major, updated_at 2019_11_08;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AHK Downloader Request Structure"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/traff.php"; endswith; fast_pattern; http.user_agent; content:"AutoHotkey"; bsize:10; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Connection|0d 0a|Cache-Control|0d 0a|Host|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2028956; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_08, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Minor, tag Downloader, updated_at 2019_11_08;)
 
+#alert udp $HOME_NET any -> $HOME_NET 7 (msg:"ET DELETED Ryuk Wake-on-LAN Packet Observed"; dsize:<200; content:"|ff ff ff ff ff ff|"; startswith; fast_pattern; pcre:"/^(?P<mac_addr>[\x00-\xff]{6})(?P=mac_addr){2,}$/R"; reference:url,www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/; classtype:command-and-control; sid:2028943; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_05, deployment Internal, former_category MALWARE, malware_family Ransomware, malware_family Ryuk, performance_impact Moderate, signature_severity Major, updated_at 2019_11_08;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Platinum APT - Titanium Payload CnC Checkin (x86)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"confirm.gif?f=1"; endswith; fast_pattern; reference:url,securelist.com/titanium-the-platinum-group-strikes-again/94961/; classtype:command-and-control; sid:2028957; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, malware_family Titanium, performance_impact Low, signature_severity Major, tag PLATINUM, updated_at 2019_11_11;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Platinum APT - Titanium Payload CnC Checkin (x64)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"confirm.gif?f=2"; endswith; fast_pattern; reference:url,securelist.com/titanium-the-platinum-group-strikes-again/94961/; classtype:command-and-control; sid:2028958; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, malware_family Titanium, performance_impact Low, signature_severity Major, tag PLATINUM, updated_at 2019_11_11;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Platinum APT - Titanium Hardcoded String Observed"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"06xwsrdrub2i84n6map3li3vz3h9bh4vfgcw"; fast_pattern; reference:url,securelist.com/titanium-the-platinum-group-strikes-again/94961/; classtype:command-and-control; sid:2028960; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, malware_family Titanium, performance_impact Low, signature_severity Major, tag PLATINUM, updated_at 2019_11_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blue Bot DDoS Proxy Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/proxy"; fast_pattern; endswith; http.connection; content:"Keep-Alive"; bsize:10; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|"; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; content:!"Cache-Control"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021128; rev:4; metadata:created_at 2015_05_21, updated_at 2019_11_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blue Bot DDoS Proxy Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/proxy"; fast_pattern; endswith; http.connection; content:"Keep-Alive"; bsize:10; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|"; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; content:!"Cache-Control"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021128; rev:4; metadata:created_at 2015_05_21, updated_at 2022_05_03;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Bandook v1.35 Initial Connection and Report"; flow:established,to_server; flowbits:isnotset,BE.Bandook1.35; dsize:<200; content:"|cf 8f 80 9b 9a 9d cf|"; depth:7; content:"|20 26 26 26|"; distance:50; flowbits:set,BE.Bandook1.35; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:command-and-control; sid:2003555; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2019_11_13;)
 
@@ -28552,7 +28090,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CrownAdPro CnC Ac
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.BrowserStealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; pcre:"/^(?:-[0-9]+|[A-F0-9]{32})=1$/Rsi"; content:"=1"; endswith; http.request_body; content:"info|7c|"; startswith; fast_pattern; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; http.header_names; content:!"Referer"; reference:md5,32642964fff0c97179d75086f515f5fe; classtype:command-and-control; sid:2029146; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_12_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.BrowserStealer Data Exfil M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; pcre:"/^(?:-[0-9]+|[A-F0-9]{32})=1&type=zip$/Rsi"; content:"=1&type=zip"; endswith; fast_pattern; http.content_len; byte_test:0,>,800,0,string,dec; http.header_names; content:!"Referer"; reference:md5,32642964fff0c97179d75086f515f5fe; classtype:command-and-control; sid:2029148; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_12_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.BrowserStealer Data Exfil M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; pcre:"/^(?:-[0-9]+|[A-F0-9]{32})=1&type=zip$/Rsi"; content:"=1&type=zip"; endswith; fast_pattern; http.content_len; byte_test:0,>,800,0,string,dec; http.header_names; content:!"Referer"; reference:md5,32642964fff0c97179d75086f515f5fe; classtype:command-and-control; sid:2029148; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.BrowserStealer Data Exfil M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; pcre:"/^(?:-[0-9]+|[A-F0-9]{32})=1&type=filter$/Rsi"; content:"=1&type=filter"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:md5,32642964fff0c97179d75086f515f5fe; classtype:command-and-control; sid:2029149; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_12_13;)
 
@@ -28590,7 +28128,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Valak - Plu
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Possible XServer Backdoor Certificate Observed"; flow:established,to_server; content:"|16|"; depth:1; content:"|55 04 06|"; distance:0; content:"|02|US|31|"; distance:1; within:4; content:"|55 04 08|"; distance:0; content:"|02|BA|31|"; distance:1; within:4; content:"|55 04 0a|"; distance:0; content:"|04|Root|31|"; distance:1; within:6; content:"|55 04 0b|"; distance:0; content:"|04|Root|31|"; distance:1; within:6; fast_pattern; content:"|55 04 03|"; distance:0; content:"|04|Root|30|"; distance:1; within:6; reference:url,resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf; classtype:command-and-control; sid:2029190; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_23, deployment Perimeter, signature_severity Major, updated_at 2019_12_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (jssLoader CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=hidrofilms.com"; bsize:17; fast_pattern; reference:url,twitter.com/prsecurity_/status/1209710600994996224; classtype:domain-c2; sid:2029200; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_26, deployment Perimeter, former_category MALWARE, malware_family jssLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (jssLoader CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=hidrofilms.com"; bsize:17; fast_pattern; reference:url,twitter.com/prsecurity_/status/1209710600994996224; classtype:domain-c2; sid:2029200; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_26, deployment Perimeter, former_category MALWARE, malware_family jssLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BlackNET CnC Keep-Alive"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?command="; content:"&vicID="; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,16b2192fc64d1cc4347cc505234efbb7; classtype:command-and-control; sid:2029179; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_17, deployment Perimeter, former_category MALWARE, malware_family BlackNET, signature_severity Major, updated_at 2019_12_27;)
 
@@ -28602,9 +28140,7 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Upatre Cn
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DownloadAssistant.Q Variant Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:10; content:"/v2/events"; fast_pattern; http.request_body; pcre:"/^[A-F0-9]+$/"; http.header_names; bsize:50; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,0ec90cb6e0e3f8cd86d5d1d08f184e5f; classtype:pup-activity; sid:2029210; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_30, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2019_12_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DownloadAssistant.G Variant Error Report"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:13; content:"/1/dg/3/error"; http.request_body; content:"{|22|ApplicationName|22 3a 22|"; startswith; reference:md5,c48e6befa893cb771f0d7b6215240856; classtype:pup-activity; sid:2029211; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_30, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, tag PUP, updated_at 2019_12_30;)
-
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Netgear DGN1000/DGN2200 Unauthenticated Command Execution Inbound"; flow:established,to_server; content:"/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd="; depth:49; http_uri; reference:url,www.exploit-db.com/exploits/25978; classtype:attempted-admin; sid:2029214; rev:1; metadata:affected_product Netgear_Router, attack_target IoT, created_at 2019_12_31, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_01_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DownloadAssistant.G Variant Error Report"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:13; content:"/1/dg/3/error"; http.request_body; content:"{|22|ApplicationName|22 3a 22|"; startswith; reference:md5,c48e6befa893cb771f0d7b6215240856; classtype:pup-activity; sid:2029211; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_30, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, tag PUP, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ViSystem CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?hwid="; fast_pattern; content:"&pwd="; content:"&cc="; content:"&fz="; content:"&df="; content:"&wlt="; http.header_names; content:!"Referer"; reference:md5,9b0aa282698db89034d254076dd03e26; classtype:command-and-control; sid:2029212; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_31, deployment Perimeter, former_category MALWARE, malware_family ViSystem, signature_severity Major, updated_at 2019_12_31;)
 
@@ -28614,6 +28150,8 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Operation
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arechclient2 Backdoor CnC Checkin"; flow:established,to_server; content:"|7b 22 54 79 70 65 22 3a 22 43 6f 6e 6e 65 63 74 69 6f 6e 54 79 70 65 22 2c 22 43 6f 6e 6e 65 63 74 69 6f 6e 54 79 70 65 22 3a 22 43 6c 69 65 6e 74 22 2c 22 53 65 73 73 69 6f 6e 49 44 22 3a 22|"; fast_pattern; depth:80; content:"|22 2c 22 42 6f 74 4e 61 6d 65 22 3a 22|"; distance:0; content:"|22 2c 22 42 6f 74 4f 53 22 3a 22|"; distance:0; reference:md5,4ccba79d95dfd7d87b43643058e1cdd0; classtype:command-and-control; sid:2029218; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_02;)
 
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Netgear DGN1000/DGN2200 Unauthenticated Command Execution Inbound"; flow:established,to_server; content:"/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd="; depth:49; http_uri; reference:url,www.exploit-db.com/exploits/25978; classtype:attempted-admin; sid:2029214; rev:2; metadata:affected_product Netgear_Router, attack_target IoT, created_at 2019_12_31, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_01_03;)
+
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"googlo-analytics.com"; classtype:domain-c2; sid:2029225; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, signature_severity Major, updated_at 2020_01_06;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"googlc-analytics.net"; classtype:domain-c2; sid:2029228; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, signature_severity Major, updated_at 2020_01_06;)
@@ -28624,7 +28162,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Susp
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AstroBot CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; endswith; fast_pattern; http.request_body; content:"p="; startswith; content:"&id="; distance:0; isdataat:!20,relative; http.header_names; content:!"Referer"; reference:md5,3b6df3e900f8d0b757441fe682b91a3c; classtype:command-and-control; sid:2029233; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_07, deployment Perimeter, former_category MALWARE, malware_family AstroBot, signature_severity Major, updated_at 2020_01_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rarog Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"m="; startswith; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}&u=/Rsi"; content:"&v="; distance:0; content:"&p="; content:"&os="; content:"&os=Windows|20|"; fast_pattern; content:"&bit="; content:"&proc="; content:"&video="; content:"&av="; http.header_names; content:!"Referer"; reference:md5,4cb520ee89598a96a6df92caa8077faf; classtype:command-and-control; sid:2029235; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_08, deployment Perimeter, former_category MALWARE, malware_family rarog, signature_severity Major, updated_at 2020_01_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rarog Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"m="; startswith; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}&u=/Rsi"; content:"&v="; distance:0; content:"&p="; content:"&os="; content:"&os=Windows|20|"; fast_pattern; content:"&bit="; content:"&proc="; content:"&video="; content:"&av="; http.header_names; content:!"Referer"; reference:md5,4cb520ee89598a96a6df92caa8077faf; classtype:command-and-control; sid:2029235; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_08, deployment Perimeter, former_category MALWARE, malware_family rarog, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b 20|boundary=1BEF0A57BE110FD467A"; bsize:49; fast_pattern; http.request_body; content:".zip|22 0d 0a|"; content:"|0d 0a|PK"; distance:0; content:"screenshot.jpg"; distance:0; http.header_names; content:!"Referer"; reference:md5,6c8357280b50bb1808ec77b0292eb22b; classtype:command-and-control; sid:2029236; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_08, deployment Perimeter, former_category MALWARE, malware_family Oski, signature_severity Major, updated_at 2020_01_08;)
 
@@ -28632,13 +28170,15 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Magician/M461c14n
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Filecoder.NZK Variant"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?info=ID:__"; content:"__Key1:__"; distance:0; content:"__Key2:__"; distance:0; reference:md5,c7bbff934bd89ad39e98e2746c6e8af2; reference:url,twitter.com/GrujaRS/status/1214680560834162690; classtype:command-and-control; sid:2029240; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_01_08;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed HTTP Request to *.pythonanywhere .com Domain"; flow:established,to_server; http.host; content:".pythonanywhere.com"; endswith; fast_pattern; classtype:policy-violation; sid:2036456; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_01_08, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_11_11;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (whois .pconline .com .cn)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"whois.pconline.com.cn"; fast_pattern; classtype:external-ip-check; sid:2029243; rev:2; metadata:created_at 2020_01_09, former_category POLICY, performance_impact Low, updated_at 2020_01_09;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/TransparentTribe Style Request"; flow:established,to_server; http.uri; content:"|2f 50 30 75 72 57 61 31 74 33 5f 72 21 65 73 2f|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,77549b8211c05fdf9114b09d38e88d98; classtype:command-and-control; sid:2029241; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_09, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2020_01_09;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/TransparentTribe CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"=explorer!"; fast_pattern; content:"!!&"; distance:0; content:"!!&"; distance:0; content:"!!&"; distance:0; content:"!!&"; distance:0; content:"!!&"; distance:0; content:"=Microsoft+Windows+"; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,77549b8211c05fdf9114b09d38e88d98; classtype:command-and-control; sid:2029242; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_09, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2020_01_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=portofino.ug"; bsize:15; fast_pattern; reference:url,twitter.com/lazyactivist192/status/1214662422683885569; reference:md5,49a5cf0633b40d89b139ad3df85778c5; classtype:domain-c2; sid:2029245; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_01_09, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=portofino.ug"; bsize:15; fast_pattern; reference:url,twitter.com/lazyactivist192/status/1214662422683885569; reference:md5,49a5cf0633b40d89b139ad3df85778c5; classtype:domain-c2; sid:2029245; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns.query; content:"google-download.com"; nocase; bsize:19; reference:url,www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html; classtype:domain-c2; sid:2029246; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, former_category MALWARE, malware_family ursnif, malware_family SAIGON, signature_severity Major, updated_at 2020_01_10;)
 
@@ -28678,13 +28218,13 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerTrick downlo
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Possible PowerSploit/PowerView .ps1 Inbound"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"PowerSploit File|3a 20|PowerView.ps1"; within:200; fast_pattern; content:"function New-InMemoryModule"; distance:0; isdataat:5000,relative; classtype:trojan-activity; sid:2029275; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Certificate Containing Double Base64 Encoded Executable Inbound"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"-----BEGIN CERTIFICATE-----|0d 0a|"; depth:100; content:"GVYTjBaVzB"; distance:0; fast_pattern; isdataat:1000,relative; classtype:trojan-activity; sid:2029277; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Certificate Containing Double Base64 Encoded Executable Inbound"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"-----BEGIN CERTIFICATE-----|0d 0a|"; depth:100; content:"GVYTjBaVzB"; distance:0; fast_pattern; isdataat:1000,relative; classtype:trojan-activity; sid:2029277; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Certificate Containing Possible Base64 Encoded Powershell Inbound"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"-----BEGIN CERTIFICATE-----|0d 0a|JE"; depth:100; fast_pattern; isdataat:300,relative; classtype:trojan-activity; sid:2029278; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Certificate Base64 Encoded Executable Inbound"; flow:established,to_client; file.data; content:"-----BEGIN CERTIFICATE-----|0d 0a|TVqQ"; depth:100; fast_pattern; isdataat:1000,relative; classtype:trojan-activity; sid:2029280; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Certificate Base64 Encoded Executable Inbound"; flow:established,to_client; file.data; content:"-----BEGIN CERTIFICATE-----|0d 0a|TVqQ"; depth:100; fast_pattern; isdataat:1000,relative; classtype:trojan-activity; sid:2029280; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MillionLoader CnC Init Activity"; flow:established,to_server; dsize:16; content:"ggin|00 00 00 00 13 3e 00 00 00 00 00 00|"; startswith; endswith; reference:md5,957f3749d062e76f9cb1f05edf929168; classtype:command-and-control; sid:2029282; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_16, deployment Perimeter, former_category MALWARE, malware_family MillionLoader, signature_severity Major, updated_at 2020_01_16;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MillionLoader CnC Init Activity"; flow:established,to_server; dsize:16; content:"ggin|00 00 00 00 13 3e 00 00 00 00 00 00|"; startswith; endswith; reference:md5,957f3749d062e76f9cb1f05edf929168; classtype:command-and-control; sid:2029282; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_16, deployment Perimeter, former_category MALWARE, malware_family MillionLoader, signature_severity Major, updated_at 2022_05_03;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MillionLoader CnC Activity (Outbound)"; flow:established,to_server; content:"ggin|0b 00 00 00|"; startswith; reference:md5,957f3749d062e76f9cb1f05edf929168; classtype:command-and-control; sid:2029283; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_16, deployment Perimeter, former_category MALWARE, malware_family MillionLoader, signature_severity Major, updated_at 2020_01_16;)
 
@@ -28704,13 +28244,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Nemty Ra
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemty Ransomware Payment Page ID File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|userfile|22 3b 20|filename=|22|NEMTY_"; fast_pattern; reference:md5,227bd2d9b55951828ebaed09ea561311; classtype:trojan-activity; sid:2029292; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, tag Ransomware, updated_at 2020_01_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=borrdrillling.com"; bsize:20; fast_pattern; reference:md5,0407b500adcaafe09cc3280d6d02794f; classtype:domain-c2; sid:2029295; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_01_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=borrdrillling.com"; bsize:20; fast_pattern; reference:md5,0407b500adcaafe09cc3280d6d02794f; classtype:domain-c2; sid:2029295; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MilkyBoy CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Adzq41ceq52e353512hSfj"; fast_pattern; http.request_body; content:"key|3a|"; startswith; http.header_names; content:!"Referer"; reference:md5,a2f1df729688e1796aa11c426d197aeb; classtype:command-and-control; sid:2029293; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family MilkyBoy, signature_severity Major, updated_at 2020_01_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MilkyBoy CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Adzq41ceq52e353512hSfj"; fast_pattern; http.request_body; content:"key|3a|"; startswith; http.header_names; content:!"Referer"; reference:md5,a2f1df729688e1796aa11c426d197aeb; classtype:command-and-control; sid:2029293; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family MilkyBoy, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MilkyBoy CnC Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"python-requests/"; startswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|payload|22 3b 20|filename=|22|payload|22 0d 0a 0d 0a|PK"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,a2f1df729688e1796aa11c426d197aeb; classtype:command-and-control; sid:2029294; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family MilkyBoy, signature_severity Major, updated_at 2020_01_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=az.borrdrillling.com"; bsize:23; fast_pattern; reference:md5,7ad0081f61002bf67b852dc5d212f2e4; classtype:domain-c2; sid:2029296; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_01_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=az.borrdrillling.com"; bsize:23; fast_pattern; reference:md5,7ad0081f61002bf67b852dc5d212f2e4; classtype:domain-c2; sid:2029296; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns_query; content:"jqueryextplugin.com"; nocase; endswith; classtype:domain-c2; sid:2029300; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_22;)
 
@@ -28760,7 +28300,7 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti TL
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti DNS Lookup"; dns.query; content:".livehost.live"; nocase; isdataat:!1,relative; reference:url,www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/; classtype:targeted-activity; sid:2029346; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_31, deployment Perimeter, former_category MALWARE, malware_family Winnti, signature_severity Major, updated_at 2020_01_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Amadey Stealer CnC - BotKiller Module Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"BotKiller"; bsize:9; fast_pattern; http.request_body; content:"info=killStatus|3a|"; startswith; content:"|20|remStatus|3a|"; content:"|20|remDLLStatus|3a|"; content:"|20|clearIEStatus|3a|"; content:"|20|regResetStartup|3a|"; content:"|20|regDeleteCred|3a|"; http.header_names; content:!"Referer"; reference:md5,fbf2d69aa6ae5da73a5024f80c593f92; reference:url,fr3d.hk/blog/amadey-malware-default-crededentials; classtype:command-and-control; sid:2029341; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_31, deployment Perimeter, former_category MALWARE, malware_family Amadey, signature_severity Major, updated_at 2020_01_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Amadey Stealer CnC - BotKiller Module Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"BotKiller"; bsize:9; fast_pattern; http.request_body; content:"info=killStatus|3a|"; startswith; content:"|20|remStatus|3a|"; content:"|20|remDLLStatus|3a|"; content:"|20|clearIEStatus|3a|"; content:"|20|regResetStartup|3a|"; content:"|20|regDeleteCred|3a|"; http.header_names; content:!"Referer"; reference:md5,fbf2d69aa6ae5da73a5024f80c593f92; reference:url,fr3d.hk/blog/amadey-malware-default-crededentials; classtype:command-and-control; sid:2029341; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_31, deployment Perimeter, former_category MALWARE, malware_family Amadey, signature_severity Major, updated_at 2022_05_03;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV FakeAlert.Rena or similar Checkin Flowbit Set 2"; flow:established,to_server; content:".php?id="; http_uri; fast_pattern; pcre:"/^\d{2,4}$/UR"; http_start; content:" HTTP/1.1|0d 0a|User-Agent|3a| Mozilla"; content:"|0d 0a|Host|3a| "; within:100; content:"|0d 0a|Cache-Control|3a| no-cache|0d 0a 0d 0a|"; within:60; http_header_names; content:!"Accept"; flowbits:set,ET.fakealert.rena.n; flowbits:noalert; classtype:command-and-control; sid:2013419; rev:5; metadata:created_at 2011_08_18, former_category MALWARE, updated_at 2020_02_04;)
 
@@ -28828,7 +28368,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parallax CnC Activ
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M6"; flow:established,to_client; content:"|eb 7d df 9f|"; depth:4; fast_pattern; content:"|32 c3 8a|"; distance:1; within:3; flowbits:isset,ET.Parallax-6; reference:md5,7babfff27d7aee0ceec438080e034fa0; classtype:command-and-control; sid:2029353; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, signature_severity Major, updated_at 2020_02_05;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (Patchwork CnC)"; flow:established,to_client; tls.cert_subject; content:"C=CN, ST=neijing, O=Internet Widgits Pty Ltd, emailAddress=s"; bsize:60; fast_pattern; tls.cert_issuer; content:"C=CN, ST=neijing, O=Internet Widgits Pty Ltd, emailAddress=s"; bsize:60; reference:url,twitter.com/blackorbird/status/1225002203221393411; classtype:domain-c2; sid:2029394; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (Patchwork CnC)"; flow:established,to_client; tls.cert_subject; content:"C=CN, ST=neijing, O=Internet Widgits Pty Ltd, emailAddress=s"; bsize:60; fast_pattern; tls.cert_issuer; content:"C=CN, ST=neijing, O=Internet Widgits Pty Ltd, emailAddress=s"; bsize:60; reference:url,twitter.com/blackorbird/status/1225002203221393411; classtype:domain-c2; sid:2029394; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT34 TONEDEAF 2.0 Requesting Commands from CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dow?ser="; startswith; fast_pattern; pcre:"/^[a-z0-9]{6}$/RUi"; http.user_agent; content:"Windows|20|Phone|20|OS"; reference:md5,a0324fa4f2d9d2f04ea4edad41160da6; classtype:command-and-control; sid:2029382; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family TONEDEAF, performance_impact Low, signature_severity Major, updated_at 2020_02_06;)
 
@@ -28846,13 +28386,13 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patchwork Backdoo
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Topic EK Requesting PDF"; flow:established,to_server; content:".php?exp=lib"; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; distance:0; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:exploit-kit; sid:2016108; rev:4; metadata:created_at 2012_12_28, updated_at 2020_02_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Request (Stackoverflow Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/questions/32251816/c-sharp-directives-compilation-error"; endswith; fast_pattern; http.header_names; content:!"Referer"; content:"Cookie"; http.cookie; content:"prov="; startswith; content:"_ga=GA1.2.9924|3b|_gat=1|3b|__qca=P0-214459"; endswith; reference:url,github.com/xx0hcd/Malleable-C2-Profiles; classtype:command-and-control; sid:2029381; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Request (Stackoverflow Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/questions/32251816/c-sharp-directives-compilation-error"; endswith; fast_pattern; http.header_names; content:!"Referer"; content:"Cookie"; http.cookie; content:"prov="; startswith; content:"_ga=GA1.2.9924|3b|_gat=1|3b|__qca=P0-214459"; endswith; reference:url,github.com/xx0hcd/Malleable-C2-Profiles; classtype:command-and-control; sid:2029381; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Satan Cryptor GeoIP Lookup"; flow:established,to_server; content:"GET /json/ HTTP/1.1|0d 0a|Host|3a 20|extreme-ip-lookup.com|0d 0a|User-Agent|3a 20|Go-http-client/1.1|0d 0a|Accept-Encoding|3a 20|gzip|0d 0a 0d 0a|"; depth:107; isdataat:!1,relative; reference:md5,057aad993a3ef50f6b3ca2db37cb928a; classtype:trojan-activity; sid:2029399; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_07, deployment Perimeter, former_category MALWARE, malware_family Satan_Cryptor, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Emotet Wifi Bruter Module Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/230238982BSBYKDDH938473938HDUI33/index.php"; bsize:43; fast_pattern; http.request_body; content:"c="; startswith; content:"|3a|"; distance:0; http.header_names; content:!"Referer"; reference:url,www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader; classtype:command-and-control; sid:2029398; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_07, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2020_02_07;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (TinyNuke Variant CnC) 2020-02-09"; flow:established,to_client; tls.cert_subject; content:"C=US, CN=thoughtlibrary.top/L=new york/O=new york/OU=new york/ST=new york/emailAddress=admin@thoughtlibrary.top"; bsize:111; fast_pattern; reference:url,twitter.com/P3pperP0tts/status/1226493807061094406; classtype:domain-c2; sid:2029400; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_10, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (TinyNuke Variant CnC) 2020-02-09"; flow:established,to_client; tls.cert_subject; content:"C=US, CN=thoughtlibrary.top/L=new york/O=new york/OU=new york/ST=new york/emailAddress=admin@thoughtlibrary.top"; bsize:111; fast_pattern; reference:url,twitter.com/P3pperP0tts/status/1226493807061094406; classtype:domain-c2; sid:2029400; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit .homeip. Landing Page"; flow:established,to_server; urilen:>2; pcre:"/^\/[a-z]+\/$/U"; content:".homeip."; http_header; nocase; fast_pattern; http_request_line; content:"/ HTTP/1."; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015818; rev:5; metadata:created_at 2012_10_19, former_category EXPLOIT_KIT, updated_at 2020_02_10;)
 
@@ -28894,7 +28434,7 @@ alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE X2000M.Agent Checkin Jan 24 2017"; flow:established,to_server; http.user_agent; content:"v7v7v7v7v7v7v7v7v7v7v7v7"; startswith; reference:md5,4c3b84efe89e5f5cf3e17f1e1751e708; classtype:command-and-control; sid:2023764; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AgentTesla CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=effetka.com"; bsize:14; fast_pattern; reference:url,twitter.com/0xCARNAGE/status/1228109444883664896; classtype:domain-c2; sid:2029469; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AgentTesla CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=effetka.com"; bsize:14; fast_pattern; reference:url,twitter.com/0xCARNAGE/status/1228109444883664896; classtype:domain-c2; sid:2029469; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"indox.php?v="; fast_pattern; pcre:"/^(?:pe|pp|s)$/R"; http.user_agent; content:"Mozilla|2f|4|2e|0|20|(compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5)"; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf; classtype:command-and-control; sid:2029450; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2020_02_14;)
 
@@ -28916,7 +28456,7 @@ alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai User-Agent Obser
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sarwent Initial Checkin"; flow:established,to_server; flowbits:set,ET.sarwent.1; http.method; content:"GET"; http.uri; content:"/gate/test"; bsize:10; fast_pattern; http.user_agent; content:"Opera"; startswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Accept|0d 0a 0d 0a|"; classtype:command-and-control; sid:2029474; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_17, deployment Perimeter, former_category MALWARE, malware_family Sarwent, performance_impact Low, signature_severity Major, updated_at 2020_02_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=Adobe Reader/O=Adobe"; bsize:23; fast_pattern; tls.cert_issuer; content:"C=AU, ST=Some-State, L=City, O=Some Company"; bsize:43; reference:md5,e4224469bd75b63fa0cebd33c53b4d85; classtype:domain-c2; sid:2029491; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=Adobe Reader/O=Adobe"; bsize:23; fast_pattern; tls.cert_issuer; content:"C=AU, ST=Some-State, L=City, O=Some Company"; bsize:43; reference:md5,e4224469bd75b63fa0cebd33c53b4d85; classtype:domain-c2; sid:2029491; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible NK APT SLICKSHOES Host Checkin"; flow:established,to_server; content:"|41 00 70 00 6f 00 6c 00 6c 00 6f 00 5a 00 65 00 75 00 73 00|"; depth:20; fast_pattern; reference:md5,b57db76cc1c0175c4f18ea059d9e2ab2; reference:url,www.us-cert.gov/ncas/analysis-reports/ar20-045b; classtype:targeted-activity; sid:2029478; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_18;)
 
@@ -28984,8 +28524,6 @@ alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-02-21 3)"; flow:established,to_client; tls.cert_subject; content:"CN=doolised.xyz"; nocase; endswith; classtype:domain-c2; sid:2029527; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED HTTP GET Request on port 53 - Very Likely Hostile"; flow:established,to_server; content:"GET"; nocase; depth:4; content:!".newsinc.com"; reference:url,doc.emergingthreats.net/2008420; classtype:trojan-activity; sid:2008420; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_07_16;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent filled with System Details - GET Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"mac="; http_user_agent; depth:4; nocase; content:"&hdid="; distance:0; nocase; http_user_agent; content:"&wlid="; nocase; distance:0; http_user_agent; content:"&start="; nocase; distance:0; http_user_agent; content:"&os="; nocase; distance:0; http_user_agent; content:"&mem="; nocase; distance:0; http_user_agent; content:"&alive"; nocase; distance:0; http_user_agent; content:"&ver="; nocase; distance:0; http_user_agent; content:"&mode="; nocase; distance:0; http_user_agent; content:"&guid"; distance:0; http_user_agent; content:"&install="; nocase; distance:0; http_user_agent; content:"&auto="; nocase; distance:0; http_user_agent; content:"&serveid"; nocase; distance:0; http_user_agent; content:"&area="; nocase; distance:0; http_user_agent; reference:url,doc.emergingthreats.net/2009541; classtype:trojan-activity; sid:2009541; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_02_24;)
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=microsoft-ware.com"; nocase; endswith; classtype:domain-c2; sid:2029528; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_24, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
@@ -29502,7 +29040,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Mirai Variant
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Ursnif Encoded Payload Inbound"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|3d fa 61 3c 79 ee de ea 18 90 08 95 55 44 8d 41|"; depth:16; fast_pattern; reference:url,github.com/ptresearch/AttackDetection; classtype:trojan-activity; sid:2024837; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_12, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, updated_at 2020_04_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT [PTsecurity] Grandsoft EK Payload"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|96 08 FA EC DE C0 22 84 66 58 4A BC 2E|"; fast_pattern; reference:url,www.malware-traffic-analysis.net/2018/03/15/index3.html; classtype:exploit-kit; sid:2025437; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family GrandSoft_EK, signature_severity Major, updated_at 2020_05_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT [PTsecurity] Grandsoft EK Payload"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|96 08 FA EC DE C0 22 84 66 58 4A BC 2E|"; fast_pattern; reference:url,www.malware-traffic-analysis.net/2018/03/15/index3.html; classtype:exploit-kit; sid:2025437; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family GrandSoft_EK, signature_severity Major, updated_at 2022_05_03;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSG - Data Exfiltration via DNS"; content:"|00 00 13 00 01|"; endswith; fast_pattern; dns.query; content:".com"; endswith; pcre:"/^[A-Za-z0-9\-_\.]{20,80}\.[a-z]{2}\d{2}\.com$/"; threshold: type limit, count 1, seconds 60, track by_src; classtype:command-and-control; sid:2028631; rev:2; metadata:attack_target Client_and_Server, created_at 2019_09_19, deployment Perimeter, deployment Internal, former_category MALWARE, performance_impact Low, signature_severity Major, tag DNS_tunneling, updated_at 2020_04_15;)
 
@@ -29528,7 +29066,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Zebrocy
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check (ip. jsontest .com)"; flow:to_server,established; http.host; content:"ip.jsontest.com"; bsize:15; classtype:external-ip-check; sid:2029923; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_16, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_04_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CONFUCIUS_B CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".php"; http.request_body; content:"arch=x"; depth:6; content:"&computer%5fname="; distance:0; nocase; fast_pattern; content:"&guid="; distance:0; content:"&ip="; distance:0; content:"&os="; distance:0; content:"&tracking%5ftoken="; distance:0; nocase; content:"&version="; distance:0; http.header_names; content:!"Referer"; content:!"Accept-"; reference:url,www.researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/; reference:md5,2d2fe787b2728332341166938a25fa26; classtype:command-and-control; sid:2029924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_16, deployment Perimeter, former_category TROJAN, malware_family CONFUCIUS_B, signature_severity Major, updated_at 2020_04_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CONFUCIUS_B CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".php"; http.request_body; content:"arch=x"; depth:6; content:"&computer%5fname="; distance:0; nocase; fast_pattern; content:"&guid="; distance:0; content:"&ip="; distance:0; content:"&os="; distance:0; content:"&tracking%5ftoken="; distance:0; nocase; content:"&version="; distance:0; http.header_names; content:!"Referer"; content:!"Accept-"; reference:url,www.researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/; reference:md5,2d2fe787b2728332341166938a25fa26; classtype:command-and-control; sid:2029924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_16, deployment Perimeter, former_category TROJAN, malware_family CONFUCIUS_B, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CONFUCIUS_B External IP Check to CnC M2"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/2.php"; fast_pattern; http.content_len; content:"0"; bsize:1; http.header_names; content:!"Referer"; content:!"Accept-"; reference:url,www.researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/; reference:md5,2d2fe787b2728332341166938a25fa26; classtype:trojan-activity; sid:2029925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_16, deployment Perimeter, former_category TROJAN, malware_family CONFUCIUS_B, signature_severity Major, updated_at 2022_04_18;)
 
@@ -30014,7 +29552,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CiscoWo
 
 alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Targeted Activity - CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"dellgenius.hopto.org"; endswith; reference:md5,bedf648063aa10ea2810b2f6b9601326; classtype:domain-c2; sid:2029952; rev:1; metadata:created_at 2020_04_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SepSys/SepSystem Ransomware Style External IP Address Check"; flow:established,to_server; http.start; content:"GET|20|/|20|HTTP/1.1|0d 0a|Host|3a 20|www.myip.ch|0d 0a|Accept|3a 20|*/*|0d 0a|"; bsize:50; fast_pattern; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:md5,c596d787d0848722d393a4a5945b3e15; classtype:trojan-activity; sid:2029933; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category MALWARE, malware_family Sepsys, signature_severity Major, tag Ransomware, updated_at 2020_04_20, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Various Ransomware/Stealer Style External IP Address Check (myip .ch)"; flow:established,to_server; http.start; content:"GET|20|/|20|HTTP/1.1|0d 0a|Host|3a 20|www.myip.ch|0d 0a|Accept|3a 20|*/*|0d 0a|"; bsize:50; fast_pattern; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:md5,c596d787d0848722d393a4a5945b3e15; classtype:trojan-activity; sid:2029933; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category MALWARE, malware_family Sepsys, signature_severity Major, tag Ransomware, updated_at 2020_04_20, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PoetRAT Domain (dellgenius .hoptop .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"dellgenius.hoptop.org"; bsize:21; reference:url,blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html; classtype:domain-c2; sid:2029975; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_20;)
 
@@ -30284,8 +29822,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Go
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Google Music Streaming"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stream?id="; http.header; content:"googleusercontent.com|0d 0a|"; reference:url,music.google.com/about; classtype:policy-violation; sid:2012935; rev:7; metadata:created_at 2011_06_06, updated_at 2020_04_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Suspicious *.cu.cc domain"; flow:to_server,established; http.header; content:".cu.cc|0d 0a|"; fast_pattern; classtype:bad-unknown; sid:2013242; rev:4; metadata:created_at 2011_07_09, former_category HUNTING, updated_at 2021_06_23;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; http.uri; content:"?id="; content:"&time="; content:"&imei="; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012863; rev:4; metadata:created_at 2011_05_26, updated_at 2020_04_20;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Spambot (often Tibs) Post-Infection Checkin (justcount.net likely)"; flow:established,to_server; http.uri; content:"/t/d2hsdWF3OzJ0OHY5Oj0,cyJtI"; reference:url,doc.emergingthreats.net/2008232; classtype:command-and-control; sid:2008232; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_20;)
@@ -30578,8 +30114,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gootkit Checkin U
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gootkit Scanner User-Agent Outbound"; flow:established,to_server; http.header; content:"Gootkit auto-rooter scanner"; classtype:web-application-attack; sid:2014023; rev:3; metadata:created_at 2011_12_13, former_category MALWARE, updated_at 2020_04_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Scalaxy exploit kit binary download request"; flow:established,to_server; urilen:37; http.uri; content:"/"; offset:2; depth:3; content:"/"; within:3; pcre:"/\/[a-z]\/[0-9]\/[0-9a-f]{32}$/"; classtype:exploit-kit; sid:2014026; rev:2; metadata:created_at 2011_12_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GridinSoft.com Software Version Check"; flow:established,to_server; http.header; content:"User-Agent|3A 20|GridinSoft"; classtype:trojan-activity; sid:2013719; rev:4; metadata:created_at 2011_10_01, updated_at 2020_04_20;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kazy User-Agent (Windows NT 5.1 \; v.) space infront of semi-colon"; flow:established,to_server; http.header; content:"User-Agent|3A 20|Mozilla/5.0|20 28|Windows NT 5.1|20 3B 20|v|2E|"; fast_pattern; classtype:trojan-activity; sid:2014001; rev:5; metadata:created_at 2011_12_08, former_category USER_AGENTS, updated_at 2020_04_20;)
@@ -30614,7 +30148,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jbS
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jbshop/jbshop.php?"; nocase; content:"item_details="; nocase; content:"item_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014076; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jbshop/jbshop.php?"; nocase; content:"item_details="; nocase; content:"item_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014077; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jbshop/jbshop.php?"; nocase; content:"item_details="; nocase; content:"item_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014077; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jbshop/jbshop.php?"; nocase; content:"item_details="; nocase; content:"item_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014078; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
@@ -31084,11 +30618,11 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER DELETE at
 
 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT IBM Data Risk Manager Authentication Bypass - Password Retrieval"; flow:established,to_server; xbits:isset,ET.IBMDRM1,track ip_dst; http.method; content:"POST"; http.uri; bsize:21; content:"/albatross/user/login"; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|"; startswith; http.request_body; content:"name=|22|username|22 0d 0a|"; content:"name=|22|clientDetails|22 0d 0a|"; content:"name=|22|password|22 0d 0a|"; content:"name=|22|sessionId|22 0d 0a|"; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:attempted-admin; sid:2029987; rev:2; metadata:attack_target Server, created_at 2020_04_21, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Dynamic DNS Exploit Pack Landing Page /de/sN"; flow:established,to_server; urilen:6; flowbits:set,et.exploitkitlanding; http.uri; content:"/de/s"; depth:5; classtype:exploit-kit; sid:2014446; rev:3; metadata:created_at 2012_03_31, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Dynamic DNS Exploit Pack Landing Page /de/sN"; flow:established,to_server; urilen:6; flowbits:set,et.exploitkitlanding; http.uri; content:"/de/s"; depth:5; classtype:exploit-kit; sid:2014446; rev:3; metadata:created_at 2012_03_31, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Dynamic Dns Exploit Pack Java exploit"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"/de/"; depth:4; content:".jar"; distance:32; within:4; classtype:exploit-kit; sid:2014447; rev:7; metadata:created_at 2012_03_31, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Dynamic Dns Exploit Pack Java exploit"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"/de/"; depth:4; content:".jar"; distance:32; within:4; classtype:exploit-kit; sid:2014447; rev:7; metadata:created_at 2012_03_31, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Event Calendar PHP cal_year Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/demo_eventcalendar.php?"; nocase; content:"cal_id="; nocase; content:"cal_month="; nocase; content:"cal_year="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/111161/Event-Calendar-PHP-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014449; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_04_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Event Calendar PHP cal_year Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/demo_eventcalendar.php?"; nocase; content:"cal_id="; nocase; content:"cal_month="; nocase; content:"cal_year="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/111161/Event-Calendar-PHP-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014449; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_04_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (tcp)"; flow:established,from_client; urilen:8; content:"|13|QVOD protocol|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; http.method; content:"POST"; http.uri; content:"/service"; classtype:policy-violation; sid:2014459; rev:3; metadata:created_at 2012_04_03, updated_at 2020_04_21;)
 
@@ -31192,7 +30726,7 @@ alert http $HOME_NET any -> $HOME_NET any (msg:"ET POLICY Dlink Soho Router Conf
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito Exploit Kit PDF request to images.php?t=81118"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"/images.php?t=81118"; classtype:exploit-kit; sid:2014639; rev:3; metadata:created_at 2012_04_26, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_videogallery controller parameter Local File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_videogallery"; nocase; content:"controller="; nocase; http.uri.raw; content:"|2e 2e 2f|"; reference:url,packetstormsecurity.org/files/112161/Joomla-Video-Gallery-Local-File-Inclusion-SQL-Injection.html; classtype:web-application-attack; sid:2014654; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_04_28, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_videogallery controller parameter Local File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_videogallery"; nocase; content:"controller="; nocase; http.uri.raw; content:"|2e 2e 2f|"; reference:url,packetstormsecurity.org/files/112161/Joomla-Video-Gallery-Local-File-Inclusion-SQL-Injection.html; classtype:web-application-attack; sid:2014654; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_04_28, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_some controller Parameter Local File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_some"; nocase; content:"controller="; nocase; http.uri.raw; content:"|2e 2e 2f|"; reference:url,packetstormsecurity.org/files/108906/Joomla-Some-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014655; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_04_28, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
@@ -31242,7 +30776,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.VB.TX/
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress LeagueManager plugin group parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=leaguemanager"; nocase; content:"subpage="; nocase; content:"league_id="; nocase; content:"group="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112698/WordPress-LeagueManager-3.7-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014812; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_25, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress LeagueManager plugin season parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=leaguemanager"; nocase; content:"subpage="; nocase; content:"edit="; nocase; content:"season="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112698/WordPress-LeagueManager-3.7-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014813; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_25, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress LeagueManager plugin season parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=leaguemanager"; nocase; content:"subpage="; nocase; content:"edit="; nocase; content:"season="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112698/WordPress-LeagueManager-3.7-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014813; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_25, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component JE Story Submit view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_jesubmit"; nocase; content:"view="; nocase; reference:url,packetstormsecurity.org/files/103214/Joomla-JE-K2-Story-Submit-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014814; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_05_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
@@ -31252,7 +30786,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Req
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ez-dns.com Domain"; flow:established,to_server; http.host; content:".ez-dns.com"; endswith; classtype:bad-unknown; sid:2013846; rev:4; metadata:created_at 2011_11_05, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-web.com Domain"; flow:to_server,established; http.host; content:".dyndns-web.com"; endswith; classtype:bad-unknown; sid:2013864; rev:4; metadata:created_at 2011_11_07, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-web.com Domain"; flow:to_server,established; http.host; content:".dyndns-web.com"; endswith; classtype:bad-unknown; sid:2013864; rev:4; metadata:created_at 2011_11_07, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Renos.Downloader User Agent zeroup"; flow:established,to_server; http.header; content:"User-Agent|3A 20|zeroup"; reference:url,www.f-secure.com/v-descs/trojan_w32_renos_h.shtml; reference:md5,35ba53f6aeb6b38c1107018f271189af; classtype:trojan-activity; sid:2014817; rev:3; metadata:created_at 2012_05_25, former_category USER_AGENTS, updated_at 2020_04_21;)
 
@@ -31350,7 +30884,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WindowsEnterprise
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yahoo550.com Related Downloader/Trojan Checkin"; flow:established,to_server; http.uri; content:"/image/logo.jpg?queryid="; pcre:"/^\d+$/R"; reference:url,doc.emergingthreats.net/2008049; classtype:command-and-control; sid:2008049; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"board["; fast_pattern; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005570; classtype:web-application-attack; sid:2005570; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"board["; fast_pattern; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005570; classtype:web-application-attack; sid:2005570; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY DynDNS CheckIp External IP Address Server Response"; flow:established,to_client; http.header; content:"Server|3A 20|DynDNS-CheckIP/"; classtype:external-ip-check; sid:2014932; rev:3; metadata:created_at 2012_06_22, updated_at 2020_04_21;)
 
@@ -31468,7 +31002,7 @@ alert dns $HOME_NET any -> any any (msg:"ET HUNTING Suspicious NULL DNS Request"
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin title parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php?"; fast_pattern; nocase; content:"title="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,secunia.com/advisories/43652; classtype:web-application-attack; sid:2013310; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_07_23, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id INSERT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"gruppe_id="; fast_pattern; distance:0; nocase; content:"INSERT"; distance:0; nocase; content:"INTO"; distance:0; nocase; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006959; classtype:web-application-attack; sid:2006959; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id INSERT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"gruppe_id="; fast_pattern; distance:0; nocase; content:"INSERT"; distance:0; nocase; content:"INTO"; distance:0; nocase; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006959; classtype:web-application-attack; sid:2006959; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"AlphaSort="; fast_pattern; distance:0; nocase; content:"UNION"; nocase; distance:0; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007266; classtype:web-application-attack; sid:2007266; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_22;)
 
@@ -31614,7 +31148,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER viewcode
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; http.uri.raw; content:"/..%c1%9c../"; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100983; rev:20; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL WEB_SERVER 403 Forbidden"; flow:from_server,established; http.stat_code; content:"403"; classtype:attempted-recon; sid:2101201; rev:11; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL WEB_SERVER 403 Forbidden"; flow:from_server,established; http.stat_code; content:"403"; classtype:attempted-recon; sid:2101201; rev:11; metadata:created_at 2010_09_23, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Backdoor reDuh http initiate"; flow:to_server,established; http.uri; content:"?action=checkPort&port="; http.user_agent; content:"Java/"; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011667; classtype:trojan-activity; sid:2011667; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
@@ -31626,7 +31160,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat admin-blank l
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY iTunes User Agent"; flow:established,to_server; threshold: type limit, count 1, seconds 360, track by_src; http.user_agent; content:"iTunes"; nocase; depth:6; reference:url,hcsoftware.sourceforge.net/jason-rohrer/itms4all/; reference:url,doc.emergingthreats.net/2002878; classtype:policy-violation; sid:2002878; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Skype User-Agent detected"; flow:to_server,established; http.user_agent; content:"Skype"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:12; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Skype User-Agent detected"; flow:to_server,established; http.user_agent; content:"Skype"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:12; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Norton Update User-Agent (Install Stub)"; flow:to_server,established; http.host; content:"stats.norton.com"; endswith; http.user_agent; content:"Install Stub"; depth:12; reference:url,threatexpert.com/reports.aspx?find=stats.norton.com; classtype:trojan-activity; sid:2013882; rev:6; metadata:created_at 2011_11_08, updated_at 2020_04_22;)
 
@@ -31650,8 +31184,6 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY ApacheBenchmar
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Carbonite.com Backup Software User-Agent (Carbonite Installer)"; flow:established,to_server; http.user_agent; content:"Carbonite Installer"; nocase; depth:19; reference:url,doc.emergingthreats.net/2009801; classtype:policy-violation; sid:2009801; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Java Exploit Kit cc exploit progress status cookie"; flow:established,to_server; http.header.raw; content:"|0d 0a|Cookie|3a|"; content:"%3D|3b 20|cc2="; distance:0; content:"%3D|3b 20|cc3="; content:"%3D|3b 20|cc4="; content:"|20|Java/"; classtype:exploit-kit; sid:2013695; rev:5; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"; flow:to_server,established; http.user_agent; content:"Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; nocase; depth:46; reference:url,doc.emergingthreats.net/2009358; classtype:web-application-attack; sid:2009358; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Brutus Scan Outbound"; flow:established,to_server; http.user_agent; content:"Brutus/AET"; classtype:attempted-recon; sid:2015702; rev:4; metadata:created_at 2012_09_17, updated_at 2020_04_22;)
@@ -31672,13 +31204,13 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ZmEu exploit scanner
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BingBar ToolBar User-Agent (BingBar)"; flow:established,to_server; http.user_agent; content:"BingBar"; depth:7; classtype:policy-violation; sid:2013715; rev:5; metadata:created_at 2011_10_01, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - Served Attached HTTP"; flow:to_client,established; http.header; content:"Content-Disposition"; nocase; content:"attachment"; nocase; file.data; content:"MZ"; within:2; classtype:misc-activity; sid:2014520; rev:7; metadata:created_at 2012_04_06, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - Served Attached HTTP"; flow:to_client,established; http.header; content:"Content-Disposition"; nocase; content:"attachment"; nocase; file.data; content:"MZ"; within:2; classtype:misc-activity; sid:2014520; rev:7; metadata:created_at 2012_04_06, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura exploit kit exploit download request /nano.php"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"/nano.php?x="; classtype:exploit-kit; sid:2015734; rev:4; metadata:created_at 2012_09_25, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows Mobile 7.0 User-Agent detected"; flow:to_server,established; http.user_agent; content:"ZDM/4.0|3B| Windows Mobile 7.0|3B|"; depth:28; classtype:not-suspicious; sid:2013784; rev:7; metadata:created_at 2011_10_20, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Jembot PHP Webshell (system command)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php"; nocase; content:"empix="; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014614; rev:3; metadata:created_at 2012_04_18, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Jembot PHP Webshell (system command)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php"; nocase; content:"empix="; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014614; rev:3; metadata:created_at 2012_04_18, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management"; flow:established,to_server; http.user_agent; content:"APT-HTTP|2F|"; reference:url,help.ubuntu.com/community/AptGet/Howto; classtype:not-suspicious; sid:2013504; rev:6; metadata:created_at 2011_08_31, former_category POLICY, updated_at 2020_04_22;)
 
@@ -31770,9 +31302,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit - Pote
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Necurs"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/iis/host.aspx"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; http.content_type; content:"application/octet-stream"; reference:md5,871ecf11ddd7ffe294cab82bcaf9c310; reference:url,blogs.technet.com/b/mmpc/archive/2012/12/06/unexpected-reboot-necurs.aspx; classtype:trojan-activity; sid:2016000; rev:3; metadata:created_at 2012_12_08, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PRADO PHP Framework functional_tests.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; nocase; http.uri; content:"/tests/test_tools/functional_tests.php?"; nocase; content:"sr="; nocase; reference:url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html; classtype:web-application-attack; sid:2016006; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PRADO PHP Framework functional_tests.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; nocase; http.uri; content:"/tests/test_tools/functional_tests.php?"; nocase; content:"sr="; nocase; reference:url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html; classtype:web-application-attack; sid:2016006; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PRADO PHP Framework functional.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; nocase; http.uri; content:"/demos/time-tracker/tests/functional.php?"; nocase; content:"sr="; nocase; reference:url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html; classtype:web-application-attack; sid:2016007; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PRADO PHP Framework functional.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; nocase; http.uri; content:"/demos/time-tracker/tests/functional.php?"; nocase; content:"sr="; nocase; reference:url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html; classtype:web-application-attack; sid:2016007; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Nagios XI Network Monitor - OS Command Injection"; flow:to_server,established; http.uri; content:"/nagiosxi/includes/components/graphexplorer/visApi.php?"; pcre:"/(?:\?|&)(?:host|service|opt|end|start)=[^&]+?\x60.+?\x60/i"; reference:url,exchange.nagios.org/directory/Addons/Components/Graph-Explorer-Component/details; classtype:attempted-user; sid:2016015; rev:4; metadata:created_at 2012_12_04, updated_at 2020_04_22;)
 
@@ -31888,8 +31420,6 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wor
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dell OpenManage Server Administrator topic parameter XSS Attempt"; flow:established,to_server; http.uri; content:"/help/sm/en/Output/wwhelp/wwhimpl/js/html/index_main.htm?"; nocase; content:"topic="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,kb.cert.org/vuls/id/950172; classtype:web-application-attack; sid:2016196; rev:4; metadata:created_at 2013_01_12, updated_at 2020_04_22;)
 
-#alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"T8hlGOo9"; fast_pattern; content:"OKl2N"; pcre:"/^(?:\\r\\n|\x0d\x0a)C/R"; content:"AAAAAAAA"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030007; rev:1; metadata:attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_05_01;)
-
 alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; pcre:"/(?:\x0a|\\n)\/s1Caa6/"; content:"J1Ls9RWH"; fast_pattern; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030009; rev:1; metadata:attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_04_23;)
 
 alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"://44449"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030010; rev:1; metadata:attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_04_23;)
@@ -32074,7 +31604,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Adobe PDF Zero Da
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Adobe PDF Zero Day Trojan.666 Payload libarhlp32.dll Second Stage Download POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php"; http.request_body; content:"lbarhlp32.blb"; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016409; rev:4; metadata:created_at 2013_02_15, former_category CURRENT_EVENTS, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likseput.B Checkin"; flow:established,to_server; http.header; pcre:"/User-Agent\x3a[^\r\n]+[^\x20]\x3bTrident\/4\.0\x29\s\d{2}\x3a\d{2}\s\r$/mi"; http.user_agent; content:"|3b|Trident/4.0 "; fast_pattern; reference:md5,95d85aa629a786bb67439a064c4349ec; classtype:command-and-control; sid:2016432; rev:5; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likseput.B Checkin"; flow:established,to_server; http.header; pcre:"/User-Agent\x3a[^\r\n]+[^\x20]\x3bTrident\/4\.0\x29\s\d{2}\x3a\d{2}\s\r$/mi"; http.user_agent; content:"|3b|Trident/4.0 "; fast_pattern; reference:md5,95d85aa629a786bb67439a064c4349ec; classtype:command-and-control; sid:2016432; rev:5; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SEASALT HTTP Checkin"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.00|3b 20|Windows 98) KSMM"; fast_pattern; bsize:52; reference:md5,5e0df5b28a349d46ac8cc7d9e5e61a96; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016440; rev:3; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_04_23;)
 
@@ -32214,7 +31744,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible W
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Wordpress Super Cache Plugin PHP Injection dynamic-cached-content"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"comment"; nocase; content:"dynamic-cached-content"; fast_pattern; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?dynamic-cached-content/i"; classtype:attempted-user; sid:2016790; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_04_26, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 8880 (msg:"ET WEB_SERVER Plesk Panel Possible HTTP_AUTH_LOGIN SQLi CVE-2012-1557"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/enterprise/control/agent.php"; http.header; content:"HTTP_AUTH_LOGIN|3a|"; pcre:"/^[^\r\n]*?[\x27\x22\t\\%\x00\x08\x26]/R"; reference:cve,CVE-2012-1557; classtype:attempted-user; sid:2016792; rev:4; metadata:created_at 2013_04_27, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET 8880 (msg:"ET WEB_SERVER Plesk Panel Possible HTTP_AUTH_LOGIN SQLi CVE-2012-1557"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/enterprise/control/agent.php"; http.header; content:"HTTP_AUTH_LOGIN|3a|"; pcre:"/^[^\r\n]*?[\x27\x22\t\\%\x00\x08\x26]/R"; reference:cve,CVE-2012-1557; classtype:attempted-user; sid:2016792; rev:4; metadata:created_at 2013_04_27, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV FakeSmoke HTTP POST check-in"; flow:established,to_server; http.method; content:"POST"; nocase; http.header_names; content:!"User-Agent|0d 0a|"; nocase; content:!"Referer|0d 0a|"; nocase; http.request_body; content:"current_version="; pcre:"/^[a-z0-9]{196}/Ri"; reference:url,isc.sans.org/diary.html?storyid=7768; reference:url,doc.emergingthreats.net/2010512; classtype:trojan-activity; sid:2010512; rev:10; metadata:created_at 2010_07_30, updated_at 2020_04_24;)
 
@@ -32252,11 +31782,11 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tosct.B UA
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/\/[a-z]\/$/Ui"; http.user_agent; content:"(compatible|3b|"; content:"|20|MSIE|20|"; distance:0; content:"(Compatible|3b|"; fast_pattern; distance:0; classtype:command-and-control; sid:2016829; rev:4; metadata:created_at 2013_05_07, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyposit Ransomware Checkin 1"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/ad"; depth:3; pcre:"/^\/ad[^\x2f]*?\/\?[a-z]{1,5}\x3d\x2e?[a-z0-9]+?$/i"; http.user_agent; content:"Microsoft BITS/"; depth:15; classtype:command-and-control; sid:2015957; rev:8; metadata:attack_target Client_Endpoint, created_at 2012_11_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_04_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyposit Ransomware Checkin 1"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/ad"; depth:3; pcre:"/^\/ad[^\x2f]*?\/\?[a-z]{1,5}\x3d\x2e?[a-z0-9]+?$/i"; http.user_agent; content:"Microsoft BITS/"; depth:15; classtype:command-and-control; sid:2015957; rev:8; metadata:attack_target Client_Endpoint, created_at 2012_11_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_05_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger.acqh User-Agent(EMSFRTCBVD)"; flow:established,to_server; http.user_agent; content:"EMSFRTCBVD"; depth:10; reference:md5,0e9e46d068fea834e12b2226cc8969fd; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016865; rev:3; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 0 User-Agent"; flow:established,to_server; http.user_agent; content:"Windows NT 0"; nocase; classtype:trojan-activity; sid:2016880; rev:7; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 0 User-Agent"; flow:established,to_server; http.user_agent; content:"Windows NT 0"; nocase; classtype:trojan-activity; sid:2016880; rev:7; metadata:created_at 2013_05_21, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(DSMBVCTFRE)"; flow:established,to_server; http.user_agent; content:"DSMBVCTFRE"; nocase; depth:10; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016882; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
@@ -32316,7 +31846,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tibs Checkin"; fl
 
 alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE Possible Win32.Bicololo Checkin"; flow:established,to_server; flowbits:set,ET.Bicololo.Request; http.method; content:"GET"; http.uri; content:"/stat/"; nocase; pcre:"/^[a-z]{3,4}\/\d{1,4}$/R"; reference:md5,252c95327ce556a21bdd7e9a322e206c; reference:url,www.virusradar.com/Win32_Bicololo.A/description; classtype:command-and-control; sid:2016946; rev:4; metadata:created_at 2013_05_31, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Backdoor.Linux.Tsunami Outbound HTTP request"; flow:established,to_server; http.header; content:"|3a|80|0d 0a|"; http.user_agent; content:"Mozilla/4.75 [en] (X11|3b| U|3b| Linux 2.2.16-3 i686)"; reference:url,malwaremustdie.blogspot.jp/2013/05/story-of-unix-trojan-tsunami-ircbot-w.html; classtype:trojan-activity; sid:2016949; rev:4; metadata:created_at 2013_05_31, updated_at 2020_04_24;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Backdoor.Linux.Tsunami Outbound HTTP request"; flow:established,to_server; http.header; content:"|3a|80|0d 0a|"; http.user_agent; content:"Mozilla/4.75 [en] (X11|3b| U|3b| Linux 2.2.16-3 i686)"; reference:url,malwaremustdie.blogspot.jp/2013/05/story-of-unix-trojan-tsunami-ircbot-w.html; classtype:trojan-activity; sid:2016949; rev:4; metadata:created_at 2013_05_31, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec In URI"; flow:to_server,established; http.uri; content:"java.lang.Runtime@getRuntime().exec("; nocase; classtype:attempted-user; sid:2016953; rev:4; metadata:created_at 2013_05_31, updated_at 2020_04_24;)
 
@@ -32346,7 +31876,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell G
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious user agent (Google page)"; flow:to_server,established; http.header; content:"User-Agent|3a 20|Google page"; classtype:trojan-activity; sid:2017067; rev:6; metadata:created_at 2011_05_31, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alina Checkin"; flow: established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php"; http.user_agent; content:"Alina v"; http.request_body; content:"act="; content:"&b="; content:"&c="; content:"&v="; reference:url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html; classtype:command-and-control; sid:2016837; rev:7; metadata:created_at 2013_05_09, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alina Checkin"; flow: established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php"; http.user_agent; content:"Alina v"; http.request_body; content:"act="; content:"&b="; content:"&c="; content:"&v="; reference:url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html; classtype:command-and-control; sid:2016837; rev:7; metadata:created_at 2013_05_09, former_category MALWARE, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alina User-Agent(Alina)"; flow: established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Alina v"; depth:7; nocase; reference:url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html; classtype:trojan-activity; sid:2016838; rev:6; metadata:created_at 2013_05_09, updated_at 2020_04_24;)
 
@@ -32386,11 +31916,11 @@ alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE VBulletin Bac
 
 alert http any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Non-Local Burp Proxy Error"; flow:established,to_client; http.stat_code; content:"502"; http.stat_msg; content:"Bad gateway"; file.data; content:"Burp proxy error|3A 20|"; within:18; reference:url,portswigger.net/burp/proxy.html; classtype:successful-admin; sid:2017148; rev:4; metadata:created_at 2013_07_16, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ProtocolGW/protocol/"; nocase; pcre:"/(?:(?:command(?:statu)?|bookmark|shortcut)s|h(?:omepage|istory)|eula(?:status)?|installation|activate|dumplog)/i"; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013042; rev:7; metadata:created_at 2011_06_16, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ProtocolGW/protocol/"; nocase; pcre:"/(?:(?:command(?:statu)?|bookmark|shortcut)s|h(?:omepage|istory)|eula(?:status)?|installation|activate|dumplog)/i"; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013042; rev:7; metadata:created_at 2011_06_16, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE signed-unsigned integer mismatch code-verification bypass"; flow:from_server,established; http.stat_code; content:"200"; http.stat_msg; content:"OK"; file.data; content:"PK"; depth:2; content:"|FD FF|"; distance:26; within:2; content:".dex"; nocase; within:128; reference:url,sophos.com/2013/07/17/anatomy-of-another-android-hole-chinese-researchers-claim-new-code-verification-bypass/; classtype:trojan-activity; sid:2017163; rev:3; metadata:created_at 2013_07_17, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Unknown - Java Request  - gt 60char hex-ascii"; flow:established,to_server; urilen:>60; http.uri; pcre:"/[\/\?][a-z0-9]{60,66}[\;0-9]/i"; http.user_agent; content:"Java/1."; fast_pattern; content:"Mozilla"; depth:7; classtype:trojan-activity; sid:2014912; rev:7; metadata:created_at 2012_06_16, former_category CURRENT_EVENTS, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Unknown - Java Request  - gt 60char hex-ascii"; flow:established,to_server; urilen:>60; http.uri; pcre:"/[\/\?][a-z0-9]{60,66}[\;0-9]/i"; http.user_agent; content:"Java/1."; fast_pattern; content:"Mozilla"; depth:7; classtype:trojan-activity; sid:2014912; rev:7; metadata:created_at 2012_06_16, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Watering Hole applet name AppletHigh.jar"; flow:established,to_server; http.uri; content:"/AppletHigh.jar"; http.user_agent; content:"Java/1."; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:exploit-kit; sid:2016639; rev:5; metadata:created_at 2013_03_22, updated_at 2020_04_24;)
 
@@ -32398,8 +31928,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlimKit hex.z
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Exploit Kit Hostile Jar app.jar"; flow:established,to_server; http.uri; content:"/app.jar"; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2017096; rev:5; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2020_04_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (3) Mar 07 2013"; flow:established,to_server; urilen:10; http.uri; content:"/jot.class"; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2016556; rev:7; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Serialized Data request"; flow:established,to_server; http.uri; content:".ser"; endswith; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2016504; rev:5; metadata:created_at 2013_02_26, updated_at 2020_04_24;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder URI"; flow:to_server,established; http.uri; content:"java.lang.ProcessBuilder("; nocase; classtype:attempted-user; sid:2017172; rev:5; metadata:created_at 2013_07_24, updated_at 2020_04_24;)
@@ -32418,8 +31946,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Comfoo Checkin";
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Comfoo Outbound Communication"; flow:established,to_server; http.header; content:"Accept-Language|3a 20|en-en|0d 0a|"; http.user_agent; content:"|3b|Windows|20|"; nocase; reference:url,doc.emergingthreats.net/2009125; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/; classtype:trojan-activity; sid:2009125; rev:16; metadata:created_at 2010_07_30, updated_at 2020_04_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Ransom.Win32.Blocker.bjat"; flow:established,to_server; http.uri; content:"?&"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; http.header; content:"User-Agent|3a 20|Update"; fast_pattern; classtype:trojan-activity; sid:2017281; rev:4; metadata:created_at 2013_08_06, former_category MALWARE, updated_at 2022_03_02;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Rovnix.I Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ld.aspx?key="; startswith; http.header_names; content:!"Accept|0d 0a|"; nocase; content:!"Referer|0d 0a|"; nocase; http.user_agent; content:"FWVersionTestAgent"; depth:18; reference:md5,605daaa9662b82c0d5982ad3a742d2e7; classtype:command-and-control; sid:2017279; rev:4; metadata:created_at 2013_08_06, former_category MALWARE, updated_at 2020_04_24;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER - EXE File Uploaded - Hex Encoded"; flow:established,to_server; http.request_body; content:"4d5a"; nocase; content:"50450000"; distance:0; classtype:bad-unknown; sid:2017293; rev:3; metadata:created_at 2013_08_07, updated_at 2020_04_24;)
@@ -32432,7 +31958,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yayih.A Checkin 3
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yayih.A Checkin 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/bbs/search.asp"; fast_pattern; http.header; content:"Mozilla/4.0 (compatible|3b| MSIE 5.0|3b| Windows NT 5.0)|0d 0a|"; reference:md5,832f5e01be536da71d5b3f7e41938cfb; reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:command-and-control; sid:2017325; rev:5; metadata:created_at 2013_08_13, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sinowal/sinonet/mebroot/Torpig infected host POSTing process list"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"[System Process]|0a|"; depth:17; classtype:trojan-activity; sid:2011364; rev:6; metadata:created_at 2010_09_28, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sinowal/sinonet/mebroot/Torpig infected host POSTing process list"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"[System Process]|0a|"; depth:17; classtype:trojan-activity; sid:2011364; rev:6; metadata:created_at 2010_09_28, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Pirate Browser Download"; flow:established,to_server; http.uri; content:"/PirateBrowser"; content:".exe"; reference:url,piratebrowser.com; classtype:policy-violation; sid:2017329; rev:3; metadata:created_at 2013_08_15, updated_at 2020_04_24;)
 
@@ -32448,11 +31974,11 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Napolar.A G
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO InetSim Response from External Source Possible SinkHole"; flow:from_server,established; http.server; content:"INetSim HTTP Server"; bsize:19; classtype:bad-unknown; sid:2017363; rev:3; metadata:created_at 2013_08_21, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect"; flow:established,to_server; http.uri; content:".action?"; content:"redirect|3a|"; distance:0; content:"{"; distance:0; pcre:"/[\?&]redirect\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017155; rev:5; metadata:created_at 2013_07_17, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect"; flow:established,to_server; http.uri; content:".action?"; content:"redirect|3a|"; distance:0; content:"{"; distance:0; pcre:"/[\?&]redirect\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017155; rev:5; metadata:created_at 2013_07_17, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction"; flow:established,to_server; http.uri; content:".action?"; content:"redirectAction|3a|"; distance:0; content:"{"; distance:0; pcre:"/[\?&]redirectAction\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017156; rev:5; metadata:created_at 2013_07_17, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action"; flow:established,to_server; http.uri; content:".action?"; content:"action|3a|"; distance:0; content:"{"; distance:0; pcre:"/[\?&]action\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017157; rev:5; metadata:created_at 2013_07_17, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action"; flow:established,to_server; http.uri; content:".action?"; content:"action|3a|"; distance:0; content:"{"; distance:0; pcre:"/[\?&]action\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017157; rev:5; metadata:created_at 2013_07_17, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Win32/Napolar.A URL Response"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"!http|3a|//"; within:8; pcre:"/^[^\r\n]+?\$$/R"; reference:md5,9a8cee88d7440f25be8404b71cb584de; reference:md5,b70f8d0afa82c222f55f7a18d2ad0b81; classtype:trojan-activity; sid:2017367; rev:3; metadata:created_at 2013_08_22, updated_at 2020_04_24;)
 
@@ -32464,14 +31990,6 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell -
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - ASPyder -File Upload - POST Structure"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"?upload=@&txtpath="; http.request_body; content:"Upload !"; classtype:trojan-activity; sid:2017393; rev:3; metadata:created_at 2013_08_28, updated_at 2020_04_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Java request to UNI.ME Domain Set 1"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:c(?:o(?:l(?:leg(?:e(?:(?:confidential|-station|prowler)\.net|s?explained\.com)|iate(?:explained|info)\.com)|(?:o(?:rado-springs-jobs|nexplained)|umnexplore)\.com)|m(?:p(?:uter(?:explained\.com|themes\.net)|assiondefinition\.com)|m(?:oditylingerie|unesinfo|ercekid)\.com)|n(?:ce(?:rtparis\.net|ptsets\.com)|trolwedding\.com)|(?:(?:rnell|upon)explained|peguide)\.com|7\.us)|a(?:(?:(?:mpaign|talog|det)explained|n(?:cersexplained|adadaycore)|p(?:itali[sz]eguide|ricornhi)|b(?:leexplained|indynamic))\.com|r(?:(?:tograph(?:yanalysis|erwhat)|cinomas?explained|scratch-remover|eblack)\.com|insurance-compare\.net)|ce\.us)|h(?:(?:a(?:r(?:med-episodes|les-proxy|tpixel)|p(?:elsinfo|terball)|nnelexplained)|ristmas(?:gift-ideas|motion)|inesenewyearboom|eckingwatch)\.com|(?:orizo|urros)\.es)|(?:e(?:l(?:lularexplained|iac-diet)|ntigrade(?:explained|info))|(?:li(?:nical|ck)|ustomized)explained|r(?:uiseshipdating|iticsmart)|pu-benchmark|nc-cs)\.com|8\.biz|z\.cc)|a(?:(?:ll(?:about(?:(?:(?:collegi|gradu)at|yal)e|s(?:eminary|tudent)|(?:facul|varsi)ty|bestsellers|academic|teaching|harvard|ucla|pro)|babyours)|n(?:(?:tipodesbi|alyzelan)d|onymous-film)|(?:mericas-nexttopmode|gentsbal)l|r(?:chitectureice|lingtonwriter)|c(?:ademicexplaine|tionmo)d|ero(?:flotinfo|bicfund))\.com|u(?:(?:toma(?:tedexplained|kers24)|stralia-airlines|xiliaryverb)\.com|di(?:t(?:jewellery\.com|report\.net)|o-planet\.com))|p(?:(?:rilfools(?:hotel|spin)|ple-airport)\.com|[fh]i\.biz)|ir(?:(?:bnb-coupon|waysinfo)\.com|portshuttleseattle\.net)|v(?:enue(?:domain|hello)\.com|li\.biz)|\.e\.gy)|b(?:(?:a(?:c(?:helorexplained|kpackscope)|by(?:online-shop|revision)|(?:rcelonarea|ggagecoo)l|s(?:icexplained|escope)|ttle-field-3)|e(?:(?:st-hoteldeal|er-calorie|t-award)s|nefitexplained)|u(?:y-invite|dgetyep)|logger-com)\.com|r(?:(?:o(?:adbandinternet-providers|king(?:explained|guide))|unomarsalbum|yan-college)\.com|ea(?:st(?:cancertattoos\.net|explained\.com)|dmachine-recipes\.com))|o(?:(?:(?:om(?:ing|s)|nd)explained|tany(?:explained|info)|dybuildingdomains|rrowings?24)\.com|stoncolleges\.net)|irthcertificatetemplate\.net|3g\.biz)|d(?:e(?:(?:(?:(?:benture|posit)explaine|alershipislan)d|n(?:guefevertreatment|verhowto)|ductguide|veloptea)\.com|(?:xterstreaming|ciduoustrees)\.net)|o(?:(?:ctorate(?:s?explained|info)|llar-converter|gwalking-jobs|texplained|mainsknow)\.com|wnload(?:starcraft|-films|ubuntu)\.net)|(?:a(?:ncecentralsonglist|rtmouthexplained)|na-replication|hcp-server|vd-codec|rivewww)\.com|i(?:(?:s(?:count|ease)explained|nnerparty-recipes|walifile)\.com|rect-golf\.net))|e(?:(?:a(?:r(?:fulexplained|th-clinic)|sy(?:-costumes|repayment))|conomic(?:save|24))\.com|\.gy)|4(?:(?:4qs|h5)\.com|[jp]\.org|ql\.biz)|3(?:vt\.info|gb\.biz|q\.org)|2(?:eat\.com|sf\.biz|u\.se)|8(?:c1\.net|x\.biz)|7(?:c\.org|p\.biz)|11r\.(?:biz|us))(\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017457; rev:4; metadata:created_at 2013_09_13, former_category INFO, updated_at 2021_08_13;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Java request to UNI.ME Domain Set 2"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:f(?:(?:a(?:c(?:ultyexplained|e-bok)|(?:ncy-font|ke-nail)s|ir(?:explained|fuse)|shion-wallpaper|lterguide)|i(?:nanc(?:i(?:al|ng)explained|epets)|rm(?:explained|s24)|lter-coffee)|o(?:r(?:umexplained|ecastbooks|ceestate)|x-drama)|udaninfo)\.com|re(?:e(?:-(?:(?:(?:foodcoupon|angrybird)s|s(?:oundclips|tock)|photoeditor)\.com|music-download\.net)|(?:p(?:owerpointthem|roduct-sampl)es|dom-ofspeech)\.com|fileconverter\.net)|snoever\.com)|l(?:a(?:shplayerdownload\.net|tbelly-diet\.com)|oridaunemploymentclaim\.com|v-downloader\.net)|e(?:rtility-calculator\.net|stivalexplained\.com)|b(?:-smileys\.com|skins\.net))|l(?:(?:i(?:n(?:k(?:explained|master)|colnsbirthdaytea)|(?:ability|ver)explained|(?:berty-saf|ftmov)e|stings(?:biz|red)|teraturemulti)|u(?:ng(?:explained|abscess)|ggageboom)|o(?:cationssecure|ndon-riots|gback))\.com|e(?:(?:a(?:singexplained|ther-trousers)|(?:edsunited-new|d-candle)s|cturer(?:explained|info)|nd(?:ing|er)explained|isure-diving)\.com|u(?:kemiaexplained\.com|e\.biz)|tup\.org)|a(?:guay\.(?:com|es)|-gazzetta\.com)|6\.org)|i(?:n(?:s(?:(?:ur(?:er(?:s(?:explained|24)|explained)|ancesexplained)|ide-film)\.com|(?:pection-camera|taflex)\.net)|d(?:e(?:pendenceday(?:portal|realty)|mnityexplained)\.com|ividual-healthinsurance\.net)|t(?:er(?:estexplained\.com|trigo\.net)|ranet(?:explained|pm)\.com)|(?:(?:vestment|centive)explained|expensivehyper)\.com|f(?:ections?explained\.com|o\.se))|(?:(?:mmersio|sd)nexplained|ronmancom|pone-5)\.com|i(?:nkai|lg)\.biz)|m(?:(?:e(?:tropolis(?:(?:cruis|fac|mov)e|pixel)|(?:lanoma|dical)explained|r(?:idiantotal|cedes-cls)|ntal-healthjobs|morialdaycon|ssenger-mac|ansgift)|i(?:ami(?:-holidays|what)|di-editor)|baexplained)\.com|a(?:r(?:(?:tial-empires|ket-hq)\.com|iogames-online\.net)|n(?:(?:agejoin|ualzap)\.com|ipal-university\.net)|(?:lignanthypertension|gazinedownload)\.net|s(?:on(?:wave|car)|tersexplained)\.com|c2\.org))|e(?:(?:s(?:ta(?:tes(?:mob|fx)|blishstyle)|lexplained)|mploy(?:e(?:eexplained|r24)|mentexplained))\.com|n(?:(?:(?:gagement-photo|able-cookie)s|rollexplained)\.com|trepreneur-ideas\.net)|x(?:(?:(?:hibition|po)explained|ecutive-decision)\.com|tremedeal\.net)|l(?:ect(?:ronicexplained|orate123)\.com|guay\.(?:com|es))|q(?:uityexplained\.com|8\.biz))|g(?:(?:o(?:a(?:d(?:minister|vertize|just)|cademic|llocate)|(?:thic-literatur|handl)e|(?:bailou|conduc)t|govern)|r(?:a(?:duate(?:explained|sinfo)|ndparentsdayplan)|oceryexplained|4)|ym(?:glas|car)s|m[69])\.com|a(?:(?:(?:llaudet|te)explained|mevelocity|rnerguide)\.com|511\.net)|cwsa\.org)|h(?:o(?:(?:me(?:made-biscuits|pageexplained)|(?:nours|tline|using)explained|6)\.com|stel-barcelona\.net)|a(?:r(?:dback(?:city|yoga)|vardexplained)|n(?:dlechange|ukkahbio)|lloweenorange)\.com|y(?:perthyroidsymptoms\.net|d\.me)|ellokittypictures\.net)|j(?:(?:o(?:urnalism(?:explained|info)|hn-grisham|ker-tattoo)|query-examples)\.com|a(?:cksonvillepath\.com|vacollection\.net)|(?:vvg|6)\.org)|k(?:ilometersreach|udosexplained|jyg)\.com)(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017458; rev:4; metadata:created_at 2013_09_13, former_category INFO, updated_at 2021_08_13;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Java request to UNI.ME Domain Set 3"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:p(?:r(?:o(?:pert(?:ies(?:-forsale\.net|winters\.com)|y-(?:singapore|rental)\.net)|(?:fessors|state)explained\.com)|e(?:miums(?:e(?:xplained|ek)|guide)|(?:acher|cinct|late)sinfo|pexplained)\.com|i(?:va(?:te(?:car-sales|explained)\.com|do\.info)|nceton\.me))|e(?:(?:n(?:sionexplained|thousepal|cetruck)|diatricsexplained)\.com|rsonal(?:trainer-certification\.net|-injuryclaims\.com)|tardo\.es)|o(?:(?:wer(?:borrowings?|repayment|debts)|rt(?:land-holidays|alexplained)|intexplained|litical24)\.com|kertexas-holdem\.net)|a(?:(?:ss(?:engersinfo|agepix)|ge(?:explained|as)|cemaker-surgery|ttinson-robert|rk-edu)\.com|loaltocollege\.net)|(?:u(?:blicationgift|pils?info)|ickups(?:articles|gen)|neumoniaexplained|sychologyquotes|lus-sign)\.com|h(?:o(?:toedit(?:orfreedownload\.net|ingsite\.com)|neexplained\.com)|pbb-themes\.com|yscology\.net)|cbp\.net|9\.org)|o(?:n(?:line(?:(?:(?:f(?:o(?:ster|rce)|irstborn|raternal|ulltime)|b(?:r(?:idegroom|owse)|oxoffice)|e(?:(?:valuat|xpress)e|fficient)|-(?:collegecourse|radiostation)|d(?:escendant|aughter|iscusse)|v(?:illage|acant)|re(?:sidence|al))s|c(?:(?:r(?:iti(?:c(?:ize|al)|que)|ew)|o(?:nsider|usin)|a(?:pture|meo)|elluloid)s|ha(?:racters|teau))|a(?:(?:(?:vailabl|doptiv|llianc|pprais)e|ss(?:esse|ay)|unt)s|n(?:(?:cestor|alyze)s|imated)|way)|per(?:sonal-trainer|manents))\.com|mediaconverter\.net)|e-lyrics\.com|amia\.biz)|(?:ver(?:seasexplained|drawnreal)|(?:wnership|ffline)explained|cean(?:ic-cable|you)|rphanagesinfo|klahomafuse)\.com|a(?:klandour\.com|pg\.org))|r(?:e(?:(?:s(?:idenc(?:e(?:attorney|dating|cook|food)|yexplained)|erves(?:development|core))|(?:c(?:o(?:ver(?:ing|ed)|up)|laim)guid|laxationhyp|bateventur)e|g(?:i(?:on(?:private|mentor)|stercommunity)|ainguide)|t(?:r(?:ainingexplained|ieveguide)|ailexplained)|motecontrol-helicopter|viewwinters|payment24)\.com|alestate-perth\.net)|(?:a(?:cetracksinfo|veexplained|iserepair|tetask)|ising-antivirus|bnnetwork)\.com|o(?:(?:o(?:m(?:sfootball|mateco)|fcute)|admodern)\.com|yallondonhospital\.net))|s(?:(?:o(?:(?:lventsourc|ftenguid)e|urceexplained|cietiesinfo|ng-india)|a(?:n(?:antoniosource|diegodiscover)|l(?:aryexplaine|euploa)d)|ta(?:nford(?:explained|info)|(?:bilis|v)eguide|r-treck)|p(?:ecialtyexplained|iralwatch|orts-tab)|ch(?:oolexplained|eduleedu)|ites?explained)\.com|e(?:(?:minar(?:y(?:explained|info)|explained)|c(?:(?:urities|tor)explained|what)|aworld-coupons)\.com|rvertransfer\.net)|m(?:ier\.org|oz\.us)|hellgascard\.net|gba\.biz)|m(?:o(?:(?:t(?:oristsinfo|iveshare)|ntre-breitling|dernexplained|squesinfo)\.com|hamed\.me)|(?:y(?:borrowings|-husband)|ultimediaexplained|inistriesinfo)\.com|mcd\.us)|n(?:(?:a(?:ming(?:mac|our)|uticalfit|vigateadd)|e(?:tworkexplained|w-college))\.com|8\.biz))(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017459; rev:4; metadata:created_at 2013_09_13, former_category INFO, updated_at 2021_08_13;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Java request to UNI.ME Domain Set 4"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:t(?:e(?:(?:l(?:e(?:phoneexplained|comsguide)|learth)|n(?:ured(?:explained|info)|nis-ranking))\.com|mp(?:l(?:ates-gratis\.com|ecollege\.net)|converter\.net)|a(?:ching(?:-certificate\.net|explained\.com)|m\.pro))|r(?:a(?:(?:(?:nsferbyt|de-)e|in(?:eesinf|ge)o|mray)\.com|vel(?:insurance-comparison\.net|agentnerd\.com))|e(?:k-bicycles|nd-online)\.net|uckstool\.com|onco\.es)|(?:o(?:wn(?:housepic|study|euro|meta)|(?:tal-tool|memap)s|pgamebook|olboxsol)|u(?:mors?explained|lsatrain|rn-ons)|attoo-websites|ype-racer|wainfo)\.com|h(?:(?:anksgivinggaming|riftexplained)\.com|e(?:sis-examples\.com|atreparis\.net))|i(?:mezonevendor\.com|dl\.net)|cmn\.biz)|w(?:e(?:b(?:(?:b(?:estseller|ailout)|administer)\.com|site(?:downloader\.net|explained\.com)|developertoolbar\.net)|(?:l(?:lesley|fare)explained|akenguide)\.com)|or(?:th(?:voice|war)\.com|ld-records\.net)|ater(?:front-property\.net|-plants\.com)|(?:riterpics|hoiscan)\.com|pbh\.org|sse\.us)|s(?:(?:t(?:ud(?:ent(?:financecontact|s?explained)|yexplained)|r(?:eetmaphub|ongat)|patricksweightloss|onewhat)|wissairinfo)\.com|u(?:(?:mmertimelyrics|nset-wallpaper|per-committee|itegraphic)\.com|b\.(?:name|cat|es)))|v(?:(?:i(?:llage(?:(?:in|na)no|crystal)|deo(?:-mediaset|explained)|ta(?:minssms|lwow)|rtualexplained)|o(?:lumesynergy|ucheragent|ters24)|a(?:rsityexplained|lentinesproxy)|entureexplained)\.com|qtel\.net|f1\.us)|u(?:n(?:i(?:versityexplained\.com|nstalltool\.net|\.me)|(?:(?:secured|am)explained|ravelguide)\.com|limited-web-hosting\.net)|(?:cla(?:explained|info)|s-inflation|alinfo|zdom)\.com|[04]\.org)|y(?:(?:o(?:u(?:ngstersinfo|rbroking)|mkippursocial)|(?:eshiva|ale)explained|vxs)\.com|nna\.biz)|zwr\.org)(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017460; rev:4; metadata:created_at 2013_09_13, former_category INFO, updated_at 2021_08_13;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess P2P Module v6 Reporting"; flow:to_server,established; http.uri; content:"dj02LjAmaWQ9"; offset:13; depth:12; http.header_names; content:!"Referer|0d 0a|"; reference:url,dnsamplificationattacks.blogspot.gr/p/blog-page.html; classtype:trojan-activity; sid:2017462; rev:3; metadata:created_at 2013_09_13, updated_at 2020_04_24;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parallax CnC Activity M9 (set)"; flow:established,to_server; content:"|a5 20 94 f5|"; depth:4; fast_pattern; content:"|6d 54 21|"; distance:1; within:3; flowbits:set,ET.Parallax-9; flowbits:noalert; reference:md5,1b3f8c92d5d1ace34fa4dc2dd80c3eb7; classtype:command-and-control; sid:2030027; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_25, deployment Perimeter, former_category MALWARE, malware_family Parallax, signature_severity Major, updated_at 2020_04_25;)
@@ -32556,8 +32074,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Magn
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FaceBook IM & Web Driven Facebook Trojan Posting Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/tsone/ajuno.php"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"u="; depth:2; content:"&p="; distance:0; content:"&l="; distance:0; reference:url,pastebin.com/raw.php?i=tdATTg7L; classtype:trojan-activity; sid:2017697; rev:6; metadata:created_at 2013_11_08, updated_at 2020_04_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious lgfxsrvc.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lgfxsrvc.exe"; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2017678; rev:4; metadata:created_at 2013_11_06, former_category HUNTING, updated_at 2021_06_23;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Download Executable"; flow:established,to_server; http.uri; content:"/gate.php?cmd=getinstallconfig"; fast_pattern; endswith; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016902; rev:6; metadata:created_at 2013_05_21, updated_at 2020_04_27;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Outbound"; flow:established,to_server; threshold: type both, count 5, seconds 60, track by_src; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; fast_pattern; http.request_body; content:"login="; depth:6; content:"$pass="; within:50; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:trojan-activity; sid:2017721; rev:4; metadata:created_at 2013_11_15, updated_at 2020_04_27;)
@@ -32646,7 +32162,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS.Win32/Daceluw
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye C&C Check-in URI"; flow:established,to_server; http.uri; content:"guid="; content:"ver="; content:"stat="; fast_pattern; content:"ie="; content:"os="; pcre:"/(\?|&)guid=[^!&]+?\!/"; reference:url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot; reference:url,krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/; classtype:command-and-control; sid:2011857; rev:7; metadata:created_at 2010_10_27, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportMessageRequest CnC Beacon"; flow:established,to_server; urilen:14; http.method; content:"POST"; http.uri; content:"/reportMessage"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018004; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportMessageRequest CnC Beacon"; flow:established,to_server; urilen:14; http.method; content:"POST"; http.uri; content:"/reportMessage"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018004; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy GetTaskRequest CnC Beacon"; flow:established,to_server; urilen:8; http.method; content:"POST"; http.uri; content:"/getTask"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018003; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
@@ -32720,9 +32236,9 @@ alert http $EXTERNAL_NET any -> any any (msg:"ET WEB_SERVER Possible AntSword We
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Query"; dns.query; content:"rythemsjoy.club"; nocase; endswith; classtype:domain-c2; sid:2030038; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DonotGroup, updated_at 2020_04_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass fw_sys_up.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/fw_sys_up.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018156; rev:3; metadata:created_at 2014_02_19, updated_at 2020_04_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass fw_sys_up.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/fw_sys_up.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018156; rev:3; metadata:created_at 2014_02_19, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass override.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/override.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018157; rev:3; metadata:created_at 2014_02_19, updated_at 2020_04_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass override.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/override.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018157; rev:3; metadata:created_at 2014_02_19, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass share_editor.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/share_editor.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018158; rev:3; metadata:created_at 2014_02_19, updated_at 2020_04_28;)
 
@@ -32738,7 +32254,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET [8443,9090] (msg:"ET WEB_SPECIFIC_APPS
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kazy/Kryptor/Cycbot Trojan Checkin 2"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"?tq="; fast_pattern; pcre:"/\.(?:(?:jp|pn)g|cgi|gif)\?tq=/"; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2013865; rev:8; metadata:created_at 2011_11_08, former_category MALWARE, updated_at 2020_04_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Matsnu.L Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?text="; content:"&img_url=http"; distance:0; content:"&rpt=simage&pos="; distance:0; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; http.user_agent; content:" Windows NT 5.0"; nocase; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=TROJAN%3AWIN32/MATSNU.L; reference:md5,38b1862a42a6453d8ccdf1c2d2eff018; classtype:command-and-control; sid:2018200; rev:4; metadata:created_at 2014_03_04, former_category MALWARE, updated_at 2020_04_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Matsnu.L Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?text="; content:"&img_url=http"; distance:0; content:"&rpt=simage&pos="; distance:0; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; http.user_agent; content:" Windows NT 5.0"; nocase; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=TROJAN%3AWIN32/MATSNU.L; reference:md5,38b1862a42a6453d8ccdf1c2d2eff018; classtype:command-and-control; sid:2018200; rev:4; metadata:created_at 2014_03_04, former_category MALWARE, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Qakbot.Bot Version 8 CnC Beacon"; flow:established,to_server; urilen:7<>32; content:"|0d 0a 0d 0a|v="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; pcre:"/^\/[b-u][A-Za-z0-9]{6,25}\.php$/"; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"&c="; reference:url,www.anubisnetworks.com/the-return-of-qakbot/; reference:md5,e9201c8b126ac40229e9ce3f82f5c608; reference:md5,749a7bf2ad84212bd78e46d240a4f434; classtype:command-and-control; sid:2018204; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_03_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
@@ -32784,11 +32300,11 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS BeeMovie Rela
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (h55u4u4u5uii5)"; flow:established,to_server; http.user_agent; content:"h55u4u4u5uii5"; bsize:13; reference:url,www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/; classtype:trojan-activity; sid:2030058; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_04_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Possible Linux/Cdorked.A Incoming Command"; flow:established,to_server; http.uri; pcre:"/\?[0-9a-f]{6}$/"; http.cookie; content:"SECID="; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:attempted-user; sid:2016794; rev:8; metadata:created_at 2013_04_27, former_category CURRENT_EVENTS, updated_at 2020_04_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Possible Linux/Cdorked.A Incoming Command"; flow:established,to_server; http.uri; pcre:"/\?[0-9a-f]{6}$/"; http.cookie; content:"SECID="; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:attempted-user; sid:2016794; rev:8; metadata:created_at 2013_04_27, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (DownloadMR)"; flow:to_server,established; http.user_agent; content:"DownloadMR"; nocase; depth:10; reference:url,www.virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; classtype:trojan-activity; sid:2016903; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_05_21, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-CSON Checkin - APT1 Related"; flow:to_server,established; http.uri; content:"/Default.aspx?INDEX="; pcre:"/\?ID=[A-Z]{10}$/"; http.user_agent; content:!"Mozilla"; startswith; reference:md5,8dd6a7fe83bd9682187d956f160ffb47; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.XR; reference:md5,ba45339da92ca4622b472ac458f4c8f2; reference:url,intelreport.mandiant.com/; classtype:targeted-activity; sid:2016460; rev:8; metadata:created_at 2011_10_06, former_category MALWARE, updated_at 2020_04_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-CSON Checkin - APT1 Related"; flow:to_server,established; http.uri; content:"/Default.aspx?INDEX="; pcre:"/\?ID=[A-Z]{10}$/"; http.user_agent; content:!"Mozilla"; startswith; reference:md5,8dd6a7fe83bd9682187d956f160ffb47; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.XR; reference:md5,ba45339da92ca4622b472ac458f4c8f2; reference:url,intelreport.mandiant.com/; classtype:targeted-activity; sid:2016460; rev:8; metadata:created_at 2011_10_06, former_category MALWARE, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dorkbot Loader Payload Request"; flow:established,to_server; urilen:<11; http.uri; content:".exe"; fast_pattern; http.header; content:"Mozilla/4.0|0D 0A|Host|3a|"; reference:md5,3452c20fd0df69ccfdea520a6515208a; classtype:trojan-activity; sid:2016578; rev:6; metadata:created_at 2013_03_15, updated_at 2020_04_29;)
 
@@ -32830,7 +32346,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rodecap CnC
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Cazanova SMTP Mailer"; nocase; content:">Cazanova SMTP Mailer</div>"; nocase; distance:0; classtype:web-application-attack; sid:2030059; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, signature_severity Major, updated_at 2020_04_29;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Cazanova SMTP Mailer"; nocase; content:">Cazanova SMTP Mailer</div>"; nocase; distance:0; classtype:web-application-attack; sid:2030060; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, signature_severity Critical, updated_at 2020_04_30;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Cazanova SMTP Mailer"; nocase; content:">Cazanova SMTP Mailer</div>"; nocase; distance:0; classtype:web-application-attack; sid:2030060; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, signature_severity Critical, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Server"; flow:established,to_client; file.data; content:"SCRIPT MAILER INBOX"; content:">SMTP Login:</font></div>"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2030061; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, signature_severity Major, updated_at 2020_04_29;)
 
@@ -32904,7 +32420,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CyberGate RAT Use
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MINEBRIDGE CnC Request"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"uuid="; depth:5; nocase; content:"&id="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&pcname="; nocase; distance:0; fast_pattern; content:"&osver="; nocase; distance:0; content:"&timeout="; nocase; distance:0; reference:md5,7d22d5b7cac4c8789f3fe7102e459edd; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:targeted-activity; sid:2030067; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MINEBRIDGE CnC Response"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"drun_command="; depth:13; fast_pattern; content:"&drun_URL="; content:"&rundll_command="; content:"&rundll_URL="; content:"&update_command="; content:"&update_URL="; content:"&restart_command="; content:"&terminate_command="; content:"&kill_command="; content:"&poweroff_command="; content:"&reboot_command="; content:"&setinterval_command="; content:"&setinterval_time="; reference:md5,7d22d5b7cac4c8789f3fe7102e459edd; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:targeted-activity; sid:2030068; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_04_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MINEBRIDGE CnC Response"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"drun_command="; depth:13; fast_pattern; content:"&drun_URL="; content:"&rundll_command="; content:"&rundll_URL="; content:"&update_command="; content:"&update_URL="; content:"&restart_command="; content:"&terminate_command="; content:"&kill_command="; content:"&poweroff_command="; content:"&reboot_command="; content:"&setinterval_command="; content:"&setinterval_time="; reference:md5,7d22d5b7cac4c8789f3fe7102e459edd; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:targeted-activity; sid:2030068; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rhabdo CnC Activity M1"; flow:established,to_server; content:"|3a|U1Q="; distance:48; within:5; endswith; http.method; content:"GET"; http.uri; content:".php?ID="; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Win64|3b 20|x64|3b 20|rv:47.0) Gecko / 20100101 Chrome/73.0.3645.0"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:37; endswith; reference:url,www.anomali.com/blog/anomali-suspects-that-china-backed-apt-pirate-panda-may-be-seeking-access-to-vietnam-government-data-center?utm_medium=social&utm_source=linkedin&utm_content=blog; classtype:targeted-activity; sid:2030069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_30;)
 
@@ -32914,7 +32430,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET 9999 (msg:"ET MOBILE_MALWARE Android S
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Minirem"; flow: established,to_server; urilen:>18; http.method; content:"GET"; http.uri; content:"/FC001/"; fast_pattern; depth:7; http.user_agent; content:"Microsoft Internet Explorer"; reference:md5,d92075280872b9fe4f541f090bf0076c; classtype:trojan-activity; sid:2018664; rev:7; metadata:created_at 2014_01_22, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (uTorrent)"; flow:to_server,established; http.header; content:"User-Agent|3a 20|uTorrent"; reference:url,www.utorrent.com; reference:url,doc.emergingthreats.net/2011706; classtype:policy-violation; sid:2011706; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (uTorrent)"; flow:to_server,established; http.header; content:"User-Agent|3a 20|uTorrent"; reference:url,www.utorrent.com; reference:url,doc.emergingthreats.net/2011706; classtype:policy-violation; sid:2011706; rev:7; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Upatre Common URI Struct July 15 2014"; flow:established,to_server; http.uri; content:"/0/"; content:"Service Pack "; distance:2; within:13; pcre:"/\/0\/$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,79772d72082a082a0048569ba2dfe5a3; classtype:trojan-activity; sid:2018678; rev:4; metadata:created_at 2014_07_15, updated_at 2020_04_30;)
 
@@ -32978,7 +32494,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Chroot-apache0day Un
 
 alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32/Gatak Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/\/(?:[a-z]{4,9}\/[a-z]{3,10}\?[a-z_]{2,9}=[0-9]{2,8}|[a-z]{10})&[a-z]{5,9}=[a-zA-Z0-9_*]{30,}$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; http.header; content:"Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| Trident/4.0)|0d 0a|Host|3a|"; fast_pattern; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32/Gatak; reference:url,www.malwaresigs.com/2013/01/30/trojan-gatak-post-compromise/; classtype:trojan-activity; sid:2018799; rev:4; metadata:created_at 2014_07_29, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Spy.Kasandra.A Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/path/DeviceManager.php"; nocase; depth:23; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; http.request_body; content:"func="; depth:5; content:"&deviceid="; distance:0; reference:md5,6df6553b115d9ed837161a9e67146ecf; classtype:trojan-activity; sid:2018888; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_08_04, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_05_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Spy.Kasandra.A Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/path/DeviceManager.php"; nocase; depth:23; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; http.request_body; content:"func="; depth:5; content:"&deviceid="; distance:0; reference:md5,6df6553b115d9ed837161a9e67146ecf; classtype:trojan-activity; sid:2018888; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_08_04, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2022_05_03, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ddex Loader Check-in"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?t="; content:"&o="; content:"&i="; content:"&task_id="; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/files/2014/07/Kaspersky_Lab_crouching_yeti_appendixes_eng_final.pdf; classtype:trojan-activity; sid:2018895; rev:3; metadata:created_at 2014_08_05, updated_at 2020_05_01;)
 
@@ -33004,12 +32520,14 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Flashback.K/I
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyreza RAT Ex-filtrating Data"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Wget/"; depth:5; http.request_body; content:"POST /"; depth:6; fast_pattern; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:trojan-activity; sid:2018578; rev:8; metadata:created_at 2014_06_13, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyreza RAT Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_W"; content:"|2e|"; distance:6; within:1; content:"/NAT/"; distance:0; fast_pattern; content:"|20|NAT/"; distance:0; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,2a835747b7442b1d58ab30abc90d3b0f; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:command-and-control; sid:2018683; rev:7; metadata:created_at 2014_07_16, former_category MALWARE, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyreza RAT Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_W"; content:"|2e|"; distance:6; within:1; content:"/NAT/"; distance:0; fast_pattern; content:"|20|NAT/"; distance:0; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,2a835747b7442b1d58ab30abc90d3b0f; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:command-and-control; sid:2018683; rev:7; metadata:created_at 2014_07_16, former_category MALWARE, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex/Bugat/Feodo POST Checkin"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; http.header; content:"Content-Length|3a 20|59|0d 0a|Host|3a 20|"; depth:26; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.uri; pcre:"/^\/[\/a-z0-9]+$/i"; reference:md5,2ddb6cb347eb7939545a1801c72f1f3f; classtype:command-and-control; sid:2018771; rev:6; metadata:created_at 2014_07_24, former_category MALWARE, updated_at 2020_05_01;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex/Bugat/Feodo Cookie"; flow:established,to_client; http.cookie; content:"tfardci_session="; depth:16; reference:md5,2ddb6cb347eb7939545a1801c72f1f3f; classtype:trojan-activity; sid:2018770; rev:5; metadata:created_at 2014_07_24, updated_at 2020_05_01;)
 
+#alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"T8hlGOo9"; fast_pattern; content:"OKl2N"; pcre:"/^(?:\\r\\n|\x0d\x0a)C/R"; content:"AAAAAAAA"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030007; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_05_01;)
+
 alert http $HOME_NET any -> any any (msg:"ET MALWARE JAWS Webserver Unauthenticated Shell Command Execution"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/shell?cd+/tmp|3b|rm+-rf+*|3b|wget+"; depth:29; fast_pattern; reference:md5,fea9e4132fc9d30bda5eb6b1d9d0b9b9; classtype:web-application-attack; sid:2030092; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2020_05_04, deployment Perimeter, signature_severity Major, updated_at 2020_05_04;)
 
 alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN JAWS Webserver Unauthenticated Shell Command Execution"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/shell?cd+/tmp|3b|rm+-rf+*|3b|wget+"; depth:29; fast_pattern; reference:md5,fea9e4132fc9d30bda5eb6b1d9d0b9b9; classtype:web-application-attack; sid:2030093; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2020_05_04, deployment Perimeter, signature_severity Minor, updated_at 2020_05_04;)
@@ -33040,7 +32558,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /bin/bash
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Scan Precursor"; flow:established,to_server; http.uri; content:"/thisdoesnotexistahaha.php"; reference:url,doc.emergingthreats.net/2010720; classtype:web-application-attack; sid:2010720; rev:5; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Skipfish Web Application Scan Detected (2)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".old"; http.header; content:"Range|3A| bytes=0-199999"; http.user_agent; content:"Mozilla/5.0 SF/"; reference:url,isc.sans.org/diary.html?storyid=8467; reference:url,code.google.com/p/skipfish/; reference:url,doc.emergingthreats.net/2010956; classtype:attempted-recon; sid:2010956; rev:5; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Skipfish Web Application Scan Detected (2)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".old"; http.header; content:"Range|3A| bytes=0-199999"; http.user_agent; content:"Mozilla/5.0 SF/"; reference:url,isc.sans.org/diary.html?storyid=8467; reference:url,code.google.com/p/skipfish/; reference:url,doc.emergingthreats.net/2010956; classtype:attempted-recon; sid:2010956; rev:5; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN crimscanner User-Agent detected"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"crimscanner/"; nocase; reference:url,doc.emergingthreats.net/2010954; classtype:network-scan; sid:2010954; rev:6; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
 
@@ -33050,8 +32568,6 @@ alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET SCAN w3af Scan Remote
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible WafWoof Web Application Firewall Detection Scan"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/<invalid>hello.html"; reference:url,code.google.com/p/waffit/; reference:url,doc.emergingthreats.net/2011720; classtype:attempted-recon; sid:2011720; rev:5; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED exploit kit x/exe.php?x=mdac"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"exe.php?x=mdac"; nocase; classtype:exploit-kit; sid:2011908; rev:4; metadata:created_at 2010_11_09, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER DD-WRT Information Disclosure Attempt"; flow:established,to_server; flowbits:set,et.ddwrt.infodis; http.uri; content:"/Info.live.htm"; nocase; reference:url,www.exploit-db.com/exploits/15842/; classtype:attempted-recon; sid:2012116; rev:6; metadata:created_at 2010_12_30, updated_at 2020_05_04;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Large Subnormal Double Precision Floating Point Number PHP DoS in URI"; flow:established,to_server; http.uri; content:"2.2250738585072011e-308"; nocase; reference:url,bugs.php.net/bug.php?id=53632; classtype:attempted-dos; sid:2012150; rev:4; metadata:created_at 2011_01_06, updated_at 2020_05_04;)
@@ -33132,8 +32648,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible JKDDOS d
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hiloti loader requesting payload URL"; flow:established,to_server; http.uri; content:"/lurl.php?affid="; depth:16; classtype:trojan-activity; sid:2012514; rev:4; metadata:created_at 2011_03_16, updated_at 2020_05_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Phoenix Exploit Kit malware payload download"; flow:established,to_server; http.uri; content:".php?deserialize="; reference:url,doc.emergingthreats.net/2011183; classtype:exploit-kit; sid:2011183; rev:6; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY request for hide-my-ip.com autoupdate"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/auto_update/HideMyIP/update.dat"; nocase; classtype:policy-violation; sid:2011311; rev:6; metadata:created_at 2010_09_28, updated_at 2020_05_06;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.cz.cc domain"; flow:to_server,established; http.host; content:".cz.cc"; endswith; classtype:bad-unknown; sid:2011375; rev:5; metadata:created_at 2010_09_28, updated_at 2020_05_06;)
@@ -33222,8 +32736,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.orge.pl Domain"; flow:established,to_server; http.host; content:".orge.pl"; endswith; classtype:bad-unknown; sid:2013844; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 1"; flow:established,to_server; http.uri; content:"/Google_setup.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013895; rev:5; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (moanmyip .com)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"moanmyip.com"; fast_pattern; classtype:policy-violation; sid:2030126; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_05_07;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Agent.XXZBEN Downloader Activity"; flow:established,to_server; http.start; content:"Cookie|3a 20 0d 0a|Accept|3a 20|"; http.method; content:"GET"; http.uri; content:"/check?ver="; fast_pattern; content:"&os="; distance:0; content:"&binary="; distance:0; content:"&token="; distance:0; content:"&host="; distance:0; content:"&run_time="; distance:0; content:"&once="; distance:0; http.header; content:"|0d 0a|User-Agent|3a 20|User-Agent|3a 20|Mozilla"; reference:md5,113a0256fa05ece2a56b88e6285aff7a; classtype:trojan-activity; sid:2030123; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_07;)
@@ -33248,14 +32760,6 @@ alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET POLICY Oracle T3 Respo
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (ipchicken .com)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"ipchicken.com"; fast_pattern; classtype:policy-violation; sid:2030137; rev:1; metadata:created_at 2020_05_08, updated_at 2020_05_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 2"; flow:established,to_server; http.uri; content:"google_setup.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013896; rev:5; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 3"; flow:established,to_server; http.uri; content:"/FaceBook_Complemento.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013897; rev:4; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 4"; flow:established,to_server; http.uri; content:"/YouTube_Setup.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013898; rev:4; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 5"; flow:established,to_server; http.uri; content:"/google2.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013899; rev:4; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Likely MS12-004 midiOutPlayNextPolyEvent Heap Overflow Midi Filename Requested baby.mid"; flow:established,to_server; http.uri; content:"/baby.mid"; reference:cve,2012-0003; classtype:trojan-activity; sid:2014207; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_02_07, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_05_08;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a 3322.org.cn Domain"; flow:to_server,established; http.host; content:".3322.org.cn"; endswith; classtype:bad-unknown; sid:2014289; rev:4; metadata:created_at 2012_02_28, updated_at 2020_05_08;)
@@ -33286,9 +32790,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Tobfy.Ransomw
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Tobfy.Ransomware Invalid URI CnC Request"; flow:established,to_server; http.uri; content:"/.ru|60|utr/qiq"; http.host; content:".my-files-download.ru"; reference:url,blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html; classtype:command-and-control; sid:2016187; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_05_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BroBot POST"; flow:established,to_server; threshold: type limit, count 1, seconds 300, track by_src; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 Firefox/3.6.12"; fast_pattern; bsize:26; http.request_body; pcre:"/^(?:c(?:omment|_id)|m(?:jdu)?)=/"; classtype:web-application-attack; sid:2016212; rev:5; metadata:created_at 2013_01_16, updated_at 2020_05_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BroBot POST"; flow:established,to_server; threshold: type limit, count 1, seconds 300, track by_src; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 Firefox/3.6.12"; fast_pattern; bsize:26; http.request_body; pcre:"/^(?:c(?:omment|_id)|m(?:jdu)?)=/"; classtype:web-application-attack; sid:2016212; rev:5; metadata:created_at 2013_01_16, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Ruby on Rails CVE-2013-0333 Attempt"; flow:established,to_server; http.request_body; content:"!ruby/"; nocase; content:"NamedRouteCollection"; nocase; reference:url,gist.github.com/4660248; classtype:web-application-activity; sid:2016305; rev:8; metadata:created_at 2013_01_30, updated_at 2020_05_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Ruby on Rails CVE-2013-0333 Attempt"; flow:established,to_server; http.request_body; content:"!ruby/"; nocase; content:"NamedRouteCollection"; nocase; reference:url,gist.github.com/4660248; classtype:web-application-activity; sid:2016305; rev:8; metadata:created_at 2013_01_30, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CommentCrew downloader without user-agent string exe download without User Agent"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"open="; nocase; content:"myid="; nocase; http.header_names; content:!"User-Agent|0d 0a|"; classtype:targeted-activity; sid:2016475; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_05_08;)
 
@@ -33454,7 +32958,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miuref/Boaxxe Che
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Belkin N750 Buffer Overflow Attempt"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/login.cgi"; http.request_body; content:"GO=&jump="; depth:9; isdataat:1380,relative; reference:cve,CVE-2014-1635; reference:url,labs.integrity.pt/advisories/cve-2014-1635/; classtype:attempted-admin; sid:2019686; rev:4; metadata:created_at 2014_11_11, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup Redirection from infected Website to Trojan-Downloader"; flow:established,to_server; http.uri; content:"/cgi-bin/r.cgi"; nocase; depth:14; content:"p="; nocase; content:"h="; nocase; content:"u="; nocase; content:"q="; nocase; content:"t="; nocase; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013181; rev:11; metadata:created_at 2011_07_04, updated_at 2020_05_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup Redirection from infected Website to Trojan-Downloader"; flow:established,to_server; http.uri; content:"/cgi-bin/r.cgi"; nocase; depth:14; content:"p="; nocase; content:"h="; nocase; content:"u="; nocase; content:"q="; nocase; content:"t="; nocase; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013181; rev:11; metadata:created_at 2011_07_04, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fiesta URI Struct"; flow:established,to_server; urilen:>64; flowbits:set,ET.Fiesta.Exploit.URI; http.uri; content:"|3b|"; offset:63; fast_pattern; content:!"="; content:!"&"; pcre:"/^\/[^\x2f]+?\/\??[a-f0-9]{60,66}(?:\x3b\d+){1,4}$/"; classtype:exploit-kit; sid:2018407; rev:10; metadata:created_at 2014_04_23, former_category EXPLOIT_KIT, updated_at 2020_05_13;)
 
@@ -33466,11 +32970,11 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Asprox P
 
 alert http $EXTERNAL_NET any -> $HOME_NET [9200,9292] (msg:"ET WEB_SERVER Possible CVE-2014-3120 Elastic Search Remote Code Execution Attempt"; flow:established,to_server; http.uri; content:"search"; nocase; content:"source="; nocase; distance:0; content:"script_fields"; nocase; distance:0; content:"import"; distance:0; nocase; content:"java."; nocase; distance:0; reference:url,bouk.co/blog/elasticsearch-rce/; classtype:attempted-admin; sid:2018495; rev:4; metadata:created_at 2014_05_21, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DEEP PANDA Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Photos/Query.cgi?loginid="; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf; classtype:command-and-control; sid:2016820; rev:4; metadata:created_at 2013_05_04, former_category MALWARE, updated_at 2020_05_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DEEP PANDA Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Photos/Query.cgi?loginid="; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf; classtype:command-and-control; sid:2016820; rev:4; metadata:created_at 2013_05_04, former_category MALWARE, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DEEP PANDA Checkin 3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Catelog/login1.cgi"; fast_pattern; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf; classtype:command-and-control; sid:2016821; rev:5; metadata:created_at 2013_05_04, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alureon Checkin"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; http.request_body; content:"winver="; depth:7; content:"&ver="; distance:0; pcre:"/^winver=\d+&ver=\d+$/"; reference:md5,2155b7942ddc6d7a82e7d96a8c594501; classtype:command-and-control; sid:2019717; rev:3; metadata:created_at 2014_11_18, former_category MALWARE, updated_at 2020_05_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alureon Checkin"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; http.request_body; content:"winver="; depth:7; content:"&ver="; distance:0; pcre:"/^winver=\d+&ver=\d+$/"; reference:md5,2155b7942ddc6d7a82e7d96a8c594501; classtype:command-and-control; sid:2019717; rev:3; metadata:created_at 2014_11_18, former_category MALWARE, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker HTTP Request for manhuaba.com.cn"; flow:established,to_server; http.method; content:"GET"; http.host; content:"manhuaba.com.cn"; endswith; reference:url,researchcenter.paloaltonetworks.com/2014/11/question-wirelurker-attribution-responsible; classtype:trojan-activity; sid:2019731; rev:4; metadata:created_at 2014_11_18, updated_at 2020_05_13;)
 
@@ -33500,15 +33004,15 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Insomnia S
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pandora FMS SQLi"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/pandora_console/mobile/index.php"; http.request_body; content:"action=login"; fast_pattern; content:"user="; distance:0; pcre:"/[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ri"; reference:url,www.rapid7.com/db/modules/exploit/linux/http/pandora_fms_sqli; classtype:attempted-admin; sid:2019903; rev:4; metadata:created_at 2014_12_10, updated_at 2020_05_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (shell_exec() function used)"; flow:to_server,established; http.header; content:"aGVsbF9l"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013939; rev:5; metadata:created_at 2011_11_22, updated_at 2020_05_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (shell_exec() function used)"; flow:to_server,established; http.header; content:"aGVsbF9l"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013939; rev:5; metadata:created_at 2011_11_22, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (proc_open() function used)"; flow:to_server,established; http.header; content:"JHAgPSBhcnJheShhcnJh"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013940; rev:5; metadata:created_at 2011_11_22, updated_at 2020_05_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (proc_open() function used)"; flow:to_server,established; http.header; content:"JHAgPSBhcnJheShhcnJh"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013940; rev:5; metadata:created_at 2011_11_22, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (popen() function used)"; flow:to_server,established; http.header; content:"JGggPSBwb3Bl"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013941; rev:5; metadata:created_at 2011_11_22, updated_at 2020_05_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (popen() function used)"; flow:to_server,established; http.header; content:"JGggPSBwb3Bl"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013941; rev:5; metadata:created_at 2011_11_22, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (perl->system() function used)"; flow:to_server,established; http.header; content:"JHBlcmwgPSBuZXcg"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013944; rev:5; metadata:created_at 2011_11_22, updated_at 2020_05_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (perl->system() function used)"; flow:to_server,established; http.header; content:"JHBlcmwgPSBuZXcg"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013944; rev:5; metadata:created_at 2011_11_22, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (exec() function used)"; flow:to_server,established; http.header; content:"ZXhlYygn"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013945; rev:5; metadata:created_at 2011_11_22, updated_at 2020_05_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (exec() function used)"; flow:to_server,established; http.header; content:"ZXhlYygn"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013945; rev:5; metadata:created_at 2011_11_22, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (system() function used)"; flow:to_server,established; http.header; content:"QHN5c3Rl"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013937; rev:7; metadata:created_at 2011_11_21, updated_at 2020_05_14;)
 
@@ -33562,7 +33066,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AutoHotkey Downlo
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Terse Named Filename EXE Download - Possibly Hostile"; flow:established,to_client; http.header; content:"filename="; content:".exe"; within:8; fast_pattern; pcre:"/filename\x3d[\x27\x22][a-z0-9]{1,3}\x2Eexe/i"; classtype:trojan-activity; sid:2020202; rev:3; metadata:created_at 2015_01_16, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/PcClient.AA Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/2015"; depth:5; fast_pattern; pcre:"/^\d+?\/(?:\d+?\/-?\d+?\.(?:php|jsp))?$/Ri"; http.user_agent; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.2|3b| .NET CLR 1.1.4322|3b| .NET CLR 2.0.50727|3b| InfoPath.1)"; reference:md5,33439543cae709aa7efa58f94e4b2a62; classtype:command-and-control; sid:2019201; rev:12; metadata:created_at 2014_01_31, former_category MALWARE, updated_at 2020_05_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/PcClient.AA Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/2015"; depth:5; fast_pattern; pcre:"/^\d+?\/(?:\d+?\/-?\d+?\.(?:php|jsp))?$/Ri"; http.user_agent; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.2|3b| .NET CLR 1.1.4322|3b| .NET CLR 2.0.50727|3b| InfoPath.1)"; reference:md5,33439543cae709aa7efa58f94e4b2a62; classtype:command-and-control; sid:2019201; rev:12; metadata:created_at 2014_01_31, former_category MALWARE, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoWall CryptoWall 3.0 Check-in"; flow:established,to_server; http.method; content:"POST"; http.uri.raw; content:"http|3a 2f 2f|proxy"; depth:12; fast_pattern; http.header; content:"i2p|0d 0a|"; http.header_names; content:!"|0d 0a|Accept-"; content:!"Referer|0d 0a|"; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2020233; rev:3; metadata:created_at 2015_01_21, updated_at 2020_05_14;)
 
@@ -33578,9 +33082,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Scieron-A C
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Possible WordPress Pingback DDoS in Progress (Inbound)"; flow:established,to_server; threshold:type both, track  by_src, count 5, seconds 90; http.uri; content:"/xmlrpc.php"; nocase; http.request_body; content:"pingback.ping"; nocase; fast_pattern; classtype:attempted-dos; sid:2018277; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_03_14, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_05_14;)
 
-#alert http $EXTERNAL_NET any -> any any (msg:"ET DELETED Possible Netlink XPON 1GE Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/formPing"; endswith; fast_pattern; http.request_body; content:"target_addr="; startswith; content:"&waninf="; distance:0; reference:url,www.exploit-db.com/exploits/48470; classtype:attempted-admin; sid:2030175; rev:1; metadata:attack_target Networking_Equipment, created_at 2020_05_14, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_18;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Syria-Twitter Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/contacts"; endswith; http.user_agent; content:"Apache-HttpClient/"; depth:18; http.request_body; content:"contact|25|26="; depth:11; fast_pattern; reference:md5,b91315805ef1df07bdbfa07d3a467424; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf; classtype:trojan-activity; sid:2020343; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_02_03, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_05_15, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Syria-Twitter Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/contacts"; endswith; http.user_agent; content:"Apache-HttpClient/"; depth:18; http.request_body; content:"contact|25|26="; depth:11; fast_pattern; reference:md5,b91315805ef1df07bdbfa07d3a467424; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf; classtype:trojan-activity; sid:2020343; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_02_03, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2022_05_03, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ArcDoor User-Agent (ALIZER)"; flow:established,to_server; http.user_agent; content:"ALIZER"; bsize:6; reference:md5,71bae4762a6d2c446584f1ae991a8fbe; classtype:trojan-activity; sid:2020344; rev:3; metadata:created_at 2015_02_03, updated_at 2020_05_15;)
 
@@ -33616,7 +33118,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER W
 
 alert http any any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ATTACKER WebShell - Weevely - Cookie"; flow:established,to_server; http.header; content:"ing|3a| identity|0D 0A|Host|3a|"; http.cookie; content:"SESS="; content:"|3B| SID="; distance:0; content:"|3B| PREF="; distance:0; content:"|3B|SSID="; distance:0; classtype:trojan-activity; sid:2020557; rev:3; metadata:created_at 2015_02_24, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Athena DDoS Bot Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"a=%"; depth:3; fast_pattern; content:"&b="; distance:0; content:"&c="; distance:0; pcre:"/^a=(?:%[0-9A-Fa-f]{2})+\x26b=[0-9A-Za-z]+(?:%3[dD]){0,2}\x26c=(?:%[0-9A-Fa-f]{2})+$/"; reference:md5,19ca0d830cd7b44e5de1ab85f4e17d82; classtype:command-and-control; sid:2017633; rev:5; metadata:created_at 2013_04_26, former_category MALWARE, updated_at 2020_05_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Athena DDoS Bot Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"a=%"; depth:3; fast_pattern; content:"&b="; distance:0; content:"&c="; distance:0; pcre:"/^a=(?:%[0-9A-Fa-f]{2})+\x26b=[0-9A-Za-z]+(?:%3[dD]){0,2}\x26c=(?:%[0-9A-Fa-f]{2})+$/"; reference:md5,19ca0d830cd7b44e5de1ab85f4e17d82; classtype:command-and-control; sid:2017633; rev:5; metadata:created_at 2013_04_26, former_category MALWARE, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GandCrab Style External IP Check (Spoofed Yahoo Host)"; flow:established,to_server; http.start; content:"GET / HTTP/1.1|0d 0a|Host|3a 20|yahoo.com|0d 0a|User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko|0d 0a|Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; bsize:142; threshold:type both,track by_src, count 10, seconds 30; classtype:trojan-activity; sid:2030168; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_15, deployment Perimeter, former_category POLICY, malware_family GandCrab, signature_severity Major, updated_at 2020_05_15;)
 
@@ -33658,6 +33160,8 @@ alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AgentTesla Exfil
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to Afraid.org Top 100 Dynamic DNS Domain"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; pcre:"/\.(?:s(?:tr(?:eetdirectory\.co\.id|angled\.net)|(?:at(?:dv\.net|-dv)|vlen)\.ru(?:pacetechnology\.ne|oon\.i)t|hop\.tm|uka\.se)|c(?:(?:hickenkiller|rabdance)\.com|o(?:ntinent\.kz|alnet\.ru)|sproject\.org|c\.st|f\.gs)|m(?:i(?:ne(?:craftn(?:ation\.net|oob\.com)|\.bz)|l\.nf)|ooo\.(?:info|com)|adhacker\.biz)|t(?:h(?:emafia\.info|cgirls\.com)|wilightparadox\.com|ime4film\.ru|ruecsi\.org|28\.net)|a(?:(?:(?:vangardkennel|gropeople)\.r|buser\.e)u|ntongorbunov\.com|llowed\.org|x\.lt)|h(?:a(?:ck(?:quest\.com|ed\.jp)|ppyforever\.com)|ome(?:net\.or|\.k)g|-o-s-t\.name)|p(?:(?:rivatedns|sybnc|ort0|wnz)\.org|(?:hoto-frame|irat3)\.com|unked\.us)|i(?:n(?:fo\.(?:gf|tm)|c\.gs)|gnorelist\.com|iiii\.info|z\.rs)|b(?:i(?:gbox\.info|z\.tm)|yte4byte\.com|ot\.nu|rb\.dj)|d(?:earabba\.org|-n-s\.name|alnet\.ca|ynet\.com)|(?:w(?:ith-linux|hynotad)|3dxtras|ohbah)\.com|u(?:n(?:do\.it|i\.cx)|k\.(?:is|to)|s\.to)|v(?:(?:erymad\.ne|r\.l)t|ietnam\.ro)|r(?:o(?:ot\.sx|\.lt)|-o-o-t\.net)|n(?:eon\.org|ow\.im|a\.tl|x\.tc)|j(?:umpingcrab\.com|avafaq\.nu)|f(?:(?:art|ram)ed\.net|tp\.sh)|(?:k(?:ir22\.r|\.v)|69\.m)u|l(?:inux[dx]\.org|eet\.la)|e(?:vils\.in|z\.lv)|(?:24-7\.r|qc\.t)o|(?:55|gw)\.lt|1337\.cx)(?:\x3a\d{1,5})?$/"; classtype:credential-theft; sid:2030174; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_05_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
+#alert http $EXTERNAL_NET any -> any any (msg:"ET DELETED Possible Netlink XPON 1GE Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/formPing"; endswith; fast_pattern; http.request_body; content:"target_addr="; startswith; content:"&waninf="; distance:0; reference:url,www.exploit-db.com/exploits/48470; classtype:attempted-admin; sid:2030175; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_05_14, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_18;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Client CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/smanage.php?sid="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:2030188; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_19;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Client Data POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/getjuice.php"; bsize:13; fast_pattern; http.content_type; content:"multipart/form-data|3b| boundary=---------------------"; startswith; http.header; content:"|0d 0a|Expect|3a 20|100-continue|0d 0a|"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:trojan-activity; sid:2030189; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_19;)
@@ -33670,13 +33174,13 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Command
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (info)"; flow:established,to_server; content:"|0d 0a|Content-Length|3a 20|6|0d 0a 0d 0a|info=1"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030182; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, tag Ransomware, updated_at 2020_05_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (id)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"id="; depth:3; content:"&mass="; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030184; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, tag Ransomware, updated_at 2020_05_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (id)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"id="; depth:3; content:"&mass="; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030184; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, tag Ransomware, updated_at 2022_05_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Attempted Symantec Secure Web Gateway RCE"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/spywall/timeConfig.php"; bsize:23; fast_pattern; http.user_agent; content:"XTC"; http.request_body; content:"posttime="; content:"&saveForm="; content:"&timesync="; content:"&ntpserver="; content:"wget"; content:"/tmp/viktor|29 3b|"; content:"timezone="; reference:url,unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/; classtype:attempted-user; sid:2030193; rev:1; metadata:attack_target Web_Server, created_at 2020_05_19, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Exploit Suspected PHP Injection Attack (cmd=)"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:".php?"; nocase; content:"cmd="; fast_pattern; nocase; pcre:"/[&?]cmd=[^\x26\x28]*(?:cd|\;|echo|cat|perl|curl|wget|id|uname|t?ftp)/i"; reference:cve,2002-0953; reference:url,doc.emergingthreats.net/2010920; classtype:web-application-attack; sid:2010920; rev:9; metadata:created_at 2010_07_30, updated_at 2020_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamarue/Andromeda Downloading Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; pcre:"/^\/[a-z]+\/[a-z]+\.exe$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; fast_pattern; reference:md5,85d925a76909f29c3f370f35faedb9ea; classtype:trojan-activity; sid:2020683; rev:3; metadata:created_at 2015_03_12, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamarue/Andromeda Downloading Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; pcre:"/^\/[a-z]+\/[a-z]+\.exe$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; fast_pattern; reference:md5,85d925a76909f29c3f370f35faedb9ea; classtype:trojan-activity; sid:2020683; rev:3; metadata:created_at 2015_03_12, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Darkness DDoS Bot Checkin"; flow:established,to_server; http.uri; content:".php?uid="; nocase; content:"&ver="; distance:0; pcre:"/\.php\?uid=\d{5,6}&ver=[^&]+(?:&traff=\d+)?$/"; http.header_names; content:!"Accept|0d 0a|"; http.user_agent; content:"darkness"; depth:8; fast_pattern; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20101205; reference:md5,7fcebf5bd67cede35d08bedd683e3524; reference:md5,60c84bb1ca03f80ca385f16946322440; reference:md5,778113cc4e758ed65de0123bb79cbd1f; reference:md5,55edeb8742f0c38aaa3d984eb4205c68; reference:url,ef.kaffenews.com/?p=833; classtype:command-and-control; sid:2011996; rev:14; metadata:created_at 2010_12_06, former_category MALWARE, updated_at 2020_05_19;)
 
@@ -33768,13 +33272,13 @@ alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54GL DNS Change
 
 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK TL-WR750N DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/userRpm/WanStaticIpCfgRpm.htm"; fast_pattern; content:"&dnsserver="; content:"&Save=Save"; reference:url,www.xexexe.cz/2015/02/bruteforcing-tp-link-routers-with.html; classtype:attempted-admin; sid:2020880; rev:4; metadata:created_at 2015_04_09, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kriptovor Retrieving RAR Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".rar"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 6.1|3b 20|en-us|3b 20|rv:1.9.2.3) Gecko/20100401 YFF35 Firefox/3.6.3"; depth:94; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Connection|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,c3ab87f85ca07a7d026d3cbd54029bbe; classtype:trojan-activity; sid:2020885; rev:5; metadata:created_at 2015_04_09, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kriptovor Retrieving RAR Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".rar"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 6.1|3b 20|en-us|3b 20|rv:1.9.2.3) Gecko/20100401 YFF35 Firefox/3.6.3"; depth:94; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Connection|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,c3ab87f85ca07a7d026d3cbd54029bbe; classtype:trojan-activity; sid:2020885; rev:5; metadata:created_at 2015_04_09, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kriptovor External IP Lookup checkip.dyndns.org"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.header; content:"Host|3a 20|checkip.dyndns.org|0d 0a|"; depth:26; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 5.1|3b 20|en-US|3b 20|rv:x.xx) Gecko/20030504 Mozilla Firebird/0.6"; depth:92; http.header_names; content:!"Referer|0d 0a|"; content:!"Connection|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,00e3b69b18bfad7980c1621256ee10fa; classtype:external-ip-check; sid:2020886; rev:6; metadata:created_at 2015_04_09, former_category MALWARE, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 180 Solutions (Zango Installer) User Agent"; flow:to_server,established; http.user_agent; content:"SAIv"; fast_pattern; reference:url,doc.emergingthreats.net/2003062; classtype:pup-activity; sid:2003062; rev:14; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 180 Solutions (Zango Installer) User Agent"; flow:to_server,established; http.user_agent; content:"SAIv"; fast_pattern; reference:url,doc.emergingthreats.net/2003062; classtype:pup-activity; sid:2003062; rev:14; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Maldoc Retrieving Dridex from pastebin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/raw.php?i="; depth:11; fast_pattern; http.host; content:"pastebin.com"; bsize:12; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; depth:57; http.header_names; content:!"Referer|0d 0a|"; reference:md5,07523de32e43f67b1bbd5edc87803d5c; classtype:trojan-activity; sid:2020892; rev:6; metadata:created_at 2015_04_11, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Maldoc Retrieving Dridex from pastebin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/raw.php?i="; depth:11; fast_pattern; http.host; content:"pastebin.com"; bsize:12; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; depth:57; http.header_names; content:!"Referer|0d 0a|"; reference:md5,07523de32e43f67b1bbd5edc87803d5c; classtype:trojan-activity; sid:2020892; rev:6; metadata:created_at 2015_04_11, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LankerBoy HTTP CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".txt"; endswith; http.header; content:"User-Agent|3a 20|us|0d 0a|Host"; depth:20; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,db2c617a6e53a24fa887e6ecf60a076d; classtype:command-and-control; sid:2020902; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
@@ -33814,7 +33318,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Fla
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS MSF Meterpreter Default User Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.1|3b 20|Windows NT|29 0d 0a|"; fast_pattern; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings; classtype:bad-unknown; sid:2021060; rev:3; metadata:created_at 2015_05_06, updated_at 2020_05_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)"; flow:established,to_client; flowbits:isset,ET.http.binary; http.header; content:!"|0d 0a|x-avast"; file.data; content:"IsDebuggerPresent"; classtype:misc-activity; sid:2015744; rev:5; metadata:created_at 2012_09_28, updated_at 2020_05_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)"; flow:established,to_client; flowbits:isset,ET.http.binary; http.header; content:!"|0d 0a|x-avast"; file.data; content:"IsDebuggerPresent"; classtype:misc-activity; sid:2015744; rev:5; metadata:created_at 2012_09_28, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible CryptoPHP Leaking Credentials May 8 2015 M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js?callback="; content:"&data=bG9nP"; distance:0; fast_pattern; content:"JnB3ZD"; distance:0; content:"&_="; distance:0; pcre:"/&_=\d+$/"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021081; rev:3; metadata:created_at 2015_05_09, former_category CURRENT_EVENTS, updated_at 2020_05_21;)
 
@@ -33850,7 +33354,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Hellsing Prox
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yahoyah CnC Beacon"; flow:established,to_server; http.header; content:"User-Agent|3a 20|MSIE|28|"; content:"|29 29 3b 20|NT|28|"; distance:0; content:"|29 3b 20|AV|28|"; distance:0; content:"|29 3b 20|OV|28|"; distance:0; content:"|29 3b 20|NA|28|"; distance:0; content:"|29 20|VR|28|"; distance:0; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf; classtype:command-and-control; sid:2021114; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Fsysna.Downloader CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; http.header; content:"Content-Type|3a 20|*/*|0d 0a|"; depth:19; http.user_agent; content:"Mozilla/4.0 (compatible|3B 20|MSIE "; content:".0|3B 20|Win32|29 3B 20|"; distance:1; within:15; fast_pattern; pcre:"/^\d+$/R"; reference:url,blogs.mcafee.com/mcafee-labs/targeted-attacks-japanese-firm-use-old-activex-vulnerability; reference:md5,2b91011e122364148698a249c2f4b7fe; reference:md5,6c040be9d91083ffba59405f9b2c89bf; classtype:command-and-control; sid:2018462; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_05_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Fsysna.Downloader CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; http.header; content:"Content-Type|3a 20|*/*|0d 0a|"; depth:19; http.user_agent; content:"Mozilla/4.0 (compatible|3B 20|MSIE "; content:".0|3B 20|Win32|29 3B 20|"; distance:1; within:15; fast_pattern; pcre:"/^\d+$/R"; reference:url,blogs.mcafee.com/mcafee-labs/targeted-attacks-japanese-firm-use-old-activex-vulnerability; reference:md5,2b91011e122364148698a249c2f4b7fe; reference:md5,6c040be9d91083ffba59405f9b2c89bf; classtype:command-and-control; sid:2018462; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_05_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External Timezone Check (earthtools.org)"; flow:established,to_server; http.uri; content:"/timezone/"; depth:10; http.host; content:"www.earthtools.org"; bsize:18; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:policy-violation; sid:2021120; rev:3; metadata:created_at 2015_05_20, updated_at 2020_05_22;)
 
@@ -33944,7 +33448,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.XOR Checkin
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.XOR Checkin 3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/compiler?iid="; fast_pattern; content:"username="; distance:0; content:"password="; distance:0; pcre:"/iid=[a-fA-F0-9]{32}&username=/"; reference:url,blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/#more-33072; classtype:command-and-control; sid:2021335; rev:3; metadata:created_at 2015_06_24, former_category MALWARE, updated_at 2020_05_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Taidoor Checkin"; flow:to_server,established; http.uri; content:".jsp?"; fast_pattern; pcre:"/^[a-z]{2}\x3d[a-z0-9]+?[A-F0-9]+?$/R"; http.header; content:"User-Agent|3a 20|"; depth:12; http.host; content:!"reg.163.com"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:command-and-control; sid:2017713; rev:8; metadata:created_at 2013_11_14, former_category MALWARE, updated_at 2020_05_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Taidoor Checkin"; flow:to_server,established; http.uri; content:".jsp?"; fast_pattern; pcre:"/^[a-z]{2}\x3d[a-z0-9]+?[A-F0-9]+?$/R"; http.header; content:"User-Agent|3a 20|"; depth:12; http.host; content:!"reg.163.com"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:command-and-control; sid:2017713; rev:8; metadata:created_at 2013_11_14, former_category MALWARE, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kazy.325252 Variant CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?p="; fast_pattern; offset:2; depth:7; pcre:"/^\x2F[a-z]\x2Ephp\x3Fp\x3D[a-z0-9]{30,}$/i"; http.header; content:"Accept|3A 20|text/*, application/*, */*|0D 0A|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,87cdd25ac537280cc6751050050cae9c; classtype:command-and-control; sid:2018681; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
@@ -33986,11 +33490,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkHotel Initial
 
 alert http any any -> any 8081 (msg:"ET EXPLOIT Websense Content Gateway submit_net_debug.cgi cmd_param Param Buffer Overflow Attempt"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/submit_net_debug.cgi"; nocase; http.request_body; content:"cmd_param="; nocase; isdataat:500,relative; content:!"|0A|"; within:500; pcre:"/[\?\&]cmd_param=[^\&\r\n]{500}/si"; reference:cve,2015-5718; reference:url,seclists.org/fulldisclosure/2015/Aug/8; classtype:web-application-attack; sid:2021644; rev:4; metadata:created_at 2015_08_18, updated_at 2020_05_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Bank of America Phish 2015-08-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"onlineid="; depth:9; fast_pattern; content:"&passcode="; distance:0; content:"&fullname="; distance:0; content:"&address="; distance:0; content:"&password="; distance:0; classtype:credential-theft; sid:2031761; rev:3; metadata:created_at 2015_08_19, former_category PHISHING, updated_at 2021_06_23;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.VBKrypt.vquj Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php"; http.header; content:"|0d 0a|Content-Encoding|3a 20|binary|0d 0a|"; fast_pattern; http.request_body; content:"|03 00|"; depth:2; content:"|00 01 00|"; within:4; content:"|00 01 00|"; within:4; reference:md5,0c420e1eef4b1f097ffec8d0c0ff438a; classtype:command-and-control; sid:2021605; rev:5; metadata:created_at 2015_08_10, former_category MALWARE, updated_at 2020_05_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W2KM_BARTALEX August 11 2015"; flow:to_server,established; http.uri; content:".jpg"; nocase; pcre:"/\/(?:[a-z]+|\d+)\.jpg/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|FSL 7.0.6.01001)"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,1bcea0364088c5308ed217649eeef4d9; classtype:trojan-activity; sid:2021625; rev:5; metadata:created_at 2015_08_14, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W2KM_BARTALEX August 11 2015"; flow:to_server,established; http.uri; content:".jpg"; nocase; pcre:"/\/(?:[a-z]+|\d+)\.jpg/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|FSL 7.0.6.01001)"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,1bcea0364088c5308ed217649eeef4d9; classtype:trojan-activity; sid:2021625; rev:5; metadata:created_at 2015_08_14, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise Style IP Check M2"; flow:to_server,established; urilen:16; http.uri; content:"/myip?format=txt"; http.header; content:"User-Agent|3a 20|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Win32)"; http.host; content:"api.ipaddress.com"; fast_pattern; http.header_names; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2030229; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_29, deployment Perimeter, signature_severity Major, updated_at 2020_05_29;)
 
@@ -34000,7 +33502,7 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed OSX/NukeS
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Banker.bqba Checkin"; flow:to_server,established; http.uri; content:".php"; nocase; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MyApp)"; fast_pattern; bsize:31; http.request_body; content:"windows="; depth:8; content:"&av="; reference:md5,838d43239ba2c28bd968f8a7da64d340; classtype:command-and-control; sid:2023693; rev:3; metadata:created_at 2015_08_26, former_category MALWARE, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Bedep Connectivity Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stats/eurofxref/eurofxref-hist-90d.xml?"; fast_pattern; pcre:"/\?[a-z0-9]{32}$/"; http.host; content:"www.ecb.europa.eu"; bsize:17; classtype:trojan-activity; sid:2019400; rev:6; metadata:created_at 2014_10_15, updated_at 2020_06_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Bedep Connectivity Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stats/eurofxref/eurofxref-hist-90d.xml?"; fast_pattern; pcre:"/\?[a-z0-9]{32}$/"; http.host; content:"www.ecb.europa.eu"; bsize:17; classtype:trojan-activity; sid:2019400; rev:6; metadata:created_at 2014_10_15, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Cheshire Cat CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.0|3b 20|Windows NT 4.0)"; fast_pattern; bsize:50; http.header_names; content:!"Referer|0d 0a|"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021719; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
@@ -34164,16 +33666,20 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypa
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Account Phish 2015-10-30 3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?Go=_"; http.request_body; content:"chldr="; depth:7; content:"&ccnum="; nocase; distance:0; content:"&password="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2022019; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA410 APT FlowCloud Dependency Download M1"; flow:established,to_server; urilen:20; http.method; content:"GET"; http.uri; content:"/SL3716/S8437AEB.DAT"; nocase; fast_pattern; classtype:trojan-activity; sid:2036384; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, malware_family TA410, signature_severity Major, updated_at 2020_06_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA410 APT FlowCloud Dependency Download M2"; flow:established,to_server; urilen:19; http.method; content:"GET"; http.uri; content:"/WC413/21FB9FCF.DAT"; nocase; fast_pattern; classtype:trojan-activity; sid:2036385; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, malware_family TA410, signature_severity Major, updated_at 2020_06_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA410 APT FlowCloud Dependency Download M3"; flow:established,to_server; urilen:19; http.method; content:"GET"; http.uri; content:"/WC413/6EE2EFF7.DAT"; nocase; fast_pattern; classtype:trojan-activity; sid:2036386; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA410 APT FlowCloud Dependency Download M4"; flow:established,to_server; urilen:19; http.method; content:"GET"; http.uri; content:"/WC413/67B1B02F.DAT"; nocase; fast_pattern; classtype:trojan-activity; sid:2036387; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, malware_family TA410, signature_severity Major, updated_at 2020_06_05;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blaze/Supreme Bot Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/update.php?tag="; depth:16; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|Win64|3b 20|x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36"; bsize:112; http.header_names; content:!"Referer"; reference:url,dfir.it/blog/2019/02/26/the-supreme-backdoor-factory; classtype:trojan-activity; sid:2030254; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_05;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blaze/Supreme Bot Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stat.php?info=SLADE"; fast_pattern; endswith; http.user_agent; content:"Wget/"; nocase; http.header_names; content:!"Referer"; reference:url,dfir.it/blog/2019/02/26/the-supreme-backdoor-factory; classtype:trojan-activity; sid:2030255; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_05;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Higaisa CnC (ipconfig)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"inter.php"; bsize:9; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"&test="; startswith; fast_pattern; reference:url,blog.malwarebytes.com/threat-analysis/2020/06/higaisa/; classtype:command-and-control; sid:2030265; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
-#alert smb any any -> $HOME_NET any (msg:"ET DELETED Possible Attempted SMB RCE Exploitation M1 (CVE-2020-0796)"; flow:established,to_server; content:"|41 8B 47 3C 4C 01 F8 8B 80 88 00 00 00 4C 01 F8 50|"; fast_pattern; reference:url,github.com/chompie1337/SMBGhost_RCE_PoC; reference:cve,2020-0796; classtype:attempted-admin; sid:2030263; rev:2; metadata:affected_product SMBv3, created_at 2020_06_08, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag SMBGhost, updated_at 2021_07_29;)
-
-#alert smb any any -> $HOME_NET any (msg:"ET DELETED Possible Attempted SMB RCE Exploitation M2 (CVE-2020-0796)"; flow:established,to_server; content:"|FF C9 8B 34 8B 4C 01 FE|"; fast_pattern; reference:url,github.com/chompie1337/SMBGhost_RCE_PoC; reference:cve,2020-0796; classtype:attempted-admin; sid:2030264; rev:2; metadata:affected_product SMBv3, created_at 2020_06_08, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag SMBGhost, updated_at 2021_07_29;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Malvertising Communication"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?rand_key="; fast_pattern; content:"&packagename="; distance:0; content:"&imei="; distance:0; content:"&login="; distance:0; http.user_agent; content:"|20|U|3b 20|Android|20|"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/barcode-reader-apps-on-google-play-found-using-new-ad-fraud-technique/; reference:md5,c73cf82c0043463f8079d0540b2634e0; classtype:trojan-activity; sid:2030266; rev:1; metadata:attack_target Mobile_Client, created_at 2020_06_08, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_08;)
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OZH Rat)"; flow:established,to_client; tls.cert_subject; content:"CN=www.ozhsec.com"; nocase; endswith; classtype:domain-c2; sid:2030257; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
@@ -34244,16 +33750,12 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Spar
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful SFR Phishing 2015-11-24"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&password="; distance:0; nocase; content:"&remember-me="; distance:0; nocase; content:"&identifier="; distance:0; nocase; classtype:credential-theft; sid:2031790; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic Phishing Landing Uri 2015-11-25"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?usernms="; fast_pattern; pcre:"/\.php\?usernms=[^@]+@[^\r\n]+$/i"; classtype:social-engineering; sid:2022185; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Swrort.A Checkin 3"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:".php?/12345"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; startswith; reference:md5,24203ba70f584b64a432fb6dad52765d; classtype:command-and-control; sid:2022186; rev:3; metadata:created_at 2015_11_25, former_category MALWARE, updated_at 2020_06_09;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBKlip/ClipBanker.P Status Update"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.uri; content:"/"; http.user_agent; content:"Mozilla/5.0 (compatible MSIE 9.0 Windows NT 6.1 WOW64 Trident/5.0)"; bsize:66; http.request_body; content:"tekst="; depth:6; fast_pattern; pcre:"/^tekst=\w+$/i"; http.header_names; content:!"Accept-"; reference:md5,ef230777f5b34291ea22bfc3c591ce2d; classtype:trojan-activity; sid:2022192; rev:3; metadata:created_at 2015_11_30, updated_at 2020_06_09;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - ASPyder - Auth Creds"; flow:established,to_server; http.request_body; content:!"&date="; content:"code="; depth:5; content:"&submit="; distance:0; classtype:trojan-activity; sid:2017389; rev:7; metadata:created_at 2013_08_28, updated_at 2020_06_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Zmap User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 zgrab/0.x"; fast_pattern; bsize:21; classtype:network-scan; sid:2030345; rev:3; metadata:created_at 2015_12_01, former_category SCAN, updated_at 2020_06_16;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Sykipot Checkin"; flow:established,from_client; http.uri; content:"allow_get.asp?name="; fast_pattern; content:"&hostname="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:cve,CVE-2011-2462; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:command-and-control; sid:2014006; rev:4; metadata:created_at 2011_12_09, former_category MALWARE, updated_at 2020_06_09;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito Payload Download /load/*exe"; flow:established,from_server; http.header; content:"Content-Disposition|3a 20|inline"; nocase; content:".exe"; content:"load/"; fast_pattern; file.data; content:"MZ"; depth:2; classtype:exploit-kit; sid:2014314; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_06, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_06_09;)
@@ -34424,6 +33926,8 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Koadic H
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OceanLotus APT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=summerevent.webhop.net"; nocase; endswith; classtype:domain-c2; sid:2030343; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_06_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Zmap User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 zgrab/0.x"; fast_pattern; bsize:21; classtype:network-scan; sid:2030345; rev:4; metadata:created_at 2015_12_01, former_category SCAN, updated_at 2020_06_16;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Safebrowse Profile) POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/safebrowsing/rd/"; depth:17; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; bsize:63; http.accept_lang; content:"en-US,en|3b|q=0.5"; bsize:14; http.accept_enc; content:"gzip, deflate"; bsize:13; http.cookie; content:"PREF=ID=U="; depth:10; fast_pattern; pcre:"/^[a-z0-9]{10,}$/Rsi"; http.header_names; content:"|0d 0a|Accept-Language|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:70; content:!"Referer"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/safebrowsing.profile; classtype:command-and-control; sid:2030344; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_16, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_06_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FRat WebSockets Request M2"; flow:established,to_server; http.start; content:"GET /socket.io/?__sails_io_sdk_version=1.2.1&__sails_io_sdk_platform=node&__sails_io_sdk_language=javascript&EIO=3&transport=websocket HTTP/1.1|0d 0a|Sec-WebSocket-Version|3a 20|13|0d 0a|Sec-WebSocket-Key|3a 20|"; startswith; fast_pattern; http.header; content:"Sec-WebSocket-Extensions|3a 20|permessage-deflate|3b 20|client_max_window_bits|0d 0a|"; http.header_names; content:"|0d 0a|Sec-WebSocket-Version|0d 0a|Sec-WebSocket-Key|0d 0a|Connection|0d 0a|Upgrade|0d 0a|"; startswith; content:"Sec-WebSocket-Extensions|0d 0a|Host|0d 0a 0d 0a|"; endswith; classtype:command-and-control; sid:2030346; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_16;)
@@ -34460,8 +33964,6 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Inv
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.XST Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"this is UP"; depth:10; fast_pattern; content:"|00 00 00 00|"; http.content_type; content:"text/html"; bsize:9; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,d579d7a42ff140952da57264614c37bc; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:command-and-control; sid:2022362; rev:3; metadata:created_at 2016_01_13, former_category MALWARE, updated_at 2020_06_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Successful Generic Phish (set) 2016-01-14"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; nocase; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031862; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Phishing Landing 2016-01-15"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"GOVERNMENT SYSTEM IS FOR AUTHORIZED"; fast_pattern; content:"Use of this system constitutes"; nocase; distance:0; content:"Internal Revenue Service"; nocase; distance:0; content:"Electronic Filing PIN"; nocase; distance:0; content:"foreignPostalLbl"; nocase; distance:0; classtype:social-engineering; sid:2031958; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_15, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_17;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Webmail Update Phishing Landing 2016-01-15"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"form action=|22|http|3a|//www.formbuddy.com"; nocase; distance:0; content:"Name|3a|"; nocase; distance:0; content:"E-Mail|3a|"; nocase; distance:0; content:"Password|3a|"; fast_pattern; nocase; distance:0; content:"Submit Form"; nocase; distance:0; classtype:social-engineering; sid:2031959; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_15, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_17;)
@@ -34540,8 +34042,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTTPCore CnC Task
 
 #alert ipv6 any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11897 IPv6 deprecated RH Type 0 source routing attack"; decode-event:ipv6.rh_type_0; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030386; rev:1; metadata:created_at 2020_06_22, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_06_22;)
 
-#alert ipv6 any any -> ff00::/8 any (msg:"ET EXPLOIT Possible CVE-2020-11899 Multicast out-of-bound read";  reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030387; rev:1; metadata:created_at 2020_06_22, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_08_20;)
-
 #alert ip any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free"; ip_proto:4; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030388; rev:1; metadata:created_at 2020_06_22, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_06_22;)
 
 #alert icmp any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11902 ICMPv4 parameter problem with tunnel inside"; itype:12; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030389; rev:1; metadata:created_at 2020_06_22, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_06_22;)
@@ -34614,7 +34114,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible OceanLot
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 1 User-Agent"; flow: established,to_server; http.user_agent; content:"Windows NT 1"; nocase; content:!"0"; within:1; pcre:"/^[^0-9]/R"; classtype:trojan-activity; sid:2015898; rev:5; metadata:created_at 2012_11_20, updated_at 2020_06_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Blockbuster User-Agent (Mozillar)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Mozillar"; depth:8; nocase; fast_pattern; reference:url,securelist.com/blog/incidents/73914/operation-blockbuster-revealed/; reference:url,www.operationblockbuster.com/resources/index.html; classtype:trojan-activity; sid:2022564; rev:4; metadata:created_at 2016_02_24, updated_at 2020_06_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Blockbuster User-Agent (Mozillar)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Mozillar"; depth:8; nocase; fast_pattern; reference:url,securelist.com/blog/incidents/73914/operation-blockbuster-revealed/; reference:url,www.operationblockbuster.com/resources/index.html; classtype:trojan-activity; sid:2022564; rev:4; metadata:created_at 2016_02_24, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely PadCrypt Locker PKG DL"; flow:established,to_server; http.uri; content:".pdcr"; nocase; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b6d25a5629221041e857266b9188ea3b; classtype:trojan-activity; sid:2022568; rev:3; metadata:created_at 2016_02_26, updated_at 2020_06_24;)
 
@@ -34654,6 +34154,8 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY COCCOC Browser (VN
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IndigoDrop/Cobalt Strike Download"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"XHhmY1x4ZThceDg5XHgwMFx4MDBceDAwXHg2MFx4ODlceGU1X"; depth:49; fast_pattern; isdataat:!5000,relative; reference:url,blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html; classtype:trojan-activity; sid:2030400; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_26, deployment Perimeter, signature_severity Major, updated_at 2020_06_26;)
 
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Hash - Possible Malware - Banking Phish"; ja3_hash; content:"10ee8d30a5d01c042afd7b2b205facc4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2030399; rev:3; metadata:created_at 2019_09_10, former_category JA3, updated_at 2020_06_26;)
+
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Lucy Server Phish"; flow:established,to_client; http.stat_code; content:"302"; http.header; content:"Server|3a 20|Lucy|0d 0a|"; fast_pattern; content:"/account|0d 0a|"; reference:url,lucysecurity.com/download/; classtype:credential-theft; sid:2030404; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Wombat Phishing Test"; flow:established,to_client; file.data; content:"been phished!</title>"; fast_pattern; content:"<form action=|22|/training/acceptance"; distance:0; content:"name=|22|training_ack|22 20|type=|22|submit|22|>Acknowledge"; distance:0; content:"href=|22|https://www.wombatsecurity.com/"; distance:0; classtype:misc-activity; sid:2030405; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
@@ -34666,7 +34168,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY LumOffice Uploadin
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RezoStealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php?ip="; content:"&user="; distance:0; content:"&localation="; distance:0; fast_pattern; content:"&windows="; distance:0; content:"&time="; distance:0; http.header_names; content:!"Referer"; reference:url,github.com/3xp0rt/RezoStealer/blob/master/FHwFvbCd/modules/SendToServer.cs; classtype:trojan-activity; sid:2030403; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_29, deployment Perimeter, former_category MALWARE, malware_family RezoStealer, signature_severity Major, updated_at 2020_06_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"version="; depth:8; fast_pattern; pcre:"/^version=\d{4}-\d{1,2}-\d{1,2}$/"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020936; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"version="; depth:8; fast_pattern; pcre:"/^version=\d{4}-\d{1,2}-\d{1,2}$/"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020936; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Genome User-Agent (Http Down)"; flow:established,to_server; http.user_agent; content:"Http Down"; fast_pattern; startswith; reference:md5,479306863946029e545a4803b303d74c; classtype:trojan-activity; sid:2022654; rev:3; metadata:created_at 2016_03_24, updated_at 2020_06_29;)
 
@@ -34978,7 +34480,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful US Ba
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bolek HTTP Checkin"; flow: to_server,established; http.method; content:"GET"; http.uri; pcre:"/\?[a-f0-9]{32}$/i"; http.user_agent; content:"Client 1.2"; fast_pattern; bsize:10; reference:md5,e89ff40a8832cd27d2aae48ff7cd67d2; reference:url,malware-traffic-analysis.net/2016/06/09/index2.html; classtype:command-and-control; sid:2022889; rev:3; metadata:created_at 2016_06_10, former_category MALWARE, updated_at 2020_07_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neurevt.A/Betabot checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"ps0="; depth:4; fast_pattern; content:"&ps1="; pcre:"/^ps0=[A-F0-9]+\&ps1=[A-F0-9]+($|\&[a-z]s\d=)/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c447d364a9dad369ff07dcc14f5fbefb; reference:md5,a0a66dfbdf1ce76782ba20a07a052976; classtype:command-and-control; sid:2017371; rev:12; metadata:created_at 2013_05_16, former_category MALWARE, updated_at 2020_07_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neurevt.A/Betabot checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"ps0="; depth:4; fast_pattern; content:"&ps1="; pcre:"/^ps0=[A-F0-9]+\&ps1=[A-F0-9]+($|\&[a-z]s\d=)/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c447d364a9dad369ff07dcc14f5fbefb; reference:md5,a0a66dfbdf1ce76782ba20a07a052976; classtype:command-and-control; sid:2017371; rev:12; metadata:created_at 2013_05_16, former_category MALWARE, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EvilNum CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Validate/valsrv"; bsize:16; fast_pattern; http.header_names; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; content:!"User-Agent"; content:!"Referer"; content:!"Accept-"; reference:md5,0823457bcb82afff15c900f949e325f4; reference:url,www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/; classtype:command-and-control; sid:2030526; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_15;)
 
@@ -35036,6 +34538,8 @@ alert tcp any 53 -> any any (msg:"ET EXPLOIT Possible Windows DNS Integer Overfl
 
 alert tcp any any -> any 53 (msg:"ET EXPLOIT Possible Windows DNS Integer Overflow Attempt M2 (CVE-2020-1350)"; flow:established,to_server; byte_test:2,>=,0xfeea,0; content:"|00 00 18|"; within:76; fast_pattern; content:"|c0|"; distance:2; within:1; content:"|00 18|"; distance:1; within:2; reference:cve,2020-1350; reference:url,research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/; classtype:attempted-admin; sid:2030532; rev:4; metadata:affected_product Windows_DNS_server, created_at 2020_07_14, former_category EXPLOIT, performance_impact Significant, signature_severity Critical, updated_at 2020_07_16;)
 
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED HTTP GET Request on port 53 - Very Likely Hostile"; flow:established,to_server; content:"GET"; nocase; depth:4; content:!".newsinc.com"; reference:url,doc.emergingthreats.net/2008420; classtype:trojan-activity; sid:2008420; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_07_16;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MASSLOGGER Client Data Exfil (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?/upload"; endswith; fast_pattern; http.request_body; content:"Content-Disposition|3a| form-data|3b| name=|22|file|22 3b 20|filename=|22|"; pcre:"/^[^_]+_[^\_]+_[A-F0-9]{10}_[0-9]{2}-[0-9]{2}-20[0-9]{2}\s[0-9]{1,2}\.[0-9]{1,2}\.[0-9]{1,2}\./R"; content:"zip|22 0d 0a|Content-Type: application/zip|0d 0a 0d 0a|PK"; within:41; content:"/Log.txt"; distance:0; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; startswith; content:!"|0d 0a|User-Agent|0d 0a|"; reference:md5,79efca38c3230aaae9dd8bb11f15fe43; classtype:trojan-activity; sid:2030550; rev:2; metadata:created_at 2020_07_16, former_category MALWARE, updated_at 2020_07_16;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BYOB - Python Backdoor Stager Download"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|0a 27|Stager|20 28|Build Your Own Botnet|29 27 0a|"; fast_pattern; reference:md5,76117987409f341b5272958e27dd9ac5; classtype:command-and-control; sid:2030551; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_16;)
@@ -35124,7 +34628,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Phishing Landing
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Cknife Shell Command Struct Inbound (PHP)"; flow:to_server,established; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|Java"; depth:16; http.request_body; content:"=@eval"; depth:9; content:"base64_decode"; distance:0; content:"&action="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,recordedfuture.com/web-shell-analysis-part-2; classtype:trojan-activity; sid:2022976; rev:3; metadata:attack_target Web_Server, created_at 2016_07_20, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_07_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Cknife Shell Command Struct Inbound (aspx)"; flow:to_server,established; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|Java"; depth:16; http.request_body; content:"=Response.Write"; depth:18; fast_pattern; content:"eval"; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.recordedfuture.com/web-shell-analysis-part-2; classtype:trojan-activity; sid:2022977; rev:3; metadata:attack_target Web_Server, created_at 2016_07_20, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_07_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Cknife Shell Command Struct Inbound (aspx)"; flow:to_server,established; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|Java"; depth:16; http.request_body; content:"=Response.Write"; depth:18; fast_pattern; content:"eval"; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.recordedfuture.com/web-shell-analysis-part-2; classtype:trojan-activity; sid:2022977; rev:3; metadata:attack_target Web_Server, created_at 2016_07_20, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Webmail Account Upgrade Phishing Landing 2016-07-20"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>|3a 3a|WEBMAIL"; nocase; fast_pattern; content:"Sign in to Update Your Account"; nocase; distance:0; content:"Email"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Webmail Admin"; nocase; distance:0; classtype:social-engineering; sid:2032031; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_20;)
 
@@ -35228,7 +34732,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious Us
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CollectorStealer CnC Exfil M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary=SendFileZIPBoundary|0d 0a|"; depth:65; http.user_agent; content:"uploader"; depth:8; endswith; http.request_body; content:"form-data|3b 20|name=|22|fileToUpload|22 3b 20|filename=|22|zipfile.zip"; fast_pattern; reference:md5,fe15986992ef7dd209047deec2851e2e; classtype:command-and-control; sid:2034324; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_27, deployment Perimeter, former_category MALWARE, malware_family CollectorStealer, signature_severity Major, updated_at 2020_07_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Symantec Download Flowbit Set"; flow:established,to_server; flowbits:set,ET.Symantec.Site.Download; flowbits:noalert; http.host; content:".symantec.com"; pcre:"/^(?:\x3a\d{1,5})?$/R"; classtype:misc-activity; sid:2023067; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, performance_impact Low, signature_severity Minor, updated_at 2020_07_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Symantec Download Flowbit Set"; flow:established,to_server; flowbits:set,ET.Symantec.Site.Download; flowbits:noalert; http.host; content:".symantec.com"; pcre:"/^(?:\x3a\d{1,5})?$/R"; classtype:misc-activity; sid:2023067; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, performance_impact Low, signature_severity Minor, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Phishing Landing M1 2016-08-16"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Adobe PDF Online"; nocase; fast_pattern; content:"Confirm your identity"; nocase; distance:0; content:"data|3a|image/jpeg|3b|base64"; nocase; distance:0; classtype:social-engineering; sid:2032042; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
@@ -35684,7 +35188,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Crede
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credential Phish (Multiple Brands) 2016-12-22"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"data1="; depth:6; nocase; content:"&data"; nocase; distance:0; content:"&data"; nocase; distance:0; content:"&donnee"; nocase; distance:0; fast_pattern; content:"&donnee"; nocase; distance:0; classtype:credential-theft; sid:2032212; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Towerweb Ransomware Landing Page"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"WRITE THIS INFORMATION DOWN---------------<br>|0a|Ransom Id|3a|"; fast_pattern; content:"BTC Address|3a 20|"; distance:0; content:"|0a|Email|3a 20|"; distance:0; reference:md5,fb279dc7e47adefb3a9f1c78297c5870; reference:url,www.bleepingcomputer.com/forums/t/618055/towerweb-ransomware-help-support-topic-payment-instructionsjpg/; classtype:trojan-activity; sid:2022906; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Towerweb Ransomware Landing Page"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"WRITE THIS INFORMATION DOWN---------------<br>|0a|Ransom Id|3a|"; fast_pattern; content:"BTC Address|3a 20|"; distance:0; content:"|0a|Email|3a 20|"; distance:0; reference:md5,fb279dc7e47adefb3a9f1c78297c5870; reference:url,www.bleepingcomputer.com/forums/t/618055/towerweb-ransomware-help-support-topic-payment-instructionsjpg/; classtype:trojan-activity; sid:2022906; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_05_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Windows Live Phish 2016-12-23"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login_email="; depth:12; nocase; content:"&login_password="; nocase; distance:0; fast_pattern; content:"&remMe="; nocase; distance:0; content:"&SI="; nocase; distance:0; classtype:credential-theft; sid:2032213; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
@@ -35694,8 +35198,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Gmail
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banamex Bank Phish 2016-12-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"&USERID="; nocase; content:"&PASSWORD="; nocase; distance:0; content:"&AHN="; nocase; distance:0; content:"&BANK+ID="; nocase; distance:0; fast_pattern; content:"&PRODUCT+NAME="; nocase; distance:0; content:"&LANGUAGE+ID="; nocase; distance:0; content:"&EXTRA1="; nocase; distance:0; content:"&GROUP="; nocase; distance:0; content:"&PIN="; nocase; distance:0; classtype:credential-theft; sid:2032214; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Archie EK Payload Checkin GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/log?log="; depth:9; http.host; content:!"gigwise.com"; endswith; content:!"cleanerapp.net"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,41c0cdde6be5166606008b2d02f3a128; classtype:exploit-kit; sid:2019680; rev:6; metadata:created_at 2014_11_08, former_category MALWARE, updated_at 2022_04_22;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MRCR1 Ransomware Checkin M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"form-data|3b 20|name=|22|uid|22|"; content:"form-data|3b 20|name=|22|uname|22|"; content:"form-data|3b 20|name=|22|cname|22|"; content:"form-data|3b 20|name=|22|ltime|22|"; content:"form-data|3b 20|name=|22|uright|22|"; content:"form-data|3b 20|name=|22|sysinfo|22|"; fast_pattern; reference:md5,fc57a660e24d9c91cb5464b2ece30756; reference:md5,a1d83e290429477f05c0eaddafdb0355; classtype:command-and-control; sid:2023691; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_03, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MRCR1 Ransomware Checkin M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|43 50 55 20 4d 6f 64 65 6c 3a|"; fast_pattern; content:"|43 50 55 20 43 6f 75 6e 74 3a|"; content:"|47 65 74 52 41 4d 3a|"; content:"|5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d|"; content:"|5b 50 72 6f 67 72 61 6d 6d 73 5d|"; reference:md5,fc57a660e24d9c91cb5464b2ece30756; reference:md5,a1d83e290429477f05c0eaddafdb0355; classtype:command-and-control; sid:2023692; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_03, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
@@ -35988,11 +35490,11 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ARM Binary Reques
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful OWA Phish Apr 25 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv="; nocase; content:"refresh"; nocase; distance:1; within:7; content:"office365.com/owa/"; nocase; distance:0; fast_pattern; content:"<title>Account"; nocase; distance:0; content:"Success"; nocase; within:20; classtype:credential-theft; sid:2024999; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DANDERSPRITZ Default HTTP Headers"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Referrer|3a 20|"; content:"|0d 0a|TlEo|3a 20|"; fast_pattern; classtype:trojan-activity; sid:2024247; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_26, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_08_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DANDERSPRITZ Default HTTP Headers"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Referrer|3a 20|"; content:"|0d 0a|TlEo|3a 20|"; fast_pattern; classtype:trojan-activity; sid:2024247; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_26, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DANDERSPRITZ HTTP Beacon"; flow:established,to_server; http.method; content:"POST"; http.header; content:"|3a|0000"; http.request_body; content:"|f0 00 00 00 45 ff 11 ff f0 44 00 00|"; fast_pattern; offset:0; classtype:trojan-activity; sid:2024248; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DANDERSPRITZ HTTP Beacon"; flow:established,to_server; http.method; content:"POST"; http.header; content:"|3a|0000"; http.request_body; content:"|f0 00 00 00 45 ff 11 ff f0 44 00 00|"; fast_pattern; offset:0; classtype:trojan-activity; sid:2024248; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Saker UA"; flow:established,to_server; http.user_agent; content:"Mozilla/"; depth:8; content:"|20|MSIE|20|"; distance:0; content:"|3b 20|Wis NT|20|"; distance:0; fast_pattern; content:"|3b 20|.NET CLR|20|"; distance:0; reference:url,www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html; reference:md5,b362f833c9d6e5bed19aeec5a5b868ea; classtype:trojan-activity; sid:2018321; rev:7; metadata:created_at 2014_03_26, former_category TROJAN, updated_at 2020_08_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Saker UA"; flow:established,to_server; http.user_agent; content:"Mozilla/"; depth:8; content:"|20|MSIE|20|"; distance:0; content:"|3b 20|Wis NT|20|"; distance:0; fast_pattern; content:"|3b 20|.NET CLR|20|"; distance:0; reference:url,www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html; reference:md5,b362f833c9d6e5bed19aeec5a5b868ea; classtype:trojan-activity; sid:2018321; rev:7; metadata:created_at 2014_03_26, former_category TROJAN, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M3"; flow:to_server,established; http.header; content:"substr{"; nocase; fast_pattern; pcre:"/^Host\x3a[^\r\n]+?[\x28\x29\x27\x22\x7b\x7d]/mi"; reference:url,exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html; classtype:web-application-attack; sid:2024279; rev:3; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2017_05_05, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_05;)
 
@@ -36048,7 +35550,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshe
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) May 24 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email"; depth:5; nocase; content:"|25|40"; distance:0; content:"senha"; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2024576; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish Mar 30 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"telefone="; depth:9; nocase; content:"&senha6="; nocase; distance:0; fast_pattern; content:"&ir="; nocase; distance:0; content:"&agencia="; nocase; distance:0; content:"&conta="; nocase; distance:0; content:"&senha8="; nocase; distance:0; classtype:credential-theft; sid:2024328; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish Mar 30 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"telefone="; depth:9; nocase; content:"&senha6="; nocase; distance:0; fast_pattern; content:"&ir="; nocase; distance:0; content:"&agencia="; nocase; distance:0; content:"&conta="; nocase; distance:0; content:"&senha8="; nocase; distance:0; classtype:credential-theft; sid:2024328; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish May 25 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"agencia="; depth:8; nocase; content:"&conta="; nocase; distance:0; content:"&senha8="; nocase; distance:0; fast_pattern; content:"&ir="; nocase; distance:0; classtype:credential-theft; sid:2024329; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
@@ -36294,9 +35796,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Foudre Checkin M1
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish - Fake Loading Page 2017-08-03"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"//configure destination URL"; nocase; fast_pattern; content:"targetdestination"; nocase; distance:0; content:"splashmessage[0]"; nocase; distance:0; content:"splashmessage[1]"; nocase; distance:0; content:"//Do not edit below this line"; nocase; distance:0; classtype:credential-theft; sid:2029660; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-0199 HTA Inbound"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; content:"application/hta"; bsize:15; file.data; content:"|7b 5c 72 74|"; distance:1; content:"|7b 5c|"; distance:0; content:"|7b 5c|"; distance:0; classtype:trojan-activity; sid:2024192; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_04_10, cve 2017_0199, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-0199 HTA Inbound"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; content:"application/hta"; bsize:15; file.data; content:"|7b 5c 72 74|"; distance:1; content:"|7b 5c|"; distance:0; content:"|7b 5c|"; distance:0; classtype:trojan-activity; sid:2024192; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_04_10, cve 2017_0199, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-0199 HTA Inbound M2"; flow:established,from_server; http.content_type; content:"application/hta"; bsize:15; file.data; content:"|2e 65 78 70 61 6e 64 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73 28 22 25 41 50 50 44 41 54 41 25 22 29 20|"; content:"|4d 65 6e 75 5c 50 72 6f 67 72 61 6d 73 5c 53 74 61 72 74 75 70 5c|"; classtype:trojan-activity; sid:2024193; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_04_10, cve 2017_0199, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-0199 HTA Inbound M2"; flow:established,from_server; http.content_type; content:"application/hta"; bsize:15; file.data; content:"|2e 65 78 70 61 6e 64 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73 28 22 25 41 50 50 44 41 54 41 25 22 29 20|"; content:"|4d 65 6e 75 5c 50 72 6f 67 72 61 6d 73 5c 53 74 61 72 74 75 70 5c|"; classtype:trojan-activity; sid:2024193; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_04_10, cve 2017_0199, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Internal Host Retrieving External IP Address (monip.outils-rezo. info)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/text"; http.host; content:"monip.outils-rezo.info"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2024526; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_08_11;)
 
@@ -36346,7 +35848,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M1 2016-10-27"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; content:"&idst="; nocase; distance:0; content:"&question1="; nocase; distance:0; content:"&sitekeyChallengeAnswer1="; nocase; distance:0; fast_pattern; content:"&question2="; nocase; distance:0; content:"&sitekeyChallengeAnswer2="; nocase; distance:0; content:"&question3="; nocase; distance:0; content:"&sitekeyChallengeAnswer3="; nocase; distance:0; content:"&sitekeyDeviceBind="; nocase; distance:0; classtype:credential-theft; sid:2032301; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jun 29 2016"; flow:from_server,established; http.stat_code; content:"401"; http.header; content:"WWW-Authenticate|3a 20|Basic realm=|22|"; nocase; content:"has been blocked"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2022925; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_29, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jun 29 2016"; flow:from_server,established; http.stat_code; content:"401"; http.header; content:"WWW-Authenticate|3a 20|Basic realm=|22|"; nocase; content:"has been blocked"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2022925; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_29, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful RBC Royal Bank Phish M1 Aug 17 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"FromPreSignIn_SIP="; depth:18; nocase; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; content:"&RSA_DEVPRINT="; nocase; distance:0; content:"&cn1="; nocase; distance:0; content:"&cn2="; nocase; distance:0; classtype:credential-theft; sid:2024586; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
@@ -36402,7 +35904,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Success
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Interac Phish Aug 18 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"fiId="; depth:5; nocase; content:"&cuId="; nocase; distance:0; content:"&hiddenFiLabel="; nocase; distance:0; content:"&hiddenCuLabel="; nocase; distance:0; content:"&isMobileBrowser="; nocase; distance:0; content:"&language="; nocase; distance:0; content:"&paymentRefNum="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024599; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish 2015-10-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"stateo="; depth:7; nocase; fast_pattern; content:"&passcode="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&ssn"; nocase; distance:0; classtype:credential-theft; sid:2031781; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish 2015-10-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"stateo="; depth:7; nocase; fast_pattern; content:"&passcode="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&ssn"; nocase; distance:0; classtype:credential-theft; sid:2031781; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish 2016-10-03"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cc="; depth:3; nocase; content:"&ex="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&ssn="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032294; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
@@ -36430,15 +35932,15 @@ alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tofsee Phar
 
 alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/JobCrypter Ransomware Checkin via SMTP"; flow:to_server,established; content:"|0d 0a 0d 0a|jui=0D=0A=0D=0Atre|3a 20|"; fast_pattern; content:"|0d 0a 0d 0a 2e 0d 0a|"; distance:0; isdataat:!1,relative; reference:md5,3bb560cb690a91134508910178928973; classtype:trojan-activity; sid:2030672; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_11, deployment Perimeter, former_category MALWARE, malware_family JobCrypter, signature_severity Major, tag Ransomware, updated_at 2020_08_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Aug 22 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"xxx="; depth:4; nocase; content:"&yyy="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2025027; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Aug 22 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"xxx="; depth:4; nocase; content:"&yyy="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2025027; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Datper CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"="; within:9; pcre:"/\.php\?[a-z]{3,8}=[a-f0-9]{16}[01][a-z]+$/i"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,eae5b16bef5f7dc37909ec91367fa807; reference:url,blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html; classtype:command-and-control; sid:2024601; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category MALWARE, malware_family Datper, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Hancitor/Tordal Document Inbound"; flow:established,from_server; flowbits:isset,ET.Hancitor; http.stat_code; content:"200"; http.header; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; content:".doc"; distance:0; http.content_type; content:"application/msword|3b|"; startswith; file.data; content:"|d0 cf 11 e0|"; depth:4; fast_pattern; classtype:exploit-kit; sid:2024605; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Hancitor, malware_family Tordal, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Disdain EK URI Struct Aug 23 2017 M1"; flow:established,to_server; urilen:>41; flowbits:set,ET.DisDain.EK; http.uri; content:".php"; offset:38; depth:4; pcre:"/^\/(?=[a-z0-9]{0,22}[A-Z]+?[a-z0-9])(?=[A-Z0-9]{0,22}[a-z]+?[A-Z0-9])[a-zA-Z0-9]{24}\/[a-zA-Z0-9]{12}\.php(?:\?[^&=]+=(?:[a-zA-Z0-9]{8}|0(?:189|037)|flash|2(?:551|419)|6332))?$/"; classtype:exploit-kit; sid:2024606; rev:3; metadata:created_at 2017_08_23, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Disdain EK URI Struct Aug 23 2017 M1"; flow:established,to_server; urilen:>41; flowbits:set,ET.DisDain.EK; http.uri; content:".php"; offset:38; depth:4; pcre:"/^\/(?=[a-z0-9]{0,22}[A-Z]+?[a-z0-9])(?=[A-Z0-9]{0,22}[a-z]+?[A-Z0-9])[a-zA-Z0-9]{24}\/[a-zA-Z0-9]{12}\.php(?:\?[^&=]+=(?:[a-zA-Z0-9]{8}|0(?:189|037)|flash|2(?:551|419)|6332))?$/"; classtype:exploit-kit; sid:2024606; rev:3; metadata:created_at 2017_08_23, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Disdain EK URI Struct Aug 23 2017 M2"; flow:established,to_server; urilen:34; flowbits:set,ET.DisDain.EK; http.uri; content:"/test.mp3"; offset:25; depth:9; pcre:"/^\/(?=[a-z0-9]{0,22}[A-Z]+?[a-z0-9])(?=[A-Z0-9]{0,22}[a-z]+?[A-Z0-9])[a-zA-Z0-9]{24}\/test\.mp3$/"; classtype:exploit-kit; sid:2024607; rev:3; metadata:created_at 2017_08_23, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Disdain EK URI Struct Aug 23 2017 M2"; flow:established,to_server; urilen:34; flowbits:set,ET.DisDain.EK; http.uri; content:"/test.mp3"; offset:25; depth:9; pcre:"/^\/(?=[a-z0-9]{0,22}[A-Z]+?[a-z0-9])(?=[A-Z0-9]{0,22}[a-z]+?[A-Z0-9])[a-zA-Z0-9]{24}\/test\.mp3$/"; classtype:exploit-kit; sid:2024607; rev:3; metadata:created_at 2017_08_23, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Aug 25 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"e="; depth:2; nocase; content:"&p="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024614; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
@@ -36488,7 +35990,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing L
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing M2 Sep 14 2017"; flow:to_client,established; http.stat_code; content:"200"; http.cookie; content:"connect.sid"; file.data; content:"mainController as mainCtrl"; nocase; content:"mainCtrl.username"; nocase; distance:0; content:"mainCtrl.password"; nocase; distance:0; content:"mainCtrl.submitCreds"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2024704; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zbot Activity Common Download Struct"; flow:to_server,established; http.uri; content:".bin"; fast_pattern; endswith; http.header; content:"Accept|3a 20|*/*|0d 0a|Connection|3a 20|Close|0d 0a|"; depth:32; http.user_agent; content:"|20|MSIE|20|"; http.host; content:!"passport.net"; endswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; classtype:trojan-activity; sid:2017836; rev:5; metadata:created_at 2013_12_12, former_category TROJAN, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zbot Activity Common Download Struct"; flow:to_server,established; http.uri; content:".bin"; fast_pattern; endswith; http.header; content:"Accept|3a 20|*/*|0d 0a|Connection|3a 20|Close|0d 0a|"; depth:32; http.user_agent; content:"|20|MSIE|20|"; http.host; content:!"passport.net"; endswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; classtype:trojan-activity; sid:2017836; rev:5; metadata:created_at 2013_12_12, former_category TROJAN, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 Sep 15 2017"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"?country.x="; nocase; content:"&locale.x="; nocase; distance:0; http.request_body; content:"login_email="; depth:12; nocase; content:"&login_password="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2031576; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
@@ -36820,7 +36322,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious Us
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ms_ie) - Crypt.ZPACK Gen Trojan Downloader GET Request"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.header; content:"User-Agent\: ms_ie|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2009538; classtype:trojan-activity; sid:2009538; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Forthgoner) - Possible Trojan Downloader GET Request"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.header; content:"User-Agent\: Forthgoner|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2009547; classtype:trojan-activity; sid:2009547; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Forthgoner) - Possible Trojan Downloader GET Request"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.header; content:"User-Agent\: Forthgoner|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2009547; classtype:trojan-activity; sid:2009547; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Luder.B User-Agent (Mozilla/4.0 (SPGK)) - GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"Mozilla/4.0 (SPGK)"; fast_pattern; nocase; bsize:18; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=212955#none; reference:url,www.threatexpert.com/threats/virus-win32-luder-b.html; reference:url,doc.emergingthreats.net/2009805; classtype:trojan-activity; sid:2009805; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_13;)
 
@@ -36892,7 +36394,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drovorub shell Mo
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drovorub tunnel Module Server Response"; flow:established,to_client; file_data; content:"|7b 22|children|22|"; startswith; content:"|22|name|22|"; content:"|22|module|22|"; content:"|22|dHVubmVs|22|"; distance:0; fast_pattern; content:"|22|name|22|"; content:"|22|action|22|"; reference:url,media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF; classtype:targeted-activity; sid:2030687; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Raiffeisen Phishing Domain Nov 03 2017"; dns.query; content:"banking.raiffeisen.at."; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}$/Ri"; classtype:social-engineering; sid:2024943; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_13;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Raiffeisen Phishing Domain Nov 03 2017"; dns.query; content:"banking.raiffeisen.at."; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}$/Ri"; classtype:social-engineering; sid:2024943; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2022_05_03;)
 
 alert dns $HOME_NET any -> any any (msg:"ET PHISHING Sparkasse Phishing Domain Nov 03 2017"; dns.query; content:"netbanking.sparkasse.at."; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}$/Ri"; classtype:social-engineering; sid:2024944; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_13;)
 
@@ -37086,7 +36588,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winsoft.E Checkin
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WORM_VOBFUS Requesting exe"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?"; offset:2; depth:11; pcre:"/^\/[a-z0-9]{1,10}\/?\?.+?$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.1|3b 20|SV1)"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015969; rev:15; metadata:created_at 2012_11_30, updated_at 2020_08_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)"; flow:established,to_client; tls.cert_subject; content:"O=Internet Widgits Pty Ltd"; classtype:not-suspicious; sid:2011540; rev:7; metadata:created_at 2010_09_27, former_category POLICY, updated_at 2020_08_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)"; flow:established,to_client; tls.cert_subject; content:"O=Internet Widgits Pty Ltd"; classtype:not-suspicious; sid:2011540; rev:7; metadata:created_at 2010_09_27, former_category POLICY, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup Attempt To Wipmania"; flow:established,to_server; http.host; content:"api.wipmania.com"; reference:md5,b318988249cd8e8629b4ef8a52760b65; classtype:external-ip-check; sid:2014304; rev:5; metadata:created_at 2012_03_05, former_category POLICY, updated_at 2020_08_17;)
 
@@ -37116,7 +36618,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Maliciou
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bamital Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[a-z0-9.&-]+(?:[a-z0-9]{4}-){3}[a-z0-9.&+-]+$/i"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/5.0)"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept-"; classtype:command-and-control; sid:2019756; rev:5; metadata:created_at 2014_11_20, former_category MALWARE, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016"; flow:established,to_server; http.uri; content:".exe"; nocase; fast_pattern; http.host; pcre:"/\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)(?:\x3a\d{1,5})?$/"; http.header_names; content:!"Referer"; content:!"Cookie"; classtype:trojan-activity; sid:2022896; rev:6; metadata:created_at 2016_06_14, former_category CURRENT_EVENTS, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016"; flow:established,to_server; http.uri; content:".exe"; nocase; fast_pattern; http.host; pcre:"/\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)(?:\x3a\d{1,5})?$/"; http.header_names; content:!"Referer"; content:!"Cookie"; classtype:trojan-activity; sid:2022896; rev:6; metadata:created_at 2016_06_14, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod requesting EXE payload 2016-03-31"; flow:established,to_server; flowbits:set,ET.nemucod.exerequest; http.method; content:"GET"; http.uri; content:"/counter/?ad="; nocase; content:"="; distance:0; pcre:"/=\d+$/"; http.header_names; content:!"Referer"; reference:url,certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,c5ad81d8d986c92f90d0462bc06ac9c6; classtype:trojan-activity; sid:2022692; rev:4; metadata:created_at 2016_03_31, updated_at 2020_08_17;)
 
@@ -37302,7 +36804,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE GORGON APT Downlo
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Hupigon System Stats Report (I-variant)"; flow:established,to_server; content:"|00 00 00|"; depth:3; content:"<CPUI>"; content:"</CPUI><"; within:27; content:"<MEMI>"; content:"</MEMI><"; within:27; pcre:"/^\x00\x00\x00[\x72-\x74]/"; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:trojan-activity; sid:2009052; rev:4; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WORM SDBot HTTP Checkin"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a 0d 0a|quem=dodoi&tit="; content:"&txt="; within:40; reference:url,doc.emergingthreats.net/2007914; classtype:trojan-activity; sid:2007914; rev:5; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WORM SDBot HTTP Checkin"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a 0d 0a|quem=dodoi&tit="; content:"&txt="; within:40; reference:url,doc.emergingthreats.net/2007914; classtype:trojan-activity; sid:2007914; rev:5; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
 #alert tcp any any -> $HOME_NET 3000 (msg:"ET DOS ntop Basic-Auth DOS inbound"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/configNtop.html"; within:20; nocase; content:"Authorization|3a|"; nocase; content: "Basic"; within:20; content:"=="; within:100; reference:url,www.securityfocus.com/bid/36074; reference:url,www.securityfocus.com/archive/1/505862; reference:url,www.securityfocus.com/archive/1/505876; classtype:denial-of-service; sid:2011511; rev:2; metadata:created_at 2010_09_27, updated_at 2020_08_20;)
 
@@ -37326,6 +36828,8 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB Trans2 Query_F
 
 #alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 2"; content:"|FE|"; byte_test:1,>,11,0,relative; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; within:50; content:"|FE FF|"; within:50; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012155; rev:3; metadata:created_at 2011_01_06, updated_at 2020_08_20;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus GET Request to CnC"; flow:established,to_server; content:"GET"; http_method; content:"HTTP/1.1|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a|"; content:!"Content-Type|3a| "; http_header; content:"|0d 0a|Content-Length|3a| "; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0D 0A|Cache-Control|3a| no-cache|0D 0A 0D 0A|"; classtype:command-and-control; sid:2011817; rev:4; metadata:created_at 2010_10_14, updated_at 2020_08_20;)
+
 #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Iframe in Purported Image Download (png) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/png"; nocase; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\x3a\s+image\/png/i"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2008315; classtype:web-application-attack; sid:2008315; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Iframe in Purported Image Download (jpeg) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/jpeg"; nocase; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\x3a\s+image\/jpeg/i"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2008313; classtype:web-application-attack; sid:2008313; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Server_Applications, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Web_Client_Attacks, updated_at 2020_08_20;)
@@ -37360,6 +36864,8 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nitol.A Chec
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ShellBot.C retrieval"; flow:from_server,established; file_data; content:"my $processo"; content:"my @adms="; distance:0; content:"my @canais="; distance:0; content:"|23|gh|30|sts"; within:10; reference:md5,3e44252394078c8fd792da1583525d0c; reference:url,pastebin.com/0dAciksC; reference:url,pastebin.com/C0arvGxU; classtype:trojan-activity; sid:2018953; rev:3; metadata:created_at 2014_08_19, updated_at 2020_08_19;)
 
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Beizhu/Womble/Vipdataend Checking in with Controller"; flow:established,to_server; dsize:<70; content:"|3a|Windows"; depth:11; offset:2; content:"|7c|212("; within:15; reference:url,doc.emergingthreats.net/2008334; classtype:trojan-activity; sid:2008334; rev:11; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32.Onlinegames.ajok CnC Packet to Server"; flow:established,to_server; dsize:20; content:"|7e 7e 7e|"; depth:4; content:"|7e 7e 7e|"; within:4; flowbits:set,ET.onlinegames.ajok; reference:url,doc.emergingthreats.net/2008291; classtype:command-and-control; sid:2008291; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_20;)
 
 #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Win32.Onlinegames.ajok CnC Packet from Server"; flow:established,from_server; flowbits:isset,ET.onlinegames.ajok; content:"|7e 7e 7e|"; depth:4; content:"|7e 7e 7e|"; within:4; reference:url,doc.emergingthreats.net/2008292; classtype:command-and-control; sid:2008292; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_20;)
@@ -37404,6 +36910,10 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/STDbot CnC Act
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/STDbot CnC Activity (UNK attack)"; flow:established,to_server; content:"PRIVMSG|20|"; content:"|20 3a|[UNK]Hitting|20|"; fast_pattern; distance:0; content:"!|0a|"; within:40; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:command-and-control; sid:2022216; rev:3; metadata:created_at 2015_12_03, former_category MALWARE, updated_at 2020_08_19;)
 
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|velodrivve|03|biz|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; within:4; pcre:"/[a-z]{4,10}\x08velodrivve\x03biz\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022703; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2020_08_20, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Outdated Mac Flash Version"; flow:established,to_server; content:"x-flash-version|3a 20|"; http_header; content:!"18,0,0,366|0d 0a|"; within:12; http_header; content:!"22,0,0,209|0d 0a|"; within:12; http_header; content:"Macintosh"; http_user_agent; threshold: type limit, count 1, seconds 60, track by_src; classtype:policy-violation; sid:2014727; rev:61; metadata:created_at 2012_05_09, updated_at 2020_08_20;)
+
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam M3 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:".chrome-alert"; nocase; content:"<title>"; nocase; distance:0; content:"Microsoft Official Support"; fast_pattern; nocase; within:40; classtype:social-engineering; sid:2023239; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2020_08_20;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING XBOOMBER Paypal Phishing Landing Nov 28 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Encoding|3a 20|gzip"; http_header; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<form method=|22|post|22|"; nocase; content:"action=|22|websc"; nocase; within:150; content:".php?SessionID-xb="; fast_pattern; nocase; within:50; classtype:social-engineering; sid:2023557; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_20;)
@@ -37498,7 +37008,7 @@ alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerSploit/Power
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Group 21 Payload CnC Checkin"; flow:established,to_server; dsize:<400; content:"|3a 3a|MAC|3a 3a|"; startswith; content:"|3a 3a|HOSTNAME/USERNAME|3a 3a|"; within:100; fast_pattern; content:"|3a 3a|U-FILE|3a 3a|"; within:100; reference:md5,6a271282fe97322d49e9692891332ad7; classtype:trojan-activity; sid:2035061; rev:3; metadata:created_at 2020_01_16, former_category MALWARE, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nexus Stealer CnC Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:!"Mozilla"; http.request_body; content:"{"; startswith; content:"|7e 3b 5e 3b|Windows|20|"; within:50; fast_pattern; content:"|7e 3b 5e 3b|"; distance:0; content:"|7e 3b 5e 3b|"; distance:0; content:"|7e 3b 5e 3b|"; distance:0; http.header_names; content:!"Referer"; reference:md5,8bd8582155ef003b8a24d341d75f1d7f; classtype:command-and-control; sid:2029298; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_21, deployment Perimeter, former_category MALWARE, malware_family Nexus, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nexus Stealer CnC Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:!"Mozilla"; http.request_body; content:"{"; startswith; content:"|7e 3b 5e 3b|Windows|20|"; within:50; fast_pattern; content:"|7e 3b 5e 3b|"; distance:0; content:"|7e 3b 5e 3b|"; distance:0; content:"|7e 3b 5e 3b|"; distance:0; http.header_names; content:!"Referer"; reference:md5,8bd8582155ef003b8a24d341d75f1d7f; classtype:command-and-control; sid:2029298; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_21, deployment Perimeter, former_category MALWARE, malware_family Nexus, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Embedded NTLM Hash Theft Code"; flow:established,to_client; file.data; content:"src="; nocase; content:"file|3a 2f 2f 2f 5c 5c|"; distance:0; nocase; fast_pattern; within:10; content:"|5f|C$|5f|"; nocase; within:50; content:"visibility|3a|"; nocase; within:50; content:"hidden"; within:8; content:"src="; pcre:"/^\s*[\x22\x27]\s*file\x3a\x2f\x2f\x2f\x5c\x5c[^\x20]+\x5cC\$\x5c\s*[\x22\x27]/Rsi"; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting; classtype:attempted-user; sid:2029329; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_08_19;)
 
@@ -37556,269 +37066,311 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/CoalaBot CnC
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing - Data URI Inline Javascript Mar 07 2016"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"data|3a|text/html|3b|"; fast_pattern; content:"|3b|base64,"; within:21; pcre:"/^[^\x22|\x27]+<\s*?script(?:(?!<\s*?\/\s*?script).)+?data\x3atext\/html\x3b(?:charset=UTF-8\x3b)?base64\x2c/si"; reference:url,proofpoint.com/us/threat-insight/post/Obfuscation-Techniques-In-Phishing-Attacks; classtype:social-engineering; sid:2022597; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET 8004 (msg:"ET EXPLOIT Symantec Scan Engine Request Password Hash"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/xml.xml"; nocase; http_uri; content:"<request"; nocase; http_client_body; content:"<key "; nocase; http_client_body; reference:cve,2006-0230; reference:bugtraq,17637; reference:url,doc.emergingthreats.net/bin/view/Main/2002896; classtype:attempted-recon; sid:2002896; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert udp [174.129.0.0/16,67.202.0.0/18,79.125.0.0/17,184.72.0.0/15,75.101.128.0/17,174.129.0.0/16,204.236.128.0/17] !53 -> $HOME_NET !53 (msg:"ET POLICY Incoming UDP Packet From Amazon EC2 Cloud";  reference:url,doc.emergingthreats.net/2010816; classtype:command-and-control; sid:2010816; rev:7; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_08_20;)
+
+#alert tcp any any -> $HOME_NET any (msg:"ET DELETED Pitbull IRCbotnet Commands"; flow:from_server,established; content:"PRIVMSG|20|"; pcre:"/PRIVMSG.*@(portscan|nmap|back|udpflood|tcpflood|httpflood|linuxhelp|rfi|system|milw0rm|logcleaner|sendmail|join|part|help)/i"; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007625; classtype:trojan-activity; sid:2007625; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo CA - Cryptsoft Pty (CN)"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; content:"Test PCA (1024 bit)"; within:50; classtype:trojan-activity; sid:2011541; rev:5; metadata:created_at 2010_09_27, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET 8004 (msg:"ET EXPLOIT Symantec Scan Engine Request Password Hash"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/xml.xml"; nocase; http_uri; content:"<request"; nocase; http_client_body; content:"<key "; nocase; http_client_body; reference:cve,2006-0230; reference:bugtraq,17637; reference:url,doc.emergingthreats.net/bin/view/Main/2002896; classtype:attempted-recon; sid:2002896; rev:7; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; http_header; content:"Host|3a| "; http_header; nocase; pcre:"/User-Agent|3a|[^\n]+Windows-Update-Agent/Hsmi"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,windowsupdate.microsoft.com; reference:url,doc.emergingthreats.net/2002948; classtype:policy-violation; sid:2002948; rev:11; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo CA - Cryptsoft Pty (CN)"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; content:"Test PCA (1024 bit)"; within:50; classtype:trojan-activity; sid:2011541; rev:5; metadata:created_at 2010_09_27, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RSP MP3 Player OCX ActiveX OpenFile Method Buffer Overflow Attempt"; flow:to_client,established; content:"3C88113F-8CEC-48DC-A0E5-983EF9458687"; nocase; content:"OpenFile"; distance:0; nocase; reference:url,exploit-db.com/exploits/14309/; reference:url,packetstormsecurity.org/1007-exploits/rspmp3-overflow.txt; reference:url,doc.emergingthreats.net/2011249; classtype:web-application-attack; sid:2011249; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_20;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; http_header; content:"Host|3a| "; http_header; nocase; pcre:"/User-Agent|3a|[^\n]+Windows-Update-Agent/Hsmi"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,windowsupdate.microsoft.com; reference:url,doc.emergingthreats.net/2002948; classtype:policy-violation; sid:2002948; rev:11; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Gesytec ElonFmt ActiveX Component GetItem1 member Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT"; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"824C4DC5-8DA4-11D6-A01F-00E098177CDC"; nocase; distance:0; content:".GetItem1"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*824C4DC5-8DA4-11D6-A01F-00E098177CDC/si"; reference:url,exploit-db.com/exploits/17196; classtype:web-application-attack; sid:2012741; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_04_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_19;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RSP MP3 Player OCX ActiveX OpenFile Method Buffer Overflow Attempt"; flow:to_client,established; content:"3C88113F-8CEC-48DC-A0E5-983EF9458687"; nocase; content:"OpenFile"; distance:0; nocase; reference:url,exploit-db.com/exploits/14309/; reference:url,packetstormsecurity.org/1007-exploits/rspmp3-overflow.txt; reference:url,doc.emergingthreats.net/2011249; classtype:web-application-attack; sid:2011249; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes Jump.jsp CnC Checkin Message"; flow:established,to_server; content:"/Jump.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:command-and-control; sid:2013142; rev:4; metadata:attack_target Mobile_Client, created_at 2011_06_30, former_category MOBILE_MALWARE, updated_at 2020_08_20, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Gesytec ElonFmt ActiveX Component GetItem1 member Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT"; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"824C4DC5-8DA4-11D6-A01F-00E098177CDC"; nocase; distance:0; content:".GetItem1"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*824C4DC5-8DA4-11D6-A01F-00E098177CDC/si"; reference:url,exploit-db.com/exploits/17196; classtype:web-application-attack; sid:2012741; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_04_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"D="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006610; classtype:web-application-attack; sid:2006610; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes Jump.jsp CnC Checkin Message"; flow:established,to_server; content:"/Jump.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:command-and-control; sid:2013142; rev:4; metadata:attack_target Mobile_Client, created_at 2011_06_30, former_category MOBILE_MALWARE, updated_at 2022_05_03, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:78; nocase; classtype:protocol-command-decode; sid:2103091; rev:6; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"D="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006610; classtype:web-application-attack; sid:2006610; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:78; nocase; classtype:protocol-command-decode; sid:2103091; rev:6; metadata:created_at 2010_09_23, updated_at 2022_05_03;)
+
+#alert ip any any <> 127.0.0.0/8 any (msg:"GPL SCAN loopback traffic";  reference:url,rr.sans.org/firewall/egress.php; classtype:bad-unknown; sid:2100528; rev:7; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+
+#alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"GPL POLICY udp port 0 traffic";  reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:2100525; rev:11; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Banker.OT Checkin"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"praquem="; http_client_body; fast_pattern; content:"&titulo="; http_client_body; content:"&texto="; http_client_body; reference:url,doc.emergingthreats.net/2007823; classtype:trojan-activity; sid:2007823; rev:9; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Spyaxe Spyware User-Agent (spyaxe)"; flow:to_server,established; content:" spyaxe "; fast_pattern:only; http_header; reference:url,doc.emergingthreats.net/2002807; classtype:trojan-activity; sid:2002807; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dictcn Trojan Downloader Node Server Type"; flow:established,to_client; content:"Server|3A| Dict/"; fast_pattern:only; classtype:trojan-activity; sid:2013326; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_27, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2020_08_20;)
 
 #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; fast_pattern; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; distance:1; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2102090; rev:13; metadata:created_at 2010_09_23, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Boaxxe HTTP POST Checkin"; flow:established,to_server; content:"/u/"; http_uri; content:"POST"; nocase; http_method; content:"user-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:"a="; http_client_body; content:"&b="; http_client_body; reference:url,doc.emergingthreats.net/2009297; classtype:command-and-control; sid:2009297; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Boaxxe HTTP POST Checkin"; flow:established,to_server; content:"/u/"; http_uri; content:"POST"; nocase; http_method; content:"user-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:"a="; http_client_body; content:"&b="; http_client_body; reference:url,doc.emergingthreats.net/2009297; classtype:command-and-control; sid:2009297; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rootkit.Win32.Clbd.cz Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"gd="; http_client_body; content:"=="; http_client_body; content:"&affid="; http_client_body; content:"="; http_client_body; content:"&subid="; http_client_body; content:"=="; content:"&prov="; http_client_body; reference:url,doc.emergingthreats.net/2008442; classtype:command-and-control; sid:2008442; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rootkit.Win32.Clbd.cz Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"gd="; http_client_body; content:"=="; http_client_body; content:"&affid="; http_client_body; content:"="; http_client_body; content:"&subid="; http_client_body; content:"=="; content:"&prov="; http_client_body; reference:url,doc.emergingthreats.net/2008442; classtype:command-and-control; sid:2008442; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Coreflood/AFcore Trojan Infection (2)"; flow:to_server; content:"POST"; nocase; http_method; content:"HTTP/1.0|0d 0a|Host|3a 20|"; content:"r="; http_client_body; content:"&i="; http_client_body; content:"&v="; http_client_body; content:"&os="; http_client_body; content:"&s="; http_client_body; content:"&h="; http_client_body; content:"&d="; http_client_body; content:"&panic"; http_client_body; content:"&ie="; http_client_body; content:"&input="; http_client_body; content:"&c="; http_client_body; reference:url,www.secureworks.com/research/threats/coreflood; reference:url,doc.emergingthreats.net/2008443; classtype:trojan-activity; sid:2008443; rev:10; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Coreflood/AFcore Trojan Infection (2)"; flow:to_server; content:"POST"; nocase; http_method; content:"HTTP/1.0|0d 0a|Host|3a 20|"; content:"r="; http_client_body; content:"&i="; http_client_body; content:"&v="; http_client_body; content:"&os="; http_client_body; content:"&s="; http_client_body; content:"&h="; http_client_body; content:"&d="; http_client_body; content:"&panic"; http_client_body; content:"&ie="; http_client_body; content:"&input="; http_client_body; content:"&c="; http_client_body; reference:url,www.secureworks.com/research/threats/coreflood; reference:url,doc.emergingthreats.net/2008443; classtype:trojan-activity; sid:2008443; rev:10; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-GameThief.Win32.OnLineGames infection report"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&hAssunto=infect-"; http_client_body; content:"&hCorpo="; http_client_body; content:"&hPara="; http_client_body; reference:url,doc.emergingthreats.net/2008984; classtype:trojan-activity; sid:2008984; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-GameThief.Win32.OnLineGames infection report"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&hAssunto=infect-"; http_client_body; content:"&hCorpo="; http_client_body; content:"&hPara="; http_client_body; reference:url,doc.emergingthreats.net/2008984; classtype:trojan-activity; sid:2008984; rev:7; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Knockbot Proxy Response From Controller (empty command)"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|"; nocase; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; reference:url,doc.emergingthreats.net/2010788; classtype:trojan-activity; sid:2010788; rev:6; metadata:created_at 2010_07_30, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Knockbot Proxy Response From Controller (empty command)"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|"; nocase; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; reference:url,doc.emergingthreats.net/2010788; classtype:trojan-activity; sid:2010788; rev:6; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT EnableExecuteProtectionSupport - Undocumented API to Modify DEP"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"EnableExecuteProtectionSupport"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012777; rev:6; metadata:created_at 2011_05_03, former_category POLICY, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT EnableExecuteProtectionSupport - Undocumented API to Modify DEP"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"EnableExecuteProtectionSupport"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012777; rev:6; metadata:created_at 2011_05_03, former_category POLICY, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye Checkin version 1.3.25 or later 3"; flow:established,to_server; content:"POST"; http_method; nocase; content:"data=mIqWm8"; http_client_body; depth:11; classtype:command-and-control; sid:2014428; rev:7; metadata:created_at 2012_03_26, former_category MALWARE, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye Checkin version 1.3.25 or later 3"; flow:established,to_server; content:"POST"; http_method; nocase; content:"data=mIqWm8"; http_client_body; depth:11; classtype:command-and-control; sid:2014428; rev:7; metadata:created_at 2012_03_26, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X Client for RDP ClientSystem Class ActiveX Control InstallClient Download and Execute"; flow:to_client,established; content:"CLSID"; nocase; content:"F5DF8D65-559D-4b75-8562-5302BD2F5F20"; nocase; distance:0; content:"InstallClient"; nocase; reference:url,www.exploit-db.com/exploits/18624/; classtype:attempted-user; sid:2014422; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X Client for RDP ClientSystem Class ActiveX Control InstallClient Download and Execute"; flow:to_client,established; content:"CLSID"; nocase; content:"F5DF8D65-559D-4b75-8562-5302BD2F5F20"; nocase; distance:0; content:"InstallClient"; nocase; reference:url,www.exploit-db.com/exploits/18624/; classtype:attempted-user; sid:2014422; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Peed Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; content:"Content-Type|3a| application/x-www-form-urlencoded|3b 20|charset=UTF-8|0d 0a|Connection|3a| close|0d 0a 0d 0a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"aa1020R0="; http_client_body; depth:9; fast_pattern; content:"%3D%0D%0A"; http_client_body; offset:109; reference:md5,142ff7d3d931ecfa9a06229842ceefc4; reference:md5,df690cbf6e33e9ee53fdcfc456dc4c1f; classtype:command-and-control; sid:2014347; rev:6; metadata:created_at 2012_03_09, former_category MALWARE, updated_at 2020_08_20;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 2 byte"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02 02|"; distance:1; within:2; byte_test:2,<,0x06,0,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014432; rev:10; metadata:created_at 2012_03_24, updated_at 2020_08_20;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX  Dell Webcam CrazyTalk ActiveX Control BackImage Access Potential Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"13149882-F480-4F6B-8C6A-0764F75B99ED"; nocase; distance:0; content:"BackImage"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111077/Dell-Webcam-CrazyTalk-ActiveX-BackImage-Vulnerability.html; classtype:attempted-user; sid:2014451; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Peed Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; content:"Content-Type|3a| application/x-www-form-urlencoded|3b 20|charset=UTF-8|0d 0a|Connection|3a| close|0d 0a 0d 0a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"aa1020R0="; http_client_body; depth:9; fast_pattern; content:"%3D%0D%0A"; http_client_body; offset:109; reference:md5,142ff7d3d931ecfa9a06229842ceefc4; reference:md5,df690cbf6e33e9ee53fdcfc456dc4c1f; classtype:command-and-control; sid:2014347; rev:6; metadata:created_at 2012_03_09, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest InTrust Annotation Objects ActiveX Control Add Access Potential Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"EF600D71-358F-11D1-8FD4-00AA00BD091C"; nocase; distance:0; content:".Add("; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18674/; classtype:attempted-user; sid:2014453; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_19;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Dell Webcam CrazyTalk ActiveX Control BackImage Access Potential Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"13149882-F480-4F6B-8C6A-0764F75B99ED"; nocase; distance:0; content:"BackImage"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111077/Dell-Webcam-CrazyTalk-ActiveX-BackImage-Vulnerability.html; classtype:attempted-user; sid:2014451; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2022_05_03;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest InTrust Annotation Objects ActiveX Control Add Access Potential Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"EF600D71-358F-11D1-8FD4-00AA00BD091C"; nocase; distance:0; content:".Add("; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18674/; classtype:attempted-user; sid:2014453; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2022_05_03;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Connectivity Check of Unknown Origin 1"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/"; urilen:1; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.google.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; depth:85; fast_pattern; content:"PREF=ID="; http_cookie; depth:8; classtype:trojan-activity; sid:2013349; rev:5; metadata:created_at 2011_08_04, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Connectivity Check of Unknown Origin 2"; flow:to_server,established; content:"GET"; content:"/whois/usgoodluck.com"; http_uri; fast_pattern:only; urilen:21; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.whois-search.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; depth:91; classtype:trojan-activity; sid:2013350; rev:4; metadata:created_at 2011_08_04, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Connectivity Check of Unknown Origin 2"; flow:to_server,established; content:"GET"; content:"/whois/usgoodluck.com"; http_uri; fast_pattern:only; urilen:21; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.whois-search.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; depth:91; classtype:trojan-activity; sid:2013350; rev:4; metadata:created_at 2011_08_04, updated_at 2022_05_03;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Dell Webcam CrazyTalk ActiveX Control BackImage Access Potential  Buffer Overflow Attempt 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"CRAZYTALK4Lib.CrazyTalk4"; nocase; distance:0; content:"BackImage"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111077/Dell-Webcam-CrazyTalk-ActiveX-BackImage-Vulnerability.html; classtype:attempted-user; sid:2014452; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Dell Webcam CrazyTalk ActiveX Control BackImage Access Potential  Buffer Overflow Attempt 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"CRAZYTALK4Lib.CrazyTalk4"; nocase; distance:0; content:"BackImage"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111077/Dell-Webcam-CrazyTalk-ActiveX-BackImage-Vulnerability.html; classtype:attempted-user; sid:2014452; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - Multi Arch w/Intel"; flow:established,to_client; content:"|0d 0a 0d 0a CA FE BA BE|"; content:"|CE FA ED FE|"; distance:0; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014514; rev:8; metadata:created_at 2012_04_06, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - Multi Arch w/Intel"; flow:established,to_client; content:"|0d 0a 0d 0a CA FE BA BE|"; content:"|CE FA ED FE|"; distance:0; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014514; rev:8; metadata:created_at 2012_04_06, updated_at 2020_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Dynamic DNS Exploit Pack Payload"; flow:established,to_server; content:".php"; http_uri; content:"quote="; distance:0; http_uri; content:"tid=";http_uri; content:"fid="; http_uri; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014445; rev:6; metadata:created_at 2012_03_30, updated_at 2020_08_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Metasploit Meterpreter core_channel_* Command Response"; flow:established; content:"|00 01 00 01|core_channel_"; offset:11; depth:17; classtype:successful-user; sid:2014533; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_08_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Metasploit Meterpreter core_channel_* Command Response"; flow:established; content:"|00 01 00 01|core_channel_"; offset:11; depth:17; classtype:successful-user; sid:2014533; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2022_05_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Metasploit Meterpreter stdapi_* Command Response"; flow:established; content:"|00 01 00 01|stdapi_"; offset:11; depth:11; classtype:successful-user; sid:2014532; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_08_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Metasploit Meterpreter stdapi_* Command Response"; flow:established; content:"|00 01 00 01|stdapi_"; offset:11; depth:11; classtype:successful-user; sid:2014532; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2022_05_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Metasploit Meterpreter core_channel_* Command Request"; flow:established; content:"|00 01 00 01|core_channel_"; offset:12; depth:17; classtype:successful-user; sid:2014531; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_08_19;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Metasploit Meterpreter core_channel_* Command Request"; flow:established; content:"|00 01 00 01|core_channel_"; offset:12; depth:17; classtype:successful-user; sid:2014531; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2022_05_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Metasploit Meterpreter stdapi_* Command Request"; flow:established; content:"|00 01 00 01|stdapi_"; offset:12; depth:11; classtype:successful-user; sid:2014530; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_08_19;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Metasploit Meterpreter stdapi_* Command Request"; flow:established; content:"|00 01 00 01|stdapi_"; offset:12; depth:11; classtype:successful-user; sid:2014530; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Reporting - POST often to resolution|borders.php"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"data=CjEf"; http_client_body; pcre:"/data=[a-zA-Z0-9\+\/]{64}/P"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010337; classtype:trojan-activity; sid:2010337; rev:20; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Reporting - POST often to resolution|borders.php"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"data=CjEf"; http_client_body; pcre:"/data=[a-zA-Z0-9\+\/]{64}/P"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010337; classtype:trojan-activity; sid:2010337; rev:20; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Keylogger Pro Update Check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"<root><clnt>"; http_client_body; content:"</clnt><code>CheckUpdate</code>"; http_client_body; nocase; fast_pattern; pcre:"/<root><clnt>\d{8}-\d{4}-\d{4}-\d{4}-[0-9A-F]{12}</clnt><code>CheckUpdate</code>/P"; reference:url,vil.nai.com/vil/content/v_130975.htm; reference:url,doc.emergingthreats.net/2009533; classtype:trojan-activity; sid:2009533; rev:8; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Keylogger Pro Update Check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"<root><clnt>"; http_client_body; content:"</clnt><code>CheckUpdate</code>"; http_client_body; nocase; fast_pattern; pcre:"/<root><clnt>\d{8}-\d{4}-\d{4}-\d{4}-[0-9A-F]{12}</clnt><code>CheckUpdate</code>/P"; reference:url,vil.nai.com/vil/content/v_130975.htm; reference:url,doc.emergingthreats.net/2009533; classtype:trojan-activity; sid:2009533; rev:8; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED WebshotsNetClient"; flow: to_server,established; content:"WebshotsNetClient"; http_header; nocase; reference:url,www.webshots.com; reference:url,doc.emergingthreats.net/2002407; classtype:policy-violation; sid:2002407; rev:9; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Exchange 2003 OWA plain-text E-Mail message access not SSL"; flow:established,from_server; content:"var g_szURL = |22|http|3a 2f 2f|"; content:"var g_szFolder = |22|"; content:"varg_szVirtualRoot = |22|http|3a 2f 2f|"; content:"Microsoft Corporation."; reference:url,support.microsoft.com/kb/321832; classtype:web-application-activity; sid:2010030; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Exchange 2003 OWA plain-text E-Mail message access not SSL"; flow:established,from_server; content:"var g_szURL = |22|http|3a 2f 2f|"; content:"var g_szFolder = |22|"; content:"varg_szVirtualRoot = |22|http|3a 2f 2f|"; content:"Microsoft Corporation."; reference:url,support.microsoft.com/kb/321832; classtype:web-application-activity; sid:2010030; rev:7; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-#alert http any $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Help Center Arbitrary Command Execution Exploit Attempt"; flow:established,from_server; content:"hcp|3a|//"; fast_pattern; nocase; content:"script"; nocase; distance:0; content:"defer"; nocase; distance:0; content:"unescape"; nocase; distance:0; pcre:"/src\s*=\s*[\x22\x27]?hcp\x3a\x2f\x2F[^\n]*?(%3c|<)script[^\n]*?defer[^\n]*?unescape/i"; reference:url,www.exploit-db.com/exploits/13808/; reference:url,doc.emergingthreats.net/2011173; reference:cve,2010-1885; classtype:misc-attack; sid:2011173; rev:12; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wicjgufeimlbmcus.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wicjgufeimlbmcus|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015456; rev:3; metadata:created_at 2012_07_12, updated_at 2020_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot GET to Google checking Internet connectivity using proxy"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/webhp"; http_uri; content:"Accept|3a| */*|0d 0a|Pragma|3a| no-cache|0d 0a|User-Agent|3a| "; depth:43; http_header; content:"|0d 0a|Host|3a| "; distance:0; http_header; content:!"Referer|3a| "; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2014105; rev:5; metadata:created_at 2012_01_10, former_category MALWARE, updated_at 2020_08_20;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain oxkjnvhjnvnegtyb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|oxkjnvhjnvnegtyb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015442; rev:3; metadata:created_at 2012_07_12, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/DirtJumper CnC Server Providing DDOS Targets"; flow:established,from_server; content:"|0d 0a 0d 0a|"; content:"|7C|"; distance:2; within:1; content:"|7c|"; distance:2; within:4; content:"http|3A 2F 2F|"; distance:3; within:7; pcre:"/\d{2}\x7C\d{1,3}\x7C\d{1,3}http\x3A\x2F\x2F/Ai"; reference:url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/; classtype:command-and-control; sid:2013440; rev:7; metadata:created_at 2011_08_19, former_category MALWARE, updated_at 2020_08_20;)
+#alert http any $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Help Center Arbitrary Command Execution Exploit Attempt"; flow:established,from_server; content:"hcp|3a|//"; fast_pattern; nocase; content:"script"; nocase; distance:0; content:"defer"; nocase; distance:0; content:"unescape"; nocase; distance:0; pcre:"/src\s*=\s*[\x22\x27]?hcp\x3a\x2f\x2F[^\n]*?(%3c|<)script[^\n]*?defer[^\n]*?unescape/i"; reference:url,www.exploit-db.com/exploits/13808/; reference:url,doc.emergingthreats.net/2011173; reference:cve,2010-1885; classtype:misc-attack; sid:2011173; rev:12; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; pcre:"/\x0d\x0aContent-Length\x3a \d{0,6}\x0d\x0a/"; reference:url,doc.emergingthreats.net/2007671; classtype:policy-violation; sid:2007671; rev:16; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot GET to Google checking Internet connectivity using proxy"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/webhp"; http_uri; content:"Accept|3a| */*|0d 0a|Pragma|3a| no-cache|0d 0a|User-Agent|3a| "; depth:43; http_header; content:"|0d 0a|Host|3a| "; distance:0; http_header; content:!"Referer|3a| "; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2014105; rev:5; metadata:created_at 2012_01_10, former_category MALWARE, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY DRIVEBY Generic - EXE Download by Java"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2014471; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_04_04, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DriveBy, updated_at 2020_08_20;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP request udp";  reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101417; rev:12; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization"; flow: to_server,established; content:"GET"; nocase; http_method; content:"|5C|"; http_uri; content:".aspx"; within:100; nocase; http_uri; reference:url,doc.emergingthreats.net/2001342; reference:cve,CVE-2004-0847; classtype:web-application-attack; sid:2001342; rev:26; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap udp";  reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101419; rev:11; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pincav.cjvb Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:"Asynchronous WinHTTP"; http_user_agent; depth:20; content:"CyoK"; http_client_body; depth:4; content:"CyoK"; http_client_body; distance:0; reference:md5,1e5499640ca31e4b1f113b97a0cae08b; classtype:command-and-control; sid:2015753; rev:4; metadata:created_at 2012_10_01, former_category MALWARE, updated_at 2020_08_20;)
+#alert udp any any -> 255.255.255.255 161 (msg:"GPL SNMP Broadcast request";  reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101415; rev:11; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+
+#alert udp any any -> 255.255.255.255 162 (msg:"GPL SNMP broadcast trap";  reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101416; rev:11; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/DirtJumper CnC Server Providing DDOS Targets"; flow:established,from_server; content:"|0d 0a 0d 0a|"; content:"|7C|"; distance:2; within:1; content:"|7c|"; distance:2; within:4; content:"http|3A 2F 2F|"; distance:3; within:7; pcre:"/\d{2}\x7C\d{1,3}\x7C\d{1,3}http\x3A\x2F\x2F/Ai"; reference:url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/; classtype:command-and-control; sid:2013440; rev:7; metadata:created_at 2011_08_19, former_category MALWARE, updated_at 2022_05_03;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; pcre:"/\x0d\x0aContent-Length\x3a \d{0,6}\x0d\x0a/"; reference:url,doc.emergingthreats.net/2007671; classtype:policy-violation; sid:2007671; rev:16; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY DRIVEBY Generic - EXE Download by Java"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2014471; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_04_04, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DriveBy, updated_at 2022_05_03;)
+
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization"; flow: to_server,established; content:"GET"; nocase; http_method; content:"|5C|"; http_uri; content:".aspx"; within:100; nocase; http_uri; reference:url,doc.emergingthreats.net/2001342; reference:cve,CVE-2004-0847; classtype:web-application-attack; sid:2001342; rev:26; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pincav.cjvb Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:"Asynchronous WinHTTP"; http_user_agent; depth:20; content:"CyoK"; http_client_body; depth:4; content:"CyoK"; http_client_body; distance:0; reference:md5,1e5499640ca31e4b1f113b97a0cae08b; classtype:command-and-control; sid:2015753; rev:4; metadata:created_at 2012_10_01, former_category MALWARE, updated_at 2022_05_03;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Blackhole Java Exploit request to Trop.jar"; flow:established,to_server; content:"/Trop.jar"; http_uri; nocase; classtype:trojan-activity; sid:2014937; rev:20; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Pol.jar"; flow:established,to_server; content:"/Pol.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014436; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_28, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOM Document.3.0 Uninitialized Memory Corruption Attempt"; flow:to_client,established; file_data; content:"f5078f3"; content:"-c551-11d3-89b9-0000f81fe221"; nocase; distance:1; within:28; content:".definition|28|"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f5078f3(2|3)-c551-11d3-89b9-0000f81fe221/si"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2015554; rev:20; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOM Document.3.0 Uninitialized Memory Corruption Attempt"; flow:to_client,established; file_data; content:"f5078f3"; content:"-c551-11d3-89b9-0000f81fe221"; nocase; distance:1; within:28; content:".definition|28|"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f5078f3(2|3)-c551-11d3-89b9-0000f81fe221/si"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2015554; rev:20; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_05_03;)
 
 #alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET DELETED Prg Trojan v0.1-v0.3 Data Upload"; flow:to_server,established; content:"POST"; nocase; http_method; content:"php?"; http_uri; content:"Content-Type|3a20|binary"; http_header; content:"LLAH"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2003182; classtype:trojan-activity; sid:2003182; rev:12; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Glazunov Java exploit request /9-10-/4-5-digit"; flow:established,to_server; content:"|29 20|Java/"; http_user_agent; urilen:14<>18; pcre:"/^\/\d{9,10}\/\d{4,5}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015922; rev:7; metadata:created_at 2012_11_24, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Glazunov Java exploit request /9-10-/4-5-digit"; flow:established,to_server; content:"|29 20|Java/"; http_user_agent; urilen:14<>18; pcre:"/^\/\d{9,10}\/\d{4,5}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015922; rev:7; metadata:created_at 2012_11_24, updated_at 2022_05_03;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Skill.gk User-Agent"; flow:established,to_server; content:"|3b 20 3b 20|"; http_user_agent; content:"MSIE"; http_user_agent; classtype:trojan-activity; sid:2016074; rev:5; metadata:created_at 2012_12_21, updated_at 2020_08_20;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Checkin Header Pattern"; flow:established,to_server; content:"POST"; nocase; http_method; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|X-ID|3a 20|"; fast_pattern; pcre:"/^X-ID\x3a\x20\d+\r?$/Hm"; classtype:command-and-control; sid:2014014; rev:7; metadata:created_at 2011_12_09, former_category MALWARE, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Jar Download Sep 30 2013"; flow:to_server,established; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/index.html?p="; http_uri; pcre:"/\/index\.html\?p=\d+$/U"; reference:md5,d58fea2d0f791e65c6aae8e52f7089c1; classtype:exploit-kit; sid:2017547; rev:4; metadata:created_at 2013_10_01, former_category EXPLOIT_KIT, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Jar Download Sep 30 2013"; flow:to_server,established; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/index.html?p="; http_uri; pcre:"/\/index\.html\?p=\d+$/U"; reference:md5,d58fea2d0f791e65c6aae8e52f7089c1; classtype:exploit-kit; sid:2017547; rev:4; metadata:created_at 2013_10_01, former_category EXPLOIT_KIT, updated_at 2022_05_03;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bebloh C&C HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ff.ie?rnd="; http_uri; fast_pattern:only; nocase; pcre:"/\/ff\.ie\?rnd=\x2d?\d/Ui"; reference:url,doc.emergingthreats.net/2010565; classtype:command-and-control; sid:2010565; rev:13; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bebloh C&C HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ff.ie?rnd="; http_uri; fast_pattern:only; nocase; pcre:"/\/ff\.ie\?rnd=\x2d?\d/Ui"; reference:url,doc.emergingthreats.net/2010565; classtype:command-and-control; sid:2010565; rev:13; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_20;)
+alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC PONG response"; flow:from_client,established; content:"PONG|20|"; depth:5; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002028; classtype:misc-activity; sid:2002028; rev:20; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC PONG response"; flow:from_client,established; content:"PONG|20|"; depth:5; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002028; classtype:misc-activity; sid:2002028; rev:20; metadata:created_at 2010_07_30, updated_at 2020_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Theinstalls.com Trojan Download"; flow:established,to_server; content:"/files/programs/"; http_uri; content:"|0d 0a|Host|3a| "; http_header; content:"theinstalls.com|0d 0a|"; http_header; reference:url,www.theinstalls.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007798; classtype:trojan-activity; sid:2007798; rev:8; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet structure June 27 2013"; flow:established,from_server; file_data; content:"<applet"; content:"<param value=|22|1|22| name=|22|WindowSize|22|>"; fast_pattern; distance:0; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017075; rev:6; metadata:created_at 2013_06_28, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PE EXE or DLL Windows file download disguised as ASCII"; flow:established,from_server; file_data; content:"|34 44 35 41|"; depth:4; content:"|35 30 34 35 30 30|"; distance:0; classtype:trojan-activity; sid:2017962; rev:5; metadata:created_at 2014_01_13, updated_at 2020_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PWS-LDPinch posting data (2)"; flow:established,to_server; content:"POST"; nocase; http_method; urilen:1; content:"/"; http_uri; content:"HTTP/1.1"; content:!"BDNC"; http_user_agent; depth:4; content:"a="; depth:2; http_client_body; fast_pattern; content:"&b="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; reference:url,doc.emergingthreats.net/2007756; classtype:trojan-activity; sid:2007756; rev:12; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Kuluoz.B CnC 3"; flow:from_server,established; file_data; content:"c=rdl&u="; depth:8; fast_pattern; content:"&a="; distance:0; content:"&k="; distance:0; content:"&n="; distance:0; reference:md5,96255178f15033362c81fb6d9b9c3ce4; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2015904; rev:7; metadata:created_at 2012_09_25, former_category MALWARE, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Checkin v2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gate.php"; fast_pattern; nocase; http_uri; content:"application|2F|x-www-form-urlencoded|0D 0A|"; http_header; content:"a="; http_client_body; depth:2; nocase; content:"b="; http_client_body; nocase; content:"d="; http_client_body; nocase; content:"c="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2008469; classtype:trojan-activity; sid:2008469; rev:8; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell ASPXShell - Title"; flow:established,to_client; file_data; content:"<title>"; content:"ASPX Shell"; fast_pattern; nocase; content:"</title>"; distance:0; classtype:trojan-activity; sid:2017183; rev:5; metadata:created_at 2013_07_24, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PE EXE or DLL Windows file download disguised as ASCII"; flow:established,from_server; file_data; content:"|34 44 35 41|"; depth:4; content:"|35 30 34 35 30 30|"; distance:0; classtype:trojan-activity; sid:2017962; rev:5; metadata:created_at 2014_01_13, updated_at 2022_05_03;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Kuluoz.B CnC 3"; flow:from_server,established; file_data; content:"c=rdl&u="; depth:8; fast_pattern; content:"&a="; distance:0; content:"&k="; distance:0; content:"&n="; distance:0; reference:md5,96255178f15033362c81fb6d9b9c3ce4; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2015904; rev:7; metadata:created_at 2012_09_25, former_category MALWARE, updated_at 2022_05_03;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell ASPXShell - Title"; flow:established,to_client; file_data; content:"<title>"; content:"ASPX Shell"; fast_pattern; nocase; content:"</title>"; distance:0; classtype:trojan-activity; sid:2017183; rev:5; metadata:created_at 2013_07_24, updated_at 2022_05_03;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED My Search Bar Install"; flow: to_server,established; content:"/mysetup.exe"; nocase; http_uri; fast_pattern:only; reference:url,www.2-spyware.com/parasite-my-search-bar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001040; classtype:trojan-activity; sid:2001040; rev:12; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED 360safe.com related Fake Security Product Update"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/?fixtool="; fast_pattern; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008036; classtype:trojan-activity; sid:2008036; rev:11; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Downloader.Win32.Tesch.A Bot Command Checkin 1"; flow:established,to_server; dsize:51; content:"|03 00 30 01 01 00|"; fast_pattern; depth:6; flowbits:set,ET.Tesch; reference:md5,86b5491831522f3c7bdcdacb17417514; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:command-and-control; sid:2018478; rev:3; metadata:created_at 2014_05_15, former_category MALWARE, updated_at 2020_08_19;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Downloader.Win32.Tesch.A Bot Command Checkin 1"; flow:established,to_server; dsize:51; content:"|03 00 30 01 01 00|"; fast_pattern; depth:6; flowbits:set,ET.Tesch; reference:md5,86b5491831522f3c7bdcdacb17417514; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:command-and-control; sid:2018478; rev:3; metadata:created_at 2014_05_15, former_category MALWARE, updated_at 2022_05_03;)
 
 #alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED LibSSH Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; ssh.software; content:"libssh-"; threshold: type limit, track by_src, count 1, seconds 30; reference:url,doc.emergingthreats.net/2006435; classtype:misc-activity; sid:2006435; rev:11; metadata:created_at 2010_07_30, updated_at 2021_08_27;)
 
 #alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED LibSSH2 Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; ssh.software; content:"libssh2_"; threshold: type limit, track by_src, count 1, seconds 30; classtype:misc-activity; sid:2018689; rev:4; metadata:created_at 2014_07_17, updated_at 2021_08_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV Gemini systempack exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=systempack"; classtype:trojan-activity; sid:2011991; rev:4; metadata:created_at 2010_12_01, updated_at 2020_08_20;)
+#alert udp $HOME_NET 3531 -> $EXTERNAL_NET 3531 (msg:"ET DELETED JoltID Agent Probing or Announcing UDP";  reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000900; classtype:trojan-activity; sid:2000900; rev:11; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV CryptMEN pack.exe Payload Download"; flow:established,from_server; content:"Content-Disposition|3a| attachment|3b| filename="; content:"|22|pack.exe|22|"; classtype:trojan-activity; sid:2012208; rev:6; metadata:created_at 2011_01_21, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FAKEAV Gemini - packupdate*.exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=packupdate"; classtype:trojan-activity; sid:2011919; rev:5; metadata:created_at 2010_11_10, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV Gemini softupdate*.exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=softupdate"; classtype:trojan-activity; sid:2012227; rev:7; metadata:created_at 2011_01_24, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential FakeAV download ASetup_2009.exe variant"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"Setup_"; fast_pattern; nocase; http_uri; content:".exe"; distance:0; nocase; http_uri; content:!"|0d 0a|Referer|3a| "; nocase; pcre:"/\/[A-Z]Setup_[0-9]{4}\.exe$/Ui"; reference:url,www.prevx.com/avgraph/1/AVG.html; reference:url,doc.emergingthreats.net/2010901; classtype:trojan-activity; sid:2010901; rev:8; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV download (AntiSpyWareSetup.exe)"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=AntiSpy"; nocase; content:"etup.exe"; nocase; classtype:trojan-activity; sid:2012318; rev:7; metadata:created_at 2011_02_18, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV Gemini systempack exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=systempack"; classtype:trojan-activity; sid:2011991; rev:4; metadata:created_at 2010_12_01, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinese Bootkit Checkin"; flow:established,to_server; content:".aspx"; http_uri; content:"a=Windows"; nocase; http_uri; content:"&b="; http_uri; content:"&c="; http_uri; content:"&f="; http_uri; content:"&k="; pcre:"/c=[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}/iU"; reference:url,www.securelist.com/en/blog/434/The_Chinese_bootkit; classtype:command-and-control; sid:2012631; rev:6; metadata:created_at 2011_04_05, former_category MALWARE, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV CryptMEN pack.exe Payload Download"; flow:established,from_server; content:"Content-Disposition|3a| attachment|3b| filename="; content:"|22|pack.exe|22|"; classtype:trojan-activity; sid:2012208; rev:6; metadata:created_at 2011_01_21, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE USPS Spam/Trojan Executable Download"; flow:from_server,established; content:"filename=USPS_Invoice"; content:".exe"; within:32; reference:url,www.virustotal.com/file-scan/report.html?id=41866ac1950b620bd13fb3d6063e3781eaa3bbccb3089b13073abe752d0a6ffa-1318350235; classtype:trojan-activity; sid:2013770; rev:6; metadata:created_at 2011_10_12, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV Gemini softupdate*.exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=softupdate"; classtype:trojan-activity; sid:2012227; rev:7; metadata:created_at 2011_01_24, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre Downloader SSL certificate (fake org)"; flow:established,from_server; content:"|06 03 55 04 0a|"; content:!"|03|cnc"; distance:1; within:4; pcre:"/^.{2}(?P<fake_org>([asdfgh]+|[qwerty]+|[zxcvbn]+|[23werf]+)[01]).+?\x06\x03\x55\x04\x0a.{2}(?P=fake_org)/Rs"; classtype:trojan-activity; sid:2018005; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MALWARE, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2020_08_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV download (AntiSpyWareSetup.exe)"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=AntiSpy"; nocase; content:"etup.exe"; nocase; classtype:trojan-activity; sid:2012318; rev:7; metadata:created_at 2011_02_18, updated_at 2022_05_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows netstat Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Active Connections|0d|"; content:"Proto"; content:"Local Address"; content:"Foreign Address"; content:"State"; distance:0; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019003; rev:3; metadata:created_at 2014_08_26, updated_at 2020_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinese Bootkit Checkin"; flow:established,to_server; content:".aspx"; http_uri; content:"a=Windows"; nocase; http_uri; content:"&b="; http_uri; content:"&c="; http_uri; content:"&f="; http_uri; content:"&k="; pcre:"/c=[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}/iU"; reference:url,www.securelist.com/en/blog/434/The_Chinese_bootkit; classtype:command-and-control; sid:2012631; rev:6; metadata:created_at 2011_04_05, former_category MALWARE, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Flashpack Redirect Method 2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/^Referer\x3a[^\r\n]+\.swf/Hmi"; content:"fvers="; fast_pattern; http_client_body; content:"osa="; http_client_body; classtype:trojan-activity; sid:2019134; rev:6; metadata:created_at 2014_09_08, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED PHP Remote File Inclusion (monster list http)"; flow:established,to_server; content:".php"; nocase; http_uri; content:"http"; nocase; http_uri; pcre:"/\.php.+?(?:c(?:(?:onfi|f)g|alendar)|p(?:a(?:ge|th)|rog)|l(?:ang(uage)?|ib)|f(?:older|ile|ad)|d(?:omain|ir|f)|s(?:ettings|bp)|a(?:genda|uth)|i(?:con|ncl|d)|n(?:ame|ews)|r(?:oot|f)|gallery|type|ext|mod|[a-z](\[.*\])+?)\s*=\s*https?/Ui"; reference:url,www.sans.org/top20/; reference:url,doc.emergingthreats.net/2002997; classtype:web-application-attack; sid:2002997; rev:13; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET HUNTING Suspicious Quotation Mark Usage in FTP Username"; flow:established,to_server; content:"USER "; depth:5; content:"|22|"; distance:0; pcre:"/^USER [^\r\n]*?\x22/"; reference:url,www.checkpoint.com/defense/advisories/public/2010/sbp-16-Aug.html; classtype:bad-unknown; sid:2011488; rev:3; metadata:created_at 2010_09_29, former_category FTP, updated_at 2020_08_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE USPS Spam/Trojan Executable Download"; flow:from_server,established; content:"filename=USPS_Invoice"; content:".exe"; within:32; reference:url,www.virustotal.com/file-scan/report.html?id=41866ac1950b620bd13fb3d6063e3781eaa3bbccb3089b13073abe752d0a6ffa-1318350235; classtype:trojan-activity; sid:2013770; rev:6; metadata:created_at 2011_10_12, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Sweet Orange Landing Nov 3 2014"; flow:established,to_client; file_data; content:"class=|22|green_class|22|"; pcre:"/^[^>\r\n<]+>[A-Za-z]{70}/R"; classtype:exploit-kit; sid:2019643; rev:4; metadata:created_at 2014_11_04, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential FAKEAV Download a-f0-9 x16 download"; flow:to_server,established; content:"/pr2/"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{16}\/.+?\.(exe|zip)$/U"; classtype:bad-unknown; sid:2014730; rev:9; metadata:created_at 2012_05_11, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SweetOrange EK Landing Nov 19 2014"; flow:established,from_server; file_data; content:"|6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 76 61 72 70 72 6f 74 3d 5b|"; classtype:exploit-kit; sid:2019751; rev:7; metadata:created_at 2014_11_20, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+#alert udp $HOME_NET any -> 78.47.139.110 53 (msg:"ET DELETED Possible DNS Data Exfiltration to SSHD Rootkit Last Resort CnC";  reference:url,isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229; classtype:command-and-control; sid:2016473; rev:4; metadata:created_at 2013_02_22, updated_at 2020_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Archie EK T2 SWF Exploit Struct Nov 20 2014"; flow:established,to_server; urilen:69; content:".swf"; http_uri; offset:65; depth:4; pcre:"/^\/[a-f0-9]{64}\.swf$/U"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a/Hmi"; classtype:exploit-kit; sid:2019770; rev:6; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre Downloader SSL certificate (fake org)"; flow:established,from_server; content:"|06 03 55 04 0a|"; content:!"|03|cnc"; distance:1; within:4; pcre:"/^.{2}(?P<fake_org>([asdfgh]+|[qwerty]+|[zxcvbn]+|[23werf]+)[01]).+?\x06\x03\x55\x04\x0a.{2}(?P=fake_org)/Rs"; classtype:trojan-activity; sid:2018005; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MALWARE, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector IE Requesting Payload Jan 19 2015"; flow:established,to_server; content:"GET"; http_method; content:".js?get_message"; http_uri; fast_pattern:only; pcre:"/\d\.js\?get_message(?:=-?\d+?)?$/U"; content:"Referer|3a|"; http_header; pcre:"/^[^\r\n]+?\.html?\r?$/RHmi"; classtype:trojan-activity; sid:2020212; rev:7; metadata:created_at 2015_01_20, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows netstat Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Active Connections|0d|"; content:"Proto"; content:"Local Address"; content:"Foreign Address"; content:"State"; distance:0; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019003; rev:3; metadata:created_at 2014_08_26, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ProxyBox - HTTP CnC - Checkin Response"; flow:established,to_client; file_data; content:"1234567890|0a|"; within:11; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015501; rev:7; metadata:created_at 2012_07_21, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Flashpack Redirect Method 2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/^Referer\x3a[^\r\n]+\.swf/Hmi"; content:"fvers="; fast_pattern; http_client_body; content:"osa="; http_client_body; classtype:trojan-activity; sid:2019134; rev:6; metadata:created_at 2014_09_08, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (2)"; flow:established,to_server; content:"/pics/image.gif"; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; nocase; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/image\.gif$/U"; classtype:exploit-kit; sid:2016279; rev:7; metadata:created_at 2013_01_25, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET HUNTING Suspicious Quotation Mark Usage in FTP Username"; flow:established,to_server; content:"USER "; depth:5; content:"|22|"; distance:0; pcre:"/^USER [^\r\n]*?\x22/"; reference:url,www.checkpoint.com/defense/advisories/public/2010/sbp-16-Aug.html; classtype:bad-unknown; sid:2011488; rev:3; metadata:created_at 2010_09_29, former_category FTP, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector Jan 9 2015"; flow:established,to_server; content:"GET"; http_method; content:".js?"; http_uri; fast_pattern; content:".js"; distance:30; http_uri; pcre:"/\d\.js\?[a-zA-Z0-9]{7,16}=[^&]+(?:&[a-zA-Z0-9]{7,16}=[^&]+){3}\.js$/U"; content:".html"; http_header; content:"Referer|3a|"; http_header; pcre:"/^[^\r\n]+\.html\r?$/RHmi"; flowbits:set,ET.Upatre.Redirector; classtype:trojan-activity; sid:2020159; rev:7; metadata:created_at 2015_01_09, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+#alert udp $HOME_NET any -> 195.22.26.192/26 any (msg:"ET MALWARE AnubisNetworks Sinkhole UDP Connection";  classtype:trojan-activity; sid:2019632; rev:5; metadata:created_at 2014_11_03, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (URI data)"; flow:established,to_server; content:"Content-Type|3a 20|application"; http_raw_header; content:"Content-Type|3a 20|"; distance:0; http_raw_header; pcre:"/(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)/Ui"; reference:url,seclists.org/fulldisclosure/2015/Mar/95; classtype:attempted-dos; sid:2020731; rev:3; metadata:created_at 2015_03_24, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Sweet Orange Landing Nov 3 2014"; flow:established,to_client; file_data; content:"class=|22|green_class|22|"; pcre:"/^[^>\r\n<]+>[A-Za-z]{70}/R"; classtype:exploit-kit; sid:2019643; rev:4; metadata:created_at 2014_11_04, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (POST data)"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type|3a 20|application"; http_raw_header; content:"Content-Type|3a 20|"; http_raw_header; distance:0; pcre:"/(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)/Pmi"; reference:url,seclists.org/fulldisclosure/2015/Mar/95; classtype:attempted-dos; sid:2020732; rev:3; metadata:created_at 2015_03_24, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SweetOrange EK Landing Nov 19 2014"; flow:established,from_server; file_data; content:"|6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 76 61 72 70 72 6f 74 3d 5b|"; classtype:exploit-kit; sid:2019751; rev:7; metadata:created_at 2014_11_20, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (cookie)"; flow:established,to_server; content:"Content-Type|3a 20|application"; http_raw_header; content:"Content-Type|3a 20|"; distance:0; http_raw_header; pcre:"/(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)/Cmi"; reference:url,seclists.org/fulldisclosure/2015/Mar/95; classtype:attempted-dos; sid:2020733; rev:3; metadata:created_at 2015_03_24, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Archie EK T2 SWF Exploit Struct Nov 20 2014"; flow:established,to_server; urilen:69; content:".swf"; http_uri; offset:65; depth:4; pcre:"/^\/[a-f0-9]{64}\.swf$/U"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a/Hmi"; classtype:exploit-kit; sid:2019770; rev:6; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Message)"; flow:from_client,established; content:"|00|MSG|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00msg\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019216; rev:4; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2020_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector IE Requesting Payload Jan 19 2015"; flow:established,to_server; content:"GET"; http_method; content:".js?get_message"; http_uri; fast_pattern:only; pcre:"/\d\.js\?get_message(?:=-?\d+?)?$/U"; content:"Referer|3a|"; http_header; pcre:"/^[^\r\n]+?\.html?\r?$/RHmi"; classtype:trojan-activity; sid:2020212; rev:7; metadata:created_at 2015_01_20, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 06 2016"; flow:established,from_server; file_data; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; fast_pattern; content:"name=|27|"; distance:0; content:"|27|"; distance:12; within:1; content:"|20 77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; within:44; classtype:exploit-kit; sid:2022869; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_06, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ProxyBox - HTTP CnC - Checkin Response"; flow:established,to_client; file_data; content:"1234567890|0a|"; within:11; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015501; rev:7; metadata:created_at 2012_07_21, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector Jan 9 2015"; flow:established,to_server; content:"GET"; http_method; content:".js?"; http_uri; fast_pattern; content:".js"; distance:30; http_uri; pcre:"/\d\.js\?[a-zA-Z0-9]{7,16}=[^&]+(?:&[a-zA-Z0-9]{7,16}=[^&]+){3}\.js$/U"; content:".html"; http_header; content:"Referer|3a|"; http_header; pcre:"/^[^\r\n]+\.html\r?$/RHmi"; flowbits:set,ET.Upatre.Redirector; classtype:trojan-activity; sid:2020159; rev:7; metadata:created_at 2015_01_09, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toserver M3"; flow:established,to_server; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022935; rev:2; metadata:created_at 2016_06_30, updated_at 2020_08_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (URI data)"; flow:established,to_server; content:"Content-Type|3a 20|application"; http_raw_header; content:"Content-Type|3a 20|"; distance:0; http_raw_header; pcre:"/(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)/Ui"; reference:url,seclists.org/fulldisclosure/2015/Mar/95; classtype:attempted-dos; sid:2020731; rev:3; metadata:created_at 2015_03_24, updated_at 2022_05_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M4"; flow:established,to_client; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022936; rev:2; metadata:created_at 2016_06_30, updated_at 2020_08_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (POST data)"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type|3a 20|application"; http_raw_header; content:"Content-Type|3a 20|"; http_raw_header; distance:0; pcre:"/(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)/Pmi"; reference:url,seclists.org/fulldisclosure/2015/Mar/95; classtype:attempted-dos; sid:2020732; rev:3; metadata:created_at 2015_03_24, updated_at 2022_05_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M3"; flow:established,to_client; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022937; rev:2; metadata:created_at 2016_06_30, updated_at 2020_08_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (cookie)"; flow:established,to_server; content:"Content-Type|3a 20|application"; http_raw_header; content:"Content-Type|3a 20|"; distance:0; http_raw_header; pcre:"/(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)/Cmi"; reference:url,seclists.org/fulldisclosure/2015/Mar/95; classtype:attempted-dos; sid:2020733; rev:3; metadata:created_at 2015_03_24, updated_at 2022_05_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toserver M4"; flow:established,to_server; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022938; rev:2; metadata:created_at 2016_06_30, updated_at 2020_08_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Message)"; flow:from_client,established; content:"|00|MSG|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00msg\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019216; rev:4; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Common Construct M1"; flow:established,from_server; file_data; content:"%u0008%u4141%u4141%u4141"; nocase; content:"redim"; nocase; content:"Preserve"; content:"2000"; distance:0; pcre:"/^\s*?\x29/Rs"; content:"%u400C%u0000%u0000%u0000"; nocase; reference:url,theori.io/research/cve-2016-0189; reference:cve,2016-0189; classtype:attempted-user; sid:2022971; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, performance_impact Low, signature_severity Major, tag CVE_2016_0189, updated_at 2020_08_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 06 2016"; flow:established,from_server; file_data; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; fast_pattern; content:"name=|27|"; distance:0; content:"|27|"; distance:12; within:1; content:"|20 77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; within:44; classtype:exploit-kit; sid:2022869; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_06, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Common Construct M2"; flow:established,from_server; file_data; content:"triggerBug"; nocase; content:"Dim "; nocase; distance:0; content:".resize"; nocase; pcre:"/^\s*\x28/Rs"; content:"Mid"; pcre:"/^\s*?\(x\s*,\s*1,\s*24000\s*\x29/Rs"; reference:url,theori.io/research/cve-2016-0189; reference:cve,2016-0189; classtype:attempted-user; sid:2022972; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toserver M3"; flow:established,to_server; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022935; rev:2; metadata:created_at 2016_06_30, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|12|do.tntcentral.mobi"; fast_pattern:only; tls.fingerprint:"75:02:e5:5d:eb:4d:19:b9:6e:a9:61:26:34:82:4b:2f:b6:ad:96:6d"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018760; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M4"; flow:established,to_client; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022936; rev:2; metadata:created_at 2016_06_30, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (ZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|daznukhurebkolsek.net"; distance:1; within:22; tls.fingerprint:"b6:d7:85:2a:e1:ca:32:5f:77:28:d4:64:12:44:8b:01:41:94:0b:c9"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018807; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M3"; flow:established,to_client; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022937; rev:2; metadata:created_at 2016_06_30, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|expert-256bitssl.com"; distance:1; within:21; tls.fingerprint:"ca:2e:43:5b:b8:83:60:81:ff:a6:1c:90:2d:b0:5a:4e:0e:11:c7:8f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018913; rev:4; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toserver M4"; flow:established,to_server; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022938; rev:2; metadata:created_at 2016_06_30, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|19|siefrra1967ga@outlook.com"; distance:1; within:26; tls.fingerprint:"b5:ff:48:e0:d2:15:2e:04:83:f1:8d:50:60:41:46:7a:55:d1:fb:a8"; reference:url,sslbl.abuse.ch; reference:md5,7832ac3ad8275695b8051ab70432e161; classtype:domain-c2; sid:2018917; rev:4; metadata:attack_target Client_and_Server, created_at 2014_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Common Construct M1"; flow:established,from_server; file_data; content:"%u0008%u4141%u4141%u4141"; nocase; content:"redim"; nocase; content:"Preserve"; content:"2000"; distance:0; pcre:"/^\s*?\x29/Rs"; content:"%u400C%u0000%u0000%u0000"; nocase; reference:url,theori.io/research/cve-2016-0189; reference:cve,2016-0189; classtype:attempted-user; sid:2022971; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, performance_impact Low, signature_severity Major, tag CVE_2016_0189, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre C2)"; flow:established,from_server; content:"|55 04 07|"; content:"|05|miami"; distance:1; within:6; content:"|55 04 03|"; distance:0; content:"|0c|94.23.236.54"; distance:1; within:13; tls.fingerprint:"b2:ca:f5:a1:82:79:c1:cb:10:da:17:4c:58:1a:71:38:ff:8b:0c:f2"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018940; rev:4; metadata:attack_target Client_and_Server, created_at 2014_08_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Common Construct M2"; flow:established,from_server; file_data; content:"triggerBug"; nocase; content:"Dim "; nocase; distance:0; content:".resize"; nocase; pcre:"/^\s*\x28/Rs"; content:"Mid"; pcre:"/^\s*?\(x\s*,\s*1,\s*24000\s*\x29/Rs"; reference:url,theori.io/research/cve-2016-0189; reference:cve,2016-0189; classtype:attempted-user; sid:2022972; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Sep 13 2016 (b641)"; flow:established,from_server; file_data; content:"KyAnPHBhcmFtIG5hbWU9Rmxhc2hWYXJzIHZhbHVlPSJpZGRxZD"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2023198; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_13, deployment Perimeter, malware_family RIG, signature_severity Major, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Sep 13 2016 (b641)"; flow:established,from_server; file_data; content:"KyAnPHBhcmFtIG5hbWU9Rmxhc2hWYXJzIHZhbHVlPSJpZGRxZD"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2023198; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_13, deployment Perimeter, malware_family RIG, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Sep 13 2016 (b642)"; flow:established,from_server; file_data; content:"sgJzxwYXJhbSBuYW1lPUZsYXNoVmFycyB2YWx1ZT0iaWRkcWQ9"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2023199; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_13, deployment Perimeter, malware_family RIG, signature_severity Major, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Sep 13 2016 (b642)"; flow:established,from_server; file_data; content:"sgJzxwYXJhbSBuYW1lPUZsYXNoVmFycyB2YWx1ZT0iaWRkcWQ9"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2023199; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_13, deployment Perimeter, malware_family RIG, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Sep 13 2016 (b643)"; flow:established,from_server; file_data; content:"rICc8cGFyYW0gbmFtZT1GbGFzaFZhcnMgdmFsdWU9ImlkZHFkP"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2023200; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_13, deployment Perimeter, malware_family RIG, signature_severity Major, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Sep 13 2016 (b643)"; flow:established,from_server; file_data; content:"rICc8cGFyYW0gbmFtZT1GbGFzaFZhcnMgdmFsdWU9ImlkZHFkP"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2023200; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_13, deployment Perimeter, malware_family RIG, signature_severity Major, updated_at 2022_05_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Route Table"; content:"Active Routes|3a|"; fast_pattern; content:"Network Destination"; content:"Netmask"; content:"Gateway"; content:"Interface"; content:"Metric"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019082; rev:3; metadata:created_at 2014_08_28, updated_at 2020_08_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Route Table"; content:"Active Routes|3a|"; fast_pattern; content:"Network Destination"; content:"Netmask"; content:"Gateway"; content:"Interface"; content:"Metric"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019082; rev:3; metadata:created_at 2014_08_28, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2015-0016 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"wSNfF6IsxmIHAD8ewTEVACMiwT0d"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023277; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2015-0016 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"wSNfF6IsxmIHAD8ewTEVACMiwT0d"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023277; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2015-0016 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"IaOoM9BCQ9FnEgy6IoITEaz6Iex"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023278; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2015-0016 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"IaOoM9BCQ9FnEgy6IoITEaz6Iex"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023278; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2015-0016 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"9xb4GwTUbwUQoyD09AFIox7g9y6"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023279; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2015-0016 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"9xb4GwTUbwUQoyD09AFIox7g9y6"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023279; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2016-0189 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"yTEsz98oyHssxnxc"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023280; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2016-0189 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"yTEsz98oyHssxnxc"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023280; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2016-0189 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"coBDgMAD9lBCQmN"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023281; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2016-0189 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"coBDgMAD9lBCQmN"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023281; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2016-0189 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"hADUiGDEgPTUbAa"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023282; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2016-0189 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"hADUiGDEgPTUbAa"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023282; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2013-2551 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"ATUazSM9vDcoOnUbxnU4Oncoynw9z"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023283; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2013-2551 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"ATUazSM9vDcoOnUbxnU4Oncoynw9z"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023283; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2013-2551 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"Isx7sawSohAH4sxmQsvH4hAD4mwT"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023284; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2013-2551 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"Isx7sawSohAH4sxmQsvH4hAD4mwT"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023284; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2013-2551 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"pBCMlx6I4yTFfBCQbBCpfyTEfA6Il"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023285; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2013-2551 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"pBCMlx6I4yTFfBCQbBCpfyTEfA6Il"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023285; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_05_03;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SUSPICIOUS DTLS 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe ff 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018560; rev:3; metadata:created_at 2014_06_13, former_category CURRENT_EVENTS, updated_at 2020_08_19;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SUSPICIOUS DTLS 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe ff 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018560; rev:3; metadata:created_at 2014_06_13, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data; content:"|67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 64 65 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74|"; content:"3c"; nocase; distance:-242; within:200; pcre:"/^(?P<split>.{1,10})2f(?P=split)64(?P=split)69(?P=split)76(?P=split)3e(?P=split)?[^\x22\x27]*[\x22\x27]\.replace\s*\(\s*[\x22\x27]?\/(?P=split)\/g[\x22\x27]?\s*,\s*[\x22\x27]\x25[\x22\x27]\s*\x29\s*\x3b/Ri"; classtype:exploit-kit; sid:2023307; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data; content:"|67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 64 65 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74|"; content:"3c"; nocase; distance:-242; within:200; pcre:"/^(?P<split>.{1,10})2f(?P=split)64(?P=split)69(?P=split)76(?P=split)3e(?P=split)?[^\x22\x27]*[\x22\x27]\.replace\s*\(\s*[\x22\x27]?\/(?P=split)\/g[\x22\x27]?\s*,\s*[\x22\x27]\x25[\x22\x27]\s*\x29\s*\x3b/Ri"; classtype:exploit-kit; sid:2023307; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DNSChanger EK Secondary Landing Oct 31 2016"; flow:established,from_server; file_data; content:".controlurl"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".schematype"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".csrf"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".port"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:"upnp"; nocase; content:" ip"; nocase; pcre:"/^\s*=\s*[\x22\x27]?(?:10|127|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\./R"; classtype:exploit-kit; sid:2023473; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, malware_family DNSEK, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DNSChanger EK Secondary Landing Oct 31 2016"; flow:established,from_server; file_data; content:".controlurl"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".schematype"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".csrf"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".port"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:"upnp"; nocase; content:" ip"; nocase; pcre:"/^\s*=\s*[\x22\x27]?(?:10|127|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\./R"; classtype:exploit-kit; sid:2023473; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, malware_family DNSEK, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016"; flow:to_server,established; content:"GET"; http_method; content:"/counter/?"; http_uri; depth:10; fast_pattern; content:"&r="; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/counter\/\?(?:[a-z]=(?:0\.\d{8}|1[A-Z0-9a-z]+))+&r=\d+$/U"; classtype:trojan-activity; sid:2023594; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, malware_family Trojan_Kwampirs, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016"; flow:to_server,established; content:"GET"; http_method; content:"/counter/?"; http_uri; depth:10; fast_pattern; content:"&r="; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/counter\/\?(?:[a-z]=(?:0\.\d{8}|1[A-Z0-9a-z]+))+&r=\d+$/U"; classtype:trojan-activity; sid:2023594; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, malware_family Trojan_Kwampirs, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert tcp any 445 -> $HOME_NET any (msg:"ET DOS Excessive Large Tree Connect Response"; flow:from_server,established; byte_test:  3,>,1000,1; content: "|fe 53 4d 42 40 00|"; offset: 4; depth: 6; content: "|03 00|"; offset: 16; depth:2; reference:url,isc.sans.edu/forums/diary/Windows+SMBv3+Denial+of+Service+Proof+of+Concept+0+Day+Exploit/22029/; classtype:attempted-dos; sid:2023831; rev:3; metadata:affected_product SMBv3, attack_target Client_and_Server, created_at 2017_02_03, deployment Datacenter, signature_severity Major, updated_at 2020_08_19;)
+alert tcp any 445 -> $HOME_NET any (msg:"ET DOS Excessive Large Tree Connect Response"; flow:from_server,established; byte_test:  3,>,1000,1; content: "|fe 53 4d 42 40 00|"; offset: 4; depth: 6; content: "|03 00|"; offset: 16; depth:2; reference:url,isc.sans.edu/forums/diary/Windows+SMBv3+Denial+of+Service+Proof+of+Concept+0+Day+Exploit/22029/; classtype:attempted-dos; sid:2023831; rev:3; metadata:affected_product SMBv3, attack_target Client_and_Server, created_at 2017_02_03, deployment Datacenter, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious SCF File Inbound"; flow:to_client,established; file_data; content:"[shell]"; nocase; content:"iconfile"; nocase; distance:0; pcre:"/^\s*=\s*\x5c\x5c/Rs"; reference:url,defensecode.com/news_article.php?id=21; classtype:attempted-user; sid:2024303; rev:3; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Minor, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious SCF File Inbound"; flow:to_client,established; file_data; content:"[shell]"; nocase; content:"iconfile"; nocase; distance:0; pcre:"/^\s*=\s*\x5c\x5c/Rs"; reference:url,defensecode.com/news_article.php?id=21; classtype:attempted-user; sid:2024303; rev:3; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Minor, updated_at 2022_05_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"ET MALWARE IRC Private message on non-standard port"; flow:to_server,established; dsize:<128; content:"PRIVMSG "; depth:8; content:!".twitch.tv"; content:!"twitch.tv|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000347; classtype:trojan-activity; sid:2000347; rev:17; metadata:created_at 2010_07_30, updated_at 2020_08_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"ET MALWARE IRC Private message on non-standard port"; flow:to_server,established; dsize:<128; content:"PRIVMSG "; depth:8; content:!".twitch.tv"; content:!"twitch.tv|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000347; classtype:trojan-activity; sid:2000347; rev:17; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
 alert tcp any any -> any any (msg:"ET MALWARE DPRK HIDDEN COBRA DDoS Handshake Success"; dsize:6; flow:established,to_server; content:"|18 17 e9 e9 e9 e9|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA17-164A; classtype:trojan-activity; sid:2024382; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_06_14, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_08_19;)
 
 alert tcp any any -> any any (msg:"ET MALWARE DPRK HIDDEN COBRA Botnet C2 Host Beacon"; flow:established,to_server; content:"|1b 17 e9 e9 e9 e9|"; depth:6; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA17-164A; classtype:command-and-control; sid:2024383; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_06_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp any any -> $HOME_NET 9100 (msg:"ET EXPLOIT HP Printer Attempted Path Traversal via PJL"; flow:to_server,established; content:"@PJL FS"; depth:7; content:"NAME="; distance:0; pcre:"/^\s*[\x22\x27][^\x22\x27]{0,128}\x2e\x2e/Ri"; reference:url,www.tenable.com/blog/rooting-a-printer-from-security-bulletin-to-remote-code-execution; reference:cve,2017-2741; classtype:attempted-admin; sid:2024404; rev:3; metadata:attack_target IoT, created_at 2017_06_16, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
+alert tcp any any -> $HOME_NET 9100 (msg:"ET EXPLOIT HP Printer Attempted Path Traversal via PJL"; flow:to_server,established; content:"@PJL FS"; depth:7; content:"NAME="; distance:0; pcre:"/^\s*[\x22\x27][^\x22\x27]{0,128}\x2e\x2e/Ri"; reference:url,www.tenable.com/blog/rooting-a-printer-from-security-bulletin-to-remote-code-execution; reference:cve,2017-2741; classtype:attempted-admin; sid:2024404; rev:3; metadata:attack_target IoT, created_at 2017_06_16, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) cert"; flow:established,to_client; content:"|30 82|"; depth:300; content:"|a0 03 02 01 02 02|"; distance:6; within:6; content:"|63 50 61 6e 65 6c 2c 20 49 6e 63|"; distance:60; within:120; fast_pattern; flowbits:set,FB346039_0; flowbits:noalert; classtype:command-and-control; sid:2024772; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) cert"; flow:established,to_client; content:"|30 82|"; depth:300; content:"|a0 03 02 01 02 02|"; distance:6; within:6; content:"|63 50 61 6e 65 6c 2c 20 49 6e 63|"; distance:60; within:120; fast_pattern; flowbits:set,FB346039_0; flowbits:noalert; classtype:command-and-control; sid:2024772; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BadRabbit Driveby Download M1 Oct 24 2017"; flow:established,from_server; file_data; content:"InjectionString"; fast_pattern; content:"setRequestHeader"; nocase; pcre:"/^\s*\(\s*[\x22\x27]Content\-Type/Ri"; content:"onreadystatechange"; nocase; distance:0; content:"readyState"; nocase; distance:0; pcre:"/^\s*==\s*4/Ri"; content:"status"; nocase; distance:0; pcre:"/^\s*==\s*200/Ri"; content:"navigator"; nocase; pcre:"/^\s*\.\s*userAgent/Ri"; content:"document"; nocase; pcre:"/^\s*\.\s*referrer/Ri"; content:"document"; nocase; pcre:"/^\s*\.\s*cookie/Ri"; content:"window"; nocase; pcre:"/^\s*\.\s*location\s*\.\s*hostname/Ri"; content:"document"; nocase; pcre:"/^\s*\.\s*cookie/Ri"; reference:url,www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/; reference:url,www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html; classtype:trojan-activity; sid:2024911; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_and_Server, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BadRabbit Driveby Download M1 Oct 24 2017"; flow:established,from_server; file_data; content:"InjectionString"; fast_pattern; content:"setRequestHeader"; nocase; pcre:"/^\s*\(\s*[\x22\x27]Content\-Type/Ri"; content:"onreadystatechange"; nocase; distance:0; content:"readyState"; nocase; distance:0; pcre:"/^\s*==\s*4/Ri"; content:"status"; nocase; distance:0; pcre:"/^\s*==\s*200/Ri"; content:"navigator"; nocase; pcre:"/^\s*\.\s*userAgent/Ri"; content:"document"; nocase; pcre:"/^\s*\.\s*referrer/Ri"; content:"document"; nocase; pcre:"/^\s*\.\s*cookie/Ri"; content:"window"; nocase; pcre:"/^\s*\.\s*location\s*\.\s*hostname/Ri"; content:"document"; nocase; pcre:"/^\s*\.\s*cookie/Ri"; reference:url,www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/; reference:url,www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html; classtype:trojan-activity; sid:2024911; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_and_Server, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING s0m3 Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"href=|22|s0m3/"; nocase; content:"href=|22|s0m3/"; nocase; distance:0; content:"src=|22|s0m3/"; nocase; distance:0; content:"src=|22|s0m3/"; nocase; distance:0; classtype:social-engineering; sid:2025477; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING s0m3 Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"href=|22|s0m3/"; nocase; content:"href=|22|s0m3/"; nocase; distance:0; content:"src=|22|s0m3/"; nocase; distance:0; content:"src=|22|s0m3/"; nocase; distance:0; classtype:social-engineering; sid:2025477; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - page redirecting to a SutraTDS"; flow:established,to_client; file_data; content:!"[Adblock Plus"; depth:13; content:"/in.cgi?"; distance:0; flowbits:isnotset,ET.opera.adblock; classtype:exploit-kit; sid:2014545; rev:8; metadata:created_at 2012_04_12, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - page redirecting to a SutraTDS"; flow:established,to_client; file_data; content:!"[Adblock Plus"; depth:13; content:"/in.cgi?"; distance:0; flowbits:isnotset,ET.opera.adblock; classtype:exploit-kit; sid:2014545; rev:8; metadata:created_at 2012_04_12, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multi-Email Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function popupwnd(url,"; nocase; fast_pattern; content:"var popupwindow = this.open(url,"; nocase; distance:0; content:"src=|22|signin_files/"; nocase; distance:0; content:"href=|22|signin_files/"; nocase; distance:0; classtype:social-engineering; sid:2026048; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multi-Email Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function popupwnd(url,"; nocase; fast_pattern; content:"var popupwindow = this.open(url,"; nocase; distance:0; content:"src=|22|signin_files/"; nocase; distance:0; content:"href=|22|signin_files/"; nocase; distance:0; classtype:social-engineering; sid:2026048; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2022_05_03;)
 
 alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [eSentire] Win32/Spy.Banker CnC Command (DOWNLOAD)"; flow:from_server,established; dsize:11; content:"DOWNLOAD1|0d 0a|"; depth:11; reference:md5,f45991556122b07d501fa995bd4e74a7; classtype:command-and-control; sid:2025651; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_11, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable base64 encoded"; flow: established,from_server; file_data; content:"TVqQA"; pcre:"/^[A-Za-z0-9]{3}(?:[A-Za-z0-9+/]{4}|\s){100}/Rs"; pcre:"/[^A-Za-z0-9+/]TVqQA/"; reference:md5,49aca228674651cba776be727bdb7e60; classtype:trojan-activity; sid:2018856; rev:12; metadata:created_at 2014_07_31, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable base64 encoded"; flow: established,from_server; file_data; content:"TVqQA"; pcre:"/^[A-Za-z0-9]{3}(?:[A-Za-z0-9+/]{4}|\s){100}/Rs"; pcre:"/[^A-Za-z0-9+/]TVqQA/"; reference:md5,49aca228674651cba776be727bdb7e60; classtype:trojan-activity; sid:2018856; rev:12; metadata:created_at 2014_07_31, updated_at 2022_05_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET ADWARE_PUP [PTsecurity] DeathBot.Java (Minecraft Spambot)"; flow:established, to_server; dsize:<256; content:"|00 00 00|"; depth:3; content:"|01 78 9c|"; distance:1; within:3; fast_pattern; byte_jump:1,3,from_beginning,post_offset 2; isdataat:1, relative; isdataat:!2,relative; threshold:type limit, track by_src, count 1, seconds 30; classtype:pup-activity; sid:2024793; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category ADWARE_PUP, malware_family Spambot, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET ADWARE_PUP [PTsecurity] DeathBot.Java (Minecraft Spambot)"; flow:established, to_server; dsize:<256; content:"|00 00 00|"; depth:3; content:"|01 78 9c|"; distance:1; within:3; fast_pattern; byte_jump:1,3,from_beginning,post_offset 2; isdataat:1, relative; isdataat:!2,relative; threshold:type limit, track by_src, count 1, seconds 30; classtype:pup-activity; sid:2024793; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category ADWARE_PUP, malware_family Spambot, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Altiris.AeXNSConsoleUtilities"; nocase; distance:0; content:"BrowseAndSaveFile"; nocase; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00; reference:url,www.securityfocus.com/bid/36698/info; reference:url,sotiriu.de/adv/NSOADV-2009-001.txt; reference:url,securitytracker.com/alerts/2009/Nov/1023122.html; reference:cve,2009-3031; reference:url,doc.emergingthreats.net/2010245; classtype:attempted-user; sid:2010245; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Altiris.AeXNSConsoleUtilities"; nocase; distance:0; content:"BrowseAndSaveFile"; nocase; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00; reference:url,www.securityfocus.com/bid/36698/info; reference:url,sotiriu.de/adv/NSOADV-2009-001.txt; reference:url,securitytracker.com/alerts/2009/Nov/1023122.html; reference:cve,2009-3031; reference:url,doc.emergingthreats.net/2010245; classtype:attempted-user; sid:2010245; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX DB Software Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods"; flow:to_client,established; content:"CLSID"; nocase; content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; nocase; pcre:"/(LogFile|ClearLogFile|SaveToFile)/i"; reference:bugtraq,31907; reference:url,milw0rm.com/exploits/6828; reference:url,doc.emergingthreats.net/2008789; classtype:web-application-attack; sid:2008789; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX DB Software Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods"; flow:to_client,established; content:"CLSID"; nocase; content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; nocase; pcre:"/(LogFile|ClearLogFile|SaveToFile)/i"; reference:bugtraq,31907; reference:url,milw0rm.com/exploits/6828; reference:url,doc.emergingthreats.net/2008789; classtype:web-application-attack; sid:2008789; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2022_05_03;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ECLIPSEDWING RPCTOUCH MS08-067"; flow:to_server,established; content:"|ff|SMB|2f 00 00 00 00|"; offset:4; depth:9; content:"NTLMSSP|00 03 00 00 00 01 00 01 00|"; distance:0; fast_pattern; content:"|00 00 00 00 49 00 00 00|"; distance:4; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 49 00 00 00|"; within:8; content:"|00 00 00 00 00 00 00 00 00|"; distance:4; within:9; endswith; classtype:trojan-activity; sid:2024214; rev:3; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_19;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ECLIPSEDWING RPCTOUCH MS08-067"; flow:to_server,established; content:"|ff|SMB|2f 00 00 00 00|"; offset:4; depth:9; content:"NTLMSSP|00 03 00 00 00 01 00 01 00|"; distance:0; fast_pattern; content:"|00 00 00 00 49 00 00 00|"; distance:4; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 49 00 00 00|"; within:8; content:"|00 00 00 00 00 00 00 00 00|"; distance:4; within:9; endswith; classtype:trojan-activity; sid:2024214; rev:3; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack URI Format June 17 2013 2"; flow:established,to_server; content:".php?hash=I3QxW"; http_uri; fast_pattern; pcre:"/\.php\?hash=I3QxW[A-Za-z0-9\+\/]+={0,2}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017023; rev:7; metadata:created_at 2013_06_18, former_category EXPLOIT_KIT, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack URI Format June 17 2013 2"; flow:established,to_server; content:".php?hash=I3QxW"; http_uri; fast_pattern; pcre:"/\.php\?hash=I3QxW[A-Za-z0-9\+\/]+={0,2}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017023; rev:7; metadata:created_at 2013_06_18, former_category EXPLOIT_KIT, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Landing Applet With Payload"; flow:established,to_client; file_data; content:".exe?"; fast_pattern; content:"<applet"; content:" value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\/[a-zA-Z0-9\/\-\_]{60,}\/[a-zA-Z0-9]+\.exe\?[a-zA-Z0-9]+=[a-zA-Z0-9]+(&h=\d+)?[\x22\x27]/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; reference:md5,9a17d72f6234a1dc930ffe6b1681504c; classtype:exploit-kit; sid:2016498; rev:11; metadata:created_at 2013_02_26, former_category EXPLOIT_KIT, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Landing Applet With Payload"; flow:established,to_client; file_data; content:".exe?"; fast_pattern; content:"<applet"; content:" value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\/[a-zA-Z0-9\/\-\_]{60,}\/[a-zA-Z0-9]+\.exe\?[a-zA-Z0-9]+=[a-zA-Z0-9]+(&h=\d+)?[\x22\x27]/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; reference:md5,9a17d72f6234a1dc930ffe6b1681504c; classtype:exploit-kit; sid:2016498; rev:11; metadata:created_at 2013_02_26, former_category EXPLOIT_KIT, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Office Doc CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/im"; http_uri; content:"g"; distance:0; http_uri; content:".php?id="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"MSOffice"; http_header; content:!"Outlook"; http_header; pcre:"/\/im(?:age|g)\.php\?id=\d+$/U"; reference:md5,27cd0a3db18fbb6d316fb4542c3a51f3; classtype:command-and-control; sid:2020860; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_04_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Office Doc CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/im"; http_uri; content:"g"; distance:0; http_uri; content:".php?id="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"MSOffice"; http_header; content:!"Outlook"; http_header; pcre:"/\/im(?:age|g)\.php\?id=\d+$/U"; reference:md5,27cd0a3db18fbb6d316fb4542c3a51f3; classtype:command-and-control; sid:2020860; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_04_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; pcre:"/^(?=[^>]*type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]*name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]*value\s*=\s*[\x22\x27][A-Za-z0-9+/]+[\x22\x27]/Rsi"; content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:social-engineering; sid:2023742; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; pcre:"/^(?=[^>]*type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]*name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]*value\s*=\s*[\x22\x27][A-Za-z0-9+/]+[\x22\x27]/Rsi"; content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:social-engineering; sid:2023742; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
 alert udp any any -> $HOME_NET 50000 (msg:"ET EXPLOIT Win32/Industroyer DDOS Siemens SIPROTEC (CVE-2015-5374)"; dsize:18; content:"|11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E|"; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf; classtype:attempted-dos; sid:2024376; rev:3; metadata:attack_target Client_and_Server, created_at 2017_06_12, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows Scriptlet Invoking Powershell Likely Malicious"; flow:established,from_server; file_data; content:"WScript.shell"; nocase; fast_pattern; content:"ActiveXObject"; nocase; content:"<registration"; nocase; distance:0; content:"progid"; distance:0; nocase; content:"<script"; nocase; distance:0; content:"<![CDATA["; nocase; distance:0; pcre:"/^.{1,1000}p(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?o(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?w(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?e(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?r(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?s(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?h(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?e(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?l(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?l/Rsi"; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024549; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows Scriptlet Invoking Powershell Likely Malicious"; flow:established,from_server; file_data; content:"WScript.shell"; nocase; fast_pattern; content:"ActiveXObject"; nocase; content:"<registration"; nocase; distance:0; content:"progid"; distance:0; nocase; content:"<script"; nocase; distance:0; content:"<![CDATA["; nocase; distance:0; pcre:"/^.{1,1000}p(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?o(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?w(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?e(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?r(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?s(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?h(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?e(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?l(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?l/Rsi"; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024549; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2022_05_03;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-8759 Soap File DL Over FTP"; flow:established,from_server; content:"process.start"; nocase; fast_pattern; content:"<service"; nocase; pcre:"/^(?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*[\x22\x27](?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*?\x22[^\x22]*\r?\n[^\x22]*?process\.start/Rsi"; classtype:attempted-admin; sid:2024729; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Critical, updated_at 2020_08_19;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-8759 Soap File DL Over FTP"; flow:established,from_server; content:"process.start"; nocase; fast_pattern; content:"<service"; nocase; pcre:"/^(?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*[\x22\x27](?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*?\x22[^\x22]*\r?\n[^\x22]*?process\.start/Rsi"; classtype:attempted-admin; sid:2024729; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Critical, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PowerShell call in script 1"; flow:from_server,established; file_data; content:"vbscript"; nocase; content:".run"; nocase; content:"powershell.exe"; fast_pattern; content:"<script"; pcre:"/^((?!<\/script>).)+?powershell\.exe/Rsi"; classtype:attempted-user; sid:2025061; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PowerShell call in script 1"; flow:from_server,established; file_data; content:"vbscript"; nocase; content:".run"; nocase; content:"powershell.exe"; fast_pattern; content:"<script"; pcre:"/^((?!<\/script>).)+?powershell\.exe/Rsi"; classtype:attempted-user; sid:2025061; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PowerShell call in script 2"; flow:from_server,established; file_data; content:"vbscript"; nocase; content:"shell"; nocase; pcre:"/^\W/Rs"; content:"powershell.exe"; fast_pattern; content:"<script"; pcre:"/^((?!<\/script>).)+?powershell\.exe/Rsi"; classtype:attempted-user; sid:2025062; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PowerShell call in script 2"; flow:from_server,established; file_data; content:"vbscript"; nocase; content:"shell"; nocase; pcre:"/^\W/Rs"; content:"powershell.exe"; fast_pattern; content:"<script"; pcre:"/^((?!<\/script>).)+?powershell\.exe/Rsi"; classtype:attempted-user; sid:2025062; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_05_03;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed Suspicious UA (Windows)"; flow:established,to_server; http.user_agent; content:"Windows"; bsize:7; http.header; content:"User-Agent|3a 20|Windows|0d 0a|"; fast_pattern; classtype:bad-unknown; sid:2028879; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_21, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_08_20;)
 
@@ -37868,6 +37420,8 @@ alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SmailMax P
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LODEINFO v0.3.5 CnC Checkin"; flow:established,to_server; urilen:1; http.start; content:"POST|20|/|20|HTTP/1.1|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; http.request_body; content:"=njgGCEgbkXQIgexSr"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html; classtype:command-and-control; sid:2030314; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, former_category MALWARE, malware_family LODEINFO, signature_severity Major, updated_at 2020_08_19;)
 
+#alert ipv6 any any -> ff00::/8 any (msg:"ET EXPLOIT Possible CVE-2020-11899 Multicast out-of-bound read";  reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030387; rev:2; metadata:created_at 2020_06_22, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_08_20;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex POST Retrieving Second Stage M2"; flow:established,to_server; content:"|0d 0a 0d 0a|"; distance:0; byte_extract:1,4,Dridex.Pivot,relative; byte_test:1,!=,Dridex.Pivot,0,relative; byte_test:1,=,Dridex.Pivot,7,relative; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/R"; http.host; pcre:"/^(?=[a-z0-9]{0,19}[A-Z])(?:(?=[A-Z0-9]{0,19}[a-z])|(?=[A-Za-z]{0,19}\d)|(?=[A-Z]+\.))[a-zA-Z0-9]{3,20}[\x2e\x20][a-z]{2,3}$/"; http.start; content:"POST / HTTP/1.1|0d 0a|"; depth:17; fast_pattern; reference:md5,148112df459ba40b9127f7d4f1c08df2; classtype:trojan-activity; sid:2020825; rev:8; metadata:created_at 2015_04_01, updated_at 2020_08_19;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [401TRG] ZeroShell RCE Inbound (CVE-2019-12725)"; flow:to_server,established; http.uri; content:"/kerbynet?"; nocase; fast_pattern; content:"Action="; nocase; content:"Section="; nocase; reference:cve,2019-12725; reference:url,isc.sans.edu/forums/diary/Scanning+Activity+for+ZeroShell+Unauthenticated+Access/26368/; classtype:attempted-admin; sid:2030597; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
@@ -38006,9 +37560,7 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed APT/SideW
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.ACBD CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.content_len; bsize:3; content:"364"; http.request_body; content:"OE1utcJ1hOpXDXMMv7v6fEB0TE58D8zB2PFvgXLL"; startswith; reference:md5,26382278c3d185d750203d6a600f8ae9; classtype:command-and-control; sid:2030727; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Zebrocy Downloader Traffic"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/buildings.php"; endswith; fast_pattern; http.content_len; content:"11"; bsize:2; http.host; pcre:"/(?:\d{1,3}\.){3}\d{1,3}/"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,a31e3b8d2f5e0369be8f3dbb7e23120b; reference:url,twitter.com/Vishnyak0v/status/1269651391980736513; classtype:trojan-activity; sid:2030728; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
-
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njRAT CnC Command (ll)"; flow:established,to_server; dsize:<350; content:"|00|ll"; depth:8; fast_pattern; content:"Win|20|"; distance:0;  pcre:"/^\d{1,5}\x00ll/i"; reference:md5,ac7b1fdc679fdbd3cb0cd8a3e30ecddb; classtype:command-and-control; sid:2021176; rev:5; metadata:created_at 2015_06_02, former_category MALWARE, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Zebrocy Downloader Traffic"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/buildings.php"; endswith; fast_pattern; http.content_len; content:"11"; bsize:2; http.host; pcre:"/(?:\d{1,3}\.){3}\d{1,3}/"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,a31e3b8d2f5e0369be8f3dbb7e23120b; reference:url,twitter.com/Vishnyak0v/status/1269651391980736513; classtype:trojan-activity; sid:2030728; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Observed"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Cookie|3a 20|"; fast_pattern; pcre:"/^[a-zA-Z0-9/+]{171}=/R"; http.header_names; content:!"Referer"; reference:md5,d3f53580f7ce72caf9be799106ad89ca; classtype:targeted-activity; sid:2033713; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
@@ -38124,7 +37676,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS.ARS Checkin";
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rodecap/Travle/PYLOT CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"Mozilla/5.0"; fast_pattern; bsize:11; http.request_body; content:"l"; depth:1; content:"=OTl"; within:8; content:"&e"; distance:0; content:"="; within:6; content:"&m"; distance:0; content:"="; within:6; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,ba6dcea82f59799d86111fa28ae95641; reference:url,securelist.com/travle-aka-pylot-backdoor-hits-russian-speaking-targets/83455; classtype:command-and-control; sid:2025234; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category MALWARE, malware_family travle, malware_family PYLOT, malware_family Rodecap, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Compromised Wordpress - Generic Phishing Landing 2018-01-22"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-"; depth:4; content:"?cmd=login_submit&id="; nocase; distance:0; fast_pattern; content:"&session="; nocase; distance:64; within:9; isdataat:!65,relative; classtype:social-engineering; sid:2025236; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Compromised Wordpress - Generic Phishing Landing 2018-01-22"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-"; depth:4; content:"?cmd=login_submit&id="; nocase; distance:0; fast_pattern; content:"&session="; nocase; distance:64; within:9; isdataat:!65,relative; classtype:social-engineering; sid:2025236; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/SamMiner CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?act=hi&uid="; fast_pattern; content:"&ver="; content:"&dotnetver="; content:"&onwork="; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,baa89d17522df0e05a16fa2c23d58f58; classtype:command-and-control; sid:2025235; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
@@ -38164,7 +37716,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Ebay Phishing La
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Shurl0ckr Ransomware CnC (kdvm5fd6tn6jsbwh .onion .to in DNS Lookup)"; dns.query; content:"kdvm5fd6tn6jsbwh"; nocase; depth:16; classtype:command-and-control; sid:2025332; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_08, deployment Perimeter, former_category MALWARE, malware_family Shurl0ckr, signature_severity Major, tag Ransomware, updated_at 2020_08_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SPARS/ARS Stealer Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?action="; content:"&hwid="; distance:0; content:"&access="; fast_pattern; distance:0; http.header_names; content:!"Referer"; reference:md5,76516b465b3589547a9c7c7d955238d8; classtype:command-and-control; sid:2025344; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_12, deployment Perimeter, former_category MALWARE, malware_family Ars_Stealer, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SPARS/ARS Stealer Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?action="; content:"&hwid="; distance:0; content:"&access="; fast_pattern; distance:0; http.header_names; content:!"Referer"; reference:md5,76516b465b3589547a9c7c7d955238d8; classtype:command-and-control; sid:2025344; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_12, deployment Perimeter, former_category MALWARE, malware_family Ars_Stealer, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evrial Stealer Retrieving CnC Information"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Project-Evrial-C2-DOMAIN-"; fast_pattern; nocase; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cookie"; reference:md5,540c736b7e11287805ddd4f3a9d37934; classtype:command-and-control; sid:2025346; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category MALWARE, malware_family Evrial, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
@@ -38422,19 +37974,19 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/G1 Stealer/G
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/G2 Stealer/GravityRAT CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?Value="; content:"UserCode="; distance:0; content:"MacId="; distance:0; content:"HitDate="; distance:0; content:"FingerPrint="; distance:0; fast_pattern; content:"CurrentIp="; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Cache"; content:!"Connection"; reference:md5,6899c2219764bac56007ce80021bfcbf; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:command-and-control; sid:2025540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category MALWARE, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/GX Stealer/GravityRAT Uploading File"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?VALUE=2&Type="; fast_pattern; content:"&SIGNATUREHASH="; distance:0; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Cache"; reference:md5,ec629f648434fc3d17e9561532d038c8; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025541; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category TROJAN, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/GX Stealer/GravityRAT Uploading File"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?VALUE=2&Type="; fast_pattern; content:"&SIGNATUREHASH="; distance:0; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Cache"; reference:md5,ec629f648434fc3d17e9561532d038c8; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025541; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category TROJAN, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/G1 Stealer/GravityRAT Uploading File"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?Value=11&FileName="; fast_pattern; content:"&FileSize="; distance:0; content:"&Macid="; distance:0; content:"&UserCode="; distance:0; reference:md5,783a48640c0776932fc81925962f273b; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025538; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category TROJAN, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) Aug 21 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"GET"; http.uri; content:"&UserName="; nocase; content:"&Password="; nocase; distance:0; fast_pattern; http.host; content:!"absolutdata.com"; content:!"absolutresearch.com"; classtype:credential-theft; sid:2025026; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible Rogue LoJack Asset Tracking Agent"; flow:established,to_server; urilen:1; threshold: type limit, count 2, seconds 300, track by_src; http.method; content:"POST"; http.header; content:"TagId|3a 20|"; fast_pattern; content:!".namequery.com|0d 0a|"; reference:url,asert.arbornetworks.com/lojack-becomes-a-double-agent/amp/; classtype:misc-attack; sid:2025553; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible Rogue LoJack Asset Tracking Agent"; flow:established,to_server; urilen:1; threshold: type limit, count 2, seconds 300, track by_src; http.method; content:"POST"; http.header; content:"TagId|3a 20|"; fast_pattern; content:!".namequery.com|0d 0a|"; reference:url,asert.arbornetworks.com/lojack-becomes-a-double-agent/amp/; classtype:misc-attack; sid:2025553; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-05-02"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"eml="; nocase; depth:4; content:"|25|40"; distance:0; content:"&pw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025554; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful IRS Phish 2018-05-07"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&pww="; nocase; distance:0; fast_pattern; content:"&image.x="; nocase; distance:0; content:"&image.y="; nocase; distance:0; classtype:credential-theft; sid:2025562; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible TSB Bank Phishing Landing 2018-05-07"; flow:established,to_server; http.method; content:"GET"; http.host; content:"tsb.co.uk.personal.logon.login.jsp."; isdataat:50; classtype:social-engineering; sid:2025563; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible TSB Bank Phishing Landing 2018-05-07"; flow:established,to_server; http.method; content:"GET"; http.host; content:"tsb.co.uk.personal.logon.login.jsp."; isdataat:50; classtype:social-engineering; sid:2025563; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful TSB Bank Phish 2018-05-07"; flow:established,to_server; http.method; content:"POST"; http.host; content:"tsb.co.uk.personal.logon.login.jsp."; isdataat:50; classtype:credential-theft; sid:2025564; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
@@ -38528,7 +38080,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apa
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache CouchDB Remote Code Execution 4"; flow:established,to_server; http.method; content:"DELETE"; http.uri; content:"/_config/query_servers/cmd"; fast_pattern; reference:cve,2017-12636; classtype:attempted-user; sid:2025743; rev:3; metadata:attack_target Web_Server, created_at 2018_06_25, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component Ek rishta 2.10 - SQL Injection 3"; flow:established,to_server; http.uri; content:"/index.php?option=com_ekrishta&view="; nocase; content:"&cid="; nocase; distance:0; pcre:"/^(?:[a-zA-Z0-9_])*[\x2c\x22\x27\x28]/Ri"; reference:url,www.exploit-db.com/exploits/44869/; classtype:web-application-attack; sid:2025746; rev:3; metadata:affected_product Joomla, attack_target Client_Endpoint, created_at 2018_06_26, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component Ek rishta 2.10 - SQL Injection 3"; flow:established,to_server; http.uri; content:"/index.php?option=com_ekrishta&view="; nocase; content:"&cid="; nocase; distance:0; pcre:"/^(?:[a-zA-Z0-9_])*[\x2c\x22\x27\x28]/Ri"; reference:url,www.exploit-db.com/exploits/44869/; classtype:web-application-attack; sid:2025746; rev:3; metadata:affected_product Joomla, attack_target Client_Endpoint, created_at 2018_06_26, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component Ek rishta 2.10 - SQL Injection 2"; flow:established,to_server; http.uri; content:"/ekrishta/index.php/login/sign-in"; nocase; fast_pattern; http.request_body; content:"username="; nocase; pcre:"/^(?:[a-zA-Z0-9_])*[\x2c\x22\x27\x28]/Ri"; reference:url,www.exploit-db.com/exploits/44869/; classtype:web-application-attack; sid:2025745; rev:3; metadata:affected_product Joomla, attack_target Web_Server, created_at 2018_06_26, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
@@ -38908,7 +38460,7 @@ alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT28 DOC
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DarkTequila SSL/TLS Certificate Observed"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=OH, O=International Security Depart, CN=the-ebooks-store.com/emailAddress=contact@infws.com"; tls.cert_issuer; content:"O=International Security Depart, emailAddress=contact@infws.com, L=Greater Cleveland, ST=OH, C=US, CN=International Security Depart Ca"; tls.cert_serial; content:"00:ED"; reference:md5,9fbdc5eca123e81571e8966b9b4e4a1e; classtype:trojan-activity; sid:2026540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, signature_severity Major, tag DarkTequila, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Octopus Malware CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?query="; fast_pattern; pcre:"/^\/[a-z]\.php\?query=[a-f0-9]{32}$/i"; http.request_body; content:"eyJpZCI6"; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http.content_type; content:"multipart/form-data|3b|"; http.protocol; content:"HTTP/1.0"; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:command-and-control; sid:2026544; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Octopus, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Octopus Malware CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?query="; fast_pattern; pcre:"/^\/[a-z]\.php\?query=[a-f0-9]{32}$/i"; http.request_body; content:"eyJpZCI6"; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http.content_type; content:"multipart/form-data|3b|"; http.protocol; content:"HTTP/1.0"; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:command-and-control; sid:2026544; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Octopus, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sharik/Smoke Fake 404 Response with Payload Location"; flow:established,from_server; http.stat_code; content:"404"; file.data; content:"|00 00|Location|3a 20|"; depth:12; fast_pattern; reference:md5,6ccf5004f5bd1ffd26a428961a4baf6e; classtype:trojan-activity; sid:2026556; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_25, deployment Perimeter, former_category TROJAN, malware_family Sharik, malware_family SmokeLoader, performance_impact Low, signature_severity Major, tag Fake_404, updated_at 2020_08_27;)
 
@@ -38976,6 +38528,8 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DanaBot Har
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Win32 Lucky Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?sys="; content:"&c_type="; distance:0; content:"&dis_type="; distance:0; fast_pattern; content:"&num="; distance:0; content:"&user="; distance:0; content:"&ver="; distance:0; reference:url,blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/; classtype:command-and-control; sid:2026725; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Satan, signature_severity Major, tag Ransomware, tag Multi_Platform, updated_at 2020_08_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO RealThinClient Session Init"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?ACTION=HELLO"; distance:0; fast_pattern; http.host; content:!"nanosystems.it"; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept-"; reference:url,www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html; reference:md5,7553a383bbdee93624e8208dad686c5a; reference:url,rtc.teppi.net; classtype:bad-unknown; sid:2036705; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious Fake Login - Possible Phishing - 2018-12-31"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"fakeLogin="; depth:10; nocase; content:"&fakePassword="; nocase; distance:0; fast_pattern; classtype:suspicious-login; sid:2026746; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_12_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious Generic Login - Possible Successful Phish 2019-01-02"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"myusername="; depth:11; nocase; content:"&mypassword="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2026749; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_01_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
@@ -39570,7 +39124,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN -
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Information Disclosure (CVE-2018-13379)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/remote/fgt_lang?lang=/../"; depth:35; isdataat:30,relative; fast_pattern; reference:cve,CVE-2018-13379; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027883; rev:3; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2019_08_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gator/Claria Data Submission"; flow: to_server,established; http.method; content:"POST"; nocase; http.uri; content:"gs_trickler"; nocase; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000596; classtype:pup-activity; sid:2000596; rev:17; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gator/Claria Data Submission"; flow: to_server,established; http.method; content:"POST"; nocase; http.uri; content:"gs_trickler"; nocase; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000596; classtype:pup-activity; sid:2000596; rev:17; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casino on Net Reporting Data"; flow: to_server,established; http.uri; content:"/logs.asp?MSGID=100"; nocase; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001031; classtype:pup-activity; sid:2001031; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
@@ -39590,15 +39144,15 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Related
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MediaTickets Download"; flow: to_server,established; http.uri; content:"MediaTicketsInstaller.cab"; http.host; content:"www.mt-download.com"; startswith; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001448; classtype:pup-activity; sid:2001448; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Spyware Install Reporting"; flow: to_server,established; http.uri; content:"/report.php?user_id="; fast_pattern; content:"&status="; content:"&country_id="; http.user_agent; content:"Windows Internet"; depth:16; reference:url,doc.emergingthreats.net/bin/view/Main/2001472; reference:md5,17c204bb156dd7f6a3ebd1547129f347; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FZdesnado.AD&ThreatID=-2147454482; classtype:pup-activity; sid:2001472; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Spyware Install Reporting"; flow: to_server,established; http.uri; content:"/report.php?user_id="; fast_pattern; content:"&status="; content:"&country_id="; http.user_agent; content:"Windows Internet"; depth:16; reference:url,doc.emergingthreats.net/bin/view/Main/2001472; reference:md5,17c204bb156dd7f6a3ebd1547129f347; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FZdesnado.AD&ThreatID=-2147454482; classtype:pup-activity; sid:2001472; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmeup Spyware Install (prog)"; flow: to_server,established; http.uri; content:"/dkprogs/dktibs.php"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001474; classtype:pup-activity; sid:2001474; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmeup Spyware Install (prog)"; flow: to_server,established; http.uri; content:"/dkprogs/dktibs.php"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001474; classtype:pup-activity; sid:2001474; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmeup Spyware Receiving Commands"; flow: to_server,established; http.uri; content:"/xpsystem/commands.ini"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001475; classtype:pup-activity; sid:2001475; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmeup Spyware Install (systime)"; flow: to_server,established; http.uri; content:"/dkprogs/systime.txt"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001480; classtype:pup-activity; sid:2001480; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmeup Spyware Install (systime)"; flow: to_server,established; http.uri; content:"/dkprogs/systime.txt"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001480; classtype:pup-activity; sid:2001480; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmeup Spyware Install (mstask)"; flow: to_server,established; http.uri; content:"/dkprogs/mstasks3.txt"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001483; classtype:pup-activity; sid:2001483; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmeup Spyware Install (mstask)"; flow: to_server,established; http.uri; content:"/dkprogs/mstasks3.txt"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001483; classtype:pup-activity; sid:2001483; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Tibsystems Spyware Download"; flow: to_server,established; http.uri; content:"/d4.fcgi?v="; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001488; classtype:pup-activity; sid:2001488; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
@@ -39614,15 +39168,15 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Look2me Spywar
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Clickspring.net Spyware Reporting"; flow: to_server,established; http.uri; content:"/notify.php?pid=ctxad&module=NDrvExe&v="; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; reference:url,doc.emergingthreats.net/bin/view/Main/2001500; classtype:pup-activity; sid:2001500; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Install (silent_install)"; flow: to_server,established; http.uri; content:"/silent_install.exe"; nocase; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001534; classtype:pup-activity; sid:2001534; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Install (silent_install)"; flow: to_server,established; http.uri; content:"/silent_install.exe"; nocase; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001534; classtype:pup-activity; sid:2001534; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Install (protector.exe)"; flow: to_server,established; http.uri; content:"/protector.exe"; http.host; content:"install.searchmiracle.com"; startswith; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001535; classtype:pup-activity; sid:2001535; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Install (protector.exe)"; flow: to_server,established; http.uri; content:"/protector.exe"; http.host; content:"install.searchmiracle.com"; startswith; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001535; classtype:pup-activity; sid:2001535; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BInet Information Install Report"; flow: to_server,established; http.uri; content:"/bi/servlet/ThinstallPost"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001576; classtype:pup-activity; sid:2001576; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Context Plus Spyware User-Agent (Apropos)"; flow: established,to_server; http.user_agent; content:"AproposClient AutoLoader"; reference:url,doc.emergingthreats.net/2001703; classtype:pup-activity; sid:2001703; rev:36; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Context Plus Spyware Install"; flow: established,to_server; http.uri; content:"/AproposClientInstaller.exe"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001704; classtype:pup-activity; sid:2001704; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Context Plus Spyware Install"; flow: established,to_server; http.uri; content:"/AproposClientInstaller.exe"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001704; classtype:pup-activity; sid:2001704; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfSidekick Activity"; flow: established,to_server; http.uri; content:"/Bundling/SskUpdater"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001731; classtype:pup-activity; sid:2001731; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
@@ -39648,9 +39202,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Grandstreet In
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shopathomeselect .com Spyware User-Agent (WebDownloader)"; flow: to_server,established; http.user_agent; content:"WebDownloader"; reference:url,doc.emergingthreats.net/2002038; classtype:pup-activity; sid:2002038; rev:251; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, tag Spyware_User_Agent, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP yupsearch.com Spyware Install - protector.exe"; flow: to_server,established; http.uri; content:"/protector.exe"; nocase; reference:url,www.yupsearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002092; classtype:pup-activity; sid:2002092; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP yupsearch.com Spyware Install - protector.exe"; flow: to_server,established; http.uri; content:"/protector.exe"; nocase; reference:url,www.yupsearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002092; classtype:pup-activity; sid:2002092; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP yupsearch.com Spyware Install - sideb.exe"; flow: to_server,established; http.uri; content:"/sideb.exe"; nocase; reference:url,www.yupsearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002098; classtype:pup-activity; sid:2002098; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP yupsearch.com Spyware Install - sideb.exe"; flow: to_server,established; http.uri; content:"/sideb.exe"; nocase; reference:url,www.yupsearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002098; classtype:pup-activity; sid:2002098; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casalemedia Spyware Reporting URL Visited 2"; flow: to_server,established; http.uri; content:"/sd?s="; nocase; pcre:"/\/sd\?s=\d+&f=\d/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2002196; classtype:pup-activity; sid:2002196; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
@@ -39658,7 +39212,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iframebiz - lo
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zenotecnico Adware 2"; flow: to_server,established; http.uri; content:"/cl/clienthost"; http.header; content:"zenotecnico"; nocase; reference:url,www.zenotecnico.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002735; classtype:pup-activity; sid:2002735; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zenotecnico Spyware Install Report"; flow: to_server,established; http.uri; content:"/instreport"; http.header; content:"zenotecnico"; nocase; reference:url,www.zenotecnico.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002737; classtype:pup-activity; sid:2002737; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zenotecnico Spyware Install Report"; flow: to_server,established; http.uri; content:"/instreport"; http.header; content:"zenotecnico"; nocase; reference:url,www.zenotecnico.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002737; classtype:pup-activity; sid:2002737; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iDownloadAgent Spyware User-Agent (iDownloadAgent)"; flow:to_server,established; http.user_agent; content:"|20|iDownloadAgent"; reference:url,doc.emergingthreats.net/2002739; classtype:pup-activity; sid:2002739; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
@@ -39688,13 +39242,13 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP dialno Dialer
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfAccuracy.com Spyware Updating"; flow:to_server,established; http.uri; content:"/sacc/sacc.cfg.php?"; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99; reference:url,doc.emergingthreats.net/bin/view/Main/2003390; classtype:pup-activity; sid:2003390; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP clickspring.com Spyware Install User-Agent (CS Fingerprint Module)"; flow:to_server,established; http.user_agent; content:"CS Fingerprint Module"; nocase; reference:url,doc.emergingthreats.net/2003425; classtype:pup-activity; sid:2003425; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP clickspring.com Spyware Install User-Agent (CS Fingerprint Module)"; flow:to_server,established; http.user_agent; content:"CS Fingerprint Module"; nocase; reference:url,doc.emergingthreats.net/2003425; classtype:pup-activity; sid:2003425; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Outerinfo.com Spyware Checkin"; flow: to_server,established; http.uri; content:"/notify.php?"; nocase; content:"pid="; nocase; content:"&module="; nocase; content:"&v="; nocase; content:"&result="; nocase; content:"&message="; nocase; http.header; content:"outerinfo.com"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003426; classtype:pup-activity; sid:2003426; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Dropspam.com Spyware Reporting"; flow:established,to_server; http.uri; content:"/reportaddon.cgi?"; nocase; content:"report.cgi?"; nocase; content:"user="; nocase; content:"software="; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003440; classtype:pup-activity; sid:2003440; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Deskwizz.com Spyware Install INI Download"; flow: to_server,established; http.uri; content:"/GetAd/tekID"; nocase; content:".ini"; reference:url,doc.emergingthreats.net/bin/view/Main/2003445; classtype:pup-activity; sid:2003445; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Deskwizz.com Spyware Install INI Download"; flow: to_server,established; http.uri; content:"/GetAd/tekID"; nocase; content:".ini"; reference:url,doc.emergingthreats.net/bin/view/Main/2003445; classtype:pup-activity; sid:2003445; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bestoffersnetwork.com Related Spyware User-Agent (TBONAS)"; flow:to_server,established; http.user_agent; content:"TBONAS"; depth:6; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BestOffersNetworks&threatid=43670; reference:url,doc.emergingthreats.net/2003501; classtype:pup-activity; sid:2003501; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
@@ -39760,7 +39314,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Topgame-online
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (MyIE/1.0)"; flow:established,to_server; http.user_agent; content:"MyIE/"; depth:5; reference:url,doc.emergingthreats.net/2009991; classtype:pup-activity; sid:2009991; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (M0zilla)"; flow:established,to_server; http.user_agent; content:"M0zilla/4.0|20|(compatible)"; startswith; reference:url,doc.emergingthreats.net/2010265; classtype:pup-activity; sid:2010265; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (M0zilla)"; flow:established,to_server; http.user_agent; content:"M0zilla/4.0|20|(compatible)"; startswith; reference:url,doc.emergingthreats.net/2010265; classtype:pup-activity; sid:2010265; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (MSIE7 na)"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|na|3b 20|)"; fast_pattern; reference:url,doc.emergingthreats.net/2010461; classtype:pup-activity; sid:2010461; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
@@ -40158,7 +39712,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Request for utu.d
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT"; flow:established,to_server; http.uri; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006446; classtype:web-application-attack; sid:2006446; rev:14; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ArtraDownloader Checkin"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-type|3a 20|application/x-www-form-urlencoded"; http.request_body; content:"SNI="; content:"&UME="; fast_pattern; content:"&IVR="; content:"&st="; reference:md5,eec2828cb4a9032ab1177bb472f1977b; reference:url,unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan; classtype:command-and-control; sid:2027771; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ArtraDownloader, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ArtraDownloader Checkin"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-type|3a 20|application/x-www-form-urlencoded"; http.request_body; content:"SNI="; content:"&UME="; fast_pattern; content:"&IVR="; content:"&st="; reference:md5,eec2828cb4a9032ab1177bb472f1977b; reference:url,unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan; classtype:command-and-control; sid:2027771; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ArtraDownloader, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-08-23"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"usuario="; fast_pattern; content:"&clave="; distance:0; classtype:credential-theft; sid:2027911; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
@@ -40644,24 +40198,10 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY CBS Streaming Vide
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NBC Streaming Video"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".smil"; endswith; nocase; http.host; content:"video.nbcuni.com"; startswith; reference:url,doc.emergingthreats.net/2007764; classtype:policy-violation; sid:2007764; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SEO Exploit Kit - client exploited by Acrobat"; flow:established,to_server; http.uri; content:".php?exp=PDF"; classtype:exploit-kit; sid:2011815; rev:4; metadata:created_at 2010_10_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SEO Exploit Kit - client exploited by SMB"; flow:established,to_server; http.uri; content:".php?exp=SMB"; classtype:exploit-kit; sid:2011814; rev:5; metadata:created_at 2010_10_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Farfli HTTP Checkin Activity"; flow: to_server,established; http.uri; content:"/getmac.asp?x="; content:"&y="; pcre:"/x=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/i"; reference:url,www.virustotal.com/analisis/3b532a7bf7850483882024652f6c8a8b; reference:url,doc.emergingthreats.net/2009215; classtype:command-and-control; sid:2009215; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_02;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Waledac Beacon Traffic Detected"; flow:to_server,established; http.method; content:"POST"; depth:4; http.user_agent; content:"Mozilla"; bsize:7; http.request_body; content:"a="; nocase; http.referer; content:"Mozilla"; nocase; bsize:7; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231; reference:url,doc.emergingthreats.net/2008958; classtype:trojan-activity; sid:2008958; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED exploit kit x/l.php?s=dexc"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"x/l.php?s=dexc"; nocase; classtype:exploit-kit; sid:2011907; rev:4; metadata:created_at 2010_11_09, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED exploit kit x/index.php?s=dexc"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"x/index.php?s=dexc"; nocase; classtype:exploit-kit; sid:2011905; rev:4; metadata:created_at 2010_11_09, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Phoenix Exploit Kit - PROPFIND AVI"; flow:established,to_server; http.method; content:"PROPFIND"; http.uri; content:".avi"; classtype:exploit-kit; sid:2011513; rev:6; metadata:created_at 2010_09_27, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Phoenix Exploit Kit - tmp/flash.swf"; flow:established,to_server; http.uri; content:"tmp/flash.swf"; classtype:exploit-kit; sid:2011514; rev:5; metadata:created_at 2010_09_27, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Phoenix Exploit Kit - collab.pdf"; flow:established,to_server; http.uri; content:"collab.pdf"; classtype:exploit-kit; sid:2011515; rev:6; metadata:created_at 2010_09_27, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitter RAT HTTP CnC Beacon"; flow:established,to_server; threshold: type both, count 1, seconds 120, track by_src; http.method; content:"GET"; http.uri; content:".php?cId="; fast_pattern; content:"&hos"; distance:0; content:"Name="; distance:0; content:"Info="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; reference:md5,2b07e054a1abb2941e5e70fba652a211; classtype:command-and-control; sid:2023400; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category MALWARE, malware_family Bitter_implant, signature_severity Major, tag c2, updated_at 2020_09_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PLATINUM Dipsind CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ud7LDjtsTHe2tWeC8DYo8A**"; fast_pattern; reference:md5,0cc901350eaffb8f84b920691460921f; classtype:command-and-control; sid:2024369; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category MALWARE, malware_family Dipsind, malware_family PLATINUM, signature_severity Major, tag APT, tag PLATINUM, tag c2, updated_at 2020_09_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
@@ -41500,8 +41040,6 @@ alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=b-metric.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030844; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/NixScare Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.request_body; content:"zipx=UEs"; startswith; fast_pattern; reference:md5,b04981c338165b27fc2e1e19c9713379; classtype:command-and-control; sid:2030845; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_07, deployment Perimeter, former_category MALWARE, malware_family NixScare, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_09_09;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT29/Wellness CnC Host Checkin"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.cookie; content:".+"; fast_pattern; isdataat:100,relative; content:".+"; distance:0; content:".+"; distance:0; content:"%3a"; nocase; content:"%2c"; nocase; http.request_body; pcre:"/^(?:[a-z0-9:.,]{3,10}\s){50,}[a-z0-9:.,]{3,10}\s*$/i"; reference:md5,98fe909510c79b21e740fec32fb6b1a0; reference:url,blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html; classtype:targeted-activity; sid:2030846; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_08;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006516; classtype:web-application-attack; sid:2006516; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
@@ -41708,6 +41246,8 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fra
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position UNION SELECT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"position="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005487; classtype:web-application-attack; sid:2005487; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/NixScare Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.request_body; content:"zipx=UEs"; startswith; fast_pattern; reference:md5,b04981c338165b27fc2e1e19c9713379; classtype:command-and-control; sid:2030845; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_07, deployment Perimeter, former_category MALWARE, malware_family NixScare, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_09_09;)
+
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position INSERT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"position="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005489; classtype:web-application-attack; sid:2005489; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Microsoft Malware Protection User-Agent Observed to Non-Microsoft Domain"; flow:to_server,established; http.user_agent; content:"MpCommunication"; depth:15; fast_pattern; http.host; content:!".microsoft.com"; isdataat:!1,relative; classtype:misc-activity; sid:2030850; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_09, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2020_09_09;)
@@ -44438,9 +43978,9 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Flooder.Agent.NAS CnC
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mac Trojan HTTP Checkin (accept-language violation)"; flow:established,to_server; http.method; content:"GET"; http.start; content:"|20|HTTP/1.1|0d 0a|Accept-Language|3a 20|"; fast_pattern; pcre:"/^[a-zA-Z0-9]{20}/R"; reference:url,doc.emergingthreats.net/2007650; classtype:command-and-control; sid:2007650; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bifrose/Cycbot Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\x2E(p(hp|ng)|jpe?g|cgi|gif)\x3F(v\d{1,2}|pr)\x3D/"; http.user_agent; content:"chrome/9.0"; reference:md5,8c4f90bb59c05269c6c6990ec434eab6; classtype:command-and-control; sid:2014163; rev:11; metadata:created_at 2012_01_28, former_category MALWARE, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bifrose/Cycbot Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\x2E(p(hp|ng)|jpe?g|cgi|gif)\x3F(v\d{1,2}|pr)\x3D/"; http.user_agent; content:"chrome/9.0"; reference:md5,8c4f90bb59c05269c6c6990ec434eab6; classtype:command-and-control; sid:2014163; rev:11; metadata:created_at 2012_01_28, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Cobalt Strike Malleable C2 Request (YouTube Profile)"; flow:established,to_server; http.uri; content:"/watch?v=iRXJXaLV0n4"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1)|20|"; startswith; http.host; content:"www.youtube.com"; http.header_names; content:!"Referer"; content:"Cookie"; reference:md5,69c6e302cc4394cae7ed8c6f7b288e92; reference:url,attack.mitre.org/groups/G0080/; classtype:command-and-control; sid:2028591; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_09_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Cobalt Strike Malleable C2 Request (YouTube Profile)"; flow:established,to_server; http.uri; content:"/watch?v=iRXJXaLV0n4"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1)|20|"; startswith; http.host; content:"www.youtube.com"; http.header_names; content:!"Referer"; content:"Cookie"; reference:md5,69c6e302cc4394cae7ed8c6f7b288e92; reference:url,attack.mitre.org/groups/G0080/; classtype:command-and-control; sid:2028591; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSBin Demo - Data Exfil"; threshold: type limit, track by_src, seconds 180, count 1; dns.query; bsize:>32; content:"|2e|"; content:".d.zhack.ca"; distance:20; within:11; endswith; reference:url,sysopfb.github.io/malware/2019/09/26/Golang-Dropper-With-A-Rat.html; reference:url,github.com/ettic-team/dnsbin; classtype:command-and-control; sid:2028634; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_09_27, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_10;)
 
@@ -44580,7 +44120,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"manufacturer="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007528; classtype:web-application-attack; sid:2007528; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UNION SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"manufacturer="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007529; classtype:web-application-attack; sid:2007529; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UNION SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"manufacturer="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007529; classtype:web-application-attack; sid:2007529; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer INSERT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"manufacturer="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007530; classtype:web-application-attack; sid:2007530; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
@@ -48612,8 +48152,6 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Reimagepl
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Reimageplus Ransomware Checkin"; flow:established,to_server; http.request_line; content:"GET /?computer_name="; startswith; content:"&userName="; content:"&allow=ransom HTTP/1.1"; endswith; fast_pattern; reference:md5,0e8d3afa39275492cf98dbdd7da49ce9; reference:url,twitter.com/malwrhunterteam/status/1304390412489166848; classtype:command-and-control; sid:2030852; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (QiHoo Profile)"; flow:established,to_server;  http.method; content:"GET"; http.uri; content:!"."; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,image/webp,image/apng,*/*|3b|q=0.8"; bsize:85; content:!"application/signed-exchange"; http.user_agent; content:"Mozilla/5.0 (Linux|3b 20|Android 4.1.1|3b 20|Nexus 7 Build/JRO03D) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Safari";  bsize:123; content:!"Safari/535.19"; http.cookie; content:"__guid="; depth:7; content:"|3b|opqopq="; distance:0; fast_pattern; content:"|3b|QiHooGUID="; distance:0; content:"|3b|"; endswith; http.header_names; content:!"Accept-"; content:!"Referer"; classtype:command-and-control; sid:2032746; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_11, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_09_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
-
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notaevento.php?"; nocase; content:"id_novedad="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012359; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notaevento.php?"; nocase; content:"id_novedad="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012360; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
@@ -48692,7 +48230,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco U
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id DELETE"; flow:established,to_server; http.uri; content:"/detail.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004364; classtype:web-application-attack; sid:2004364; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible AIOCP cp_html2xhtmlbasic.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/public/code/cp_html2xhtmlbasic.php?"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A)/i"; reference:url,www.securityfocus.com/bid/36609/info; reference:url,www.securityfocus.com/archive/1/507030; reference:url,doc.emergingthreats.net/2010080; classtype:web-application-attack; sid:2010080; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible AIOCP cp_html2xhtmlbasic.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/public/code/cp_html2xhtmlbasic.php?"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A)/i"; reference:url,www.securityfocus.com/bid/36609/info; reference:url,www.securityfocus.com/archive/1/507030; reference:url,doc.emergingthreats.net/2010080; classtype:web-application-attack; sid:2010080; rev:9; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"id_menu="; fast_pattern; nocase; distance:0; content:"SELECT"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009980; classtype:web-application-attack; sid:2009980; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
@@ -48720,7 +48258,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET INFO User-Agent (pyth
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id SELECT"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004529; classtype:web-application-attack; sid:2004529; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UNION SELECT"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+?SELECT/i"; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004530; classtype:web-application-attack; sid:2004530; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UNION SELECT"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+?SELECT/i"; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004530; classtype:web-application-attack; sid:2004530; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id INSERT"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004531; classtype:web-application-attack; sid:2004531; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
@@ -48924,7 +48462,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI -
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .pl source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".pl~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009949; classtype:web-application-attack; sid:2009949; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .inc source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".inc~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009950; classtype:web-application-attack; sid:2009950; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .inc source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".inc~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009950; classtype:web-application-attack; sid:2009950; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .conf source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".conf~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009951; classtype:web-application-attack; sid:2009951; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
 
@@ -49048,7 +48586,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Possib
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.pw domain"; flow:established,to_server; http.host; content:".pw"; fast_pattern; endswith; content:!"u.pw"; depth:4; endswith; classtype:bad-unknown; sid:2016777; rev:14; metadata:created_at 2013_04_20, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Xtrat.A Checkin"; flow:established,to_server; http.uri; content:".functions"; fast_pattern; endswith; pcre:"/^\/\d+\.functions$/"; http.host; content:!"microsoft.com"; http.header_names; content:!"Referer"; reference:md5,f45b1b82c849fbbea3374ae7e9200092; classtype:command-and-control; sid:2016275; rev:12; metadata:created_at 2011_12_13, former_category MALWARE, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Xtrat.A Checkin"; flow:established,to_server; http.uri; content:".functions"; fast_pattern; endswith; pcre:"/^\/\d+\.functions$/"; http.host; content:!"microsoft.com"; http.header_names; content:!"Referer"; reference:md5,f45b1b82c849fbbea3374ae7e9200092; classtype:command-and-control; sid:2016275; rev:12; metadata:created_at 2011_12_13, former_category MALWARE, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tinba Checkin 2"; flow:established,to_server; urilen:>1; flowbits:set,ET.Tinba.Checkin; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:2,2,Tinba.Pivot,relative; byte_test:2,=,Tinba.Pivot,2,relative; byte_test:2,!=,Tinba.Pivot,5,relative; http.method; content:"POST"; http.uri; content:"/"; endswith; http.content_len; byte_test:0,>,99,0,string,dec; http.protocol; content:"HTTP/1.0"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; fast_pattern; content:!"User-Agent"; content:!"Accept"; reference:md5,7af6d8de2759b8cc534ffd72fdd8a654; classtype:command-and-control; sid:2020418; rev:7; metadata:created_at 2015_02_12, former_category MALWARE, updated_at 2020_09_14;)
 
@@ -49232,13 +48770,13 @@ alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE W32/Dridex POST
 
 alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query 4"; dns.query; content:"bigdata.advmob.cn"; nocase; endswith; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023518; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sytes.net Domain"; flow:established,to_server; http.host; content:".sytes.net"; endswith; classtype:bad-unknown; sid:2018219; rev:9; metadata:created_at 2012_03_05, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sytes.net Domain"; flow:established,to_server; http.host; content:".sytes.net"; endswith; classtype:bad-unknown; sid:2018219; rev:9; metadata:created_at 2012_03_05, updated_at 2022_05_03;)
 
 alert dns $HOME_NET any -> any any (msg:"ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use"; dns.query; content:"client-lb.dropbox.com"; nocase; endswith; reference:url,dropbox.com; classtype:policy-violation; sid:2020565; rev:4; metadata:created_at 2015_02_25, updated_at 2020_09_15;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 42"; dns.query; content:"www.37513.cn"; nocase; endswith; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022452; rev:4; metadata:created_at 2016_01_27, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4."; flow:established,to_server; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:"|20|MSIE 4."; fast_pattern; nocase; http.host; content:!".weatherbug.com"; endswith; content:!".wxbug.com"; endswith; classtype:policy-violation; sid:2016871; rev:7; metadata:created_at 2013_05_21, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4."; flow:established,to_server; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:"|20|MSIE 4."; fast_pattern; nocase; http.host; content:!".weatherbug.com"; endswith; content:!".wxbug.com"; endswith; classtype:policy-violation; sid:2016871; rev:7; metadata:created_at 2013_05_21, updated_at 2022_05_03;)
 
 alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query 3"; dns.query; content:"bigdata.adfuture.cn"; nocase; endswith; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023517; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_09_15;)
 
@@ -49248,11 +48786,11 @@ alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup / Tor Chec
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.tk domain"; flow:established,to_server; http.host; content:".tk"; fast_pattern; endswith; content:!".tcl.tk"; content:!"tcl.tk"; depth:6; endswith; classtype:bad-unknown; sid:2012810; rev:12; metadata:created_at 2011_05_15, former_category POLICY, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup ipinfo.io"; flow:established,to_server; http.host; content:"ipinfo.io"; depth:9; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:external-ip-check; sid:2020716; rev:6; metadata:created_at 2015_03_20, former_category POLICY, updated_at 2020_09_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup ipinfo.io"; flow:established,to_server; http.host; content:"ipinfo.io"; depth:9; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:external-ip-check; sid:2020716; rev:6; metadata:created_at 2015_03_20, former_category POLICY, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY OpenVPN Update Check"; flow:established,to_server; http.user_agent; content:"Twisted PageGetter"; depth:18; endswith; http.host; content:"swupdate.openvpn.net"; fast_pattern; depth:20; endswith; classtype:policy-violation; sid:2014799; rev:5; metadata:created_at 2012_05_22, updated_at 2020_09_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)"; dns.query; content:"myip.opendns.com"; nocase; endswith; classtype:external-ip-check; sid:2023472; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_15;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup Domain (myip .opendns .com in DNS lookup)"; dns.query; content:"myip.opendns.com"; nocase; endswith; classtype:external-ip-check; sid:2023472; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_15;)
 
 alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)"; dns.query; content:"ipapi.co"; nocase; endswith; classtype:external-ip-check; sid:2024527; rev:6; metadata:attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_15;)
 
@@ -49400,8 +48938,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/NxRansomware C2 Domain Detected (0cf5ff34 .ngrok .io in DNS Lookup)"; dns.query; content:"0cf5ff34.ngrok.io"; endswith; reference:url,twitter.com/struppigel/status/940239612324319232; classtype:command-and-control; sid:2025143; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Downloader.Small.BIL CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?a=Te"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; startswith;  reference:md5,4C669A60719FC1051FB336CB25B209FD; classtype:command-and-control; sid:2025147; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_13, deployment Perimeter, former_category MALWARE, malware_family Downloader_Small_BIL, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
-
 alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup Domain (curlmyip .net in DNS lookup)"; dns.query; content:"curlmyip.net"; nocase; endswith; reference:md5,c375012865b94fa037d23c555e6c2772; classtype:external-ip-check; sid:2025154; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2017_12_16, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_09_16;)
 
 alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .gr.com Domain (gr .com in DNS Lookup)"; dns.query; content:".gr.com"; endswith; reference:url,www.domain.gr.com; classtype:bad-unknown; sid:2025146; rev:5; metadata:created_at 2017_12_12, former_category HUNTING, updated_at 2020_09_16;)
@@ -49458,7 +48994,7 @@ alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA May 201
 
 alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Jun 2017"; dns.query; content:"ab1c403220c27.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024712; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Python Monero Miner CnC DNS Query"; dns.query; content:".zsw8.cc"; endswith; pcre:"/^[a-z]\./"; reference:url,f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto-miner-botnet-flying-under-the-radar; classtype:command-and-control; sid:2025183; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Cryptominer, updated_at 2020_09_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Python Monero Miner CnC DNS Query"; dns.query; content:".zsw8.cc"; endswith; pcre:"/^[a-z]\./"; reference:url,f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto-miner-botnet-flying-under-the-radar; classtype:command-and-control; sid:2025183; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Cryptominer, updated_at 2022_05_03;)
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.ml)"; flow:established,to_client; tls.cert_subject; content:".ml"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025189; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
 
@@ -49496,7 +49032,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation EvilTra
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed ExecPS/Cobolt Domain (getfreshnews .com in DNS Lookup)"; dns.query; content:"getfreshnews.com"; nocase; endswith; reference:md5,5d4d3ba6823a07f070f5a42cbcc7a5c8; classtype:trojan-activity; sid:2025304; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic .EDU Phish (Legit Set)"; flow:to_server,established; flowbits:set,ET.realEDUrequest; flowbits:noalert; http.host; content:".edu"; endswith; classtype:credential-theft; sid:2025333; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic .EDU Phish (Legit Set)"; flow:to_server,established; flowbits:set,ET.realEDUrequest; flowbits:noalert; http.host; content:".edu"; endswith; classtype:credential-theft; sid:2025333; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evrial Stealer CnC Activity M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|report -|20|"; content:".bin|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; distance:19; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:md5,ecd56f1f42f932865e98fd319301e1a5; classtype:command-and-control; sid:2025375; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_21, deployment Perimeter, former_category MALWARE, malware_family Evrial, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
@@ -49560,7 +49096,7 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/GravityRAT CnC Domain (
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/GravityRAT CnC Domain (mylogisoft .com in DNS Lookup)"; dns.query; content:"mylogisoft.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:command-and-control; sid:2025544; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category MALWARE, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely GandCrab Ransomware Domain in HTTP Host M1"; http.host; content:".bit"; endswith; pcre:"/^(?:(?:malwarehuntertea|nomoreranso)m|politiaromana|ransomware|carder)\.(?:bit|coin)$/"; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025547; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_30, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely GandCrab Ransomware Domain in HTTP Host M1"; http.host; content:".bit"; endswith; pcre:"/^(?:(?:malwarehuntertea|nomoreranso)m|politiaromana|ransomware|carder)\.(?:bit|coin)$/"; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025547; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_30, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2022_05_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely GandCrab Ransomware Domain in HTTP Host M2"; http.host; content:".coin"; endswith; pcre:"/^(?:(?:malwarehuntertea|nomoreranso)m|politiaromana|ransomware|carder)\.(?:bit|coin)$/"; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025548; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_30, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
@@ -49590,7 +49126,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Phishin
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Phishing Attempt via GetGoPhish Phishing Tool"; flow:to_server,established; http.method; content:"POST"; http.header; content:"?rid="; fast_pattern; pcre:"/\?rid=[a-f0-9]{64}\x0d\x0a/i"; http.host; content:!"xerox.com"; endswith; reference:url,getgophish.com; classtype:credential-theft; sid:2022487; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header INetSim"; flow:established,from_server; http.content_type; content:"x-msdos-program"; file.data; content:"MZ|0a|Sinkholed|0a|"; depth:13; fast_pattern; endswith; classtype:trojan-activity; sid:2025585; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header INetSim"; flow:established,from_server; http.content_type; content:"x-msdos-program"; file.data; content:"MZ|0a|Sinkholed|0a|"; depth:13; fast_pattern; endswith; classtype:trojan-activity; sid:2025585; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; http.method; content:"POST"; nocase; http.host; content:!"nvidia.com"; endswith; content:!"dc.services.visualstudio.com"; endswith; content:!".avg.com"; endswith; content:!"bitdefender.net"; endswith; content:!"svc.iolo.com"; endswith; content:!".lavasoft.com"; endswith; content:!"canonicalizer.ucsuri.tcs"; http.request_body; content:"C|3A 5C 5C|WINDOWS|5C|"; fast_pattern; nocase; classtype:trojan-activity; sid:2011341; rev:17; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_09_16;)
 
@@ -49834,7 +49370,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OilRig OopsIE CnC
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OilRig OopsIE CnC Checkin M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/khc?"; depth:5; fast_pattern; pcre:"/^[A-F0-9]{10,}$/Ri"; http.accept_enc; content:"gzip, deflate"; endswith; http.header_names; content:"User-Agent"; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:command-and-control; sid:2026083; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family OilRig, malware_family OopsIE, performance_impact Low, signature_severity Major, tag APT, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aura Ransomware User-Agent"; flow:established,to_server; http.user_agent; content:"{KIARA}"; depth:7; endswith; fast_pattern; reference:md5,dde4654f1aa9975d1ffea1af8ea5015f; classtype:trojan-activity; sid:2026100; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_06, deployment Perimeter, former_category MALWARE, malware_family Aura, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aura Ransomware User-Agent"; flow:established,to_server; http.user_agent; content:"{KIARA}"; depth:7; endswith; fast_pattern; reference:md5,dde4654f1aa9975d1ffea1af8ea5015f; classtype:trojan-activity; sid:2026100; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_06, deployment Perimeter, former_category MALWARE, malware_family Aura, signature_severity Major, tag Ransomware, updated_at 2022_05_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS MSIL/Peppy User-Agent"; flow:established,to_server; http.user_agent; content:"onedru/"; depth:7; endswith; fast_pattern; reference:md5,ebffb046d0e12b46ba5f27c0176b01c5; classtype:trojan-activity; sid:2026101; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_07, deployment Perimeter, former_category USER_AGENTS, malware_family Peppy, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
@@ -51124,7 +50660,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUA Related Us
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Mozilla 6.0)"; flow:established,to_server; http.user_agent; content:"Mozilla 6.0"; depth:11; endswith; classtype:bad-unknown; sid:2027142; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_01, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kribat-A Downloader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.user_agent; content:"Command"; depth:7; endswith; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,78184ca66e1774598b96188f977f0687; classtype:trojan-activity; sid:2027024; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_01, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kribat-A Downloader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.user_agent; content:"Command"; depth:7; endswith; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,78184ca66e1774598b96188f977f0687; classtype:trojan-activity; sid:2027024; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_01, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Password Submitted to *.000webhostapp.com"; flow:established,to_server; http.method; content:"POST"; http.host; content:".000webhostapp.com"; endswith; fast_pattern; http.request_body; content:"password="; nocase; classtype:credential-theft; sid:2027146; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
@@ -51158,7 +50694,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Check
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-04-12"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.genericphish; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ur="; depth:3; nocase; content:"&ps="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2027196; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Unk.IoT IPCamera Exploit Attempt Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/sysTimeCfgEx"; fast_pattern; endswith; http.request_body; content:"systemdate="; depth:11; nocase; content:"&systemtime="; nocase; content:"&dwTimeZone"; nocase; content:"&updatemode="; nocase; content:"&ntpHost="; nocase; content:"&ntpPort="; nocase; content:"&timezonecon="; nocase; http.header_names; content:!"Referer"; reference:url,twitter.com/zom3y3/status/1115481065701830657/photo/1; classtype:trojan-activity; sid:2027194; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_12, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Unk.IoT IPCamera Exploit Attempt Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/sysTimeCfgEx"; fast_pattern; endswith; http.request_body; content:"systemdate="; depth:11; nocase; content:"&systemtime="; nocase; content:"&dwTimeZone"; nocase; content:"&updatemode="; nocase; content:"&ntpHost="; nocase; content:"&ntpPort="; nocase; content:"&timezonecon="; nocase; http.header_names; content:!"Referer"; reference:url,twitter.com/zom3y3/status/1115481065701830657/photo/1; classtype:trojan-activity; sid:2027194; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_12, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
 alert dns $HOME_NET any -> any any (msg:"ET POLICY URL Shortener Service Domain in DNS Lookup (tiny .cc)"; dns.query; content:"tiny.cc"; nocase; endswith; classtype:trojan-activity; sid:2027199; rev:4; metadata:created_at 2019_04_15, former_category POLICY, tag URL_Shortener_Service, updated_at 2020_09_17;)
 
@@ -51316,7 +50852,7 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to APT10
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to APT10 Related CnC Domain"; dns.query; content:".tencentchat.net"; nocase; endswith; reference:url,blog.ensilo.com/uncovering-new-activity-by-apt10; classtype:targeted-activity; sid:2027387; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category MALWARE, malware_family APT10, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent"; flow:established,to_server; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; nocase; fast_pattern; classtype:unknown; sid:2027390; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent"; flow:established,to_server; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; nocase; fast_pattern; classtype:misc-activity; sid:2027390; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Node XMLHTTP User-Agent"; flow:established,to_server; http.user_agent; content:"node-XMLHttpRequest"; depth:19; endswith; nocase; fast_pattern; classtype:unknown; sid:2027388; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
@@ -51360,7 +50896,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ra
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA (GHOST)"; flow:established,to_server; http.user_agent; content:"GHOST"; depth:5; endswith; classtype:trojan-activity; sid:2027444; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buran Ransomware Activity M2"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"GHOST"; depth:5; endswith; fast_pattern; http.referer; content:!"."; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i"; http.header_names; content:!"Connection"; content:!"Cache"; content:!"Accept"; classtype:trojan-activity; sid:2027445; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_10, deployment Perimeter, former_category MALWARE, malware_family Buran, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buran Ransomware Activity M2"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"GHOST"; depth:5; endswith; fast_pattern; http.referer; content:!"."; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i"; http.header_names; content:!"Connection"; content:!"Cache"; content:!"Accept"; classtype:trojan-activity; sid:2027445; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_10, deployment Perimeter, former_category MALWARE, malware_family Buran, signature_severity Major, tag Ransomware, updated_at 2022_05_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Attempted Remote Command Injection Outbound (CVE-2019-3929)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/file_transfer.cgi"; endswith; http.request_body; content:"file_transfer="; depth:14; content:"&dir=|27|Pa_Note"; distance:0; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027450; rev:3; metadata:attack_target IoT, created_at 2019_06_11, cve 2019_3929, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
@@ -51590,7 +51126,7 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inter Skimmer CnC Domain in
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inter Skimmer CnC Domain in DNS Lookup"; dns.query; content:"jsreload.pw"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html; classtype:command-and-control; sid:2027692; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt CnC Activity - Started"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?s=started"; endswith; fast_pattern; http.user_agent; content:"Go-http-client/1.1"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:command-and-control; sid:2027701; rev:4; metadata:attack_target IoT, created_at 2019_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt CnC Activity - Started"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?s=started"; endswith; fast_pattern; http.user_agent; content:"Go-http-client/1.1"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:command-and-control; sid:2027701; rev:4; metadata:attack_target IoT, created_at 2019_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt CnC Activity - Done"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?s=done"; endswith; fast_pattern; http.user_agent; content:"Go-http-client/1.1"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:command-and-control; sid:2027702; rev:4; metadata:attack_target IoT, created_at 2019_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
@@ -51750,7 +51286,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MedusaHTTP Varian
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoBrut/StealthWorker Requesting Brute Force List (flowbit set)"; flow:established,to_server; flowbits:set,ET.PhpMyAdminBrute.1; threshold:type limit, count 1, seconds 120, track by_src; http.method; content:"GET"; http.uri; content:"?worker=php_b"; fast_pattern; endswith; http.user_agent; content:"Ubuntu|3b 20|Linux|20|x86_64"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:!"Referer"; reference:md5,1c315f9487ad20c3ac72747f13968507; reference:url,blog.yoroi.company/research/gobrut-a-new-golang-botnet/; reference:url,blog.yoroi.company/research/new-gobrut-version-in-the-wild/; classtype:trojan-activity; sid:2033717; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_14, deployment Perimeter, former_category MALWARE, malware_family PhpMyAdminBrute, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoBrut/StealthWorker Service Bruter CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gw?worker="; fast_pattern; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux x"; depth:33; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:!"Referer"; reference:md5,1b8052d60de7ce8a9d281cf43d8d3091; reference:url,blog.yoroi.company/research/gobrut-a-new-golang-botnet/; reference:url,blog.yoroi.company/research/new-gobrut-version-in-the-wild/; classtype:command-and-control; sid:2033718; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoBrut/StealthWorker Service Bruter CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gw?worker="; fast_pattern; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux x"; depth:33; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:!"Referer"; reference:md5,1b8052d60de7ce8a9d281cf43d8d3091; reference:url,blog.yoroi.company/research/gobrut-a-new-golang-botnet/; reference:url,blog.yoroi.company/research/new-gobrut-version-in-the-wild/; classtype:command-and-control; sid:2033718; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoBrut/StealthWorker Service Bruter CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/knock?worker="; fast_pattern; content:"&os="; content:"&version="; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux x"; depth:33; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:!"Referer"; reference:md5,bcb7d4fdee2023ad62132ebdf794baa4; reference:url,blog.yoroi.company/research/gobrut-a-new-golang-botnet/; reference:url,blog.yoroi.company/research/new-gobrut-version-in-the-wild/; classtype:command-and-control; sid:2033719; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_05_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
@@ -51872,9 +51408,9 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MyKings Bootloade
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (api .ipaddress .com)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/myip"; depth:5; endswith; http.host; content:"api.ipaddress.com"; depth:17; fast_pattern; endswith; classtype:external-ip-check; sid:2027905; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_22, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nemty Ransomware Style Geo IP Check M1"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Chrome"; fast_pattern; bsize:6; http.host; content:"api.db-ip.com"; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-conn; reference:md5,0e0b7b238a06a2a37a4de06a5ab5e615; classtype:trojan-activity; sid:2027913; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nemty Ransomware Style Geo IP Check M1"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Chrome"; fast_pattern; bsize:6; http.host; content:"api.db-ip.com"; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-conn; reference:md5,0e0b7b238a06a2a37a4de06a5ab5e615; classtype:trojan-activity; sid:2027913; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, tag Ransomware, updated_at 2022_05_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nemty Ransomware Style Geo IP Check M2"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Chrome"; fast_pattern; bsize:6; http.host; content:"api.ipify.org"; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-conn; reference:md5,0e0b7b238a06a2a37a4de06a5ab5e615; classtype:trojan-activity; sid:2027914; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nemty Ransomware Style Geo IP Check M2"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Chrome"; fast_pattern; bsize:6; http.host; content:"api.ipify.org"; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-conn; reference:md5,0e0b7b238a06a2a37a4de06a5ab5e615; classtype:trojan-activity; sid:2027914; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, tag Ransomware, updated_at 2022_05_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External Geo IP Lookup (api .db-ip .com)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"api.db-ip.com"; endswith; http.header_names; content:!"Referer"; classtype:policy-violation; sid:2027915; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
 
@@ -52248,8 +51784,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Googl
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Office 365 Phish 2016-11-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Email="; depth:6; nocase; content:"&Passwd="; nocase; distance:0; content:"&type="; nocase; distance:0; content:"&fspost="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032630; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Generic PDF Online Phish (set) 2016-10-11"; flow:to_server,established; flowbits:set,ET.GenericPDFOnline.Phish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&pass"; nocase; distance:0; content:"&submit="; nocase; distance:0; endswith; classtype:credential-theft; sid:2032631; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_21, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2021_06_23;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish M1 2016-09-30"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"_nossn="; depth:7; nocase; content:"&lobIndicator="; nocase; distance:0; fast_pattern; content:"&userid="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&epass="; nocase; distance:0; classtype:credential-theft; sid:2032556; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Sparkasse (DE) Phish 2016-11-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"sfm_form_submitted="; depth:19; nocase; content:"&Anrede="; nocase; distance:0; content:"&Titel="; nocase; distance:0; content:"&Vorname="; nocase; distance:0; content:"&Name="; nocase; distance:0; content:"&LegitimationsID="; nocase; distance:0; fast_pattern; content:"&PIN="; nocase; distance:0; content:"&Strabe="; nocase; distance:0; content:"&Postleitzah="; nocase; distance:0; content:"&PLZ="; nocase; distance:0; content:"&Wohnort="; nocase; distance:0; content:"&Geburtsdatum="; nocase; distance:0; content:"&Handy="; nocase; distance:0; content:"&Telefon="; nocase; distance:0; content:"&KontoNr="; nocase; distance:0; content:"&Datum="; nocase; distance:0; classtype:credential-theft; sid:2032632; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
@@ -52494,7 +52028,7 @@ alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to dns-stuff.
 
 alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR"; dns.query; content:".onion"; fast_pattern; endswith; reference:url,en.wikipedia.org/wiki/.onion; classtype:policy-violation; sid:2014939; rev:5; metadata:created_at 2012_06_22, updated_at 2020_09_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for a Suspicious *.be.ma domain"; dns.query; content:".be.ma"; fast_pattern; endswith; classtype:bad-unknown; sid:2012902; rev:7; metadata:created_at 2011_05_31, former_category HUNTING, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for a Suspicious *.be.ma domain"; dns.query; content:".be.ma"; fast_pattern; endswith; classtype:bad-unknown; sid:2012902; rev:7; metadata:created_at 2011_05_31, former_category HUNTING, updated_at 2022_05_03;)
 
 alert dns $HOME_NET any -> any any (msg:"ET INFO Query for a Suspicious *.upas.su domain"; dns.query; content:".upas.su"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2015550; rev:5; metadata:created_at 2012_07_31, former_category HUNTING, updated_at 2020_09_17;)
 
@@ -53940,7 +53474,7 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE BernhardPOS Possible Data Ex
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT28 Maldoc CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/software-protection/app.php"; startswith; fast_pattern; endswith; http.connection; content:"Keep-Alive"; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cache"; reference:url,blog.telsy.com/zebrocy-dropbox-remote-injection/; classtype:targeted-activity; sid:2027939; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_09_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Evil Eye Android Malware Beacon"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64|3b 20|rv:65.0) Gecko/20100101 Firefox/65.0"; depth:78; http.request_body; content:"{|22|device_id|22 3a 22|"; depth:14; fast_pattern; http.accept_lang; content:"zh-CN"; depth:5; endswith; reference:url,www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/; classtype:trojan-activity; sid:2027940; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag c2, updated_at 2020_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Evil Eye Android Malware Beacon"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64|3b 20|rv:65.0) Gecko/20100101 Firefox/65.0"; depth:78; http.request_body; content:"{|22|device_id|22 3a 22|"; depth:14; fast_pattern; http.accept_lang; content:"zh-CN"; depth:5; endswith; reference:url,www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/; classtype:trojan-activity; sid:2027940; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a Reverse Proxy Service Observed"; dns.query; content:".serveo.net"; nocase; endswith; classtype:policy-violation; sid:2027942; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_09_03, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
 
@@ -53988,7 +53522,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious smss.e
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious csrss.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/csrss.exe"; nocase; fast_pattern; endswith; reference:md5,21a069667a6dba38f06765e414e48824; classtype:bad-unknown; sid:2016702; rev:15; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious rundll32.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/rundll32.exe"; nocase; fast_pattern; endswith; reference:md5,ea3dec87f79ff97512c637a5c8868a7e; classtype:bad-unknown; sid:2016703; rev:15; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious rundll32.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/rundll32.exe"; nocase; fast_pattern; endswith; reference:md5,ea3dec87f79ff97512c637a5c8868a7e; classtype:bad-unknown; sid:2016703; rev:15; metadata:created_at 2013_04_02, former_category INFO, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious lsass.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/lsass.exe"; nocase; endswith; fast_pattern; reference:md5,d929747212309559cb702dd062fb3e5d; classtype:bad-unknown; sid:2016699; rev:16; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
 
@@ -54000,6 +53534,8 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inception Group CnC Observed
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Absent)"; flow:established,to_server; http.user_agent; content:"Absent"; depth:6; endswith; classtype:bad-unknown; sid:2028571; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_09_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key"; flow:established,to_server; threshold: type limit, track by_dst, seconds 60, count 1; http.method; content:"GET"; http.uri; content:"/get.php?pid="; fast_pattern; content:"&first=true"; distance:32; within:11; endswith; http.user_agent; content:"Microsoft Internet Explorer"; depth:27; endswith; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,13f04ff944fa65eddd3e911740837a8a; reference:md5,c0672f0359afba1c24ab0f90f568bdc0; classtype:trojan-activity; sid:2036334; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TransparentTribe APT Maldoc CnC Checkin"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"relay=y"; startswith; fast_pattern; endswith; http.content_type; content:"application|2f|x-www-form-urlencoded"; http.header_names; content:!"Referer"; content:!"Connection"; content:!"Accept"; reference:url,mp.weixin.qq.com/s/pJ-rnzB7VMZ0feM2X0ZrHA; classtype:targeted-activity; sid:2028569; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TransparentTribe, updated_at 2020_09_17;)
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=suport.worldupdate.site"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,m.threatbook.cn/detail/1924; classtype:domain-c2; sid:2028584; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_09_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
@@ -54358,7 +53894,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Troj.Cidox
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Coldfusion 9 Auth Bypass CVE-2013-0632"; flow:to_server; http.method; content:"POST"; http.uri; content:"/adminapi/administrator.cfc?"; nocase; content:"method"; nocase; content:"login"; nocase; http.request_body; content:"rdsPasswordAllowed"; nocase; fast_pattern; pcre:"/rdsPasswordAllowed[\r\n\s]*?=[\r\n\s]*?(?:true|1)/i"; reference:url,www.exploit-db.com/exploits/27755/; reference:cve,2013-0632; classtype:attempted-user; sid:2017366; rev:4; metadata:created_at 2013_08_22, updated_at 2020_09_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RegSubsDat Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"0000/log"; fast_pattern; pcre:"/\/\d\d[A-F0-9]{4}0000\/log$/"; http.user_agent; content:"Mozilla/4.0"; bsize:11; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:command-and-control; sid:2014310; rev:7; metadata:created_at 2012_03_05, former_category MALWARE, updated_at 2020_09_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RegSubsDat Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"0000/log"; fast_pattern; pcre:"/\/\d\d[A-F0-9]{4}0000\/log$/"; http.user_agent; content:"Mozilla/4.0"; bsize:11; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:command-and-control; sid:2014310; rev:7; metadata:created_at 2012_03_05, former_category MALWARE, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitcoin variant Checkin"; flow:to_server,established; http.uri; content:"/register_slave.php"; fast_pattern; http.header_names; content:!"|0d 0a|Referer"; nocase; reference:url,blog.avast.com/2013/08/01/malicious-bitcoin-miners-target-czech-republic/; classtype:coin-mining; sid:2017369; rev:4; metadata:created_at 2013_08_23, former_category MALWARE, updated_at 2020_09_20;)
 
@@ -54580,8 +54116,6 @@ alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sehyioa Variant Activity (Download)"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"seCurEstrInGTogloBALAlLoCUnicOdE|28 20 24 28 27|76492d1116743f0423413b16050a5345MgB8A"; nocase; fast_pattern; reference:md5,fc30e902d1098b7efd85bd2651b2293f; reference:url,www.group-ib.com/blog/oldgremlin; classtype:trojan-activity; sid:2030905; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Moist Stealer CnC Exfil"; flow:established,to_server; http.uri; content:".php?id=";  content:"&caption="; distance:0; content:"|20|Moist|20|Stealer|20|gate|20|detected|20|new|20|log!"; nocase; distance:0; fast_pattern; content:"User|3a|"; nocase; distance:0; content:"IP|3a|"; nocase; distance:0; http.request_body; content:"].zip|0d 0a|"; http.header_names; content:!"Referer"; reference:md5,f855dffcbd21d4e4a59eed5a7a392af9; classtype:command-and-control; sid:2030900; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Moist_Stealer, signature_severity Major, updated_at 2020_09_23;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Trojan Downloader"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?p="; fast_pattern; content:"&s="; content:"&v="; distance:0; content:"uid="; distance:0; content:"&q="; distance:0; http.header_names; content:!"Accept|0d 0a|"; reference:url,doc.emergingthreats.net/2009299; classtype:trojan-activity; sid:2009299; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2020_09_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE hacker87 checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/AppEn.php"; fast_pattern; http.request_body; content:"parameter="; depth:10; reference:md5,0d7dd2a6c69f2ae7e575ee8640432c4b; classtype:command-and-control; sid:2018420; rev:4; metadata:created_at 2014_04_25, former_category MALWARE, updated_at 2020_09_24;)
@@ -54770,8 +54304,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Huge IT Image Gallery 1.0.0 SQL Injection"; flow:established,to_server; http.uri; content:"wp-admin/admin.php"; content:"page=gallerys_huge_it_gallery"; fast_pattern; content:"task=edit_cat"; content:"removeslide="; reference:url,packetstormsecurity.com/files/128118/wphugeitig-sql.txt; classtype:web-application-attack; sid:2019139; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_09_09, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - PDF Exploit - Feb 12 2013"; flow:established,to_server; http.uri; content:".pdf"; nocase; fast_pattern; pcre:"/\/w(?:hite|orld|step)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.PDF)$/"; classtype:exploit-kit; sid:2016405; rev:9; metadata:created_at 2013_02_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zeus GameOver Connectivity Check 2"; flow:established,to_server; urilen:1; http.host; content:"windowsupdate.microsoft.com"; bsize:27; http.connection; content:"Close"; fast_pattern; startswith; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,236bde81355e075e7ed6bcdc60daefcb; classtype:trojan-activity; sid:2019155; rev:4; metadata:created_at 2014_09_10, updated_at 2020_09_25;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Webmin Directory Traversal"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/save_env.cgi"; fast_pattern; http.request_body; content:"&user="; content:"|2e 2e 2f|"; distance:0; reference:url,sites.utexas.edu/iso/2014/09/09/arbitrary-file-deletion-as-root-in-webmin/; classtype:misc-attack; sid:2019157; rev:5; metadata:created_at 2014_09_10, updated_at 2020_09_25;)
@@ -55044,8 +54576,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Code
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Adrom.Backdoor CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?page="; content:"&enckey="; fast_pattern; pcre:"/\x26enckey\x3D[A-F0-9]+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c621055803c68e89f3cb141608fd0894; reference:md5,3c2be5202d2d68047c76bdf7e1dfc2be; classtype:command-and-control; sid:2020293; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (7)"; flow:established,to_server; http.uri; content:"/get"; fast_pattern; content:".jpg"; pcre:"/\/(?:w(?:hite|orld)|step)\/get(?:a+|n+)\.jpg/"; classtype:exploit-kit; sid:2016559; rev:17; metadata:created_at 2013_03_09, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
-
 #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Heimdallbot Attack Tool Inbound"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.header; content:"Heimdallbot"; nocase; fast_pattern; pcre:"/^User-Agent\x3a[^\r\n]*?Heimdallbot/mi"; classtype:web-application-attack; sid:2020323; rev:4; metadata:created_at 2015_01_28, updated_at 2020_09_29;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Generic revslider Arbitrary File Download"; flow:established,to_server; http.uri; content:"/admin-ajax.php?"; fast_pattern; content:"slider_show_image"; pcre:"/^[^\r\n]*(?:%2(?:52e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))|\.(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))/Rim"; reference:url,blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html; classtype:web-application-attack; sid:2020221; rev:6; metadata:created_at 2015_01_21, updated_at 2020_09_29;)
@@ -55666,6 +55196,10 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Card Skim
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fullz House Credit Card Skimmer JavaScript Inbound"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"var SendFlag = []|3b 0a|function Base64Function(e) {|0d|"; startswith; fast_pattern; content:"|0a|function SendData(vals){|0a|"; distance:0; content:"var b = document.createElement|28 22|img|22 29 3b|b.width = |22|1px|22 3b|b.height = |22|1px|22 3b 20|b.id = img_id|3b|b.src = atob|28 22|"; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:command-and-control; sid:2030981; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_10_06;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UsefulTyphon CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/image?i="; fast_pattern; content:"&u="; distance:0; content:"&p="; distance:0; pcre:"/&u=[a-f0-9]{16}&p=/"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,768c84100d6e3181a26fa50261129287; classtype:command-and-control; sid:2036502; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2020_10_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UsefulTyphon CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".down"; fast_pattern; pcre:"/\/[a-f0-9]{16}\.down$/"; http.header_names; content:!"Referer"; reference:md5,768c84100d6e3181a26fa50261129287; classtype:command-and-control; sid:2036503; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2020_10_06;)
+
 alert udp $HOME_NET !9987 -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set"; content:!"7PYqwfzt"; depth:8; content:!"r6fnvWj8"; depth:8; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,&,16,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014701; rev:13; metadata:created_at 2012_05_04, updated_at 2022_04_18;)
 
 alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set"; content:!"7PYqwfzt"; depth:8; content:!"r6fnvWj8"; depth:8; byte_test:1,&,64,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014702; rev:10; metadata:created_at 2012_05_04, updated_at 2020_10_06;)
@@ -55990,19 +55524,19 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mysearch.com/M
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zango Seekmo Bar Spyware User-Agent (Seekmo Toolbar)"; flow:to_server,established; threshold:type both, count 1, seconds 300, track by_src; http.user_agent; content:"Seekmo"; fast_pattern; nocase; classtype:pup-activity; sid:2003397; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Morpheus Spyware Install User-Agent (SmartInstaller)"; flow:to_server,established; http.user_agent; content:"SmartInstaller"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003398; classtype:pup-activity; sid:2003398; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Morpheus Spyware Install User-Agent (SmartInstaller)"; flow:to_server,established; http.user_agent; content:"SmartInstaller"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003398; classtype:pup-activity; sid:2003398; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_10_12, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mysearch.com Spyware User-Agent (iMeshBar)"; flow:to_server,established; http.header; content:"iMeshBar"; fast_pattern; pcre:"/User-Agent\:[^\n]+iMeshBar/i"; reference:url,doc.emergingthreats.net/2003406; classtype:pup-activity; sid:2003406; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Surfaccuracy.com Spyware Install User-Agent (SF Installer)"; flow:to_server,established; http.user_agent; content:"SF Installer"; fast_pattern; reference:url,doc.emergingthreats.net/2003428; classtype:pup-activity; sid:2003428; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Surfaccuracy.com Spyware Install User-Agent (SF Installer)"; flow:to_server,established; http.user_agent; content:"SF Installer"; fast_pattern; reference:url,doc.emergingthreats.net/2003428; classtype:pup-activity; sid:2003428; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_10_12, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Dropspam.com Spyware Install User-Agent (DSInstall)"; flow:to_server,established; http.user_agent; content:"DSInstall"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003439; classtype:pup-activity; sid:2003439; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Dropspam.com Spyware Install User-Agent (DSInstall)"; flow:to_server,established; http.user_agent; content:"DSInstall"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003439; classtype:pup-activity; sid:2003439; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_10_12, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Oemji Spyware User-Agent (Oemji)"; flow:to_server,established; http.header; content:"|20|Oemji"; fast_pattern; pcre:"/User-Agent\:[^\n]+Oemji/i"; reference:url,doc.emergingthreats.net/2003468; classtype:pup-activity; sid:2003468; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AskSearch Spyware User-Agent (AskSearchAssistant)"; flow:to_server,established; threshold:type limit, count 2, seconds 360, track by_src; http.user_agent; content:"AskSearch"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003493; classtype:pup-activity; sid:2003493; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Win95)"; flow:to_server,established; http.user_agent; content:"Win95"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/2008015; classtype:pup-activity; sid:2008015; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Win95)"; flow:to_server,established; http.user_agent; content:"Win95"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/2008015; classtype:pup-activity; sid:2008015; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Antispywaremaster.com/Privacyprotector.com Fake AV Checkin"; flow:established,to_server; http.uri; content:"?action="; content:"&pc_id="; content:"&abbr="; fast_pattern; content:"&err="; reference:url,doc.emergingthreats.net/2008282; classtype:pup-activity; sid:2008282; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
 
@@ -56066,6 +55600,8 @@ alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Age
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"JuffHell/"; depth:9; nocase; classtype:web-application-attack; sid:2030996; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_10_12, deployment Perimeter, signature_severity Major, updated_at 2020_10_12;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET [!80,!443] (msg:"ET MALWARE Possible TA410 APT FlowCloud Dependency Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".DAT"; endswith; pcre:"/\/[A-Z0-9]{4,8}\/[A-Z0-9]{8}\.DAT$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:25; http.host.raw; content:"|3a|"; classtype:trojan-activity; sid:2036388; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_12, deployment Perimeter, former_category MALWARE, malware_family TA410, signature_severity Major, updated_at 2020_10_12;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex DL Pattern Feb 18 2016"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe?."; fast_pattern; pcre:"/\.exe\?\.\d+$/"; http.user_agent; content:"MSIE 7.0|3b 20|Windows NT"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022549; rev:6; metadata:created_at 2016_02_19, former_category CURRENT_EVENTS, updated_at 2020_10_13;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Dridex.Maldoc Minimal Executable Request"; flow:established,to_server; urilen:<15; http.method; content:"GET"; http.uri; content:".exe"; endswith; fast_pattern; pcre:"/^\/\d+\/\d+\.exe$/"; http.header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n)?(?:\r\n)?$/mi"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; startswith; reference:md5,2cea5182d71b768e8b669cacdea39825; classtype:trojan-activity; sid:2020941; rev:5; metadata:created_at 2015_04_17, former_category CURRENT_EVENTS, updated_at 2020_10_13;)
@@ -56118,8 +55654,6 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 CnC Domain in DNS L
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 CnC Domain in DNS Lookup"; dns.query; content:".winx64-microsoft.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:domain-c2; sid:2028665; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Upatre Header Structure 2"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:!"Taitus"; content:!"Sling/"; content:!"Updexer/"; http.host; content:!"sophosupd.com"; content:!"sophosupd.net"; http.accept; content:"text/*,|20|application/*"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host"; depth:26; classtype:trojan-activity; sid:2018635; rev:14; metadata:created_at 2014_07_03, updated_at 2020_10_13;)
-
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-08"; flow:established,to_client; tls.cert_subject; bsize:22; content:"CN=superlatinradio.com"; fast_pattern; reference:md5,ce879fb552e7740bb2e940c65746aad2; classtype:domain-c2; sid:2028672; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_11, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-08"; flow:established,to_client; tls.cert_subject; content:"CN=corpcougar.in"; endswith; fast_pattern; reference:md5,f7a490fcf756f9ddbaedc2441fbc3c0c; classtype:domain-c2; sid:2028673; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
@@ -56196,16 +55730,12 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StormKitty Data E
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Login Hosted on Firebasestorage"; flow:established,to_client; http.header; content:"X-GUploader-UploadID|3a 20|"; content:"|0d 0a|x-goog-"; file.data; content:"<title>Sign in to your Microsoft account</title>"; fast_pattern; classtype:social-engineering; sid:2031006; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2020_10_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent Detected (Windows+NT)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Windows+NT"; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2008600; classtype:trojan-activity; sid:2008600; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload HTTP Checkin Detected (envia.php)"; flow:established,to_server; http.uri; content:"/envia.php"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; endswith; nocase; http.request_body; content:"praquem="; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2008256; classtype:command-and-control; sid:2008256; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Likely PCTools.com Installer User-Agent (Installer Ping)"; flow:to_server,established; http.user_agent; content:"Installer Ping"; depth:14; classtype:trojan-activity; sid:2013190; rev:5; metadata:created_at 2011_07_05, updated_at 2020_10_13;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vaccineprogram.co.kr Related Spyware User-Agent (Museon)"; flow:established,to_server; http.user_agent; content:"Museon"; depth:6; reference:url,doc.emergingthreats.net/2006418; classtype:pup-activity; sid:2006418; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)
 
-#alert http $HOME_NET any -> any any (msg:"ET DELETED Suspicious User-Agent (asp2009)"; flow: established, to_server; http.user_agent; content:"asp2009"; depth:7; endswith; reference:md5,6cad864a439da7bbd6f1cec941cca72b; reference:url,doc.emergingthreats.net/2010136; classtype:trojan-activity; sid:2010136; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon User Agent Detected (??)"; flow:established,to_server; http.header; content:"User-Agent|3a 20 3f 3f 0d 0a|"; reference:url,doc.emergingthreats.net/2007689; classtype:trojan-activity; sid:2007689; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WScript/VBScript XMLHTTP downloader likely malicious get?src="; flow:established,to_server; content:"|0d 0a|Request|3a 20|"; nocase; content:"run|0d 0a|"; within:5; http.uri; content:"/get?src="; nocase; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest"; nocase; depth:54; reference:url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html; reference:url,doc.emergingthreats.net/2010838; classtype:trojan-activity; sid:2010838; rev:8; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
@@ -56224,8 +55754,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.PE
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Graybird Checkin"; flow:to_server,established; http.uri; content:"/count.asp?mac="; content:"&os="; content:"&av="; http.user_agent; content:"Post"; depth:4; endswith; reference:md5,0fd68129ecbf68ad1290a41429ee3e73; reference:md5,11353f5bdbccdd59d241644701e858e6; classtype:command-and-control; sid:2014365; rev:5; metadata:created_at 2012_02_11, former_category MALWARE, updated_at 2020_10_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent (ld)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"ld"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008342; classtype:trojan-activity; sid:2008342; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Banker.PWS POST Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; http.request_body; content:"IDMAQUINA="; reference:url,doc.emergingthreats.net/2009127; classtype:command-and-control; sid:2009127; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bancos/Banker Info Stealer Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; nocase; http.request_body; content:"op="; nocase; content:"servidor="; nocase; content:"senha="; nocase; content:"usuario="; nocase; content:"base="; nocase; content:"sgdb="; nocase; reference:url,www.pctools.com/mrc/infections/id/Trojan.Bancos/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan.Bancos; reference:url,doc.emergingthreats.net/2009471; classtype:trojan-activity; sid:2009471; rev:11; metadata:created_at 2010_07_30, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2020_10_13;)
@@ -56254,7 +55782,7 @@ alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FraudLoad.aww HTTP CnC Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/instlog/?"; nocase; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|TALWinInetHTTPClient"; depth:45; reference:url,doc.emergingthreats.net/2008322; classtype:command-and-control; sid:2008322; rev:12; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKE AV HTTP CnC Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|TALWinInetHTTPClient)"; depth:46; http.request_body; content:"action="; nocase; content:"uid="; nocase; content:"cnt="; nocase; content:"lng="; nocase; content:"type="; nocase; content:"user_id="; nocase; content:"pc_id="; nocase; content:"abbr="; nocase; reference:url,doc.emergingthreats.net/2009455; classtype:command-and-control; sid:2009455; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKE AV HTTP CnC Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|TALWinInetHTTPClient)"; depth:46; http.request_body; content:"action="; nocase; content:"uid="; nocase; content:"cnt="; nocase; content:"lng="; nocase; content:"type="; nocase; content:"user_id="; nocase; content:"pc_id="; nocase; content:"abbr="; nocase; reference:url,doc.emergingthreats.net/2009455; classtype:command-and-control; sid:2009455; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fruspam polling for IP likely infected"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/automation/n09230945.asp"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|U|3b 20|Linux i686|3b 20|en-US|3b 20|rv|3a|1.9.0.4) Ubuntu/8.04 (hardy) Firefox/3.0.0"; depth:85; endswith; reference:url,community.ca.com/blogs/securityadvisor/archive/2009/03/26/in-the-wild-win32-fruspam-using-american-greetings.aspx; reference:url,doc.emergingthreats.net/2011072; classtype:trojan-activity; sid:2011072; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_14;)
 
@@ -56308,7 +55836,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Malware Cn
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Likseput.A Checkin Windows Vista/7/8"; flow:to_server,established; http.header; content:"|5c|"; within:64; content:"Host|3a 20|"; distance:0; content:!"|0d 0a|"; distance:-6; within:2; http.user_agent; content:"6."; depth:2; pcre:"/^6\.[0-2]\x20\d\d\x3a\d\d\x20/i"; reference:md5,b5e9ce72771217680efaeecfafe3da3f; reference:md5,4b6f5e62d7913fc1ab6c71b5b909ecbf; classtype:command-and-control; sid:2016433; rev:5; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-TABLE Checkin 1 - APT1 Related"; flow:established,to_server; flowbits:set,ET.webc2; http.header; content:"|3a|"; distance:1; within:1; content:"|3a|"; distance:2; within:1; content:"+"; distance:2; within:1; http.user_agent; content:"0"; startswith; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016435; rev:7; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-TABLE Checkin 1 - APT1 Related"; flow:established,to_server; flowbits:set,ET.webc2; http.header; content:"|3a|"; distance:1; within:1; content:"|3a|"; distance:2; within:1; content:"+"; distance:2; within:1; http.user_agent; content:"0"; startswith; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016435; rev:7; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-TABLE Checkin 2 - APT1 Related"; flow:established,to_server; flowbits:set,ET.webc2; http.header; content:"|3a|"; distance:1; within:1; content:"|3a|"; distance:2; within:1; content:"+"; distance:2; within:1; http.user_agent; content:"1"; startswith; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016436; rev:4; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_10_14;)
 
@@ -56328,7 +55856,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshe
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-DIV UA"; flow:established,to_server; http.user_agent; content:"Microsoft Internet Explorer Exelon|20|"; depth:35; fast_pattern; reference:url,www.mandiant.com/apt1; reference:md5,1e5ec6c06e4f6bb958dcbb9fc636009d; classtype:command-and-control; sid:2016454; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Sluegot.A Checkin WEBC2-YAHOO APT1 Related"; flow:to_server,established; http.user_agent; content:"IPHONE"; depth:6; pcre:"/^IPHONE\d+\x2e\d+\x28(host\x3a|[^\r\n\x2c]+\x2c(\d{1,3}\.){3}\d{1,3})/i"; reference:url,www.securelist.com/en/descriptions/24052976/Trojan.Win32.Scar.ddxe; reference:md5,0149b7bd7218aab4e257d28469fddb0d; reference:md5,6f9992c486195edcf0bf2f6ee6c3ec74; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016461; rev:6; metadata:created_at 2011_06_28, former_category MALWARE, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Sluegot.A Checkin WEBC2-YAHOO APT1 Related"; flow:to_server,established; http.user_agent; content:"IPHONE"; depth:6; pcre:"/^IPHONE\d+\x2e\d+\x28(host\x3a|[^\r\n\x2c]+\x2c(\d{1,3}\.){3}\d{1,3})/i"; reference:url,www.securelist.com/en/descriptions/24052976/Trojan.Win32.Scar.ddxe; reference:md5,0149b7bd7218aab4e257d28469fddb0d; reference:md5,6f9992c486195edcf0bf2f6ee6c3ec74; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016461; rev:6; metadata:created_at 2011_06_28, former_category MALWARE, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-RAVE UA"; flow:established,to_server; http.user_agent; content:"HTTP Mozilla/5.0(compatible+MSIE)"; depth:33; endswith; reference:url,www.mandiant.com/apt1; reference:md5,5bcaa2f4bc7567f6ffd5507a161e221a; classtype:command-and-control; sid:2016458; rev:5; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_10_14;)
 
@@ -56362,14 +55890,10 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Automated Site
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Automated Site Scanning for backup_data"; flow:established,to_server; http.uri; content:"backup_data"; nocase; http.user_agent; content:"Mozilla/4.0"; bsize:11; classtype:attempted-recon; sid:2012287; rev:6; metadata:created_at 2011_02_04, updated_at 2020_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Likseput.A Checkin"; flow:to_server,established; http.header; content:"|5c|"; within:64; content:"Host|3a 20|"; distance:0; content:!"|0d 0a|"; distance:-6; within:2; http.user_agent; content:"5|2e|"; startswith; pcre:"/^5\.[0-2]\x20\d\d\x3a\d\d\x20/";  reference:md5,4b6f5e62d7913fc1ab6c71b5b909ecbf; classtype:command-and-control; sid:2016450; rev:6; metadata:created_at 2012_01_12, former_category MALWARE, updated_at 2020_10_14;)
-
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible SKyWIper/Win32.Flame UA"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|.NET CLR 1.1.2150)"; depth:69; endswith; fast_pattern; reference:url,crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:2014818; rev:8; metadata:created_at 2012_05_29, updated_at 2020_10_14;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN JCE Joomla Scanner"; flow:established,to_server; http.user_agent; content:"BOT/0.1 (BOT for JCE)"; depth:21; classtype:web-application-attack; sid:2016032; rev:5; metadata:created_at 2012_12_14, updated_at 2020_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent (DownloadNetFile)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"DownloadNetFile"; depth:15; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008344; classtype:trojan-activity; sid:2008344; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Brontok User-Agent Detected (Rivest)"; flow:established,to_server; http.user_agent; content:"Rivest"; depth:6; endswith; nocase; reference:md5,c83b55ab56f3deb60858cb25d6ded8c4; classtype:trojan-activity; sid:2020179; rev:4; metadata:created_at 2015_01_13, updated_at 2020_10_14;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Bittorrent User-Agent inbound - possible DDOS"; flow:established,to_server; threshold: type both, count 1, seconds 60, track by_src; http.user_agent; content:"Bittorrent"; depth:10; reference:url,torrentfreak.com/zombie-pirate-bay-tracker-fuels-chinese-ddos-attacks-150124/; classtype:attempted-dos; sid:2020702; rev:4; metadata:created_at 2015_03_18, updated_at 2020_10_14;)
@@ -56664,8 +56188,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User A
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat Web Application Manager scanning"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/manager/html"; nocase; fast_pattern; http.header; content:"Authorization|3a 20|Basic"; content:!"Proxy-Authorization|3a 20|Basic"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; endswith; reference:url,doc.emergingthreats.net/2010019; classtype:attempted-recon; sid:2010019; rev:11; metadata:created_at 2010_07_30, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (Agent and 5 or 6 digits)"; flow:established,to_server; http.user_agent; content:"Agent"; depth:5; pcre:"/^Agent\d{5,6}$/i"; http.host; content:!"cloud.10jqka.com.cn"; content:!".maxthon.com";  classtype:trojan-activity; sid:2013315; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Ezula Related User-Agent (mez)"; flow: to_server,established; http.user_agent; content:"mez"; nocase; depth:3; endswith; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; reference:url,doc.emergingthreats.net/2000586; classtype:pup-activity; sid:2000586; rev:35; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP YourSiteBar User-Agent (istsvc)"; flow: to_server,established; http.user_agent; content:"istsvc"; nocase; depth:6; endswith; reference:url,www.ysbweb.com; reference:url,doc.emergingthreats.net/2001699; classtype:pup-activity; sid:2001699; rev:264; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
@@ -56700,7 +56222,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Freeze.com Spy
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Best-targeted-traffic.com Spyware Checkin"; flow:established,to_server; http.uri; content:"/checkin.php?"; nocase; content:"unq="; nocase; content:"version="; nocase; http.user_agent; content:"Opera|20|"; nocase; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2003209; classtype:pup-activity; sid:2003209; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Best-targeted-traffic.com Spyware Install"; flow:established,to_server; http.uri; content:"/install.php?"; nocase; content:"&pais="; nocase; content:"unq="; nocase; http.user_agent; content:"Opera|20|"; nocase; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2003210; classtype:pup-activity; sid:2003210; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Best-targeted-traffic.com Spyware Install"; flow:established,to_server; http.uri; content:"/install.php?"; nocase; content:"&pais="; nocase; content:"unq="; nocase; http.user_agent; content:"Opera|20|"; nocase; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2003210; classtype:pup-activity; sid:2003210; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_10_17, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Download Agent) Possibly Related to TrinityAcquisitions.com"; flow:to_server,established; http.user_agent; content:"Download Agent"; depth:14; reference:url,doc.emergingthreats.net/bin/view/Main/2003243; classtype:pup-activity; sid:2003243; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
 
@@ -56778,8 +56300,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Effectivebrands.com Spyware User-Agent (atsu)"; flow:to_server,established; http.user_agent; content:"atsu"; depth:4; endswith; reference:url,doc.emergingthreats.net/2006370; classtype:pup-activity; sid:2006370; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (006)"; flow:established,to_server; http.user_agent; content:"00"; depth:2; pcre:"/00\d+$/";  reference:url,doc.emergingthreats.net/bin/view/Main/2006388; classtype:pup-activity; sid:2006388; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win-touch.com Spyware User-Agent (WTRecover)"; flow:established,to_server; http.user_agent; content:"WTRecover"; depth:9; reference:url,doc.emergingthreats.net/2006392; classtype:pup-activity; sid:2006392; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win-touch.com Spyware User-Agent (WTInstaller)"; flow:established,to_server; http.user_agent; content:"WTInstaller"; depth:11; reference:url,doc.emergingthreats.net/2006393; classtype:pup-activity; sid:2006393; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
@@ -56994,7 +56514,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Eldorado.BHO
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Apple iDisk Sync Unencrypted"; flow:established,to_server; http.header; content:"|0d 0a|Host|3a 20|idisk.mac.com|0d 0a|"; nocase; http.user_agent; content:"DotMacKit-like, File-Sync-Direct"; depth:32; nocase; classtype:policy-violation; sid:2012331; rev:6; metadata:created_at 2011_02_22, updated_at 2020_10_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN w3af User Agent"; flow: established,to_server; http.user_agent; content:"w3af.sourceforge.net"; depth:20; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2007757; classtype:attempted-recon; sid:2007757; rev:13; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN w3af User Agent"; flow: established,to_server; http.user_agent; content:"w3af.sourceforge.net"; depth:20; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2007757; classtype:attempted-recon; sid:2007757; rev:13; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Sending Hostname"; dns.query; bsize:>30; content:"61643"; offset:5; depth:5; content:"31303"; distance:7; within:5; pcre:"/^[a-zA-Z0-9]{5}6164(?:3[0-9]){4}31303[0-9](?:[a-f0-9][a-f0-9]){5,}\./"; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028667; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_19;)
 
@@ -57008,8 +56528,6 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - G
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Sending Command Results"; dns.query; bsize:>30; content:"72643"; offset:5; depth:5; content:"31303"; distance:7; within:5; pcre:"/^[a-zA-Z0-9]{5}7264(?:3[0-9]){4}31303[0-9](?:[a-f0-9][a-f0-9]){10,}\./"; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028671; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User Agent WebUpdate"; flow:established,to_server; http.user_agent; content:"WebUpdate"; bsize:9; reference:url,doc.emergingthreats.net/2010600; classtype:trojan-activity; sid:2010600; rev:5; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Ares traffic"; flow:established,to_server; http.user_agent; content:"Ares"; startswith; reference:url,www.aresgalaxy.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001059; classtype:policy-violation; sid:2001059; rev:11; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan DroidDream Command and Control Communication"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/GMServer/GMServlet"; nocase; fast_pattern; http.user_agent; content:"Dalvik"; depth:6; reference:url,blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/; classtype:trojan-activity; sid:2012453; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_03_10, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_10_19;)
@@ -57062,7 +56580,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER DataCha0s Web
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (ScrapeBox)"; flow:to_server,established; http.user_agent; content:"ScrapeBox"; depth:9; classtype:trojan-activity; sid:2011282; rev:6; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2020_10_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Hmap Webserver Fingerprint Scan"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"4.75 [en] (Windows NT 5.0"; http.protocol; content:"HTTP/1.0"; reference:url,www.ujeni.murkyroc.com/hmap/; reference:url,doc.emergingthreats.net/2008537; classtype:attempted-recon; sid:2008537; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Hmap Webserver Fingerprint Scan"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"4.75 [en] (Windows NT 5.0"; http.protocol; content:"HTTP/1.0"; reference:url,www.ujeni.murkyroc.com/hmap/; reference:url,doc.emergingthreats.net/2008537; classtype:attempted-recon; sid:2008537; rev:9; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS suspicious user-agent (REKOM)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"REKOM"; nocase; depth:5; classtype:trojan-activity; sid:2012295; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_02_07, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
 
@@ -57436,7 +56954,7 @@ alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (
 
 alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"Kayla"; startswith; pcre:"/^Kayla(?:(?:\/|\s)[0-9]\.0)?$/"; classtype:attempted-admin; sid:2029023; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Phishing Landing 2020-10-23"; flow:established,to_client; file.data; content:"var str =  'Sign in to Outlook'|3b|"; content:"$(|22|#add_pass|22|).show()|3b|"; content:"$('#email').val('')|3b|"; content:"function set_brand("; content:"function true_email("; fast_pattern; classtype:social-engineering; sid:2031086; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Phishing Landing 2020-10-23"; flow:established,to_client; file.data; content:"var str =  'Sign in to Outlook'|3b|"; content:"$(|22|#add_pass|22|).show()|3b|"; content:"$('#email').val('')|3b|"; content:"function set_brand("; content:"function true_email("; fast_pattern; classtype:social-engineering; sid:2031086; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^OSIRIS(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"OSIRIS"; fast_pattern; startswith; classtype:attempted-admin; sid:2029026; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
 
@@ -57718,9 +57236,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Netgear DGN1000/D
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET HUNTING Suspicious Chmod Usage in URI (Inbound)"; flow:to_server,established; http.uri; content:"chmod"; fast_pattern; nocase; pcre:"/^(?:\+|\x2520|\x24IFS|\x252B|\s)+(?:x|[0-9]{3,4})/Ri"; content:!"&launchmode="; content:!"/chmod/"; content:!"searchmod"; reference:url,doc.emergingthreats.net/2009363; classtype:attempted-admin; sid:2009363; rev:10; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Chmod Usage in URI (Outbound)"; flow:to_server,established; http.uri; content:"chmod"; fast_pattern; nocase; content:!"&launchmode="; content:!"/chmod/"; content:!"searchmod"; pcre:"/^(?:\+|\x2520|\x24IFS|\x252B|\s)+(?:x|[0-9]{3,4})/Ri"; classtype:attempted-admin; sid:2029216; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_12_31, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GENERIC Likely Malicious Fake IE Downloading .exe"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; endswith; content:!"download_helper.ns"; http.header; content:!"softdl.360tpcdn.com"; http.user_agent; content:"|20|MSIE|20|"; http.host; content:!"microsoft.com"; content:!"adobe.com"; content:!"360safe.com"; content:!"cfbeta.razersynapse.com"; content:!"download.windowsupdate.com"; content:!"gladmainnew.morningstar.com"; http.connection; content:"close"; nocase; http.header_names; content:!"Accept-Encoding"; content:!"Referer"; classtype:trojan-activity; sid:2018403; rev:15; metadata:created_at 2014_04_22, former_category TROJAN, updated_at 2020_10_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Chmod Usage in URI (Outbound)"; flow:to_server,established; http.uri; content:"chmod"; fast_pattern; nocase; content:!"&launchmode="; content:!"/chmod/"; content:!"searchmod"; pcre:"/^(?:\+|\x2520|\x24IFS|\x252B|\s)+(?:x|[0-9]{3,4})/Ri"; classtype:attempted-admin; sid:2029216; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_12_31, deployment Perimeter, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA"; flow:established,to_server; http.user_agent; content:"fuck u"; nocase; bsize:6; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2028991; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
@@ -57968,7 +57484,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FortDisco Reporti
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamut Spambot Checkin"; flow:established,to_server; flowbits:set,ETGamut; http.uri; content:"file=SenderClient.conf"; nocase; fast_pattern; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:command-and-control; sid:2018245; rev:6; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2020_10_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Popwin Checkin"; flow:to_server,established; http.uri; content:"/soft/xiaomi"; fast_pattern; content:".asp"; distance:0; http.user_agent; content:"API-Guide test program"; depth:22; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,dd762c69049fbd00c22f70f109baa26e; classtype:command-and-control; sid:2018143; rev:8; metadata:created_at 2014_02_15, former_category MALWARE, updated_at 2020_10_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Popwin Checkin"; flow:to_server,established; http.uri; content:"/soft/xiaomi"; fast_pattern; content:".asp"; distance:0; http.user_agent; content:"API-Guide test program"; depth:22; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,dd762c69049fbd00c22f70f109baa26e; classtype:command-and-control; sid:2018143; rev:8; metadata:created_at 2014_02_15, former_category MALWARE, updated_at 2022_05_03;)
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Almanahe.B Checkin"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"ClientUpdate"; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.virustotal.com/en/file/f80fc95e44d90a8e02de4fde0ea5e58227cbbde7b6d3848c1f8afbd5ed0affe7/analysis/; reference:md5,1d331ef7d24f6316947e94f737d1f219; classtype:command-and-control; sid:2018123; rev:6; metadata:created_at 2014_02_12, former_category MALWARE, updated_at 2020_10_28;)
 
@@ -58028,7 +57544,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Banco
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PNC Bank Phish 2016-01-09"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?LOB="; fast_pattern; http.header; content:".php?LOB="; http.request_body; content:"user"; nocase; content:"pass"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032671; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phishing 2016-01-08"; flow:to_server,established; content:"|0d 0a 0d 0a|user="; fast_pattern; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.header; content:".php?"; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032670; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phishing 2016-01-08"; flow:to_server,established; content:"|0d 0a 0d 0a|user="; fast_pattern; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.header; content:".php?"; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032670; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phishing 2016-02-23"; flow:to_server,established; content:"|0d 0a 0d 0a|username="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"username="; nocase; content:"pass"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032674; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
@@ -58040,7 +57556,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynam
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2019-08-02"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"CardNumber="; nocase; fast_pattern; content:"&Exp"; nocase; content:"CVV="; nocase; classtype:credential-theft; sid:2029676; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DownloaderExchanger/Cbeplay Variant Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ldrctl.php"; endswith; http.request_body; content:"os="; depth:3; nocase; content:"&ver="; nocase; distance:0; content:"&idx="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&ioctl="; nocase; fast_pattern; distance:0; content:"&data="; nocase; distance:0; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fCbeplay.B; reference:url,www.secureworks.com/research/threats/ppi/; reference:url,doc.emergingthreats.net/2010217; classtype:command-and-control; sid:2010217; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DownloaderExchanger/Cbeplay Variant Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ldrctl.php"; endswith; http.request_body; content:"os="; depth:3; nocase; content:"&ver="; nocase; distance:0; content:"&idx="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&ioctl="; nocase; fast_pattern; distance:0; content:"&data="; nocase; distance:0; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fCbeplay.B; reference:url,www.secureworks.com/research/threats/ppi/; reference:url,doc.emergingthreats.net/2010217; classtype:command-and-control; sid:2010217; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Jul 28 2016"; flow:established,to_client; http.start; content:"Set-Cookie|3a 20|yatutuzebil=1|3b|"; fast_pattern; classtype:exploit-kit; sid:2022990; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_28, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2020_10_29;)
 
@@ -58226,8 +57742,6 @@ alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query for Suspic
 
 alert dns any any -> $HOME_NET any (msg:"ET PHISHING Suspected Appspot Hosted Phishing Domain"; dns.query; content:!"www."; content:"-dot-"; content:".appspot.com"; fast_pattern; isdataat:!1,relative; pcre:"/^[a-z]{36,38}\-dot\-[a-z]+\-[a-z]+\-\d{6}\.[a-z]{2}\.[a-z]\.appspot\.com$/"; classtype:social-engineering; sid:2031149; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Oracle WebLogic RCE Shell Inbound M2 (CVE-2020-14882)"; flow:established,to_server; http.uri.raw; content:"/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel="; content:"com.tangosol.coherence.mvel2.sh.ShellSession("; distance:0; within:75; http.uri; content:"com.tangosol.coherence.mvel2.sh.ShellSession(";  fast_pattern; content:"java.lang.Runtime.getRuntime("; distance:0; content:".exec"; distance:0; reference:url,isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/; reference:url,packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html; reference:cve,2020-14882; classtype:attempted-user; sid:2031147; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_10_30, cve CVE_2020_14882, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_30;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Python/PBot Browser Hijacker Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js?streamId="; fast_pattern; content:"&isAdvpp="; distance:0; content:".js?streamId="; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&isAdvpp=(?:true|false)$/Rsi"; http.header; content:"|0d 0a|Origin|3a 20|http"; reference:md5,f741a2febf0630407ba17945362f3bce; classtype:trojan-activity; sid:2031148; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_31;)
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=stat-group.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.goggleheadedhacker.com/blog/post/16; classtype:domain-c2; sid:2029524; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_31, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
@@ -58242,7 +57756,7 @@ alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE f0xy Checkin"; flow:to_server,established; urilen:10; content:"/hello.php"; fast_pattern; http.method; content:"GET"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; endswith; reference:md5,160634d784c256d29563117554685c31; reference:url,community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx; classtype:command-and-control; sid:2020339; rev:5; metadata:created_at 2015_01_30, former_category MALWARE, updated_at 2020_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; http.uri; content:"/win.html"; fast_pattern; endswith; http.header; pcre:"/Host\x3a\x20(?P<refhost>[^\x3a\r\n]+)(?:\x3a\d{1,5})?\r\n.*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?P=refhost)(?:\x3a\d{1,5})?\/?/si"; http.host; content:!"www.carrona.org"; classtype:exploit-kit; sid:2021293; rev:6; metadata:created_at 2015_06_18, updated_at 2020_11_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; http.uri; content:"/win.html"; fast_pattern; endswith; http.header; pcre:"/Host\x3a\x20(?P<refhost>[^\x3a\r\n]+)(?:\x3a\d{1,5})?\r\n.*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?P=refhost)(?:\x3a\d{1,5})?\/?/si"; http.host; content:!"www.carrona.org"; classtype:exploit-kit; sid:2021293; rev:6; metadata:created_at 2015_06_18, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HanJuan EK Current Campaign Landing URI Struct Jul 10 2015"; flow:established,to_server; urilen:>13; http.uri; content:!"/"; offset:1; content:".asp"; pcre:"/^\/[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\.asp/"; pcre:"/[a-z].*?[a-z]/"; pcre:"/[A-Z].*?[A-Z]/"; pcre:"/\d.*?\d/"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\r$|\x3a)/"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2021407; rev:6; metadata:created_at 2015_07_13, updated_at 2020_11_02;)
 
@@ -58326,7 +57840,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; http.content_type; content:"text/css"; depth:8; endswith; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; classtype:trojan-activity; sid:2009909; rev:12; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 401 XSS Attempt (Local Source)"; flow:from_server,established; threshold:type threshold,track by_src,count 10,seconds 60; http.stat_code; content:"401"; http.stat_msg; content:"Unauthorized"; nocase; file.data; content:"<script"; nocase; depth:280; fast_pattern; reference:url,doc.emergingthreats.net/2010513; classtype:web-application-attack; sid:2010513; rev:8; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 401 XSS Attempt (Local Source)"; flow:from_server,established; threshold:type threshold,track by_src,count 10,seconds 60; http.stat_code; content:"401"; http.stat_msg; content:"Unauthorized"; nocase; file.data; content:"<script"; nocase; depth:280; fast_pattern; reference:url,doc.emergingthreats.net/2010513; classtype:web-application-attack; sid:2010513; rev:8; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible D-Link Router HNAP Protocol Security Bypass Attempt"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/HNAP1/"; nocase; endswith; fast_pattern; http.header; content:"SOAPAction|3a 20|"; nocase; content:"/HNAP1/"; distance:0; pcre:"/^(?:set|get)/Ri"; content:"DeviceSettings"; within:14; reference:url,www.securityfocus.com/bid/37690; reference:url,doc.emergingthreats.net/2010698; classtype:web-application-attack; sid:2010698; rev:6; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
 
@@ -58480,7 +57994,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Generic IOT Downl
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Router EK Landing Page Inbound 2019-05-24"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:">Loading ...<|2f|title>"; content:"|3b|base64,"; distance:0; content:"ZnVuY3Rpb24gTWFrZShDcmVkZW50aWF"; distance:0; fast_pattern; content:"ZG5zU2Vjb25kYXJ5OiAn"; distance:0; classtype:exploit-kit; sid:2027380; rev:3; metadata:created_at 2019_05_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Baldr Stealer Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|Encrypted.zip|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|"; fast_pattern; content:!"PK"; within:25; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,216a00647603b66967cda5d91638f18a; classtype:command-and-control; sid:2027273; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, malware_family BALDR, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Baldr Stealer Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|Encrypted.zip|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|"; fast_pattern; content:!"PK"; within:25; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,216a00647603b66967cda5d91638f18a; classtype:command-and-control; sid:2027273; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, malware_family BALDR, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Post-Compromise Data Dump"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/?"; depth:2; http.request_body; content:"|06 00 00 00 01 00 00 00|"; depth:8; content:"|00 00 02 00 00 00|"; offset:8; depth:16; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2027075; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Spleevo_EK, performance_impact Moderate, signature_severity Major, updated_at 2020_11_04;)
 
@@ -58488,7 +58002,7 @@ alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed External I
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky CnC Checkin"; flow:to_server,established; urilen:14; http.method; content:"POST"; http.uri; content:"/imageload.cgi"; fast_pattern; http.header; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; content:"www-form-urlencoded|0d 0a|"; http.request_body; pcre:"/^[A-Za-z]{1,10}=[^&]+(?:&[A-Za-z]{1,10}=[^&]+){10,}$/s"; reference:md5,40ebefdec6870263827ce6425702e785; classtype:command-and-control; sid:2026517; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Locky, updated_at 2020_11_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.YordanyanActiveAgent CnC Reporting"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"client?mac_address="; content:"&agent_id="; distance:0; content:"agent_file_version"; http.user_agent; content:"cpprestsdk/"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,d71d1ad067c3d4dc9ca74cca76bc9139; classtype:command-and-control; sid:2026435; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, malware_family ActiveAgent, signature_severity Major, updated_at 2020_11_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.YordanyanActiveAgent CnC Reporting"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"client?mac_address="; content:"&agent_id="; distance:0; content:"agent_file_version"; http.user_agent; content:"cpprestsdk/"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,d71d1ad067c3d4dc9ca74cca76bc9139; classtype:command-and-control; sid:2026435; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, malware_family ActiveAgent, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Tinba (Banking Trojan) Check-in"; flow:established,to_server; content:"|0d 0a 0d 0a|"; depth:2000; byte_extract:2,0,byte0,relative; byte_extract:2,0,byte1,relative; byte_test:2,=,byte1,6,relative; byte_test:2,!=,byte1,7,relative; byte_test:2,=,byte1,10,relative; byte_test:2,!=,byte1,11,relative; byte_test:2,!=,byte1,23,relative; byte_test:2,!=,byte0,25,relative; byte_test:2,!=,byte1,27,relative; byte_test:2,=,byte0,40,relative; byte_test:2,=,byte1,42,relative; byte_test:2,=,byte0,44,relative; byte_test:2,=,byte1,46,relative; byte_test:2,=,byte0,48,relative; byte_test:2,=,byte1,50,relative; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/6.0)"; depth:64; fast_pattern; http.request_body; content:!"|00 00|"; depth:30; content:"|00 00|"; offset:34; depth:2; content:"|00 00|"; distance:2; within:2; content:"|00 00|"; distance:2; within:2; http.header_names; content:!"Referer|0d 0a|"; reference:md5,be312fdb94f3a3c783332ea91ef00ebd; classtype:trojan-activity; sid:2026002; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Tinba, updated_at 2020_11_04;)
 
@@ -58516,7 +58030,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell comman
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome XSS (CVE-2017-5124)"; flow:from_server,established; http.content_type; content:"multipart/related"; fast_pattern; startswith; file.data; content:"<xsl"; pcre:"/^((?!<\/xsl).)+?src\s*=\s*[\x27\x22](?P<loc>[^\x22\x27]+?)[\x27\x22].+?Content-Location\x3a\s+(?P=loc)/Rsi"; reference:cve,2017-5124; classtype:attempted-user; sid:2024996; rev:6; metadata:affected_product Google_Chrome, attack_target Client_Endpoint, created_at 2017_11_15, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trickbot Payload Request"; flow:to_server,established; http.method; content:"GET"; http.uri; pcre:"/^\/(?:kas|ser|mac)[0-9]+\.png$/i"; http.start; content:".png HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,2c6cd25a31fe097ee7532422fc8eedc8; classtype:trojan-activity; sid:2024901; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Trickbot, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trickbot Payload Request"; flow:to_server,established; http.method; content:"GET"; http.uri; pcre:"/^\/(?:kas|ser|mac)[0-9]+\.png$/i"; http.start; content:".png HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,2c6cd25a31fe097ee7532422fc8eedc8; classtype:trojan-activity; sid:2024901; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Trickbot, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.RedAlert CnC Beacon"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"|3b 20|Android|20|"; http.request_line; content:"/gt|20|HTTP/1."; fast_pattern; http.connection; content:"keep-alive"; depth:10; endswith; http.content_type; content:"application/json"; depth:16; endswith; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Connection|0d 0a|Content-Type|0d 0a|"; reference:md5,b66010a9c91b17f4d26dc973a97419ac; reference:url,info.phishlabs.com/blog/redalert2-mobile-banking-trojan-actively-updating-its-techniques; classtype:command-and-control; sid:2024765; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_09_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_RedAlert, signature_severity Major, tag Android, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
@@ -58528,7 +58042,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Maldoc D
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Locky VB/JS Loader Download Sep 08 2017"; flow:established,from_server; http.header_names; content:!"Cookie|0d 0a|"; file.data; content:"|3c 64 69 76 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 23 65 65 65 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 70 61 64 64 69 6e 67 3a 35 70 78 20 31 30 70 78 3b 22 3e 59 6f 75 72|"; nocase; within:100; fast_pattern; pcre:"/^[a-z0-9!\x22#$%&'()*+,.\/\x3a\x3b<=>?@\[\] ^_`{|}~\s-]+?downloading\.?\s*Please wait\x2e*<\/div\>\s*<iframe src\s*=\s*[\x22\x27]http\:\/\/[^\x22\x27]+\.php[\x22\x27]\s*style\s*=\s*[\x22\x27]display\x3a\s*none\x3b\s*[\x22\x27]>\s*<\/iframe\>\s*$/Rsi"; classtype:trojan-activity; sid:2024678; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bitshifter Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?root="; fast_pattern; pcre:"/^[a-f0-9]{16}$/Ri"; http.accept; content:"text/plain"; depth:10; endswith; http.protocol; content:"HTTP/1.0"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,d01229914a6b57387e2c963e3aadbc1f; classtype:command-and-control; sid:2024489; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_21, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Bitshifter, signature_severity Major, tag Ransomware, updated_at 2020_11_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bitshifter Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?root="; fast_pattern; pcre:"/^[a-f0-9]{16}$/Ri"; http.accept; content:"text/plain"; depth:10; endswith; http.protocol; content:"HTTP/1.0"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,d01229914a6b57387e2c963e3aadbc1f; classtype:command-and-control; sid:2024489; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_21, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Bitshifter, signature_severity Major, tag Ransomware, updated_at 2022_05_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Quant Loader Download Request"; flow:to_server,established; threshold: type limit, track by_src, count 1, seconds 30; http.method; content:"GET"; http.uri; content:".php?id="; fast_pattern; content:"&c="; distance:0; nocase; content:"&mk="; distance:0; nocase; content:"&il="; distance:0; nocase; content:"&vr="; distance:0; nocase; content:"&bt="; distance:0; nocase; http.header_names; content:!"Referer"; content:!"Cookie|0d 0a|"; reference:md5,23646295E98BD8FA022299374E4F76E0; classtype:trojan-activity; sid:2024452; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_10, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
 
@@ -58586,7 +58100,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pottieq.A C
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (dll generic custom headers)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dll"; http.header; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; fast_pattern; http.user_agent; content:"MSIE 7"; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022941; rev:5; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)"; flow:established,to_server; http.uri; content:"/~"; depth:2; pcre:"/^\/\~[a-z]+\/(?:[a-z]+\/)*[a-z]+\.exe$/i"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.request_line; content:".exe HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,a27bb6ac49f890bbdb97d939ccaa5956; classtype:trojan-activity; sid:2022940; rev:5; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)"; flow:established,to_server; http.uri; content:"/~"; depth:2; pcre:"/^\/\~[a-z]+\/(?:[a-z]+\/)*[a-z]+\.exe$/i"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.request_line; content:".exe HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,a27bb6ac49f890bbdb97d939ccaa5956; classtype:trojan-activity; sid:2022940; rev:5; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pony DLL Download"; flow:established,to_server; http.uri; content:"/pm"; pcre:"/^\d?\.dll$/R"; http.request_line; content:".dll HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022939; rev:6; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_11_05;)
 
@@ -58616,7 +58130,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Onion2Web Tor Prox
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nivdort Posting Data 2"; flow:established,to_server; content:"|0d 0a 0d 0a|env="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^env=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/"; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Nivdort; classtype:trojan-activity; sid:2022281; rev:4; metadata:created_at 2015_12_18, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request (no .exe)"; flow:to_server,established; flowbits:set,et.MS.XMLHTTP.no.exe.request; flowbits:noalert; http.uri; content:!".exe"; nocase; content:!".msi"; nocase; content:!".msp"; nocase; http.start; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:45; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; content:!"UA-CPU|0d 0a|"; classtype:misc-activity; sid:2022049; rev:5; metadata:created_at 2015_11_09, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request (no .exe)"; flow:to_server,established; flowbits:set,et.MS.XMLHTTP.no.exe.request; flowbits:noalert; http.uri; content:!".exe"; nocase; content:!".msi"; nocase; content:!".msp"; nocase; http.start; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:45; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; content:!"UA-CPU|0d 0a|"; classtype:misc-activity; sid:2022049; rev:5; metadata:created_at 2015_11_09, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MWI Maldoc Stats Callout Oct 28"; flow:established,to_server; http.uri; content:"/pict."; fast_pattern; content:"?id="; distance:0; pcre:"/\/pict\.(?:jpg|php|xsp)\?id=\d+((?:&data=|&bid=)[^&]*?)?$/"; http.user_agent; content:"office"; nocase; http.host; content:!".money-media.com"; endswith; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2022008; rev:6; metadata:created_at 2015_10_28, updated_at 2020_11_05;)
 
@@ -58676,7 +58190,7 @@ alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Magento XMLRPC-Explo
 
 alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080] (msg:"ET MALWARE W32/Emotet Empty CnC Beacon"; flow:established,to_server; http.start; content:"GET / HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|SLCC1|3b 20|.NET CLR 1.1.4322)|0d 0a|Host|3a|"; depth:111; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"Cookie|0d 0a|"; reference:md5,627f3572e9c37de307b3511925934fb9; classtype:command-and-control; sid:2035046; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_09, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PurpleWave Stealer Requesting Config"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/config"; endswith; content:!"."; http.header; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|id|22 3b 0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2030625; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_31, deployment Perimeter, former_category MALWARE, malware_family PurpleWaveStealer, signature_severity Major, updated_at 2020_11_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PurpleWave Stealer Requesting Config"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/config"; endswith; content:!"."; http.header; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|id|22 3b 0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2030625; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_31, deployment Perimeter, former_category MALWARE, malware_family PurpleWaveStealer, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP STOPzilla Download Accelerator Activity"; flow:established,to_server; http.user_agent; content:"STOPzilla Download Accelerator"; depth:30; reference:md5,6748824b325cbc1be57394469e361d63; classtype:pup-activity; sid:2031182; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_05, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_11_05;)
 
@@ -58774,7 +58288,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT C
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 65"; flow:established,to_server; content:"|ba e7 11 d6 b7 9f b5 c9 1d 10 58|"; depth:11; fast_pattern; content:"|4f 3a|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026505; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA"; flow:established,to_server; threshold: type both, track by_src, count 225, seconds 60; http.header.raw; content:"User-Agent|3a 20 20|"; fast_pattern; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:attempted-dos; sid:2014153; rev:8; metadata:created_at 2012_01_28, updated_at 2020_11_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA"; flow:established,to_server; threshold: type both, track by_src, count 225, seconds 60; http.header.raw; content:"User-Agent|3a 20 20|"; fast_pattern; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:attempted-dos; sid:2014153; rev:8; metadata:created_at 2012_01_28, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter INSERT INTO SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/index2.php?"; nocase; fast_pattern; content:"limit="; nocase; content:"limitstart="; nocase; content:"zorder="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014081; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_06;)
 
@@ -58808,7 +58322,7 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible CVE-2020-8518 (Horde Groupware RCE)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"data.php"; endswith; http.request_body; content:"|22 3b 20|filename=|22|"; content:"|2e|passthru|28|"; content:"|2e|die|28 29 3b|"; distance:0; http.header_names; content:"horde_secret_key|0d 0a|"; nocase; fast_pattern; reference:url,cardaci.xyz/advisories/2020/03/10/horde-groupware-webmail-edition-5.2.22-rce-in-csv-data-import/; reference:cve,2020-8518; classtype:attempted-admin; sid:2029636; rev:3; metadata:attack_target Web_Server, created_at 2020_03_13, cve 2020_8518, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"feb.kkooppt.com"; bsize:15; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029626; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"feb.kkooppt.com"; bsize:15; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029626; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"compdate.my03.com"; bsize:17; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029627; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
 
@@ -58820,9 +58334,9 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Viciou
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"bur.vueleslie.com"; bsize:17; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029630; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"wind.windmilldrops.com"; bsize:22; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029631; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"wind.windmilldrops.com"; bsize:22; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029631; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER LANDesk Command Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gsb/datetime.php"; nocase; http.request_body; content:"delBackupName"; nocase; content:"backupRestoreFormSubmitted"; distance:0; nocase; reference:url,www.coresecurity.com/content/landesk-csrf-vulnerability; reference:cve,2010-0369; reference:url,doc.emergingthreats.net/2010863; classtype:web-application-attack; sid:2010863; rev:9; metadata:created_at 2010_07_30, updated_at 2020_11_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER LANDesk Command Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gsb/datetime.php"; nocase; http.request_body; content:"delBackupName"; nocase; content:"backupRestoreFormSubmitted"; distance:0; nocase; reference:url,www.coresecurity.com/content/landesk-csrf-vulnerability; reference:cve,2010-0369; reference:url,doc.emergingthreats.net/2010863; classtype:web-application-attack; sid:2010863; rev:9; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module Configuration Security Bypass Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php"; nocase; content:"page="; nocase; distance:0; pcre:"/\x2Fwp\x2Dadmin\x2Fadmin\x2Ephp.+page\x3D(?:\x2Fcollapsing\x2Darchives\x2Foptions\x2Etxt|akismet\x2Freadme\x2Etxt|related\x2Dways\x2Dto\x2Dtake\x2Daction\x2Foptions\x2Ephp|wp\x2Dsecurity\x2Dscan\x2Fsecurityscan\x2Ephp)/i"; reference:url,www.securityfocus.com/bid/35584; reference:cve,2009-2334; reference:url,doc.emergingthreats.net/2010728; classtype:web-application-attack; sid:2010728; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_07;)
 
@@ -58844,6 +58358,8 @@ alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pos
 
 alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS *.dyn-ip24 .de Domain"; dns.query; content:".dyn-ip24.de"; nocase; endswith; classtype:policy-violation; sid:2029638; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_16, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_09;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO RealThinClient Outbound Communication"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/$rdgate?ACTION="; depth:16; fast_pattern; http.header; content:"HOST|3a|"; nocase; http.header_names; content:!"Accept"; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,e6fe6b5f943a45018d2d0da4357cfe6d; reference:url,rtc.teppi.net; classtype:bad-unknown; sid:2036704; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_24, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_11_09;)
+
 alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Nexus Repository Manager EL Injection to RCE Inbound (CVE-2020-10204)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|22|action|22 3a 22|"; content:"|22 3a 5b 22 24 5c 5c|"; distance:0; fast_pattern; reference:url,medium.com/@prem2/nexus-repository-manger-3-rce-cve-2020-10204-el-injection-rce-blind-566d902c1616; reference:cve,2020-10204; classtype:attempted-admin; sid:2031190; rev:1; metadata:created_at 2020_11_09, cve CVE_2020_10204, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_09;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.Joia CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ABCDIMQ"; depth:7; fast_pattern; http.start; content:".php|20|HTTP/1.0|0d 0a|Host|3a 20|"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,7e10e615edd111a5b77266c862aca78a; classtype:command-and-control; sid:2029641; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
@@ -58852,6 +58368,8 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Sogou.H
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MZRevenge Ransomware CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; bsize:38; http.request_body; content:"filename|3d 22|TVpS"; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|boundary=--------"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,app.any.run/tasks/e5a3d700-993f-47ab-bde1-e9ed8e9d323e/; classtype:trojan-activity; sid:2029647; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_09, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Suspicious Reversed String Inbound (StrReverse)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"esreveRrtS"; nocase; classtype:bad-unknown; sid:2036336; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_18, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_09;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish Aug 31 2015"; flow:to_server,established; content:"|0d 0a 0d 0a|email="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"email="; depth:6; content:"&pass="; distance:0; classtype:credential-theft; sid:2029652; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Office Phishing Landing 2016-12-18"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; depth:9; file.data; content:"<title>Microsoft Office"; fast_pattern; nocase; content:"Login below to access file"; nocase; distance:0; classtype:social-engineering; sid:2029658; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_09;)
@@ -58942,6 +58460,8 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Stitch
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (jquery Profile)"; flow:established,to_server; http.cookie; bsize:179; content:"session-"; depth:8; pcre:"/^[a-zA-Z0-9\/+_-]{171}$/R"; http.start; content:"GET|20|/jquery.min.js|20|HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Cookie|3a 20|session-"; startswith; fast_pattern; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2032751; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_31, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common RAT Connectivity Check Observed"; flow:to_server,established; urilen:6; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|48.0) Gecko/20100101 Firefox/48.0"; depth:65; http.host; content:"ip-api.com"; depth:10; endswith; http.request_line; content:"GET /json/"; depth:10; fast_pattern; http.connection; content:"Keep-Alive"; depth:10; endswith; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:34; endswith; reference:md5,69aeb53d5d8792e5479966aeed917bc4; classtype:trojan-activity; sid:2036383; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_07, deployment Perimeter, former_category MALWARE, malware_family Qasar_Rat, malware_family AZORult, malware_family VoidRat, signature_severity Major, updated_at 2020_11_11;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Request with Possible COVID-19 Domain M2"; http.method; content:"POST"; http.host; content:"corona"; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029714; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Request with Possible COVID-19 Domain M1"; http.method; content:"POST"; http.host; content:"covid"; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029713; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
@@ -58988,8 +58508,6 @@ alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Inbound (info)"; flow:established,from_server; dsize:<50; content:"info|7c|"; nocase; depth:5; fast_pattern; content:"|7c|"; distance:0; isdataat:!1,relative; reference:md5,ca075cb808eb6f69ab5ea82d7acb3f39; classtype:command-and-control; sid:2029696; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Inbound (aw)"; flow:established,from_server; dsize:<50; content:"aw|7c 7c 7c|"; fast_pattern; nocase; depth:5; content:"|7c|"; isdataat:!1,relative;  reference:md5,ca075cb808eb6f69ab5ea82d7acb3f39; classtype:command-and-control; sid:2029697; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_11_12;)
-
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF Linux/Dnsamp.AB Variant CnC"; flow:established,to_server; dsize:84; content:"|54|"; depth:1; content:"|11|"; distance:6; within:1; content:"|95 08 00 00 01 00 00 00|"; distance:68; within:8; fast_pattern; isdataat:!1,relative; reference:md5,b1fcab441a1221b33206924f12af64a0; reference:url,intezer.com/blog/ddos/chinaz-updates-toolkit-by-introducing-new-undetected-malware/; classtype:command-and-control; sid:2029839; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_12;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE M3RAT CnC Checkin Outbound"; flow:established,to_server; content:"infoHacKed*"; depth:11; fast_pattern; content:"*"; distance:0; content:"*"; distance:0; content:"*"; distance:0; content:"*"; distance:0; content:"*Beta"; isdataat:!1,relative; reference:md5,5627e7aba7168aefe878e9251392542e; classtype:command-and-control; sid:2030144; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, malware_family M3RAT, signature_severity Major, updated_at 2020_11_12;)
@@ -59002,7 +58520,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Screenshot Outbound"; flow:established,to_server; content:"|40 7c 7c|"; depth:3; content:"|FF D8 FF E0 00 10 4A 46 49 46 00 01|"; within:100; content:"|7c|Boss2019|7c|"; fast_pattern; isdataat:!1,relative; reference:md5,d09be7dd3433a0b6fc2bc729f181a1f0; classtype:command-and-control; sid:2030143; rev:3; metadata:affected_product Windows_DNS_server, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FTCode Stealer Init Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"guid="; depth:5; content:"&crederror="; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,www.malware-traffic-analysis.net/2020/04/02/index.html; classtype:command-and-control; sid:2029802; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FTCode Stealer Init Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"guid="; depth:5; content:"&crederror="; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,www.malware-traffic-analysis.net/2020/04/02/index.html; classtype:command-and-control; sid:2029802; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Dridex Download URI Struct with no referer"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/\d+\/\d+\.exe$/"; http.user_agent; content:!"LogitechUpdate"; depth:14; http.request_line; content:".exe HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:trojan-activity; sid:2021245; rev:9; metadata:created_at 2015_06_10, updated_at 2020_11_12;)
 
@@ -59026,7 +58544,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Success
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING GOV UK Possible COVID-19 Phish 2020-04-06"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Postcode.php?sslchannel="; fast_pattern; content:"&sessionid="; distance:0; http.request_body; content:"postcode="; depth:9; content:!"&"; distance:0; classtype:credential-theft; sid:2029849; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MOOZ.THCCABO CoinMiner CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"|7c 20|Processor|3a 20|"; content:"|7c 20|Cores|3a 20|"; distance:0; content:"|7c 20|Videocard|3a 20|"; distance:0; content:"|7c 20|SmartScreen|3a 20|"; distance:0; content:"|7c 20|Defender|3a 20|"; distance:0; content:"|7c 20|Antivirus|3a 20|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/zoomed-in-a-look-into-a-coinminer-bundled-with-zoom-installer; classtype:command-and-control; sid:2029813; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2020_11_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MOOZ.THCCABO CoinMiner CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"|7c 20|Processor|3a 20|"; content:"|7c 20|Cores|3a 20|"; distance:0; content:"|7c 20|Videocard|3a 20|"; distance:0; content:"|7c 20|SmartScreen|3a 20|"; distance:0; content:"|7c 20|Defender|3a 20|"; distance:0; content:"|7c 20|Antivirus|3a 20|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/zoomed-in-a-look-into-a-coinminer-bundled-with-zoom-installer; classtype:command-and-control; sid:2029813; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2022_05_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL/Adobe/Excel Phishing Landing 2016-01-07"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"application/javascript"; file.data; content:"function script()"; nocase; content:"#email_field"; nocase; distance:0; fast_pattern; content:"#password_field"; nocase; distance:0; content:"click_to_download()"; nocase; distance:0; content:"Wrong Email Format"; nocase; distance:0; content:"make_the_delay()"; nocase; distance:0; classtype:social-engineering; sid:2032669; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_07, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_16;)
 
@@ -59044,7 +58562,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Lazarus Nukes
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KPOT Stealer Initial CnC Activity M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/util.php?id="; fast_pattern; pcre:"/^[A-F0-9]+$/Rsi"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer"; reference:md5,5aa703c714e3fa012289bb521687cb0f; classtype:command-and-control; sid:2029837; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category MALWARE, malware_family KPOT_Stealer, signature_severity Major, updated_at 2020_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent"; flow:established,to_server; http.user_agent; content:"AnyDesk"; depth:7; reference:md5,1501639af59b0ff39d41577af30367cf; classtype:policy-violation; sid:2027762; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_11_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent"; flow:established,to_server; http.user_agent; content:"AnyDesk"; depth:7; reference:md5,1501639af59b0ff39d41577af30367cf; classtype:policy-violation; sid:2027762; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DACLS RAT CnC (Log Server Reporting)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"log=save&session_id="; depth:20; fast_pattern; content:"&value="; distance:0; pcre:"/^log=save&session_id=[^&]+&value=[^&]+$/"; reference:url,blog.netlab.360.com/dacls-the-dual-platform-rat-en/; classtype:command-and-control; sid:2029879; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_16;)
 
@@ -59112,7 +58630,7 @@ alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain
 
 alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup"; dns.query; content:"oldgoldcities.com"; nocase; bsize:17; reference:url,context-cdn.washingtonpost.com/notes/prod/default/documents/bf5edf35-5672-49fa-aca1-edefadff683f/note/8ef25c0d-fee9-416a-b7f9-e0a4dedc66f2.pdf; reference:url,twitter.com/jsrailton/status/1253526716460535808; classtype:command-and-control; sid:2030026; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_24, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Drive DDoS Check-in"; flow:established,to_server; flowbits:set,ET.Drive.DDoS.Checkin; http.method; content:"POST"; http.header; pcre:"/-urlencoded\r\n(?:\r\n)?$/"; http.request_body; content:"k="; fast_pattern; startswith; pcre:"/^[0-9]*?[a-z]/PR"; http.content_len; byte_test:0,=,17,0,string,dec; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; startswith; classtype:trojan-activity; sid:2017045; rev:5; metadata:created_at 2013_06_22, updated_at 2020_11_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Drive DDoS Check-in"; flow:established,to_server; flowbits:set,ET.Drive.DDoS.Checkin; http.method; content:"POST"; http.header; pcre:"/-urlencoded\r\n(?:\r\n)?$/"; http.request_body; content:"k="; fast_pattern; startswith; pcre:"/^[0-9]*?[a-z]/PR"; http.content_len; byte_test:0,=,17,0,string,dec; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; startswith; classtype:trojan-activity; sid:2017045; rev:5; metadata:created_at 2013_06_22, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE Win32/Cridex Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/(?:[a-z0-9+]+?\/){3}$/i"; http.header; content:"Accept|3a 20|*/*|0d 0a|Host|3a 20|"; depth:19; content:"Cache-Control|3a 20|no-cache"; distance:0; http.host.raw; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a8080$/"; http.connection; content:"Keep-Alive"; bsize:10; http.content_len; byte_test:0,>,99,0,string,dec; byte_test:0,<,1000,0,string,dec; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; startswith; reference:md5,94e496decf90c4ba2fb3e7113a081726; classtype:command-and-control; sid:2017305; rev:5; metadata:created_at 2013_08_09, former_category MALWARE, updated_at 2020_11_17;)
 
@@ -59208,7 +58726,7 @@ alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group Domain in D
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Patchwork Staging Domain in DNS Query"; dns.query; content:"dnsresolve.live"; nocase; endswith; classtype:domain-c2; sid:2030378; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Patchwork, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evil Google Drive Download"; flow:established,to_server; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|CODE|0d 0a|"; fast_pattern; http.host; content:"drive.google.com"; reference:md5,f5ee4c578976587586202c15e98997ed; classtype:bad-unknown; sid:2030438; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evil Google Drive Download"; flow:established,to_server; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|CODE|0d 0a|"; fast_pattern; http.host; content:"drive.google.com"; reference:md5,f5ee4c578976587586202c15e98997ed; classtype:bad-unknown; sid:2030438; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"ms6-upload-serv3.com"; bsize:20; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030418; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
@@ -59448,7 +58966,9 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon D
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M4"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"var _a|3d 22|"; depth:8; content:"|22 2c|_b|3d 22|"; within:120; content:"|22 2c|_c|3d 22|"; within:120; content:"|22 3b|eval|28|function|28 5f 2c|"; within:120; content:"|29 7b|if|28|n|3d|function|28 5f 29 7b|return|28 5f|"; distance:9; within:27; fast_pattern; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027964; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE InfoBot Sending LAN Details"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|7b 22 4c 61 6e 43 6e 74 22 3a 20 22|"; depth:12; fast_pattern; content:"|22 7d|"; within:3; endswith; http.header_names; content:!"Referer"; reference:md5,6daa7e95d172c2e54953adae7bdfaffc; classtype:trojan-activity; sid:2025578; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_16, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Filecoder.STOP Variant Public Key Download"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|7b 22|public_key|22 3a 22|-----BEGIN|26 23 31 36 30 3b|PUBLIC|26 23 31 36 30 3b|KEY-----"; depth:51; fast_pattern; content:"-----END|26 23 31 36 30 3b|PUBLIC|26 23 31 36 30 3b|KEY-----"; content:"|22 2c 22|id|22 3a 22|"; within:12; reference:md5,13f04ff944fa65eddd3e911740837a8a; reference:md5,c0672f0359afba1c24ab0f90f568bdc0; classtype:trojan-activity; sid:2036335; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE InfoBot Sending LAN Details"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|7b 22 4c 61 6e 43 6e 74 22 3a 20 22|"; depth:12; fast_pattern; content:"|22 7d|"; within:3; endswith; http.header_names; content:!"Referer"; reference:md5,6daa7e95d172c2e54953adae7bdfaffc; classtype:trojan-activity; sid:2025578; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_16, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Scarsi Variant CnC Activity"; flow:to_server,established; http.uri; content:"/WP"; content:".php"; within:50; endswith; pcre:"/\/WP(?:Security|CoreLog)\/(?:data\/)?\w+\.php$/i"; http.header; content:"Content-Length|3a 20|"; byte_test:1,>,0x30,0,relative; http.request_body; pcre:"/^[\x20-\x25\x27-\x3c\x3e-\x7e]{25,}$/si"; http.content_type; content:"application/x-www-form-urlencoded|3b 20|Charset=UTF-8"; fast_pattern; bsize:48; http.header_names; content:!"Referer|0d 0a|"; reference:md5,52c193a7994a6bb55ec85addc8987c10; classtype:command-and-control; sid:2024758; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
@@ -59478,227 +58998,227 @@ alert http $EXTERNAL_NET any -> $HOME_NET 9080 (msg:"ET EXPLOIT Possible LG Supe
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO NetSupport Remote Admin Response"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"application/x-www-form-urlencoded"; http.server; content:"NetSupport Gateway"; fast_pattern; startswith; reference:md5,54c0e7593d94c03a2b7909e6a459ce14; classtype:trojan-activity; sid:2035895; rev:5; metadata:created_at 2015_08_27, former_category POLICY, updated_at 2022_04_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Kuriyama Loader Checkin"; flow: established, to_server; threshold: type both, track by_src, count 2, seconds 60; http.method; content:"GET"; http.uri; content:"?hwid="; content:"&group="; fast_pattern; content:"&os="; content:"&cpu="; http.header_names; content:!"Referer|0d 0a|"; reference:url,darkwebs.ws/threads/41806/; reference:md5,e18c73ec38cbdd0bb0c66f360183e6d9; classtype:command-and-control; sid:2025253; rev:6; metadata:created_at 2018_01_26, former_category MALWARE, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Kuriyama Loader Checkin"; flow: established, to_server; threshold: type both, track by_src, count 2, seconds 60; http.method; content:"GET"; http.uri; content:"?hwid="; content:"&group="; fast_pattern; content:"&os="; content:"&cpu="; http.header_names; content:!"Referer|0d 0a|"; reference:url,darkwebs.ws/threads/41806/; reference:md5,e18c73ec38cbdd0bb0c66f360183e6d9; classtype:command-and-control; sid:2025253; rev:6; metadata:created_at 2018_01_26, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.4.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/1.4."; reference:url,www.oracle.com/technetwork/java/javase/documentation/index.html; classtype:bad-unknown; sid:2011584; rev:14; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, tag EOL, updated_at 2021_12_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.4.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/1.4."; reference:url,www.oracle.com/technetwork/java/javase/documentation/index.html; classtype:bad-unknown; sid:2011584; rev:14; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, tag EOL, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious HTML Decimal Obfuscated Title - Possible Phishing Landing Apr 19 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; nocase; content:"|26 23|"; within:5; content:"|3b 26 23|"; fast_pattern; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"</title>"; nocase; distance:0; classtype:social-engineering; sid:2024228; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious HTML Decimal Obfuscated Title - Possible Phishing Landing Apr 19 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; nocase; content:"|26 23|"; within:5; content:"|3b 26 23|"; fast_pattern; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"</title>"; nocase; distance:0; classtype:social-engineering; sid:2024228; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Oracle America)"; tls.cert_subject; content:"C=US"; content:"ST=California"; content:"L=Redwood Shores"; content:"O=Oracle America, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle America, Inc."; tls.cert_issuer; content:"C=US"; content:"ST=California"; content:"L=Redwood Shores"; content:"O=Oracle America, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle America, Inc."; fast_pattern; reference:md5,a0bbfdb2d4dbfb2f3c182bd394099803; classtype:trojan-activity; sid:2025413; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Oracle America)"; tls.cert_subject; content:"C=US"; content:"ST=California"; content:"L=Redwood Shores"; content:"O=Oracle America, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle America, Inc."; tls.cert_issuer; content:"C=US"; content:"ST=California"; content:"L=Redwood Shores"; content:"O=Oracle America, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle America, Inc."; fast_pattern; reference:md5,a0bbfdb2d4dbfb2f3c182bd394099803; classtype:trojan-activity; sid:2025413; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Yahoo)"; tls.cert_subject; content:"C=US"; content:"ST=Arizona"; content:"L=Phoenix"; content:"O=Yahoo Widget, Inc."; content:"OU=Yahoo Widget Bureau"; content:"CN=Yahoo Widget, Inc."; tls.cert_issuer; content:"C=US"; content:"ST=Arizona"; content:"L=Phoenix"; content:"O=Yahoo Widget, Inc."; content:"OU=Yahoo Widget Bureau"; content:"CN=Yahoo Widget, Inc."; fast_pattern; reference:md5,ce413a29e6cde5701a26e7e4e02ecc66; classtype:trojan-activity; sid:2025412; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Yahoo)"; tls.cert_subject; content:"C=US"; content:"ST=Arizona"; content:"L=Phoenix"; content:"O=Yahoo Widget, Inc."; content:"OU=Yahoo Widget Bureau"; content:"CN=Yahoo Widget, Inc."; tls.cert_issuer; content:"C=US"; content:"ST=Arizona"; content:"L=Phoenix"; content:"O=Yahoo Widget, Inc."; content:"OU=Yahoo Widget Bureau"; content:"CN=Yahoo Widget, Inc."; fast_pattern; reference:md5,ce413a29e6cde5701a26e7e4e02ecc66; classtype:trojan-activity; sid:2025412; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Google)"; tls.cert_subject; content:"C=US"; content:"ST=Florida"; content:"L=Tampa"; content:"O=Google, Inc."; content:"OU=Google Corp, Inc"; content:"CN=Google, Inc."; tls.cert_issuer; content:"C=US"; content:"ST=Florida"; content:"L=Tampa"; content:"O=Google, Inc."; content:"OU=Google Corp, Inc"; content:"CN=Google, Inc."; fast_pattern; reference:md5,8c7722acb2f7400df1027fa6741e37d5; classtype:trojan-activity; sid:2025414; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Google)"; tls.cert_subject; content:"C=US"; content:"ST=Florida"; content:"L=Tampa"; content:"O=Google, Inc."; content:"OU=Google Corp, Inc"; content:"CN=Google, Inc."; tls.cert_issuer; content:"C=US"; content:"ST=Florida"; content:"L=Tampa"; content:"O=Google, Inc."; content:"OU=Google Corp, Inc"; content:"CN=Google, Inc."; fast_pattern; reference:md5,8c7722acb2f7400df1027fa6741e37d5; classtype:trojan-activity; sid:2025414; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Oracle canada)"; tls.cert_subject; content:"C=canada"; content:"ST=quebec"; content:"L=Redwood Shores"; content:"O=Oracle canada, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle canada, Inc."; tls.cert_issuer; content:"C=canada"; content:"ST=quebec"; content:"L=Redwood Shores"; content:"O=Oracle canada, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle canada, Inc."; fast_pattern; reference:md5,f71d168b5b987d9fde792098ca5cca19; classtype:trojan-activity; sid:2025415; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Oracle canada)"; tls.cert_subject; content:"C=canada"; content:"ST=quebec"; content:"L=Redwood Shores"; content:"O=Oracle canada, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle canada, Inc."; tls.cert_issuer; content:"C=canada"; content:"ST=quebec"; content:"L=Redwood Shores"; content:"O=Oracle canada, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle canada, Inc."; fast_pattern; reference:md5,f71d168b5b987d9fde792098ca5cca19; classtype:trojan-activity; sid:2025415; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arkei Stealer IP Lookup"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Arkei/"; depth:6; fast_pattern; http.host; content:"ip-api.com"; reference:md5,1f075616f69983f5b3fc7ba068032c6d; classtype:trojan-activity; sid:2025429; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_13, deployment Perimeter, former_category TROJAN, malware_family Arkei, signature_severity Major, tag Stealer, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arkei Stealer IP Lookup"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Arkei/"; depth:6; fast_pattern; http.host; content:"ip-api.com"; reference:md5,1f075616f69983f5b3fc7ba068032c6d; classtype:trojan-activity; sid:2025429; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_13, deployment Perimeter, former_category TROJAN, malware_family Arkei, signature_severity Major, tag Stealer, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arkei Stealer Config Download Request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/grubConfig"; http.user_agent; content:"Arkei/"; depth:6; fast_pattern; reference:md5,1f075616f69983f5b3fc7ba068032c6d; classtype:trojan-activity; sid:2025430; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_13, deployment Perimeter, former_category TROJAN, malware_family Arkei, signature_severity Major, tag Stealer, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arkei Stealer Config Download Request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/grubConfig"; http.user_agent; content:"Arkei/"; depth:6; fast_pattern; reference:md5,1f075616f69983f5b3fc7ba068032c6d; classtype:trojan-activity; sid:2025430; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_13, deployment Perimeter, former_category TROJAN, malware_family Arkei, signature_severity Major, tag Stealer, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBase Keylogger Uploading Screenshots"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/image/upload.php"; fast_pattern; http.request_body; content:"filename=|22|"; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\>\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}[\d_]+\.(?:jpg|png)\x22\x0d\x0a/R"; http.header_names; content:!"User-Agent"; content:!"Referer"; content:"|0d 0a|Expect|0d 0a|"; reference:md5,5626771cf6751286de4b90ea4b8df94d; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:trojan-activity; sid:2021441; rev:5; metadata:created_at 2015_07_20, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBase Keylogger Uploading Screenshots"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/image/upload.php"; fast_pattern; http.request_body; content:"filename=|22|"; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\>\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}[\d_]+\.(?:jpg|png)\x22\x0d\x0a/R"; http.header_names; content:!"User-Agent"; content:!"Referer"; content:"|0d 0a|Expect|0d 0a|"; reference:md5,5626771cf6751286de4b90ea4b8df94d; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:trojan-activity; sid:2021441; rev:5; metadata:created_at 2015_07_20, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used) M1"; flow:to_server,established; http.header; content:"QHBhc3N0aHJ1KC"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013938; rev:7; metadata:created_at 2011_11_22, former_category WEB_SERVER, updated_at 2020_11_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used) M1"; flow:to_server,established; http.header; content:"QHBhc3N0aHJ1KC"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013938; rev:7; metadata:created_at 2011_11_22, former_category WEB_SERVER, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache CouchDB Remote Code Execution 1"; flow:established,to_server; http.uri; content:"/_users/org.couchdb.user|3a|"; http.request_body; content:"|22|roles|22 3a 20 5b 22 5f|admin|22 5d 2c|"; fast_pattern; content:"password"; reference:cve,2017-12635; classtype:attempted-user; sid:2025740; rev:4; metadata:attack_target Web_Server, created_at 2018_06_25, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache CouchDB Remote Code Execution 1"; flow:established,to_server; http.uri; content:"/_users/org.couchdb.user|3a|"; http.request_body; content:"|22|roles|22 3a 20 5b 22 5f|admin|22 5d 2c|"; fast_pattern; content:"password"; reference:cve,2017-12635; classtype:attempted-user; sid:2025740; rev:4; metadata:attack_target Web_Server, created_at 2018_06_25, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Remote Code Execution 3"; flow:established,to_server; http.uri; content:"/index.php?cmd=submitcommand&command="; content:"&command_data=$("; fast_pattern; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025776; rev:4; metadata:attack_target Server, created_at 2018_07_03, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_11_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Remote Code Execution 3"; flow:established,to_server; http.uri; content:"/index.php?cmd=submitcommand&command="; content:"&command_data=$("; fast_pattern; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025776; rev:4; metadata:attack_target Server, created_at 2018_07_03, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Bank of America"; nocase; content:"// the field has a value it's a spam bot"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025698; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Bank of America"; nocase; content:"// the field has a value it's a spam bot"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025698; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2022_05_03;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NUUO OS Command Injection"; flow:to_server,established; http.uri; content:"/handle_iscsi.php"; http.request_body; content:"act=discover&address="; fast_pattern; pcre:"/[^&]*(?:\x60|\x24)/R"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026107; rev:4; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_11_19;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NUUO OS Command Injection"; flow:to_server,established; http.uri; content:"/handle_iscsi.php"; http.request_body; content:"act=discover&address="; fast_pattern; pcre:"/[^&]*(?:\x60|\x24)/R"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026107; rev:4; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MySearch Products Spyware User-Agent (MySearch)"; flow:established,to_server; http.user_agent; content:"|20|MySearch"; reference:url,doc.emergingthreats.net/2002080; classtype:pup-activity; sid:2002080; rev:26; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MySearch Products Spyware User-Agent (MySearch)"; flow:established,to_server; http.user_agent; content:"|20|MySearch"; reference:url,doc.emergingthreats.net/2002080; classtype:pup-activity; sid:2002080; rev:26; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware-Win32/EoRezo Reporting"; flow:established,to_server; http.uri; content:"/advert/get"; nocase; pcre:"/\/advert\/get(?:ads|kws)(?:\.cgi)?\?(?:d|[ex]_dp_)id=/i"; reference:md5,b5708efc8b478274df4b03d8b7dbbb26; classtype:pup-activity; sid:2013983; rev:9; metadata:created_at 2011_12_02, former_category ADWARE_PUP, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware-Win32/EoRezo Reporting"; flow:established,to_server; http.uri; content:"/advert/get"; nocase; pcre:"/\/advert\/get(?:ads|kws)(?:\.cgi)?\?(?:d|[ex]_dp_)id=/i"; reference:md5,b5708efc8b478274df4b03d8b7dbbb26; classtype:pup-activity; sid:2013983; rev:9; metadata:created_at 2011_12_02, former_category ADWARE_PUP, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/InstallMonetizer.Adware Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"NSIS_Inetc (Mozilla)"; fast_pattern; http.request_body; content:"from="; depth:5; content:"&type="; distance:0; content:"&pubid="; distance:0; content:"&BundleVersionID="; distance:0; classtype:pup-activity; sid:2018148; rev:7; metadata:attack_target Client_Endpoint, created_at 2014_02_18, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_11_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/InstallMonetizer.Adware Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"NSIS_Inetc (Mozilla)"; fast_pattern; http.request_body; content:"from="; depth:5; content:"&type="; distance:0; content:"&pubid="; distance:0; content:"&BundleVersionID="; distance:0; classtype:pup-activity; sid:2018148; rev:7; metadata:attack_target Client_Endpoint, created_at 2014_02_18, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; content:"application/hta"; fast_pattern; nocase; bsize:15; classtype:trojan-activity; sid:2024197; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, cve 2017_0199, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; content:"application/hta"; fast_pattern; nocase; bsize:15; classtype:trojan-activity; sid:2024197; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, cve 2017_0199, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit CVE-2012-4792 EIP in URI IE 8"; flow:established,to_server; http.uri.raw; content:"/%E0%AC%B0%E0%B0%8C"; fast_pattern; http.header; content:"MSIE 8.0|3b|"; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016136; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_12_31, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2020_11_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit CVE-2012-4792 EIP in URI IE 8"; flow:established,to_server; http.uri.raw; content:"/%E0%AC%B0%E0%B0%8C"; fast_pattern; http.header; content:"MSIE 8.0|3b|"; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016136; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_12_31, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Netviewer.com Remote Control Proxy Test"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/nvserver"; http.request_body; content:"cmd="; content:"&params="; content:"Netviewer Proxy Test"; reference:url,doc.emergingthreats.net/2008472; classtype:policy-violation; sid:2008472; rev:7; metadata:created_at 2010_07_30, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Netviewer.com Remote Control Proxy Test"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/nvserver"; http.request_body; content:"cmd="; content:"&params="; content:"Netviewer Proxy Test"; reference:url,doc.emergingthreats.net/2008472; classtype:policy-violation; sid:2008472; rev:7; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Facebook Chat (settings)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/chat/settings.php"; http.header; content:"facebook.com|0d 0a|"; reference:url,doc.emergingthreats.net/2010786; classtype:policy-violation; sid:2010786; rev:7; metadata:created_at 2010_07_30, updated_at 2020_11_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Facebook Chat (settings)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/chat/settings.php"; http.header; content:"facebook.com|0d 0a|"; reference:url,doc.emergingthreats.net/2010786; classtype:policy-violation; sid:2010786; rev:7; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa INSERT"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006353; classtype:web-application-attack; sid:2006353; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa INSERT"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006353; classtype:web-application-attack; sid:2006353; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c ASCII"; flow:established,to_server; http.uri; content:"/forum.php?"; nocase; content:"c="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004168; classtype:web-application-attack; sid:2004168; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c ASCII"; flow:established,to_server; http.uri; content:"/forum.php?"; nocase; content:"c="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004168; classtype:web-application-attack; sid:2004168; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Volunteer Management id parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/mods/hours/data/get_hours.php?"; nocase; content:"take="; nocase; content:"skip="; nocase; content:"pageSize="; nocase; content:"id="; nocase; pcre:"/id\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/i"; reference:url,packetstormsecurity.org/files/112219/PHP-Volunteer-Management-1.0.2-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014647; rev:6; metadata:created_at 2012_04_28, updated_at 2020_11_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Volunteer Management id parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/mods/hours/data/get_hours.php?"; nocase; content:"take="; nocase; content:"skip="; nocase; content:"pageSize="; nocase; content:"id="; nocase; pcre:"/id\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/i"; reference:url,packetstormsecurity.org/files/112219/PHP-Volunteer-Management-1.0.2-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014647; rev:6; metadata:created_at 2012_04_28, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Koobface Checkin via POST"; flow: to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"f="; content:"&a="; content:"&v="; content:"&c="; content:"&s="; content:"&l="; content:"&ck="; content:"&c_fb="; content:"&c_ms="; content:"&c_hi="; content:"&c_be="; content:"&c_fr="; content:"&c_yb="; reference:url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094; reference:url,doc.emergingthreats.net/2009156; classtype:command-and-control; sid:2009156; rev:12; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Koobface Checkin via POST"; flow: to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"f="; content:"&a="; content:"&v="; content:"&c="; content:"&s="; content:"&l="; content:"&ck="; content:"&c_fb="; content:"&c_ms="; content:"&c_hi="; content:"&c_be="; content:"&c_fr="; content:"&c_yb="; reference:url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094; reference:url,doc.emergingthreats.net/2009156; classtype:command-and-control; sid:2009156; rev:12; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a *.pw domain - Likely Hostile"; dns.query; content:".pw"; nocase; endswith; content:!".u.pw"; endswith; nocase; classtype:bad-unknown; sid:2016778; rev:8; metadata:created_at 2013_04_20, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a *.pw domain - Likely Hostile"; dns.query; content:".pw"; nocase; endswith; content:!".u.pw"; endswith; nocase; classtype:bad-unknown; sid:2016778; rev:8; metadata:created_at 2013_04_20, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PRG/wnspoem/Zeus InfoStealer Trojan Config Download"; flow:established; http.method; content:"GET"; http.uri; content:"/cfg.bin"; nocase; fast_pattern; endswith; http.header; content:"no-cache|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2008100; classtype:trojan-activity; sid:2008100; rev:15; metadata:created_at 2010_07_30, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PRG/wnspoem/Zeus InfoStealer Trojan Config Download"; flow:established; http.method; content:"GET"; http.uri; content:"/cfg.bin"; nocase; fast_pattern; endswith; http.header; content:"no-cache|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2008100; classtype:trojan-activity; sid:2008100; rev:15; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.accept; pcre:"/^(?!m(?:ultipart|essage|odel)|a(?:pplication|udio|ccept)|(?:exampl|imag)e|video|text|\*)/i"; http.header_names; content:"|0d 0a|Accept|0d 0a|"; depth:10; fast_pattern; content:!"Referer"; content:"Accept"; reference:md5,35a6de1e8dbea19bc44cf49ae0cae59e; classtype:trojan-activity; sid:2022502; rev:7; metadata:created_at 2016_02_11, former_category MALWARE, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.accept; pcre:"/^(?!m(?:ultipart|essage|odel)|a(?:pplication|udio|ccept)|(?:exampl|imag)e|video|text|\*)/i"; http.header_names; content:"|0d 0a|Accept|0d 0a|"; depth:10; fast_pattern; content:!"Referer"; content:"Accept"; reference:md5,35a6de1e8dbea19bc44cf49ae0cae59e; classtype:trojan-activity; sid:2022502; rev:7; metadata:created_at 2016_02_11, former_category MALWARE, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .gdn Domain"; dns.query; content:".gdn"; nocase; endswith; classtype:bad-unknown; sid:2025098; rev:5; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .gdn Domain"; dns.query; content:".gdn"; nocase; endswith; classtype:bad-unknown; sid:2025098; rev:5; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Agent.qweydh CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/update.php"; endswith; fast_pattern; http.request_body; content:"data="; depth:5; pcre:"/^(?:[A-Za-z0-9%2b%2f]{4})*(?:[A-Za-z0-9%2b%2f]{2}%3d%3d|[A-Za-z0-9%2b%2f]{3}%3d|[A-Za-z0-9%2b%2f]{4})$/Rsi"; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:command-and-control; sid:2025171; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Agent.qweydh CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/update.php"; endswith; fast_pattern; http.request_body; content:"data="; depth:5; pcre:"/^(?:[A-Za-z0-9%2b%2f]{4})*(?:[A-Za-z0-9%2b%2f]{2}%3d%3d|[A-Za-z0-9%2b%2f]{3}%3d|[A-Za-z0-9%2b%2f]{4})$/Rsi"; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:command-and-control; sid:2025171; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MedusaHTTP CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux i686|3b 20|rv|3a|45.0) Gecko/20100101 Firefox/45.0"; fast_pattern; endswith; http.request_body; content:"xyz="; depth:4; content:"|7c|"; distance:0; content:"|7c|"; distance:0; http.header_names; content:!"Referer"; reference:md5,d463ee91a2d7b8482554c23bb7d9aa3d; reference:url,www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight; classtype:command-and-control; sid:2025187; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_05, deployment Perimeter, former_category MALWARE, malware_family MedusaHTTP, performance_impact Moderate, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MedusaHTTP CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux i686|3b 20|rv|3a|45.0) Gecko/20100101 Firefox/45.0"; fast_pattern; endswith; http.request_body; content:"xyz="; depth:4; content:"|7c|"; distance:0; content:"|7c|"; distance:0; http.header_names; content:!"Referer"; reference:md5,d463ee91a2d7b8482554c23bb7d9aa3d; reference:url,www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight; classtype:command-and-control; sid:2025187; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_05, deployment Perimeter, former_category MALWARE, malware_family MedusaHTTP, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DanijBot User-Agent"; flow:established,to_server; http.user_agent; content:"Botnet by Danij"; fast_pattern; depth:15; endswith; http.header_names; content:!"Referer"; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:trojan-activity; sid:2025469; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_06, deployment Perimeter, former_category TROJAN, malware_family DanijBot, performance_impact Moderate, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DanijBot User-Agent"; flow:established,to_server; http.user_agent; content:"Botnet by Danij"; fast_pattern; depth:15; endswith; http.header_names; content:!"Referer"; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:trojan-activity; sid:2025469; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_06, deployment Perimeter, former_category TROJAN, malware_family DanijBot, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] Cobalt Strike Beacon"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"|43 6f 62 61 6c 74 20 53 74 72 69 6b 65 20 42 65 61 63 6f 6e 29|"; fast_pattern; endswith; http.header_names; content:!"Referer"; classtype:targeted-activity; sid:2025635; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] Cobalt Strike Beacon"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"|43 6f 62 61 6c 74 20 53 74 72 69 6b 65 20 42 65 61 63 6f 6e 29|"; fast_pattern; endswith; http.header_names; content:!"Referer"; classtype:targeted-activity; sid:2025635; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> any any (msg:"ET MALWARE [PT MALWARE] Hacked Mikrotik C2 Request"; flow:established, to_server; threshold:type threshold, track by_src, count 1, seconds 35; http.method; content:"GET"; http.uri; content:"/mikrotik.php"; endswith; http.user_agent; content:"Mikrotik/6.x Fetch"; depth:18; endswith; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,forum.mikrotik.com/viewtopic.php?t=137217; classtype:command-and-control; sid:2026027; rev:5; metadata:created_at 2018_08_23, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> any any (msg:"ET MALWARE [PT MALWARE] Hacked Mikrotik C2 Request"; flow:established, to_server; threshold:type threshold, track by_src, count 1, seconds 35; http.method; content:"GET"; http.uri; content:"/mikrotik.php"; endswith; http.user_agent; content:"Mikrotik/6.x Fetch"; depth:18; endswith; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,forum.mikrotik.com/viewtopic.php?t=137217; classtype:command-and-control; sid:2026027; rev:5; metadata:created_at 2018_08_23, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS ESET Installer"; flow:established,to_server; threshold: type limit, track by_src, seconds 180, count 1; http.user_agent; content:"ESET Installer"; depth:14; endswith; classtype:policy-violation; sid:2027219; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_17, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, tag PUA, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS ESET Installer"; flow:established,to_server; threshold: type limit, track by_src, seconds 180, count 1; http.user_agent; content:"ESET Installer"; depth:14; endswith; classtype:policy-violation; sid:2027219; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_17, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, tag PUA, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encrypted-mail.center"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027576; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encrypted-mail.center"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027576; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encrypted-mail.global"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027577; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encrypted-mail.global"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027577; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encryptedmail.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027578; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encryptedmail.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027578; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encrypted-message.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027579; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encrypted-message.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027579; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"hrsurveypro.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027580; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"hrsurveypro.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027580; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"hrsurveyservice.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027581; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"hrsurveyservice.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027581; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ifileupload.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027582; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ifileupload.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027582; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"imail-auth.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027583; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"imail-auth.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027583; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"imail-secure.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027584; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"imail-secure.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027584; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"imail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027585; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"imail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027585; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"internal-message.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027586; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"internal-message.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027586; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"itunesrewardscode.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027587; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"itunesrewardscode.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027587; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"mcafeeonlinescanner.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027588; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"mcafeeonlinescanner.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027588; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"mcafee-scan.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027589; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"mcafee-scan.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027589; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"online-microsoft-update.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027590; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"online-microsoft-update.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027590; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"outlook-auth.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027591; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"outlook-auth.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027591; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"searscorporategiftcard.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027592; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"searscorporategiftcard.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027592; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail-corp.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027593; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail-corp.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027593; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027594; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027594; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail-online.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027595; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail-online.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027595; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027596; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027596; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secmail-us.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027597; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secmail-us.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027597; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secureimailonline.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027598; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secureimailonline.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027598; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"securemail-data.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027599; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"securemail-data.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027599; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secure-mail.global"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027600; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secure-mail.global"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027600; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"securemail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027601; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"securemail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027601; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secure-ssl.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027602; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secure-ssl.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027602; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"securessl-vpn.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027603; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"securessl-vpn.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027603; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secure-vpn.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027604; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secure-vpn.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027604; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-account.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027605; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-account.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027605; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-login.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027606; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-login.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027606; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-secure.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027607; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-secure.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027607; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-upgrade.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027608; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-upgrade.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027608; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssofiles.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027609; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssofiles.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027609; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"sso-signon.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027610; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"sso-signon.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027610; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"sso-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027611; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"sso-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027611; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"vpn-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027612; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"vpn-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027612; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"vsecuremail.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027613; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"vsecuremail.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027613; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"webex-cloud.net"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027614; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"webex-cloud.net"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027614; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"webex-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027615; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"webex-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027615; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"wu-signon.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027616; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"wu-signon.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027616; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"xmail-auth.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027617; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"xmail-auth.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027617; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"xmail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027618; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"xmail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027618; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (downloader)"; flow:to_server,established; http.user_agent; content:"downloader"; depth:10; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007885; classtype:pup-activity; sid:2007885; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (downloader)"; flow:to_server,established; http.user_agent; content:"downloader"; depth:10; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007885; classtype:pup-activity; sid:2007885; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Amadey CnC Check-In"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"id="; depth:3; nocase; content:"&vs="; nocase; content:"&ar="; nocase; content:"&bi="; nocase; content:"&lv="; nocase; content:"&os="; nocase; content:"&av="; nocase; fast_pattern; reference:md5,a83a58cbcd200461b1a80de45e436d9c; classtype:command-and-control; sid:2027700; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Amadey, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Amadey CnC Check-In"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"id="; depth:3; nocase; content:"&vs="; nocase; content:"&ar="; nocase; content:"&bi="; nocase; content:"&lv="; nocase; content:"&os="; nocase; content:"&av="; nocase; fast_pattern; reference:md5,a83a58cbcd200461b1a80de45e436d9c; classtype:command-and-control; sid:2027700; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Amadey, updated_at 2022_05_03;)
 
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Unomi MVEL Eval RCE Inbound M1 (CVE-2020-13942)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"condition|22 3a|"; content:"|22|script|3a 3a|"; distance:0; fast_pattern; reference:url,www.checkmarx.com/blog/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/; reference:cve,2020-13942; classtype:attempted-admin; sid:2031219; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2020_11_19, cve CVE_2020_13942, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Usteal.B Checkin"; flow:to_server,established; http.uri; content:"/ufr.php"; fast_pattern; http.request_body; content:"name="; content:"filename="; content:"UFR|21|"; reference:md5,3155b146bee46723acc5637617e3703a; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FUsteal.B&ThreatID=-2147320862; classtype:command-and-control; sid:2014616; rev:8; metadata:created_at 2011_11_16, former_category MALWARE, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Usteal.B Checkin"; flow:to_server,established; http.uri; content:"/ufr.php"; fast_pattern; http.request_body; content:"name="; content:"filename="; content:"UFR|21|"; reference:md5,3155b146bee46723acc5637617e3703a; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FUsteal.B&ThreatID=-2147320862; classtype:command-and-control; sid:2014616; rev:8; metadata:created_at 2011_11_16, former_category MALWARE, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ksapp.A Checkin"; flow:to_server,established; http.uri; content:"/kspp/do?imei="; fast_pattern; content:"&wid="; content:"&type="; content:"&step="; reference:md5,e6d9776113b29680aec73ac2d1445946; reference:url,symantec.com/connect/blogs/mdk-largest-mobile-botnet-china; reference:md5,13e6ce4aac7e60b10bfde091c09b9d88; reference:url,anubis.iseclab.org/?action=result&task_id=16b7814b794cd728435e122ca2c2fcdd3; reference:url,www.fortiguard.com/latest/mobile/4158213; classtype:trojan-activity; sid:2016318; rev:9; metadata:affected_product Android, attack_target Mobile_Client, created_at 2012_12_12, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_11_19, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ksapp.A Checkin"; flow:to_server,established; http.uri; content:"/kspp/do?imei="; fast_pattern; content:"&wid="; content:"&type="; content:"&step="; reference:md5,e6d9776113b29680aec73ac2d1445946; reference:url,symantec.com/connect/blogs/mdk-largest-mobile-botnet-china; reference:md5,13e6ce4aac7e60b10bfde091c09b9d88; reference:url,anubis.iseclab.org/?action=result&task_id=16b7814b794cd728435e122ca2c2fcdd3; reference:url,www.fortiguard.com/latest/mobile/4158213; classtype:trojan-activity; sid:2016318; rev:9; metadata:affected_product Android, attack_target Mobile_Client, created_at 2012_12_12, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2022_05_03, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Unomi OGNL Eval RCE Inbound M2 (CVE-2020-13942)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"condition|22 3a|"; content:"getClass|28|"; distance:0; nocase; content:".runtime"; distance:0; nocase; content:"getDeclaredMethods|28|"; distance:0; fast_pattern; content:".invoke|28|"; distance:0; reference:url,www.checkmarx.com/blog/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/; reference:cve,2020-13942; classtype:attempted-admin; sid:2031220; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2020_11_19, cve CVE_2020_13942, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kelihos.F Checkin"; flow:established,to_server; urilen:<13; http.method; content:"GET"; http.uri; content:".htm"; fast_pattern; pcre:"/^\/[^\x2f]+?\.htm$/"; http.header; content:"Content-Length|3a 20|"; content:!"0|0d 0a|"; within:3; content:"|0d 0a|"; distance:0; http.user_agent; content:!"BridgitAgent"; http.header_names; content:!"Accept"; content:!"Referer"; content:!"Content-Type"; reference:md5,00db349caf2eefc3be5ee30b8b8947a2; classtype:command-and-control; sid:2017191; rev:6; metadata:created_at 2013_07_24, former_category MALWARE, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kelihos.F Checkin"; flow:established,to_server; urilen:<13; http.method; content:"GET"; http.uri; content:".htm"; fast_pattern; pcre:"/^\/[^\x2f]+?\.htm$/"; http.header; content:"Content-Length|3a 20|"; content:!"0|0d 0a|"; within:3; content:"|0d 0a|"; distance:0; http.user_agent; content:!"BridgitAgent"; http.header_names; content:!"Accept"; content:!"Referer"; content:!"Content-Type"; reference:md5,00db349caf2eefc3be5ee30b8b8947a2; classtype:command-and-control; sid:2017191; rev:6; metadata:created_at 2013_07_24, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK PDF URI Struct"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".pdf"; fast_pattern; content:"/1"; pcre:"/\/1(?:3[89]\d{7}|4\d{8})\.pdf$/"; http.header; pcre:"/^Referer\x3a[^\r\n]+?\/[a-z0-9A-Z\_\-]{26,}\.html(?:\x3a\d{1,5})?\r$/m"; classtype:exploit-kit; sid:2017636; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_28, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK PDF URI Struct"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".pdf"; fast_pattern; content:"/1"; pcre:"/\/1(?:3[89]\d{7}|4\d{8})\.pdf$/"; http.header; pcre:"/^Referer\x3a[^\r\n]+?\/[a-z0-9A-Z\_\-]{26,}\.html(?:\x3a\d{1,5})?\r$/m"; classtype:exploit-kit; sid:2017636; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_28, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK URI Struct"; flow:established,to_server; http.uri; content:"/3/"; fast_pattern; pcre:"/\/3\/(?:M[ABCDFGHIJKMOPSTUZ]|E[ABDEGIJKMNPRSVY]|R[ABCEFGHIKLMNPST]|G[ABCEGKMNPSTUV]|A[BCGLMNPQSUVZ]|O[ABCDFIJMNRST]|S[ABEGILMPRSUW]|T[ABEGHILMPSTY]|N[BCGHIKMPSTV]|I[ABCFGKLNSV]|L[ABCGIMNPST]|W[ABCGKMPRTZ]|Z[ABCDKMNSTU]|F[ABCGMNPTW]|H[BCEGKMPST]|K[CDFHLMPST]|U[ACGHLMNRV]|Y[BCGKLMPSU]|C[CELMNSTV]|D[ABCGIMST]|V[BCLMST]|J[BDFST]|P[GJKMN]|Q[ABGIM]|B[BGLS]|X[ACMS])\/[a-f0-9]{32}(?:\.[^\x2f]+|\/\d+\.\d+\.\d+\.\d+\/?)?$/"; classtype:exploit-kit; sid:2018534; rev:6; metadata:created_at 2014_06_05, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK URI Struct"; flow:established,to_server; http.uri; content:"/3/"; fast_pattern; pcre:"/\/3\/(?:M[ABCDFGHIJKMOPSTUZ]|E[ABDEGIJKMNPRSVY]|R[ABCEFGHIKLMNPST]|G[ABCEGKMNPSTUV]|A[BCGLMNPQSUVZ]|O[ABCDFIJMNRST]|S[ABEGILMPRSUW]|T[ABEGHILMPSTY]|N[BCGHIKMPSTV]|I[ABCFGKLNSV]|L[ABCGIMNPST]|W[ABCGKMPRTZ]|Z[ABCDKMNSTU]|F[ABCGMNPTW]|H[BCEGKMPST]|K[CDFHLMPST]|U[ACGHLMNRV]|Y[BCGKLMPSU]|C[CELMNSTV]|D[ABCGIMST]|V[BCLMST]|J[BDFST]|P[GJKMN]|Q[ABGIM]|B[BGLS]|X[ACMS])\/[a-f0-9]{32}(?:\.[^\x2f]+|\/\d+\.\d+\.\d+\.\d+\/?)?$/"; classtype:exploit-kit; sid:2018534; rev:6; metadata:created_at 2014_06_05, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Zollard PHP Exploit UA Outbound"; flow:established,to_server; http.user_agent; content:"Zollard"; nocase; fast_pattern; reference:cve,2012-1823; reference:url,blogs.cisco.com/security/the-internet-of-everything-including-malware/; classtype:trojan-activity; sid:2017825; rev:6; metadata:created_at 2013_12_10, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Zollard PHP Exploit UA Outbound"; flow:established,to_server; http.user_agent; content:"Zollard"; nocase; fast_pattern; reference:cve,2012-1823; reference:url,blogs.cisco.com/security/the-internet-of-everything-including-malware/; classtype:trojan-activity; sid:2017825; rev:6; metadata:created_at 2013_12_10, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyreza RAT Checkin 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_W"; content:"|2e|"; distance:6; within:1; content:"/replace/"; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,4d1d43789e038c6a03c07083ca0b0809; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:command-and-control; sid:2018749; rev:9; metadata:created_at 2014_07_21, former_category MALWARE, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyreza RAT Checkin 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_W"; content:"|2e|"; distance:6; within:1; content:"/replace/"; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,4d1d43789e038c6a03c07083ca0b0809; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:command-and-control; sid:2018749; rev:9; metadata:created_at 2014_07_21, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body"; flow:established,to_server; http.request_body; content:"|28 29 20 7b|"; fast_pattern; pcre:"/(?:^|[=?&])\s*?\x28\x29\x20\x7b/"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019233; rev:7; metadata:created_at 2014_09_25, updated_at 2020_11_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body"; flow:established,to_server; http.request_body; content:"|28 29 20 7b|"; fast_pattern; pcre:"/(?:^|[=?&])\s*?\x28\x29\x20\x7b/"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019233; rev:7; metadata:created_at 2014_09_25, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cryptolocker Checkin"; flow:established,to_server; urilen:11; http.method; content:"POST"; http.uri; content:"/random.php"; fast_pattern; http.user_agent; content:"Mozilla/5."; pcre:"/^\d{2,7}$/R"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,01be3fc3243d582d9f93d01401c4f95e; classtype:command-and-control; sid:2019353; rev:6; metadata:created_at 2014_10_03, former_category MALWARE, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cryptolocker Checkin"; flow:established,to_server; urilen:11; http.method; content:"POST"; http.uri; content:"/random.php"; fast_pattern; http.user_agent; content:"Mozilla/5."; pcre:"/^\d{2,7}$/R"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,01be3fc3243d582d9f93d01401c4f95e; classtype:command-and-control; sid:2019353; rev:6; metadata:created_at 2014_10_03, former_category MALWARE, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransom.Win32.Blocker.fwlm Checkin"; flow:established,to_server; urilen:497; http.method; content:"GET"; http.uri; content:".bin"; fast_pattern; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\.bin$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,vxsecurity.sg/2014/10/25/technical-teardown-hongkong-protest-malware/; classtype:command-and-control; sid:2019538; rev:5; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_11_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransom.Win32.Blocker.fwlm Checkin"; flow:established,to_server; urilen:497; http.method; content:"GET"; http.uri; content:".bin"; fast_pattern; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\.bin$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,vxsecurity.sg/2014/10/25/technical-teardown-hongkong-protest-malware/; classtype:command-and-control; sid:2019538; rev:5; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2022_05_03;)
 
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Citrix XenMobile Server Directory Traversal Attempt Inbound (CVE-2020-8209)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?sbFileName=../"; fast_pattern; reference:url,github.com/B1anda0/CVE-2020-8209/blob/main/CVE-2020-8209.py; reference:cve,2020-8209; classtype:attempted-admin; sid:2031221; rev:1; metadata:attack_target Server, created_at 2020_11_19, cve CVE_2020_8209, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Mailer CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php?action="; fast_pattern; content:"&sent_all="; content:"&sent_success="; distance:0; content:"&active_connections="; distance:0; content:"&queue_connections="; distance:0; http.user_agent; content:"Send Mail"; depth:9; http.header_names; content:!"Referer|0d 0a|"; reference:md5,57e546330fd3a4658dff0e29cbb98214; classtype:command-and-control; sid:2020329; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Mailer CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php?action="; fast_pattern; content:"&sent_all="; content:"&sent_success="; distance:0; content:"&active_connections="; distance:0; content:"&queue_connections="; distance:0; http.user_agent; content:"Send Mail"; depth:9; http.header_names; content:!"Referer|0d 0a|"; reference:md5,57e546330fd3a4658dff0e29cbb98214; classtype:command-and-control; sid:2020329; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Bayrob Keepalive"; flow:established,to_server; urilen:9; http.method; content:"GET"; http.uri; content:"/isup.php"; fast_pattern; http.header.raw; content:"Accept-Encoding|3a 20 20 20 20 20 20 20 20 20 20 20 20 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,a4a3fab712b04ee901f491d4c704b138; classtype:trojan-activity; sid:2020621; rev:6; metadata:created_at 2015_03_05, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Bayrob Keepalive"; flow:established,to_server; urilen:9; http.method; content:"GET"; http.uri; content:"/isup.php"; fast_pattern; http.header.raw; content:"Accept-Encoding|3a 20 20 20 20 20 20 20 20 20 20 20 20 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,a4a3fab712b04ee901f491d4c704b138; classtype:trojan-activity; sid:2020621; rev:6; metadata:created_at 2015_03_05, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE W32/Farfli.BHQ!tr Dropper CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/do.asp?search="; fast_pattern; http.header; pcre:"/^Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x3A\d{1,5}\r?$/mi"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,93be88ad3816c19d74155f8cd3aae1d2; classtype:command-and-control; sid:2020913; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE W32/Farfli.BHQ!tr Dropper CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/do.asp?search="; fast_pattern; http.header; pcre:"/^Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x3A\d{1,5}\r?$/mi"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,93be88ad3816c19d74155f8cd3aae1d2; classtype:command-and-control; sid:2020913; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Nette Command Injection Attempt Inbound (CVE-2020-15227)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nette"; content:"?callback=shell_exec"; distance:0; fast_pattern; reference:url,github.com/hu4wufu/CVE-2020-15227/blob/master/exploit-CVE-2020-15227.py; reference:cve,2020-15227; classtype:attempted-admin; sid:2031222; rev:1; metadata:attack_target Server, created_at 2020_11_19, cve CVE_2020_15227, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE APT Lurker POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; fast_pattern; pcre:"/\.php$/"; http.header; content:"HOST|3a|"; depth:5; content:"User-Agent|3a|"; distance:0; pcre:"/^Host\x3a[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\nContent-Length\x3a\x20\d+\r\n(?:\r\n)?$/mi"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c5a8e09295b852a6e32186374b66e1a7; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021584; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_08_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE APT Lurker POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; fast_pattern; pcre:"/\.php$/"; http.header; content:"HOST|3a|"; depth:5; content:"User-Agent|3a|"; distance:0; pcre:"/^Host\x3a[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\nContent-Length\x3a\x20\d+\r\n(?:\r\n)?$/mi"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c5a8e09295b852a6e32186374b66e1a7; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021584; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_08_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Matahari client"; flow:to_server,established; http.header; content:"Accept|2d|Encoding|3a 20|identity|0d 0a|"; content:"Next|2d|Polling"; fast_pattern; content:"Content|2d|Salt|3a 20|"; pcre:"/Content\x2dSalt\x3a\x20[0-9\.\-]+\x0d\x0a/i"; reference:url,doc.emergingthreats.net/2010795; classtype:trojan-activity; sid:2010795; rev:13; metadata:created_at 2010_07_30, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Matahari client"; flow:to_server,established; http.header; content:"Accept|2d|Encoding|3a 20|identity|0d 0a|"; content:"Next|2d|Polling"; fast_pattern; content:"Content|2d|Salt|3a 20|"; pcre:"/Content\x2dSalt\x3a\x20[0-9\.\-]+\x0d\x0a/i"; reference:url,doc.emergingthreats.net/2010795; classtype:trojan-activity; sid:2010795; rev:13; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw/SlemBunk/SLocker Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:",|22|model|22 3a|"; content:",|22|apps|22 3a 5b 22|"; content:",|22|imei|22 3a|"; fast_pattern; pcre:"/^\{\x22(?:os|type)\x22\x3a/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:md5,a83ce290469654002bcc64062c39387c; reference:url,www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022288; rev:8; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_12_21, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_11_19, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw/SlemBunk/SLocker Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:",|22|model|22 3a|"; content:",|22|apps|22 3a 5b 22|"; content:",|22|imei|22 3a|"; fast_pattern; pcre:"/^\{\x22(?:os|type)\x22\x3a/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:md5,a83ce290469654002bcc64062c39387c; reference:url,www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022288; rev:8; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_12_21, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2022_05_03, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Glupteba/ClIEcker CnC Checkin"; flow:established,to_server; http.uri; content:"&downlink="; content:"&uplink="; content:"&id="; content:"&statpass="; fast_pattern; content:"&version="; content:"&features="; content:"&guid="; content:"&comment="; reference:url,blog.eset.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs; classtype:command-and-control; sid:2013293; rev:7; metadata:created_at 2011_07_19, former_category MALWARE, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Glupteba/ClIEcker CnC Checkin"; flow:established,to_server; http.uri; content:"&downlink="; content:"&uplink="; content:"&id="; content:"&statpass="; fast_pattern; content:"&version="; content:"&features="; content:"&guid="; content:"&comment="; reference:url,blog.eset.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs; classtype:command-and-control; sid:2013293; rev:7; metadata:created_at 2011_07_19, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot User-Agent (Charon/Inferno)"; flow:established,to_server; http.user_agent; content:"(Charon|3b 20|Inferno)"; fast_pattern; classtype:trojan-activity; sid:2021641; rev:9; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot User-Agent (Charon/Inferno)"; flow:established,to_server; http.user_agent; content:"(Charon|3b 20|Inferno)"; fast_pattern; classtype:trojan-activity; sid:2021641; rev:9; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Macro DL EXE Feb 2016 (WinHTTPRequest)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; nocase; fast_pattern; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|osts?\/[a-z0-9]+|rogcicicic)|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|in(?:voice\/[^\x2f]+|fos?)|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|keem)\.exe$)/i"; http.header; content:"WinHttp.WinHttpRequest."; http.host; content:!"download.nai.com"; classtype:trojan-activity; sid:2022658; rev:8; metadata:created_at 2016_03_24, former_category CURRENT_EVENTS, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Macro DL EXE Feb 2016 (WinHTTPRequest)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; nocase; fast_pattern; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|osts?\/[a-z0-9]+|rogcicicic)|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|in(?:voice\/[^\x2f]+|fos?)|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|keem)\.exe$)/i"; http.header; content:"WinHttp.WinHttpRequest."; http.host; content:!"download.nai.com"; classtype:trojan-activity; sid:2022658; rev:8; metadata:created_at 2016_03_24, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Slideshow Gallery 1.4.6 - Shell Upload"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"application/x-httpd-php"; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|"; pcre:"/^[^\r]*?name=[\x22\x27]image_file"\x3b[^(?>\r\n|\n|\r)]*?(?>\r\n|\n|\r)(?>\r\n|\n|\r)?Content-Type: application\/x-httpd-php/Rsi"; reference:url,www.exploit-db.com/exploits/34681/; reference:cve,2014-5460; classtype:trojan-activity; sid:2019728; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_11_18, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Slideshow Gallery 1.4.6 - Shell Upload"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"application/x-httpd-php"; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|"; pcre:"/^[^\r]*?name=[\x22\x27]image_file"\x3b[^(?>\r\n|\n|\r)]*?(?>\r\n|\n|\r)(?>\r\n|\n|\r)?Content-Type: application\/x-httpd-php/Rsi"; reference:url,www.exploit-db.com/exploits/34681/; reference:cve,2014-5460; classtype:trojan-activity; sid:2019728; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_11_18, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Vulnerable iTunes Version 10.6.x"; flow:established,to_server; flowbits:set,ET.iTunes.vuln; flowbits:noalert; http.header; pcre:"/^User-Agent\x3a\x20iTunes\/10\.6\.[0-1]/m"; http.user_agent; content:"iTunes/10.6."; depth:12; classtype:policy-violation; sid:2014954; rev:12; metadata:created_at 2012_06_25, updated_at 2020_11_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Vulnerable iTunes Version 10.6.x"; flow:established,to_server; flowbits:set,ET.iTunes.vuln; flowbits:noalert; http.header; pcre:"/^User-Agent\x3a\x20iTunes\/10\.6\.[0-1]/m"; http.user_agent; content:"iTunes/10.6."; depth:12; classtype:policy-violation; sid:2014954; rev:12; metadata:created_at 2012_06_25, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.header; content:"DNT|3a 20|1|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6."; startswith; http.request_body; content:!"."; content:"%2F"; fast_pattern; http.content_len; byte_test:0,<,800,0,string,dec; byte_test:0,>,300,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[A-Z0-9a-z]{2,25}){1,5})\sHTTP\/1\.1\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?:\x3a[0-9]{2,5})?(?P=urivar)\r\n/"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|DNT|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:93; reference:md5,e5fecd3be1747f6a934f70e921399a10; classtype:command-and-control; sid:2029059; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andromeda Checkin Dec 29 2014"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/4.0"; depth:11; endswith; http.request_body; content:"EPF#"; depth:4; fast_pattern; http.connection; content:"close"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,7a1ad388bdcebcbc4cc48a2eff71775f; classtype:command-and-control; sid:2020076; rev:5; metadata:created_at 2014_12_29, former_category MALWARE, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andromeda Checkin Dec 29 2014"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/4.0"; depth:11; endswith; http.request_body; content:"EPF#"; depth:4; fast_pattern; http.connection; content:"close"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,7a1ad388bdcebcbc4cc48a2eff71775f; classtype:command-and-control; sid:2020076; rev:5; metadata:created_at 2014_12_29, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 3"; flow:established,to_server; urilen:1; http.request_line; content:"POST / 1.1"; depth:10; endswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|"; depth:28; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,789ee114125a6e1db363b505a643c03d; classtype:command-and-control; sid:2021632; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 3"; flow:established,to_server; urilen:1; http.request_line; content:"POST / 1.1"; depth:10; endswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|"; depth:28; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,789ee114125a6e1db363b505a643c03d; classtype:command-and-control; sid:2021632; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FTCode Stealer CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"l=dj0"; depth:5; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/Rs"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,www.malware-traffic-analysis.net/2020/04/02/index.html; classtype:command-and-control; sid:2029803; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Ouija_x.86)"; flow:established,to_server; http.user_agent; content:!"OuijaBoardWigi"; content:"Ouija"; startswith; classtype:trojan-activity; sid:2028990; rev:6; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Ouija_x.86)"; flow:established,to_server; http.user_agent; content:!"OuijaBoardWigi"; content:"Ouija"; startswith; classtype:trojan-activity; sid:2028990; rev:6; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Ahmyth.f (DNS Lookup)"; dns.query; content:"tryanotherhorse.com"; endswith; reference:md5,cf71ba878434605a3506203829c63b9d; classtype:domain-c2; sid:2030822; rev:3; metadata:attack_target Mobile_Client, created_at 2020_09_02, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Ahmyth, signature_severity Critical, tag Android, updated_at 2020_11_19;)
 
@@ -59802,7 +59322,7 @@ alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS P
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multi-Email Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function popupwnd(url,"; nocase; fast_pattern; content:"var popupwindow = this.open(url,"; nocase; distance:0; content:"href=|22|javascript:popupwnd("; nocase; distance:0; content:"href=|22|javascript:popupwnd("; nocase; distance:0; content:"href=|22|javascript:popupwnd("; nocase; distance:0; content:!".jpg',no','no',no'"; nocase; distance:0; content:!".pdf,no','no',no'"; nocase; distance:0; content:!".SlideMenu1_Folder div"; content:!"PhotoGallery"; nocase; classtype:social-engineering; sid:2026047; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_12_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT AsusWRT RT-AC750GF Cross-Site Request Forgery"; flow:from_server,established; file.data; content:"<form action=|22|http://router.asus.com/findasus.cgi|22 20|method=|22|POST|22|>"; nocase; content:"name=|22|action_mode|22 20|value=|22|refresh_networkmap|22|"; nocase; distance:0; content:"start_apply.htm?productid="; nocase; distance:0; content:"&current_page=Advanced_System_Content.asp"; nocase; distance:0; content:"&next_page=Advanced_System_Content.asp"; nocase; distance:0; fast_pattern; content:"&action_mode=apply"; nocase; distance:0; content:"&http_username="; nocase; distance:0; content:"&http_passwd="; nocase; distance:0; content:"&sshd_enable="; nocase; distance:0; reference:url,www.exploit-db.com/exploits/44937/; classtype:web-application-attack; sid:2025736; rev:5; metadata:attack_target Networking_Equipment, created_at 2018_06_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_12_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT AsusWRT RT-AC750GF Cross-Site Request Forgery"; flow:from_server,established; file.data; content:"<form action=|22|http://router.asus.com/findasus.cgi|22 20|method=|22|POST|22|>"; nocase; content:"name=|22|action_mode|22 20|value=|22|refresh_networkmap|22|"; nocase; distance:0; content:"start_apply.htm?productid="; nocase; distance:0; content:"&current_page=Advanced_System_Content.asp"; nocase; distance:0; content:"&next_page=Advanced_System_Content.asp"; nocase; distance:0; fast_pattern; content:"&action_mode=apply"; nocase; distance:0; content:"&http_username="; nocase; distance:0; content:"&http_passwd="; nocase; distance:0; content:"&sshd_enable="; nocase; distance:0; reference:url,www.exploit-db.com/exploits/44937/; classtype:web-application-attack; sid:2025736; rev:5; metadata:attack_target Networking_Equipment, created_at 2018_06_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Acunetix scan in progress acunetix_wvs_security_test in http_uri"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.uri; content:"acunetix_wvs_security_test"; fast_pattern; reference:url,www.acunetix.com/; classtype:web-application-attack; sid:2023687; rev:7; metadata:affected_product Any, attack_target Web_Server, created_at 2016_12_28, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
 
@@ -59844,7 +59364,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Gener
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkIRC Bot CnC Domain Lookup"; dns.query; content:"cnc."; startswith; fast_pattern; content:".xyz"; endswith; bsize:22; pcre:"/^cnc\.[a-fA-F0-9]{14}.xyz$/"; reference:url,blogs.juniper.net/en-us/threat-research/darkirc-bot-exploits-oracle-weblogic-vulnerability; classtype:command-and-control; sid:2031260; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenMRS Deserialization Vulnerability CVE-2018-19276 M2"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"<string>"; content:"</string>"; distance:0; content:"<string>"; distance:0; content:"</string>"; distance:0; content:"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"; fast_pattern; reference:url,www.exploit-db.com/exploits/46327; reference:cve,2018-19276; classtype:attempted-admin; sid:2031259; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2020_12_04, cve CVE_2018_19276, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_12_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenMRS Deserialization Vulnerability CVE-2018-19276 M2"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"<string>"; content:"</string>"; distance:0; content:"<string>"; distance:0; content:"</string>"; distance:0; content:"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"; fast_pattern; reference:url,www.exploit-db.com/exploits/46327; reference:cve,2018-19276; classtype:attempted-admin; sid:2031259; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2020_12_04, cve CVE_2018_19276, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Blacktech Plead CnC Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?m="; pcre:"/^[^&]+&[a-z]=[^&]+&[a-z]=[A-F0-9]+$/Rsi"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Win32)"; bsize:41; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,2250fec29baf44d9d2c123ae037fce9c; reference:url,twitter.com/GlobalNTT_JP/status/1517061187107946496; classtype:trojan-activity; sid:2036308; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_04, deployment Perimeter, former_category MALWARE, malware_family BlackTech, signature_severity Major, updated_at 2022_04_22;)
 
@@ -59918,7 +59438,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye]
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice GET]"; flow:established,to_server; content:"sess-="; content:"auth=0|3b|loc=US|7d|"; fast_pattern; http.method; content:"GET"; http.uri; pcre:"/^(?:\/updates|\/license\/eula|\/docs\/office|\/software-activation)/"; http.accept; content:"*/*"; http.accept_enc; content:"gzip, deflate, br"; startswith; http.accept_lang; content:"en-US"; bsize:5; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031290; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES GET]"; flow:established,to_server; content:"nyt-a="; content:"nyt-gdpr=0|3b|nyt-purr=cfh|3b|nyt-geo=US}"; fast_pattern; http.method; content:"GET"; http.accept; content:"*/*"; depth:3; http.accept_enc; content:"gzip, deflate, br"; depth:17; http.accept_lang; content:"en-US,en|3b|q=0.5"; startswith; http.request_line; pcre:"/^GET\s(?:\/(?:(?:v(?:i-assets\/static-asset|[12]\/preference)|idcta\/translation)s|ads\/google))/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031276; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES GET]"; flow:established,to_server; content:"nyt-a="; content:"nyt-gdpr=0|3b|nyt-purr=cfh|3b|nyt-geo=US}"; fast_pattern; http.method; content:"GET"; http.accept; content:"*/*"; depth:3; http.accept_enc; content:"gzip, deflate, br"; depth:17; http.accept_lang; content:"en-US,en|3b|q=0.5"; startswith; http.request_line; pcre:"/^GET\s(?:\/(?:(?:v(?:i-assets\/static-asset|[12]\/preference)|idcta\/translation)s|ads\/google))/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031276; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[Yelp Request]"; flow:established,to_server; http.cookie; content:"hl=en|3b|bse="; startswith; fast_pattern; pcre:"/^(?:[a-zA-Z0-9+\/]{4})*(?:[a-zA-Z0-9_\/\+\-]{2}==|[a-zA-Z0-9_\/\+\-]{3}=|[a-zA-Z0-9_\/\+\-]{4})\x3b/"; content:"|3b|_gat_global=1|3b|recent_locations|3b|_gat_www=1|3b|"; endswith; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031289; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
@@ -60262,7 +59782,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Nitol.K Vari
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Randrew.A CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?A="; fast_pattern; pcre:"/^[A-Z0-9\-]{30,42}$/R"; http.header; content:"Accept-Language|3a 20|zh-TW"; http.header_names; content:"Referer|0d 0a|"; content:!"Cache"; reference:md5,344c04216840312cad17b6610b723825; classtype:command-and-control; sid:2025145; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_11, deployment Perimeter, former_category MALWARE, malware_family Randrew_A, performance_impact Low, signature_severity Major, updated_at 2020_12_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransom.Win32.Birele.gsg Checkin"; flow:established,to_server; http.uri; content:".html"; pcre:"/^\/\d+?\/\d+?\.html$/i"; http.header; content:"From|3a| "; depth:6; pcre:"/^\d+?\r\n/Ri"; content:"Via|3a| "; content:!"1|2e|"; within:2; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,116aaaa5765228d61501322b02a6a3b1; reference:md5,2e66f39a263cb2e95425847b60ee2a93; reference:md5,0ea9b34e9d77b5a4ef5170406ed1aaed; classtype:command-and-control; sid:2015786; rev:5; metadata:created_at 2012_10_10, former_category MALWARE, updated_at 2020_12_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransom.Win32.Birele.gsg Checkin"; flow:established,to_server; http.uri; content:".html"; pcre:"/^\/\d+?\/\d+?\.html$/i"; http.header; content:"From|3a| "; depth:6; pcre:"/^\d+?\r\n/Ri"; content:"Via|3a| "; content:!"1|2e|"; within:2; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,116aaaa5765228d61501322b02a6a3b1; reference:md5,2e66f39a263cb2e95425847b60ee2a93; reference:md5,0ea9b34e9d77b5a4ef5170406ed1aaed; classtype:command-and-control; sid:2015786; rev:5; metadata:created_at 2012_10_10, former_category MALWARE, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/IcedID Requesting Encoded Binary M5"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Cookie|3a 20|__io_r="; fast_pattern; http.cookie; content:"__io_r="; startswith; content:"|3b 20|__io_vl="; distance:0; content:"|3b 20|__io_bl="; distance:0; content:"|3b 20|Session_id="; distance:0; content:"|3b 20|__io_uniq="; distance:0; content:"|3b 20|__io_f="; isdataat:!38,relative; pcre:"/^__io_r=[0-9]{10}_[01]_[0-9]{4,5}_[0-9]{7,8}_[0-9]{1,2}\x3b\x20__io_vl=[0-9]_[0-9]{6}_[0-9]{3}_[0-9]{2}\x3b\x20__io_bl=[0-9]{1,2}:[0-9]:[0-9]{4,5}:[0-9]{2}\x3b\x20Session_id=[0-9A-F]{12}\x3b\x20__io_uniq=[0-9A-F]{8,22}_[0-9A-F]{12,20}\x3b\x20__io_f=[0-9]{2}::[0-9]{10}::[0-9]{9,10}::[0-9]{9,10}$/"; http.header_names; bsize:30; content:"|0d 0a|Connection|0d 0a|Cookie|0d 0a|Host|0d 0a 0d 0a|"; classtype:command-and-control; sid:2031298; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family IcedID, performance_impact Moderate, signature_severity Major, updated_at 2020_12_18;)
 
@@ -60282,11 +59802,11 @@ alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Ma
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"function Pilih1("; nocase; fast_pattern; content:"document.getElementById(|22|xmailer"; nocase; distance:0; classtype:web-application-attack; sid:2031438; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_21, deployment Perimeter, signature_severity Major, updated_at 2020_12_21;)
 
-alert http any any -> any any (msg:"ET MALWARE Possible MSIL/Solorigate.G!dha/SUPERNOVA Webshell Access Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/logoimagehandler.ashx"; content:"clazz="; fast_pattern; content:"method="; content:"args="; content:"codes="; http.header_names; content:!"Referer"; reference:url,www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect; reference:url,unit42.paloaltonetworks.com/solarstorm-supernova; classtype:trojan-activity; sid:2031436; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2020_12_21, deployment Perimeter, former_category MALWARE, malware_family Solorigate, signature_severity Major, updated_at 2020_12_21;)
+alert http any any -> any any (msg:"ET MALWARE Possible MSIL/Solorigate.G!dha/SUPERNOVA Webshell Access Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/logoimagehandler.ashx"; content:"clazz="; fast_pattern; content:"method="; content:"args="; content:"codes="; http.header_names; content:!"Referer"; reference:url,www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect; reference:url,unit42.paloaltonetworks.com/solarstorm-supernova; classtype:trojan-activity; sid:2031436; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2020_12_21, deployment Perimeter, former_category MALWARE, malware_family Solorigate, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Redirect to Download EXE from Bitbucket"; flow:established,to_client; http.stat_code; content:"302"; http.location; content:"https://bitbucket.org"; startswith; content:".exe"; endswith; classtype:bad-unknown; sid:2026515; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_17, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_12_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO 3XX redirect to data URL"; flow:from_server,established; http.stat_code; content:"3"; depth:1; http.location; content:"data|3a|"; fast_pattern; depth:5; classtype:misc-activity; sid:2015674; rev:6; metadata:created_at 2012_09_05, updated_at 2020_12_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO 3XX redirect to data URL"; flow:from_server,established; http.stat_code; content:"3"; depth:1; http.location; content:"data|3a|"; fast_pattern; depth:5; classtype:misc-activity; sid:2015674; rev:6; metadata:created_at 2012_09_05, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Redirect M1 Feb 24 2017"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:".php?cmd=_update-information&account_bank="; nocase; fast_pattern; content:"&dispatch="; distance:32; within:10; nocase; http.content_len; byte_test:0,=,0,0,string,dec; classtype:social-engineering; sid:2024016; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, tag Phishing, updated_at 2020_12_22;)
 
@@ -60346,7 +59866,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET COINMINER Win32/Ymacco.A
 
 alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET COINMINER Win32/Ymacco.AA2F Checking (Multiple OS)"; flow:established,to_server; http.start; content:"GET /banner HTTP"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; isdataat:!1,relative; reference:url,twitter.com/luc4m/status/1340737667961679881; classtype:coin-mining; sid:2031465; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category COINMINER, performance_impact Low, signature_severity Minor, updated_at 2020_12_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE NuggetPhantom Module Download Request"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:".moe"; endswith; fast_pattern; pcre:"/^\/[a-fA-F0-9]{8}\.moe$/"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; reference:url,blog.nsfocusglobal.com/wp-content/uploads/2018/10/NuggetPhantom-Analysis-Report-V4.1.pdf; classtype:command-and-control; sid:2031467; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE NuggetPhantom Module Download Request"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:".moe"; endswith; fast_pattern; pcre:"/^\/[a-fA-F0-9]{8}\.moe$/"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; reference:url,blog.nsfocusglobal.com/wp-content/uploads/2018/10/NuggetPhantom-Analysis-Report-V4.1.pdf; classtype:command-and-control; sid:2031467; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Clydesdale Bank Phish 2020-12-30"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"uzername="; depth:9; nocase; fast_pattern; content:"&ip="; nocase; distance:0; content:"&ua="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2031468; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
@@ -60388,14 +59908,6 @@ alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Apple Phishi
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Panel Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>--> Ermecca Panel <--"; nocase; fast_pattern; classtype:web-application-attack; sid:2031484; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_06, deployment Perimeter, signature_severity Major, updated_at 2021_01_06;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SSLv2 Used in Session"; flow:to_server,established; ssl_version:sslv2;  reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031488; rev:1; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2021_01_06;)
-
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SSLv3 Used in Session"; flow:to_server,established; ssl_version:sslv3;  reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031489; rev:1; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2021_01_06;)
-
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TLSv1.1 Used in Session"; flow:to_server,established; tls.version:1.1;  reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031490; rev:1; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2021_01_06;)
-
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TLSv1.0 Used in Session"; flow:to_server,established; tls.version:1.0;  reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031491; rev:1; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2021_01_06;)
-
 alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Silver Peak Unity Orchestrator Exploitation Inbound (CVE-2020-12146)"; flow:established,to_server; pcre:"/(localhost|127\.0\.0\.1)/W"; http.method; content:"POST"; http.uri; content:"/gms/rest/debugFiles/delete"; startswith; http.request_body; content:"../phantomGenImg.js"; fast_pattern; reference:cve,CVE-2020-12145; reference:url,github.com/sudohyak/suricata-rules/blob/main/CVE-2020-12146/CVE-2020-12146.rules; reference:cve,CVE-2020-12146; reference:cve,2020-12146; classtype:attempted-admin; sid:2031494; rev:1; metadata:attack_target Server, created_at 2021_01_07, cve CVE_2020_12146, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_01_07;)
 
 alert http any any -> [$HTTP_SERVERS,$HOME_NET] 8000 (msg:"ET EXPLOIT SaltStack Salt Exploitation Inbound (CVE-2020-16846)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/run"; startswith; http.request_body; content:"client=ssh"; fast_pattern; content:"ssh_priv="; content:"%20"; distance:0; reference:cve,CVE-2020-16846; reference:url,github.com/sudohyak/suricata-rules/blob/main/CVE-2020-16846/CVE-2020-16846.rules; reference:cve,2020-16846; classtype:web-application-attack; sid:2031495; rev:1; metadata:attack_target Server, created_at 2021_01_07, cve CVE_2020_16846, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_01_07;)
@@ -60602,7 +60114,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buer Loader Downl
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Buer Loader Successful Payload Download"; flow:established,to_client; flowbits:isset,ETPRO.wacatac.b.download; http.stat_code; content:"200"; http.content_type; content:"application/*"; fast_pattern; bsize:13; http.content_len; byte_test:0,>,500000,0,string,dec; byte_test:0,<,3000000,0,string,dec; reference:md5,a8819db1fa758fd9f1d501dbb50f454f; classtype:command-and-control; sid:2029079; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, malware_family BuerLoader, signature_severity Major, updated_at 2021_02_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Trend Micro Phishing Simulation Service"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>You have almost been phished"; nocase; content:"Trend Micro Phish Insight provides a phishing simulation service"; nocase; fast_pattern; classtype:social-engineering; sid:2031611; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_02_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Trend Micro Phishing Simulation Service"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>You have almost been phished"; nocase; content:"Trend Micro Phish Insight provides a phishing simulation service"; nocase; fast_pattern; classtype:social-engineering; sid:2031611; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2021_02_11;)
 
 alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Observed DNS Query to Malicious Cookie Monster Roulette JS Cookie Stealer Exfil Domain"; dns.query; content:".cdncontentdelivery.com"; nocase; endswith; classtype:trojan-activity; sid:2031612; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, former_category WEB_CLIENT, malware_family CookieMonster, performance_impact Low, signature_severity Major, updated_at 2021_02_11;)
 
@@ -60768,8 +60280,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Payload Re
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Payload Request (grab64.rar)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/grab64.rar"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,github.com/stamparm/maltrail/blob/master/trails/static/malware/ursnif.txt; reference:md5,c453d38c87a5df2fff509a4d9aba40e8; classtype:trojan-activity; sid:2031746; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_02, deployment Perimeter, former_category MALWARE, malware_family ursnif, signature_severity Major, updated_at 2021_03_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Interesting Content-Type Inbound (application/x-sh)"; flow:established,from_server; http.header; content:"Content-Type|3a 20|application/x-sh"; fast_pattern; reference:url,developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types; classtype:policy-violation; sid:2031747; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_03_02, deployment Perimeter, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_04_22;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Hidden embedded HTML Document"; flow:established,to_client; file.data; content:"<embed src=|27|data|3a|text/html|3b|base64|2c|PCFET0NUWVBFIGh0bWw+"; content:"|27 20|height|3d 27|0|27 20|frameborder|3d 27|0|27 3e 3c 2f|embed|3e|"; within:6000; reference:url,cujo.com/dns-hijacking-attacks-on-home-routers-in-brazil/; classtype:bad-unknown; sid:2031803; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_03, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_03;)
 
 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT COMTREND ADSL Router CT-5367 Remote DNS Change Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dnscfg.cgi?"; fast_pattern; nocase; content:"dnsPrimary="; content:"dnsRefresh="; nocase; reference:url,www.expku.com/remote/5853.html; classtype:attempted-admin; sid:2023467; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, signature_severity Major, updated_at 2021_03_03;)
@@ -60806,7 +60316,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocENG
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mimikatz x86 Mimidrv.sys Download Over HTTP"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"|a0 00 00 00 24 02 00 00 40 00 00 00|"; distance:0; content:"|b8 00 00 00 6c 02 00 00 40 00 00 00|"; within:16; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029336; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2021_03_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mimikatz x64 Mimidrv.sys Download Over HTTP"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"|88 01 00 00 3c 04 00 00 40 00 00 00|"; distance:0; content:"|e8 02 00 00 f8 02 00 00 40 00 00 00|"; within:16; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029337; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2021_03_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mimikatz x64 Mimidrv.sys Download Over HTTP"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"|88 01 00 00 3c 04 00 00 40 00 00 00|"; distance:0; content:"|e8 02 00 00 f8 02 00 00 40 00 00 00|"; within:16; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029337; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET !443 -> $HOME_NET any (msg:"ET PHISHING Possible Google Docs Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Google Docs</title>"; nocase; classtype:social-engineering; sid:2024386; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2021_03_08;)
 
@@ -61122,16 +60632,12 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Bea
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Terse Request for EXE from DigitalOcean Spaces"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.host; content:".digitaloceanspaces.com"; endswith; fast_pattern; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept"; classtype:bad-unknown; sid:2032359; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_01, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_04_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious HTTP Request to .bit domain"; flow:to_server,established; http.host; content:".bit"; fast_pattern; pcre:"/^(?:\x3a\d{1,5})?$/R"; reference:url,normanshark.com/blog/necurs-cc-domains-non-censorable/; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:bad-unknown; sid:2018009; rev:5; metadata:created_at 2014_01_24, former_category HUNTING, updated_at 2021_06_23;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Control Panel Applet File Download"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"CPlApplet"; fast_pattern; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/bb776392%28v=vs.85%29.aspx; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf; classtype:policy-violation; sid:2018087; rev:3; metadata:created_at 2014_02_07, updated_at 2021_04_02;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Nitro Stealer Exfil Activity (Response)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"is_bot|22 3a|"; content:"|2c 22|username|22 3a 22|nitronotification_bot|22|"; fast_pattern; reference:url,app.any.run/tasks/ab993f27-958c-4ab4-8da4-0bcd7fe35fcd/; reference:url,twitter.com/James_inthe_box/status/1378044484089376768; reference:md5,95b98ecb440a23daefc5c12d0edfa048; classtype:trojan-activity; sid:2032418; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_02;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Redirect M2"; flow:established,to_client; http.stat_code; content:"302"; http.location; content:"?key="; fast_pattern; content:"&id="; distance:16; within:4; content:"&gid="; pcre:"/key=[A-F0-9]{16}&id=\d+&gid=[A-F0-9\-]+$/"; file.data; content:"<body>"; content:"<a HREF=|22|http"; distance:0; content:"?key="; within:400; pcre:"/^[A-F0-9]{16}(?:&|&amp\x3b)id=\d+(?:&|&amp\x3b)gid=[A-F0-9\-]+\x22>/R"; content:!"<html>"; reference:url,twitter.com/nao_sec/status/1378546891349106692; classtype:exploit-kit; sid:2032480; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family PurpleFox, signature_severity Major, tag Exploit_Kit, updated_at 2021_04_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Suspicious GitHack TLS SNI Request - Possible PurpleFox EK"; flow:established,to_server; tls.sni; content:".githack."; content:!".githack.com"; endswith;  classtype:exploit-kit; sid:2032481; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family PurpleFox, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2021_04_05;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Killbot JS Configuration - Possible Phishing"; flow:established,to_client; file.data; content:"const killbot"; nocase; content:"apiKey|3a|"; nocase; content:"botRedirection|3a|"; nocase; content:"killbot-security.js"; nocase; fast_pattern; reference:url,killbot.org; classtype:misc-activity; sid:2032468; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category INFO, signature_severity Critical, tag Phishing, updated_at 2021_04_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert dns $HOME_NET any -> any any (msg:"ET EXPLOIT_KIT Suspicious GitHack DNS Request - Possible PurpleFox EK"; flow:established,to_server; dns.query; content:".githack."; content:!".githack.com"; endswith; classtype:exploit-kit; sid:2032482; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family PurpleFox, signature_severity Major, tag Exploit_Kit, updated_at 2021_04_05;)
@@ -61164,8 +60670,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MereTam.A R
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonotGroup Template Download"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/jack/"; startswith; fast_pattern; pcre:"/^[a-zA-Z0-9]{32}\.dot$/R"; http.user_agent; content:"Microsoft Office"; http.header_names; content:!"Referer"; reference:md5,82e3981303bee2eff6d1af17ad51eb32; reference:md5,8cc87eb3667aecc1bd41018f00aca559; reference:md5,d4b45f7a937139e05f386a8ad0aba04e; reference:md5,5fdcbb85733f9e8686d582b2f1459961; reference:url,twitter.com/ShadowChasing1/status/1379048935969316871; classtype:trojan-activity; sid:2032483; rev:1; metadata:created_at 2021_04_05, former_category MALWARE, malware_family DonotGroup, updated_at 2021_04_05;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number"; flow:established,to_server; http.protocol; content:"|28 29 20 7b|"; startswith; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019236; rev:6; metadata:created_at 2014_09_25, updated_at 2021_04_06;)
-
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011108; classtype:web-application-attack; sid:2011108; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2021_04_06;)
 
 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011109; classtype:web-application-attack; sid:2011109; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2021_04_06;)
@@ -61266,8 +60770,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M3 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"fname="; depth:6; nocase; content:"&lname="; nocase; distance:0; content:"&db1="; nocase; distance:0; content:"&db2="; nocase; distance:0; content:"&db3="; nocase; distance:0; content:"&adrs="; nocase; distance:0; content:"&country="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&phone="; nocase; distance:0; content:"&cc="; nocase; distance:0; content:"&exp1="; nocase; distance:0; content:"&exp2="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&vbv="; nocase; distance:0; content:"&sortcode="; nocase; distance:0; fast_pattern; content:"&ssn="; nocase; distance:0; classtype:credential-theft; sid:2032615; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Snugy DNS Backdoor Initial Beacon"; content:"|00 00 01 00 01|"; endswith; dns.query; bsize:>19; content:"646"; offset:2; depth:5; fast_pattern; pcre:"/^[qbedm]{1}[a-zA-Z]{1,3}646[a-zA-Z0-9]{1,3}+\./"; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-backdoors/; reference:md5,162959ebfd839229969d5e830c7d1dbc; classtype:command-and-control; sid:2031193; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_04_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
-
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (tapewormorchestra .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"tapewormorchestra.top"; bsize:21; fast_pattern; classtype:domain-c2; sid:2032742; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_12, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_04_12;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (belochkaneprihoditodna .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"belochkaneprihoditodna.top"; bsize:26; fast_pattern; classtype:domain-c2; sid:2032743; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_12;)
@@ -61316,16 +60818,12 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Rac
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RedLine - GetArguments Request"; flow:established,to_server; http.method; content:"POST"; http.header; content:"|0d 0a|SOAPAction|3a 20 22|http://tempuri.org/"; http.request_body; content:"|3c 73 3a|Body|3e 3c|GetArguments|20|xmlns=|22|http|3a 2f 2f|tempuri|2e|org|2f 22 2f|"; fast_pattern; reference:md5,9a3ac9f18c1222e7a77a47db01b1f597; classtype:command-and-control; sid:2034361; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_14, deployment Perimeter, former_category MALWARE, malware_family Redline, signature_severity Major, updated_at 2021_04_14;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Observed Phish Domain in DNS Query (daviviendapersonalingresos .live) 2021-04-15"; dns.query; content:"daviviendapersonalingresos.live"; nocase; bsize:31; reference:url,twitter.com/TeamDreier/status/1382230430108254209; classtype:credential-theft; sid:2032763; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_04_15;)
-
 alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT ScadaBR RCE with JSP Shell Inbound (CVE-2021-26828)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ScadaBR/view_edit.shtm"; fast_pattern; http.request_body; content:"|22|view.name|22|"; content:"|0d 0a 0d 0a|"; content:"|3c 25 40|"; distance:0; within:5; reference:url,github.com/hevox/CVE-2021-26828_ScadaBR_RCE/blob/main/LinScada_RCE.py; reference:cve,2021-26828; classtype:attempted-admin; sid:2032766; rev:1; metadata:attack_target Server, created_at 2021_04_15, cve CVE_2021_26828, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_15;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Observed BottleEK Domain in DNS Lookup 2021-04-15"; dns.query; content:"ctgame.tk"; nocase; bsize:9; reference:url,twitter.com/nao_sec/status/1381100024919035908; classtype:domain-c2; sid:2032764; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ArtraDownloader CnC Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?id="; content:"&&user="; fast_pattern; distance:0; content:"ZxxZ"; distance:0; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,59b043a913014a1f03258c695b9333af; classtype:trojan-activity; sid:2036652; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category MALWARE, performance_impact Low, updated_at 2021_04_15;)
 
 alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Advantech iView RCE Setup via Config Overwrite Inbound (CVE-2021-22652)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/iView3/NetworkServlet"; fast_pattern; http.request_body; content:"page_action"; startswith; content:"|22|EXPORTPATH|22 3a 20 22|webapps|5c 5c|iView3|5c 5c 22|"; reference:url,www.rapid7.com/blog/post/2021/02/11/cve-2021-22652-advantech-iview-missing-authentication-rce-fixed/; reference:cve,2021-22652; classtype:attempted-admin; sid:2032767; rev:1; metadata:attack_target Web_Server, created_at 2021_04_15, cve CVE_2021_22652, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_15;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Observed Phish Domain in DNS Query (daviviendapersonalingresos .xyz) 2021-04-15"; dns.query; content:"daviviendapersonalingresos.xyz"; nocase; bsize:30; reference:url,twitter.com/TeamDreier/status/1382230430108254209; classtype:credential-theft; sid:2032765; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_04_15;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?filename=corona"; endswith; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest|2e|5)"; bsize:57; http.header_names; content:!"Referer"; reference:md5,0821884168a644f3c27176a52763acc9; reference:url,twitter.com/ShadowChasing1/status/1382509560179531782; classtype:trojan-activity; sid:2032770; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_04_15;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Magecart/Skimmer - AngryBeaver Exfil Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"cgi-bin/index.php"; endswith; http.content_type; content:"application/x-www-form-urlencoded|3b|charset=utf-8"; bsize:47; http.request_body; content:"0="; startswith; content:"&1="; distance:0; content:"&2=enc02"; endswith; fast_pattern; reference:url,twitter.com/rootprivilege/status/1376899513592336391?s=20; reference:url,lukeleal.com/research/posts/magento2-angrybeaver-skimmer/; classtype:trojan-activity; sid:2032769; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag CardSkimmer, updated_at 2021_04_15;)
@@ -61346,6 +60844,8 @@ alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Remocs 3.x Une
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (attentionmagnet .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"attentionmagnet.top"; bsize:19; fast_pattern; classtype:domain-c2; sid:2032773; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_16, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, updated_at 2021_04_16;)
 
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Remcos 3.x TLS Connection"; flow:established,to_server; ja3.hash; content:"a85be79f7b569f1df5e6087b69deb493"; classtype:command-and-control; sid:2036594; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_19, deployment Perimeter, former_category JA3, malware_family Remcos, signature_severity Major, updated_at 2021_04_19;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk Downloader CnC Activity"; flow:established,to_server; http.request_line; content:"GET /"; startswith; content:"image.php?id="; fast_pattern; pcre:"/^[0-9A-F]{21,22}\x20HTTP\/1\.1$/R"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; reference:md5,1743533d63a8ba25142ffa3efc59b50b; classtype:command-and-control; sid:2032342; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_19;)
 
 #alert dns $HOME_NET any -> any any (msg:"ET HUNTING Malformed Domain Name in DNS Query (Domain Length Exceeds 253 Bytes)"; dns.query; bsize:>253; classtype:bad-unknown; sid:2032779; rev:1; metadata:created_at 2021_04_19, former_category HUNTING, updated_at 2021_04_19;)
@@ -61600,8 +61100,6 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DarkSide
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buer - DomainInfo User-Agent"; flow:established,to_server; http.user_agent; content:"|6e 71 71 66 34 3a 33 35 25 2d 46 75 75 71 6a 32 6e 55 6d 74 73 6a 3c 48 37 34 36 37 35 37 33 39 3b 3b 40 25 5a 40 25 48 55 5a 25 71 6e 70 6a 25 52 66 68 25 54 58 25 5d 40 25 6a 73 2e 25 46 75 75 71 6a 5c 6a 67 50 6e 79 34 39 37 35 30 25 2d 50 4d 59 52 51 31 25 71 6e 70 6a 25 4c 6a 68 70 74 2e 25 5b 6a 77 78 6e 74 73 34 38 33 35 25 52 74 67 6e 71 6a 34 36 46 3a 39 38 25 58 66 6b 66 77 6e 34 39 36 3e 33 38|"; reference:md5,0731679c5f99e8ee65d8b29a3cabfc6b; classtype:trojan-activity; sid:2032892; rev:1; metadata:created_at 2021_04_30, former_category MALWARE, malware_family Buer, updated_at 2021_04_30;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DNS Query to Buer - DomainInfo Domain"; flow:established,to_server; dns.query; content:"officewestunionbank.com"; bsize:23; reference:md5,0731679c5f99e8ee65d8b29a3cabfc6b; classtype:domain-c2; sid:2032893; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_30, deployment Perimeter, former_category MALWARE, malware_family Buer, signature_severity Major, updated_at 2021_04_30;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phish - Mirrored Website Comment Observed"; flow:established,to_client; file.data; content:"<!-- Mirrored from "; content:"by HTTrack Website Copier/"; distance:0; classtype:trojan-activity; sid:2018302; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_03_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/DarkNexus User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|checker/v"; fast_pattern; http.user_agent; content:"checker/v"; startswith; content:"/p"; distance:0; http.header_names; content:!"Referer"; reference:md5,81150784e5cef98bf6e56638da5fe5f3; classtype:trojan-activity; sid:2032895; rev:1; metadata:affected_product IoT, attack_target Client_Endpoint, created_at 2021_05_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_05_03;)
@@ -61772,8 +61270,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.buzz domain"; flow:established,to_server; http.host; content:".buzz"; fast_pattern; endswith; classtype:bad-unknown; sid:2032991; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Cobalt Strike Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.server; content:"ESF"; bsize:3; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,5b5a730628dc9eba2c12530d225c2f70; classtype:command-and-control; sid:2032974; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_05_20;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile (Teams) M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Collector/2.0/settings/"; startswith; fast_pattern; content:"events="; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.accept; content:"json"; bsize:4; http.referer; content:"https://teams.microsoft.com/_"; bsize:29; reference:url,www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/; classtype:command-and-control; sid:2032975; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile (Teams) M2"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Authentication|3a 20|skypetoken=eyJhbGciOi"; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.accept; content:"json"; bsize:4; http.referer; content:"https://teams.microsoft.com/_"; bsize:29; reference:url,www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/; classtype:command-and-control; sid:2032976; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
@@ -61782,22 +61278,12 @@ alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (WastedLoader CnC)"; flow:established,to_client; tls.cert_subject; content:"C=LC, L=Castries, O=Isesem Cooperative, OU=Tinarthar and tha6mate narobiaof and t5he, CN=Udngt5rlura.my"; bsize:103; fast_pattern; reference:url,www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf; classtype:domain-c2; sid:2032993; rev:1; metadata:attack_target Client_and_Server, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_05_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Google Webcrawler User-Agent (Mediapartners-Google)"; flow:established,to_server; http.user_agent; content:"Mediapartners-Google"; nocase;  classtype:not-suspicious; sid:2032978; rev:1; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_05_18, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DecryptmyFiles Ransomware CnC (POST)"; flow:established,to_server; http.method; content:"POST"; http.host; content:"decryptmyfiles.top"; bsize:18; fast_pattern; reference:md5,0e61e496fc218c1c6dc1f5640a3ac7e5; classtype:command-and-control; sid:2032994; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DecryptmyFiles Ransomware User-Agent (uniquesession)"; flow:established,to_server; http.user_agent; content:"uniquesession"; bsize:13; fast_pattern; reference:md5,0e61e496fc218c1c6dc1f5640a3ac7e5; classtype:trojan-activity; sid:2032995; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/RiskWare.YouXun.AD CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?sc="; content:!"&"; distance:0; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31"; bsize:101; fast_pattern; reference:md5,2292c6acb1e5f139900b9d1942b14b08; classtype:command-and-control; sid:2032977; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Yandex Webcrawler User-Agent (YandexBot)"; flow:established,to_server; http.user_agent; content:"YandexBot"; nocase;  classtype:not-suspicious; sid:2032979; rev:1; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_05_18, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN DuckDuckGo Webcrawler User-Agent (DuckDuckBot)"; flow:established,to_server; http.user_agent; content:"DuckDuckBot"; nocase;  classtype:not-suspicious; sid:2032980; rev:1; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_05_18, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Bing Webcrawler User-Agent (BingBot)"; flow:established,to_server; http.user_agent; content:"bingbot"; nocase;  classtype:not-suspicious; sid:2032981; rev:1; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_05_18, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Naver Webcrawler User-Agent (Naver.me)"; flow:established,to_server; http.user_agent; content:"naver.me"; nocase;  classtype:not-suspicious; sid:2032982; rev:1; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_05_18, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Ymacco.AA36 User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|deus vult|0d 0a|"; reference:md5,bde62aedd46fcbf7520a22e7375b6254; classtype:trojan-activity; sid:2032972; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_05_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Flubot / LIKEACHARM Stealer Exfil (POST) 2"; flow:established,to_server; http.method; content:"POST"; http.start; content:"/poll2.php HTTP/1.1|0d 0a|Content-Length|3a 20|"; fast_pattern; http.user_agent; content:"|28|Linux|3b 20|U|3b 20|Android|20|"; http.host; pcre:"/^[a-z]{15}\.(?:com|ru|cn|su)$/W"; classtype:trojan-activity; sid:2032971; rev:2; metadata:created_at 2021_05_18, former_category MOBILE_MALWARE, updated_at 2021_05_18;)
@@ -61828,6 +61314,8 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fl
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SystemBC CnC Checkin (null key) M1"; flow:established,to_server; dsize:100; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; startswith; content:"|89 40|"; distance:2; within:2; content:"|46 ad 57 90|"; fast_pattern; endswith; reference:md5,b8fb4ba9ef16fcaa442c2857bb045640; classtype:command-and-control; sid:2033004; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_20, deployment Perimeter, former_category MALWARE, malware_family SystemBC, performance_impact Moderate, signature_severity Major, updated_at 2021_05_20;)
 
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Cobalt Strike Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.server; content:"ESF"; bsize:3; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,5b5a730628dc9eba2c12530d225c2f70; classtype:command-and-control; sid:2032974; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_05_20;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jquery-"; startswith; content:".min.js"; endswith; http.header; content:"Accept|3a 20|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8|0d 0a|Accept-Language|3a 20|en-US,en|3b|q=0.5|0d 0a|Referer|3a 20|"; startswith; fast_pattern; http.accept_enc; content:"gzip, deflate"; bsize:13; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Referer|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; reference:md5,4547d3404ceb0436585e11f317eadb7c; classtype:command-and-control; sid:2033008; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response"; flow:established,to_client; file.data; content:"/*!|20|jQuery|20|v"; startswith; content:"if|28|e|5b|n|5d 3d 3d 3d|t|29|return n|3b|return|2d|1|7d 2c|P|3d 22|"; fast_pattern; distance:0; content:!"checked"; within:7; reference:md5,09773b90da8f3688faf54750b6a5ecf5; classtype:command-and-control; sid:2033009; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
@@ -62046,8 +61534,6 @@ alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET [!2038,!3478,!5000,!22466,!3101,!61
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed Filesharing Domain (privatlab .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"privatlab.com"; bsize:13; fast_pattern; classtype:policy-violation; sid:2033137; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_10, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_06_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY User-Agent (Launcher)"; flow: to_server,established; http.user_agent; content:"Launcher"; nocase; content:!"EpicGamesLauncher"; depth:17; content:!"7Launcher";  reference:url,doc.emergingthreats.net/2010645; classtype:policy-violation; sid:2010645; rev:11; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2021_06_10;)
-
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Lazarus Maldoc CnC Domain (shopweblive .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"shopweblive.com"; bsize:15; fast_pattern; reference:url,twitter.com/360CoreSec/status/1402920149754155010; reference:md5,4fb3bd661331b10fbd01e5f3e72f476c; reference:md5,b7dbb3bef80d04e4b8981ab4011f4bfe; classtype:domain-c2; sid:2033135; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_10, deployment Perimeter, malware_family Maldoc, performance_impact Low, signature_severity Major, updated_at 2021_06_10;)
 
 alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Atlassian Jira Unauth User Enumeration Attempt (CVE-2020-36289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/secure/QueryComponentRendererValue!Default.jspa?assignee=user|3a|admin"; fast_pattern; endswith; reference:url,jira.atlassian.com/browse/JRASERVER-71559; reference:cve,2020-36289; reference:url,twitter.com/ptswarm/status/1402644004781633540/photo/1; classtype:attempted-admin; sid:2033136; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_11, cve CVE_2020_36289, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_11;)
@@ -62116,14 +61602,326 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vidar Varia
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Downloading from Dropbox via API"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/2/files/download"; http.header; content:"Authorization|3a 20|Bearer|20|FLtUsbS3oqcAAAAAAAAAAZ_86BAKGkKPNHeBSV8ETDcqFjlDgagrviCEw0VV6Ecn|0d 0a|"; content:"/Energy/staging/debugps"; fast_pattern; http.host; content:"content.dropboxapi.com"; bsize:22; reference:url,twitter.com/ShadowChasing1/status/1407540607954743297; reference:md5,f123a68eea92b34d76f0ca0b677419bd; classtype:trojan-activity; sid:2033170; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Ask Webcrawler User-Agent"; flow:established,to_server; http.user_agent; content:"Ask Jeeves"; nocase;  classtype:not-suspicious; sid:2033164; rev:1; metadata:attack_target Web_Server, created_at 2021_06_23, deployment Perimeter, former_category POLICY, signature_severity Informational, tag WebCrawler, updated_at 2021_06_23, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Exabot Webcrawler User Agent"; flow:established,to_server; content:"Exabot"; nocase; http_user_agent; classtype:not-suspicious; sid:2033165; rev:2; metadata:attack_target Web_Server, created_at 2021_06_23, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_06_23, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN AOL Webcrawler User-Agent"; flow:established,to_server; content:"AOLBuild "; nocase; http_user_agent; classtype:not-suspicious; sid:2033166; rev:1; metadata:attack_target Web_Server, created_at 2021_06_23, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_06_23, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious POST to ROBOTS.TXT"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/robots.txt"; nocase; http_uri; pcre:"/^\s?\+x=[0-9]*\;\ +y=[0-9]/C"; reference:url,doc.emergingthreats.net/bin/view/Main/2002856; classtype:unknown; sid:2002856; rev:10; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious Microsoft Windows NT 6.1 User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| "; nocase; http_header; content:"|3b 20|Windows NT 6.1|3b 20|"; http_header; threshold:type limit, track by_src, seconds 60, count 1; reference:url,www.microsoft.com/windows/windows-7/default.aspx; reference:url,doc.emergingthreats.net/2010228; classtype:policy-violation; sid:2010228; rev:8; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User Agent Maxthon"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1|3b| Maxthon"; http_header; reference:url,doc.emergingthreats.net/2011118; classtype:trojan-activity; sid:2011118; rev:5; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (Internet Antivirus Pro)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| Internet Antivirus Pro|0d 0a|"; reference:url,doc.emergingthreats.net/2009440; classtype:trojan-activity; sid:2009440; rev:7; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (ClickAdsByIE)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| ClickAdsByIE"; reference:url,doc.emergingthreats.net/2009445; classtype:trojan-activity; sid:2009456; rev:6; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED GhostNet Trojan Reporting"; flow:established,to_server; content:"/microsoft/v2/update/upgrade.aspx?hostname="; http_uri; content:"&ostype="; http_uri; content:"&macaddr="; http_uri; content:"&ipaddr="; http_uri; content:"&owner="; http_uri; threshold: type limit, track by_src, count 1, seconds 300; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; reference:url,doc.emergingthreats.net/2009202; classtype:trojan-activity; sid:2009202; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2021_06_23;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (Zlob Related) (UA00000)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible"; http_header; content:"|3b| UA"; fast_pattern; http_header; pcre:"/User-Agent\:[^\n]+\; UA\d\d\d\d\d\;/H"; reference:url,doc.emergingthreats.net/2008083; classtype:trojan-activity; sid:2008083; rev:14; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Games.jar Download Suspicious Possible Exploit Attempt"; flow:established,to_server; content:"/Games.jar"; http_uri; classtype:policy-violation; sid:2011324; rev:5; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Notes1.pdf Download Suspicious Possible Exploit Attempt"; flow:established,to_server; content:"/Notes1.pdf"; http_uri; classtype:policy-violation; sid:2011325; rev:4; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING redirect to exploit kit (unoeuro server)"; flow:established,to_client; content:"=|5b 22 5c|x68|5c|x74|5c|x74|5c|x70|5c|x3A|5c|x2F|5c|x2F|5c|"; content:"|0d 0a|Serverxi|3a| Apache/Unoeuro (Unix) - Secured|0d 0a|"; classtype:exploit-kit; sid:2011479; rev:5; metadata:created_at 2010_09_29, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious HTTP GET to JPG with query string"; flow:established,to_server; content:"GET"; nocase; http_method; content:".jpg?"; nocase; http_uri; classtype:trojan-activity; sid:2011873; rev:5; metadata:created_at 2010_10_29, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED EXE Using Suspicious IAT NtUnmapViewOfSection Possible Malware Process Hollowing"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtUnmapViewOfSection"; nocase; fast_pattern:only; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012817; rev:5; metadata:created_at 2011_05_18, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Exploit Kit Delivering Executable to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:exploit-kit; sid:2013962; rev:15; metadata:created_at 2011_11_23, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Excessive JavaScript replace /g - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:"replace|28 2F|"; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; classtype:exploit-kit; sid:2014098; rev:5; metadata:created_at 2012_01_04, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Styx Exploit Kit Landing"; flow:established,to_server; urilen:7; content:"/i.html"; http_uri; depth:7; fast_pattern; content:"Referer|3a| "; http_header; content:!"|0d 0a|"; http_header; within:100; content:"|0d 0a|"; distance:0; http_header; classtype:exploit-kit; sid:2014171; rev:6; metadata:created_at 2012_01_31, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Incognito/Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; content:"<applet"; depth:500; content:"lxxt>33"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014176; rev:4; metadata:created_at 2012_02_01, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Incognito/Sakura exploit kit binary download request"; flow:established,to_server; content:"/load.php?showforum="; http_uri; pcre:"/^\/load.php\?showforum=(ato|obe|rhino|lib)$/U"; classtype:exploit-kit; sid:2014177; rev:6; metadata:created_at 2012_02_01, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED TDS Sutra Exploit Kit Redirect Received"; flow:established,from_server; content:"302"; http_stat_code; content:"=_"; http_header; content:"_|3b| domain="; http_header; distance:1; within:10; pcre:"/^[a-z]{5}\d=\x5f\d\x5f/C"; classtype:exploit-kit; sid:2014220; rev:8; metadata:created_at 2012_02_11, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Exploit Kit Delivering Compressed Flash Content to Client"; flow:established,to_client; flowbits:isset,et.exploitkitlanding; content:"|0d 0a 0d 0a|CWS"; classtype:exploit-kit; sid:2014527; rev:5; metadata:created_at 2012_04_06, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Probable Golfhole exploit kit landing page #2"; flow:established,to_server; content:"/index.php?"; http_uri; depth:11; urilen:43; pcre:"/index.php\?[0-9a-f]{32}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014844; rev:4; metadata:created_at 2012_06_01, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Probable Golfhole exploit kit binary download #2"; flow:established,to_server; content:"/o/"; http_uri; depth:3; urilen:47; pcre:"/o/\d{9}\/[0-9a-f]{32}\/[0-9]$/U"; classtype:exploit-kit; sid:2014845; rev:4; metadata:created_at 2012_06_01, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO exploit kit jar download"; flow:established,to_server; content:"GET"; http_method; content:"files.php?"; http_uri; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015006; rev:7; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO exploit kit version check"; flow:established,to_server; content:"GET"; http_method; content:"&u="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; content:"&java"; http_uri; fast_pattern:only; content:"&pdf="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015007; rev:10; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern:only; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015009; rev:4; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 3"; flow:established,to_server; urilen:7; content:"/login/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015558; rev:5; metadata:created_at 2012_08_02, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Sakura exploit kit binary download request /out.php"; flow:established,to_server; content:"/out.php?id="; http_uri; pcre:"/\/out.php\?id=\d$/U"; classtype:exploit-kit; sid:2015677; rev:6; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Java Exploit Kit with fast-flux like behavior hostile FQDN - Sep 05 2012"; flow:established,to_server; content:".justdied.com|0d 0a|"; http_header; classtype:exploit-kit; sid:2015681; rev:4; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 4"; flow:established,to_server; urilen:10; content:"/comments/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015696; rev:5; metadata:created_at 2012_09_11, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown base64-style Java-based Exploit Kit using github as initial director"; flow:established,to_server; content:"%3D HTTP/1."; fast_pattern:only; content:"/?"; http_uri; isdataat:45,relative; pcre:"/\/\?[a-z0-9]{5,}=[a-zA-Z0-9\x25]{40,}\x253D$/I"; classtype:exploit-kit; sid:2015699; rev:4; metadata:created_at 2012_09_12, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 6"; flow:established,to_server; urilen:6; content:"/news/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015705; rev:5; metadata:created_at 2012_09_18, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 5"; flow:established,to_server; urilen:6; content:"/view/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015706; rev:5; metadata:created_at 2012_09_18, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql Exploit Kit 09/25/12 Sending PDF"; flow:established,from_server; content:"application/pdf|0d 0a|"; fast_pattern:only; http_header; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}$/C"; file_data; content:"%PDF-"; within:5; classtype:exploit-kit; sid:2015725; rev:9; metadata:created_at 2012_09_21, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 7"; flow:established,to_server; urilen:7; content:"/feeds/"; http_uri; content:".dyndns"; http_header; classtype:exploit-kit; sid:2015731; rev:4; metadata:created_at 2012_09_22, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Font File Download (32-bit Host) Dec 11 2012"; flow:to_server,established; content:"/32s_font.eot"; http_uri; classtype:exploit-kit; sid:2015815; rev:5; metadata:created_at 2012_10_18, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Font File Download (64-bit Host) Dec 11 2012"; flow:to_server,established; content:"/64s_font.eot"; http_uri; classtype:exploit-kit; sid:2015816; rev:5; metadata:created_at 2012_10_18, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Font File Download Dec 18 2012"; flow:to_server,established; content:".eot"; http_uri; nocase; fast_pattern:only; pcre:"/\/(?:(?:article|contact|new)s|read|(?:fo|tu)r)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.eot|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.EOT)$/U"; classtype:exploit-kit; sid:2016057; rev:9; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - New PDF Exploit - Dec 18 2012"; flow:established,to_server; content:"1.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})1\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}1\.PDF)$/U"; classtype:exploit-kit; sid:2016058; rev:12; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - Old PDF Exploit - Dec 18 2012"; flow:established,to_server; content:"2.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})2\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}2\.PDF)$/U"; classtype:exploit-kit; sid:2016059; rev:15; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - Jar - Jun 05 2013"; flow:to_server,established; content:".jar"; nocase; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; pcre:"/Host\x3a[^\r\n]+?\.(pw|us)(\x3a\d{1,5})?\r$/Hmi"; pcre:"/^(\/[a-z]{3,20})?\/([a-z]{3,20}[-_])+[a-z]{3,20}\.jar$/U"; classtype:exploit-kit; sid:2016060; rev:20; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CoolEK - Landing Page (2)"; flow:established,to_client; file_data; content:"</title>|0D 0A|<link href=|22|favicon.ico|22| rel=|22|shortcut icon|22| type=|22|image/x-icon|22| />"; classtype:exploit-kit; sid:2016066; rev:4; metadata:created_at 2012_12_20, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - New PDF Exploit - Jan 24 2013"; flow:established,to_server; content:"3.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})3\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}3\.PDF)$/U"; classtype:exploit-kit; sid:2016278; rev:7; metadata:created_at 2013_01_25, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (3)"; flow:established,to_server; content:"/pics/foto.png"; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; nocase; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/foto\.png$/U"; classtype:exploit-kit; sid:2016280; rev:8; metadata:created_at 2013_01_25, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Exploit Kit Java png download"; flow:established,to_server; content:".png"; http_uri; pcre:"/\.png$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016402; rev:5; metadata:created_at 2013_02_12, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (1) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/kid.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016554; rev:8; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (2) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/dab.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016555; rev:8; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (4) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/kir.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016557; rev:7; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Styx Exploit Kit - HTML"; flow:to_server,established; urilen:>300; content:".htm"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.html?$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:exploit-kit; sid:2017841; rev:5; metadata:created_at 2013_12_12, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible IE/SilverLight GoonEK Payload Download"; flow:to_server,established; content:".mp3?rnd="; fast_pattern:only; http_uri; pcre:"/\/\d+\.mp3\x3frnd\x3d\d+$/U"; classtype:exploit-kit; sid:2017998; rev:9; metadata:created_at 2014_01_22, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT Checking for Debugger"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"DebuggerPresent"; nocase; distance:0; pcre:"/(Is|CheckRemote)DebuggerPresent/i"; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012763; rev:10; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NtQueryInformationProcess Possibly Checking for Debugger"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"NtQueryInformationProcess"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012764; rev:6; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT GetStartupInfo"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"GetStartupInfo"; distance:0; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012765; rev:8; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT GetComputerName"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"GetComputerName"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012766; rev:6; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT ZwSetSystemInformation - Undocumented API Which Can be Used for Rootkit Functionality"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"ZwSetSystemInformation"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012769; rev:3; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT ZwWriteVirtualMemory - Undocumented API Which Can be Used for CnC Functionality"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"ZwSystemDebugControl"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:command-and-control; sid:2012770; rev:3; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT SetSfcFileException - Undocumented API Which Can be Used for Disabling Windows File Protections"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"SetSfcFileException"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012771; rev:3; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NtQueueApcThread - Undocumented API Which Can be Used for Thread Injection/Downloading"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtQueueApcThread"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012772; rev:3; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NtResumeThread - Undocumented API Which Can be Used to Resume Thread Injection"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtQueueApcThread"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012773; rev:3; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NoExecuteAddFileOptOutList - Undocumented API to Add Executable to DEP Exception List"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NoExecuteAddFileOptOutList"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012774; rev:3; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT ModifyExecuteProtectionSupport - Undocumented API to Modify DEP"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"ModifyExecuteProtectionSupport"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012775; rev:3; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT LdrLoadDll - Undocumented Low Level API to Load DLL"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"LdrLoadDll"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012776; rev:3; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NamedPipe - May Indicate Reverse Shell/Backdoor Functionality"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NamedPipe"; nocase; fast_pattern:only; pcre:"/(Create|Connect|Peek)NamedPipe/i"; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012778; rev:4; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT FTP File Interaction"; flow:established,to_client; content:"ftp"; nocase; content:"file"; nocase; within:8; pcre:"/ftp(open|get)file/i"; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012779; rev:5; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 2"; flow:established,to_server; urilen:5; content:"/mix/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015549; rev:6; metadata:created_at 2012_07_31, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CoolEK - Landing Page - Title"; flow:established,to_client; file_data; content:"<title>Hello my friend...</title>"; classtype:exploit-kit; sid:2015891; rev:5; metadata:created_at 2012_11_16, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - PDF Exploit - pdf_new.php"; flow:established,to_server; content:"/pdf_new.php"; fast_pattern:only; http_uri; classtype:exploit-kit; sid:2015892; rev:5; metadata:created_at 2012_11_16, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - PDF Exploit - pdf_old.php"; flow:established,to_server; content:"/pdf_old.php"; fast_pattern:only; http_uri; classtype:exploit-kit; sid:2015893; rev:6; metadata:created_at 2012_11_16, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Landing Pattern (1)"; flow:to_server,established; content:"/r/l/"; depth:5; http_uri; content:".php"; http_uri; pcre:"/^\/r\/l\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:exploit-kit; sid:2015915; rev:5; metadata:created_at 2012_11_21, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Landing Pattern (2)"; flow:to_server,established; content:"/t/l/"; depth:5; http_uri; content:".php"; http_uri; pcre:"/^\/t\/l\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:exploit-kit; sid:2015916; rev:5; metadata:created_at 2012_11_21, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Popads Exploit Kit font request 32hex digit .eot"; flow:established,to_server; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\.eot$/Ui"; classtype:exploit-kit; sid:2016064; rev:6; metadata:created_at 2012_12_20, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download"; flow:established,to_server; content:"/pics/new.png"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/new\.png$/U"; classtype:exploit-kit; sid:2016221; rev:6; metadata:created_at 2013_01_16, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Exploit Kit Java gif download"; flow:established,to_server; content:".gif"; http_uri; pcre:"/\.gif$/U"; content:"Java/1."; http_user_agent; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016320; rev:7; metadata:created_at 2013_01_31, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CoolEK landing applet plus class Feb 12 2013"; flow:established,to_client; file_data; content:"<applet"; content:"SunJCE"; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016406; rev:4; metadata:created_at 2013_02_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (4)"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/\/(?:w(?:hite|orld)|step)\/\d+$/U"; classtype:exploit-kit; sid:2016408; rev:15; metadata:created_at 2013_02_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Exploit Kit Java .psd download"; flow:established,to_server; content:".psd"; http_uri; pcre:"/\.psd$/U"; content:"Java/1."; http_user_agent; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016495; rev:9; metadata:created_at 2013_02_25, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Exploit Kit Java jpeg download"; flow:established,to_server; content:".jpeg"; http_uri; pcre:"/\.jpeg$/U"; content:" Java/1."; http_header; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016506; rev:7; metadata:created_at 2013_02_26, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (6)"; flow:established,to_server; content:"/mypic.dll"; http_uri; nocase; fast_pattern:only; pcre:"/\/(w(?:hite|orld)|step)\/mypic\.dll$/U"; classtype:exploit-kit; sid:2016547; rev:11; metadata:created_at 2013_03_07, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (8)"; flow:established,to_server; content:"/getqq.jpg"; http_uri; nocase; fast_pattern:only; pcre:"/getqq\.jpg$/U"; classtype:exploit-kit; sid:2016782; rev:16; metadata:created_at 2013_04_23, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CoolEK Landing Aug 29 2013"; flow:established,from_server; file_data; content:".txt?e"; nocase; fast_pattern:only; content:"value"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])((?!(?P=q)).)+?\.txt\?e=\d+(&[fh]=\d+)?(?P=q)/Ri"; classtype:exploit-kit; sid:2017396; rev:7; metadata:created_at 2013_08_29, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PHISH Generic Webmail - Landing Page Sept 11"; flow:established,to_client; file_data; content:"<title>Webmail Login"; fast_pattern; content:"For Webmail to function properly"; distance:0; content:"you must enable JavaScript"; distance:0; content:"You have logged out"; distance:0; content:"Please select a locale"; distance:0; content:"Email Address"; distance:0; classtype:social-engineering; sid:2021760; rev:4; metadata:created_at 2015_09_11, former_category PHISHING, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby Download Secondary Request"; flow:established,to_server; content:".php?t"; http_uri; pcre:"/\.php\?t[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2012401; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Obfuscated Javascript Often Used in the Blackhole Exploit Kit 3"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|<html><body>"; within:500; content:"<script>|0d 0a 09 09 09|"; fast_pattern; within:500; pcre:"/([a-z$+-]{0,4}[0-9.*]+[a-z$+-]{0,4},){24}/R"; classtype:exploit-kit; sid:2013313; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_26, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Request tkr"; flow:established,to_server; content:".php?"; http_uri; content:"src="; http_uri; distance:0; content:"&gpr="; http_uri; distance:0; content:"&tkr="; http_uri; distance:0; pcre:"/[\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9]+/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013363; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Reporting Successful Java Compromise"; flow:established,to_server; content:".php?spl="; http_uri; pcre:"/\.php\?spl=[A-Z]{3}/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013652; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?b Download Secondary Request"; flow:established,to_server; content:".php?b"; http_uri; pcre:"/\.php\?b[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013664; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?n Download Secondary Request"; flow:established,to_server; content:".php?n"; http_uri; pcre:"/\.php\?n[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013665; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?page Download Secondary Request"; flow:established,to_server; content:".php?page"; http_uri; pcre:"/^[^?#]+?\.php\?page[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013666; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?v Download Secondary Request"; flow:established,to_server; content:".php?v"; http_uri; pcre:"/\.php\?v[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013667; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?doit Download Secondary Request"; flow:established,to_server; content:".php?doit"; http_uri; pcre:"/\.php\?doit[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013788; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_10_20, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Delivering PDF Exploit to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; content:"|0d 0a 0d 0a|%PDF-"; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:exploit-kit; sid:2013960; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Delivering Java Exploit to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; content:"<applet"; nocase; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:exploit-kit; sid:2013961; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit hostile PDF qwe123"; flow:established,from_server; file_data; content:"/Kids [1 0 R]/"; content:"|0d 0a 09 09|<field qwe=|22|213123|22| name=|22|qwe123|22|"; distance:0; content:"application/x-javascript"; distance:0; classtype:exploit-kit; sid:2013990; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Java Rhino Script Engine Remote Code Execution Attempt"; flow:established,to_client; content:"document.createElement('applet'"; nocase; content:"setAttribute('code"; nocase; distance:0; content:"setAttribute('archive"; nocase; distance:0; content:".jar"; nocase; distance:0; content:"document.createElement('param"; nocase; distance:0; content:"setAttribute('name"; nocase; distance:0; content:"setAttribute('value"; nocase; distance:0; reference:url,blog.eset.com/2011/12/15/spam-campaign-uses-blackhole-exploit-kit-to-install-spyeye; reference:bid,50218; reference:cve,2011-3544; classtype:exploit-kit; sid:2014048; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_30, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?id Download Secondary Request"; flow:established,to_server; content:".php?id"; http_uri; pcre:"/^[^?#]+?\.php\?id[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014189; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit JavaScript colon string splitting"; flow:established,from_server; content:"<html><body><pre style=|22|visibility|3a|hidden|3b 22|"; pcre:"/(-?\d+\x3a-?\d+\x3a){100}/"; classtype:exploit-kit; sid:2014194; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit JAR from //Home/"; flow:established,to_server; content:"GET //Home/"; depth:11; fast_pattern; content:".jar"; http_uri; nocase; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:exploit-kit; sid:2014457; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Request for Blackhole Exploit Kit Landing Page - src.php?case="; flow:established,to_server; content:"/src.php?case="; http_uri; pcre:"/\x2Fsrc\x2Ephp\x3Fcase\x3D[a-f0-9]{16}$/U"; classtype:exploit-kit; sid:2014725; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_09, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Request tkr"; flow:established,to_server; content:".php?"; http_uri; content:"src="; http_uri; distance:0; content:"&gpr="; http_uri; distance:0; content:"&tkr="; http_uri; fast_pattern; distance:0; pcre:"/[\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9]/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014843; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Try Renamed Prototype Catch - June 28th 2012"; flow:established,to_client; file_data; content:"try {"; content:"=prototype|2d|"; within:80; content:"} catch"; within:80; reference:url,research.zscaler.com/2012/06/cleartripcom-infected-with-blackhole.html; classtype:exploit-kit; sid:2014981; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_28, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Applet Code Rafa.Rafa 6th July 2012"; flow:established,to_client; content:"<applet/code=|22|Rafa.Rafa|22|"; classtype:exploit-kit; sid:2015043; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Obfuscated Applet Value 6th July 2012"; flow:established,to_client; content:"<applet"; content:"value=|22|&#"; isdataat:50,relative; distance:0; content:"|3B|&#"; distance:4; within:3; content:"|3B|&#"; distance:4; within:3; content:"|3B|&#"; distance:4; within:3; pcre:"/value\x3D\x22\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23/"; classtype:exploit-kit; sid:2015044; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit Java Exploit request to /Set1.jar 6th July 2012"; flow:established,to_server; content:"/Set1.jar"; http_uri; classtype:exploit-kit; sid:2015046; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Redirect.php Port 8080 Request"; flow:established,to_server; content:"/redirect.php?d="; fast_pattern:only; http_uri; content:"|3A|8080|0D 0A|"; http_header; pcre:"/\x2Fredirect\x2Ephp\x3Fd\x3D[0-9a-f]{8}$/U"; classtype:exploit-kit; sid:2015047; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; content:"<html><body><script>"; content:"Math.floor"; fast_pattern; distance:0; content:"try{"; distance:0; content:"prototype"; within:20; content:"}catch("; within:20; classtype:exploit-kit; sid:2015056; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_12, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; file_data; content:"|3c|script>try{"; fast_pattern; content:"Math."; within:15; content:"}catch("; within:20; content:"eval"; within:17; classtype:exploit-kit; sid:2015579; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing - Aug 21 2012"; flow:established,from_server; content:"|3c|html>|3c|body>|3c|applet "; fast_pattern; content:"code="; within:100; content:">|3c|param"; distance:0; content:">|3c|script>"; distance:0; content:".split("; within:100; content:").join("; within:100; classtype:exploit-kit; sid:2015648; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_21, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Exploit Kit suspected Blackhole"; flow:established,to_server; content:".js?"; http_uri; fast_pattern; urilen:33<>34; pcre:"/\/\d+\.js\?\d+&[a-f0-9]{16}$/U"; classtype:exploit-kit; sid:2015670; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole - TDS Redirection To Exploit Kit - Loading"; flow:established,to_client; file_data; content:"<title>Loading...!</title>"; classtype:exploit-kit; sid:2016024; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - TDS Redirection To Exploit Kit - /head/head1.html"; flow:established,to_server; content:"/head/head1.html"; http_uri; classtype:exploit-kit; sid:2016025; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit PluginDetect FromCharCode Jan 04 2013"; flowbits:set,et.exploitkitlanding; flow:established,to_client; file_data; content:"80,108,117,103,105,110,68,101,116,101,99,116"; nocase; classtype:exploit-kit; sid:2016166; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit encoded PluginDetect Jan 15 2013"; flow:established,to_client; file_data; content:"80|3A|!08|3A|!!7|3A|!03|3A|!05|3A|!!0|3A|68|3A|!0!|3A|!!6|3A|!0!|3A|99|3A|!!6"; classtype:exploit-kit; sid:2016213; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_16, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch Body Specific -  4/3/2013"; flow:established,to_client; file_data; content:"}try{doc[|22|body|22|]^=2}catch("; distance:0; classtype:exploit-kit; sid:2016524; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch Body Style 2 Specific -  4/3/2013"; flow:established,to_client; file_data; content:"try{document.body^=2}catch("; distance:0; classtype:exploit-kit; sid:2016525; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch False Specific -  4/3/2013"; flow:established,to_client; file_data; content:"}try{}catch("; distance:0; content:"=false|3B|}"; within:30; classtype:exploit-kit; sid:2016526; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Shrift.php Microsoft OpenType Font Exploit Request"; flow:established,to_server; content:"/ngen/shrift.php"; http_uri; reference:cve,2011-3402; classtype:exploit-kit; sid:2017340; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Microsoft OpenType Font Exploit"; flow:established,to_client; content:"Content-Description|3A| File Transfer"; http_header; content:"Content-Disposition|3A| attachment|3B| filename=font.eot"; http_header; fast_pattern:33,17; reference:cve,2011-3402; classtype:exploit-kit; sid:2017341; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent|3a| downloader|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; classtype:trojan-activity; sid:2003546; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent Detected (DigitAl56K/6.3)"; flow:established,to_server; content:"User-Agent|3a| DigitAl56K/"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008659; classtype:trojan-activity; sid:2008659; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY phoenix exploit kit landing page"; flow:established,to_client; content:"dev.s.AdgredY"; content:"tmp/des.jar"; content:".php?deserialize"; classtype:exploit-kit; sid:2011369; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible AnglerEK Java Exploit/Payload Structure Jan 16 2014"; flow:established,to_server; urilen:49; content:" Java/1."; http_header; pcre:"/^\/[a-z0-9_\-]{48}$/Ui"; classtype:exploit-kit; sid:2017976; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Successful Phishing Attempt Jan 20 2015"; flow:established,to_server; content:"POST"; http_method; urilen:20; content:"/js/moontools-1.7.js"; http_uri; fast_pattern:only; content:"username="; depth:9; http_client_body; content:"&password="; distance:0; http_client_body; classtype:credential-theft; sid:2020224; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Exploit Kit Payload Request"; flow:established,to_server; content:"/download.php?e="; http_uri; fast_pattern:only; pcre:"/\.php\?e=[^&]+?$/U"; classtype:exploit-kit; sid:2016522; rev:4; metadata:created_at 2013_03_05, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit Exploit Kit Java exploit drive-by host likely infected (kav)"; flow:established,to_server; content:"/kav"; http_uri; nocase; content:"|0d 0a|accept-encoding|3a| pack200-gzip,gzip|0d 0a|"; nocase; content:"|0d 0a|content-type|3a| application/x-java-archive|0d 0a|"; nocase; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| Mozilla"; nocase; content:" Java/"; nocase; within:50; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage%3btopic=3781.0; reference:url,doc.emergingthreats.net/2010870; classtype:exploit-kit; sid:2010870; rev:8; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent (ld)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"ld"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008342; classtype:trojan-activity; sid:2008342; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent (DownloadNetFile)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"DownloadNetFile"; depth:15; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008344; classtype:trojan-activity; sid:2008344; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent Detected (Windows+NT)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Windows+NT"; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2008600; classtype:trojan-activity; sid:2008600; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User Agent WebUpdate"; flow:established,to_server; http.user_agent; content:"WebUpdate"; bsize:9; reference:url,doc.emergingthreats.net/2010600; classtype:trojan-activity; sid:2010600; rev:6; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> any any (msg:"ET DELETED Suspicious User-Agent (asp2009)"; flow: established, to_server; http.user_agent; content:"asp2009"; depth:7; endswith; reference:md5,6cad864a439da7bbd6f1cec941cca72b; reference:url,doc.emergingthreats.net/2010136; classtype:trojan-activity; sid:2010136; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Phoenix Exploit Kit malware payload download"; flow:established,to_server; http.uri; content:".php?deserialize="; reference:url,doc.emergingthreats.net/2011183; classtype:exploit-kit; sid:2011183; rev:7; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Phoenix Exploit Kit - PROPFIND AVI"; flow:established,to_server; http.method; content:"PROPFIND"; http.uri; content:".avi"; classtype:exploit-kit; sid:2011513; rev:7; metadata:created_at 2010_09_27, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Phoenix Exploit Kit - tmp/flash.swf"; flow:established,to_server; http.uri; content:"tmp/flash.swf"; classtype:exploit-kit; sid:2011514; rev:6; metadata:created_at 2010_09_27, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Phoenix Exploit Kit - collab.pdf"; flow:established,to_server; http.uri; content:"collab.pdf"; classtype:exploit-kit; sid:2011515; rev:7; metadata:created_at 2010_09_27, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
 #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NewGames.jar Download Suspicious Possible Exploit Attempt"; flow:established,to_server; content:"/NewGames.jar"; http_uri;  classtype:policy-violation; sid:2011326; rev:5; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2021_06_23;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SEO Exploit Kit - client exploited by SMB"; flow:established,to_server; http.uri; content:".php?exp=SMB"; classtype:exploit-kit; sid:2011814; rev:6; metadata:created_at 2010_10_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SEO Exploit Kit - client exploited by Acrobat"; flow:established,to_server; http.uri; content:".php?exp=PDF"; classtype:exploit-kit; sid:2011815; rev:5; metadata:created_at 2010_10_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED exploit kit x/index.php?s=dexc"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"x/index.php?s=dexc"; nocase; classtype:exploit-kit; sid:2011905; rev:5; metadata:created_at 2010_11_09, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED exploit kit x/l.php?s=dexc"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"x/l.php?s=dexc"; nocase; classtype:exploit-kit; sid:2011907; rev:5; metadata:created_at 2010_11_09, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED exploit kit x/exe.php?x=mdac"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"exe.php?x=mdac"; nocase; classtype:exploit-kit; sid:2011908; rev:5; metadata:created_at 2010_11_09, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Suspicious *.cu.cc domain"; flow:to_server,established; http.header; content:".cu.cc|0d 0a|"; fast_pattern; classtype:bad-unknown; sid:2013242; rev:5; metadata:created_at 2011_07_09, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Java Exploit Kit cc exploit progress status cookie"; flow:established,to_server; http.header.raw; content:"|0d 0a|Cookie|3a|"; content:"%3D|3b 20|cc2="; distance:0; content:"%3D|3b 20|cc3="; content:"%3D|3b 20|cc4="; content:"|20|Java/"; classtype:exploit-kit; sid:2013695; rev:6; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 1"; flow:established,to_server; http.uri; content:"/Google_setup.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013895; rev:6; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 2"; flow:established,to_server; http.uri; content:"google_setup.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013896; rev:6; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 3"; flow:established,to_server; http.uri; content:"/FaceBook_Complemento.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013897; rev:5; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 4"; flow:established,to_server; http.uri; content:"/YouTube_Setup.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013898; rev:5; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 5"; flow:established,to_server; http.uri; content:"/google2.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013899; rev:5; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Scalaxy exploit kit binary download request"; flow:established,to_server; urilen:37; http.uri; content:"/"; offset:2; depth:3; content:"/"; within:3; pcre:"/\/[a-z]\/[0-9]\/[0-9a-f]{32}$/"; classtype:exploit-kit; sid:2014026; rev:3; metadata:created_at 2011_12_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit JavaScript dotted quad hostile applet"; flow:established,from_server; content:"<html><body><applet"; fast_pattern; content:"archive="; distance:0; content:"code="; pcre:"/archive=[^\x3e]+?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:exploit-kit; sid:2014415; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".dyndns"; http_header; nocase; fast_pattern; classtype:exploit-kit; sid:2015548; rev:9; metadata:created_at 2012_07_31, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (2)"; flow:established,to_server; content:"/pics/image.gif"; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; nocase; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/image\.gif$/U"; classtype:exploit-kit; sid:2016279; rev:8; metadata:created_at 2013_01_25, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - PDF Exploit - Feb 12 2013"; flow:established,to_server; http.uri; content:".pdf"; nocase; fast_pattern; pcre:"/\/w(?:hite|orld|step)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.PDF)$/"; classtype:exploit-kit; sid:2016405; rev:10; metadata:created_at 2013_02_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (3) Mar 07 2013"; flow:established,to_server; urilen:10; http.uri; content:"/jot.class"; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2016556; rev:8; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (7)"; flow:established,to_server; http.uri; content:"/get"; fast_pattern; content:".jpg"; pcre:"/\/(?:w(?:hite|orld)|step)\/get(?:a+|n+)\.jpg/"; classtype:exploit-kit; sid:2016559; rev:18; metadata:created_at 2013_03_09, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious lgfxsrvc.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lgfxsrvc.exe"; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2017678; rev:5; metadata:created_at 2013_11_06, former_category HUNTING, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Visa Phishing Landing Jan 30 2014"; flow:established,to_server; content:"/Verified by Visa"; http_uri; nocase; http_referer; content:!"http|3a 2f 2f|www.crdbbank.com"; nocase; isdataat:!1,relative; classtype:social-engineering; sid:2018045; rev:7; metadata:created_at 2014_01_30, former_category PHISHING, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Bank of America Phish 2015-08-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"onlineid="; depth:9; fast_pattern; content:"&passcode="; distance:0; content:"&fullname="; distance:0; content:"&address="; distance:0; content:"&password="; distance:0; classtype:credential-theft; sid:2031761; rev:4; metadata:created_at 2015_08_19, former_category PHISHING, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic Phishing Landing Uri 2015-11-25"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?usernms="; fast_pattern; pcre:"/\.php\?usernms=[^@]+@[^\r\n]+$/i"; classtype:social-engineering; sid:2022185; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Successful Generic Phish (set) 2016-01-14"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; nocase; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031862; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Generic PDF Online Phish (set) 2016-10-11"; flow:to_server,established; flowbits:set,ET.GenericPDFOnline.Phish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&pass"; nocase; distance:0; content:"&submit="; nocase; distance:0; endswith; classtype:credential-theft; sid:2032631; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_21, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2021_06_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious HTTP Request to .bit domain"; flow:to_server,established; http.host; content:".bit"; fast_pattern; pcre:"/^(?:\x3a\d{1,5})?$/R"; reference:url,normanshark.com/blog/necurs-cc-domains-non-censorable/; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:bad-unknown; sid:2018009; rev:6; metadata:created_at 2014_01_24, former_category HUNTING, updated_at 2021_06_23;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReverseRAT Activity (POST) M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/h_ttp"; fast_pattern; bsize:6; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,532acbadb8151944650aaecc0a397965; reference:url,blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/; classtype:trojan-activity; sid:2033171; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family ReverseRAT, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
 
 alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AllaKore CnC Activity"; flow:established,to_server; content:"|3c 7c|"; startswith; content:"SOCKET|7c 3e|"; distance:0; fast_pattern; content:"|3c 7c|END|7c 3e|"; endswith; reference:url,blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/; reference:md5,8f8bad9fb9a1f333bd3380e2698b4236; classtype:command-and-control; sid:2033173; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family AllaKore, signature_severity Major, tag RAT, updated_at 2021_06_24;)
@@ -62206,10 +62004,6 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MageCart
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.2ip.ua"; bsize:10; fast_pattern; classtype:bad-unknown; sid:2033214; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2021_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing Landing Page 2021-06-29"; flow:established, from_server; file.data; content:"<title>HOME|20 2d 20|BEZPIECZE|26|amp|3b 23|x143|3b|STWA ADMIN JEDNOSTKA</title>"; fast_pattern; content:"method|3d 22|post|22|";  distance:0; content:"encType|3d 22|multipart/form-data|22|"; distance:0; content:"id|3d 22|rJ6e8Wwhpou|22|"; distance:0; content:"novalidate|3d 22 22|"; classtype:credential-theft; sid:2033216; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_07_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing Landing Page 2021-06-29"; flow:established, from_server; file.data; content:"<title>HOME|20 2d 20|BEZPIECZE|26|amp|3b 23|x143|3b|STWA ADMIN JEDNOSTKA</title>"; fast_pattern; content:"method|3d 22|post|22|";  distance:0; content:"encType|3d 22|multipart/form-data|22|"; distance:0; content:"id|3d 22|rJ6e8Wwhpou|22|"; distance:0; content:"novalidate|3d 22 22|"; classtype:credential-theft; sid:2033217; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_07_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing Landing Page 2021-06-25"; flow:established,from_server; file.data; content:"<title>Sign In</title>"; content:"role|3d 22|form|22|"; distance:0; content:"action|3d 22|squ.php|22|"; distance:0; content:"method|3d 22|post|22 3e|"; reference:url,app.any.run/tasks/a0625793-31c1-4538-a5c6-e213eb4b8128/; classtype:credential-theft; sid:2033215; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_07_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IndigoZebra APT xCaon/Textpadx Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/kw.asp"; endswith; fast_pattern; http.request_body; content:"d="; startswith; content:"&k="; distance:0; content:"&w="; distance:0; http.header_names; content:!"Referer"; reference:md5,3562bf97997c54d74f58d4c1ad84fcea; reference:url,research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/; classtype:command-and-control; sid:2033219; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_02;)
@@ -62510,8 +62304,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/NitroSteale
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CHIYU IoT Devices - Denial of Service"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/if.cgi?redirect=AccLog.htm"; startswith; content:"&type=go_log_page&page=2781000"; endswith; fast_pattern; http.referer; content:"/AccLog.htm"; endswith; reference:cve,2021-31642; reference:url,www.exploit-db.com/exploits/49937; classtype:denial-of-service; sid:2033362; rev:2; metadata:affected_product IoT, attack_target Client_Endpoint, created_at 2021_07_19, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible MalDoc Retrieving Payload 2021-07-19"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dat"; endswith; pcre:"/\/(?:[0-9]{2,8}\.)?[0-9]{4,16}\.dat$/s";  http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0C|3b 20|.NET4.0E)"; bsize:178; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034452; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_19;)
-
 alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncUploadPrinterDriverPackage"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|3f 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033261; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_20;)
 
 alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncInstallPrinterDriverFromPackage"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|3e 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033260; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_20;)
@@ -62668,6 +62460,8 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (tomond .ru)"; dns.query; content:"tomond.ru"; nocase; bsize:9; reference:url,twitter.com/IntezerLabs/status/1419625563942227970; classtype:domain-c2; sid:2033438; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
 
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hash - Suspected Meterpreter Reverse Shell (ja3s) M1"; flow:established,from_server; ja3s.hash; content:"e35df3e00ca4ef31d42b34bebaa2f86e"; flowbits:isset,ET.meterpreter.ja3; classtype:command-and-control; sid:2028829; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Meterpreter, signature_severity Major, updated_at 2021_07_26;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ClipBanker Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/report7.4.php"; bsize:14; fast_pattern; http.request_body; content:"p="; startswith; http.header_names; content:!"Referer"; reference:md5,64db07d60025e04128de8b508673b6fe; reference:url,www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf; classtype:trojan-activity; sid:2033439; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_27;)
 
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY Cisco Data Center Network Manager Version Check Inbound (flowbit set)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fm/fmrest/about/version"; endswith; fast_pattern; flowbits:set,ET.ciscodcnm.1; reference:url,www.exploit-db.com/exploits/47347; classtype:attempted-recon; sid:2033441; rev:1; metadata:created_at 2021_07_27, former_category POLICY, updated_at 2021_07_27;)
@@ -63032,6 +62826,10 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".cdnimages.xyz"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033620; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
+#alert smb any any -> $HOME_NET any (msg:"ET DELETED Possible Attempted SMB RCE Exploitation M1 (CVE-2020-0796)"; flow:established,to_server; content:"|41 8B 47 3C 4C 01 F8 8B 80 88 00 00 00 4C 01 F8 50|"; fast_pattern; reference:url,github.com/chompie1337/SMBGhost_RCE_PoC; reference:cve,2020-0796; classtype:attempted-admin; sid:2030263; rev:3; metadata:affected_product SMBv3, created_at 2020_06_08, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag SMBGhost, updated_at 2021_07_29;)
+
+#alert smb any any -> $HOME_NET any (msg:"ET DELETED Possible Attempted SMB RCE Exploitation M2 (CVE-2020-0796)"; flow:established,to_server; content:"|FF C9 8B 34 8B 4C 01 FE|"; fast_pattern; reference:url,github.com/chompie1337/SMBGhost_RCE_PoC; reference:cve,2020-0796; classtype:attempted-admin; sid:2030264; rev:3; metadata:affected_product SMBv3, created_at 2020_06_08, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag SMBGhost, updated_at 2021_07_29;)
+
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (DNS Service)"; flow:from_server,established; tls.cert_subject; content:".sslip.io"; endswith; nocase; fast_pattern; classtype:policy-violation; sid:2033621; rev:1; metadata:created_at 2021_07_30, former_category POLICY, updated_at 2021_07_30;)
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN8 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=api-cdn.net"; nocase; fast_pattern; classtype:domain-c2; sid:2033625; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_30;)
@@ -63110,8 +62908,6 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SSV Agent
 
 alert udp any any -> $HOME_NET 12345 (msg:"ET EXPLOIT [PwnedPiper] Exploitation Attempt - Small Malformed Translogic Packet (Multiple CVEs)"; dsize:<21; content:"TLPU"; startswith; fast_pattern; content:"|00 00 00 01|"; distance:4; within:4; reference:url,www.armis.com/pwnedPiper; reference:cve,2021-37162; reference:cve,2021-37165; reference:cve,2021-37161; classtype:attempted-admin; sid:2033661; rev:1; metadata:attack_target Server, created_at 2021_08_03, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_03;)
 
-alert udp any any -> $HOME_NET 12345 (msg:"ET EXPLOIT [PwnedPiper] Exploitation Attempt - Large Malformed Translogic Packet (CVE-2021-37164)"; dsize:>369; content:"TLPU"; startswith; fast_pattern;  reference:cve,2021-37164; reference:url,www.armis.com/pwnedPiper; classtype:attempted-admin; sid:2033662; rev:1; metadata:attack_target Server, created_at 2021_08_03, cve CVE_2021_37164, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_03;)
-
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Maldoc CnC Domain in DNS Lookup"; dns.query; content:"cloud-documents.com"; nocase; bsize:19; reference:url,blog.malwarebytes.com/threat-intelligence/2021/07/crimea-manifesto-deploys-vba-rat-using-double-attack-vectors/; classtype:domain-c2; sid:2033663; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Maldoc CnC Domain (cloud-documents .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cloud-documents.com"; bsize:19; fast_pattern; reference:url,blog.malwarebytes.com/threat-intelligence/2021/07/crimea-manifesto-deploys-vba-rat-using-double-attack-vectors/; classtype:domain-c2; sid:2033664; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
@@ -63252,6 +63048,14 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 Related CnC Domain in
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 Related CnC Domain in DNS Lookup"; dns.query; content:"elecresearch.org"; nocase; bsize:16; classtype:domain-c2; sid:2035802; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Java request to UNI.ME Domain Set 1"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:c(?:o(?:l(?:leg(?:e(?:(?:confidential|-station|prowler)\.net|s?explained\.com)|iate(?:explained|info)\.com)|(?:o(?:rado-springs-jobs|nexplained)|umnexplore)\.com)|m(?:p(?:uter(?:explained\.com|themes\.net)|assiondefinition\.com)|m(?:oditylingerie|unesinfo|ercekid)\.com)|n(?:ce(?:rtparis\.net|ptsets\.com)|trolwedding\.com)|(?:(?:rnell|upon)explained|peguide)\.com|7\.us)|a(?:(?:(?:mpaign|talog|det)explained|n(?:cersexplained|adadaycore)|p(?:itali[sz]eguide|ricornhi)|b(?:leexplained|indynamic))\.com|r(?:(?:tograph(?:yanalysis|erwhat)|cinomas?explained|scratch-remover|eblack)\.com|insurance-compare\.net)|ce\.us)|h(?:(?:a(?:r(?:med-episodes|les-proxy|tpixel)|p(?:elsinfo|terball)|nnelexplained)|ristmas(?:gift-ideas|motion)|inesenewyearboom|eckingwatch)\.com|(?:orizo|urros)\.es)|(?:e(?:l(?:lularexplained|iac-diet)|ntigrade(?:explained|info))|(?:li(?:nical|ck)|ustomized)explained|r(?:uiseshipdating|iticsmart)|pu-benchmark|nc-cs)\.com|8\.biz|z\.cc)|a(?:(?:ll(?:about(?:(?:(?:collegi|gradu)at|yal)e|s(?:eminary|tudent)|(?:facul|varsi)ty|bestsellers|academic|teaching|harvard|ucla|pro)|babyours)|n(?:(?:tipodesbi|alyzelan)d|onymous-film)|(?:mericas-nexttopmode|gentsbal)l|r(?:chitectureice|lingtonwriter)|c(?:ademicexplaine|tionmo)d|ero(?:flotinfo|bicfund))\.com|u(?:(?:toma(?:tedexplained|kers24)|stralia-airlines|xiliaryverb)\.com|di(?:t(?:jewellery\.com|report\.net)|o-planet\.com))|p(?:(?:rilfools(?:hotel|spin)|ple-airport)\.com|[fh]i\.biz)|ir(?:(?:bnb-coupon|waysinfo)\.com|portshuttleseattle\.net)|v(?:enue(?:domain|hello)\.com|li\.biz)|\.e\.gy)|b(?:(?:a(?:c(?:helorexplained|kpackscope)|by(?:online-shop|revision)|(?:rcelonarea|ggagecoo)l|s(?:icexplained|escope)|ttle-field-3)|e(?:(?:st-hoteldeal|er-calorie|t-award)s|nefitexplained)|u(?:y-invite|dgetyep)|logger-com)\.com|r(?:(?:o(?:adbandinternet-providers|king(?:explained|guide))|unomarsalbum|yan-college)\.com|ea(?:st(?:cancertattoos\.net|explained\.com)|dmachine-recipes\.com))|o(?:(?:(?:om(?:ing|s)|nd)explained|tany(?:explained|info)|dybuildingdomains|rrowings?24)\.com|stoncolleges\.net)|irthcertificatetemplate\.net|3g\.biz)|d(?:e(?:(?:(?:(?:benture|posit)explaine|alershipislan)d|n(?:guefevertreatment|verhowto)|ductguide|veloptea)\.com|(?:xterstreaming|ciduoustrees)\.net)|o(?:(?:ctorate(?:s?explained|info)|llar-converter|gwalking-jobs|texplained|mainsknow)\.com|wnload(?:starcraft|-films|ubuntu)\.net)|(?:a(?:ncecentralsonglist|rtmouthexplained)|na-replication|hcp-server|vd-codec|rivewww)\.com|i(?:(?:s(?:count|ease)explained|nnerparty-recipes|walifile)\.com|rect-golf\.net))|e(?:(?:a(?:r(?:fulexplained|th-clinic)|sy(?:-costumes|repayment))|conomic(?:save|24))\.com|\.gy)|4(?:(?:4qs|h5)\.com|[jp]\.org|ql\.biz)|3(?:vt\.info|gb\.biz|q\.org)|2(?:eat\.com|sf\.biz|u\.se)|8(?:c1\.net|x\.biz)|7(?:c\.org|p\.biz)|11r\.(?:biz|us))(\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017457; rev:5; metadata:created_at 2013_09_13, former_category INFO, updated_at 2021_08_13;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Java request to UNI.ME Domain Set 2"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:f(?:(?:a(?:c(?:ultyexplained|e-bok)|(?:ncy-font|ke-nail)s|ir(?:explained|fuse)|shion-wallpaper|lterguide)|i(?:nanc(?:i(?:al|ng)explained|epets)|rm(?:explained|s24)|lter-coffee)|o(?:r(?:umexplained|ecastbooks|ceestate)|x-drama)|udaninfo)\.com|re(?:e(?:-(?:(?:(?:foodcoupon|angrybird)s|s(?:oundclips|tock)|photoeditor)\.com|music-download\.net)|(?:p(?:owerpointthem|roduct-sampl)es|dom-ofspeech)\.com|fileconverter\.net)|snoever\.com)|l(?:a(?:shplayerdownload\.net|tbelly-diet\.com)|oridaunemploymentclaim\.com|v-downloader\.net)|e(?:rtility-calculator\.net|stivalexplained\.com)|b(?:-smileys\.com|skins\.net))|l(?:(?:i(?:n(?:k(?:explained|master)|colnsbirthdaytea)|(?:ability|ver)explained|(?:berty-saf|ftmov)e|stings(?:biz|red)|teraturemulti)|u(?:ng(?:explained|abscess)|ggageboom)|o(?:cationssecure|ndon-riots|gback))\.com|e(?:(?:a(?:singexplained|ther-trousers)|(?:edsunited-new|d-candle)s|cturer(?:explained|info)|nd(?:ing|er)explained|isure-diving)\.com|u(?:kemiaexplained\.com|e\.biz)|tup\.org)|a(?:guay\.(?:com|es)|-gazzetta\.com)|6\.org)|i(?:n(?:s(?:(?:ur(?:er(?:s(?:explained|24)|explained)|ancesexplained)|ide-film)\.com|(?:pection-camera|taflex)\.net)|d(?:e(?:pendenceday(?:portal|realty)|mnityexplained)\.com|ividual-healthinsurance\.net)|t(?:er(?:estexplained\.com|trigo\.net)|ranet(?:explained|pm)\.com)|(?:(?:vestment|centive)explained|expensivehyper)\.com|f(?:ections?explained\.com|o\.se))|(?:(?:mmersio|sd)nexplained|ronmancom|pone-5)\.com|i(?:nkai|lg)\.biz)|m(?:(?:e(?:tropolis(?:(?:cruis|fac|mov)e|pixel)|(?:lanoma|dical)explained|r(?:idiantotal|cedes-cls)|ntal-healthjobs|morialdaycon|ssenger-mac|ansgift)|i(?:ami(?:-holidays|what)|di-editor)|baexplained)\.com|a(?:r(?:(?:tial-empires|ket-hq)\.com|iogames-online\.net)|n(?:(?:agejoin|ualzap)\.com|ipal-university\.net)|(?:lignanthypertension|gazinedownload)\.net|s(?:on(?:wave|car)|tersexplained)\.com|c2\.org))|e(?:(?:s(?:ta(?:tes(?:mob|fx)|blishstyle)|lexplained)|mploy(?:e(?:eexplained|r24)|mentexplained))\.com|n(?:(?:(?:gagement-photo|able-cookie)s|rollexplained)\.com|trepreneur-ideas\.net)|x(?:(?:(?:hibition|po)explained|ecutive-decision)\.com|tremedeal\.net)|l(?:ect(?:ronicexplained|orate123)\.com|guay\.(?:com|es))|q(?:uityexplained\.com|8\.biz))|g(?:(?:o(?:a(?:d(?:minister|vertize|just)|cademic|llocate)|(?:thic-literatur|handl)e|(?:bailou|conduc)t|govern)|r(?:a(?:duate(?:explained|sinfo)|ndparentsdayplan)|oceryexplained|4)|ym(?:glas|car)s|m[69])\.com|a(?:(?:(?:llaudet|te)explained|mevelocity|rnerguide)\.com|511\.net)|cwsa\.org)|h(?:o(?:(?:me(?:made-biscuits|pageexplained)|(?:nours|tline|using)explained|6)\.com|stel-barcelona\.net)|a(?:r(?:dback(?:city|yoga)|vardexplained)|n(?:dlechange|ukkahbio)|lloweenorange)\.com|y(?:perthyroidsymptoms\.net|d\.me)|ellokittypictures\.net)|j(?:(?:o(?:urnalism(?:explained|info)|hn-grisham|ker-tattoo)|query-examples)\.com|a(?:cksonvillepath\.com|vacollection\.net)|(?:vvg|6)\.org)|k(?:ilometersreach|udosexplained|jyg)\.com)(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017458; rev:5; metadata:created_at 2013_09_13, former_category INFO, updated_at 2021_08_13;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Java request to UNI.ME Domain Set 3"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:p(?:r(?:o(?:pert(?:ies(?:-forsale\.net|winters\.com)|y-(?:singapore|rental)\.net)|(?:fessors|state)explained\.com)|e(?:miums(?:e(?:xplained|ek)|guide)|(?:acher|cinct|late)sinfo|pexplained)\.com|i(?:va(?:te(?:car-sales|explained)\.com|do\.info)|nceton\.me))|e(?:(?:n(?:sionexplained|thousepal|cetruck)|diatricsexplained)\.com|rsonal(?:trainer-certification\.net|-injuryclaims\.com)|tardo\.es)|o(?:(?:wer(?:borrowings?|repayment|debts)|rt(?:land-holidays|alexplained)|intexplained|litical24)\.com|kertexas-holdem\.net)|a(?:(?:ss(?:engersinfo|agepix)|ge(?:explained|as)|cemaker-surgery|ttinson-robert|rk-edu)\.com|loaltocollege\.net)|(?:u(?:blicationgift|pils?info)|ickups(?:articles|gen)|neumoniaexplained|sychologyquotes|lus-sign)\.com|h(?:o(?:toedit(?:orfreedownload\.net|ingsite\.com)|neexplained\.com)|pbb-themes\.com|yscology\.net)|cbp\.net|9\.org)|o(?:n(?:line(?:(?:(?:f(?:o(?:ster|rce)|irstborn|raternal|ulltime)|b(?:r(?:idegroom|owse)|oxoffice)|e(?:(?:valuat|xpress)e|fficient)|-(?:collegecourse|radiostation)|d(?:escendant|aughter|iscusse)|v(?:illage|acant)|re(?:sidence|al))s|c(?:(?:r(?:iti(?:c(?:ize|al)|que)|ew)|o(?:nsider|usin)|a(?:pture|meo)|elluloid)s|ha(?:racters|teau))|a(?:(?:(?:vailabl|doptiv|llianc|pprais)e|ss(?:esse|ay)|unt)s|n(?:(?:cestor|alyze)s|imated)|way)|per(?:sonal-trainer|manents))\.com|mediaconverter\.net)|e-lyrics\.com|amia\.biz)|(?:ver(?:seasexplained|drawnreal)|(?:wnership|ffline)explained|cean(?:ic-cable|you)|rphanagesinfo|klahomafuse)\.com|a(?:klandour\.com|pg\.org))|r(?:e(?:(?:s(?:idenc(?:e(?:attorney|dating|cook|food)|yexplained)|erves(?:development|core))|(?:c(?:o(?:ver(?:ing|ed)|up)|laim)guid|laxationhyp|bateventur)e|g(?:i(?:on(?:private|mentor)|stercommunity)|ainguide)|t(?:r(?:ainingexplained|ieveguide)|ailexplained)|motecontrol-helicopter|viewwinters|payment24)\.com|alestate-perth\.net)|(?:a(?:cetracksinfo|veexplained|iserepair|tetask)|ising-antivirus|bnnetwork)\.com|o(?:(?:o(?:m(?:sfootball|mateco)|fcute)|admodern)\.com|yallondonhospital\.net))|s(?:(?:o(?:(?:lventsourc|ftenguid)e|urceexplained|cietiesinfo|ng-india)|a(?:n(?:antoniosource|diegodiscover)|l(?:aryexplaine|euploa)d)|ta(?:nford(?:explained|info)|(?:bilis|v)eguide|r-treck)|p(?:ecialtyexplained|iralwatch|orts-tab)|ch(?:oolexplained|eduleedu)|ites?explained)\.com|e(?:(?:minar(?:y(?:explained|info)|explained)|c(?:(?:urities|tor)explained|what)|aworld-coupons)\.com|rvertransfer\.net)|m(?:ier\.org|oz\.us)|hellgascard\.net|gba\.biz)|m(?:o(?:(?:t(?:oristsinfo|iveshare)|ntre-breitling|dernexplained|squesinfo)\.com|hamed\.me)|(?:y(?:borrowings|-husband)|ultimediaexplained|inistriesinfo)\.com|mcd\.us)|n(?:(?:a(?:ming(?:mac|our)|uticalfit|vigateadd)|e(?:tworkexplained|w-college))\.com|8\.biz))(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017459; rev:5; metadata:created_at 2013_09_13, former_category INFO, updated_at 2021_08_13;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Java request to UNI.ME Domain Set 4"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:t(?:e(?:(?:l(?:e(?:phoneexplained|comsguide)|learth)|n(?:ured(?:explained|info)|nis-ranking))\.com|mp(?:l(?:ates-gratis\.com|ecollege\.net)|converter\.net)|a(?:ching(?:-certificate\.net|explained\.com)|m\.pro))|r(?:a(?:(?:(?:nsferbyt|de-)e|in(?:eesinf|ge)o|mray)\.com|vel(?:insurance-comparison\.net|agentnerd\.com))|e(?:k-bicycles|nd-online)\.net|uckstool\.com|onco\.es)|(?:o(?:wn(?:housepic|study|euro|meta)|(?:tal-tool|memap)s|pgamebook|olboxsol)|u(?:mors?explained|lsatrain|rn-ons)|attoo-websites|ype-racer|wainfo)\.com|h(?:(?:anksgivinggaming|riftexplained)\.com|e(?:sis-examples\.com|atreparis\.net))|i(?:mezonevendor\.com|dl\.net)|cmn\.biz)|w(?:e(?:b(?:(?:b(?:estseller|ailout)|administer)\.com|site(?:downloader\.net|explained\.com)|developertoolbar\.net)|(?:l(?:lesley|fare)explained|akenguide)\.com)|or(?:th(?:voice|war)\.com|ld-records\.net)|ater(?:front-property\.net|-plants\.com)|(?:riterpics|hoiscan)\.com|pbh\.org|sse\.us)|s(?:(?:t(?:ud(?:ent(?:financecontact|s?explained)|yexplained)|r(?:eetmaphub|ongat)|patricksweightloss|onewhat)|wissairinfo)\.com|u(?:(?:mmertimelyrics|nset-wallpaper|per-committee|itegraphic)\.com|b\.(?:name|cat|es)))|v(?:(?:i(?:llage(?:(?:in|na)no|crystal)|deo(?:-mediaset|explained)|ta(?:minssms|lwow)|rtualexplained)|o(?:lumesynergy|ucheragent|ters24)|a(?:rsityexplained|lentinesproxy)|entureexplained)\.com|qtel\.net|f1\.us)|u(?:n(?:i(?:versityexplained\.com|nstalltool\.net|\.me)|(?:(?:secured|am)explained|ravelguide)\.com|limited-web-hosting\.net)|(?:cla(?:explained|info)|s-inflation|alinfo|zdom)\.com|[04]\.org)|y(?:(?:o(?:u(?:ngstersinfo|rbroking)|mkippursocial)|(?:eshiva|ale)explained|vxs)\.com|nna\.biz)|zwr\.org)(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017460; rev:5; metadata:created_at 2013_09_13, former_category INFO, updated_at 2021_08_13;)
+
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS rConfig ajaxArchiveFiles.php Command Injection Inbound (CVE-2019-19509)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ajaxHandlers/ajaxArchiveFiles.php?path="; fast_pattern; http.uri.raw; content:"/ajaxHandlers/ajaxArchiveFiles.php?path="; pcre:"/^%(?:3B|0A|26|60|7C|24)/Ri"; reference:url,www.exploit-db.com/exploits/47982; reference:cve,2019-19509; classtype:attempted-admin; sid:2033424; rev:3; metadata:attack_target Server, created_at 2021_07_26, cve CVE_2019_19509, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_08_16;)
 
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Apache SkyWalking GraphQL SQL Injection Inbound (CVE-2020-13921)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/graphql"; fast_pattern; http.request_body; content:"|7b 22|query"; nocase; startswith; content:"|27 29|"; pcre:"/^\s?.{0,100}(?:SELECT|UNION|CHAR|LONGVARCHAR|SCHEMA|FROM|WHERE|IFNULL|INSERT|UPDATE)/R"; reference:url,blog.csdn.net/caiqiiqi/article/details/107857173; reference:cve,2020-13921; classtype:attempted-admin; sid:2033403; rev:2; metadata:created_at 2021_07_24, cve CVE_2020_13921, updated_at 2021_08_16;)
@@ -63390,26 +63194,6 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt St
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (defenderupdateav .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"defenderupdateav.com"; bsize:20; fast_pattern; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:domain-c2; sid:2033799; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (LIST)"; flow: to_server,established; tls.sni; content:"LIST-"; startswith; fast_pattern; pcre:"/^LIST-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033800; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_08_26;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (LS)"; flow: to_server,established; tls.sni; content:"LS-"; startswith; fast_pattern; pcre:"/^LS-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033801; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (SIZE)"; flow: to_server,established; tls.sni; content:"SIZE-"; startswith; fast_pattern; pcre:"/^SIZE-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033802; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (LD)"; flow: to_server,established; tls.sni; content:"LD-"; startswith; fast_pattern; pcre:"/^LD-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033803; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (CB)"; flow: to_server,established; tls.sni; content:"CB-"; startswith; fast_pattern; pcre:"/^CB-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033804; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (CD)"; flow: to_server,established; tls.sni; content:"CD-"; startswith; fast_pattern; pcre:"/^CD-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033805; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (EX)"; flow: to_server,established; tls.sni; content:"EX-"; startswith; fast_pattern; pcre:"/^EX-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033806; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (ALIVE)"; flow: to_server,established; tls.sni; content:"ALIVE-"; startswith; fast_pattern; pcre:"/^ALIVE-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033807; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (EXIT)"; flow: to_server,established; tls.sni; content:"EXIT-"; startswith; fast_pattern; pcre:"/^EXIT-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033808; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (finito)"; flow: to_server,established; tls.sni; content:"finito-"; startswith; fast_pattern; pcre:"/^finito-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033809; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
-
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Default CobaltStrike SSL Certificate"; flow:established,to_client; tls.cert_issuer; content:"C=Earth"; nocase; content:"ST=Cyberspace"; nocase; content:"L=Somewhere"; nocase; content:"O=cobaltstrike"; nocase; content:"OU=AdvancedPenTesting"; nocase; content:"CN=Major Cobalt Strike"; nocase; fast_pattern; reference:url,fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html; classtype:trojan-activity; sid:2030111; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_26;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon (Custom Wordpress Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html"; endswith; http.cookie; content:"wordpress_"; startswith; fast_pattern; pcre:"/^(?:[a-f0-9]{32})=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Cookie|0d 0a|"; startswith; content:!"Referer"; reference:md5,926ecee0190a5211a9670f369007ec3a; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:command-and-control; sid:2033810; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
@@ -63422,8 +63206,6 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 SARDONIC CnC Domain in
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Witch.3FA0!tr CnC Actiivty"; flow:established,to_server; http.request_line; content:"POST /?opt=put&type=text"; startswith; fast_pattern; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; http.request_body; content:"&mac="; content:"&pcname="; distance:12; within:8; reference:md5,db7ffa8d3fa480e489c9062b18067f36; classtype:command-and-control; sid:2033814; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Javascript Click and Removal of Download Element"; flow:established, to_client; http.stat_code; content:"200"; file.data; content:"e|2e|setAttribute|28 22|download|22 2c 22 22 29|"; fast_pattern; content:"e|2e|click|28 29 2c|e|2e|remove|28 29|"; distance:0;  reference:url,www.bleepingcomputer.com/news/security/phishing-campaign-uses-upscom-xss-vuln-to-distribute-malware/; classtype:social-engineering; sid:2033816; rev:1; metadata:created_at 2021_08_26, former_category MALWARE, updated_at 2021_08_26;)
-
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 CnC Domain in DNS Lookup"; dns.query; content:"onedrivelive.me"; nocase; bsize:15; classtype:domain-c2; sid:2035796; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_26;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 CnC Domain in DNS Lookup"; dns.query; content:"librarycollection.org"; nocase; bsize:21; classtype:domain-c2; sid:2035797; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_26;)
@@ -63448,6 +63230,8 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Document Ste
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/GenCBL.XS CnC Activity"; flow:established,to_server; content:"|30 32 bc|"; startswith; content:"|bc 4d 4a 56 3a 20|"; distance:0; content:"|20 31 20 2d 20 42 75 69 6c 64 20 3a 20|"; distance:0; fast_pattern; reference:md5,9dfd2f831b3672dc0c50b98550d3aa06; classtype:command-and-control; sid:2033819; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_27;)
 
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/SysNt Corp DotNetRAT CnC Activity"; flow:established,to_server; content:"|e8 03 00 00 00 00 00 00 10 00 00 00|"; fast_pattern; startswith; content:"|90 01 00 00 66 00 00 00|"; distance:0; content:"|2d|"; distance:12; within:1; content:"|2d|"; distance:4; within:1; content:"|2d|"; distance:4; within:1; content:"|2d|"; distance:4; within:1; content:"|7c|"; distance:12; within:1; content:"|7c|"; distance:0; content:"|7c|"; distance:2; within:1; reference:md5,98ee48860712d3c06c3a4aa31c14de3a; classtype:command-and-control; sid:2036611; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_27;)
+
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (esnoptdkkiirzewlpgmccbwuynvxjumf .name)"; dns.query; content:"esnoptdkkiirzewlpgmccbwuynvxjumf.name"; nocase; bsize:37; fast_pattern; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033832; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (nfcomizsdseqiomzqrxwvtprxbljkpgd .name)"; dns.query; content:"nfcomizsdseqiomzqrxwvtprxbljkpgd.name"; nocase; bsize:37; fast_pattern; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033829; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
@@ -63508,6 +63292,8 @@ alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible JNB
 
 alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible JNBridge Java Deserialization Attempt M3"; flow:established,to_server; content:"JNB"; startswith; pcre:"/^\d[012345]/R"; content:".exec|28|"; fast_pattern; classtype:attempted-admin; sid:2033855; rev:1; metadata:created_at 2021_08_31, former_category EXPLOIT, updated_at 2021_08_31;)
 
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vodkagats Loader Requesting Payload"; flow:established,to_server; urilen:<50; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.header; content:"User-Agent|3a 20|Microsoft Internet Explorer|0d 0a|"; fast_pattern; startswith; http.header_names; content:!"Accept"; content:!"Cache-"; content:!"Referer"; reference:md5,29feb71dc6e5eeb6dbeeaebee647a5b3; classtype:trojan-activity; sid:2036333; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_31;)
+
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 79"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x9f/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,6168f11bb42ff767a224396c2656ea87; classtype:command-and-control; sid:2020780; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 69"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7a 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9f/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,262d04177c4bec3215db085fc4c44493; classtype:command-and-control; sid:2020770; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
@@ -63528,7 +63314,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PC
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 90"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|31 d9|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x31\xd9/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1fa6460563cddcb165511c6b17ff4637; classtype:command-and-control; sid:2020791; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GCleaner Downloader Activity M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?pub=mix"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"HALF"; bsize:4; fast_pattern; reference:md5,ff4ae9d00058d3e9d5034d043387c4be; reference:url,medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a; classtype:trojan-activity; sid:2032351; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, updated_at 2021_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GCleaner Downloader Activity M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?pub=mix"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"HALF"; bsize:4; fast_pattern; reference:md5,ff4ae9d00058d3e9d5034d043387c4be; reference:url,medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a; classtype:trojan-activity; sid:2032351; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LinkedIn Phishing Landing 2018-02-09 M2"; flow:established,to_client; http.header; content:!"X-LI-UUID|3a|"; nocase; file.data; content:"<title"; nocase; content:"Sign In|20 7c 20|LinkedIn"; nocase; within:40; classtype:social-engineering; sid:2025338; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2021_08_31;)
 
@@ -63636,8 +63422,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN7 JSSLoader Variant Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?id="; startswith; fast_pattern; pcre:"/^[A-Z]{14}$/R"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:url,www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/; reference:md5,bf23c48d111f5a2d3169062428940b1c; classtype:trojan-activity; sid:2033889; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN7, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed nc (netcat) EXE Inbound"; flow:established,from_server; file.data; content:"MZ"; depth:10; content:"!This program"; distance:0; content:"www.vulnwatch.org/netcat/"; distance:0; fast_pattern; content:"nc [-options]"; distance:0; content:"nc -l -p port"; distance:0;  reference:md5,e0db1d3d47e312ef62e5b0c74dceafe5; classtype:policy-violation; sid:2033890; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_09_02;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed Suspicious Request nc.exe in URI"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nc.exe"; fast_pattern; nocase; endswith; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2033891; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_09_02;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)"; dns.query; content:"nowautomation.com"; nocase; bsize:17; reference:url,twitter.com/James_inthe_box/status/1433481199939297308; reference:md5,18c7c940bc6a4e778fbdf4a3e28151a8; classtype:domain-c2; sid:2033892; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_09_02, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
@@ -63686,8 +63470,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BleachGap Ransomw
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Lazarus Related Domain (share .bloomcloud .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"share.bloomcloud.org"; bsize:20; fast_pattern; reference:url,twitter.com/ShadowChasing1/status/1433807018867912705; reference:md5,a224350ce67eea6a8d818b85436c5309; reference:md5,02904e802b5dc2f85eec83e3c1948374; reference:md5,bac4acc2544626bac6377fb32c5f244c; classtype:command-and-control; sid:2033903; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_07, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_09_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Syndicasec Encoded Response Embedded in XML HTML Title Tags Inbound"; flow:established,to_client; content:"|3c 3f|xml"; content:"|3c|title|20|type|3d 27|text|27 3e 40|"; distance:0; fast_pattern; content:"|40 3c 2f|title|3e|"; distance:0;  reference:url,www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-mangal-win32syndicasec-used-targeted-attacks-indian-organizations/; reference:md5,f339bbca8e7a5d0f1629212f61b7d351; classtype:command-and-control; sid:2033904; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_07, deployment Perimeter, former_category MALWARE, performance_impact Low, updated_at 2021_09_07;)
-
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco HyperFlex HX Data Platform Pre-Auth RCE Inbound (CVE-2021-1499)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload"; http.request_body; content:"name=|22|"; content:"filename=|22|../../"; fast_pattern; reference:cve,2021-1499; classtype:attempted-admin; sid:2033907; rev:1; metadata:attack_target Server, created_at 2021_09_07, cve CVE_2021_1499, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_07;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/MobiGame Install Stats Checkin M1"; flow:established,to_server; http.request_line; content:"POST /action "; startswith; http.user_agent; content:"Statistics"; bsize:10; http.request_body; content:"|7b 22|hwid|22 3a 22|"; startswith; content:"|22 2c 22|macAddress|22 3a 22|"; distance:0; content:"|22 2c 22|ipAddressLocal|22 3a 22|"; distance:0; fast_pattern; content:"|22 2c 22|installDate|22 3a 22|"; distance:0; reference:md5,18f26612bc642daa9b269660eb585500; classtype:pup-activity; sid:2033909; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_08, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_09_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
@@ -63702,18 +63484,16 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Beapy/Lemon
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.Coinminer Checkin"; flow:established,to_server; content:"|7b 22|CPU_Model|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|Elevated|22 3a|"; distance:0; content:"|22|GPU_Model|22 3a 22|"; distance:0; content:"|22|Identity|22 3a 22|"; distance:0; reference:md5,a98df471bde22b7b2d25aae974237363; classtype:coin-mining; sid:2033906; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Coinminer, updated_at 2021_09_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Mingloa CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"page=querycpc/items/&duid="; fast_pattern; content:"&pid="; distance:0; content:"&time="; distance:0; content:"&hash="; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|";  reference:url,news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service; classtype:command-and-control; sid:2033913; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_08;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing 2021-06-29"; flow:established,from_server; file.data; content:"Webmail Login"; fast_pattern; content:"action|3d 22|process.php|22|"; distance:0; content:"method|3d 22|post|22|"; distance:0; content:"target|3d 22 5f|top|22|"; distance:0; content:"style|3d 22|visibility|3a 22|>"; distance:0; reference:url,app.any.run/tasks/5fcdc0a0-7a79-4bcb-b2fb-3d358571d858/; classtype:social-engineering; sid:2033218; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_09_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Android/iprdr.php"; fast_pattern; bsize:18; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/Timele9527/status/1435495701329317895; reference:md5,28ffba0b074218b0c9ff0360d8791bfd; classtype:trojan-activity; sid:2033914; rev:1; metadata:created_at 2021_09_08, former_category MALWARE, updated_at 2022_04_18;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Apple/script.php?a="; fast_pattern; startswith; http.user_agent; content:"Mozilla/3.0|20 28|compatible|3b 20|Indy|20|Library|29|"; bsize:38; http.header_names; content:!"Referer"; reference:url,twitter.com/Timele9527/status/1435495701329317895; reference:md5,28ffba0b074218b0c9ff0360d8791bfd; classtype:trojan-activity; sid:2033915; rev:1; metadata:created_at 2021_09_08, former_category MALWARE, updated_at 2021_09_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SiameseKitten/Lyceum/Hexane MSIL/Shark Response - 1 Byte XOR Key"; flow:established,from_server; file.data; base64_decode:offset 0; base64_data; content:"|6e 4b 5e 4b|"; content:"|27 20|"; classtype:command-and-control; sid:2033761; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_22, deployment Perimeter, deprecation_reason Performance, former_category MALWARE, malware_family Shark, performance_impact Significant, signature_severity Major, updated_at 2021_09_08;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SiameseKitten/Lyceum/Hexane MSIL/Shark CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?q="; content:"&qi="; distance:0; content:"&q1="; distance:0; content:"&q2="; distance:0; content:"&q3="; distance:0; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/R"; http.user_agent; content:"|28|Windows|20|NT|20|10.0|3b 20|Win64|3b 20|x64|29|"; http.header_names; content:"If-None-Match|0d 0a|Sec-Fetch-Dest|0d 0a|Sec-Fetch-Mode|0d 0a|Sec-Fetch-User|0d 0a|"; nocase; http.header; content:"Sec-Fetch-Dest|3a 20|document|0d|"; fast_pattern; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; reference:url,www.clearskysec.com/siamesekitten/; classtype:command-and-control; sid:2033760; rev:2; metadata:created_at 2021_08_22, former_category MALWARE, malware_family Shark, updated_at 2021_09_08;)
 
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SiameseKitten/Lyceum/Hexane MSIL/Shark Response - 1 Byte XOR Key"; flow:established,from_server; file.data; base64_decode:offset 0; base64_data; content:"|6e 4b 5e 4b|"; content:"|27 20|"; classtype:command-and-control; sid:2033761; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_08_22, deployment Perimeter, deprecation_reason Performance, former_category MALWARE, malware_family Shark, performance_impact Significant, signature_severity Major, updated_at 2021_09_08;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible IceRat CnC Acitivty"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dow_"; startswith; fast_pattern; content:".txt"; endswith; http.user_agent; content:"Java/"; startswith; reference:url,www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp; classtype:trojan-activity; sid:2031485; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_06, deployment Perimeter, former_category MALWARE, malware_family IceRAT, signature_severity Major, updated_at 2021_09_09;)
 
 alert http any any -> any any (msg:"ET EXPLOIT Possible SolarWinds Orion API Local File Disclosure (SWNetPerfMon.db) (CVE-2020-10148)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/SWNetPerfMon.db.i18n.ashx?"; nocase; fast_pattern; reference:url,gist.github.com/0xsha/75616ef6f24067c4fb5b320c5dfa4965; reference:url,kb.cert.org/vuls/id/843464; reference:cve,2020-10148; classtype:web-application-attack; sid:2031460; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category EXPLOIT, updated_at 2021_09_09;)
@@ -63900,8 +63680,6 @@ alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT PiHole Web
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/GenKryptik.FKJZ CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"&pass="; content:"&cookie="; content:"&cc="; content:"&chrome="; content:"&firefox="; content:"&binancepass="; fast_pattern; content:"&paypalpass="; content:"&hwid="; content:"&bit="; http.request_body; content:"PK|03 04|"; reference:md5,b369e6f7f7ed1771110e9017741be7b3; classtype:trojan-activity; sid:2033936; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sidewalk CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|gtuvid|0d 0a|"; fast_pattern; content:"|0d 0a|gtsid|0d 0a|";  reference:url,welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/; classtype:command-and-control; sid:2033937; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_13;)
-
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Checkin"; flow:established,to_server; content:"|20 5b 20|"; content:"|20 5b 20|"; distance:0; content:"[endof]"; endswith; reference:md5,8db6655c0a5cb219c3bbc4bb5fc92e1a; classtype:command-and-control; sid:2033938; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, former_category MALWARE, malware_family njrat, performance_impact Low, signature_severity Major, updated_at 2021_09_13;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SOVA Banking Trojan Activity (bot update)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api?method=bots.update&botid="; startswith; fast_pattern; content:"&param="; distance:0; content:"&value="; distance:0; http.user_agent; content:"okhttp/"; startswith; http.header_names; content:!"Referer"; reference:url,www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html; reference:md5,01b6f0220794476fe19a54c049600ab3; classtype:trojan-activity; sid:2033940; rev:2; metadata:created_at 2021_09_14, former_category MOBILE_MALWARE, updated_at 2021_09_14;)
@@ -63920,8 +63698,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Eyoorun.
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.BEH Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/socket.io/?release="; startswith; fast_pattern; content:"&model="; distance:0; content:"&EIO="; distance:0; content:"&id="; distance:0; content:"&transport="; distance:0; content:"&manf="; distance:0; content:"&sid="; distance:0; http.user_agent; content:"|28|Linux|3b 20|U|3b 20|Android"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"contactsList"; content:"phoneNo"; distance:0; http.header_names; content:!"Referer"; reference:md5,72670e5480849637e86e0daeddbdb43b; reference:url,twitter.com/malwrhunterteam/status/1437787922816806914; classtype:trojan-activity; sid:2033946; rev:1; metadata:created_at 2021_09_14, former_category MOBILE_MALWARE, updated_at 2021_09_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Client Cloaking Javascript Observed"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c|html|3e 3c|head|3e 3c|script|20|src|3d 27|"; content:"Aes|2e|Ctr|2e|decrypt|28|"; nocase; fast_pattern; pcre:"/^(?:[^0-9][a-zA-Z0-9_$]{1,254}),\s*(?:[^0-9][a-zA-Z0-9_$]{1,254}),\s*256\)\x3b/Ri"; content:"document|2e|write|28|output|29|"; distance:0;  reference:url,unit42.paloaltonetworks.com/javascript-based-phishing/; classtype:credential-theft; sid:2033947; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_09_14, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Minor, updated_at 2021_09_14;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/btn_bg.html?contact=true"; fast_pattern; bsize:25; http.cookie; content:"HSID="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.accept; content:"image/jpeg"; bsize:10; http.header_names; content:!"Referer"; reference:url,twitter.com/Unit42_Intel/status/1437787000690683911; reference:url,github.com/pan-unit42/tweets/blob/master/2021-09-13-IOCs-for-TA551-Trickbot-with-Cobalt-Strike-and-DarkVNC.txt; reference:md5,3963abbca3932a7d1e2b77cef1f6d57e; classtype:trojan-activity; sid:2033948; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_14, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_09_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Delf.OKR Variant CnC M1"; flow:established,to_server; stream_size:server,<,5; content:"|3d 22 3f 4b 0a|"; startswith; reference:md5,320564554767ddd328932997067f64a5; classtype:command-and-control; sid:2033949; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_14, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_09_14;)
@@ -63986,8 +63762,6 @@ alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE APT-C-23 Related CnC
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/amazed/alternative.jng"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; http.host; content:".ru"; endswith; reference:md5,0c6eb0ff9121eae3ce6e15f7af8f9909; reference:url,twitter.com/s1ckb017/status/1438458210147520514; classtype:trojan-activity; sid:2033981; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SQUIRRELWAFFLE Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html|3b 20|charset=UTF-8"; bsize:24; file.data; content:"|0d 0d 0d 09 09 09 0a 0a 0a|"; startswith; fast_pattern; pcre:"/^.{4}(?:R(?:k(?:Z(?:GQkBG|CQEY)|BCRUVG)|0FFRkFH|UJDQUE)|Q(?:U(?:V(?:CQ0FB|GQUc)|NCRkI)|kFDQkZC|EJFRUY)|(?:Z(?:AQkVF|GRkJA)R|JBQ0JGQ)g|FFQkNBQQ|dBRUZBRw)/R"; content:"|0a 0a 0a 09 09 09 0d 0d 0d|"; endswith;  reference:url,twitter.com/jaydinbas/status/1437708323038564352; classtype:command-and-control; sid:2033982; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, malware_family SQUIRRELWAFFLE, performance_impact Moderate, signature_severity Major, updated_at 2021_09_17;)
-
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT JBOSS Deserialization Attempt Inbound (CVE-2017-7504)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/jbossmq-httpil/HTTPServerILServlet"; fast_pattern; http.request_body; content:"|AC ED 00|"; reference:url,www.programmersought.com/article/1033574325/; reference:cve,2017-7504; classtype:attempted-admin; sid:2033985; rev:1; metadata:attack_target Server, created_at 2021_09_17, cve CVE_2017_7504, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_17;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT/Bitter Related CnC Domain in DNS Lookup"; dns.query; content:"olmajhnservice.com"; nocase; bsize:18; reference:md5,be9bd8ed8a4c052be5cedb0266f50c0d; reference:url,twitter.com/ShadowChasing1/status/1439929215919411206; classtype:domain-c2; sid:2033986; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_20, deployment Perimeter, signature_severity Major, updated_at 2021_09_20;)
@@ -64038,8 +63812,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible Outdated Br
 
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible WebShell Access Inbound [exec] M1 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?act=exec"; fast_pattern; content:"&newid="; content:"&pwd="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034006; rev:1; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_09_22, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET DELETED Possible WebShell Access Inbound [exec] M2 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&act=exec"; fast_pattern; content:"?newid="; content:"&pwd="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034007; rev:1; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_12_03, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
-
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible WebShell Access Inbound [upload] M1 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?act=upload"; fast_pattern; content:"&path="; content:"&context="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034009; rev:1; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_09_22, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
 alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Possible Mirai Infection Attempt via OS Command Injection Outbound (CVE-2021-32305)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/search.php?search=|22 3b|/bin/bash+wget+http://"; fast_pattern; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/R"; content:"|3b|+"; distance:0; within:50; reference:url,unit42.paloaltonetworks.com/cve-2021-32305-websvn/; reference:cve,2021-32305; classtype:attempted-admin; sid:2033856; rev:3; metadata:created_at 2021_08_31, cve CVE_2021_32305, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2021_09_22;)
@@ -64066,10 +63838,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyTurla CnC Act
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Autodiscover Credentials Leak via Basic Auth"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/autodiscover/autodiscover.xml"; nocase; fast_pattern; http.header; content:"Authorization|3a 20|Basic|20|"; reference:url,guardicore.com/labs/autodiscovering-the-great-leak/; classtype:policy-violation; sid:2034019; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_09_23, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Spy.Agent.AW Download"; flow:established,to_client; http.response_body; content:"var"; startswith; content:"|5c 78 37 30 5c 78 36 31 5c 78 37 39 5c 78 36 44 5c 78 36 35 5c 78 36 45 5c 78 37 34 5c 78 35 46 5c 78 36 36 5c 78 36 46 5c 78 37 32 5c 78 36 44 5c 78 35 46 5c 78 36 33 5c 78 36 33 5c 78 37 33 5c 78 36 31 5c 78 37 36 5c 78 36 35|"; within:90; fast_pattern; content:"|5c 78 36 35 5c 78 37 30 5c 78 36 31 5c 78 37 39 5c 78 35 46 5c 78 37 33 5c 78 36 35 5c 78 36 33 5c 78 37 35 5c 78 37 32 5c 78 36 35 5c 78 35 46 5c 78 37 30 5c 78 36 31 5c 78 37 39 5c 78 36 44 5c 78 36 35 5c 78 36 45 5c 78 37 34|"; distance:62; within:76;  reference:md5,ade43b2b2cf95ca908b82fe0e76ea54d; classtype:trojan-activity; sid:2034020; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_23;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (REBOL)"; flow:established,to_server; http.user_agent; content:"REBOL"; nocase; startswith;  reference:url,twitter.com/James_inthe_box/status/1441140639169609736; classtype:bad-unknown; sid:2034021; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2021_09_24;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MirrorBlast CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"=bmFtZT"; fast_pattern; pcre:"/(?:JmJ1aWxkP|YnVpbGQ9|ZidWlsZD)/R"; http.user_agent; content:"REBOL"; startswith; reference:url,twitter.com/ffforward/status/1441137165329649664; reference:md5,6b59a4657eb90d92590f5a183d9d1e77; classtype:command-and-control; sid:2034022; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category MALWARE, malware_family MirrorBlast, performance_impact Low, signature_severity Major, updated_at 2021_09_24;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MirrorBlast CnC Activity M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"=dXVpZD"; fast_pattern; content:"LT"; distance:18; within:2; content:"t"; distance:5; within:1; http.user_agent; content:"REBOL"; startswith; reference:url,twitter.com/ffforward/status/1441137165329649664; reference:md5,6b59a4657eb90d92590f5a183d9d1e77; classtype:command-and-control; sid:2034023; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category MALWARE, malware_family MirrorBlast, performance_impact Low, signature_severity Major, updated_at 2021_09_24;)
@@ -64102,8 +63870,6 @@ alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Hyper
 
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco HyperFlex OS Command Injection M2 (CVE-2021-1497)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/auth"; startswith; http.request_body; content:"username="; content:"password="; nocase; fast_pattern; content:"%3bimport|20|"; distance:0; reference:url,swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/; reference:cve,2021-1497; classtype:attempted-admin; sid:2034044; rev:1; metadata:attack_target Server, created_at 2021_09_29, cve CVE_2021_1497, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win64/TrojanDownloader.Age Download Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".docx"; endswith; http.user_agent; content:"unknown"; fast_pattern; bsize:7; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; content:!"Referer";  reference:md5,fd59dd7bb54210a99c1ed677bbfc03a8; classtype:trojan-activity; sid:2034048; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_29;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Colibri Loader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?type=check&uid="; fast_pattern; pcre:"/^[0-9A-F]{16,32}$/Rs"; http.user_agent; content:!"Mozilla"; content:!"Safari"; content:!"Opera"; pcre:"/^[A-Za-z0-9]{16,32}$/"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; content:!"Referer"; reference:md5,9bf1574b794c7937cdbd12a9ff6fba76; classtype:command-and-control; sid:2034049; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_29;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING BulletProofLink Phishkit Password-Processing URL"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"phishing-processor"; fast_pattern; content:".php"; distance:0; reference:url,microsoft.com/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/; classtype:credential-theft; sid:2034047; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_09_29;)
@@ -64176,8 +63942,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Act
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/images/L._SX2_.jpg"; bsize:19; http.host; content:"static.mhysl.org"; bsize:24; fast_pattern; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT|20|6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0)|20|like|20|Gecko"; bsize:68; http.header_names; content:!"Referer"; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/; classtype:trojan-activity; sid:2034082; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fake Anti-Pegasus AV CnC Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/connect?hwid="; fast_pattern; content:"&os="; distance:0; content:"&bits=x"; distance:0; content:"&av="; distance:0; http.header_names; content:!"Referer";  reference:url,blog.talosintelligence.com/2021/09/fakeantipegasusamnesty.html; classtype:command-and-control; sid:2034083; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_01;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Amazon Profile POST (JPEG)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"|ff d8 ff|"; startswith; reference:url,securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/; classtype:command-and-control; sid:2034084; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_10_01;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Amazon Profile POST (PNG)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"|89 50 4e 47|"; startswith; reference:url,securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/; classtype:command-and-control; sid:2034085; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_10_01;)
@@ -64198,10 +63962,6 @@ alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET DOS Possible Mic
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed AutoDesk Domain in TLS SNI (api .autodesk .com)"; flow:established,to_server; tls.sni; content:"developer.api.autodesk.com"; bsize:26; fast_pattern; classtype:bad-unknown; sid:2034098; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category HUNTING, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (yawero .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"yawero.com"; bsize:10; fast_pattern;  reference:url,thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks; classtype:command-and-control; sid:2034099; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (sazoya .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"sazoya.com"; bsize:10; fast_pattern;  reference:url,thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks; classtype:domain-c2; sid:2034100; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
-
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Wintervivern Related CnC Domain in DNS Lookup (securetourspd .com)"; dns.query; content:"securetourspd.com"; nocase; bsize:17; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; classtype:domain-c2; sid:2034101; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Wintervivern Related CnC Domain in DNS Lookup (secure-daddy .com)"; dns.query; content:"secure-daddy.com"; nocase; bsize:16; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; classtype:domain-c2; sid:2034102; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
@@ -64248,8 +64008,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Acti
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY AmeriTechnology Group - CHARM Client"; flow:established,to_server; http.request_line; content:"GET /check.asp?co="; startswith; fast_pattern; http.uri; content:"&pc="; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,451f2852e35977a150066afdc5acb318; classtype:policy-violation; sid:2034118; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_10_05;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Tomiris C2 (init)"; flow:established,to_server; content:"|74 00 2b 00 77 00 6c 00 7c 00 76 00 76 00 27 00 30 00 79 00 20 00 29 00|"; offset:0;  reference:url,securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/; classtype:trojan-activity; sid:2034119; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_05;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Message Variables"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"MS_TXT_LOGIN"; nocase; content:"ChangPass_"; nocase; content:"Login_"; nocase; content:"i18nGobal"; nocase; fast_pattern; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2034028; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_05;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Javascript - Observed Repetitive Custom CSS Components"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"themes/css/"; fast_pattern; pcre:"/^[a-f0-9]{42}\.css\x27\x29\.then\x28(?:.{1,1000}themes\/css\/[a-f0-9]{42}\.css\x27\x29\.then\x28){5,}/Rsi"; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2034001; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, performance_impact Moderate, signature_severity Major, updated_at 2021_10_05;)
@@ -64294,14 +64052,6 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Doma
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (www .googlesheetpage .org)"; dns.query; content:"www.googlesheetpage.org"; nocase; bsize:23; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034139; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Ursnif CnC Domain (Gloderuniok .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"gloderuniok.website"; bsize:19; fast_pattern;  reference:url,twitter.com/JAMESWT_MHT/status/1445322477350146054; classtype:domain-c2; sid:2034140; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Ursnif CnC Domain (Vloderuniok .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"vloderuniok.website"; bsize:19; fast_pattern;  reference:url,twitter.com/JAMESWT_MHT/status/1445322477350146054; classtype:domain-c2; sid:2034141; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (Gojihu .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"Gojihu.com"; bsize:10; fast_pattern;  reference:url,thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks; classtype:domain-c2; sid:2034142; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (Yuxicu .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"Yuxicu.com"; bsize:10; fast_pattern;  reference:url,thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks; classtype:domain-c2; sid:2034143; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NSecSoft Remote Monitoring Update/Download Activity M1"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:"|0d 0a|NSEC-UID|0d 0a|"; fast_pattern; http.request_body; content:"|3c|sessions|20|uid|3d 22|"; startswith; content:"|22 20|user|3d 22|"; distance:0; content:"|2f 3e 3c 2f|sessions|3e|"; endswith; reference:md5,4a14459e5dbadb86417483dba7174ffa; classtype:bad-unknown; sid:2034144; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2021_10_06;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ESPecter Bootkit Initialization Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Heart.aspx?ti="; startswith; fast_pattern; content:"&tn="; distance:0; content:"&tg="; distance:0; content:"&tv="; distance:0; http.header_names; content:!"Referer"; reference:url,www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/; classtype:trojan-activity; sid:2034145; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
@@ -64334,7 +64084,7 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Related Domain in
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Set flow on bmp file get"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".bmp"; http.request_line; content:".bmp HTTP/1."; fast_pattern; flowbits:set,ET.bmp_seen; flowbits:noalert; reference:url,doc.emergingthreats.net/2009083; classtype:not-suspicious; sid:2009083; rev:8; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_10_08;)
 
-#alert tcp $EXTERNAL_NET !5665 -> $HOME_NET any (msg:"ET MALWARE Possible Netwire RAT Client HeartBeat C2"; flow:established,to_client; flowbits:isset,ET.Netwire.HB; dsize:5; content:"|01 00 00 00|"; depth:4; pcre:"/^[\x01-\x4c]$/R"; threshold: type threshold, track by_src, count 3, seconds 60; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,e01c79d227c6315150f7ff0afe40db4c; classtype:command-and-control; sid:2018283; rev:8; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2021_10_08;)
+#alert tcp $EXTERNAL_NET !5665 -> $HOME_NET any (msg:"ET MALWARE Possible Netwire RAT Client HeartBeat C2"; flow:established,to_client; flowbits:isset,ET.Netwire.HB; dsize:5; content:"|01 00 00 00|"; depth:4; pcre:"/^[\x01-\x4c]$/R"; threshold: type threshold, track by_src, count 3, seconds 60; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,e01c79d227c6315150f7ff0afe40db4c; classtype:command-and-control; sid:2018283; rev:8; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2022_05_03;)
 
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Aviatrix Controller Unrestricted File Upload with Path Traversal Inbound (CVE-2021-40870)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"action=set_metric_gw_selections&account_name="; fast_pattern; content:"../../"; distance:0; within:10; content:"&data="; reference:cve,2021-40870; classtype:attempted-admin; sid:2034159; rev:1; metadata:attack_target Server, created_at 2021_10_09, cve CVE_2021_40870, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_09;)
 
@@ -64406,10 +64156,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Limbozar Ra
 
 alert dns $HOME_NET any -> any any (msg:"ET INFO External IP Lookup Domain DNS Lookup (my-ip .io)"; dns.query; dotprefix; content:".my-ip.io"; nocase; endswith; classtype:bad-unknown; sid:2034196; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_10_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Oracle BI Publisher Authentication Bypass (CVE-2019-2616)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/xmlpserver/ReportTemplateService.xls"; bsize:37; fast_pattern; http.header_names; content:!"Referer"; http.request_body; content:"|3c 21|DOCTYPE|20|soap|3a|envelope|20|PUBLIC|20 22 2d 2f 2f|B|2f|A|2f|EN|22 20 22|http"; startswith;  reference:url,nvd.nist.gov/vuln/detail/CVE-2019-2616; reference:cve,2019-2616; classtype:attempted-admin; sid:2034199; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_10_15, cve CVE_2019_2616, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_10_15;)
-
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Interactsh Control Panel (DNS)"; threshold: type both, track by_src, count 1, seconds 600; dns.query; pcre:"/^[a-z0-9]{33}/"; content:".interact.sh"; endswith; fast_pattern;  reference:url,unit42.paloaltonetworks.com/exploits-interactsh/; classtype:trojan-activity; sid:2034201; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
-
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/MysterySnail RAT CnC Domain in DNS Lookup"; dns.query; content:"http.ddspadus.com"; nocase; bsize:17; reference:url,securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/; reference:md5,e2f2d2832da0facbd716d6ad298073ca; classtype:domain-c2; sid:2034197; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, signature_severity Major, updated_at 2021_10_15;)
 
 alert dns $HOME_NET any -> any any (msg:"ET INFO Interactsh Domain in DNS Lookup (.interact .sh)"; dns.query; dotprefix; content:".interact.sh"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/exploits-interactsh/; classtype:bad-unknown; sid:2034198; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_10_15;)
@@ -64442,8 +64188,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Stealbit
 
 #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Outbound .png HTTP GET flowbit set"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png"; endswith; flowbits:set,ET.httpget.png; flowbits:noalert; classtype:misc-activity; sid:2034212; rev:1; metadata:created_at 2021_10_18, former_category INFO, updated_at 2021_10_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible BlackByte Ransomware Encryption Key Inbound (fake .png)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:!"|89 50 4E 47 0D 0A 1A 0A|"; startswith; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; flowbits:isset,ET.httpget.png; classtype:command-and-control; sid:2034213; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, malware_family BlackByte, signature_severity Major, tag Ransomware, updated_at 2021_10_19;)
-
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (IcedID CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=*.feedbackfileweb.club"; fast_pattern; classtype:domain-c2; sid:2034214; rev:1; metadata:attack_target Client_and_Server, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_18;)
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (IcedID CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=*.iserunifish.club"; fast_pattern; classtype:domain-c2; sid:2034215; rev:1; metadata:attack_target Client_and_Server, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_18;)
@@ -64466,9 +64210,11 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Gr
 
 alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] 445 (msg:"ET MALWARE [CISA AA21-291A] Possible BlackMatter Ransomware Lateral Movement"; content:"|01 00 00 00 00 00 05 00 01 00|"; content:"|2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00|"; distance:100; fast_pattern; detection_filter:track by_src, count 4, seconds 1; classtype:command-and-control; sid:2034225; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_19, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family BlackMatter, signature_severity Major, tag Ransomware, updated_at 2021_10_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Observed Malicious SSL/TLS Certificate (MagnitudeEK Associated)"; flow:from_server,established; tls.cert_subject; content:"CN=swissarny.store"; fast_pattern; classtype:exploit-kit; sid:2034226; rev:1; metadata:created_at 2021_10_19, former_category TROJAN, updated_at 2021_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible BlackByte Ransomware Encryption Key Inbound (fake .png)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:!"|89 50 4E 47 0D 0A 1A 0A|"; startswith; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; flowbits:isset,ET.httpget.png; classtype:command-and-control; sid:2034213; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, malware_family BlackByte, signature_severity Major, tag Ransomware, updated_at 2021_10_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Observed Malicious SSL/TLS Certificate (MagnitudeEK Associated)"; flow:from_server,established; tls.cert_subject; content:"CN=rtpdn14.com"; fast_pattern; classtype:exploit-kit; sid:2034227; rev:1; metadata:created_at 2021_10_19, former_category TROJAN, updated_at 2021_10_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (MagnitudeEK Associated)"; flow:from_server,established; tls.cert_subject; content:"CN=swissarny.store"; fast_pattern; classtype:domain-c2; sid:2034226; rev:1; metadata:attack_target Client_and_Server, created_at 2021_10_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (MagnitudeEK Associated)"; flow:from_server,established; tls.cert_subject; content:"CN=rtpdn14.com"; fast_pattern; classtype:domain-c2; sid:2034227; rev:1; metadata:attack_target Client_and_Server, created_at 2021_10_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Wireless IP Camera (P2) WIFICAM Remote Code Execution"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/set_ftp.cgi?"; fast_pattern; content:"loginuse="; content:"next_url=ftp.htm"; content:"loginpas="; reference:url,pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html; classtype:attempted-admin; sid:2030309; rev:4; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, updated_at 2021_10_19;)
 
@@ -64584,8 +64330,6 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE CloudAtlas APT Related CnC D
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CloudAtlas APT Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dotm"; endswith; http.host; content:"checklicensekey.com"; fast_pattern; bsize:19; reference:url,twitter.com/h2jazi/status/1453748348964548617; reference:md5,1060678d61ea5152283be60df2472b6f; classtype:trojan-activity; sid:2034284; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sabsik Config Downloader"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_body; content:"|24|url|3d 22|http|3a 2f 2f|"; startswith; content:"|2e|txt|22 3b 0d 0a 24|web|20 3d 20|New|2d|Object|20|System|2e|Net|2e|WebClient|3b|"; distance:0; within:63; fast_pattern;  reference:md5,49eb944fb7f86a9d6649c6a190c782e8; classtype:trojan-activity; sid:2034288; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_28;)
-
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DonotGroup Maldoc Related Domain (digitalresolve .live in TLS SNI)"; flow:established,to_server; tls.sni; content:"digitalresolve.live"; bsize:19; fast_pattern; reference:url,twitter.com/h2jazi/status/1453763622593826825; reference:md5,c531319309db1a034936e245f6414959; reference:url,twitter.com/HONKONE_K/status/1453659791625056261; classtype:domain-c2; sid:2034285; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category MALWARE, malware_family Maldoc, malware_family DonotGroup, signature_severity Major, updated_at 2021_10_28;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Maldoc Related Domain in DNS Lookup (digitalresolve .live)"; dns.query; content:"digitalresolve.live"; nocase; bsize:19; reference:url,twitter.com/h2jazi/status/1453763622593826825; reference:md5,c531319309db1a034936e245f6414959; reference:url,twitter.com/HONKONE_K/status/1453659791625056261; classtype:domain-c2; sid:2034286; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category MALWARE, malware_family Maldoc, malware_family DonotGroup, signature_severity Major, updated_at 2021_10_28;)
@@ -64620,8 +64364,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HNB
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HNBU CryptoMiner - Report Request"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//report.php"; endswith; http.header; content:"IPINFO|3a 20 7b 22|status|22 3a 22|"; fast_pattern; http.header_names; content:"|0d 0a|UN|0d 0a|MN|0d 0a|"; reference:md5,c81af89afb924196c0a9f50bce4df130; classtype:command-and-control; sid:2034300; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fake Google Chrome Notifications Installer"; flow:established,to_client; http.response_body; content:"|28|function|20 28 29|"; startswith; content:"callbackName|3a 20 27|onSubInit|27|"; distance:0; content:"workerName|3a 20 27|"; distance:0; content:"serverUrl|3a 20 27|"; distance:0; content:"applicationServerKey|3a 20|"; distance:0; content:"cookieNameS|3a 20 27|notify|2d|p|27|"; fast_pattern; distance:0;  reference:url,rapid7.com/blog/post/2021/10/28/sneaking-through-windows-infostealer-malware-masquerades-as-windows-application; reference:md5,45602bfa86ee9a5e31758a24a0d5cd08; classtype:trojan-activity; sid:2034307; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_29;)
-
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Small.NO Checkin"; flow:established,to_server; stream_size:server,<,5; dsize:76; content:"MB|00 00|"; offset:32; depth:9; content:"|32 2e 32 d5 fd ca bd b0 e6 00 00 00|"; endswith; fast_pattern; reference:md5,e09e70ae301e0816355ad0bfa0ab8707; classtype:command-and-control; sid:2034301; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_29;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SecureDriverUpdater Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/driverupdateservicenewsdu/updateservice.asmx"; bsize:45; http.header; content:"SOAPAction|3a 20 22|http://systweak.com/GetDriverUpdatesData1|22 0d 0a|"; fast_pattern; reference:md5,783aef84f5b315704ff6b064a00e2573; classtype:pup-activity; sid:2034295; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_10_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
@@ -64668,8 +64410,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Credential P
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Payment Credential Phish Form"; flow:established,to_client; http.stat_code; content: "200"; file.data; content:"Internal Revenue Service"; nocase; distance:0; content:".php"; distance:0; content:"name|3d 22|amount|22 20|value|3d 22 22|"; fast_pattern; distance:0; content:"id|3d 22|edit|2d|submit|2d|pup|2d|efile|2d|provider|2d|search|22|"; distance:0; reference:md5,55d8e8f74231e50c479d11683c7ab889; classtype:credential-theft; sid:2034326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible MalDoc Retrieving Payload 2021-11-01"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dat"; endswith; pcre:"/\/(?:[0-9]{2,8}\.)?[0-9]{4,16}\.dat$/U"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.2|3b 20|WOW64|3b 20|Trident/8.0|3b 20|.NET4.0C|3b 20|.NET4.0E|3b 20|.NET|20|CLR|20|2.0.50727|3b 20|.NET|20|CLR|20|3.0.30729|3b 20|.NET|20|CLR|20|3.5.30729|3b 20|InfoPath.3)"; fast_pattern; bsize:162; http.header_names; content:!"Referer";  reference:md5,8eb1525db6bdadce7dae53b15f544bd2; classtype:trojan-activity; sid:2034464; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_02;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA450 Nagual CnC Activity"; flow:established,to_server; urilen:<50; http.method; content:"POST"; http.uri; pcre:"/^\/[a-z]+/"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header; content:"CharSet|3a 20|UTF-8|0d 0a|"; fast_pattern; http.request_body; content:"vl="; startswith; pcre:"/^[0-9D]+$/R"; reference:md5,b0ab12a5a4c232c902cdeba421872c37; classtype:command-and-control; sid:2034325; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_02, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag TA450, updated_at 2021_11_02;)
 
 #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Windows VBScript Engine VbsErase Memory Corruption (CVE-2019-0667)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<script"; content:"Class|20|"; pcre:"/^(?P<class>[A-Z0-9_-]{1,20})\s*.*?(?P<var>[A-Z0-9_-]{1,15})\s*=\s*(?:&amp\x3b|0x|\\x|&?h)*\d{8}\s*.*?(?:ReDim|Dim)\s*(?P=var)\(\d{4,20}\).*?set\s*(?P=var)\(\d+\)\s*=\s*new\s*(?P=class).*?Erase\s*(?P=var).*?Erase\s*(?P=var)/Rsi"; content:"Erase|20|"; fast_pattern; content:"Dim|20|"; reference:cve,2019-0667; classtype:attempted-admin; sid:2033733; rev:4; metadata:attack_target Server, created_at 2021_08_13, cve CVE_2019_0667, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_03;)
@@ -64678,10 +64418,6 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Suspicious PHP
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Suspicious PHP UNZIP Tool Accessed on Internal Possibly Compromised Server"; flow:established,to_client; file.data; content:"<head><title>PHP UnZIP"; nocase; fast_pattern; content:"<div class=|22|header|22|>PHP UnZIP!!!</div>"; classtype:web-application-attack; sid:2034337; rev:1; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2021_11_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downloaded .bat Disables Windows Defender"; flow:established,to_client; http.content_type; content:"application/x-msdos-program"; file.data; content:"@echo off"; startswith; content:"reg|20|delete|20 22|HKLM|5c|Software|5c|Policies|5c|Microsoft|5c|Windows|20|Defender|22 20 2f|f"; distance:0; fast_pattern;  classtype:trojan-activity; sid:2034338; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downloaded .bat Disables Real Time Monitoring"; flow:established,to_client; http.content_type; content:"application/x-msdos-program"; file.data; content:"@echo off"; startswith; content:"powershell.exe Set-MpPreference -DisableRealtimeMonitoring|20 24|true"; within:66; fast_pattern;  classtype:trojan-activity; sid:2034339; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
-
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-59 Related Domain in DNS Lookup"; dns.query; content:"itoxtlthpw.com"; nocase; bsize:14; reference:url,otx.alienvault.com/pulse/61811ddc259f23fdd630e196; classtype:domain-c2; sid:2034334; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category MALWARE, malware_family apt_c_59, signature_severity Major, updated_at 2021_11_03;)
 
 alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers"; flow:established,to_server; http.header; content:"|28 29 20 7b|"; fast_pattern; content:"bash|20 2d|c"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019232; rev:7; metadata:created_at 2014_09_25, updated_at 2021_11_03;)
@@ -64716,14 +64452,10 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Datoploader Activ
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi/BlackNet Checkin"; flow:established,to_server; urilen:100<>325; http.method; content:"GET"; http.uri; content:".php?"; fast_pattern; content:!"?key="; content:!"?token="; content:!"/index.php"; content:!"act=bkw9"; nocase; content:!"?data="; pcre:"/^\/[a-z]{3,10}\.php\?[a-z]{3,10}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:!"DriverUpdate"; http.host; content:!"remocam.com"; content:!"desktopad.com"; content:!"mydlink.com"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,cd2d9c7bd5de6d12718785f495ce1bb4; reference:url,csis.dk/en/csis/news/4472/; classtype:command-and-control; sid:2019378; rev:16; metadata:created_at 2014_10_09, former_category MALWARE, updated_at 2021_11_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/LNK/Agent.GX Javascript Downloader M1"; flow:established,to_client; http.content_type; content:"application/octet-stream"; file.data; content:"|3c|script language|3d 22|javascript|22 3e|"; startswith; content:"GetObject|28 22|winmgmts|3a 22 2b 22 7b|impersonationLevel=impersonate|7d 22 2b 22|"; fast_pattern; distance:0; content:"ExecQuery|28 22|Select|20 2a 20 22 2b 22|from|20 22 2b 22|Win32|5f 22 2b 22|Process|22 29 3b|"; distance:0;  reference:md5,4b9eb054d9f7f5dd8c23cc1d7312013c; classtype:trojan-activity; sid:2034359; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Citibank Phish 2021-11-10"; flow:established,to_server; flowbits:isset,ET.genericphish; http.uri; content:"/citi/"; nocase; fast_pattern; content:".php"; distance:0; http.host; content:".otzo.com"; distance:0; reference:md5,52f9a1141716b47fba9fdbb94f7ddb31; classtype:credential-theft; sid:2034411; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
 alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious Cobalt Strike SSL Certificate (cloudflace-network .digital)"; flow:established,to_client; tls.cert_subject; content:"CN=cloudflace-network.digital"; bsize:29; fast_pattern; reference:url,www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/; classtype:domain-c2; sid:2034356; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_11_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/LNK/Agent.GX Javascript Downloader M2"; flow:established,to_client; http.content_type; content:"application/octet-stream"; file.data; content:"|3c|script language|3d 22|javascript|22 3e|"; startswith; content:"|3d 22|Explore|22 3b|"; distance:0; content:"|22|W|22 2b 22|scr"; distance:0; content:"|2b 22|ipt|22 2b 22 2e|S|22 3b|"; distance:0; content:"|3d 22|aHR0cHM6Ly9kb2NzLmdvb2dsZS5jb20vc3ByZWFkc2hlZXRzL2Qv"; distance:0; fast_pattern;  reference:md5,4b9eb054d9f7f5dd8c23cc1d7312013c; classtype:trojan-activity; sid:2034360; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Citibank Phish Landing Page"; flow:established,to_client; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; file.data; content:"<title>Citibank Online</title>"; nocase; content:"form|20|name|3d 22|undefined|22|"; fast_pattern; distance:0; content:"|2e|php|3f|sessionid"; distance:0; content:"|26|sslchannel|3d|true|22 20|method|3d 22|POST|22|"; distance:0; reference:md5,52f9a1141716b47fba9fdbb94f7ddb31; classtype:credential-theft; sid:2034397; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_09;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Domain in TLS SNI (stackpatc-technologies .digital)"; flow:established,to_server; tls.sni; content:"stackpatc-technologies.digital"; bsize:30; fast_pattern; reference:url,www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009; classtype:domain-c2; sid:2034357; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_11_08;)
@@ -64746,8 +64478,6 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain
 
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine AdSelfService Plus - Possible Code Execution via openSSLTool (CVE-2021-40539)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/RestAPI/Connection"; http.request_body; content:"methodToCall=openSSLTool"; nocase; content:"+-providerclass"; fast_pattern; content:"+-providerpath"; reference:url,www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html; reference:cve,2021-40539; classtype:attempted-admin; sid:2034365; rev:1; metadata:attack_target Server, created_at 2021_11_09, cve CVE_2021_40539, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downloaded Script Disables Firewall/Antivirus"; flow:established,to_client; http.content_type; content:"text/plain"; file.data; content:"|22|C:|5c|Windows|5c|debug|5c|m|5c|winlogon.exe|22|"; content:"netsh advfirewall set allprofiles state off"; within:45; fast_pattern; content:"name like |27 25|Eset|25 27 22| call uninstall /nointeractive";  reference:md5,fcfc0feed527d188d6b2ed3445758511; classtype:trojan-activity; sid:2034395; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
-
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible MovableTypePoC RCE Inbound (CVE-2021-20837)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"mt-xmlrpc.cgi"; fast_pattern; http.request_body; content:"<?"; content:"<base64>"; distance:0; base64_decode:offset 0,relative; base64_data; content:"|60|"; startswith; reference:cve,2021-20837; classtype:attempted-admin; sid:2034366; rev:1; metadata:attack_target Server, created_at 2021_11_09, cve CVE_2021_20837, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_09;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SiameseKitten/Lyceum/Hexane MSIL/Shark CnC Activity (Beacon)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"s6rt&qi="; fast_pattern; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:command-and-control; sid:2034367; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, malware_family Shark, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
@@ -64840,7 +64570,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jasper URI Path O
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jasper URI Path Observed M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; startswith; content:"/mx_jscript.php"; distance:3; within:15; endswith; fast_pattern; reference:url,twitter.com/c_APT_ure/status/1458388621317246977; classtype:command-and-control; sid:2034428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family JasperLoader, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (Jasper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=uaic.nl"; fast_pattern; reference:url,twitter.com/c_APT_ure/status/1458388621317246977; classtype:domain-c2; sid:2034429; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family JasperLoader, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (Jasper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=uaic.nl"; fast_pattern; reference:url,twitter.com/c_APT_ure/status/1458388621317246977; classtype:domain-c2; sid:2034429; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family JasperLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_11_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M14"; flow:established,to_client; content:"|cb 79 32 bd|"; depth:4; fast_pattern; content:"|30 8e c5|"; distance:1; within:3; flowbits:isset,ET.Parallax-14; reference:md5,4ffdb788b7971827509fe2e3ccadbae2; classtype:command-and-control; sid:2032527; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_07, deployment Perimeter, former_category MALWARE, malware_family Parallax, performance_impact Low, signature_severity Major, updated_at 2021_11_22;)
 
@@ -64852,40 +64582,16 @@ alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Res
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Parallax CnC Activity (set) M15"; flow:established,to_server; content:"|ed 69 e6 bd|"; startswith; fast_pattern; content:"|fb 5f 07|"; distance:1; within:3; flowbits:set,ET.Parallax-15; flowbits:noalert; reference:md5,bf815840ff00a0c3ba04d47cc2d158ee; classtype:command-and-control; sid:2034430; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family Parallax, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 30003 (msg:"ET MALWARE Possible NGLite Backdoor C2 Traffic (NKN)"; flow:established,to_server; http.request_line; content:"POST|20|/|20|HTTP/1.1"; http.host.raw; content:"seed.nkn.org|3a|"; startswith; fast_pattern; http.user_agent; content:"Go-http-client/"; startswith; http.request_body; content:"|22|address|22 3a|"; content:"|2e|monitor_03|2e|"; within:20;  reference:url,unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/; reference:md5,aedebba95462e9db10b834551e3abc03; classtype:command-and-control; sid:2034438; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family NGLite, signature_severity Major, tag c2, updated_at 2021_11_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
-
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity Domain (lurkingnet .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"lurkingnet.com"; bsize:14; fast_pattern; classtype:domain-c2; sid:2034434; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity Domain (autoconfirmations .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"autoconfirmations.com"; bsize:21; fast_pattern; classtype:domain-c2; sid:2034435; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity Domain (singlefunctionapp .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"singlefunctionapp.com"; bsize:21; fast_pattern; classtype:domain-c2; sid:2034436; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=|29 2a 28|"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034437; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_11;)
-
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M16"; flow:established,to_client; content:"|a0 cd 78 e6|"; startswith; fast_pattern; content:"|ff fc 36|"; distance:1; within:3; flowbits:isset,ET.Parallax-16; reference:md5,36439a5f029df1777b51a34bd454b9d2; classtype:command-and-control; sid:2034433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family Parallax, signature_severity Major, updated_at 2021_11_11;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Compromised  Domain (cryptoarenastore .com in TLS SNI) (2021-11-12)"; flow:established,to_server; tls.sni; dotprefix; content:".cryptoarenastore.com"; endswith; fast_pattern; reference:md5,4965ac0316d652fe5026b4b92d563672; classtype:trojan-activity; sid:2034441; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M1"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Application"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034442; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M2"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Name"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034443; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M3"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Email"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034444; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M4"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Server"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034445; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M5"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Secured"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034446; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M6"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Type"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034447; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M7"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=User"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034448; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M8"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Password"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034449; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M9"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=SMTP"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034450; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M10"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=|2f 2a 5c|"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034451; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
-
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"|2e|cmd|7b|background|2d|color|3a 23|000|3b|color|3a 23|FFF"; content:"|3c|input|20|name|3d 27|postpass|27 20|type|3d 27|password|27 20|size|3d 27|22|27 3e 20 3c|input|20|type|3d 27|submit|27 20|value|3d|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2034439; rev:1; metadata:attack_target Server, created_at 2021_11_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag WebShell, updated_at 2021_11_12, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
 alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"|2e|cmd|7b|background|2d|color|3a 23|000|3b|color|3a 23|FFF"; content:"|3c|input|20|name|3d 27|postpass|27 20|type|3d 27|password|27 20|size|3d 27|22|27 3e 20 3c|input|20|type|3d 27|submit|27 20|value|3d|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2034440; rev:1; metadata:attack_target Server, created_at 2021_11_12, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_11_12, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
@@ -64906,10 +64612,6 @@ alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to DynDNS
 
 alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to DynDNS Domain (linkpc .net)"; dns.query; content:".linkpc.net"; nocase; endswith; content:!"www.linkpc.net"; classtype:bad-unknown; sid:2034458; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_11_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_11_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Ultimate POS 4.4 Cross-Site Scripting (XSS) - Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/products"; startswith; http.content_type; content:"multipart/form-data"; startswith; http.cookie; content:"ultimate_pos_session=eyJpdiI6Il"; startswith; fast_pattern; content:"SIsInZhbHVlIjoi"; distance:30; within:20; content:"_token=null&name="; distance:0; content:"|22 3e 3c|iframe src="; distance:0; content:"submit_type=submit"; endswith;  reference:url,exploit-db.com/exploits/50492; classtype:attempted-admin; sid:2034481; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_11_15, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_11_16;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ultimate POS 4.4 Cross-Site Scripting (XSS) - Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/products"; startswith; http.content_type; content:"multipart/form-data"; startswith; http.cookie; content:"ultimate_pos_session=eyJpdiI6Il"; startswith; fast_pattern; content:"SIsInZhbHVlIjoi"; distance:30; within:20; content:"_token=null&name="; distance:0; content:"|22 3e 3c|iframe src="; distance:0; content:"submit_type=submit"; endswith;  reference:url,exploit-db.com/exploits/50492; classtype:attempted-admin; sid:2034482; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_11_15, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_11_16;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Emotet CnC Beacon 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"."; content:!"&"; content:!"-"; http.header_names; content:"|0d 0a|Cookie|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; fast_pattern; http.header; content:"|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Cache-Control|3a 20|no-cache|0d 0a|"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.cookie; bsize:>250; pcre:"/^[A-Za-z0-9]{1,15}=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/i"; reference:md5,bc3532085a0b4febd9eed51aac2180d0; classtype:command-and-control; sid:2034459; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_15, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2021_11_15;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (awsmcafee .com)"; dns.query; content:"awsmcafee.com"; nocase; bsize:13; reference:md5,a8e97752bb385cc263d89350518633c2; reference:url,twitter.com/fr0s7_/status/1458150977278726147; classtype:domain-c2; sid:2034462; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
@@ -64920,7 +64622,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Farfli.CUY K
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matanbuchus Loader CnC M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"=eyIzQ0VrIjoi"; fast_pattern; pcre:"/(?:IiwiM2ZlMTEiOi|IsIjNmZTExIjoi|iLCIzZmUxMSI6I)/R"; reference:url,twitter.com/fr0s7_/status/1458823504925798408; classtype:command-and-control; sid:2034466; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, malware_family Matanbuchus, signature_severity Major, updated_at 2021_11_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matanbuchus Loader CnC M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"=eyIzbTd4Ijoi"; fast_pattern; pcre:"/(?:IiwiYXU1byI6I|IsImF1NW8iOi|iLCJhdTVvIjoi)/R"; threshold:type limit, track by_src, count 1, seconds 120; reference:url,twitter.com/fr0s7_/status/1458823504925798408; classtype:trojan-activity; sid:2034469; rev:1; metadata:created_at 2021_11_16, updated_at 2021_11_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matanbuchus Loader CnC M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"=eyIzbTd4Ijoi"; fast_pattern; pcre:"/(?:IiwiYXU1byI6I|IsImF1NW8iOi|iLCJhdTVvIjoi)/R"; threshold:type limit, track by_src, count 1, seconds 120; reference:url,twitter.com/fr0s7_/status/1458823504925798408; classtype:trojan-activity; sid:2034469; rev:1; metadata:created_at 2021_11_16, updated_at 2022_05_03;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Matanbuchus Loader Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_len; byte_test:0,<,100,0,string,dec; http.response_body; content:"eyJoc3pBIjoi"; startswith; fast_pattern; pcre:"/(?:ifQ==|In0=|J9)$/"; threshold:type limit, track by_src, count 1, seconds 120; reference:url,twitter.com/fr0s7_/status/1458823504925798408; classtype:command-and-control; sid:2034470; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, malware_family Matanbuchus, signature_severity Major, updated_at 2021_11_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
@@ -64942,25 +64644,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Danabot Associated Activity (GET)"; flow:established,to_server; http.request_line; content:"GET / HTTP/1.1"; http.user_agent; content:"Power Off"; bsize:9; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/spike-danabot-malware-activity; classtype:trojan-activity; sid:2034471; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_16;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Guangzhou 1GE ONU OS Command Execution (CVE-2020-8958)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"boaform/admin/formPing"; endswith; fast_pattern; http.request_body; content:"target_addr=%3B"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33;  reference:url,www.karansaini.com/os-command-injection-v-sol/; reference:cve,2020-8958; classtype:attempted-admin; sid:2034488; rev:2; metadata:attack_target Server, created_at 2021_11_17, cve CVE_2020_8958, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET 26800 (msg:"ET MALWARE ABCbot CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/postip"; bsize:11; http.header_names; content:!"Referer"; http.connection; content:"close"; http.content_type; content:"application/x-www-form-url encoded"; http.request_body; content:"OS|3a 20|"; startswith; content:"CPU:"; distance:0; content:"os-name:"; fast_pattern; distance:0; content:"lanip:"; distance:0;  reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034483; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
-
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW VARIABLES SQL Injection Attempt in URI"; flow:established,to_server; http.uri; content:"SHOW"; nocase; content:"VARIABLES"; nocase; distance:0; content:!"twitter.com"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.1/en/server-system-variables.html; reference:url,doc.emergingthreats.net/2010965; classtype:web-application-attack; sid:2010965; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2021_11_17;)
-
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Tenda OS Command Injection (CVE-2020-10987) (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"goform/setUsbUnload"; nocase; fast_pattern; content:"deviceName="; nocase; distance:0; content:"tmp"; distance:0; content:"wget"; distance:0;  reference:url,cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits; reference:cve,2020-10987; classtype:attempted-admin; sid:2034489; rev:1; metadata:attack_target Server, created_at 2021_11_17, cve CVE_2020_10987, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_17;)
-
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Tenda OS Command Injection (CVE-2020-10987) (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"goform/setUsbUnload"; endswith; nocase; fast_pattern; http.request_body; content:"deviceName="; nocase;  reference:url,blog.securityevaluators.com/tenda-ac1900-vulnerabilities-discovered-and-exploited-e8e26aa0bc68; reference:cve,2020-10987; classtype:attempted-admin; sid:2034490; rev:1; metadata:attack_target Server, created_at 2021_11_17, cve CVE_2020_10987, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_17;)
-
-alert http $EXTERNAL_NET 26800 -> $HOME_NET any (msg:"ET MALWARE ABCbot CnC Instruction (stop)"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_line; content:"HTTP/1.0 200 OK"; http.header; content:"Connection|3a 20|close"; http.response_body; content:"73746f707d1|7c|"; fast_pattern; startswith;  reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034479; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
-
-alert http $EXTERNAL_NET 26800 -> $HOME_NET any (msg:"ET MALWARE ABCbot CnC Instruction (syn)"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_line; content:"HTTP/1.0 200 OK"; http.header; content:"Connection|3a 20|close"; http.response_body; content:"73796e|7c|"; fast_pattern; startswith;  reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034484; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_17;)
-
-alert http $EXTERNAL_NET 26800 -> $HOME_NET any (msg:"ET MALWARE ABCbot CnC Instruction (dns)"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_line; content:"HTTP/1.0 200 OK"; http.header; content:"Connection|3a 20|close"; http.response_body; content:"646e73|7c|"; fast_pattern; startswith;  reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034485; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2021_11_17;)
-
-alert http $EXTERNAL_NET 26800 -> $HOME_NET any (msg:"ET MALWARE ABCbot CnC Instruction (bigudp)"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_line; content:"HTTP/1.0 200 OK"; http.header; content:"Connection|3a 20|close"; http.response_body; content:"626967756470|7c|"; fast_pattern; startswith;  reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034486; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_17;)
-
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Kaseya VSA ManagedITSync SQL Injection (CVE-2017-18362)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"KaseyaCwWebService/ManagedIT.asmx"; nocase; fast_pattern; http.request_body; content:"|27|"; pcre:"/^(?:CREATE|SELECT|INSERT|UPDATE|EXEC)/Ri";  reference:url,github.com/kbni/owlky/blob/master/owlky.py; reference:cve,2017-18362; classtype:attempted-admin; sid:2034492; rev:1; metadata:created_at 2021_11_17, cve CVE_2017_18362, updated_at 2021_11_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW VARIABLES SQL Injection Attempt in URI"; flow:established,to_server; http.uri; content:"SHOW"; nocase; content:"VARIABLES"; nocase; distance:0; content:!"twitter.com"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.1/en/server-system-variables.html; reference:url,doc.emergingthreats.net/2010965; classtype:web-application-attack; sid:2010965; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
 
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/HNAP1/"; nocase; http.header; content:"SOAPAction|3a 20 22|http|3a 2f 2f|purenetworks|2e|com|2f|HNAP1|2f|GetDeviceSettings|2f 60|"; fast_pattern; reference:url,www.exploit-db.com/exploits/37171; reference:cve,2015-2051; classtype:attempted-admin; sid:2034491; rev:2; metadata:created_at 2021_11_17, cve CVE_2015_2051, updated_at 2021_11_17;)
 
@@ -65006,7 +64690,7 @@ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT .NET Framework Re
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT .NET Framework Remote Code Execution Injection (CVE-2020-1147)"; flow:established,to_server; http.method; content:"POST"; http.uri; http.request_body; content:"__SUGGESTIONSCACHE__"; fast_pattern; content:"<DataSet"; nocase; distance:0; content:"System.Data.Services.Internal.ExpandedWrapper"; nocase; distance:0; reference:url,srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html; reference:cve,2020-1147; classtype:attempted-admin; sid:2034510; rev:1; metadata:created_at 2021_11_18, cve CVE_2020_1147, updated_at 2021_11_18;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible TerraMaster TOS RCE Inbound (CVE-2020-28188 CVE-2020-35665)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/makecvs.php?Event="; fast_pattern; pcre:"/(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; http.uri.raw; content:"%20"; reference:url,research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/; reference:cve,2020-28188; reference:cve,2020-35665; classtype:attempted-admin; sid:2031535; rev:3; metadata:attack_target Server, created_at 2021_01_21, cve CVE_2020_28188, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_11_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible TerraMaster TOS RCE Inbound (CVE-2020-28188 CVE-2020-35665)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/makecvs.php?Event="; fast_pattern; pcre:"/(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; http.uri.raw; content:"%20"; reference:url,research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/; reference:cve,2020-28188; reference:cve,2020-35665; classtype:attempted-admin; sid:2031535; rev:3; metadata:attack_target Server, created_at 2021_01_21, cve CVE_2020_28188, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Burp Collaborator Domain in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".burpcollaborator.net"; endswith; fast_pattern; classtype:policy-violation; sid:2034506; rev:2; metadata:created_at 2021_11_18, former_category POLICY, updated_at 2022_03_16;)
 
@@ -65112,14 +64796,6 @@ alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to Commonl
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity Sending Windows Information (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/info.php?"; startswith; content:"=C|3a 5c|Program"; fast_pattern; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; http.request_body; content:"v="; startswith; content:"|20|svchost.exe|20|"; content:"&r="; reference:md5,40de99fb06e52e3364f2cd70f100ff71; reference:url,twitter.com/h2jazi/status/1465402736996933640; classtype:trojan-activity; sid:2034560; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinotto CnC Activity (hello)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"type=hello"; fast_pattern; content:"&direction="; pcre:"/^(send|receive)/R"; content:"id="; http.header_names; content:!"Referer";  reference:md5,55afe67b0cd4a01f3a9a6621c26b1a49; reference:url,securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/; classtype:trojan-activity; sid:2034562; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinotto CnC Activity (command)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"type=command"; fast_pattern; content:"&direction="; pcre:"/^(send|receive)/R"; content:"id="; http.header_names; content:!"Referer";  reference:md5,55afe67b0cd4a01f3a9a6621c26b1a49; reference:url,securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/; classtype:trojan-activity; sid:2034563; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinotto CnC Activity (result)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"type=result"; fast_pattern; content:"&direction="; pcre:"/^(send|receive)/R"; content:"id="; http.header_names; content:!"Referer";  reference:md5,55afe67b0cd4a01f3a9a6621c26b1a49; reference:url,securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/; classtype:trojan-activity; sid:2034564; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinotto CnC Activity (file)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"type=file"; fast_pattern; content:"&direction="; pcre:"/^(send|receive)/R"; content:"id="; http.header_names; content:!"Referer";  reference:md5,55afe67b0cd4a01f3a9a6621c26b1a49; reference:url,securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/; classtype:trojan-activity; sid:2034565; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, malware_family Chinotto, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
-
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server SSRF (CVE-2021-40438)"; flow:established,to_server; urilen:>200; http.method; content:"GET"; http.uri; content:"/?unix|3a|"; nocase; fast_pattern; content:"|7c|http"; reference:cve,2021-40438; classtype:attempted-admin; sid:2034566; rev:2; metadata:attack_target Server, created_at 2021_11_30, cve CVE_2021_40438, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_30;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.DarkVNC Variant Checkin"; flow:established,to_server; stream_size:server,<,5; content:"|4a 01 4f 97 00 1c 84 df cd 3f 1f eb 14 28 b1 ba fa 0e 7e de 22 e0 33 cb a5 8c 23 75 ea e4 e4 3e|"; startswith; fast_pattern; reference:md5,1e081d3f09f24a81194327628a25c214; reference:url,www.malware-traffic-analysis.net/2021/11/05/index.html; classtype:command-and-control; sid:2034557; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
@@ -65132,10 +64808,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NetSupport GeoLoca
 
 alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to Commonly Abused Preview Domain (preview-domain .com)"; dns.query; dotprefix; content:".preview-domain.com"; nocase; endswith; classtype:bad-unknown; sid:2034561; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_11_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyAgent C&C Activity (Request)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"update.php?id="; fast_pattern; pcre:"/^[0-9]{9}/R"; content:"&stat="; pcre:"/^[0-9a-zA-Z]{32}/R"; http.connection; content:"Keep-Alive"; bsize:10; http.header_names; content:!"Referer|0d 0a|";  reference:url,trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html; classtype:command-and-control; sid:2034573; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_01;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY curl User-Agent Outbound"; flow:established,to_server; http.user_agent; content:"curl/"; nocase; startswith;  reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013028; rev:6; metadata:created_at 2011_06_14, updated_at 2021_12_01;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING curl User-Agent to Dotted Quad"; flow:established,to_server; http.user_agent; content:"curl/"; startswith; nocase; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; classtype:bad-unknown; sid:2034567; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_12_01;)
 
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Edgewater Networks Edgemarc Blind Command Injection Attempt (CVE-2017-6079)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/config?page=50&form=mainForm"; nocase; fast_pattern; reference:url,github.com/MostafaSoliman/CVE-2017-6079-Blind-Command-Injection-In-Edgewater-Edgemarc-Devices-Exploit/blob/master/CVE-2017-6079.py; reference:cve,2017-6079; classtype:attempted-admin; sid:2034575; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_12_01, cve CVE_2017_6079, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_01;)
@@ -65150,9 +64822,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sequence/"; startswith; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,6cc602c79e906a64af6c30581ca77906; reference:url,blog.talosintelligence.com/2021/02/gamaredonactivities.html; classtype:trojan-activity; sid:2034572; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_12_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SpyAgent C&C Activity (Response)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|21|lexec|3b|http"; startswith; fast_pattern; content:"|2e|exe"; endswith;  reference:md5,fbfd9afac42ae8e86193a8e4be085eaf; reference:url,trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html; classtype:command-and-control; sid:2034574; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_01;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matanbuchus Loader CnC M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"Windows-AzureAD-Authentication-Provider/"; startswith; fast_pattern; threshold:type limit, track by_src, count 1, seconds 120; reference:url,twitter.com/fr0s7_/status/1458823504925798408; classtype:command-and-control; sid:2034467; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, malware_family Matanbuchus, signature_severity Major, updated_at 2021_12_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matanbuchus Loader CnC M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"Windows-AzureAD-Authentication-Provider/"; startswith; fast_pattern; threshold:type limit, track by_src, count 1, seconds 120; reference:url,twitter.com/fr0s7_/status/1458823504925798408; classtype:command-and-control; sid:2034467; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, malware_family Matanbuchus, signature_severity Major, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Terse Request for .txt - Likely Hostile"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".txt"; endswith; bsize:6; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2034581; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_03, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_12_03;)
 
@@ -65170,6 +64840,8 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AgentTesla Commun
 
 #alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET DELETED Possible WebShell Access Inbound [upload] M3 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&act=upload"; fast_pattern; content:"&path="; content:"?context="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034011; rev:2; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_12_03, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET DELETED Possible WebShell Access Inbound [exec] M2 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&act=exec"; fast_pattern; content:"?newid="; content:"&pwd="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034007; rev:2; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_12_03, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
+
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware vCenter Unauthorized File Read Inbound"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vcav-"; fast_pattern; content:"?url=file|3a|"; classtype:attempted-admin; sid:2034582; rev:1; metadata:attack_target Server, created_at 2021_12_05, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_05;)
 
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware vCenter SSRF Inbound"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vcav-"; fast_pattern; content:"?url=http"; classtype:attempted-admin; sid:2034583; rev:1; metadata:attack_target Server, created_at 2021_12_05, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_05;)
@@ -65262,8 +64934,6 @@ alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Gymdrop Dropp
 
 alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS-Officecmd Remote Code Execution Attempt"; flow:established,to_client; file.data; content:"ms-officecmd|3a|"; nocase; content:"LaunchOfficeAppForResult"; nocase; distance:0; fast_pattern; content:"filename"; nocase; distance:0; content:"|2d 2d|gpu|2d|launcher|3d|"; nocase; distance:0; reference:url,positive.security/blog/ms-officecmd-rce; classtype:attempted-user; sid:2034627; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Suspicious Response (MS-Officecmd)"; flow:established,to_client; http.response_body; content:"ms-officecmd|3a|"; nocase; content:"LaunchOfficeAppForResult"; nocase; distance:0; fast_pattern;  reference:url,positive.security/blog/ms-officecmd-rce; classtype:attempted-admin; sid:2034628; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_12_07;)
-
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (multifuctionscanner .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"multifuctionscanner.club"; isdataat:!1,relative; nocase; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:trojan-activity; sid:2034600; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Gymdrop Dropper (onlinefitnessanalysis .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"onlinefitnessanalysis.com"; isdataat:!1,relative; nocase; classtype:command-and-control; sid:2034601; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
@@ -65282,8 +64952,6 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO webhook .site in TLS
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Hikvision IP Camera RCE Attempt (CVE-2021-36260)"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"/SDK/webLanguage"; bsize:16; fast_pattern; http.request_body; content:"|3c|language|3e|"; nocase; pcre:"/(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; reference:url,github.com/mcw0/PoC/blob/master/CVE-2021-36260.py; reference:url,watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html; reference:url,www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability; reference:cve,2021-36260; classtype:attempted-admin; sid:2034630; rev:2; metadata:affected_product IP_Camera, attack_target Networking_Equipment, created_at 2021_12_08, cve CVE_2021_36260, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_12_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request (Likely Pentester CnC)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pentest-macro?computer=c_"; fast_pattern;  reference:md5,f7ddcef3607b41c593284dde397e35b8; classtype:command-and-control; sid:2034637; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_12_08;)
-
 alert http $HOME_NET any -> any any (msg:"ET INFO Python SimpleHTTP ServerBanner"; flow:established; http.server; content:"SimpleHTTP/"; startswith; content:"Python/"; distance:0; reference:url,wiki.python.org/moin/BaseHttpServer; classtype:misc-activity; sid:2034636; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2021_12_08;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT15/NICKEL KETRUM CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.html?q="; startswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer"; content:"|0d 0a|Connection|0d 0a|Pragma|0d 0a|Content-Type|0d 0a|"; startswith; reference:md5,002267297066965505e5e2ea1db867b4; reference:url,www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe; classtype:trojan-activity; sid:2034633; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category MALWARE, malware_family APT15, signature_severity Major, updated_at 2021_12_08;)
@@ -65354,7 +65022,7 @@ alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apa
 
 alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (udp) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|lower|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034666; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (bingsearchlib .com)"; dns.query; dotprefix; content:".bingsearchlib.com"; nocase; endswith; reference:url,twitter.com/sans_isc/status/1469305954835521539; reference:cve,2021-44228; classtype:domain-c2; sid:2034670; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_11, cve CVE_2121_44228, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, updated_at 2021_12_11;)
+#alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (bingsearchlib .com)"; dns.query; dotprefix; content:".bingsearchlib.com"; nocase; endswith; reference:url,twitter.com/sans_isc/status/1469305954835521539; reference:cve,2021-44228; classtype:domain-c2; sid:2034670; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, updated_at 2021_12_11;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Retrieving Remote Template (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".docx"; endswith; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/h2jazi/status/1469399194435735553; reference:md5,9127505386ade0774a1671e146e40ed7; classtype:trojan-activity; sid:2034679; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_13;)
 
@@ -65364,12 +65032,6 @@ alert dns $HOME_NET any -> any any (msg:"ET POLICY File Sharing Site in DNS Look
 
 alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; content:"|24 7b|env|3a|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034676; rev:1; metadata:attack_target Server, created_at 2021_12_13, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Tsunami Remote Shell M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/var/"; startswith; content:"pty"; fast_pattern; endswith; bsize:11; pcre:"/^\/var\/(?:run|tmp)\/pty$/U"; http.user_agent; content:"Wget"; startswith; content:!"Referer";  classtype:trojan-activity; sid:2034686; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_13;)
-
-#alert dns $HOME_NET any -> any any (msg:"ET DELETED Kimsuky Related Domain in DNS Lookup"; dns.query; content:"traderstruthrevealed.com"; nocase; bsize:24; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034682; rev:1; metadata:created_at 2021_12_13, former_category MALWARE, updated_at 2021_12_17;)
-
-#alert dns $HOME_NET any -> any any (msg:"ET DELETED Kimsuky Related Domain in DNS Lookup"; dns.query; content:"usrfiles.com"; nocase; bsize:12; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034687; rev:1; metadata:created_at 2021_12_13, former_category MALWARE, updated_at 2021_12_15;)
-
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky Related Domain in DNS Lookup"; dns.query; content:"ausq.inaver.org"; nocase; bsize:15; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034688; rev:1; metadata:created_at 2021_12_13, former_category MALWARE, updated_at 2021_12_13;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky Related Domain in DNS Lookup"; dns.query; content:"wnqd.navercloud.org"; nocase; bsize:19; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034689; rev:1; metadata:created_at 2021_12_13, former_category MALWARE, updated_at 2021_12_13;)
@@ -65456,14 +65118,10 @@ alert tcp [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET POLICY GIO
 
 alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY Successful GIOP/IIOP Request Outbound"; flow:established,to_client; flowbits:isset,ET.GIOPsession; stream_size:server,<,50; content:"|47 49 4f 50 01|"; startswith; content:"|01|"; distance:2; within:1; classtype:policy-violation; sid:2034731; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_15, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_15;)
 
-alert http any any -> any any (msg:"ET MALWARE DCRat CnC Activity M12"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?type=__ds_setdata&__ds_setdata_user="; fast_pattern; offset:140; depth:60; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Connection";  reference:md5,b478d340a787b85e086cc951d0696cb1; classtype:command-and-control; sid:2034740; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2021_12_15;)
-
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/FunnyDream Backdoor Related Domain in DNS Lookup (www .carelessnessing .com)"; dns.query; content:"www.carelessnessing.com"; nocase; bsize:23; reference:url,go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf; reference:md5,2f602c6feaa750e7d3b64276b630498a; classtype:domain-c2; sid:2034733; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family TAG_16, signature_severity Major, updated_at 2021_12_15;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/FunnyDream Backdoor Related Domain in DNS Lookup (www .weekendorg .com)"; dns.query; content:"www.weekendorg.com"; nocase; bsize:18; reference:md5,04662666c8a97998fb1b2fcf907526e8; reference:md5,1454d4feacdd503c0542f70f44a8edc1; reference:url,go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf; classtype:domain-c2; sid:2034734; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family TAG_16, signature_severity Major, updated_at 2021_12_15;)
 
-alert http any any -> any any (msg:"ET MALWARE DCRat CnC Activity M13"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?type=__ds_getdata&__ds_getdata_user="; fast_pattern; offset:140; depth:60; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Connection";  reference:md5,b478d340a787b85e086cc951d0696cb1; classtype:command-and-control; sid:2034741; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2021_12_15;)
-
 alert dns $HOME_NET any -> any any (msg:"ET INFO Interactsh Domain in DNS Lookup (.interactsh .com)"; dns.query; dotprefix; content:".interactsh.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/exploits-interactsh/; classtype:bad-unknown; sid:2034732; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_12_15;)
 
 alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY Successful LDAPSv3 LDAPS_START_TLS Request Outbound"; flow:established,to_client; flowbits:isset,ET.LDAPSBindRequest; stream_size:server,<,50; content:"|30 24 02 01|"; startswith; content:"|78 1f 0a 01 00 04 00 04 00 8a 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37|"; endswith; fast_pattern; reference:url,ldap.com/ldapv3-wire-protocol-reference-extended/; classtype:policy-violation; sid:2034720; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_14, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_12_15;)
@@ -65482,6 +65140,8 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE lu0bot Loader HTTP Request M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?"; pcre:"/^[a-f0-9=]{5,12}&ap=/R"; content:"&ap=|20|Mozilla/4.0|20|"; fast_pattern; http.user_agent; content:"Mozilla|2f|4|2e|0|20 28|compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5|29|"; bsize:57; reference:url,twitter.com/benkow_/status/1469238517066838018; reference:md5,8e343598ba830d20ffc22d2a9c82ad5a; classtype:command-and-control; sid:2034738; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_15;)
 
+#alert dns $HOME_NET any -> any any (msg:"ET DELETED Kimsuky Related Domain in DNS Lookup"; dns.query; content:"usrfiles.com"; nocase; bsize:12; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034687; rev:2; metadata:created_at 2021_12_13, former_category MALWARE, updated_at 2021_12_15;)
+
 alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE ELF/Muhstik Botnet CnC Activity"; flow:established,to_server; content:"NICK|20|"; content:"USER|20|"; content:"|3a|muhstik-"; fast_pattern; pcre:"/^[0-9]{8}$/Rm"; reference:md5,81fbe69a36650504b88756074a36c183; reference:md5,d20478a01344026a0ecd60b0b29e9bc1; reference:url,blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/; classtype:command-and-control; sid:2034743; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family Muhstik, signature_severity Major, updated_at 2021_12_15;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE ELF/Mirai Botnet CnC Activity"; flow:established,to_server; dsize:11; content:"SWATunknown"; fast_pattern; reference:md5,1348a00488a5b3097681b6463321d84c; reference:url,blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/; classtype:command-and-control; sid:2034744; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2021_12_15;)
@@ -65498,32 +65158,16 @@ alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observ
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (hiduwu .com)"; dns.query; content:"hiduwu.com"; nocase; bsize:10; reference:url,thedfirreport.com/2021/12/13/diavol-ransomware/; classtype:domain-c2; sid:2034754; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DCRat CnC Activity M11"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?data=active"; endswith; fast_pattern; pcre:"/^\/[a-z0-9]{45,60}\/[a-z0-9]{35,65}\/[a-z0-9]{38,60}\.php\?data=active$/U"; http.header_names; content:!"Referer"; content:!"User-Agent"; content:"Connection";  reference:md5,b478d340a787b85e086cc951d0696cb1; classtype:command-and-control; sid:2034739; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2021_12_17;)
-
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Serialized Java Payload via RMI Response"; flow:established,to_client; stream_size:client,<,100; flowbits:isset,ET.RMIRequest; content:"|51 ac ed|"; startswith; reference:url,blogs.juniper.net/en-us/threat-research/log4j-vulnerability-attackers-shift-focus-from-ldap-to-rmi; classtype:bad-unknown; sid:2034748; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_17, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_17;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Unserialized Java Payload via RMI Response"; flow:established,to_client; stream_size:client,<,100; flowbits:isset,ET.RMIRequest; content:"|51 ca fe ba be|"; startswith; reference:url,blogs.juniper.net/en-us/threat-research/log4j-vulnerability-attackers-shift-focus-from-ldap-to-rmi; classtype:bad-unknown; sid:2034749; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_17, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034757; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
-
-alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http rmi) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034758; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
-
-alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034759; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
-
-alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034760; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
-
-alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034761; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
-
-alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034762; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+#alert dns $HOME_NET any -> any any (msg:"ET DELETED Kimsuky Related Domain in DNS Lookup"; dns.query; content:"traderstruthrevealed.com"; nocase; bsize:24; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034682; rev:2; metadata:created_at 2021_12_13, former_category MALWARE, updated_at 2021_12_17;)
 
 alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp dns) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034763; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
 alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034764; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http dns) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034765; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
-
-alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034766; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
-
 alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034767; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
 alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034768; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
@@ -65668,8 +65312,6 @@ alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observ
 
 alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (canarytokens .com)"; dns.query; content:".l4j."; nocase; content:".canarytokens.com"; nocase; endswith; fast_pattern; reference:cve,2021-44228; classtype:domain-c2; sid:2034832; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN WordPress HelloThinkCMF Scan"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?a=fetch&content="; startswith; content:"die(@md5(HelloThinkCMF))"; fast_pattern; distance:0; http.header_names; content:!"Referer";  classtype:network-scan; sid:2034838; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2021_12_22, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_22;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.5.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.header; content:"Java/1.5."; nocase; reference:url,www.oracle.com/technetwork/java/javase/documentation/index.html; classtype:bad-unknown; sid:2011581; rev:12; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, tag EOL, updated_at 2021_12_22;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.8.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/1.8.0_"; content:!"291"; within:3; reference:url,www.oracle.com/technetwork/java/javase/8u-relnotes-2225394.html; classtype:bad-unknown; sid:2019401; rev:35; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_12_22;)
@@ -65750,8 +65392,6 @@ alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observ
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed JavaScript Event Listener with Clipboard Data"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<script>"; content:"addEventListener|28 27|copy|27|"; distance:0; content:"clipboardData|2e|setData|28 27|text|2f|plain|27|"; fast_pattern; distance:0; content:"sh"; distance:0; content:"|5c|n"; distance:0; content:"</script>"; distance:0; reference:url,www.bleepingcomputer.com/news/security/dont-copy-paste-commands-from-webpages-you-can-get-hacked; classtype:web-application-activity; sid:2034860; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_04, deployment Perimeter, former_category WEB_CLIENT, signature_severity Informational, updated_at 2022_01_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING RDP Authentication Bypass Attempt"; flow:established,to_server; content:"|03 00 00 2f 2a|"; startswith; content:"Cookie: mstshash="; dsize:<60;  reference:url,pastebin.com/PSbQXJYL; classtype:attempted-admin; sid:2034857; rev:2; metadata:affected_product Microsoft_Terminal_Server_RDP, attack_target Server, created_at 2022_01_04, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2022_01_04;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Request M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/"; startswith; content:"?=1"; within:7; fast_pattern; pcre:"/^[678]\d{8}$/R"; http.host; pcre:"/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/"; http.header_names; content:"|0d 0a|Accept|0d 0a|"; startswith; content:"Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|"; reference:url,blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit; reference:md5,c398b504f74500d6a1a47f72bb45bc83; classtype:command-and-control; sid:2034859; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_05, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, performance_impact Moderate, signature_severity Major, updated_at 2022_01_06;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M1"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/octet-stream"; bsize:24; http.server; content:"HFS|20|"; startswith; http.cookie; content:"HFS_SID_="; startswith; http.response_body; content:"Rar!|1a 07 01 00|"; startswith; content:"rundll3222.exe"; within:150; fast_pattern; reference:url,blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit; classtype:trojan-activity; sid:2034856; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_05, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, signature_severity Major, updated_at 2022_01_05;)
@@ -65892,7 +65532,155 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE SysJoker Related Domain in D
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE SysJoker Related Domain in DNS Lookup (winaudio-tools .com)"; dns.query; content:"winaudio-tools.com"; nocase; bsize:18; reference:url,www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/; classtype:trojan-activity; sid:2034927; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phish Landing Page 2022-01-14"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"http|2d|equiv|3d|refresh"; content:"email="; distance:0; content:"&.rand=13InboxLight.aspx?n="; fast_pattern; distance:0; content:"&fid="; distance:0; content:"n="; distance:0; content:"&fid="; distance:0; content:"&fav="; distance:0;  reference:md5,43ac0c5346bf8aefc0068c30a34b7d39; classtype:credential-theft; sid:2034928; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_01_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"47:46:41:98:fc:47:5a:2e:a1:76:18:38:b1:f8:0d:ea:e7:99:d0:5f"; classtype:domain-c2; sid:2018736; rev:9; metadata:attack_target Client_and_Server, created_at 2014_06_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|04|svr2"; distance:1; within:5; tls.fingerprint:"0e:03:44:08:34:6e:2c:66:fa:ec:a8:f8:97:24:ea:1f:f6:c7:5a:5e"; reference:md5,87223f535afd8b11dd79c6f39fc059d9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018600; rev:13; metadata:attack_target Client_and_Server, created_at 2014_06_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|20|kpai7ycr7jxqkilp.torexplorer.com"; tls.fingerprint:"0e:dd:72:24:52:c1:2c:68:6f:16:a7:ee:7b:e7:4b:56:e8:9a:6d:b5"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018693; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|1b|corporati-sdfs222222you.com"; fast_pattern:8,20; tls.fingerprint:"19:56:b7:ff:84:f6:f8:41:f5:b5:8d:63:76:88:59:b6:d5:f0:3d:3c"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018694; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|11|evergreen.kiev.ua"; fast_pattern:only; tls.fingerprint:"1a:3f:a8:f8:56:d4:da:64:83:f0:7b:29:40:41:cf:84:2e:b4:e9:b5"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018695; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0e|kilomenter.com"; tls.fingerprint:"25:c3:39:6d:47:d5:df:12:fa:af:dd:06:68:7e:7e:69:f8:fc:6f:e8"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018697; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|21|worldwidetrading-compaanny2you.su"; fast_pattern:9,20; tls.fingerprint:"28:49:e8:47:e0:d5:ba:85:bf:59:18:2a:92:e5:35:41:d5:5f:a8:dc"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018698; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|17|delfi-fro-youindigo.net"; fast_pattern:only; tls.fingerprint:"34:8e:8f:a3:05:d8:b1:e5:fe:d5:3c:07:1e:dd:58:e7:a0:c9:d9:d4"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018699; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Malware C2)"; flow:established,from_server; content:"|0e|jpyjcy0qmd.gov"; fast_pattern:only; tls.fingerprint:"36:ae:19:7c:21:ca:c2:56:0f:6d:6e:dc:a5:0c:46:3e:a0:49:f1:52"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018700; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0d|riffpedia.net"; fast_pattern:only; tls.fingerprint:"46:de:ba:70:b2:f5:e1:7b:a8:54:cf:02:26:ec:5b:df:8f:b0:06:7b"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018701; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0f|slksecurity.com"; fast_pattern:only; tls.fingerprint:"4b:1d:64:c1:63:7a:ae:42:7a:a0:7d:6c:75:6c:13:b9:77:71:56:03"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018702; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|12|billing-service.ru"; fast_pattern:only; tls.fingerprint:"4e:ac:f7:ce:46:3d:ff:ae:b2:40:cb:d9:7a:09:f0:dd:42:08:e7:48"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018704; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0e|ckytiqfles.com"; fast_pattern:only; tls.fingerprint:"4f:b4:c8:1e:f5:c1:bf:0e:2e:53:3d:8c:46:63:40:67:a1:5f:25:fe"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018705; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0e|web-names1.com"; fast_pattern:only; tls.fingerprint:"59:c1:d3:55:1c:d5:43:55:39:10:72:03:0d:21:57:7a:c6:5a:49:83"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018706; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|09|server265"; fast_pattern:only; tls.fingerprint:"65:a7:7d:36:d1:b5:36:65:f6:0d:19:71:89:24:50:4f:7d:3f:95:08"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018707; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|13|statistic4he2om.com"; fast_pattern:only; tls.fingerprint:"69:c6:78:70:7b:fd:48:36:29:15:71:fb:ae:40:04:59:c9:0b:9e:ed"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018708; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|17|delfi-fro-youindigo.com"; tls.fingerprint:"72:ce:ed:55:39:c6:0f:e7:ef:db:c8:7e:77:7f:73:1c:75:d3:ff:ea"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018711; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|10|secureonesee.com"; fast_pattern:only; tls.fingerprint:"74:06:45:7d:94:2e:bc:79:e4:91:45:4c:d5:7d:fc:f9:bc:c8:95:af"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018712; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0f|bitcoin-send.ru"; fast_pattern:only; tls.fingerprint:"78:0e:3b:97:7f:c1:19:e7:a0:e1:cd:51:92:90:9b:a0:ba:95:c8:c7"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018714; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (ZeuS C2)"; flow:established,from_server; content:"|06|lzx.su"; fast_pattern:only; tls.fingerprint:"79:67:bb:dd:e9:c1:17:46:8d:26:cd:de:db:20:e2:1c:46:63:bd:d7"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018715; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|07|server8"; fast_pattern:only; tls.fingerprint:"9d:5f:4b:bd:00:81:77:0e:67:43:31:e9:a0:db:e7:45:c9:85:e8:50"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018716; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|1c|kpai7ycr7jxqkilp.tor2www.com"; tls.fingerprint:"a7:da:82:eb:15:e9:87:09:ba:62:5c:84:3d:bb:e7:ad:d3:24:6a:c9"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018717; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|1a|root@localhost.localdomain"; tls.fingerprint:"a8:c7:79:04:f3:e6:1e:6d:18:2d:7a:69:15:25:c4:09:ff:12:ef:86"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018718; rev:6; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Shylock C2)"; flow:established,from_server; content:"|10|Internet Banking"; fast_pattern:only; tls.fingerprint:"b0:03:44:3e:f1:2b:5f:f4:4b:5a:00:a2:68:d2:09:5b:43:d2:a8:6f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018720; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|15|futuredynamicteam.com"; tls.fingerprint:"b6:02:85:17:c1:0f:e9:e3:10:48:f0:2e:58:53:e5:c1:74:1f:ef:b8"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018721; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak C2)"; flow:established,from_server; content:"|0f|security256.com"; fast_pattern:only; tls.fingerprint:"ba:e6:e4:56:b7:23:9d:2e:01:cd:2a:bb:6a:10:13:9d:96:3c:73:14"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018722; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0f|sec-picture.net"; fast_pattern:only; tls.fingerprint:"c8:7e:eb:70:75:75:e5:23:8d:77:73:10:2d:f1:73:07:2a:bb:bf:0b"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018723; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|1d|planet2wideg2yandex-corti.com"; tls.fingerprint:"c9:b0:97:d6:2d:6f:7b:36:5f:88:fc:ec:1d:a9:4d:ed:5e:d9:32:1f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018724; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0c|kin.pgsox.cc"; fast_pattern:only; tls.fingerprint:"cb:f6:8e:89:9c:14:cd:be:d2:5b:20:d3:98:ce:67:24:d6:0d:e0:a6"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018725; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|10|bitcoin-beta.com"; fast_pattern:only; tls.fingerprint:"d4:fa:65:54:b5:f6:24:3a:50:eb:14:53:e4:40:bb:a5:8d:a5:6f:61"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018726; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|10|invoice-maker.ru"; fast_pattern:only; tls.fingerprint:"d7:b1:19:96:6c:5b:41:dd:99:b2:e1:e1:c8:74:5f:cb:65:f8:09:de"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018727; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|12|poppperdropper.com"; fast_pattern:only; tls.fingerprint:"dd:bd:80:27:40:3b:bd:f2:17:e6:34:53:0b:ee:72:40:ce:d6:8a:8e"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018728; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|10|www.total4me.org"; fast_pattern:only; tls.fingerprint:"df:4b:2f:32:9f:19:f8:a5:02:33:e4:f5:1e:e1:61:6e:b8:0d:c7:f1"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018729; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|06|0bg.ru"; fast_pattern:only; tls.fingerprint:"df:9c:32:dd:ba:0b:e9:6f:08:52:bc:59:3d:a3:d7:82:12:b1:d5:45"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018730; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|10|greengarden1.com"; fast_pattern:only; tls.fingerprint:"e8:52:a3:e8:cd:0b:eb:2d:28:df:62:2e:2c:a4:d5:4d:f4:3c:cc:9f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018731; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|07|server9"; fast_pattern:only; tls.fingerprint:"f5:e2:b6:7a:1e:92:49:ab:ac:d0:4f:68:36:9b:2a:0d:fb:0b:4f:d7"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018732; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0e|fileprofes.com"; fast_pattern:only; tls.fingerprint:"f9:86:e8:fa:b5:55:bb:db:96:9f:f2:4c:48:8c:d9:66:09:43:5e:ec"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018733; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0b|gorms4tu.be"; fast_pattern:only; tls.fingerprint:"ff:15:52:d1:df:5c:d0:0e:c5:69:00:31:9e:9f:24:80:4a:e6:0c:63"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018734; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|pistofon.ru"; distance:1; within:12; content:"|13|someone@pistofon.ru"; fast_pattern:only; tls.fingerprint:"43:cb:f3:ff:69:9b:3d:dc:58:29:17:bd:ff:41:ed:59:13:c7:39:8a"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018746; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|trustasia.asia"; distance:1; within:15; tls.fingerprint:"09:f0:c1:86:37:73:63:98:2c:19:7a:ed:2a:ca:60:2d:ce:4f:cf:16"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018747; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nagchampa.in"; distance:1; within:13; tls.fingerprint:"cd:bc:8b:c2:e9:63:ee:6c:e5:18:e0:6a:92:42:a5:4a:28:19:eb:7f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018851; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"1e:0f:3d:14:42:f9:52:2b:24:25:15:cb:69:68:a1:0b:08:f4:85:7c"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018858; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ac 31 2f c6 b3 12 c1 f9|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"be:1a:58:4a:85:c8:79:f8:55:5d:98:4f:c3:6b:ef:69:db:6d:8a:d5"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018859; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 dd 04 88 42 80 63 7d af|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"80:ac:8f:7c:a8:c6:dd:1b:5b:23:17:63:e9:09:50:52:40:a9:d1:a6"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018860; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"4d:0f:1f:0f:96:85:ef:f1:24:e5:6a:31:19:2a:2b:ea:e7:88:d8:8b"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018861; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"ab:92:db:cc:12:05:45:36:1d:3a:cc:c5:50:d4:e5:79:67:d4:85:71"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018862; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"f7:41:76:2e:a8:09:4a:8d:95:ad:84:ba:ea:0d:42:e8:0c:e5:84:d0"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018863; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ab 62 ca a2 20 83 75 2d|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"bc:08:3e:da:9c:3a:84:fa:bf:6d:39:23:7e:bb:7a:d8:65:54:0b:56"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018864; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 f6 57 75 bc c6 71 7c 74|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"0b:b0:85:d5:61:df:07:c8:89:e5:ba:d5:1c:84:63:71:d4:fc:fd:61"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018865; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 cf 22 8c cf e7 2c 1b 1f|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"a9:24:0e:12:4a:b9:4f:16:74:4d:54:c2:50:f2:df:46:1d:dc:39:2b"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018866; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|msvsprot.com"; distance:1; within:13; tls.fingerprint:"ea:ab:3c:a3:76:94:c8:9d:57:b9:21:b4:f3:93:0b:af:de:02:2d:e0"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018910; rev:4; metadata:attack_target Client_and_Server, created_at 2014_08_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|local.domain"; distance:1; within:13; tls.fingerprint:"8f:37:76:15:40:99:b6:c2:dc:34:b8:c3:7f:f5:21:17:21:44:a9:a4"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018911; rev:4; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 08 13 0a|Some-State"; content:"|13 18|Internet Widgits Pty"; within:35; tls.fingerprint:"e5:0e:e9:90:a3:12:b9:e2:e6:8c:46:d1:89:e1:e9:23:81:74:1b:f9"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018915; rev:4; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 08 13 0a|Some-State"; content:"|13 18|Internet Widgits Pty"; within:35; tls.fingerprint:"e6:d3:0c:d0:41:d1:9d:3a:3e:9c:82:e0:b9:e3:e1:67:ad:0f:ee:9f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018916; rev:4; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ff 7f 8a 27 bf 5c f4 53|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"35:66:21:93:91:b9:56:61:88:b4:c8:02:1e:a3:eb:c6:1c:97:35:c3"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018937; rev:4; metadata:attack_target Client_and_Server, created_at 2014_08_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Malware CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|publicstats.tk"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023529; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag dupe, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|googleforking.com"; distance:1; within:18; tls.fingerprint:"4c:1c:1a:aa:58:80:31:74:58:79:8a:04:db:76:42:8e:ce:55:f1:40"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018703; rev:6; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (HTTPBrowser CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 d3 99 b4 6f 4e 77 43|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021428; rev:4; metadata:attack_target Client_and_Server, created_at 2015_07_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|brutus.neuronio.pt"; distance:1; within:19; content:"|0c|sampo@iki.fi"; distance:0; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021521; rev:4; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|contactcitywell.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021562; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|ghheranon.ad"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021613; rev:3; metadata:attack_target Client_and_Server, created_at 2015_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|idcythef.tj"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021614; rev:3; metadata:attack_target Client_and_Server, created_at 2015_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nntpdinfo.pw"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021899; rev:4; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|fidobeta.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021932; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|makaronypolskie.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021933; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|crenuva.net"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021934; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Malicious SSL certificate detected (Possible Sinkhole)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; distance:0; content:"|0a|infosec.jp"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0e|www.infosec.jp"; distance:1; within:15; content:"snowyowl@jpnsec.com"; distance:0; reference:md5,ef5fa2378307338d4e75dece88158d77; classtype:domain-c2; sid:2022324; rev:4; metadata:attack_target Client_and_Server, created_at 2016_01_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www."; distance:1; within:5; content:".com"; distance:8; within:4; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[a-zA-Z0-9]+\x2e[01]/R"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022480; rev:4; metadata:attack_target Client_and_Server, created_at 2016_02_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sogelfeld.ws"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024083; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Ixeshe CnC)"; flow:established,from_server; content:"|09 00 b5 c7 52 c9 87 81 b5 03|"; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022960; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|12|do.tntcentral.mobi"; fast_pattern:only; tls.fingerprint:"75:02:e5:5d:eb:4d:19:b9:6e:a9:61:26:34:82:4b:2f:b6:ad:96:6d"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018760; rev:6; metadata:attack_target Client_and_Server, created_at 2014_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (ZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|daznukhurebkolsek.net"; distance:1; within:22; tls.fingerprint:"b6:d7:85:2a:e1:ca:32:5f:77:28:d4:64:12:44:8b:01:41:94:0b:c9"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018807; rev:6; metadata:attack_target Client_and_Server, created_at 2014_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|expert-256bitssl.com"; distance:1; within:21; tls.fingerprint:"ca:2e:43:5b:b8:83:60:81:ff:a6:1c:90:2d:b0:5a:4e:0e:11:c7:8f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018913; rev:5; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|19|siefrra1967ga@outlook.com"; distance:1; within:26; tls.fingerprint:"b5:ff:48:e0:d2:15:2e:04:83:f1:8d:50:60:41:46:7a:55:d1:fb:a8"; reference:url,sslbl.abuse.ch; reference:md5,7832ac3ad8275695b8051ab70432e161; classtype:domain-c2; sid:2018917; rev:5; metadata:attack_target Client_and_Server, created_at 2014_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre C2)"; flow:established,from_server; content:"|55 04 07|"; content:"|05|miami"; distance:1; within:6; content:"|55 04 03|"; distance:0; content:"|0c|94.23.236.54"; distance:1; within:13; tls.fingerprint:"b2:ca:f5:a1:82:79:c1:cb:10:da:17:4c:58:1a:71:38:ff:8b:0c:f2"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018940; rev:5; metadata:attack_target Client_and_Server, created_at 2014_08_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
 alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (dik .si in TLS SNI)"; flow:established,to_server; tls.sni; content:"dik.si"; bsize:6; fast_pattern; classtype:bad-unknown; sid:2034932; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_01_18;)
 
@@ -65966,8 +65754,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Tsunami Dow
 
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Citrix ShareFile Storage Zones Controller RCE Attempt (CVE-2021-22941)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload.aspx"; content:"id"; content:"|40|"; distance:0; content:"|2e 2e 2f|"; distance:0; content:"|2e|cshtml"; distance:0; fast_pattern; content:"bp"; content:"accountid"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|"; reference:cve,2021-22941; classtype:attempted-admin; sid:2034972; rev:2; metadata:attack_target Server, created_at 2022_01_25, cve CVE_2021_22941, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Tsunami Remote Shell M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.x/var/run/tty"; startswith; fast_pattern; pcre:"/^\/\.x\/var\/run\/tty\d$/U"; http.user_agent; content:"Wget"; startswith; http.header_names; content:!"Referer";  classtype:trojan-activity; sid:2034684; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_25;)
-
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (portal .gfinanzen .net)"; dns.query; content:"portal.gfinanzen.net"; nocase; bsize:20; reference:md5,b371e1c2ca2e5718e151760bc4664366; reference:url,twitter.com/czy_1116/status/1485813878550597632; classtype:domain-c2; sid:2034964; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_01_25;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MOBILE_MALWARE AndroidOS/Basbanke.A Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /rdc?method="; fast_pattern; startswith; http.user_agent; content:"okhttp/"; startswith; http.header_names; content:!"Referer"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,220ec1e3effb6f4a4a3acb6b3b3d2e90; reference:url,www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account; classtype:trojan-activity; sid:2034965; rev:1; metadata:attack_target Mobile_Client, created_at 2022_01_25, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_01_25;)
@@ -66004,7 +65790,7 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Powershell Reques
 
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA Authenticated Command Injection Attempt CVE-2021-20039"; flow:established,to_server; http.request_line; content:"POST /cgi-bin/viewcert HTTP/1.1"; fast_pattern; http.request_body; content:"delete"; nocase; content:"CERT"; nocase; distance:0; content:"n"; nocase; content:"perl"; nocase; distance:0; content:"base64"; nocase; within:30; reference:cve,2021-20039; classtype:attempted-admin; sid:2034986; rev:1; metadata:attack_target Server, created_at 2022_01_26, cve CVE_2021_20039, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell with Decimal Encoded RUNPE Downloaded"; flow:established,to_client; http.content_type; content:"text/plain"; startswith; http.response_body; content:"RUNPE"; nocase; content:"31,139,8,0,0,0,0,0,4,0,237,189,7,96"; within:50; fast_pattern; content:"82,101,109,111,116,101,83,105,103,110,101,100"; distance:0; reference:url,blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader; classtype:trojan-activity; sid:2034980; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_01_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell with Decimal Encoded RUNPE Downloaded"; flow:established,to_client; http.content_type; content:"text/plain"; startswith; http.response_body; content:"RUNPE"; nocase; content:"31,139,8,0,0,0,0,0,4,0,237,189,7,96"; within:50; fast_pattern; content:"82,101,109,111,116,101,83,105,103,110,101,100"; distance:0; reference:url,blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader; classtype:trojan-activity; sid:2034980; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
 alert dns $HOME_NET any -> any any (msg:"ET POLICY Suspicious File Sharing Domain in DNS Lookup (drive .cloudplus .one)"; dns.query; content:"drive.cloudplus.one"; nocase; bsize:19; reference:md5,934c7b7c31d84728f0086be9b80ee1e4; reference:url,twitter.com/ShadowChasing1/status/1486542725692284930; reference:url,twitter.com/malwrhunterteam/status/1483853345924255745; classtype:bad-unknown; sid:2034987; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_27, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_01_27;)
 
@@ -66418,8 +66204,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Rel
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /wsusa HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,f8af71e85f5bee6b3fee2fcfd15da893; classtype:trojan-activity; sid:2035222; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET DELETED test CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".to.sv"; nocase; endswith; classtype:trojan-activity; sid:2035217; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_22;)
-
 alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (wa .sv)"; dns.query; content:"wa.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035224; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
 alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (in .sv)"; dns.query; content:"in.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035225; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
@@ -66524,6 +66308,8 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup APT Related Domai
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/TrojanDownloader.Agent.TXV CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/postUP.php"; endswith; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0)"; http.connection; content:"keep-alive"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Referer"; reference:url,twitter.com/Unit42_Intel/status/1496172957726560257; classtype:trojan-activity; sid:2035271; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_22;)
 
+#alert dns $HOME_NET any -> any any (msg:"ET DELETED test CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".to.sv"; nocase; endswith; classtype:trojan-activity; sid:2035217; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_22;)
+
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReverseRat 2.0 CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"="; http.request_body; content:"|ed bb a7 14 24 02 2e cc 3f f4|"; startswith; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,8306b6dee8aca5ad5b3368cd070d5729; reference:url,twitter.com/malwrhunterteam/status/1494650167877935104; classtype:trojan-activity; sid:2035275; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category MALWARE, malware_family ReverseRAT, signature_severity Major, updated_at 2022_02_23;)
 
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT10 Related Domain in DNS Lookup (microsofts .cc)"; dns.query; dotprefix; content:".microsofts.cc"; nocase; endswith; reference:url,medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934; classtype:domain-c2; sid:2035276; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category MALWARE, malware_family APT10, signature_severity Major, updated_at 2022_02_23;)
@@ -66700,8 +66486,6 @@ alert tcp-stream $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Win32/Age
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (gen)"; flow:established,to_server; content:"|0d 0a 0d 0a|gen="; fast_pattern; http.request_body; content:!"&syncID="; nocase; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030183; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, tag Ransomware, updated_at 2022_02_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Snugy DNS Backdoor CnC Activity (Hostname Send)"; dns.query; bsize:>22; content:"266"; offset:3; depth:8; pcre:"/^[zjr9x]{1}[tmdhpz]{1}[0-9a-z]{1,6}266(?:[a-zA-Z0-9]{1,6})?+\./"; content:!".trendmicro.com"; content:!"cnr.io"; endswith; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-backdoors/; classtype:command-and-control; sid:2031194; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_02_28;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PurpleFox Related Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /i.php?i="; fast_pattern; startswith; http.user_agent; content:"Windows Installer"; bsize:17; http.header_names; content:!"Referer"; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,7f757563585debbbccc3e34664de04fe; reference:md5,c793425d192af8f89b1b8c7e1ea6f792; reference:url,twitter.com/Max_Mal_/status/1498351091066589184; classtype:trojan-activity; sid:2035313; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, signature_severity Major, updated_at 2022_02_28;)
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page 2022-03-01"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"method|3d 22|post|22 20|action|3d 22 2e 2f|index|2e|aspx|3f|code|3d|"; fast_pattern; content:"id|3d 22 5f 5f|VIEWSTATE|22|"; distance:0; content:"id|3d 22 5f 5f|VIEWSTATEGENERATOR|22|"; distance:0; content:"type|3d 22|password|22|"; distance:0; reference:md5,121de0ed6f4ec91eb75bae5ef1d9765b; classtype:credential-theft; sid:2035369; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_01;)
@@ -66756,6 +66540,8 @@ alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Zabbix v5.4
 
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SALM Auth Bypass (CVE-2022-23131) M3"; flow:established,to_server; http.uri; content:"/index_sso.php"; startswith; http.cookie; content:"zbx_session="; content:"idXNlcm5hbWVfYXR0cmlidXRlIj"; distance:0; fast_pattern; pcre:"/(?:InNhbWxfZGF0YS|JzYW1sX2RhdGEi|ic2FtbF9kYXRhI)/"; reference:url,blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage; reference:cve,2022-23131; classtype:trojan-activity; sid:2035373; rev:2; metadata:created_at 2022_03_02, cve CVE_2022_23131, updated_at 2022_03_02;)
 
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Ransom.Win32.Blocker.bjat"; flow:established,to_server; http.uri; content:"?&"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; http.header; content:"User-Agent|3a 20|Update"; fast_pattern; classtype:trojan-activity; sid:2017281; rev:5; metadata:created_at 2013_08_06, former_category MALWARE, updated_at 2022_03_02;)
+
 alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/PurpleFox Related Domain in DNS Lookup"; dns.query; content:"oip.xioerabn.site"; nocase; bsize:17; reference:md5,57b8bccf9cb8592ae86b4453cf74b4e8; classtype:domain-c2; sid:2035384; rev:1; metadata:attack_target Client_and_Server, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_03;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/PurpleFox Retrieving File (GET)"; flow:established,to_server; http.request_line; content:"GET /conf.dat HTTP/1.1"; fast_pattern; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE 6.0|3b 20|Windows|20|NT|20|5.0)"; bsize:50; http.header_names; content:!"Referer"; reference:md5,57b8bccf9cb8592ae86b4453cf74b4e8; classtype:trojan-activity; sid:2035385; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, signature_severity Major, updated_at 2022_03_03;)
@@ -66830,8 +66616,6 @@ alert dns $HOME_NET any -> any any (msg:"ET MALWARE SoulSearcher Malware Domain
 
 alert dns $HOME_NET any -> any any (msg:"ET INFO Free Hosting Domain (*.freehostia .com in DNS Lookup)"; dns.query; dotprefix; content:".freehostia.com"; nocase; endswith; classtype:misc-activity; sid:2035422; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pripyat Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /api/endpoint.php HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"cpp-httplib/0.9"; bsize:15; http.request_body; content:"|22|computername|22 3a 22|"; content:"|22|username|22 3a 22|"; distance:0; content:"|22|hashrate|22 3a|"; distance:0; reference:md5,ffb7bbf6e3e3199555b979b46d3789a6; reference:url,twitter.com/3xp0rtblog/status/1501330153900703745; reference:md5,a12ba07fcdb4eb1c1ea65e8fa49ec4ad; classtype:trojan-activity; sid:2035420; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_09;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SoulSearcher Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/msn-msn/log/2/debug?tim="; startswith; fast_pattern; http.host; content:"trc.taboola.com"; http.request_body; content:"|00 00 00 11|"; startswith; byte_jump:4,8,relative,little,post_offset -1; isdataat:!2,relative; content:"|78 9c|"; offset:16; depth:2; reference:url,www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware; reference:md5,9a32e5a45336e705d23adc865bd30704; classtype:command-and-control; sid:2035415; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, former_category MALWARE, malware_family SoulSearcher, performance_impact Low, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SoulSearcher Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/en-my/CMSStyles/style.csx?k="; startswith; fast_pattern; http.host; content:"c.s-microsoft.com"; http.request_body; content:"|00 00 00 11|"; startswith; byte_jump:4,8,relative,little,post_offset -1; isdataat:!2,relative; content:"|78 9c|"; offset:16; depth:2; reference:url,www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware; classtype:command-and-control; sid:2035416; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
@@ -66976,12 +66760,8 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Discord Doma
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Webdor.NAC Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html?m="; content:"&c="; distance:0; content:"&v="; distance:0; content:"&myID="; content:"/"; within:255; content:"/"; within:10; http.user_agent; content:"Catalyst"; bsize:8; fast_pattern; reference:md5,1e2a28d5f4f03420df7a6766e0e4277c; classtype:trojan-activity; sid:2035456; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_15;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Discord Domain in DNS Lookup (discord .com)"; dns.query; dotprefix; content:"discord.com"; endswith; reference:md5,03f93498e1006ffa3a1f9fcb6170525a; classtype:misc-activity; sid:2035465; rev:1; metadata:created_at 2022_03_15, updated_at 2022_03_15;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/TrojanDownloader.Agent.KUO CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dwn.php"; endswith; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/W"; http.header; content:"DNT: 1"; http.header_names; content:!"Referer"; content:"|0d 0a|Host|0d 0a|DNT|0d 0a|Connection|0d 0a 0d 0a|"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Trident/7.0|3b 20|rv:11.0) like Gecko"; bsize:61; reference:md5,f6cb005907be5516394525da16d427c7; reference:url,seguranca-informatica.pt/brazilian-trojan-impacting-portuguese-users-and-using-the-same-capabilities-seen-in-other-latin-american-threats; classtype:trojan-activity; sid:2035460; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_15;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)"; dns.query; dotprefix; content:"discordapp.com"; endswith; reference:md5,03f93498e1006ffa3a1f9fcb6170525a; classtype:misc-activity; sid:2035466; rev:1; metadata:created_at 2022_03_15, updated_at 2022_03_15;)
-
 alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TP-LINK TL-WR840N RCE Inbound (CVE-2022-25064)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi?2&2"; fast_pattern; http.request_body; content:"|0d 0a|X_TP_FirewallEnabled"; content:"|0d 0a|X_TP_ExternalIPv6Address="; distance:0; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; reference:cve,2022-25064; classtype:attempted-admin; sid:2035455; rev:1; metadata:created_at 2022_03_15, cve CVE_2022_25064, former_category EXPLOIT, updated_at 2022_03_15;)
 
 alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE HermeticWizard - WMI Spreader - Remote Process Creation M1"; flow:established,to_server; content:"|05 00 00|"; content:"W|00|i|00|n|00|3|00|2|00|_|00|P|00|r|00|o|00|c|00|e|00|s|00|s|00|"; distance:0; content:"C|00|r|00|e|00|a|00|t|00|e|00|"; within:200; content:"regsvr32|2e|exe|20 2f|s|20 2f|i|20|"; distance:0; fast_pattern; content:"|5c|c"; within:500; pcre:"/^[A-F0-9]{12}/R"; content:"|2e|dll|00|"; within:5; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035418; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_09, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, signature_severity Major, updated_at 2022_03_15;)
@@ -67000,8 +66780,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING ZIP file exfiltrat
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING RAR file exfiltration over raw TCP"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"Rar|21 1a 07 00|"; fast_pattern; startswith; content:"|73|"; distance:2; content:"|00 00|"; distance:4; reference:url,forensicswiki.xyz/page/RAR; classtype:misc-activity; sid:2035479; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category HUNTING, performance_impact Moderate, signature_severity Informational, updated_at 2022_03_16;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING PNG image exfiltration over raw TCP"; flow:established,to_server; stream_size:server,<,160; dsize:>11; content:"|89|PNG|0d 0a 1a 0a 00 00 00 0d|IHDR|00 00|"; startswith; flowbits:set,ET.tcpraw.png; reference:md5,a271e5179f0a98a295736bd7a41a39fc; classtype:misc-activity; sid:2035476; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_03_16;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO imPcRemote Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/downloads/impcremote"; depth:21; http.host; content:"impcremote.com"; bsize:14; reference:md5,3d72ee8e1e59b143fa496fa63ca33994; classtype:attempted-admin; sid:2035475; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_16;)
 
 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING RAR file download over raw TCP"; flow:established,to_client; stream_size:client,<,5; dsize:>11; content:"Rar|21 1a 07 00|"; fast_pattern; startswith; content:"|73|"; distance:2; content:"|00 00|"; distance:4; reference:url,forensicswiki.xyz/page/RAR; classtype:misc-activity; sid:2035481; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_03_16;)
@@ -67568,2141 +67346,3151 @@ alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely CryptoWall
 
 alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Loki Locker Ransomware Server Response (Public Key) M1"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text|2f|html|3b 20|charset|3d|UTF|2d|8"; bsize:24; http.content_len; byte_test:0,<=,1000,0,string,dec; http.response_body; content:"|7b 22|public|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|message|5f|id|22 3a 22|"; distance:0; content:!"|22 2c 22|"; distance:0; reference:url,blogs.blackberry.com/en/2022/03/lokilocker-ransomware; reference:md5,8aea251877cb4f5ee6cf357831f8620c; reference:url,twitter.com/James_inthe_box/status/1504194638885711872; classtype:trojan-activity; sid:2035512; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2022_03_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Gopher Related User-Agent (aimxxhwpcc)"; flow:established,to_server; http.user_agent; content:"aimxxhwpcc"; bsize:10; fast_pattern; reference:md5,1f1969481fe9bca52d5c01e1a093c1b8; reference:url,www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant; classtype:trojan-activity; sid:2035556; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family AridViper, malware_family TA401, signature_severity Major, updated_at 2022_03_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Gopher Related User-Agent (aimxxhwpcc)"; flow:established,to_server; http.user_agent; content:"aimxxhwpcc"; bsize:10; fast_pattern; reference:md5,1f1969481fe9bca52d5c01e1a093c1b8; reference:url,www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant; classtype:trojan-activity; sid:2035556; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family AridViper, malware_family TA401, signature_severity Major, updated_at 2022_03_22;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (product2020 .mrbasic .com)"; dns.query; content:"product2020.mrbasic.com"; nocase; bsize:23; reference:url,twitter.com/h2jazi/status/1505887653111209994; reference:md5,1af894a5f23713b557c23078809ed01c; reference:md5,1aba36f72685c12e60fb0922b606417c; classtype:domain-c2; sid:2035557; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family HeaderTip, signature_severity Major, updated_at 2022_03_22;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AllaKore RAT ID Command Observed"; flow:established,to_server; content:"|3c 7c|ID|7c 3e|"; fast_pattern; startswith; content:"|3c 7c|END|7c 3e|"; endswith; classtype:attempted-admin; sid:2035544; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_22;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AllaKore RAT CnC Checkin"; flow:established,to_server; content:"|3c 7c|mainzsoccer|7c|"; fast_pattern; startswith; classtype:attempted-admin; sid:2035542; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sidecopy APT Backdoor Related Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /logs_files HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:46; reference:md5,bc8e094a4fb6c724e6b32a00df6262f9; reference:url,twitter.com/bofheaded/status/1505928947955302401; classtype:trojan-activity; sid:2035558; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2022_03_22;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidecopy APT Backdoor Related Domain in DNS Lookup (kokotech .xyz)"; dns.query; content:"kokotech.xyz"; nocase; bsize:12; reference:md5,bc8e094a4fb6c724e6b32a00df6262f9; reference:url,twitter.com/bofheaded/status/1505928947955302401; classtype:domain-c2; sid:2035559; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2022_03_22;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SUR SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"20:82:92:3F:43:2C:8F:75:B7:EF:0F:6A:D9:3C:8E:5D"; fast_pattern; tls.cert_subject; content:"CN=SUR"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016468; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".kdc/"; fast_pattern; http.header_names; content:!"Referer"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"username="; startswith; content:"_"; distance:0; content:"&cart="; distance:0; content:"&cacogenics="; distance:0; reference:md5,1182940dca705e0b3a8349c9fdf99e10; reference:url,twitter.com/500mk500/status/1505638483691544580; classtype:trojan-activity; sid:2035560; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_22;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AllaKore RAT Set Keep-Alive Observed"; flow:established,to_server; content:"|3c 7c|SETPING|7c|"; fast_pattern; startswith; content:"|3c 7c|END|7c 3e|"; endswith; classtype:attempted-admin; sid:2035543; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".mesh"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/500mk500/status/1505638483691544580; classtype:trojan-activity; sid:2035561; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_22;)
+
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE FlawedGrace CnC Activity"; flow:to_server,established; dsize:14; content:"|47 43 52 47|"; offset:4; depth:4; threshold: type both, track by_src, count 10, seconds 60; reference:md5,2b1215fb65d33fc6206ab227a3b7e75a; classtype:command-and-control; sid:2026773; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_22;)
+
+alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response abuse.ch"; flow:established,to_client; dsize:22; content:"Sinkholed by abuse.ch|0a|"; fast_pattern; classtype:trojan-activity; sid:2020223; rev:4; metadata:created_at 2015_01_21, former_category MALWARE, updated_at 2022_03_22;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (FindPOS)"; flow:established,to_client; tls.cert_serial; content:"00:CD:2D:4A:53:08:27:AA:B4"; fast_pattern; tls.cert_subject; content:"O=Default Company Ltd"; reference:md5,a586db30ab21a02eee9e8ab2ebe8a2b5; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:domain-c2; sid:2021289; rev:3; metadata:attack_target Client_and_Server, created_at 2015_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (FindPOS)"; flow:established,to_client; tls.cert_serial; content:"00:80:5C:5F:EC:50:39:a2:14"; fast_pattern; tls.cert_subject; content:"O=Default Company Ltd"; reference:md5,a586db30ab21a02eee9e8ab2ebe8a2b5; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:domain-c2; sid:2021772; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:9F:B1:5C:37:90:8A:2E:B7"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022095; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:81:32:F4:D9:2C:39:C3:06"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022096; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:B4:78:3D:3F:BF:60:B9:94"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022097; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit)"; flow:established,to_client; tls.cert_serial; content:"00:B4:E9:29:AF:96:2B:99:E2"; fast_pattern; tls.cert_subject; content:"O=Internet Widgits Pty Ltd"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022098; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE SWORD Sending Sword Marker"; flow:established,to_server; content:"|20 20 20 20 2f 2a 0a 40 2a 2a 2a 40 2a 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40|"; fast_pattern; reference:md5,052f5da1734464a985dcd669bff62f93; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016445; rev:3; metadata:created_at 2013_02_20, updated_at 2022_03_22;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY onion.cab tor2web .onion Proxy domain in SNI"; flow:established,to_server; tls.sni; content:".onion.cab"; fast_pattern; endswith; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018879; rev:3; metadata:created_at 2014_08_01, updated_at 2022_03_23;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot .onion Proxy domain in SNI Aug 04 2014"; flow:established,to_server; tls.sni; content:"zxjfcvfvhqfqsrpz."; fast_pattern; startswith; reference:md5,9c40169371adbee467587ab55a61e883; classtype:trojan-activity; sid:2018892; rev:4; metadata:created_at 2014_08_05, former_category TROJAN, updated_at 2022_03_22;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY bridges.torproject.org over TLS with SNI"; flow:established,to_server; tls.sni; content:"bridges.torproject.org"; bsize:22; reference:url,www.torproject.org/docs/bridges.html.en; classtype:policy-violation; sid:2017929; rev:3; metadata:created_at 2014_01_04, updated_at 2022_03_23;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortening Service Domain in DNS Lookup (vtaurl .com)"; dns.query; content:"vtaurl.com"; nocase; bsize:10; classtype:bad-unknown; sid:2035562; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_23;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (vtaurl .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"vtaurl.com"; bsize:10; fast_pattern; classtype:bad-unknown; sid:2035563; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_23;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Send-Safe Bulk Mailer SSL Cert - Observed in Spam Campaigns"; flow:established,to_client; tls.cert_subject; content:"C=Unknown, ST=Unknown, L=Unknown, O=Send-Safe, OU=Unknown, CN=Send-Safe"; bsize:71; fast_pattern; reference:md5,837c7af7f376722a0315cb0a7cb12399; classtype:trojan-activity; sid:2022194; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shifr Ransomware Malicious Domain in SNI Observed"; flow:established,to_server; tls.sni; content:"v5t5z6a55ksmt3oh.onion"; startswith; fast_pattern; reference:md5,7a8c9fbfad9a817c0a10fed926f134c2; classtype:trojan-activity; sid:2024486; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_20, deployment Perimeter, former_category MALWARE, malware_family Shifr, signature_severity Major, tag Ransomware, updated_at 2022_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Spora Ransomware SSL Certificate Detected"; flow:established,to_client; tls.cert_subject; content:"CN=spora.bz"; fast_pattern; classtype:trojan-activity; sid:2024043; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_09, deployment Perimeter, former_category MALWARE, malware_family Spora, signature_severity Major, tag Ransomware, updated_at 2022_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SteamStealer Domain in SNI"; flow:established,to_server; tls.sni; content:"steamdesktopauthenticator.com"; bsize:29; fast_pattern; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:trojan-activity; sid:2025387; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category TROJAN, malware_family Steam_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_03_23;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SteamStealer Malicious SSL Certificate Detected"; flow:established,to_client; tls.cert_subject; content:"CN=steamdesktopauthenticator.com"; fast_pattern; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:domain-c2; sid:2025388; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_02_26, deployment Perimeter, former_category MALWARE, malware_family Steam_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE StrongPity APT SSL Certificate Detected"; flow:established,to_client; tls.cert_subject; content:"CN=mevlut.oncu.example.com"; fast_pattern; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/; classtype:targeted-activity; sid:2025416; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2022_03_23;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ConPtyShell Client Response"; flow:established,to_server; content:"|1b 5b 32 4a 1b 5b 6d 1b 5b 48 1b 5b 48 1b 5d 30 3b|"; startswith; fast_pattern; content:"|5b 32 33 58 1b 5b 32 33|"; distance:0; content:"|43 0d 0a 1b 5b 38 30 58 1b 5b 38 30 43 0d 0a 1b|"; distance:0; reference:url,github.com/antonioCoco/ConPtyShell; classtype:command-and-control; sid:2035565; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ConPtyShell Server Command (whoami)"; flow:established,to_client; content:"|32 35 20 38 30 0a|"; startswith; fast_pattern; content:"whoami"; distance:0; reference:url,github.com/antonioCoco/ConPtyShell; classtype:command-and-control; sid:2035566; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ConPtyShell Server Close Shell"; flow:established,to_client; content:"|32 35 20 38 30 0a|"; startswith; fast_pattern; content:"exit"; distance:0; reference:url,github.com/antonioCoco/ConPtyShell; classtype:command-and-control; sid:2035567; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_23;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SuperFish Possible SSL Cert Signed By Compromised Root CA"; flow:established,to_client; tls.cert_issuer; content:"O=Superfish, Inc."; content:"CN=Superfish, Inc."; fast_pattern; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:trojan-activity; sid:2020493; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)"; flow:established,to_client; tls.cert_subject; content:"OU=SomeOrganizationalUnit"; fast_pattern; classtype:policy-violation; sid:2013659; rev:6; metadata:attack_target Client_Endpoint, created_at 2011_09_15, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (Snake Oil CA)"; flow:established,to_client; tls.cert_issuer; content:"CN=Snake Oil CA"; fast_pattern; classtype:policy-violation; sid:2013295; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_07_21, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Suspected SPECULOOS Backdoor CnC Init Packet Masquerading as SNI Request to live .com"; dsize:186; content:"|16 03 01 00 b5 01 00 00 b1 03 01|"; depth:11; content:"|00 00 48 c0 0a c0 14 00 88 00 87 00 3900 38 c0 0f c0 05 00 84 00 35 c0 07 c0 09 c0 11 c0 13 00 45 00 44 00 66 00 33 00 32 c0 0c c0 0ec0 02 c0 04 00 96 00 41 00 04 00 05 00 2f c0 08c0 12 00 16 00 13 c0 0d c0 03 fe ff 00 0a 02 0100 00 3f 00 00 00 13 00 11 00 00 0e 6c 6f 67 696e 2e 6c 69 76 65 2e 63 6f 6d ff 01 00 01 00 000a 00 08 00 06 00 17 00 18 00 19 00 0b 00 02 01 00 00 23 00 00 33 74 00 00 00 05 00 05 01 00 0000 00|"; distance:32; within:143; fast_pattern; isdataat:!1,relative; reference:url,unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/; classtype:command-and-control; sid:2029910; rev:5; metadata:attack_target Client_Endpoint, created_at 2020_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_23;)
+
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Remote Access - RView - SSL Certificate Seen"; flow:established,to_client; tls.cert_subject; content:"CN=*.rview.com"; fast_pattern; classtype:policy-violation; sid:2020805; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
+
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY DropBox User Content Access over SSL"; flow:established,to_client; tls.cert_subject; content:"CN=*.dropboxusercontent.com"; fast_pattern; reference:url,www.dropbox.com/help/201/en; classtype:policy-violation; sid:2017015; rev:7; metadata:created_at 2013_06_13, updated_at 2022_03_23;)
+
+alert tcp any any -> $HOME_NET 88 (msg:"ET EXPLOIT Possible GoldenPac Priv Esc in-use"; flow:established,to_server; content:"|a0 07 03 05 00 50 80 00 00|"; content:"|a8 05 30 03 02 01 17|"; endswith; threshold: type limit, track by_src, seconds 60, count 1; reference:url,code.google.com/p/impacket/source/browse/trunk/examples/goldenPac.py; reference:cve,CVE-2014-6324; classtype:attempted-admin; sid:2019922; rev:4; metadata:created_at 2014_12_12, updated_at 2022_03_24;)
+
+alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - Data Channel Client Request 2"; flow:established,to_server; content:"CONNECT="; depth:8; content:"8_=_8"; endswith; classtype:trojan-activity; sid:2022707; rev:3; metadata:created_at 2016_04_06, updated_at 2022_03_24;)
+
+alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - CnC Password Exfil"; flow:established,to_server; content:"PASSWORDS="; depth:10; content:"8_=_8"; endswith; classtype:command-and-control; sid:2022709; rev:3; metadata:created_at 2016_04_06, former_category MALWARE, updated_at 2022_03_24;)
+
+alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - CnC"; flow:established,to_server; content:"ACT="; depth:4; content:"8_=_8"; endswith; classtype:command-and-control; sid:2022710; rev:3; metadata:created_at 2016_04_06, former_category MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)"; flow:established,to_server; tls.sni; content:"ipinfo.io"; bsize:9; fast_pattern; classtype:external-ip-check; sid:2025331; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2022_03_24;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability M2 (NT Create AndX .so) (CVE-2017-7494)"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|05 00|"; distance:8; within:2; content:"|00 2e 00 73 00 6f 00|"; fast_pattern; endswith; reference:cve,2017-7494; classtype:attempted-admin; sid:2024384; rev:3; metadata:affected_product Linux, attack_target Server, created_at 2017_06_16, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Black Stealer Exfil System Info"; flow:established,to_server; content: "|2b 20 2b 20 2b 20 5b 20|VicTim Info|20 5d 20 2b 20 2b 20 2b|"; depth:120; nocase; fast_pattern; content:"End Stealer|20 3d 20 3d 20 3d 20 3d 20 3d 20 3d|"; nocase; endswith; classtype:trojan-activity; sid:2024790; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category TROJAN, malware_family BlackStealer, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert http any any -> any any (msg:"ET INFO Possible Sandvine PacketLogic Injection"; flow:established,from_server; id:13330; flags:AF; content:"HTTP/1.1 307 Temporary Redirect|0a|Location|3a 20|"; depth:42; fast_pattern; content:"Connection: close|0a 0a|"; endswith; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/; classtype:misc-activity; sid:2025428; rev:3; metadata:attack_target Client_and_Server, created_at 2018_03_13, deployment Datacenter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2022_03_24;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT CnC Checkin"; flow:established,to_server; dsize:<150; content:"aut_sep_"; depth:8; fast_pattern; content:"_sep_"; distance:0; content:"_packet_"; endswith; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:command-and-control; sid:2026581; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT Sending Screen Size"; flow:established,to_server; dsize:<50; content:"sc.op_sep_"; depth:10; nocase; fast_pattern; content:"_packet_"; endswith; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026584; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT Requesting Screenshot"; flow:established,to_client; dsize:<50; content:"SC.CAP_sep_"; depth:11; nocase; content:"_sep_"; distance:0; content:"_packet_"; endswith; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026587; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, malware_family JavaRAT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Winnti Payload - XORed Check-in to Infected System (0xd4413890)"; flow:established,to_server; dsize:<300; content:"|b0 1c 03 d4 90 38 41 d4 2a b4 80 7f|"; depth:12; content:"|04 00|"; endswith; reference:url,medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a; classtype:trojan-activity; sid:2027361; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_17, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag APT, tag Winnti, updated_at 2022_03_24;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HVNC USR Init Detected"; flow:established,to_server; content:"|3b 00 00 00 19 00 00 00 12 01 00 00 2d 55 53 52|"; depth:16; content:"|00|"; endswith; reference:md5,4abde768b70e94093970901438e51cbd; classtype:trojan-activity; sid:2027831; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category TROJAN, malware_family HVNC, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.0)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|d|01|q|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022780; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.1)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|e|01|q|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022781; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.2)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|f|01|q|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022782; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.0)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|d|01|r|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022783; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.1)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|e|01|r|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022784; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.2)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|f|01|r|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022785; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.3)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|g|01|r|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022786; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 10.0)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|d|01|v|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022787; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SDBbot CnC Checkin"; flow:established,to_server; content:"|00 00 de c0|"; depth:4; content:"ver="; distance:0; content:"|0a|domain="; distance:0; content:"|0a|pc="; distance:0; content:"|0a|geo="; distance:0; content:"|0a|os="; distance:0; content:"|0a|rights="; distance:0; content:"|0a|proxyenabled="; distance:0; fast_pattern; content:"|0a|"; endswith; reference:md5,892be85dc60df6bc82568384e83b9b4c; classtype:command-and-control; sid:2031217; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_08, deployment Perimeter, former_category MALWARE, malware_family SDBbot, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/1xxbot CnC Checkin"; flow:established,to_server; dsize:<250; content:"|00|<EOM>Windows|20|"; startswith; fast_pattern; content:"<EOM>"; distance:0; content:"<EOM>"; distance:0; content:"<EOM>"; distance:0; content:"<EOF>"; endswith; reference:md5,9eb50c6cdb59d11b01ca9f069e8ba79d; classtype:command-and-control; sid:2028984; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_15, deployment Perimeter, former_category MALWARE, malware_family 1xxbot, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tick Group Payload - Reporting Error to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?"; content:"=hmo"; endswith; fast_pattern; http.user_agent; content:"|28|Windows|20|NT|20|6.1|3b 20|WOW64|3b|"; http.request_body; pcre:"/^[a-z0-9/=\+]$/i"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/; classtype:command-and-control; sid:2029081; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TickGroup, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tick Group Payload - Submitting Encrypted Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?"; content:"=A1f"; endswith; fast_pattern; http.user_agent; content:"|28|Windows|20|NT|20|6.1|3b 20|WOW64|3b|"; http.request_body; pcre:"/^[a-z0-9/=\+]$/i"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/; classtype:command-and-control; sid:2029082; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TickGroup, updated_at 2022_03_24;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Observed Orange LiveBox Router Information Leakage Attempt (CVE-2018-20377)"; flow:established,to_server; http.request_line; content:"GET|20|"; startswith; content:"/get_getnetworkconf.cgi|20|HTTP/1.1"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,badpackets.net/over-19000-orange-livebox-adsl-modems-are-leaking-their-wifi-credentials; reference:cve,2018-20377; classtype:trojan-activity; sid:2029091; rev:2; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2019_12_03, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Snatch Ransomware - Encryption Finished"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Go-http-client/"; startswith; http.request_body; content:"{|22|host|22 3a 22|"; startswith; content:"|22 2c 22|type|22 3a 22|finished|22 2c 22|username|22 3a 22|"; distance:0; fast_pattern; content:"|22|}"; endswith; http.header_names; content:!"Referer"; reference:md5,46406680a5825b6d1622acb984d4a41d; classtype:command-and-control; sid:2029104; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_10, deployment Perimeter, former_category MALWARE, malware_family Snatch, signature_severity Major, tag Ransomware, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Arechclient2 Backdoor CnC Init"; flow:established,from_server; dsize:<150; content:"|7b 22 54 79 70 65 22 3a 22 45 6e 63 72 79 70 74 69 6f 6e 53 74 61 74 75 73 22 2c 22 53 74 61 74 75 73 22 3a|"; fast_pattern; depth:80; content:"|7d|"; endswith; reference:md5,4ccba79d95dfd7d87b43643058e1cdd0; classtype:command-and-control; sid:2029217; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, malware_family Arechclient2, signature_severity Major, updated_at 2022_03_24;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Arechclient2 Backdoor CnC Keep-Alive"; flow:established,from_server; dsize:<100; content:"|7b 22 54 79 70 65 22 3a 22 53 65 73 73 69 6f 6e 49 44 22 2c 22 53 65 73 73 69 6f 6e 49 44 22 3a 22|"; fast_pattern; depth:50; content:"|7d|"; endswith; reference:md5,4ccba79d95dfd7d87b43643058e1cdd0; classtype:command-and-control; sid:2029219; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, malware_family Arechclient2, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft SQL RCE Attempt (CVE-2020-0618)"; flow:established,to_server; urilen:37; http.method; content:"POST"; http.uri; content:"/ReportServer/pages/ReportViewer.aspx"; http.request_body; content:"NavigationCorrector|24|PageState|3d|NeedsCorrection|26|NavigationCorrector|24|ViewState|3d|"; startswith; fast_pattern; content:"|26 5f 5f|VIEWSTATE|3d|"; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,github.com/euphrat1ca/CVE-2020-0618; classtype:web-application-attack; sid:2029476; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK JSE"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"X-UA-Compatible|3a 20|IE=EmulateIE8|0d 0a|"; file_data; content:"|3c 21|DOCTYPE html|3e 3c|html|3e 3c|head|3e 3c|script language|3d 22|JScript.Encode|22 3e 23 40 7e 5e|"; startswith; fast_pattern; pcre:"/^[^<]+\x0d\x0a<\/script>/R"; content:"|3c 2f|head|3e 3c|body|3e 3c 2f|body|3e 3c 2f|html|3e|"; endswith; reference:url,www.malware-traffic-analysis.net/2020/03/02/index.html; classtype:exploit-kit; sid:2029582; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Suspected SandCat Related CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/socket.io/?EIO="; depth:16; content:"&transport=polling"; endswith; http.request_body; content:"|5b 22|add|20|user|22|,|22|ID_"; offset:5; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,eeecfa2999aea400deb8029d27db125e; classtype:command-and-control; sid:2029619; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StealRat Checkin"; flow:established,to_server; http.uri; content:"/d/"; startswith; fast_pattern; content:".jpg"; endswith; pcre:"/^\/d\/[a-z]+\d+\.jpg$/"; http.header_names; content:!"Referer|0d 0a|"; http.host; content:"www.google.com"; bsize:14; classtype:command-and-control; sid:2017263; rev:4; metadata:created_at 2013_08_01, former_category MALWARE, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Woai.Dropper Config Request"; flow:established,to_server; http.uri; content:"/client/config.ini"; fast_pattern; http.user_agent; content:"MSIE"; content:"|3B 29|"; endswith; reference:md5,0425a66e3b268ef8cbdd481d8e44b227; classtype:trojan-activity; sid:2018102; rev:7; metadata:created_at 2014_02_10, updated_at 2022_03_24;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MSIL/Firebird RAT CnC Checkin"; flow:established,to_server; dsize:<100; content:"|01 00 00 00 ff ff ff ff 01 00 00 00 00 00 00 00 06 01 00 00 00|"; startswith; fast_pattern; content:"|0b|"; endswith; reference:md5,ede8ebfc82463d1e7e6f29ca66f96514; classtype:command-and-control; sid:2029606; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, malware_family Firebird, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Online Scheduling System 1.0 - Authentication Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Online%20Scheduling%20System/login.php"; fast_pattern; http.request_body; content:"username="; depth:9; nocase; content:"&password="; nocase; distance:0; content:"&lgn=Login"; nocase; endswith; reference:url,www.exploit-db.com/exploits/48409; classtype:attempted-admin; sid:2030094; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Web_Server, created_at 2020_05_04, deployment Perimeter, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus.Downloader Campaign Second Stage Executable Request"; flow:established,to_server; http.uri; content:"2p/"; content:".exe"; fast_pattern; endswith; pcre:"/\/p?2p\/[0-9]{1,2}\.exe$/"; reference:md5,ca15e5e96aee8b18ca6f3c185a690cea; classtype:trojan-activity; sid:2018184; rev:7; metadata:created_at 2014_02_27, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus.Downloader Campaign Second Stage Executable Request 10/4/2014"; flow:established,to_server; urilen:<11; http.uri; content:"/2p/"; depth:4; content:".exe"; endswith; fast_pattern; pcre:"/^\/2p\/[a-z]{1,2}\.exe$/"; reference:md5,94d5d99b910f9184573a01873fdc42fc; classtype:trojan-activity; sid:2018385; rev:5; metadata:created_at 2014_04_11, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Hyteod.Downloader CnC Beacon"; flow:established,to_server; http.uri; content:"/payment_gateway/"; startswith; content:".gz"; endswith; pcre:"/\/[a-z0-9]{3,}\.gz$/"; http.user_agent; content:"OperaMini"; depth:9; reference:md5,8258c3d8bab63cacf143cf034e2e7c1a; classtype:command-and-control; sid:2019824; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE rechnung zip file download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"rechnung"; fast_pattern; nocase; content:".zip"; nocase; endswith; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2020622; rev:5; metadata:created_at 2015_03_05, former_category CURRENT_EVENTS, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Geodo/Emotet Downloading PE"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/mss"; fast_pattern; content:".exe"; endswith; pcre:"/\/mss\d+\.exe$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,6c4d198794d1afd2b8bbae6f16bdfaa7; classtype:trojan-activity; sid:2035043; rev:4; metadata:created_at 2015_03_17, former_category MALWARE, updated_at 2022_03_24;)
+
+#alert dns $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible DNS BIND TSIG Denial of Service Attempt (CVE-2020-8617)"; content:"|00|"; distance:0; byte_extract:1,1,rec_name,relative; content:"|00 00 fa 00 ff|"; distance:rec_name; within:5; fast_pattern; content:"|00 10 00 00|"; endswith; reference:cve,2020-8617; classtype:denial-of-service; sid:2030221; rev:2; metadata:attack_target DNS_Server, created_at 2020_05_26, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi/Ursnif/Papras Grabftp Module Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/download/ftp/grabftp"; fast_pattern; content:".bin"; endswith; pcre:"/^\/download\/ftp\/(?:grabftp|grabftp64)\.bin$/"; http.header; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Win64|3B 20|x64)"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,e946b3dba7cd9a44fbbcbc3c7c76e440; classtype:trojan-activity; sid:2021321; rev:4; metadata:created_at 2015_06_23, updated_at 2022_03_24;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RedControle Communicating with CnC"; flow:established,to_server; content:"SE_ND_CO_NN_EC|23|"; depth:15; fast_pattern; content:"|23|"; within:20; content:"|23|"; endswith; reference:url,threatvector.cylance.com/en_us/home/poking-the-bear-three-year-campaign-targets-russian-critical-infrastructure.html; reference:md5,855b937f668ecd90b8be004fd3c24717; classtype:command-and-control; sid:2026724; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category MALWARE, malware_family RedControle, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Phish 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&password="; nocase; distance:0; content:"&changing=Value"; nocase; endswith; classtype:credential-theft; sid:2032461; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized Adobe PDF Online Phish 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?e="; nocase; fast_pattern; pcre:"/\.php\?e=[a-zA-Z0-9+&*-]+(?:\.[a-zA-Z0-9_+&*-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,7}$/"; http.request_body; content:"p="; depth:2; nocase; content:"&submit="; nocase; endswith; classtype:credential-theft; sid:2032462; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Bank Phish 2016-10-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"cpf="; depth:4; nocase; content:"&senha="; nocase; distance:0; content:"&ok=continuar"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032463; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish 2016-11-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"userid="; depth:7; nocase; content:"&password="; nocase; distance:0; content:"&name="; nocase; distance:0; content:"&ssn="; nocase; distance:0; content:"&ccnum="; nocase; distance:0; content:"&cvv2="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&year="; nocase; distance:0; content:"&dob="; nocase; distance:0; content:"&atmpin="; nocase; distance:0; fast_pattern; content:"&add="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&epass="; nocase; distance:0; content:"&question1="; nocase; distance:0; content:"&continue=Submit+Now"; nocase; endswith; classtype:credential-theft; sid:2032464; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful BB&T Bank Phish 2016-12-15"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; content:"&input=Go"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032467; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fareit/Pony Downloader Checkin 3"; flow:established,to_server; flowbits:set,ET.Fareit.chk; http.method; content:"GET"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.0"; depth:33; content:"Windows 98)"; fast_pattern; endswith; http.accept; content:"*/*"; http.connection; content:"close"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|"; reference:md5,dcc2c110e509fa777ab1460f665bd137; reference:md5,bf422f3aa215d896f55bbe2ebcd25d17; reference:md5,d50c39753ba88daa00bc40848f174168; reference:md5,9544c681ae5c4fe3fdbd4d5c6c90e38e; classtype:command-and-control; sid:2014234; rev:14; metadata:created_at 2012_02_17, former_category MALWARE, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Evil Macro EXE DL mar 15 2016"; flow:established,to_server; http.uri; content:"/image/"; depth:7; content:".exe"; endswith; fast_pattern; pcre:"/^\/image\/(?:data|flags)\/[^\x2f]+\.exe$/i"; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2022622; rev:6; metadata:created_at 2016_03_16, former_category CURRENT_EVENTS, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot Requesting PE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"ho"; content:"ping/mod_"; within:10; fast_pattern; content:"/"; endswith; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,08aab7cdbfc2446fbca2a2f350df4ea2; classtype:trojan-activity; sid:2019759; rev:8; metadata:created_at 2014_11_20, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KINS/ZeusVM Variant Retrieving Config"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/config"; fast_pattern; content:".jpg"; endswith; pcre:"/\/config[^\x2e\x2f]*?\.jpg$/"; http.header; content:"Cache-Control|3a 20|no-cache"; http.user_agent; pcre:"/(?:\x20MSIE\x20|rv\x3a11)/"; http.connection; content:"close"; nocase; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:trojan-activity; sid:2021528; rev:8; metadata:created_at 2015_07_23, former_category TROJAN, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RansomCrypt Intial Check-in"; flow:established,to_server; http.user_agent; content:"Windows NT 5.1|3b 20|ru|3b|"; content:"Gecko/20100722 Firefox/3.6.12"; endswith; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; classtype:trojan-activity; sid:2016748; rev:6; metadata:created_at 2013_04_10, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 7"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; depth:1; content:"/"; endswith; http.user_agent; pcre:"/(?:MSIE|rv\x3a)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; content:"63"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|"; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:command-and-control; sid:2025119; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Smoke_Loader, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 2 M2"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/[a-z]{3,6}\/[a-z]{3,6}\.[a-z]{3}$/"; http.cookie; content:"=|3b 20|"; content:"=|3b 20|"; distance:0; content:"=|3b|"; endswith; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|Cookie|0d 0a|Host|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a 0d 0a|"; reference:md5,f12fc711529b48bcef52c5ca0a52335a; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting; classtype:command-and-control; sid:2025291; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category MALWARE, malware_family elise, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] Successful 163 Webmail Phish 2018-07-25"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"application/json"; file.data; content:"{|22|user_id|22|:|22|"; nocase; within:20; content:"|22|,|22|ip|22|:|22|"; nocase; within:15; content:"|22|,|22|add_time|22|:|22|"; nocase; distance:0; content:".163.com|5c 2f 22 2c 22|code|22 3a 22|ok|22|}"; nocase; endswith; fast_pattern; classtype:credential-theft; sid:2025893; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-09-26"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"&formtext1="; nocase; distance:0; content:"&formimage1.x=1&formimage1.y=1"; fast_pattern; nocase; endswith; classtype:credential-theft; sid:2026412; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kraken Ransomware Start Activity 1"; flow:established,to_server; http.uri; content:!"."; content:!"&"; content:!"?"; http.user_agent; content:"-"; offset:2; depth:1; content:"|3a|Begin"; endswith; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aBegin$/"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,09d3bd874d9a303771c89385d938c430; classtype:trojan-activity; sid:2026471; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_11, deployment Perimeter, former_category MALWARE, malware_family Kraken_Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Kraken Ransomware Start Activity 2"; flow:established,to_server; http.uri; content:!"."; content:!"&"; content:!"?"; http.user_agent; content:"-"; offset:2; depth:1; content:"|3a|StartU"; endswith; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aStartU$/"; http.header_names; content:!"Accept"; content:!"Referer"; classtype:trojan-activity; sid:2026472; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_11, deployment Perimeter, former_category MALWARE, malware_family Kraken_Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sidewinder Stage 2 VBS Downloader Reporting Successful Infection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/"; depth:9; content:"/true/true/done"; fast_pattern; endswith; http.user_agent; content:"WinHttp.WinHttpRequest."; http.header_names; content:"Referer"; content:!"Cache"; reference:md5,dfad7d4a7ecb2eed6d69abfbfb5f94c9; reference:url,medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739; classtype:trojan-activity; sid:2026545; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, malware_family Sidewinder, performance_impact Low, signature_severity Major, tag VBS, updated_at 2022_03_24;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for DNSpionage CnC Domain"; dns.query; content:".microsoftonedrive.org"; nocase; fast_pattern; endswith; reference:url,blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html; classtype:command-and-control; sid:2026680; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DNSpionage, tag DNS_tunneling, updated_at 2022_03_24;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"outlooklive.org.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026704; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.toshiba.org.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026705; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.fujitsu.org.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026706; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.asus.org.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026707; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.miria.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026708; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"cloudpallets32.com"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026709; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"contents.bz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026710; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"usasecurefiles.com"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026711; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"freecloud.biz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026712; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"alotile.biz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026713; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"transef.biz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026714; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"fundsxe.com"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026715; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"document.cdn-one.biz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026716; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Win32 Lucky Ransomware Encryption Process Started"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?code="; content:"&file="; distance:0; content:"&size="; distance:0; content:"&sys="; distance:0; content:"&VERSION="; distance:0; content:"&status=begin"; fast_pattern; endswith; http.user_agent; content:"Client"; depth:6; endswith; reference:url,blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/; classtype:trojan-activity; sid:2026726; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category MALWARE, malware_family Satan, signature_severity Major, tag Ransomware, tag Multi_Platform, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lucky Ransomware Reporting Successful File Encryption"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?code="; content:"&file="; distance:0; content:"&size="; distance:0; content:"&sys="; distance:0; content:"&VERSION="; distance:0; content:"&status=done"; fast_pattern; endswith; http.user_agent; content:"Client"; depth:6; endswith; reference:url,blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/; classtype:trojan-activity; sid:2026727; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category MALWARE, malware_family Satan, signature_severity Major, tag Ransomware, tag Multi_Platform, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Unk Downloader 0 Byte POST CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-Length|3a 20|0|0d|"; http.user_agent; content:"xmsSofts_1.0.0_"; depth:15; fast_pattern; content:"|5c|"; endswith; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2026760; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, tag JavaScript, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Retadup CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"4D53473A213A"; content:"20457865637574656420417320"; distance:0; fast_pattern; content:"0D0A"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-retadup-worm-goes-polymorphic-gets-an-autohotkey-variant/; classtype:command-and-control; sid:2027078; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_13, deployment Perimeter, former_category MALWARE, malware_family Retadup, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Unattributed CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"secure-message.online"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:domain-c2; sid:2027222; rev:5; metadata:attack_target Client_and_Server, created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Unattributed CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"internal-message.app"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:domain-c2; sid:2027223; rev:4; metadata:attack_target Client_and_Server, created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Binance Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"binance"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027240; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Ebay Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"ebay"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027242; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Webmail Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"webmail"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027243; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Account Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"account"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027244; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Outlook Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"outlook"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027246; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible DHL Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"dhl"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027247; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Docusign Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"docusign"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027248; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Facebook Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"facebook"; content:".github.io"; endswith; fast_pattern; content:!"facebook.github.io"; depth:18; endswith; classtype:policy-violation; sid:2027275; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Paypal Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"paypal"; fast_pattern; content:".github.io"; endswith; content:!"paypal.github.io"; depth:16; endswith; classtype:policy-violation; sid:2027241; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jenkins Information Disclosure CVE-2017-1000395"; flow:established,to_server; http.method; content:"GET"; depth:3; endswith; http.uri; content:"/securityRealm/user/"; depth:20; fast_pattern; content:"/api/xml"; endswith; http.header_names; content:!"Referer"; reference:cve,2017-1000395; reference:url,jenkins.io/security/advisory/2017-10-11/#user-remote-api-disclosed-users-email-addresses; classtype:web-application-attack; sid:2027347; rev:5; metadata:attack_target Server, created_at 2019_05_10, cve 2017_1000395, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Office Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"office"; fast_pattern; content:".github.io"; endswith; content:!"officedev.github.io"; classtype:policy-violation; sid:2027245; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload Sending Screenshot to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?TOKEN="; content:"&funx=sc&i="; distance:0; fast_pattern; content:".png"; endswith; reference:url,mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg; classtype:targeted-activity; sid:2027681; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MuddyWater, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload Requesting Command from CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|command|2f|"; depth:9; fast_pattern; content:".cmd"; endswith; pcre:"/^\/command\/[A-Fa-f0-9]{8}\-(?:[A-Fa-f0-9]{4}\-){3}[A-Fa-f0-9]{12}\.cmd$/"; reference:url,mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg; classtype:targeted-activity; sid:2027684; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MuddyWater, updated_at 2022_03_24;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT Sarhurst/Husar/Hussarini/Hassar CnC Command Response"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<CHECK>"; depth:7; content:"</CHECK><COMMAND>"; distance:0; fast_pattern; content:"</COMMAND>"; endswith; pcre:"/^<CHECK>(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/CHECK>/"; reference:url,www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html; classtype:targeted-activity; sid:2027708; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Eris Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/v1/check"; depth:13; fast_pattern; endswith; http.request_body; content:"|7b 22 75 69 64 22 3a 22|"; depth:8; content:"|22 7d|"; endswith; pcre:"/^\{\x22uid\x22\x3a\x22[a-f0-9]+\x22\}$/si"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:!"Referer"; reference:md5,a4eeec442799c56c3e1aa9761661fb42; reference:url,www.bleepingcomputer.com/news/security/rig-exploit-kit-pushing-eris-ransomware-in-drive-by-downloads/; classtype:command-and-control; sid:2027802; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_05, deployment Perimeter, former_category MALWARE, malware_family Eris, signature_severity Major, tag Ransomware, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Rogue.WinPCDefender Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?machine_id={"; depth:14; fast_pattern; content:"}"; endswith; http.host; content:"anti"; depth:4; http.header_names; content:!"Referer"; reference:md5,aa8def27909596f8477a5374f735eec9; reference:url,www.bleepingcomputer.com/virus-removal/remove-antivirus-pro-2017; classtype:pup-activity; sid:2025358; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_14, deployment Perimeter, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GlitchPOS CnC Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gate.php?ped="; fast_pattern; content:"&s=1"; endswith; http.header_names; content:!"Referer"; reference:md5,8cfa2adde150918062eb5d6af59d0e2a; classtype:command-and-control; sid:2027912; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/dnscfg.cgi?dnsPrimary="; fast_pattern; content:"&dnsSecondary="; distance:0; content:"&dnsDynamic=0&dnsRefresh=1"; endswith; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027906; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TOTOLINK Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/boafrm/formbasetcpipsetup?dnsmode=dnsmanual&dns1="; fast_pattern; content:"&dns2="; distance:0; content:"&dns3="; distance:0; content:"&dnsrefresh=1"; endswith; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027910; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2016-09-16"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"dhl"; nocase; content:".php"; endswith; http.request_body; content:"email="; depth:6; nocase; fast_pattern; content:"pass="; nocase; distance:0; classtype:credential-theft; sid:2032505; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal (DE) Phish 2016-10-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"login_password="; depth:15; nocase; content:"&submit.x=Soumettre"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032561; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FreeMobile (FR) Phish M1 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"free.fr"; nocase; content:".php"; nocase; endswith; http.request_body; content:"comid="; depth:6; nocase; fast_pattern; content:"&compw="; nocase; distance:0; classtype:credential-theft; sid:2032573; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FreeMobile (FR) Phish M2 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"free.fr"; nocase; content:".php"; nocase; endswith; http.request_body; content:"comid2="; depth:7; nocase; fast_pattern; content:"&compw2="; nocase; distance:0; content:"&addr="; nocase; distance:0; classtype:credential-theft; sid:2032574; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FreeMobile (FR) Phish M3 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"free.fr"; nocase; content:".php"; nocase; endswith; http.request_body; content:"comname="; depth:8; nocase; fast_pattern; content:"&comnum="; nocase; distance:0; content:"&common="; nocase; distance:0; content:"&comy="; nocase; distance:0; content:"&comc="; nocase; distance:0; classtype:credential-theft; sid:2032575; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HBL Bank Phish M1 2016-10-12"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"tp="; depth:3; nocase; content:"&tp2="; nocase; distance:0; content:"&form6="; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032583; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful NatWest Bank Phish M3 2016-10-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"nwolb"; nocase; content:".aspx"; nocase; distance:0; content:".php"; nocase; endswith; http.header; content:"nwolb"; nocase; http.request_body; content:"c1="; nocase; content:"&c2="; nocase; distance:0; fast_pattern; content:"&c3="; nocase; distance:0; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2032597; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful NAB Bank Phish M1 2016-10-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"userid="; depth:7; nocase; content:"&password="; nocase; distance:0; content:"&sbt=Login"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032599; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-10-21"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"mpp/"; content:".php"; nocase; endswith; distance:0; http.header; content:"mpp/"; http.request_body; content:"1="; depth:2; nocase; content:"&2="; nocase; distance:0; content:"&submit.x=Login"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032608; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Outlook Phish 2016-10-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Email="; depth:6; nocase; content:"&Password="; nocase; distance:0; content:"&SI=Verify"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032594; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Online Phish 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"excel"; nocase; content:".php"; nocase; endswith; http.request_body; content:"X1="; depth:3; nocase; content:"&X2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032568; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Phish 2016-11-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"excel"; nocase; content:".php"; nocase; endswith; http.request_body; content:"email="; depth:6; nocase; content:"&passwd="; nocase; distance:0; fast_pattern; content:"&.save="; nocase; distance:0; classtype:credential-theft; sid:2032625; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Three Step Gmail Phish (1 of 3) 2016-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Email="; depth:6; nocase; content:"&Next=Next"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032648; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Three Step Gmail Phish (3 of 3) 2016-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"phoneNumber="; depth:12; nocase; content:"&altemail="; nocase; distance:0; content:"&City="; nocase; distance:0; content:"&submitChallenge=Continue"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032650; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_04_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PDF Online Phish 2016-12-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"pdf"; nocase; content:".php"; nocase; endswith; http.request_body; content:"t1="; depth:3; nocase; content:"X1="; nocase; distance:0; content:"&X2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032726; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/mpp/"; nocase; fast_pattern; content:".php"; nocase; endswith; http.request_body; content:"1="; depth:2; nocase; content:"&2="; nocase; distance:0; content:"&submit.x="; nocase; distance:0; pcre:"/^1=[^%]+(?:@|%40)[^&]+&/"; classtype:credential-theft; sid:2032704; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2016-10-03"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&password="; nocase; distance:0; content:"&submit="; nocase; endswith; pcre:"/^username=[^%]+(?:@|%40)[^&]+&/"; classtype:credential-theft; sid:2032700; rev:9; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (asrgd-uz .weedns.com)"; dns.query; content:"asrgd-uz"; fast_pattern; depth:8; content:".weedns.com"; nocase; endswith; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023025; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (sx4-ws42 .yi.org)"; dns.query; content:"sx4-ws42"; fast_pattern; depth:8; content:".yi.org"; nocase; endswith; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023026; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (we .q.tcow.eu)"; dns.query; content:"we"; depth:2; content:".q.tcow.eu"; nocase; fast_pattern; endswith; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023027; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tflower Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?name="; content:"&state=start"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:md5,53c923d4e39b966ab951f9a3b9d090be; reference:url,www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/; classtype:command-and-control; sid:2028597; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Tflower_Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jquery-"; depth:8; content:".min.js"; endswith; http.header; content:"Referer|3a 20|http|3a|//code.jquery.com/|0d 0a|Accept"; fast_pattern; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; bsize:63; http.accept_enc; content:"gzip, deflate"; bsize:13; http.cookie; content:"__cfduid="; depth:9; isdataat:!172,relative; pcre:"/^[A-Za-z0-9_-]{171}$/Rs"; reference:md5,8c9903db02a29847d04d0fd81dd67046; classtype:command-and-control; sid:2033658; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_22, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Darkhotel Higasia Downloader Requesting Module"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/file/start?session="; depth:20; fast_pattern; content:"&imsi="; within:20; content:".exe"; endswith; reference:md5,0e1ed07bae97d8b1cc4dcfe3d56ea3ee; reference:url,github.com/blackorbird/APT_REPORT/blob/master/Darkhotel/higaisa/higaisa_apt_report.pdf; classtype:command-and-control; sid:2028934; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BottleEK Landing"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; depth:9; endswith; http.content_len; byte_test:0,<,1000,0,string,dec; file.data; content:"<!doctype html>|0d 0a|<html lang=|22|ja|22|>|0d 0a|<head>|0d 0a|<meta http-equiv=|22|Content-Type|22 20|content=|22|text/html|3b 20|charset=UTF-8|22|>|0d 0a|<meta http-equiv=|22|x-ua-compatible|22 20|content=|22|IE=10|22|>|0d 0a|<meta http-equiv=|22|Expires|22 20|content=|22|0|22|>|0d 0a|<meta http-equiv=|22|Pragma|22 20|content=|22|no-cache|22|>|0d 0a|<meta http-equiv=|22|Cache-control|22 20|content=|22|no-cache|22|>|0d 0a|<meta http-equiv=|22|Cache|22 20|content=|22|no-cache|22|>"; content:"<body style=|22|background-color|3a 20|#F4F4F4|3b|font-family|3a|MS PGothic,Arial,Hiragino Kaku Gothic ProN,Osaka,sans-serif|22|>"; distance:0; fast_pattern; content:"/ajax.min.js|22|></script>|0d 0a|<script type=|22|text/javascript|22 20|src=|22|"; distance:0; content:"/main.js|22|></script>|0d 0a|</body>|0d 0a|</html>"; endswith; classtype:exploit-kit; sid:2029122; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2022_03_24;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Liftoh.Downloader Final.html Payload Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dl/"; content:"/final.html"; endswith; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:trojan-activity; sid:2017869; rev:5; metadata:created_at 2013_12_17, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 1 M2"; flow:to_server,established; content:"Cookie|3a 20|A="; fast_pattern; http.method; content:"GET"; http.uri; content:"/"; offset:9; depth:1; content:".html"; nocase; endswith; pcre:"/^\/[a-f0-9]{8}\/\D+\d{8,10}\.html$/i"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,23ace716ec34bfd9c98efd79b23a01af; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:command-and-control; sid:2021275; rev:9; metadata:attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder FreeMobile (FR) Phishing 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"free.fr"; nocase; fast_pattern; content:".php"; nocase; endswith; http.header; content:"free.fr"; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032703; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M8"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; content:!"?"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6."; startswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; pcre:"/^[A-Za-z]{5,20}\x22\x3b\x20filename=\x22[A-Za-z]{5,20}\x22/R"; content:"|0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|"; within:44; content:"|2d 2d 00 00 00 00 00 00 00 00 00 00|"; distance:0; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; http.content_type; content:"multipart/form-data|3b 20|boundary=---------------------------"; startswith; pcre:"/^\d{15}$/R"; http.content_len; byte_test:0,<,5000,0,string,dec; byte_test:0,>,4000,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[A-Z0-9a-z]{2,25}\/){1,10})\sHTTP\/1\.1\r\nReferer\x3a\x20http:\/\/(?:\d{1,3}\.){3}\d{1,3}(?:\x3a[0-9]{2,5})?(?P=urivar)\r\n/"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; depth:59; classtype:command-and-control; sid:2029380; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, tag Emotet, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Onliner Mailer Module Communicating with CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?&1001="; fast_pattern; content:"&req="; distance:1; within:5; content:"&"; endswith; http.protocol; content:"HTTP/1.0"; http.header_names; content:"Accept-Charset"; content:!"Referer"; content:!"Cache"; reference:url,www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/; classtype:command-and-control; sid:2027810; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_06, deployment Perimeter, former_category MALWARE, malware_family Onliner, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GanDownloader CnC Checkin"; flow:established,to_server; http.request_body; content:"|2f 00 00 00|"; depth:4; content:"_"; distance:6; content:"202020202020|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; fast_pattern; pcre:"/^\x2f\x00{3}[A-Z0-9]{6}_[a-f0-9]+\x00{16}$/s"; http.request_line; content:"POST / HTTP/1.1"; depth:15; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:md5,8f0017ed89c2f6639cc2a08bc1e83f1e; classtype:command-and-control; sid:2026946; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_20, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Win32/SocStealer.Socelars C2 Response"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Server-Key|3a 20|"; pcre:"/[A-Za-z0-9]{62}/R"; file.data; content:"[DATA]"; depth:6; fast_pattern; content:"[DATA]"; endswith; classtype:command-and-control; sid:2025458; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_03, deployment Perimeter, former_category MALWARE, malware_family SocStealer, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FOX-SRT ShimRat check-in (Yuok)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Youk$$"; fast_pattern; content:"Youk"; endswith; pcre:"/^(?:php)?Yuok\$\$\d\d/"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022902; rev:6; metadata:created_at 2016_06_15, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FOX-SRT ShimRat check-in (Data)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Data$$"; fast_pattern; content:"Data"; endswith; pcre:"/Data\$\$\d\d/"; http.header_names; content:!"Content-Type"; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022900; rev:9; metadata:created_at 2016_06_15, updated_at 2022_03_24;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MoinMoin twikidraw Action Traversal File Upload"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"?action=twikidraw"; fast_pattern; content:"&target="; distance:0; content:"../moin.wsgi"; endswith; reference:bugtraq,57082; reference:cve,2012-6081; reference:url,packetstormsecurity.com/files/122079/moinmoin_twikidraw.rb.txt; reference:url,exploit-db.com/exploits/25304/; classtype:web-application-attack; sid:2017074; rev:5; metadata:created_at 2013_06_28, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrickBot CnC Initial Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_W"; content:"/5/file/"; endswith; fast_pattern; http.user_agent; content:"curl/"; depth:5; http.header_names; content:!"Accept"; content:!"Referer"; classtype:trojan-activity; sid:2033659; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (OneDrive)"; flow:established,to_server; http.cookie; content:"E=P|3a|"; content:"=|3a|PFzM9cj"; endswith; fast_pattern; http.request_line; content:"GET|20|/preload?manifest=wac|20|HTTP/1.1"; bsize:34; http.header_names; content:!"Referer"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile; classtype:command-and-control; sid:2029743; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible eDellRoot Rogue Root CA"; flow:established,to_client; tls.cert_issuer; content:"CN=eDellRoot"; fast_pattern; reference:url,arstechnica.com/security/2015/11/dell-does-superfish-ships-pcs-with-self-signed-root-certificates/; classtype:trojan-activity; sid:2022134; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_03_24;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/ProtonBot CnC Response"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"newtask|3b|"; depth:8; fast_pattern; content:"|3b|1|3b|http"; within:15; content:".exe"; endswith; reference:url,fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild; reference:md5,efb1db340e78f6799d9fbc5ee08f40fe; classtype:command-and-control; sid:2027382; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Backdoor.Small.ao CnC Checkin"; flow:established,to_server; urilen:8; threshold: type limit, track by_dst, seconds 30, count 1; http.method; content:"POST"; http.uri; content:"/waiting"; fast_pattern; http.user_agent; content:"BC_Vic_"; depth:7; content:"BC_SPL"; endswith; http.header_names; content:"Expect"; content:!"Referer"; content:!"Accept"; content:!"Cache"; reference:md5,e8c9d8ffe8fae54b15262bf9aeb4172c; classtype:command-and-control; sid:2025370; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_19, deployment Perimeter, former_category MALWARE, malware_family Backdoor_Small, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT DSLink 260E Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/action?dns_status=1&dns_poll_timeout="; fast_pattern; content:"&id="; distance:0; content:"&dns_serv_ip_1="; distance:0; content:"&dns_serv_ip_2="; distance:0; content:"&dns_serv_ip_3="; distance:0; content:"&dns_serv_ip_4="; distance:0; content:"&priority=1&cmdadd=add"; endswith; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027908; rev:8; metadata:attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to avsvmcloud .com"; dns.query; content:".appsync-api."; content:"avsvmcloud.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031324; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to avsvmcloud .com"; flow:established,to_server; http.host; content:".appsync-api."; dotprefix; content:".avsvmcloud.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031338; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (avsvmcloud .com)"; flow:established,to_client; tls.cert_subject; content:".appsync-api."; content:".avsvmcloud.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031341; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Second Stage Payload Inbound 2021-02-19"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bestof/"; content:".exe"; within:20; endswith; http.header; content:"User-Agent|3a 20|AutoHotkey|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,2184931b6412cc900837890a6c5685f6; classtype:trojan-activity; sid:2033044; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Adobe Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"adobe"; fast_pattern; content:".github.io"; endswith; content:!"adobe.github.io"; depth:15; endswith; content:!"adobe-fonts.github.io"; depth:21; endswith; content:!"adobe-type-tools.github.io"; depth:26; endswith; content:!"adobe-apiplatform.github.io"; depth:27; classtype:policy-violation; sid:2027249; rev:8; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon (Bing Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search/?q="; startswith; content:"&go=Search&qs=bs&form="; distance:0; fast_pattern; http.cookie; content:"DUP="; startswith; content:"&T="; distance:0; content:"&A="; distance:0; content:"&IG"; endswith; http.header_names; content:!"Referer"; reference:url,twitter.com/TheDFIRReport/status/1376878123061551104; reference:md5,18b0ca0508f92c5ac6e75b9865b77a51; classtype:trojan-activity; sid:2032354; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Redirect to Adobe Shared Document Phishing M3 2016-04-18"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/pdf.adobe.cloud/"; fast_pattern; content:".php"; endswith; http.referer; content:".php"; endswith; classtype:social-engineering; sid:2032678; rev:10; metadata:attack_target Client_Endpoint, created_at 2016_04_18, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NOBELIUM Win32/VaporRage Loader CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/class-chll.php?session_info=60"; content:"5d"; distance:0; content:"&session="; distance:0; content:"&view_type=12"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4183.83 Safari/537.36"; bsize:102; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cache-"; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset; classtype:trojan-activity; sid:2033057; rev:2; metadata:created_at 2021_06_01, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE S400 RAT Client Checkin via Discord"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord"; depth:7; content:".com"; endswith; http.request_body; content:"content=S-400+RAT+%3a"; startswith; fast_pattern; content:"%0d%0ainformation"; distance:0; reference:md5,41ca8d5782ef5ac7a371b44f51dc48d9; classtype:command-and-control; sid:2034065; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family S400, signature_severity Major, tag RAT, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2021-11-10"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"check.php"; distance:0; http.referer; content:".otzo.com/verification.php"; fast_pattern; endswith; http.request_body; content:"email="; distance:0; content:"&password="; distance:0; reference:md5,11133fb1cdc61aa33e3de226dcdf92d4; classtype:credential-theft; sid:2034412; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Credential Phish 2021-11-16"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-content/plugins/my___fb/meme"; fast_pattern; startswith; content:".php"; endswith; http.request_body; content:"email="; content:"&pass="; distance:0; reference:md5,fdf21f9bdab460feed2f3fccde59b650; classtype:credential-theft; sid:2034487; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT FatPipe Unrestricted File Upload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fpui/"; nocase; fast_pattern; content:"|2e|jsp"; within:30; endswith; reference:url,ic3.gov/Media/News/2021/211117-2.pdf; classtype:attempted-admin; sid:2034531; rev:3; metadata:created_at 2021_11_22, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING BulletProofLink Phishkit Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/email-list/"; fast_pattern; content:".php"; endswith; reference:url,microsoft.com/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/; classtype:credential-theft; sid:2034045; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING BulletProofLink Phishkit Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/email-list/"; fast_pattern; content:".php"; endswith; reference:url,microsoft.com/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/; classtype:credential-theft; sid:2034046; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_24;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT NodeBB Path Traversal (CVE-2021-43788)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nodebb|2e|org|2f 3f 5b 5b 2e 2e 2f|"; nocase; fast_pattern; content:"|3a|"; content:"|5d 5d|"; within:50; endswith; reference:url,blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot; reference:cve,2021-43788; classtype:attempted-admin; sid:2034590; rev:2; metadata:attack_target Server, created_at 2021_12_06, cve CVE_2021_43788, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Banking Phish Landing Page 2022-01-11"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"banks"; startswith; content:"pin.php"; fast_pattern; endswith; reference:md5,ed0fb4e78b838c7d9884691efa434dd7; classtype:credential-theft; sid:2034893; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_24;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HVNC BOT Detected"; flow:established,to_server; content:"|3b 00 00 00 19 00 00 00 13 01 00 00 2d 42 4f 54|"; depth:16; content:"|00|"; endswith; reference:md5,4abde768b70e94093970901438e51cbd; classtype:trojan-activity; sid:2027832; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category TROJAN, malware_family HVNC, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ALEXANDR/"; fast_pattern; startswith; content:".rmvb"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,0fee6bb95bfbfeee768f742387d3ddce; reference:md5,81ada96074cbc01655fc3b9b570308cd; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035117; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/clamp/"; fast_pattern; content:".cbl"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,fac3f024711fc5fd3e1d69b994b159bd; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035118; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/globe/"; fast_pattern; content:".cam"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,6662dad691740c832ea2bcde17509d0a; classtype:trojan-activity; sid:2035131; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/courageous/"; fast_pattern; content:".eft"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,6662dad691740c832ea2bcde17509d0a; classtype:trojan-activity; sid:2035132; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/endless/"; fast_pattern; content:".arj"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,2a0269cf18f2f1c055153408f85ab4c6; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035167; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/allocation/"; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,1579a5a8bdca4eda62315116e418b9d6; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035168; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sour/"; fast_pattern; content:".kdp"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,bb1c8ad9f422a39ce6329e93dc060438; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035169; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pretend/"; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,ca9fa910806f5aafd33f0dd48fdc8415; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035170; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+
+alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Zerologon Phase 3/3 - Malicious NetrServerPasswordSet2 (CVE-2020-1472)"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; content:"|05 00 00|"; startswith; content:"|1e 00|"; offset:22; depth:2; content:"|24 00 00 00 06|"; distance:0; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; reference:url,www.secura.com/blog/zero-logon; reference:url,dirkjanm.io/a-different-way-of-abusing-zerologon/; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035262; rev:3; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_03_24;)
+
+alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALCHAMPION MS17-010 Sync Response"; flow:from_server,established; flowbits:isset,ET.ETERNALCHAMPIONsync; content:"|ff|SMB|25 00 00 00 00 98 03 c0 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:4; depth:24; fast_pattern; content:"|7c 00|"; distance:32; within:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; classtype:trojan-activity; sid:2024213; rev:5; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2022_03_24;)
+
+alert udp $HOME_NET 1234 -> $EXTERNAL_NET 4000 (msg:"ET MALWARE NAZAR EYService Pong response"; id:1; content:"101|3b|0000|3b|"; reference:url,blog.malwarelab.pl/posts/nazar_eyservice_comm; classtype:command-and-control; sid:2030055; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert udp $HOME_NET 1234 -> $EXTERNAL_NET 4000 (msg:"ET MALWARE NAZAR EYService OSInfo response"; id:1; content:"100|3b|"; reference:url,blog.malwarelab.pl/posts/nazar_eyservice_comm; classtype:command-and-control; sid:2030056; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Nobelium APT Related Domain in DNS Lookup (theskoolieblog .com)"; dns.query; content:"theskoolieblog.com"; nocase; bsize:18; reference:url,twitter.com/h2jazi/status/1506439550968676360; classtype:domain-c2; sid:2035596; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Nobelium APT Related Domain in DNS Lookup (ernesttheskoolie .com)"; dns.query; content:"ernesttheskoolie.com"; nocase; bsize:20; reference:url,twitter.com/h2jazi/status/1506439550968676360; classtype:domain-c2; sid:2035597; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:C1:3B:57:1A:83:A5:B1:4A"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022099; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:F2:66:4A:29:E0:7E:C2:78"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022227; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (FindPOS)"; flow:established,to_client; tls.cert_serial; content:"00:E0:78:4E:9C:A4:AD:AB:24"; fast_pattern; tls.cert_subject; content:"O=Default Company Ltd"; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:domain-c2; sid:2022228; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:F6:DA:A5:22:B2:8B:91:BE"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022232; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:9D:A8:74:C5:50:98:DD:09"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022306; rev:4; metadata:attack_target Client_and_Server, created_at 2015_12_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)"; flow:established,to_client; tls.cert_issuer; content:"AsyncRAT Server"; reference:md5,f69cadedae72d9d1a1d1578b56c39404; classtype:domain-c2; sid:2030673; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_11, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)"; flow:established,to_client; tls.cert_subject; content:"AsyncRAT Server"; nocase; classtype:domain-c2; sid:2035607; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (OSX/Keydnap CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=g5wcesdfjzne7255.onion.to"; reference:url,welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials; classtype:domain-c2; sid:2022953; rev:3; metadata:affected_product Mac_OSX, attack_target Client_and_Server, created_at 2016_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag TROJAN_OSX_Keydnap, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Command Fetch"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fecommand.acm"; endswith; fast_pattern; http.header_names; content:!"Referer"; http.connection; content:"Keep-Alive"; reference:url,twitter.com/jaydinbas/status/1506987283630768138; reference:md5,ecd47e596048ad1af9973a21af303465; classtype:trojan-activity; sid:2035605; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Possible Sinkhole)"; flow:established,to_client; tls.cert_subject; content:"O=infosec.jp"; fast_pattern; content:"CN=www.infosec.jp"; content:"snowyowl@jpnsec.com"; distance:0; reference:md5,ef5fa2378307338d4e75dece88158d77; classtype:domain-c2; sid:2022323; rev:3; metadata:attack_target Client_and_Server, created_at 2016_01_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Domain Fetch"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/zs_url.txt?dl=0"; endswith; fast_pattern; http.host; content:"dl.dropboxusercontent.com"; http.header_names; content:!"Referer"; http.connection; content:"Keep-Alive"; reference:url,twitter.com/jaydinbas/status/1506987283630768138; reference:md5,ecd47e596048ad1af9973a21af303465; classtype:trojan-activity; sid:2035606; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_11;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SERVER SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"52:55:38:16:FB:0D:1A:8A:4B:45:04:CB:06:BC:C4:AF"; tls.cert_subject; content:"CN=SERVER"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016467; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24;)
+
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server CnC Sending Executable"; flow:established,to_client; content:"This Program must be"; fast_pattern; content:"|0B 00|"; startswith; content:"|00|MZ"; distance:14; within:3; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,28173e257188ce3b3cc663be661bc2c4; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:command-and-control; sid:2018479; rev:3; metadata:created_at 2014_05_15, former_category MALWARE, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"uid="; startswith; content:"&avtype="; distance:0; content:"&majorv="; fast_pattern; content:"&minorv="; reference:url,twitter.com/jaydinbas/status/1506987283630768138; reference:md5,ecd47e596048ad1af9973a21af303465; classtype:command-and-control; sid:2035592; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert tcp-pkt $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Win32/CrimsonRAT Variant Sending Command (inbound)"; flow:established,to_client; dsize:<20; content:"|69 6e 66 32 6f 3d 63 6f 64 61 6e 64|"; fast_pattern; endswith; reference:md5,9bb081fb563b2905ea52e4b858d392ed; classtype:trojan-activity; sid:2035598; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_03_24;)
+
+alert tcp-pkt $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Win32/CrimsonRAT Variant Sending Command M2 (inbound)"; flow:established,to_client; dsize:<20; content:"|67 65 74 32 61 76 73 3d 61 76 70 72 6f|"; fast_pattern; endswith; reference:md5,9bb081fb563b2905ea52e4b858d392ed; classtype:trojan-activity; sid:2035599; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dl.dropboxusercontent.com"; bsize:25; fast_pattern; classtype:misc-activity; sid:2035593; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_03_24;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO DropBox User Content Download Access over SSL M2"; flow:established,to_client; tls.cert_subject; content:"CN=dl.dropbox.com"; fast_pattern; classtype:misc-activity; sid:2035594; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_03_24;)
+
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/CrimsonRAT Variant Sending System Information (outbound)"; flow:established,to_server; dsize:<120; content:"|69 6e 73 35 66 6f 3d 75 73 66 73 65 72 3b|"; fast_pattern; depth:20; reference:md5,9bb081fb563b2905ea52e4b858d392ed; classtype:trojan-activity; sid:2035600; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI)"; flow:established,to_server; tls_sni; content:"update.imdt.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:command-and-control; sid:2035568; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 2"; flow:established,to_server; tls_sni; content:"imbbq.co"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035569; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 3"; flow:established,to_server; tls_sni; content:"ds-super-admin.imtokens.money"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035570; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 4"; flow:established,to_server; tls_sni; content:"imtokenss.token-app.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035571; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 5"; flow:established,to_server; tls_sni; content:"xdhbj.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035572; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 6"; flow:established,to_server; tls_sni; content:"update.xzxqsf.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035573; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 7"; flow:established,to_server; tls_sni; content:"metamask.tptokenm.live"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035574; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 8"; flow:established,to_server; tls_sni; content:"two.shayu.la"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035575; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 9"; flow:established,to_server; tls_sni; content:"jdzpfw.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035576; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 10"; flow:established,to_server; tls_sni; content:"bp.tkdt.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035577; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 11"; flow:established,to_server; tls_sni; content:"ok.tkdt.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035578; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 12"; flow:established,to_server; tls_sni; content:"mm.tkdt.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035579; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 20"; flow:established,to_server; tls_sni; content:"token-lon.me"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035580; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 13"; flow:established,to_server; tls_sni; content:"bh.imtoken.sx"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035581; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 14"; flow:established,to_server; tls_sni; content:"ht.imtoken.cn.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035582; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 15"; flow:established,to_server; tls_sni; content:"api.tipi21341.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035583; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 16"; flow:established,to_server; tls_sni; content:"ariodjs.xyz"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035584; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 17"; flow:established,to_server; tls_sni; content:"walletappforbit.web.app"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035585; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 18"; flow:established,to_server; tls_sni; content:"jaxx.su"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035586; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GhostWriter APT Related Cobalt Strike Domain (ao3 .hmgo .pw in TLS SNI)"; flow:established,to_server; tls.sni; content:"ao3.hmgo.pw"; bsize:11; fast_pattern; reference:url,cert.gov.ua/article/38155; reference:url,twitter.com/netresec/status/1506990534547709972; reference:url,tria.ge/220324-p4dl5adghn; reference:md5,b5525108912ee8d5f1519f1b552723e8; classtype:domain-c2; sid:2035601; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Ghostwriter, signature_severity Major, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 19"; flow:established,to_server; tls_sni; content:"jaxx.tf"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035587; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 21"; flow:established,to_server; tls_sni; content:"master-consultas.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035588; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 22"; flow:established,to_server; tls_sni; content:"jaxxwalletinc.live"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035589; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GhostWriter APT Related Cobalt Strike Domain in DNS Lookup (hmgo .pw)"; dns.query; dotprefix; content:".hmgo.pw"; nocase; endswith; reference:url,twitter.com/netresec/status/1506990534547709972; reference:md5,b5525108912ee8d5f1519f1b552723e8; reference:url,tria.ge/220324-p4dl5adghn; classtype:domain-c2; sid:2035602; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Ghostwriter, signature_severity Major, updated_at 2022_03_24;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Empty SSL Certificate - Observed in Cobalt Strike"; flow:from_server,established; tls.cert_subject; content:"C=, ST=, L=, O=, OU=, CN="; endswith; bsize:25; fast_pattern; classtype:targeted-activity; sid:2023629; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 23"; flow:established,to_server; tls_sni; content:"jaxx.podzone.org"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035590; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 24"; flow:established,to_server; tls_sni; content:"saaditrezxie.store"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035591; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GhostWriter APT Related Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/works"; endswith; http.header; content:"Accept|3a 20|application/json|0d 0a|Content-Type|3a 20|application/json|3b 20|charset=UTF-8|0d 0a|"; http.cookie; content:"_token"; startswith; fast_pattern; pcre:"/^[a-zA-Z0-9\/+]{171}=$/R"; reference:url,cert.gov.ua/article/38155; reference:url,tria.ge/220324-p4dl5adghn; reference:url,twitter.com/netresec/status/1506990534547709972; reference:md5,b5525108912ee8d5f1519f1b552723e8; classtype:trojan-activity; sid:2035603; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family CobaltStrike, malware_family Ghostwriter, signature_severity Major, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY tor4u tor2web .onion Proxy domain in SNI"; flow:established,to_server; tls.sni; content:"tor4u.net"; fast_pattern; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018878; rev:3; metadata:created_at 2014_08_01, updated_at 2022_03_24;)
+
+#alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Tor based locker knowledgewiki.info in SNI July 31 2014"; flow:established,to_server; tls.sni; content:"knowledgewiki.info"; fast_pattern; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018877; rev:4; metadata:created_at 2014_08_01, former_category TROJAN, updated_at 2022_03_24;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 8"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; tls.cert_serial; content:"5f:31"; startswith; tls.cert_subject; content:"C=--"; startswith; content:"SomeCity"; distance:0; content:"root@localhost.localdomain"; distance:0; fast_pattern; reference:md5,f58a4369b8176edbde4396dc977c9008; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-030500-0430-99; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; classtype:targeted-activity; sid:2020974; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed IP Lookup Domain (formyip .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"formyip.com"; fast_pattern; classtype:external-ip-check; sid:2024832; rev:4; metadata:created_at 2017_10_10, former_category POLICY, updated_at 2022_03_24;)
+
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY DivX Client SSL Connection via Self-Signed SSL Cert"; flow:established,to_client; tls.cert_subject; content:"DivX, Inc. Certificate Authority"; fast_pattern; classtype:policy-violation; sid:2013300; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_07_23, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cisco IOS Self Signed Certificate Served to External Host"; flow:established,to_client; tls.cert_subject; content:"CN=IOS-Self-Signed-Certificate-"; fast_pattern; classtype:misc-activity; sid:2014617; rev:4; metadata:created_at 2012_04_20, updated_at 2022_03_25;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SodaMaster domain observed in TLS SNI (www. rare-coisns. com)"; flow:established,to_server; tls.sni; content:"www.rare-coisns.com"; fast_pattern; reference:md5,0b182464a2351a9d79c1222bb1fdf35e; reference:md5,037261d5571813b9640921afac8aafbe; reference:md5,c5994f9fe4f58c38a8d2af3021028310; classtype:targeted-activity; sid:2035615; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SodaMaster CnC HTTPS Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/image/look/javascript/index.php"; fast_pattern; startswith; reference:md5,0b182464a2351a9d79c1222bb1fdf35e; reference:md5,037261d5571813b9640921afac8aafbe; reference:md5,c5994f9fe4f58c38a8d2af3021028310; classtype:targeted-activity; sid:2035616; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_25, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SodaMaster CnC HTTPS Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/image/look/javascript/index.php"; fast_pattern; startswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20| MSIE 7.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0C|3b 20|.NET4.0E)"; reference:md5,0b182464a2351a9d79c1222bb1fdf35e; reference:md5,037261d5571813b9640921afac8aafbe; reference:md5,c5994f9fe4f58c38a8d2af3021028310; classtype:targeted-activity; sid:2035617; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_25, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN7 JSSLoader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /?id="; startswith; fast_pattern; http.uri; pcre:"/^\/\?id\=[A-Z]{12,28}[0-9]$/"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:md5,a5bad2da096e9ebbb90845dbadec91fe; reference:md5,253cb5361e43bfb1931fa115336e7c16; reference:md5,dd6d09e0e565ea18b85a18af8e95eb75; reference:url,blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files; classtype:trojan-activity; sid:2035608; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family FIN7, malware_family CarbonSpider, signature_severity Major, updated_at 2022_03_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN7 JSSLoader Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /?id="; startswith; fast_pattern; http.uri; pcre:"/^\/\?id\=[A-Z]{12,28}[0-9]$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:46; reference:md5,6f743e8fda2031db9907a8d6bd0a41a8; reference:url,blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files; classtype:trojan-activity; sid:2035609; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family FIN7, malware_family CarbonSpider, signature_severity Major, updated_at 2022_03_25;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7 JSSLoader Related Domain in DNS Lookup"; dns.query; content:"securmeawards.com"; nocase; bsize:17; reference:md5,0cd9c62063026d4199c941b5f644c5ce; reference:url,blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files; classtype:domain-c2; sid:2035610; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, signature_severity Major, updated_at 2022_03_25;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing domain observed in TLS SNI (info-getting-eu. com)"; flow:established,to_server; tls.sni; content:"info-getting-eu.com"; fast_pattern; classtype:credential-theft; sid:2035619; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category PHISHING, performance_impact Low, updated_at 2022_03_25;)
+
+alert dns $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Webserver Resolving Known Webshell CnC Domain (anonymousfox)"; dns.query; content:"anonymousfox."; startswith; fast_pattern; pcre:"/(?:is|mx|info|co)$/"; reference:url,twitter.com/unmaskparasites/status/1507038308789936150; classtype:bad-unknown; sid:2035612; rev:2; metadata:attack_target Web_Server, created_at 2022_03_25, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2022_03_25;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to BaitAndPhish Domain"; dns.query; dotprefix; content:".important-notification.com"; nocase; endswith; threshold: type limit, track by_dst, count 1, seconds 120; fast_pattern; classtype:misc-activity; sid:2035613; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_25;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Evil Keitaro Set-Cookie Inbound (85937)"; flow:established,from_server; http.stat_code; content:"200"; http.cookie; content:"85937=eyJ0e"; fast_pattern; pcre:"/^[A-Z0-9_\-.]{20,300}\x3b/Ri"; classtype:trojan-activity; sid:2035620; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, deployment SSLDecrypt, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2022_03_25;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 7"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"2c:2f"; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,9ad55b83f2eec0c19873a770b0c86a2f; classtype:targeted-activity; sid:2020972; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+
+alert tls [108.160.162.0/20,162.125.0.0/16,192.189.200.0/23,199.47.216.0/22,205.189.0.0/24,209.99.70.0/24,45.58.64.0/20] 443 -> $HOME_NET any (msg:"ET POLICY Dropbox.com Offsite File Backup in Use"; flow:established,to_client; tls.cert_subject; content:"CN=*.dropbox.com"; fast_pattern; threshold: type limit, count 1, seconds 300, track by_src; reference:url,www.dropbox.com; reference:url,dereknewton.com/2011/04/dropbox-authentication-static-host-ids/; classtype:policy-violation; sid:2012647; rev:7; metadata:created_at 2011_04_07, updated_at 2022_03_25;)
+
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 6"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"09:a9"; fast_pattern; depth:5; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,1dde02ff744fa4e261168e2008fd613a; classtype:targeted-activity; sid:2020971; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 5"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; distance:0; tls.cert_serial; content:"03:5f"; depth:5; tls.cert_subject; content:"*.corp.utilitytelephone.com"; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,4121414c63079b7fa836be00f8d0a93b; classtype:targeted-activity; sid:2020970; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 4"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"0f:0d"; depth:5; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,0e0182694c381f8b68afc5f3ff4c4653; classtype:targeted-activity; sid:2020969; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 3"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"1b:3c"; depth:5; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,181a88c911b10d0fcb4682ae552c0de3; classtype:targeted-activity; sid:2020968; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 2"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"65:5d"; depth:5; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,859f167704b5c138ed9a9d4d3fdc0723; classtype:targeted-activity; sid:2020967; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 1"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"31:d5"; depth:5; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,d5a82520ebf38a0c595367ff0ca89fae; classtype:targeted-activity; sid:2020966; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PHARMSPAM image requested layout viagra_super_active.jpg"; flow:established,to_server; content:"layout"; http_uri; content:"viagra_super_active.jpg"; http_uri; classtype:bad-unknown; sid:2011339; rev:4; metadata:created_at 2010_09_28, updated_at 2022_03_27;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FAKEAV redirecting to fake scanner page - /?777"; flow:established,to_server; content:"/?777"; http_uri; classtype:bad-unknown; sid:2011421; rev:4; metadata:created_at 2010_09_28, updated_at 2022_03_27;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential-Hiloti/FakeAV site access"; flow:established,to_server; content:"?p=p52dcW"; http_uri; pcre:"/\/\?p=p52dcW[A-Za-z]{4}/U"; classtype:trojan-activity; sid:2011591; rev:5; metadata:created_at 2010_10_06, former_category MALWARE, updated_at 2022_03_27;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre or Dyre SSL Cert Jan 22 2015"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.cert_subject; content:"C=CN, ST=ST"; fast_pattern; tls.certs; content:"|06 03 55 04 07|"; pcre:"/^.{2}(?P<var>[a-zA-Z0-9]{24}[01]).+?\x06\x03\x55\x04\x07.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2020290; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2022_03_27;)
+
+alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert M1 (L O)"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.certs; content:"|06 03 55 04 06 13 02|"; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?P<var>[a-zA-Z0-9]{1,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021432; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_27;)
+
+alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert M2 (L CN)"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.certs; content:"|06 03 55 04 06 13 02|"; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; content:"|06 03 55 04 03 0c|"; distance:0; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021433; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_27;)
+
+alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert M3 (O CN)"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.certs; content:"|06 03 55 04 06 13 02|"; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; distance:0; content:"|06 03 55 04 0a 0c|"; distance:0; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021434; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_27;)
+
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 2 2015"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.cert_subject; pcre:"/C=[A-Z]{2}\,/"; content:"ST="; distance:0; content:"L="; distance:0; content:"O="; distance:0; pcre:"/CN=[A-Z]/"; content:"OU="; distance:0; tls.certs; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; distance:0; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; content:"|55 04 0a|"; pcre:"/^.(?P<orgname>.[^01]+).*?\x55\x04\x0b.(?P=orgname)/Rsi"; content:!"Beam Propulsion"; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021743; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_09_03, deployment Perimeter, deprecation_reason Relevance, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_27;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected SmokeLoader Retrieving Next Stage (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/smoke/loader/uploads/"; startswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:md5,bfbf171b4ebc5286c78d718e445c65fb; classtype:trojan-activity; sid:2035623; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_28;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Windows Binary Observed in SSL/TLS Certificate"; flow:established,from_server; tls.certs; content:"This program cannot be run in DOS mode"; nocase; bsize:>768; reference:url,www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities; classtype:misc-attack; sid:2025315; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2022_03_28;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET [!5800,!445] (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 5"; flow:to_server,established; content:"|15 15|"; offset:2; depth:2; content:!"|15 15|"; within:2; content:"|15 15|"; distance:2; within:2; content:!"|15 15|"; within:2; content:"|15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15|"; fast_pattern; pcre:"/[^\x15][^\x49\x3f\x3e\x28\x69\x2f\x2e\x37\x2a\x29\x2b\x39\x36][\x20-\x27\x2c\x2d\x30\x31\x33-\x36\x38\x3b-\x3d\x40-\x47\x4a-\x4d\x4f\x50-\x5f\x60\x68\x6b-\x6f\x70-\x74\x76-\x7f]{1,14}\x15/R"; reference:md5,05054afcfc6a651a057e47cd0f013c7b; classtype:command-and-control; sid:2020215; rev:6; metadata:created_at 2015_01_20, former_category MALWARE, updated_at 2022_03_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TransparentTribe APT Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; http.request_body; content:"symetric="; startswith; fast_pattern; content:"&unsyms="; distance:0; content:"&polls="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,5cbcc3485f4286098b3a111ceec8ce54; reference:md5,14a7002d7787ebc78d76479c73fc2856; classtype:trojan-activity; sid:2035624; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_03_28;)
+
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE TransparentTribe APT Related Backdoor Activity"; flow:established,to_server; dsize:6; content:"|36 6e 46 74 24 31|"; fast_pattern; reference:md5,bc2ef641fc8d709f4c111937353c0ac2; reference:md5,b03e0568a5f26addc51c8a3e32baeb7f; reference:md5,9dadf9ce41994f869e8c35e1917b8238; classtype:trojan-activity; sid:2035625; rev:2; metadata:created_at 2022_03_28, updated_at 2022_03_28;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M3"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/octet-stream"; bsize:24; http.server; content:"HFS|20|"; startswith; fast_pattern; http.cookie; content:"HFS_SID_="; startswith; http.header; content:"|0d 0a|Content|2d|Disposition|3a 20|attachment|3b 20|filename|2a 3d|UTF|2d|8|27 27|"; content:"|3b 20|filename="; distance:1; within:11; content:"|0d 0a|"; distance:1; within:2; endswith; http.response_body; content:"Rar|21 1A 07|"; startswith; content:"|2e|dll"; within:150; reference:md5,930d405c7653dcf36c04e75224a2ff9d; reference:url,www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html; classtype:command-and-control; sid:2035621; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, performance_impact Moderate, signature_severity Major, updated_at 2022_03_28;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M4"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/octet-stream"; bsize:24; http.server; content:"HFS|20|"; startswith; fast_pattern; http.cookie; content:"HFS_SID_="; startswith; http.header; content:"|0d 0a|Content|2d|Disposition|3a 20|attachment|3b 20|filename|2a 3d|UTF|2d|8|27 27|"; content:"|3b 20|filename="; distance:1; within:11; content:"|0d 0a|"; distance:1; within:2; endswith; http.response_body; content:"Rar|21 1A 07|"; startswith; content:"|2e|lnk"; within:150; reference:md5,930d405c7653dcf36c04e75224a2ff9d; reference:url,www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html; classtype:command-and-control; sid:2035622; rev:1; metadata:created_at 2022_03_28, updated_at 2022_03_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2022-03-28"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"M09009944646.php"; endswith; fast_pattern; http.request_body; content:"user="; content:"pass="; distance:0; reference:md5,40eff169fa7b8cacdde4499290a57aa5; classtype:credential-theft; sid:2035628; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_28;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX Related Domain in DNS Lookup (ntpserver .xyz)"; dns.query; content:"ntpserver.xyz"; fast_pattern; nocase; bsize:13; reference:md5,09c120d23f986040af202607db6157f0; reference:url,twitter.com/0xrb/status/1508330395250868229; classtype:domain-c2; sid:2035626; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_28;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX Related Domain in DNS Lookup (cxks8 .com)"; dns.query; content:"cxks8.com"; fast_pattern; nocase; bsize:9; reference:md5,99ee1e21a34b0536b120d4a6977fd252; reference:url,twitter.com/0xrb/status/1508330395250868229; classtype:domain-c2; sid:2035627; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_28;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 1"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; tls.cert_serial; content:"12:85"; tls.cert_subject; content:"--"; content:"SomeCity"; distance:0; content:"root@localhost.localdomain"; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021591; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_28;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 2"; flow:established,from_server; tls.cert_subject; content:"www.visionresearch.com"; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021419; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 5"; flow:established,from_server; tls.cert_subject; content:"extranet.qualityplanning.com"; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021422; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_28;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 6"; flow:established,from_server; tls.cert_subject; content:"edadmin.kearsney.com"; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021423; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 7"; flow:established, from_server; tls.cert_subject; content:"redbluffchamber.com"; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021424; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 8"; flow:established,to_client; tls.cert_subject; content:"Connectads.com"; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021425; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 3"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; tls.cert_serial; content:"3d:d6"; tls.cert_subject; content:"--"; content:"SomeCity"; distance:0; content:"root@localhost.localdomain"; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021420; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cobalt Group SSL Certificate Detected"; flow:established,from_server; tls.cert_subject; content:"dns-verifon.com"; reference:md5,26406f5cc72e13c798485f80ad3cbbdb; classtype:targeted-activity; sid:2025438; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_26, deployment Perimeter, former_category TROJAN, malware_family Cobalt_Group, performance_impact Low, signature_severity Major, updated_at 2022_03_29;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WatchGuard CVE-2022-26318 RCE Attempt M1"; flow:established,to_server; http.request_line; content:"POST /agent/login"; startswith; nocase; http.request_body; content:"|3c|methodName|3e|"; content:"login|3c 2f|methodName|3e|"; within:50; fast_pattern; nocase; content:"|3c|member|3e 3c|value|3e 3c|"; distance:0; nocase; content:!"|3e|"; within:400; reference:url,www.greynoise.io/blog/watchguard-cve-2022-26318-rce-detection-iocs-and-prevention-for-defenders; reference:cve,2022-26318; classtype:attempted-admin; sid:2035633; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_03_29, cve CVE_2022_26318, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_29;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WatchGuard CVE-2022-26318 RCE Attempt M2"; flow:established,to_server; http.request_line; content:"POST /agent/login"; startswith; fast_pattern; http.content_len; byte_test:0,>,450,0,string,dec; http.request_body; content:"|3c|methodName|3e|"; nocase; content:"login|3c 2f|methodName|3e|"; within:50; nocase; reference:url,attackerkb.com/topics/t8Nrnu99ZE/cve-2022-26318; reference:url,www.greynoise.io/blog/watchguard-cve-2022-26318-rce-detection-iocs-and-prevention-for-defenders; reference:cve,2022-26318; classtype:attempted-admin; sid:2035634; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_03_29, cve CVE_2022_26318, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_29;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible WatchGuard CVE-2022-26318 RCE Attempt M3"; flow:established,to_server; http.request_line; content:"POST /agent/login"; startswith; fast_pattern; http.content_len; byte_test:0,>,450,0,string,dec; http.header; content:"Content-Encoding|3a 20|gzip"; http.request_body; content:"|1f 8b|"; startswith; reference:url,attackerkb.com/topics/t8Nrnu99ZE/cve-2022-26318; reference:url,www.greynoise.io/blog/watchguard-cve-2022-26318-rce-detection-iocs-and-prevention-for-defenders; reference:cve,2022-26318; classtype:attempted-admin; sid:2035635; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_03_29, cve CVE_2022_26318, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_29;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (kutti .co in TLS SNI)"; flow:established,to_server; tls.sni; content:"kutti.co"; bsize:8; fast_pattern; classtype:bad-unknown; sid:2035640; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_03_29;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange Pre-Auth Path Confusion M1 (CVE-2021-31207)"; flow:established,to_server; http.uri; content:"/autodiscover"; nocase; fast_pattern; content:"Email=autodiscover/"; nocase; flowbits:set,ET.cve.2021.34473; reference:cve,2021-31207; classtype:attempted-admin; sid:2033681; rev:4; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_09, cve CVE_2021_31207, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange SUID Disclosure via SSRF Inbound M1 (CVE-2021-31207)"; flow:established,to_server; http.uri; content:"/autodiscover"; nocase; content:"Email=autodiscover/"; nocase; content:"/mapi/emsmdb"; nocase; distance:0; fast_pattern; reference:cve,2021-31207; classtype:attempted-admin; sid:2033701; rev:3; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_10, cve CVE_2021_31207, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange SUID Disclosure via SSRF Inbound M2 (CVE-2021-31207)"; flow:established,to_server; http.uri; content:"/autodiscover"; nocase; content:"/mapi/emsmdb"; nocase; distance:0; fast_pattern; http.cookie; content:"Email=autodiscover/"; nocase; reference:cve,2021-31207; classtype:attempted-admin; sid:2035648; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2022_03_29, cve CVE_2021_31207, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange RCE Inbound M2 (CVE-2021-34473)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/autodiscover.json?"; content:"/PowerShell/"; nocase; distance:0; content:"X-Rps-CAT="; distance:0; fast_pattern; content:"Email="; distance:0; content:"autodiscover/"; distance:0; within:20; reference:cve,2021-34473; classtype:attempted-admin; sid:2033711; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_12, cve CVE_2021_34473, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Abused File Hosting Domain in DNS Lookup (transferxl .com)"; dns.query; dotprefix; content:".transferxl.com"; nocase; endswith; classtype:misc-activity; sid:2035636; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_03_29;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Abused File Hosting Domain (transferxl .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".transferxl.com"; endswith; fast_pattern; classtype:misc-activity; sid:2035637; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_03_29;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Abused File Hosting Domain (transferxl-download .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".transferxl-download.com"; endswith; fast_pattern; classtype:misc-activity; sid:2035638; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_03_29;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Backdoor Related Domain (swordoke .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"swordoke.com"; bsize:12; fast_pattern; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:domain-c2; sid:2035645; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_29;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange RCE Inbound M3 (CVE-2021-34473)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/autodiscover.json?"; content:"/PowerShell/"; nocase; distance:0; content:"X-Rps-CAT="; distance:0; fast_pattern; http.cookie; content:"Email="; content:"autodiscover/"; distance:0; within:20; reference:cve,2021-34473; classtype:attempted-admin; sid:2035649; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2022_03_29, cve CVE_2021_34473, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange Mailbox Enumeration Inbound (CVE-2021-34473)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ews/exchange.asmx"; nocase; fast_pattern; http.request_body; content:"<s"; content:"<m:ResolveNames ReturnFullContactData=|22|true|22| SearchScope=|22|ActiveDirectory|22|>"; distance:0; content:"</m:ResolveNames>"; distance:0; reference:cve,2021-34473; classtype:attempted-admin; sid:2035650; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2022_03_29, cve CVE_2021_34473, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phish Landing Page 2022-03-29"; http.stat_code; content:"200"; http.content_len; byte_test:0,>=,68000,0,string,dec; file.data; content:!"<html>"; content:"<!-- ####### THIS IS A COMMENT - Visible only in the source editor #########-->"; content:"action="; pcre:"/\.php/Ri"; content:"name=|22|o8|22|"; fast_pattern; content:!"</html>"; reference:md5,60b2c87b34d51bb1ee2196d5b2db4c73; classtype:credential-theft; sid:2035647; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_29;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TerraMaster TOS Unauthenticated Command Injection Inbound M1 (CVE-2022-24989)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/module/api.php?mobile/createRaid"; fast_pattern; http.request_body; content:"raidtype|27 3a 20 27|"; nocase; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-24989; classtype:attempted-admin; sid:2035629; rev:2; metadata:attack_target Server, created_at 2022_03_29, cve CVE_2022_24989, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TerraMaster TOS Unauthenticated Command Injection Inbound M2 (CVE-2022-24989)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/module/api.php?mobile/createRaid"; fast_pattern; http.request_body; content:"raidtype="; nocase; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-24989; classtype:attempted-admin; sid:2035630; rev:2; metadata:attack_target Server, created_at 2022_03_29, cve CVE_2022_24989, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TerraMaster TOS Information Leak Inbound (CVE-2022-24990)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/module/api.php?mobile/webNasIPS"; fast_pattern; reference:cve,2022-24990; classtype:attempted-recon; sid:2035631; rev:1; metadata:attack_target Server, created_at 2022_03_29, cve CVE_2022_24990, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortening Service Domain in DNS Lookup (kutti .co)"; dns.query; content:"kutti.co"; fast_pattern; nocase; bsize:8; classtype:bad-unknown; sid:2035639; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_29;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Backdoor Related Domain in DNS Lookup (swordoke .com)"; dns.query; content:"swordoke.com"; fast_pattern; nocase; bsize:12; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:domain-c2; sid:2035644; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_29;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Warzone RAT Variant CnC Domain in DNS Lookup (dost .igov-service .net)"; dns.query; content:"dost.igov-service.net"; fast_pattern; nocase; bsize:21; reference:url,decoded.avast.io/threatintel/avast-finds-compromised-philippine-navy-certificate-used-in-remote-access-tool/; reference:md5,49e8853801554d9de4dd281828094c8a; classtype:domain-c2; sid:2035646; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_29;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (wikipedia-book .vote)"; dns.query; content:"wikipedia-book.vote"; nocase; bsize:19; reference:url,blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/; reference:md5,e98774bee4ed490089f6c63b6c676112; classtype:domain-c2; sid:2035652; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, updated_at 2022_03_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Verblecon User Agent Observed"; flow:established,to_server; http.user_agent; content:"VerbleConnectTM"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035659; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_30;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Trojan.Verblecon Related Domain (gaymers .ax in TLS SNI)"; flow:established,to_server; tls.sni; content:"gaymers.ax"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035661; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Trojan.Verblecon Related Domain (jonathanhardwick .me in TLS SNI)"; flow:established,to_server; tls.sni; content:"jonathanhardwick.me"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035663; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Abused Hosting Domain in DNS Lookup (digital-ministry .ru)"; dns.query; content:"digital-ministry.ru"; fast_pattern; nocase; bsize:19; reference:md5,fbe79895053b29ec2cfe99cad3eb83d5; reference:md5,29fe7a619970157adfcecfade1b204be; reference:url,blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/; classtype:bad-unknown; sid:2035654; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_30;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Trojan.Verblecon Related Domain (.verble .rocks in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".verble.rocks"; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035665; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Trojan.Verblecon Related Domain (verble .software in TLS SNI)"; flow:established,to_server; tls.sni; content:"verble.software"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035667; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor Retrieving Task (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?id="; startswith; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"R0VUVEFTSyUlJQ"; startswith; fast_pattern; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:command-and-control; sid:2035642; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor Sending Task Status (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?id="; startswith; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"UFVUVEFTSyUlJ"; startswith; fast_pattern; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:command-and-control; sid:2035643; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor Checkin (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?id="; startswith; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"SU5JVCUl"; startswith; fast_pattern; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:command-and-control; sid:2035641; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_30;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Image Hosting Domain in DNS Lookup (hizliresim .com)"; dns.query; dotprefix; content:".hizliresim.com"; nocase; endswith; classtype:misc-activity; sid:2035655; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_30;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed SSL Cert (hizliresim .com)"; flow:established,to_client; tls.cert_subject; content:"hizliresim.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?hizliresim\.com(?!\.)/"; classtype:misc-activity; sid:2035656; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_30;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (kisa .link)"; dns.query; dotprefix; content:".kisa.link"; nocase; endswith; classtype:misc-activity; sid:2035657; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_30;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortener Service Domain (www .kisa .link in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.kisa.link"; bsize:13; fast_pattern; classtype:misc-activity; sid:2035658; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, signature_severity Major, updated_at 2022_03_30;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Pastebin-style service (note .youdao .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"note.youdao.com"; fast_pattern; reference:url,twitter.com/malwrhunterteam/status/1509160261881667585; reference:md5,6cb6caeffc9a8a27b91835fdad750f90; classtype:misc-activity; sid:2035669; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2022_03_30;)
+
+alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert (fake state)"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.cert_subject; content:"C=AU"; fast_pattern; content:!"ST=Some-State"; tls.certs; content:"|06 03 55 04 06 13 02 41 55|"; content:"|06 03 55 04 08|"; distance:0; pcre:"/^.{2}(?=[A-Z]{0,32}[^A-Z01])(?P<var>[^01]{4,33}[01]).+?\x06\x03\x55\x04\x08.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2019833; rev:10; metadata:attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_31;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspicious Long NULL DNS Request - Possible DNS Tunneling"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|00 0a 00 01|"; distance:70; fast_pattern; content:!"microsoft.com|03|"; classtype:trojan-activity; sid:2029995; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target DNS_Server, created_at 2020_04_22, deployment Perimeter, signature_severity Major, updated_at 2022_03_31;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eterprx .net)"; dns.query; content:"eterprx.net"; nocase; bsize:11; reference:md5,21ccad42f936524b311a8bc102b16752; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; classtype:domain-c2; sid:2035683; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eternitypr .net)"; dns.query; content:"eternitypr.net"; nocase; bsize:14; reference:md5,21ccad42f936524b311a8bc102b16752; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; classtype:domain-c2; sid:2035684; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Eternity Stealer Domain (eternitypr .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"eternitypr.net"; bsize:14; fast_pattern; reference:md5,21ccad42f936524b311a8bc102b16752; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; classtype:domain-c2; sid:2035685; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, signature_severity Major, updated_at 2022_03_31;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Eternity Stealer Domain (eterprx .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"eterprx.net"; bsize:11; fast_pattern; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; reference:md5,21ccad42f936524b311a8bc102b16752; classtype:domain-c2; sid:2035686; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, signature_severity Major, updated_at 2022_03_31;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Eternity Stealer Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /api/accounts HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a 0d 0a|"; bsize:52; http.request_body; content:"growid="; startswith; content:"&password="; distance:0; content:"&stub_token="; distance:0; content:"&mac="; distance:0; content:"&token="; distance:0; content:"&creds="; distance:0; content:"&pcname="; distance:0; content:"&scrurl="; distance:0; reference:md5,21ccad42f936524b311a8bc102b16752; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; classtype:trojan-activity; sid:2035687; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Social Media Credential Phish 2022-03-31"; flow:established,to_server; flowbits:set,ET.genericphish; http.method; content:"POST"; http.uri; content:".php?nick="; fast_pattern; classtype:credential-theft; sid:2035688; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_31;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PlugX/Talisman Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"MCookie|3a 20|"; fast_pattern; pcre:"/^[0-9]-[0-9]-[0-9]{5}-[0-9]\r\n/R"; http.header_names; content:!"Referer|0d 0a|"; content:!"|0d 0a|Accept-"; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,ecab63b6de18073453310a9c4551074b; reference:url,www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html; classtype:trojan-activity; sid:2035689; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, malware_family PlugX, signature_severity Major, updated_at 2022_03_31;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Lightning Stealer Exfil Activity"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"|22|LogChromes|22 3a|"; content:"|22|LogGecko|22 3a|"; content:"|22|Screen|22 3a 7b|"; fast_pattern; content:"|22|Width|22 3a 22|"; distance:0; content:"|22|ScreenshotBase64|22 3a 22|"; distance:0; reference:md5,1b922b6d15085da82e20fee0789a6617; reference:url,twitter.com/3xp0rtblog/status/1509484987401351177; classtype:trojan-activity; sid:2035679; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Stealer, updated_at 2022_03_31;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Spring Cloud Connector RCE Inbound (CVE-2022-22963)"; flow:to_server,established; http.header; content:"spring.cloud.function.routing-expression|3a|"; fast_pattern; reference:cve,2022-22963; classtype:attempted-admin; sid:2035670; rev:1; metadata:attack_target Server, created_at 2022_03_31, cve CVE_2022_22963, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_31;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Common JSP WebShell String Observed in HTTP Header M1"; flow:to_server,established; http.header; content:"request.getParameter|28|"; fast_pattern; nocase; classtype:attempted-admin; sid:2035671; rev:1; metadata:created_at 2022_03_31, former_category INFO, updated_at 2022_03_31;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Common JSP WebShell String Observed in HTTP Header M2"; flow:to_server,established; http.header; content:"executeCmd|28|request.getParameter|28|"; fast_pattern; nocase; classtype:attempted-admin; sid:2035672; rev:1; metadata:created_at 2022_03_31, former_category INFO, updated_at 2022_03_31;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Common JSP WebShell String Observed in HTTP Header M3"; flow:to_server,established; http.header; content:"getRuntime|28 29|.exec"; fast_pattern; nocase; classtype:attempted-admin; sid:2035673; rev:1; metadata:created_at 2022_03_31, updated_at 2022_03_31;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Custom Logo Domain in DNS Lookup (seeklogo .com)"; dns.query; dotprefix; content:".seeklogo.com"; nocase; endswith; classtype:misc-activity; sid:2035690; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_31;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MSIL/Lightning Stealer Domain (panelss .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"panelss.xyz"; bsize:11; fast_pattern; reference:md5,1b922b6d15085da82e20fee0789a6617; reference:url,twitter.com/3xp0rtblog/status/1509484987401351177; classtype:domain-c2; sid:2035680; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_31;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Custom Logo Domain (seeklogo .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"seeklogo.com"; bsize:12; fast_pattern; classtype:misc-activity; sid:2035691; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, signature_severity Informational, updated_at 2022_03_31;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Terse Request to note .youdao .com - Possible Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/yws/api/personal/file/"; content:"?method=download&shareKey="; distance:0; pcre:"/[a-f0-9]{32}$/UR"; http.host; content:"note.youdao.com"; fast_pattern; bsize:15; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; content:!"Referer"; reference:url,twitter.com/malwrhunterteam/status/1509160261881667585; classtype:misc-activity; sid:2035681; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, performance_impact Moderate, signature_severity Informational, updated_at 2022_03_31;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MustangPanda APT Dropper Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|Content-Length|0d 0a|Host|0d 0a 0d 0a|"; bsize:46; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:">"; offset:8; content:">"; distance:1; within:1; content:">"; distance:7; within:1; content:"|2e|exe|5c|"; distance:0; fast_pattern; reference:md5,4a9b98832ba5c2b74f80dadd16b8a079; reference:url,twitter.com/StillAzureH/status/1505823479945625604; classtype:trojan-activity; sid:2035682; rev:2; metadata:created_at 2022_03_31, updated_at 2022_03_31;)
+
+alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Killav.CM CnC Response"; flow:to_client,established; dsize:11; content:"|09 01 00 00 00 00 0b 00 00 00 00|"; startswith; fast_pattern; classtype:trojan-activity; sid:2035693; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
+
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Killav.CM Checkin M2"; dsize:<50; flow:to_server,established; content:"|04 00 00 00 00|"; startswith; content:"|00 00 7E 00 00 00 7E 00|"; distance:0; fast_pattern; content:"|00 00|"; endswith; classtype:trojan-activity; sid:2035694; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deep Panda Downloader User-Agent (mozilla_horizon) GET request observed"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"mozilla_horizon"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; reference:md5,62d52076d41ab6e429a976d48173f29d; classtype:trojan-activity; sid:2035703; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deep Panda CnC Check-In"; flow:established,to_server; content:"CGKU"; fast_pattern; offset:16; depth:4; content:"MB|00 00|"; distance:128; within:4; content:"Win|20|"; distance:24; within:4; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; reference:md5,0b991aca7e5124df471cf8fb9e301673; classtype:trojan-activity; sid:2035707; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Redirection 2022-03-14"; flow:established,to_client; http.stat_code; content:"302"; http.header; content:"location|3a 20|Alert.php|0d 0a|"; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,07b9f93e06a83868a8b9ede2dff48346; classtype:credential-theft; sid:2035462; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_01;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Unk.CoinMiner Downloader"; flow:to_client,established; http.response_body; content:"Get-WMIObject"; startswith; content:"|24|miner_url"; distance:0; fast_pattern; content:"|24|miner_name"; distance:0; content:"|24|miner_cfg_url"; content:"|24|miner_cfg_path"; distance:0; reference:md5,6447bc87415b35532d9c8237a376ba70; classtype:trojan-activity; sid:2035695; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_01;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Image Hosting Domain in DNS Lookup (imgyukle .com)"; dns.query; dotprefix; content:".imgyukle.com"; nocase; endswith; classtype:misc-activity; sid:2035697; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_01;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Image Hosting Domain (imgyukle .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"imgyukle.com"; bsize:12; fast_pattern; classtype:misc-activity; sid:2035698; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, signature_severity Informational, updated_at 2022_04_01;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Image Hosting Domain in DNS Lookup (resimag .com)"; dns.query; dotprefix; content:".resimag.com"; nocase; endswith; classtype:misc-activity; sid:2035699; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_01;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Image Hosting Domain (resimag .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"resimag.com"; bsize:11; fast_pattern; classtype:misc-activity; sid:2035700; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, signature_severity Informational, updated_at 2022_04_01;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Image Hosting Domain (resimupload .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"resimupload.org"; bsize:15; fast_pattern; classtype:misc-activity; sid:2035701; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, signature_severity Informational, updated_at 2022_04_01;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Image Hosting Domain in DNS Lookup (resimupload .org)"; dns.query; dotprefix; content:".resimupload.org"; nocase; endswith; classtype:misc-activity; sid:2035702; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_01;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain (win .mirtonewbacker .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"win.mirtonewbacker.com"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035709; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain (umpulumpu .ru) in TLS SNI"; flow:established,to_server; tls.sni; content:"umpulumpu.ru"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035711; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain (greenblguard .shop) in TLS SNI"; flow:established,to_server; tls.sni; content:"greenblguard.shop"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035713; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain (onetwostep .at) in TLS SNI"; flow:established,to_server; tls.sni; content:"onetwostep.at"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035715; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackGuard_v2 Data Exfiltration Observed"; flow:established,to_server; content:"POST"; content:"?user="; content:"&hwid="; distance:0; content:"&antivirus="; distance:0; content:"&os=Windows"; distance:0; content:"&passCount="; distance:0; content:"&coockieCount="; distance:0; fast_pattern; content:"&walletCount="; distance:0; content:"&telegramCount="; distance:0; content:"&vpnCount="; distance:0; content:"&ftpCount="; distance:0; content:"&country="; content:"multipart/form-data|3b 20|boundary="; distance:0; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035716; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment SSLDecrypt, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_04_01;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT NetGear R6700v3 upnpd Buffer Overflow Inbound (CVE-2022-27643)"; flow:to_server,established; http.method; content:"POST"; http.header; content:"SOAPAction|3a|"; nocase; content:"urn:NETGEARROUTER:service:ParentalControl:1#Authenticate"; fast_pattern; nocase; pcre:"/^SOAPAction\x3a\s?urn\x3aNETGEARROUTER\x3aservice\x3aParentalControl\x3a1#Authenticate/Hmi"; http.request_body; content:"<NewMACAddress>"; nocase; pcre:"/^[^<]{30,}<\/NewMACAddress>/Ri"; reference:url,blog.relyze.com/2022/03/cve-2022-27643-netgear-r6700v3-upnpd.html; reference:cve,2022-27643; classtype:attempted-admin; sid:2035717; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_03, cve CVE_2022_27643, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_03;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /async/newtab_ogb HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Sec-Fetch-Site|0d 0a|Sec-Fetch-Mode|0d 0a|Sec-Fetch-Dest|0d 0a|"; content:!"Referer|0d 0a|"; http.cookie; content:"1P_JAR="; startswith; content:"NID="; distance:6; within:4; pcre:"/^[A-Za-z0-9\/_\-\+]{171}=$/R"; reference:md5,e98774bee4ed490089f6c63b6c676112; reference:url,blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/; classtype:trojan-activity; sid:2035653; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Carder Card Checking Tool try2check.me SSL Certificate"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"try2check.me"; within:400; fast_pattern; classtype:pup-activity; sid:2014286; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_02_28, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_04;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SSL Cert Used In Unknown Exploit Kit (ashburn)"; flow:established,to_client; content:"ashburn@gmail.com"; fast_pattern; classtype:exploit-kit; sid:2015717; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_09_20, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_04;)
+
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Redis RCE Attempt (CVE-2022-0543) M1"; flow:established,to_server; content:"package|2e|loadlib|28|"; fast_pattern; content:"liblua"; distance:0; content:".popen|28|"; distance:0; reference:url,blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers; reference:url,www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce; reference:cve,2022-0543; classtype:attempted-admin; sid:2035718; rev:2; metadata:affected_product Redis, attack_target Server, created_at 2022_04_04, cve CVE_2022_0543, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_04;)
+
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redis RCE Attempt - Dynamic Importing of liblua (CVE-2022-0543)"; flow:established,to_server; content:"package|2e|loadlib|28|"; fast_pattern; content:"liblua"; within:500; reference:url,blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers; reference:url,www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce; reference:cve,2022-0543; classtype:attempted-admin; sid:2035720; rev:2; metadata:affected_product Redis, created_at 2022_04_04, cve CVE_2022_0543, former_category EXPLOIT, updated_at 2022_04_04;)
+
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Redis RCE Attempt (CVE-2022-0543) M2"; flow:established,to_server; content:"package|2e|loadlib|28|"; fast_pattern; content:"liblua"; within:500; content:".execute|28|"; distance:0; reference:url,blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers; reference:url,www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce; reference:cve,2022-0543; classtype:attempted-admin; sid:2035719; rev:2; metadata:affected_product Redis, attack_target Server, created_at 2022_04_04, cve CVE_2022_0543, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_04;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".modestoobgyn.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035721; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".chyprediction.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035722; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".againcome.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035723; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".myshortbio.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035724; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".bestsecure2020.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035725; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".findoutcredit.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035726; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".estetictrance.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035727; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".internethabit.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035728; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/POWERPLANT CnC Exfil (Query)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/gate?id="; startswith; http.request_body; content:"UVVFUlk="; bsize:8; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,edb1f62230123abf88231fc1a7190b60; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035729; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_04;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/POWERPLANT CnC Exfil (INIT)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/gate?id="; startswith; http.request_body; content:"SU5JVA=="; depth:8; fast_pattern; content:"TWljcm9zb2Z0IFdpbmRvd3M"; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,edb1f62230123abf88231fc1a7190b60; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035730; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_04;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Instagram Story Viewer Domain in DNS Lookup (dumpor .com)"; dns.query; dotprefix; content:".dumpor.com"; nocase; endswith; classtype:misc-activity; sid:2035736; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Instagram Story Viewer Domain in DNS Lookup (smihub .com)"; dns.query; dotprefix; content:".smihub.com"; nocase; endswith; classtype:misc-activity; sid:2035737; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Instagram Story Viewer Domain in DNS Lookup (greatfon .com)"; dns.query; dotprefix; content:".greatfon.com"; nocase; endswith; classtype:misc-activity; sid:2035738; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Instagram Story Viewer Domain (dumpor .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dumpor.com"; bsize:10; fast_pattern; classtype:misc-activity; sid:2035739; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to LOADOUT Domain"; dns.query; dotprefix; content:".incongruousance.com"; nocase; endswith; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035731; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to LOADOUT Domain"; dns.query; dotprefix; content:".fashionableeder.com"; nocase; endswith; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035732; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Instagram Story Viewer Domain (smihub .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"smihub.com"; bsize:10; fast_pattern; classtype:misc-activity; sid:2035740; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to LOADOUT Domain"; dns.query; dotprefix; content:".electroncador.com"; nocase; endswith; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035733; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to LOADOUT Domain"; dns.query; dotprefix; content:".spontaneousance.com"; nocase; endswith; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035734; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Instagram Story Viewer Domain (greatfon .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"greatfon.com"; bsize:12; fast_pattern; classtype:misc-activity; sid:2035741; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener  Domain in DNS Lookup (lk .tc)"; dns.query; dotprefix; content:".lk.tc"; nocase; endswith; classtype:misc-activity; sid:2035742; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortener Domain (lk .tc in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".lk.tc"; endswith; fast_pattern; classtype:misc-activity; sid:2035743; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Informational, updated_at 2022_04_04;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LOADOUT CnC Activity"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64|3b 20|rv:6.0) Gecko/20110101 Firefox/69.0"; http.header_names; content:"|0d 0a|content-type|0d 0a|"; content:"|0d 0a|user-agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; http.request_body; content:"yoyo="; depth:5; fast_pattern; reference:md5,4d56a1ca28d9427c440ec41b4969caa2; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035735; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_04;)
+
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Gitlab Login Attempt with hard-coded password (CVE-2022-1162)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/users/sign_in"; http.request_body; content:"&user%5Bpassword%5D=123qweQWE%21%40%23"; fast_pattern; pcre:"/^0+(?:&|$)/R"; reference:url,about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/#static-passwords-inadvertently-set-during-omniauth-based-registration; reference:cve,2022-1162; classtype:attempted-user; sid:2035750; rev:1; metadata:attack_target Server, created_at 2022_04_05, cve CVE_2022_1162, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_05;)
+
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Gitlab Login Attempt with hard-coded password (CVE-2022-1162)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/users/sign_in"; http.request_body; content:"|26|user|5b|password|5d 3d|123qweQWE|21 40 23|"; fast_pattern; pcre:"/^0+(?:&|$)/R"; reference:url,about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/#static-passwords-inadvertently-set-during-omniauth-based-registration; reference:cve,2022-1162; classtype:attempted-user; sid:2035751; rev:1; metadata:attack_target Server, created_at 2022_04_05, cve CVE_2022_1162, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_05;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Splashtop Domain (splashtop .com) in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".splashtop.com"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035763; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_05;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Splashtop Domain (splashtop .eu) in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".splashtop.eu"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035765; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_05;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Totolink - Command Injection Attempt Inbound (CVE-2022-26210)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/cgi-bin/cstecgi.cgi"; http.request_body; content:"setUpgradeFW"; fast_pattern; content:"FileName|3a 20 3a|"; distance:0; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-26210; classtype:attempted-admin; sid:2035744; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2022_26210, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_05;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Totolink - Command Injection Attempt Inbound (CVE-2022-26186)"; flow:to_server,established; http.uri; content:"/cgi-bin/cstecgi.cgi?exportOvpn"; fast_pattern; content:"="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-26186; classtype:attempted-admin; sid:2035745; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2022_26186, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_05;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Totolink - Command Injection Attempt Inbound (CVE-2022-25075)"; flow:to_server,established; http.uri; content:"/cgi-bin/downloadFlile.cgi"; fast_pattern; content:"="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-25075; classtype:attempted-admin; sid:2035746; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2022_25075, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_05;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link - RCE Attempt Inbound (CVE-2021-45382)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ddns_check.ccp"; fast_pattern; http.request_body; content:"&ddnsHostName="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2021-45382; classtype:attempted-admin; sid:2035747; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2021_45382, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_05;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (b3astmode)"; flow:to_server,established; http.user_agent; content:"b3astmode"; fast_pattern; bsize:9; classtype:trojan-activity; sid:2035748; rev:1; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_05;)
+
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (b3astmode)"; flow:to_server,established; http.user_agent; content:"b3astmode"; fast_pattern; bsize:9; classtype:trojan-activity; sid:2035749; rev:1; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Lazarus APT Related Backdoor Activity (POST) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"jsessid=60d49d"; fast_pattern; content:"cookie="; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/lazarus-trojanized-defi-app/106195/; reference:md5,0b9f4612cdfe763b3d8c8a956157474a; classtype:trojan-activity; sid:2035692; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_04_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Lazarus APT Related Backdoor Activity (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"jcookie=60d49d"; fast_pattern; content:"cookie="; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/lazarus-trojanized-defi-app/106195/; reference:md5,0b9f4612cdfe763b3d8c8a956157474a; classtype:trojan-activity; sid:2035766; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, malware_family Lazarus, performance_impact Low, signature_severity Major, updated_at 2022_04_05;)
+
+alert dns $HOME_NET any -> any any (msg:"ET INFO Proxy Domain in DNS Lookup (proxynet .io)"; dns.query; dotprefix; content:".proxynet.io"; nocase; endswith; classtype:misc-activity; sid:2035757; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_05;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Proxy Domain (proxynet .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"proxynet.io"; bsize:11; fast_pattern; classtype:misc-activity; sid:2035758; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, signature_severity Informational, updated_at 2022_04_05;)
+
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.USB Variant CnC Activity"; flow:established,to_server; stream_size:server,<,5; content:"|2e d4 d6 19 57 d4 85 ba 0e 9d e5 56 fa 72 db af e5 17 e8 3e 3b 21 b7 26 fc 59 03 db d2 36 32 bb c3 c4 ab 7b 66 74 c4 68 ac 23 5b a3 fc e7 82 6a|"; offset:7; depth:48; reference:md5,c911d93b90bdef05be681a3b31c81679; reference:url,twitter.com/0xrb/status/1509396448387153920; classtype:trojan-activity; sid:2035752; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_05;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Unk.CoinMiner Downloader"; flow:to_client,established; http.content_type; content:"text/plain"; startswith; http.response_body; content:"Remove known miners by known process names"; content:"Write-Output|20 22|Miner Running|22|"; fast_pattern; reference:md5,6ae2d7ab6701bd9b46efe7f5d52b2c46; classtype:trojan-activity; sid:2035753; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_05;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader)"; flow:established,to_client; tls.cert_subject; content:"CN=thechinastyle.com"; bsize:20; fast_pattern; reference:url,www.mandiant.com/resources/evolution-of-fin7; reference:md5,3985b60c6aba7cb38998e3f898fba79a; classtype:trojan-activity; sid:2035754; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, signature_severity Major, updated_at 2022_04_05;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader)"; flow:established,to_client; tls.cert_subject; content:"CN=divorceradio.com"; bsize:19; fast_pattern; reference:url,www.mandiant.com/resources/evolution-of-fin7; reference:md5,3985b60c6aba7cb38998e3f898fba79a; classtype:trojan-activity; sid:2035755; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, signature_severity Major, updated_at 2022_04_05;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader)"; flow:established,to_client; tls.cert_subject; content:"CN=physiciansofficenews.com"; bsize:27; fast_pattern; reference:md5,3985b60c6aba7cb38998e3f898fba79a; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035756; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, signature_severity Major, updated_at 2022_04_05;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page M1 2022-04-05"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Bfrt4DSob5.ico"; fast_pattern; content:"|2e|php|22 20|enctype|3d 22|multipart|2f|form|2d|data|22|"; nocase; distance:0; content:"src|3d 22|poina|2e|png|22|"; distance:0; classtype:credential-theft; sid:2035759; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_05;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page M2 2022-04-05"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c|script|20|images|3d 22|JavaScript|22 3e|"; distance:0; content:"<!--"; distance:0; content:"window|2e|location|3d 22|inzo|2e|html|22 3b|"; fast_pattern; distance:0; content:"// -->"; distance:0; content:"</script>"; distance:0; classtype:credential-theft; sid:2035760; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_05;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page M3 2022-04-05"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"inzo"; content:"|3c|script|20|images|3d 22|JavaScript|22 3e|"; distance:0; content:"<!--"; distance:0; content:"window|2e|location|3d 22|cmzs|2e|html|22 3b|"; fast_pattern; distance:0; content:"// -->"; distance:0; content:"</script>"; distance:0; classtype:credential-theft; sid:2035761; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_05;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 1 Pattern Set Inbound (CVE-2022-22965)"; flow:to_server,established; http.uri; content:"pipeline.first.pattern="; fast_pattern; classtype:attempted-admin; sid:2035674; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 2 Suffix Set Inbound (CVE-2022-22965)"; flow:to_server,established; http.uri; content:"pipeline.first.suffix="; fast_pattern; classtype:attempted-admin; sid:2035675; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 3 Directory Set Inbound (CVE-2022-22965)"; flow:to_server,established; http.uri; content:"pipeline.first.directory="; fast_pattern; classtype:attempted-admin; sid:2035676; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 4 Prefix Set Inbound (CVE-2022-22965)"; flow:to_server,established; http.uri; content:"pipeline.first.prefix="; fast_pattern; classtype:attempted-admin; sid:2035677; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Inbound (CVE-2022-22965)"; flow:to_server,established; http.request_body; content:"pipeline.first.pattern="; fast_pattern; content:"pipeline.first.suffix="; content:"pipeline.first.directory="; content:"pipeline.first.prefix="; classtype:attempted-admin; sid:2035678; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Android Infostealer CnC Check-In"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/socket.io/?"; fast_pattern; startswith; content:"model="; content:"EIO="; content:"id="; content:"transport="; content:"release="; content:"manf="; reference:url,lab52.io/blog/complete-dissection-of-an-apk-with-a-suspicious-c2-server/; reference:md5,4f5617ec4668e3406f9bd82dfcf6df6b; classtype:command-and-control; sid:2035770; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spytector Domain (mail .spytector .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"mail.spytector.com"; fast_pattern; reference:md5,1a72533d45c878cf4f35323e57c00887; classtype:trojan-activity; sid:2035772; rev:1; metadata:created_at 2022_04_06, former_category MALWARE, updated_at 2022_04_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Kaspov Related Hex In HTTP Accept Header"; flow:to_server,established; http.method; content:"GET"; http.accept; content:"|d1 69 4a cd 4f a4 77 44 bb 85 c3 6d 8d 4a 84 d6 86 a0 fa 1a af 8b d8 98 05 5e a0|"; startswith; fast_pattern; reference:md5,767370995ad5bdbcdaee2e3123cfe47c; classtype:bad-unknown; sid:2035768; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_06, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2022_04_06;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT28/Sednit SSL Cert"; flow:established,to_client; tls.cert_subject; content:"CN=ngefqevwe"; fast_pattern; reference:md5,f7ee38ca49cd4ae35824ce5738b6e587; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023423; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_06;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO BrowseTor .onion Proxy Service SSL Cert"; flow:established,to_client; tls.cert_subject; content:"CN=*.browsetor.com"; fast_pattern; classtype:bad-unknown; sid:2018396; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_04_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_06;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Likely Hex Executable String"; flow:to_client,established; file_data; content:"4D5A"; content:"63616E6E6F74"; fast_pattern; distance:178; within:12; content:"72756E"; distance:8; within:6; content:"444F53"; distance:8; within:6; classtype:misc-activity; sid:2035769; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_06, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2022_04_06;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Form with Action Value Equal to bit .ly"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<form"; content:"action=|22|http://bit.ly"; fast_pattern; distance:0; classtype:credential-theft; sid:2035767; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_06, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_06;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"www.hona-alrabe3.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035863; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (frances-thomas .com in DNS Lookup)"; dns_query; content:"frances-thomas.com"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035783; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (frances-thomas .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"frances-thomas.com"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035784; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (scott-chapin .com in DNS Lookup)"; dns_query; content:"scott-chapin.com"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035785; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (scott-chapin .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"scott-chapin.com"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035786; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (linda-gaytan .website in DNS Lookup)"; dns_query; content:"linda-gaytan.website"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035787; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (linda-gaytan .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"linda-gaytan.website"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035788; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (david-gardiner .website in DNS Lookup)"; dns_query; content:"david-gardiner.website"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035789; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (david-gardiner .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"david-gardiner.website"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035790; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (amanda-hart .website in DNS Lookup)"; dns_query; content:"amanda-hart.website"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035791; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (amanda-hart .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"amanda-hart.website"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035792; rev:2; metadata:created_at 2022_04_07, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (javan-demsky .website in DNS Lookup)"; dns_query; content:"javan-demsky.website"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035793; rev:2; metadata:created_at 2022_04_07, updated_at 2022_04_07;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (javan-demsky .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"javan-demsky.website"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035794; rev:2; metadata:created_at 2022_04_07, updated_at 2022_04_07;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ET INFO Observed URL Shortening Service Domain (s59 .site) in TLS SNI"; flow:established,to_server; tls.sni; content:"s59.site"; fast_pattern; classtype:misc-activity; sid:2035871; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (enerflex .org)"; dns.query; dotprefix; content:".enerflex.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035804; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (supportskype .com)"; dns.query; dotprefix; content:".supportskype.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035805; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (alharbitelecom .co)"; dns.query; dotprefix; content:".alharbitelecom.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035806; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (cortanaupdate .co)"; dns.query; dotprefix; content:".cortanaupdate.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035807; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (cortanaservice .com)"; dns.query; dotprefix; content:".cortanaservice.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035808; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (cloudgoogle .co)"; dns.query; dotprefix; content:".cloudgoogle.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035809; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (onedrivelive .me)"; dns.query; dotprefix; content:".onedrivelive.me"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035810; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (edge-cloudservices .com)"; dns.query; dotprefix; content:".edge-cloudservices.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035811; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (online-audible .com)"; dns.query; dotprefix; content:".online-audible.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035812; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (updatedefender .net)"; dns.query; dotprefix; content:".updatedefender.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (sparrowsgroup .org)"; dns.query; dotprefix; content:".sparrowsgroup.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035814; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (helpdesk-product .com)"; dns.query; dotprefix; content:".helpdesk-product.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035815; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (defenderupdate .ddns .net)"; dns.query; dotprefix; content:".defenderupdate.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035816; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (enerflex .ddns .net)"; dns.query; dotprefix; content:".enerflex.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035817; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (linkedinz .me)"; dns.query; dotprefix; content:".linkedinz.me"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035818; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (khaleejtimes .co)"; dns.query; dotprefix; content:".khaleejtimes.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035819; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (microsoftdefender .info)"; dns.query; dotprefix; content:".microsoftdefender.info"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035820; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (outlookde .live)"; dns.query; dotprefix; content:".outlookde.live"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035821; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (lukoil .in)"; dns.query; dotprefix; content:".lukoil.in"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035822; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (careers-finder .com)"; dns.query; dotprefix; content:".careers-finder.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035823; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (online-chess .live)"; dns.query; dotprefix; content:".online-chess.live"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035824; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (exprogroup .org)"; dns.query; dotprefix; content:".exprogroup.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035825; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (saipem .org)"; dns.query; dotprefix; content:".saipem.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035826; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (mastergatevpn .com)"; dns.query; dotprefix; content:".mastergatevpn.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035827; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (sauditourismguide .com)"; dns.query; dotprefix; content:".sauditourismguide.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035828; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (listen-books .com)"; dns.query; dotprefix; content:".listen-books.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035829; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (updateservices .co)"; dns.query; dotprefix; content:".updateservices.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035830; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (microsoftcdn .co)"; dns.query; dotprefix; content:".microsoftcdn.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035831; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (office-shop .me)"; dns.query; dotprefix; content:".office-shop.me"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035832; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (sharepointnotify .com)"; dns.query; dotprefix; content:".sharepointnotify.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035833; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (globaltalent .in)"; dns.query; dotprefix; content:".globaltalent.in"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035834; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (savemoneytrick .com)"; dns.query; dotprefix; content:".savemoneytrick.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035835; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Vidar Stealer CnC Domain in DNS Lookup"; dns.query; content:"computerprotect.me"; fast_pattern; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/; classtype:trojan-activity; sid:2035872; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (microsoftedgesh .info)"; dns.query; dotprefix; content:".microsoftedgesh.info"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035836; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (outlookdelivery .com)"; dns.query; dotprefix; content:".outlookdelivery.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035837; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (remgrogroup .com)"; dns.query; dotprefix; content:".remgrogroup.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035838; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (onedriveupdate .net)"; dns.query; dotprefix; content:".onedriveupdate.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035839; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Vidar Stealer Domain (computerprotect .me) in TLS SNI"; flow:established,to_server; tls.sni; content:"computerprotect.me"; fast_pattern; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/; classtype:trojan-activity; sid:2035873; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (getadobe .ddns .net)"; dns.query; dotprefix; content:".getadobe.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035840; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (googleservices .co)"; dns.query; dotprefix; content:".googleservices.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035841; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (librarycollection .org)"; dns.query; dotprefix; content:".librarycollection.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035842; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (freechess .live)"; dns.query; dotprefix; content:".freechess.live"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035843; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (elecresearch .org)"; dns.query; dotprefix; content:".elecresearch.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035844; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (applytalents .com)"; dns.query; dotprefix; content:".applytalents.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035845; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (updateddns .ddns .net)"; dns.query; dotprefix; content:".updateddns.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035846; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (mideasthiring .com)"; dns.query; dotprefix; content:".mideasthiring.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035847; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (appslocallogin .online)"; dns.query; dotprefix; content:".appslocallogin.online"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035848; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (apply-jobs .com)"; dns.query; dotprefix; content:".apply-jobs.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035849; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (funnychess .online)"; dns.query; dotprefix; content:".funnychess.online"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035850; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (product2020 .mrbasic .com)"; dns.query; content:"product2020.mrbasic.com"; nocase; bsize:23; reference:url,twitter.com/h2jazi/status/1505887653111209994; reference:md5,1af894a5f23713b557c23078809ed01c; reference:md5,1aba36f72685c12e60fb0922b606417c; classtype:domain-c2; sid:2035557; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family HeaderTip, signature_severity Major, updated_at 2022_03_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (talent-recruitment .org)"; dns.query; dotprefix; content:".talent-recruitment.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035851; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AllaKore RAT ID Command Observed"; flow:established,to_server; content:"|3c 7c|ID|7c 3e|"; fast_pattern; startswith; content:"|3c 7c|END|7c 3e|"; endswith; classtype:attempted-admin; sid:2035544; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (googleupdate .co)"; dns.query; dotprefix; content:".googleupdate.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035852; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AllaKore RAT CnC Checkin"; flow:established,to_server; content:"|3c 7c|mainzsoccer|7c|"; fast_pattern; startswith; classtype:attempted-admin; sid:2035542; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (updatedns .ddns .net)"; dns.query; dotprefix; content:".updatedns.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035853; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sidecopy APT Backdoor Related Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /logs_files HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:46; reference:md5,bc8e094a4fb6c724e6b32a00df6262f9; reference:url,twitter.com/bofheaded/status/1505928947955302401; classtype:trojan-activity; sid:2035558; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2022_03_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (thefreemovies .net)"; dns.query; dotprefix; content:".thefreemovies.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035854; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidecopy APT Backdoor Related Domain in DNS Lookup (kokotech .xyz)"; dns.query; content:"kokotech.xyz"; nocase; bsize:12; reference:md5,bc8e094a4fb6c724e6b32a00df6262f9; reference:url,twitter.com/bofheaded/status/1505928947955302401; classtype:domain-c2; sid:2035559; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2022_03_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (talktalky .azurewebsites .net)"; dns.query; dotprefix; content:".talktalky.azurewebsites.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035855; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SUR SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"20:82:92:3F:43:2C:8F:75:B7:EF:0F:6A:D9:3C:8E:5D"; fast_pattern; tls.cert_subject; content:"CN=SUR"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016468; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (etisalatonline .com)"; dns.query; dotprefix; content:".etisalatonline.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035856; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".kdc/"; fast_pattern; http.header_names; content:!"Referer"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"username="; startswith; content:"_"; distance:0; content:"&cart="; distance:0; content:"&cacogenics="; distance:0; reference:md5,1182940dca705e0b3a8349c9fdf99e10; reference:url,twitter.com/500mk500/status/1505638483691544580; classtype:trojan-activity; sid:2035560; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (getadobe .net)"; dns.query; dotprefix; content:".getadobe.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035857; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AllaKore RAT Set Keep-Alive Observed"; flow:established,to_server; content:"|3c 7c|SETPING|7c|"; fast_pattern; startswith; content:"|3c 7c|END|7c 3e|"; endswith; classtype:attempted-admin; sid:2035543; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Ordns DNS over HTTPS Domain (Ordns .he .net in TLS SNI)"; flow:established,to_server; threshold: type both, track by_src, count 1, seconds 600; tls.sni; content:"ordns.he.net"; endswith; reference:url,www.blackhillsinfosec.com/dns-over-https-for-cobalt-strike; classtype:misc-activity; sid:2035858; rev:2; metadata:created_at 2022_04_07, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2022_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".mesh"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/500mk500/status/1505638483691544580; classtype:trojan-activity; sid:2035561; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Ordns DNS Over HTTPS Certificate Inbound"; flow:established,to_client; threshold: type limit, track by_src, count 1, seconds 300; tls.cert_subject; content:"CN=ordns.he.net"; endswith; fast_pattern; reference:url,developers.cloudflare.com/1.1.1.1/dns-over-https/request-structure/; classtype:misc-activity; sid:2035859; rev:2; metadata:created_at 2022_04_07, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2022_04_07;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE FlawedGrace CnC Activity"; flow:to_server,established; dsize:14; content:"|47 43 52 47|"; offset:4; depth:4; threshold: type both, track by_src, count 10, seconds 60; reference:md5,2b1215fb65d33fc6206ab227a3b7e75a; classtype:command-and-control; sid:2026773; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Winnti Domain"; dns.query; dotprefix; content:".host.skybad.top"; nocase; endswith; reference:md5,c99397d66e49e2def1b17f57cd0c5fb9; classtype:trojan-activity; sid:2035877; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, signature_severity Major, updated_at 2022_04_08;)
 
-alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response abuse.ch"; flow:established,to_client; dsize:22; content:"Sinkholed by abuse.ch|0a|"; fast_pattern; classtype:trojan-activity; sid:2020223; rev:4; metadata:created_at 2015_01_21, former_category MALWARE, updated_at 2022_03_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Winnti Domain"; dns.query; dotprefix; content:".s2.yk.hyi8mc.top"; nocase; endswith; reference:md5,c99397d66e49e2def1b17f57cd0c5fb9; classtype:trojan-activity; sid:2035878; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, signature_severity Major, updated_at 2022_04_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (FindPOS)"; flow:established,to_client; tls.cert_serial; content:"00:CD:2D:4A:53:08:27:AA:B4"; fast_pattern; tls.cert_subject; content:"O=Default Company Ltd"; reference:md5,a586db30ab21a02eee9e8ab2ebe8a2b5; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:domain-c2; sid:2021289; rev:3; metadata:attack_target Client_and_Server, created_at 2015_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Farfli.CUY CnC Server Response"; flow:established,to_client; content:"|68 78 20 10 00 00 00 01 00 00 00 01 00 00 00 11|"; dsize:16; startswith; fast_pattern; stream_size:server,=,17; reference:md5,c99397d66e49e2def1b17f57cd0c5fb9; classtype:command-and-control; sid:2035879; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_04_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (FindPOS)"; flow:established,to_client; tls.cert_serial; content:"00:80:5C:5F:EC:50:39:a2:14"; fast_pattern; tls.cert_subject; content:"O=Default Company Ltd"; reference:md5,a586db30ab21a02eee9e8ab2ebe8a2b5; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:domain-c2; sid:2021772; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Farfli.CUY KeepAlive M2"; flow:established,to_server; content:"|68 78 20 cf 01 00 00 c0 01 00 00 01 00 00 00 cb|"; startswith; fast_pattern; stream_size:client,>,200; reference:md5,87100cb600d876bd022a4d93ce6305a0; classtype:command-and-control; sid:2035880; rev:2; metadata:created_at 2022_04_08, updated_at 2022_04_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:9F:B1:5C:37:90:8A:2E:B7"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022095; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)"; flow:established,to_server; http.uri; content:"/catalog-portal/"; http.request_body; content:"%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22"; nocase; fast_pattern; content:"%6e%65%77%28%29"; nocase; within:200; reference:url,www.vmware.com/security/advisories/VMSA-2022-0011.html; reference:cve,2022-22954; classtype:attempted-admin; sid:2035876; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2022_04_08, cve CVE_2022_22954, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:81:32:F4:D9:2C:39:C3:06"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022096; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)"; flow:established,to_server; http.uri; content:"/catalog-portal/"; http.request_body; content:"|24 7b 22|freemarker|2e|template|2e|utility|2e|Execute|22|"; nocase; fast_pattern; content:"new|28 29 28|"; nocase; within:200; reference:url,www.vmware.com/security/advisories/VMSA-2022-0011.html; reference:cve,2022-22954; classtype:attempted-admin; sid:2035875; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2022_04_08, cve CVE_2022_22954, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:B4:78:3D:3F:BF:60:B9:94"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022097; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)"; flow:established,to_server; http.uri; content:"/catalog-portal/"; content:"|24 7b 22|freemarker|2e|template|2e|utility|2e|Execute|22|"; distance:0; nocase; fast_pattern; content:"new|28 29 28|"; nocase; within:200; reference:url,www.vmware.com/security/advisories/VMSA-2022-0011.html; reference:cve,2022-22954; classtype:attempted-admin; sid:2035874; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2022_04_08, cve CVE_2022_22954, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit)"; flow:established,to_client; tls.cert_serial; content:"00:B4:E9:29:AF:96:2B:99:E2"; fast_pattern; tls.cert_subject; content:"O=Internet Widgits Pty Ltd"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022098; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Havex RAT CnC Server Response HTML Tag"; flow:established,from_server; http.header; content:!"Keep-Alive|3a 20|"; nocase; content:!"Conncection|3a 20|Keep-Alive"; nocase; file_data; content:"|3c|mega http|2d|equiv|3d|"; fast_pattern; content:"|3c 2f|head|3e 3c|body|3e|"; within:200; reference:md5,6557d6518c3f6bcb8b1b2de77165c962; classtype:command-and-control; sid:2018244; rev:5; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2022_04_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE SWORD Sending Sword Marker"; flow:established,to_server; content:"|20 20 20 20 2f 2a 0a 40 2a 2a 2a 40 2a 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40|"; fast_pattern; reference:md5,052f5da1734464a985dcd669bff62f93; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016445; rev:3; metadata:created_at 2013_02_20, updated_at 2022_03_22;)
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Self-Signed Cert Observed in Various Zbot Strains"; flow:established,to_client; tls.cert_subject; content:"O=XX"; fast_pattern; tls.cert_issuer; content:"O=XX"; reference:md5,00e7afce84c84cd70fe329d8bb8c0731; classtype:trojan-activity; sid:2018284; rev:4; metadata:created_at 2014_03_17, updated_at 2022_04_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY onion.cab tor2web .onion Proxy domain in SNI"; flow:established,to_server; tls.sni; content:".onion.cab"; fast_pattern; endswith; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018879; rev:3; metadata:created_at 2014_08_01, updated_at 2022_03_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Denonia DNS Request Over HTTPS (denonia .xyz) M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/resolve?name=gw.denonia.xyz&type=A"; bsize:35; endswith; fast_pattern; http.host; content:"dns.google.com"; http.user_agent; content:"GoKit XHTTP Client"; startswith; http.accept; content:"application/dns-json"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:"|0d 0a|X-Http-Gokit-Requestid|0d 0a|"; reference:url,cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda; classtype:trojan-activity; sid:2035891; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2022_04_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot .onion Proxy domain in SNI Aug 04 2014"; flow:established,to_server; tls.sni; content:"zxjfcvfvhqfqsrpz."; fast_pattern; startswith; reference:md5,9c40169371adbee467587ab55a61e883; classtype:trojan-activity; sid:2018892; rev:4; metadata:created_at 2014_08_05, former_category TROJAN, updated_at 2022_03_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Denonia DNS Request Over HTTPS (denonia .xyz) M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dns-query?name=gw.denonia.xyz&type=A"; bsize:37; endswith; fast_pattern; http.host; content:"cloudflare-dns.com"; http.user_agent; content:"GoKit XHTTP Client"; startswith; http.accept; content:"application/dns-json"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:"|0d 0a|X-Http-Gokit-Requestid|0d 0a|"; reference:url,cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda; classtype:trojan-activity; sid:2035886; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2022_04_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY bridges.torproject.org over TLS with SNI"; flow:established,to_server; tls.sni; content:"bridges.torproject.org"; bsize:22; reference:url,www.torproject.org/docs/bridges.html.en; classtype:policy-violation; sid:2017929; rev:3; metadata:created_at 2014_01_04, updated_at 2022_03_23;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible OpenSSL Infinite Loop Inducing Cert Inbound via TCP (CVE-2022-0778)"; flow:established,to_server; content:"|30 82|"; content:"|30 0a 06 08 2a 86 48 ce 3d 04 03|"; distance:0; content:"|2a 86 48 ce 3d 01 01 02 02 02 b9|"; distance:0; fast_pattern; content:"|20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 17|"; within:36; content:"|20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:36; content:"|04 03|"; distance:23; within:2; content:"|00 08|"; distance:1; within:2; reference:url,www.rtcsec.com/article/exploiting-cve-2022-0778-in-openssl-vs-webrtc-platforms/; reference:url,github.com/drago-96/CVE-2022-0778/; reference:cve,2022-0778; classtype:denial-of-service; sid:2035887; rev:2; metadata:affected_product OpenSSL, attack_target Server, created_at 2022_04_11, cve CVE_2022_0778, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortening Service Domain in DNS Lookup (vtaurl .com)"; dns.query; content:"vtaurl.com"; nocase; bsize:10; classtype:bad-unknown; sid:2035562; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_23;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible OpenSSL Infinite Loop Inducing Cert Inbound via UDP (CVE-2022-0778)"; content:"|30 82|"; content:"|30 0a 06 08 2a 86 48 ce 3d 04 03|"; distance:0; content:"|2a 86 48 ce 3d 01 01 02 02 02 b9|"; distance:0; fast_pattern; content:"|20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 17|"; within:36; content:"|20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:36; content:"|04 03|"; distance:23; within:2; content:"|00 08|"; distance:1; within:2; reference:url,www.rtcsec.com/article/exploiting-cve-2022-0778-in-openssl-vs-webrtc-platforms/; reference:url,github.com/drago-96/CVE-2022-0778/; reference:cve,2022-0778; classtype:denial-of-service; sid:2035888; rev:2; metadata:affected_product OpenSSL, attack_target Server, created_at 2022_04_11, cve CVE_2022_0778, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (vtaurl .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"vtaurl.com"; bsize:10; fast_pattern; classtype:bad-unknown; sid:2035563; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed Commonly Abused Domain in DNS Lookup (blogattach .naver .com)"; dns.query; content:"blogattach.naver.com"; nocase; bsize:20; classtype:bad-unknown; sid:2035889; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_11, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Send-Safe Bulk Mailer SSL Cert - Observed in Spam Campaigns"; flow:established,to_client; tls.cert_subject; content:"C=Unknown, ST=Unknown, L=Unknown, O=Send-Safe, OU=Unknown, CN=Send-Safe"; bsize:71; fast_pattern; reference:md5,837c7af7f376722a0315cb0a7cb12399; classtype:trojan-activity; sid:2022194; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Commonly Abused Domain (blogattach .naver .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"blogattach.naver.com"; bsize:20; fast_pattern; classtype:bad-unknown; sid:2035890; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_11, deployment Perimeter, signature_severity Major, updated_at 2022_04_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shifr Ransomware Malicious Domain in SNI Observed"; flow:established,to_server; tls.sni; content:"v5t5z6a55ksmt3oh.onion"; startswith; fast_pattern; reference:md5,7a8c9fbfad9a817c0a10fed926f134c2; classtype:trojan-activity; sid:2024486; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_20, deployment Perimeter, former_category MALWARE, malware_family Shifr, signature_severity Major, tag Ransomware, updated_at 2022_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Pegasus Domain in DNS Lookup (alrai .com)"; dns.query; content:"alrai.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035780; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Spora Ransomware SSL Certificate Detected"; flow:established,to_client; tls.cert_subject; content:"CN=spora.bz"; fast_pattern; classtype:trojan-activity; sid:2024043; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_09, deployment Perimeter, former_category MALWARE, malware_family Spora, signature_severity Major, tag Ransomware, updated_at 2022_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM Maldoc Remote Template Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ACMS/"; pcre:"/[a-zA-Z0-9]{8}\//UR"; content:"blockchainTemplate"; fast_pattern; reference:url,mp.weixin.qq.com/s/kcIaoB8Yta1zI6Py-uxupA; classtype:trojan-activity; sid:2035902; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, former_category MALWARE, malware_family Lazarus, performance_impact Low, signature_severity Major, updated_at 2022_04_12;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SteamStealer Domain in SNI"; flow:established,to_server; tls.sni; content:"steamdesktopauthenticator.com"; bsize:29; fast_pattern; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:trojan-activity; sid:2025387; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category TROJAN, malware_family Steam_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_03_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Win32/TrojanDownloader.Agent.GEM Domain"; dns.query; dotprefix; content:".naveicoip"; pcre:"/^[a-z]\.(?:tech|online)$/R"; reference:md5,ecd47e596048ad1af9973a21af303465; reference:url,twitter.com/jaydinbas/status/1506987283630768138; classtype:trojan-activity; sid:2035604; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_12;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SteamStealer Malicious SSL Certificate Detected"; flow:established,to_client; tls.cert_subject; content:"CN=steamdesktopauthenticator.com"; fast_pattern; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:domain-c2; sid:2025388; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_02_26, deployment Perimeter, former_category MALWARE, malware_family Steam_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Colibri Loader Domain in DNS Lookup (securetunnel .co)"; dns.query; dotprefix; content:".securetunnel.co"; nocase; endswith; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/; classtype:trojan-activity; sid:2035899; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, signature_severity Major, updated_at 2022_04_12;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE StrongPity APT SSL Certificate Detected"; flow:established,to_client; tls.cert_subject; content:"CN=mevlut.oncu.example.com"; fast_pattern; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/; classtype:targeted-activity; sid:2025416; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2022_03_23;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible NGINX Reference LDAP Query Injection Attack"; flow:established,to_server; http.header; content:"|0d 0a|X-Ldap-Template|3a 20|"; fast_pattern; nocase; content:"|28 7c|"; distance:0; within:5; http.header_names; content:!"Referer|0d 0a|"; reference:url,github.com/nginxinc/nginx-ldap-auth/issues/93; classtype:attempted-admin; sid:2035897; rev:2; metadata:attack_target Web_Server, created_at 2022_04_12, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ConPtyShell Client Response"; flow:established,to_server; content:"|1b 5b 32 4a 1b 5b 6d 1b 5b 48 1b 5b 48 1b 5d 30 3b|"; startswith; fast_pattern; content:"|5b 32 33 58 1b 5b 32 33|"; distance:0; content:"|43 0d 0a 1b 5b 38 30 58 1b 5b 38 30 43 0d 0a 1b|"; distance:0; reference:url,github.com/antonioCoco/ConPtyShell; classtype:command-and-control; sid:2035565; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Farfli.CUY Downloader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/xghk.exe"; bsize:9; endswith; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/W"; http.header_names; content:!"Referer"; reference:md5,c99397d66e49e2def1b17f57cd0c5fb9; classtype:trojan-activity; sid:2035900; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ConPtyShell Server Command (whoami)"; flow:established,to_client; content:"|32 35 20 38 30 0a|"; startswith; fast_pattern; content:"whoami"; distance:0; reference:url,github.com/antonioCoco/ConPtyShell; classtype:command-and-control; sid:2035566; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Snatch Ransomware Checkin (POST)"; flow:established,to_server; http.request_line; content:"POST /news HTTP/1.1"; fast_pattern; http.request_body; content:"|22|pid|22 3a|"; content:"|22|host|22 3a|"; distance:0; content:"|22|type|22 3a|"; distance:0; content:"|22|username|22 3a|"; distance:0; reference:md5,5a9ae5f51c41f2de4f3eca94ddb4ccfd; classtype:trojan-activity; sid:2035898; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ConPtyShell Server Close Shell"; flow:established,to_client; content:"|32 35 20 38 30 0a|"; startswith; fast_pattern; content:"exit"; distance:0; reference:url,github.com/antonioCoco/ConPtyShell; classtype:command-and-control; sid:2035567; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (mail .igov-service .net)"; dns.query; content:"mail.igov-service.net"; nocase; bsize:21; reference:md5,199369f6b6eba1147d7e1bca208d6dab; classtype:domain-c2; sid:2035914; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_13;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SuperFish Possible SSL Cert Signed By Compromised Root CA"; flow:established,to_client; tls.cert_issuer; content:"O=Superfish, Inc."; content:"CN=Superfish, Inc."; fast_pattern; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:trojan-activity; sid:2020493; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js"; endswith; http.cookie; content:"Version=defaultSession-Id="; startswith; fast_pattern; pcre:"/^[a-zA-Z0-9-_]{171}$/R"; http.user_agent; content:!"Android"; content:!"Linux"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,199369f6b6eba1147d7e1bca208d6dab; classtype:trojan-activity; sid:2035915; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)"; flow:established,to_client; tls.cert_subject; content:"OU=SomeOrganizationalUnit"; fast_pattern; classtype:policy-violation; sid:2013659; rev:6; metadata:attack_target Client_Endpoint, created_at 2011_09_15, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Related Domain (mail .igov-service .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"mail.igov-service.net"; bsize:21; fast_pattern; reference:md5,199369f6b6eba1147d7e1bca208d6dab; classtype:domain-c2; sid:2035916; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_13;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (Snake Oil CA)"; flow:established,to_client; tls.cert_issuer; content:"CN=Snake Oil CA"; fast_pattern; classtype:policy-violation; sid:2013295; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_07_21, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (ebook .port25 .biz)"; dns.query; content:"ebook.port25.biz"; nocase; bsize:16; reference:url,www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/; reference:md5,bb505ef946a80d9d0ff64923a6ca79d9; classtype:domain-c2; sid:2035912; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family HeaderTip, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Suspected SPECULOOS Backdoor CnC Init Packet Masquerading as SNI Request to live .com"; dsize:186; content:"|16 03 01 00 b5 01 00 00 b1 03 01|"; depth:11; content:"|00 00 48 c0 0a c0 14 00 88 00 87 00 3900 38 c0 0f c0 05 00 84 00 35 c0 07 c0 09 c0 11 c0 13 00 45 00 44 00 66 00 33 00 32 c0 0c c0 0ec0 02 c0 04 00 96 00 41 00 04 00 05 00 2f c0 08c0 12 00 16 00 13 c0 0d c0 03 fe ff 00 0a 02 0100 00 3f 00 00 00 13 00 11 00 00 0e 6c 6f 67 696e 2e 6c 69 76 65 2e 63 6f 6d ff 01 00 01 00 000a 00 08 00 06 00 17 00 18 00 19 00 0b 00 02 01 00 00 23 00 00 33 74 00 00 00 05 00 05 01 00 0000 00|"; distance:32; within:143; fast_pattern; isdataat:!1,relative; reference:url,unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/; classtype:command-and-control; sid:2029910; rev:5; metadata:attack_target Client_Endpoint, created_at 2020_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (mert .my03 .com)"; dns.query; content:"mert.my03.com"; nocase; bsize:13; reference:url,www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/; reference:md5,acd062593f70c00e310c47a3e7873df4; classtype:domain-c2; sid:2035913; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family HeaderTip, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky APT Related Host Data Exfil M4"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/\?m=[a-z]&p1=[a-z0-9]{8,12}(?:&p2=[^&]+)?(?:&p3=[^&]+)?$/i"; content:"/?m="; fast_pattern; content:"&p1="; distance:1; within:4; http.header_names; content:!"Content-Type"; content:!"Referer"; reference:md5,2d1f1132ab7e80a6a8546dd2ac45bd89; reference:url,download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf; classtype:targeted-activity; sid:2035564; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2022_03_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM Maldoc Remote Template Request M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ACMS/"; fast_pattern; content:"?"; distance:16; within:10; pcre:"/[a-z0-9]{8}\/.*\?[a-z0-9]{3,10}=[a-z0-9]{8,11}$/Ui"; reference:url,mp.weixin.qq.com/s/kcIaoB8Yta1zI6Py-uxupA; classtype:trojan-activity; sid:2035901; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, former_category MALWARE, malware_family Lazarus, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Remote Access - RView - SSL Certificate Seen"; flow:established,to_client; tls.cert_subject; content:"CN=*.rview.com"; fast_pattern; classtype:policy-violation; sid:2020805; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (showsvc .com)"; dns.query; dotprefix; content:".showsvc.com"; nocase; endswith; classtype:trojan-activity; sid:2035918; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY DropBox User Content Access over SSL"; flow:established,to_client; tls.cert_subject; content:"CN=*.dropboxusercontent.com"; fast_pattern; reference:url,www.dropbox.com/help/201/en; classtype:policy-violation; sid:2017015; rev:7; metadata:created_at 2013_06_13, updated_at 2022_03_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (wicommerece .com)"; dns.query; dotprefix; content:".wicommerece.com"; nocase; endswith; classtype:trojan-activity; sid:2035919; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert tcp any any -> $HOME_NET 88 (msg:"ET EXPLOIT Possible GoldenPac Priv Esc in-use"; flow:established,to_server; content:"|a0 07 03 05 00 50 80 00 00|"; content:"|a8 05 30 03 02 01 17|"; endswith; threshold: type limit, track by_src, seconds 60, count 1; reference:url,code.google.com/p/impacket/source/browse/trunk/examples/goldenPac.py; reference:cve,CVE-2014-6324; classtype:attempted-admin; sid:2019922; rev:4; metadata:created_at 2014_12_12, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (upservicemc .com)"; dns.query; dotprefix; content:".upservicemc.com"; nocase; endswith; classtype:trojan-activity; sid:2035920; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - Data Channel Client Request 2"; flow:established,to_server; content:"CONNECT="; depth:8; content:"8_=_8"; endswith; classtype:trojan-activity; sid:2022707; rev:3; metadata:created_at 2016_04_06, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (netpixelds .com)"; dns.query; dotprefix; content:".netpixelds.com"; nocase; endswith; classtype:trojan-activity; sid:2035921; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - CnC Password Exfil"; flow:established,to_server; content:"PASSWORDS="; depth:10; content:"8_=_8"; endswith; classtype:command-and-control; sid:2022709; rev:3; metadata:created_at 2016_04_06, former_category MALWARE, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (allmyad .com)"; dns.query; dotprefix; content:".allmyad.com"; nocase; endswith; classtype:trojan-activity; sid:2035922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - CnC"; flow:established,to_server; content:"ACT="; depth:4; content:"8_=_8"; endswith; classtype:command-and-control; sid:2022710; rev:3; metadata:created_at 2016_04_06, former_category MALWARE, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (ananoka .com)"; dns.query; dotprefix; content:".ananoka.com"; nocase; endswith; classtype:trojan-activity; sid:2035923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)"; flow:established,to_server; tls.sni; content:"ipinfo.io"; bsize:9; fast_pattern; classtype:external-ip-check; sid:2025331; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (gvgnci .com)"; dns.query; dotprefix; content:".gvgnci.com"; nocase; endswith; classtype:trojan-activity; sid:2035924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability M2 (NT Create AndX .so) (CVE-2017-7494)"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|05 00|"; distance:8; within:2; content:"|00 2e 00 73 00 6f 00|"; fast_pattern; endswith; reference:cve,2017-7494; classtype:attempted-admin; sid:2024384; rev:3; metadata:affected_product Linux, attack_target Server, created_at 2017_06_16, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (msfbckupsc .com)"; dns.query; dotprefix; content:".msfbckupsc.com"; nocase; endswith; classtype:trojan-activity; sid:2035925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Black Stealer Exfil System Info"; flow:established,to_server; content: "|2b 20 2b 20 2b 20 5b 20|VicTim Info|20 5d 20 2b 20 2b 20 2b|"; depth:120; nocase; fast_pattern; content:"End Stealer|20 3d 20 3d 20 3d 20 3d 20 3d 20 3d|"; nocase; endswith; classtype:trojan-activity; sid:2024790; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category TROJAN, malware_family BlackStealer, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (polanicia .com)"; dns.query; dotprefix; content:".polanicia.com"; nocase; endswith; classtype:trojan-activity; sid:2035926; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http any any -> any any (msg:"ET INFO Possible Sandvine PacketLogic Injection"; flow:established,from_server; id:13330; flags:AF; content:"HTTP/1.1 307 Temporary Redirect|0a|Location|3a 20|"; depth:42; fast_pattern; content:"Connection: close|0a 0a|"; endswith; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/; classtype:misc-activity; sid:2025428; rev:3; metadata:attack_target Client_and_Server, created_at 2018_03_13, deployment Datacenter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (informaxima .org)"; dns.query; dotprefix; content:".informaxima.org"; nocase; endswith; classtype:trojan-activity; sid:2035927; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT CnC Checkin"; flow:established,to_server; dsize:<150; content:"aut_sep_"; depth:8; fast_pattern; content:"_sep_"; distance:0; content:"_packet_"; endswith; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:command-and-control; sid:2026581; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (worldchangeos .com)"; dns.query; dotprefix; content:".worldchangeos.com"; nocase; endswith; classtype:trojan-activity; sid:2035928; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT Sending Screen Size"; flow:established,to_server; dsize:<50; content:"sc.op_sep_"; depth:10; nocase; fast_pattern; content:"_packet_"; endswith; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026584; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (liongracem .com)"; dns.query; dotprefix; content:".liongracem.com"; nocase; endswith; classtype:trojan-activity; sid:2035929; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT Requesting Screenshot"; flow:established,to_client; dsize:<50; content:"SC.CAP_sep_"; depth:11; nocase; content:"_sep_"; distance:0; content:"_packet_"; endswith; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026587; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, malware_family JavaRAT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (jmarrycs .com)"; dns.query; dotprefix; content:".jmarrycs.com"; nocase; endswith; classtype:trojan-activity; sid:2035930; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Winnti Payload - XORed Check-in to Infected System (0xd4413890)"; flow:established,to_server; dsize:<300; content:"|b0 1c 03 d4 90 38 41 d4 2a b4 80 7f|"; depth:12; content:"|04 00|"; endswith; reference:url,medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a; classtype:trojan-activity; sid:2027361; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_17, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag APT, tag Winnti, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (am-reader .com)"; dns.query; dotprefix; content:".am-reader.com"; nocase; endswith; classtype:trojan-activity; sid:2035931; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HVNC USR Init Detected"; flow:established,to_server; content:"|3b 00 00 00 19 00 00 00 12 01 00 00 2d 55 53 52|"; depth:16; content:"|00|"; endswith; reference:md5,4abde768b70e94093970901438e51cbd; classtype:trojan-activity; sid:2027831; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category TROJAN, malware_family HVNC, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fodcha Bot CnC Checkin"; flow:established,to_server; dsize:5; content:"|ee 00 00 11 ff|"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:command-and-control; sid:2035939; rev:1; metadata:attack_target IoT, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Fodcha, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.0)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|d|01|q|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022780; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Sparkasse Credential Phish M1 2022-04-13"; flow:established,to_server; flowbits:set,ET.sparkassephishlanding; http.method; content:"POST"; http.uri; content:"Code?sslchannel=true&sessionid="; depth:32; http.request_body; content:"vic_browser=n%2Fa&vic_os=n%2Fa&vic_screen=n%2Fa&vic_lang=n%2Fa&vic_flash=n%2Fa&vic_java=n%2Fa&vic_mime=n%2Fa&vic_plugins=n%2Fa&vic_fonts=n%2Fa"; depth:142; fast_pattern; content:"=Submit&login_name="; distance:0; content:"&pin="; distance:0; classtype:credential-theft; sid:2035933; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.1)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|e|01|q|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022781; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Sparkasse Credential Phish M2 2022-04-13"; flow:established,to_server; flowbits:set,ET.sparkassephishlanding; http.method; content:"POST"; http.uri; content:"Code?sslchannel=true&sessionid="; depth:32; http.request_body; content:"=Submit&old_sortcode="; fast_pattern; classtype:credential-theft; sid:2035934; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.2)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|f|01|q|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022782; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Credential Phish Landing Page M1 2022-04-13"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Code?sslchannel=true&sessionid="; fast_pattern; content:"vic_browser"; distance:0; content:"vic_os"; distance:0; content:"vic_lang"; distance:0; content:"vic_flash"; distance:0; content:"vic_java"; distance:0; content:"vic_mime"; distance:0; content:"vic_plugins"; distance:0; content:"vic_fonts"; distance:0; content:"type=|22|password|22|"; distance:0; classtype:credential-theft; sid:2035935; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.0)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|d|01|r|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022783; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Credential Phish Landing Page M2 2022-04-13"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Code?sslchannel=true&sessionid="; fast_pattern; content:"type=|22|password|22|"; distance:0; content:"window.screen.availWidth"; distance:0; content:"window.screen.availHeight"; within:40; content:"jscd.browser"; distance:0; content:"jscd.browserMajorVersion"; within:45; content:"jscd.browserVersion"; within:45; content:"jscd.os"; distance:0; content:"jscd.osVersion"; within:30; content:"jscd.screen"; distance:0; content:"avail_res"; within:50; content:"screen.colorDepth"; within:40; content:"screen.deviceXDPI"; within:45; content:"screen.deviceYDPI"; within:45; content:"language"; distance:0; content:"jscd|2e|flashVersion|3b|"; distance:0; content:"navigator.javaEnabled()"; distance:0; content:"mime"; distance:0; content:"plugins"; distance:0; content:"listFonts().join(',')"; distance:0; classtype:credential-theft; sid:2035936; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.1)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|e|01|r|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022784; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Credential Phish Landing Page M3 2022-04-13"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Code?sslchannel=true&sessionid="; fast_pattern; content:"vic_browser"; distance:0; content:"vic_os"; distance:0; content:"vic_lang"; distance:0; content:"vic_flash"; distance:0; content:"vic_java"; distance:0; content:"vic_mime"; distance:0; content:"vic_plugins"; distance:0; content:"vic_fonts"; distance:0; content:"type=|22|password|22|"; distance:0; classtype:credential-theft; sid:2035937; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.2)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|f|01|r|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022785; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Credential Phish Landing Page M4 2022-04-13"; flow:established,to_client; flowbits:isset,ET.sparkassephishlanding; http.stat_code; content:"200"; file.data; content:"type|3d 22|tel|22|"; distance:0; content:"Personal?sslchannel=true&sessionid="; fast_pattern; content:"sortcode"; classtype:credential-theft; sid:2035938; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.3)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|g|01|r|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022786; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (ifn1h8ag1g .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"ifn1h8ag1g.com"; bsize:14; fast_pattern; reference:url,www.threatfabric.com/blogs/octo-new-odf-banking-trojan.html; classtype:command-and-control; sid:2035905; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 10.0)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|d|01|v|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022787; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (s22231232fdnsjds .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"s22231232fdnsjds.top"; bsize:20; fast_pattern; reference:url,www.threatfabric.com/blogs/octo-new-odf-banking-trojan.html; classtype:command-and-control; sid:2035906; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SDBbot CnC Checkin"; flow:established,to_server; content:"|00 00 de c0|"; depth:4; content:"ver="; distance:0; content:"|0a|domain="; distance:0; content:"|0a|pc="; distance:0; content:"|0a|geo="; distance:0; content:"|0a|os="; distance:0; content:"|0a|rights="; distance:0; content:"|0a|proxyenabled="; distance:0; fast_pattern; content:"|0a|"; endswith; reference:md5,892be85dc60df6bc82568384e83b9b4c; classtype:command-and-control; sid:2031217; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_08, deployment Perimeter, former_category MALWARE, malware_family SDBbot, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (equisdeperson .space in TLS SNI)"; flow:established,to_server; tls.sni; content:"equisdeperson.space"; bsize:19; fast_pattern; reference:url,www.threatfabric.com/blogs/octo-new-odf-banking-trojan.html; classtype:command-and-control; sid:2035907; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/1xxbot CnC Checkin"; flow:established,to_server; dsize:<250; content:"|00|<EOM>Windows|20|"; startswith; fast_pattern; content:"<EOM>"; distance:0; content:"<EOM>"; distance:0; content:"<EOM>"; distance:0; content:"<EOF>"; endswith; reference:md5,9eb50c6cdb59d11b01ca9f069e8ba79d; classtype:command-and-control; sid:2028984; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_15, deployment Perimeter, former_category MALWARE, malware_family 1xxbot, signature_severity Major, updated_at 2022_03_24;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (xipxesip .design in TLS SNI)"; flow:established,to_server; tls.sni; content:"xipxesip.design"; bsize:15; fast_pattern; reference:url,www.threatfabric.com/blogs/octo-new-odf-banking-trojan.html; classtype:command-and-control; sid:2035908; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tick Group Payload - Reporting Error to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?"; content:"=hmo"; endswith; fast_pattern; http.user_agent; content:"|28|Windows|20|NT|20|6.1|3b 20|WOW64|3b|"; http.request_body; pcre:"/^[a-z0-9/=\+]$/i"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/; classtype:command-and-control; sid:2029081; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TickGroup, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Malicious User-Agent (FastInvoice)"; flow:established,to_server; http.user_agent; content:"FastInvoice"; bsize:11; startswith; fast_pattern; reference:md5,42218b0ce7fc47f80aa239d4f9e000a1; classtype:bad-unknown; sid:2035932; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2022_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tick Group Payload - Submitting Encrypted Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?"; content:"=A1f"; endswith; fast_pattern; http.user_agent; content:"|28|Windows|20|NT|20|6.1|3b 20|WOW64|3b|"; http.request_body; pcre:"/^[a-z0-9/=\+]$/i"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/; classtype:command-and-control; sid:2029082; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TickGroup, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TransparentTribe APT Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"@"; content:".php"; endswith; http.user_agent; content:"Python-urllib/"; startswith; http.request_body; content:".exe|25|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f9d7e0af85fd918dd5daf1b50bf649f6; reference:md5,68d73d596a7103e517967f7f4e22cecb; reference:url,blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html; classtype:trojan-activity; sid:2035917; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Observed Orange LiveBox Router Information Leakage Attempt (CVE-2018-20377)"; flow:established,to_server; http.request_line; content:"GET|20|"; startswith; content:"/get_getnetworkconf.cgi|20|HTTP/1.1"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,badpackets.net/over-19000-orange-livebox-adsl-modems-are-leaking-their-wifi-credentials; reference:cve,2018-20377; classtype:trojan-activity; sid:2029091; rev:2; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2019_12_03, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_24;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android/SpyLoan.9ef8bf95 Domain (api .dreamloan .cc in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.dreamloan.cc"; bsize:16; fast_pattern; reference:md5,5038f1ae69db7682e99c04947fa467aa; classtype:command-and-control; sid:2035909; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Snatch Ransomware - Encryption Finished"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Go-http-client/"; startswith; http.request_body; content:"{|22|host|22 3a 22|"; startswith; content:"|22 2c 22|type|22 3a 22|finished|22 2c 22|username|22 3a 22|"; distance:0; fast_pattern; content:"|22|}"; endswith; http.header_names; content:!"Referer"; reference:md5,46406680a5825b6d1622acb984d4a41d; classtype:command-and-control; sid:2029104; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_10, deployment Perimeter, former_category MALWARE, malware_family Snatch, signature_severity Major, tag Ransomware, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Agent.PUK Data Exfiltration Request M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"Cache=error"; fast_pattern; content:"Sand="; content:"Data="; content:"Em="; reference:url,hasec.ahnlab.com/ko/33141/; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:md5,e49e41a810730f4bf3d43178e4c84ee5; classtype:trojan-activity; sid:2035946; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Arechclient2 Backdoor CnC Init"; flow:established,from_server; dsize:<150; content:"|7b 22 54 79 70 65 22 3a 22 45 6e 63 72 79 70 74 69 6f 6e 53 74 61 74 75 73 22 2c 22 53 74 61 74 75 73 22 3a|"; fast_pattern; depth:80; content:"|7d|"; endswith; reference:md5,4ccba79d95dfd7d87b43643058e1cdd0; classtype:command-and-control; sid:2029217; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, malware_family Arechclient2, signature_severity Major, updated_at 2022_03_24;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Trojan-Spy.AndroidOS.Agent.abe Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"5iw68rugwfcir37uj8z3r6rfaxwd8g8cdcfcqw62.de"; bsize:43; fast_pattern; reference:md5,ad6f124d00ca05f2a19b5215b85e25a8; classtype:command-and-control; sid:2035910; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Arechclient2 Backdoor CnC Keep-Alive"; flow:established,from_server; dsize:<100; content:"|7b 22 54 79 70 65 22 3a 22 53 65 73 73 69 6f 6e 49 44 22 2c 22 53 65 73 73 69 6f 6e 49 44 22 3a 22|"; fast_pattern; depth:50; content:"|7d|"; endswith; reference:md5,4ccba79d95dfd7d87b43643058e1cdd0; classtype:command-and-control; sid:2029219; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, malware_family Arechclient2, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Agent.PUK Data Exfiltration Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"Cache=fail"; fast_pattern; content:"Sand="; reference:url,hasec.ahnlab.com/ko/33141/; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:md5,e49e41a810730f4bf3d43178e4c84ee5; classtype:trojan-activity; sid:2035947; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft SQL RCE Attempt (CVE-2020-0618)"; flow:established,to_server; urilen:37; http.method; content:"POST"; http.uri; content:"/ReportServer/pages/ReportViewer.aspx"; http.request_body; content:"NavigationCorrector|24|PageState|3d|NeedsCorrection|26|NavigationCorrector|24|ViewState|3d|"; startswith; fast_pattern; content:"|26 5f 5f|VIEWSTATE|3d|"; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,github.com/euphrat1ca/CVE-2020-0618; classtype:web-application-attack; sid:2029476; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2022_03_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET HUNTING FTP CWD to windows system32 - Suspicious"; flow:established,to_server; content:"CWD C|3a 5c|WINDOWS|5c|system32|5c|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008556; classtype:trojan-activity; sid:2008556; rev:7; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK JSE"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"X-UA-Compatible|3a 20|IE=EmulateIE8|0d 0a|"; file_data; content:"|3c 21|DOCTYPE html|3e 3c|html|3e 3c|head|3e 3c|script language|3d 22|JScript.Encode|22 3e 23 40 7e 5e|"; startswith; fast_pattern; pcre:"/^[^<]+\x0d\x0a<\/script>/R"; content:"|3c 2f|head|3e 3c|body|3e 3c 2f|body|3e 3c 2f|html|3e|"; endswith; reference:url,www.malware-traffic-analysis.net/2020/03/02/index.html; classtype:exploit-kit; sid:2029582; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For an Executable File In a Temp Directory"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"temp|5c|"; nocase; distance:0; content:"|2E|exe|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025702; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2022_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Suspected SandCat Related CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/socket.io/?EIO="; depth:16; content:"&transport=polling"; endswith; http.request_body; content:"|5b 22|add|20|user|22|,|22|ID_"; offset:5; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,eeecfa2999aea400deb8029d27db125e; classtype:command-and-control; sid:2029619; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".webm"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,af944c93405d60adc350f94e24a3d5a1; reference:url,twitter.com/souiten/status/1511552820863852544; classtype:trojan-activity; sid:2036210; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StealRat Checkin"; flow:established,to_server; http.uri; content:"/d/"; startswith; fast_pattern; content:".jpg"; endswith; pcre:"/^\/d\/[a-z]+\d+\.jpg$/"; http.header_names; content:!"Referer|0d 0a|"; http.host; content:"www.google.com"; bsize:14; classtype:command-and-control; sid:2017263; rev:4; metadata:created_at 2013_08_01, former_category MALWARE, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious VBS Sending System Information (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Cache=error&Sand="; startswith; fast_pattern; content:"&Data="; distance:0; content:"&Em="; distance:50; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:url,asec.ahnlab.com/ko/33141/; classtype:trojan-activity; sid:2036211; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Woai.Dropper Config Request"; flow:established,to_server; http.uri; content:"/client/config.ini"; fast_pattern; http.user_agent; content:"MSIE"; content:"|3B 29|"; endswith; reference:md5,0425a66e3b268ef8cbdd481d8e44b227; classtype:trojan-activity; sid:2018102; rev:7; metadata:created_at 2014_02_10, updated_at 2022_03_24;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Grafana 8.x Path Traversal (CVE-2021-43798)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/public/plugins/"; fast_pattern; content:"|2f 2e 2e 2f|"; distance:0; within:40; reference:url,github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p; classtype:attempted-admin; sid:2034629; rev:2; metadata:attack_target Server, created_at 2021_12_07, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MSIL/Firebird RAT CnC Checkin"; flow:established,to_server; dsize:<100; content:"|01 00 00 00 ff ff ff ff 01 00 00 00 00 00 00 00 06 01 00 00 00|"; startswith; fast_pattern; content:"|0b|"; endswith; reference:md5,ede8ebfc82463d1e7e6f29ca66f96514; classtype:command-and-control; sid:2029606; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, malware_family Firebird, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE EvilNominatus Ransomware Related Domain in DNS Lookup"; dns.query; content:"i-love-evilnominatuscrypt.000webhostapp.com"; nocase; bsize:43; reference:url,www.clearskysec.com/wp-content/uploads/2022/04/EvilNominatus_Ransomware_7.4.22.pdf; classtype:domain-c2; sid:2036212; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Online Scheduling System 1.0 - Authentication Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Online%20Scheduling%20System/login.php"; fast_pattern; http.request_body; content:"username="; depth:9; nocase; content:"&password="; nocase; distance:0; content:"&lgn=Login"; nocase; endswith; reference:url,www.exploit-db.com/exploits/48409; classtype:attempted-admin; sid:2030094; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Web_Server, created_at 2020_05_04, deployment Perimeter, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/seized.xml"; endswith; fast_pattern; http.user_agent; content:!"Linux"; content:!"Android"; http.header_names; content:!"Referer|0d 0a|"; http.host; content:".ru"; endswith; reference:md5,d6fe6243a9b4293db6384f22524ff709; reference:url,cert.gov.ua/article/39386; classtype:trojan-activity; sid:2036213; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus.Downloader Campaign Second Stage Executable Request"; flow:established,to_server; http.uri; content:"2p/"; content:".exe"; fast_pattern; endswith; pcre:"/\/p?2p\/[0-9]{1,2}\.exe$/"; reference:md5,ca15e5e96aee8b18ca6f3c185a690cea; classtype:trojan-activity; sid:2018184; rev:7; metadata:created_at 2014_02_27, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET INFO Empty POST with Terse Headers Over Non Standard Port"; flow:established,to_server; http.request_line; content:"POST / HTTP/1.1"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; bsize:26; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.content_len; byte_test:0,=,0,0,string,dec; reference:url,twitter.com/3xp0rtblog/status/1509267848958562305; reference:md5,52a46f058ec6b726fe2829a590a15155; classtype:bad-unknown; sid:2036225; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Major, updated_at 2022_04_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus.Downloader Campaign Second Stage Executable Request 10/4/2014"; flow:established,to_server; urilen:<11; http.uri; content:"/2p/"; depth:4; content:".exe"; endswith; fast_pattern; pcre:"/^\/2p\/[a-z]{1,2}\.exe$/"; reference:md5,94d5d99b910f9184573a01873fdc42fc; classtype:trojan-activity; sid:2018385; rev:5; metadata:created_at 2014_04_11, updated_at 2022_03_24;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M1 (CVE-2020-17456)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/system_log.cgi"; http.request_body; content:"&pingIpAddr="; fast_pattern; content:"%3B%"; distance:0; within:5; nocase; reference:cve,2020-17456; classtype:attempted-admin; sid:2035950; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_04_14, cve CVE_2020_17456, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Hyteod.Downloader CnC Beacon"; flow:established,to_server; http.uri; content:"/payment_gateway/"; startswith; content:".gz"; endswith; pcre:"/\/[a-z0-9]{3,}\.gz$/"; http.user_agent; content:"OperaMini"; depth:9; reference:md5,8258c3d8bab63cacf143cf034e2e7c1a; classtype:command-and-control; sid:2019824; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M2 (CVE-2020-17456)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/system_log.cgi"; http.request_body; content:"&pingIpAddr="; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; reference:cve,2020-17456; classtype:attempted-admin; sid:2035951; rev:1; metadata:created_at 2022_04_14, cve CVE_2020_17456, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE rechnung zip file download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"rechnung"; fast_pattern; nocase; content:".zip"; nocase; endswith; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2020622; rev:5; metadata:created_at 2015_03_05, former_category CURRENT_EVENTS, updated_at 2022_03_24;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SEOWON INTECH SLC-130 RCE Inbound (No CVE)"; flow:to_server,established; http.method; content:"POST"; http.uri; http.request_body; content:"&queriesCnt="; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; classtype:attempted-admin; sid:2035952; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Geodo/Emotet Downloading PE"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/mss"; fast_pattern; content:".exe"; endswith; pcre:"/\/mss\d+\.exe$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,6c4d198794d1afd2b8bbae6f16bdfaa7; classtype:trojan-activity; sid:2035043; rev:4; metadata:created_at 2015_03_17, former_category MALWARE, updated_at 2022_03_24;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link DWR Command Injection Inbound (CVE-2018-10823)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/chkisg.htm"; content:"%3FSip%"; fast_pattern; nocase; distance:0; content:"%7C"; nocase; distance:0; reference:cve,2018-10823; classtype:attempted-admin; sid:2035953; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, cve CVE_2018_10823, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
 
-#alert dns $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible DNS BIND TSIG Denial of Service Attempt (CVE-2020-8617)"; content:"|00|"; distance:0; byte_extract:1,1,rec_name,relative; content:"|00 00 fa 00 ff|"; distance:rec_name; within:5; fast_pattern; content:"|00 10 00 00|"; endswith; reference:cve,2020-8617; classtype:denial-of-service; sid:2030221; rev:2; metadata:attack_target DNS_Server, created_at 2020_05_26, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT iRZ Mobile Router RCE Inbound M1 (CVE-2022-27226)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/api/crontab"; fast_pattern; http.request_body; content:"|22|tasks|22 3a|"; content:"|22|command|22 3a|"; reference:cve,2022-27226; classtype:attempted-admin; sid:2035954; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, cve CVE_2022_27226, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi/Ursnif/Papras Grabftp Module Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/download/ftp/grabftp"; fast_pattern; content:".bin"; endswith; pcre:"/^\/download\/ftp\/(?:grabftp|grabftp64)\.bin$/"; http.header; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Win64|3B 20|x64)"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,e946b3dba7cd9a44fbbcbc3c7c76e440; classtype:trojan-activity; sid:2021321; rev:4; metadata:created_at 2015_06_23, updated_at 2022_03_24;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Razer Sila Router - Command Injection Attempt Inbound (No CVE)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ubus/"; http.request_body; content:"|22|exec|22|,|7b 22|command|22 3a 22|"; reference:url,www.exploit-db.com/exploits/50865; classtype:attempted-admin; sid:2035955; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RedControle Communicating with CnC"; flow:established,to_server; content:"SE_ND_CO_NN_EC|23|"; depth:15; fast_pattern; content:"|23|"; within:20; content:"|23|"; endswith; reference:url,threatvector.cylance.com/en_us/home/poking-the-bear-three-year-campaign-targets-russian-critical-infrastructure.html; reference:md5,855b937f668ecd90b8be004fd3c24717; classtype:command-and-control; sid:2026724; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category MALWARE, malware_family RedControle, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Razer Sila Router - LFI Attempt Inbound (No CVE)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ubus/"; http.request_body; content:"|22|read|22|,|7b 22|path|22 3a 22|"; reference:url,www.exploit-db.com/exploits/50864; classtype:attempted-admin; sid:2035956; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Phish 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&password="; nocase; distance:0; content:"&changing=Value"; nocase; endswith; classtype:credential-theft; sid:2032461; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Golang HTTP Backdoor CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; http.header; content:"auth_token=|22|XXXXXXX|22|"; fast_pattern; http.request_body; content:"details="; content:"&news="; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:trojan-activity; sid:2035958; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Backdoor, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized Adobe PDF Online Phish 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?e="; nocase; fast_pattern; pcre:"/\.php\?e=[a-zA-Z0-9+&*-]+(?:\.[a-zA-Z0-9_+&*-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,7}$/"; http.request_body; content:"p="; depth:2; nocase; content:"&submit="; nocase; endswith; classtype:credential-theft; sid:2032462; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Golang HTTP Backdoor Requesting Commands"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; http.header; content:"auth_token=|22|XXXXXXX|22|"; http.request_body; content:"news="; content:"&request_for_read="; fast_pattern; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:trojan-activity; sid:2035959; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Backdoor, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Bank Phish 2016-10-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"cpf="; depth:4; nocase; content:"&senha="; nocase; distance:0; content:"&ok=continuar"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032463; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Golang HTTP Backdoor Submitting Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; http.header; content:"auth_token=|22|XXXXXXX|22|"; fast_pattern; http.request_body; content:"answer="; content:"&cid="; content:"&news="; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:trojan-activity; sid:2035960; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Backdoor, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish 2016-11-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"userid="; depth:7; nocase; content:"&password="; nocase; distance:0; content:"&name="; nocase; distance:0; content:"&ssn="; nocase; distance:0; content:"&ccnum="; nocase; distance:0; content:"&cvv2="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&year="; nocase; distance:0; content:"&dob="; nocase; distance:0; content:"&atmpin="; nocase; distance:0; fast_pattern; content:"&add="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&epass="; nocase; distance:0; content:"&question1="; nocase; distance:0; content:"&continue=Submit+Now"; nocase; endswith; classtype:credential-theft; sid:2032464; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Gamaredon APT Related Malicious Shortcut Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/favicon.ico"; endswith; http.host; content:"military-ukraine."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c0d3a0ab9b47ab9bc81cf5d831053431; reference:md5,7b20e3ac2a4ebf507f6c8358245d5db5; classtype:trojan-activity; sid:2036214; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful BB&T Bank Phish 2016-12-15"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; content:"&input=Go"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032467; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to ShadowPad Domain (supership .dynv6 .net)"; dns.query; content:"supership.dynv6.net"; nocase; bsize:19; reference:url,otx.alienvault.com/pulse/624ff0af271429d152b5a27e; classtype:trojan-activity; sid:2036216; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fareit/Pony Downloader Checkin 3"; flow:established,to_server; flowbits:set,ET.Fareit.chk; http.method; content:"GET"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.0"; depth:33; content:"Windows 98)"; fast_pattern; endswith; http.accept; content:"*/*"; http.connection; content:"close"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|"; reference:md5,dcc2c110e509fa777ab1460f665bd137; reference:md5,bf422f3aa215d896f55bbe2ebcd25d17; reference:md5,d50c39753ba88daa00bc40848f174168; reference:md5,9544c681ae5c4fe3fdbd4d5c6c90e38e; classtype:command-and-control; sid:2014234; rev:14; metadata:created_at 2012_02_17, former_category MALWARE, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to ShadowPad Domain (greatsong .soundcast .me)"; dns.query; content:"greatsong.soundcast.me"; nocase; bsize:22; reference:url,otx.alienvault.com/pulse/624ff0af271429d152b5a27e; classtype:trojan-activity; sid:2036217; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Evil Macro EXE DL mar 15 2016"; flow:established,to_server; http.uri; content:"/image/"; depth:7; content:".exe"; endswith; fast_pattern; pcre:"/^\/image\/(?:data|flags)\/[^\x2f]+\.exe$/i"; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2022622; rev:6; metadata:created_at 2016_03_16, former_category CURRENT_EVENTS, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to ShadowPad Domain (supermarket .ownip .net)"; dns.query; content:"supermarket.ownip.net"; nocase; bsize:21; reference:url,otx.alienvault.com/pulse/624ff0af271429d152b5a27e; classtype:trojan-activity; sid:2036218; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot Requesting PE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"ho"; content:"ping/mod_"; within:10; fast_pattern; content:"/"; endswith; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,08aab7cdbfc2446fbca2a2f350df4ea2; classtype:trojan-activity; sid:2019759; rev:8; metadata:created_at 2014_11_20, updated_at 2022_03_24;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Remote Code Execution Inbound (CVE-2020-17530)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|25 7b|"; content:".exec|28|"; distance:0; fast_pattern; content:"|29 7d|"; distance:0; reference:url,github.com/CyborgSecurity/CVE-2020-17530; reference:cve,2020-17530; classtype:attempted-admin; sid:2033408; rev:2; metadata:created_at 2021_07_24, cve CVE_2020_17530, former_category WEB_SPECIFIC_APPS, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KINS/ZeusVM Variant Retrieving Config"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/config"; fast_pattern; content:".jpg"; endswith; pcre:"/\/config[^\x2e\x2f]*?\.jpg$/"; http.header; content:"Cache-Control|3a 20|no-cache"; http.user_agent; pcre:"/(?:\x20MSIE\x20|rv\x3a11)/"; http.connection; content:"close"; nocase; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:trojan-activity; sid:2021528; rev:8; metadata:created_at 2015_07_23, former_category TROJAN, updated_at 2022_03_24;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba Lure (Package Delivery)"; flow:established,to_client; content:"|82|"; startswith; content:"jsonrpc"; distance:5; within:8; content:"Your parcel has been sent out.Please check and accept it. http"; fast_pattern; reference:url,team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion; classtype:trojan-activity; sid:2036215; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_04_14, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RansomCrypt Intial Check-in"; flow:established,to_server; http.user_agent; content:"Windows NT 5.1|3b 20|ru|3b|"; content:"Gecko/20100722 Firefox/3.6.12"; endswith; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; classtype:trojan-activity; sid:2016748; rev:6; metadata:created_at 2013_04_10, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.longmusic .com Domain"; flow:established,to_server; http.host; content:".longmusic.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035961; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 7"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; depth:1; content:"/"; endswith; http.user_agent; pcre:"/(?:MSIE|rv\x3a)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; content:"63"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|"; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:command-and-control; sid:2025119; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Smoke_Loader, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.longmusic .com Domain"; dns.query; content:".longmusic.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035962; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 2 M2"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/[a-z]{3,6}\/[a-z]{3,6}\.[a-z]{3}$/"; http.cookie; content:"=|3b 20|"; content:"=|3b 20|"; distance:0; content:"=|3b|"; endswith; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|Cookie|0d 0a|Host|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a 0d 0a|"; reference:md5,f12fc711529b48bcef52c5ca0a52335a; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting; classtype:command-and-control; sid:2025291; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category MALWARE, malware_family elise, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.wikaba .com Domain"; dns.query; content:".wikaba.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035963; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] Successful 163 Webmail Phish 2018-07-25"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"application/json"; file.data; content:"{|22|user_id|22|:|22|"; nocase; within:20; content:"|22|,|22|ip|22|:|22|"; nocase; within:15; content:"|22|,|22|add_time|22|:|22|"; nocase; distance:0; content:".163.com|5c 2f 22 2c 22|code|22 3a 22|ok|22|}"; nocase; endswith; fast_pattern; classtype:credential-theft; sid:2025893; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.wikaba .com Domain"; flow:established,to_server; http.host; content:".wikaba.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035964; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-09-26"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"&formtext1="; nocase; distance:0; content:"&formimage1.x=1&formimage1.y=1"; fast_pattern; nocase; endswith; classtype:credential-theft; sid:2026412; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.zzux .com Domain"; flow:established,to_server; http.host; content:".zzux.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035965; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kraken Ransomware Start Activity 1"; flow:established,to_server; http.uri; content:!"."; content:!"&"; content:!"?"; http.user_agent; content:"-"; offset:2; depth:1; content:"|3a|Begin"; endswith; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aBegin$/"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,09d3bd874d9a303771c89385d938c430; classtype:trojan-activity; sid:2026471; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_11, deployment Perimeter, former_category MALWARE, malware_family Kraken_Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.wikaba .com Domain"; dns.query; content:".wikaba.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035966; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Kraken Ransomware Start Activity 2"; flow:established,to_server; http.uri; content:!"."; content:!"&"; content:!"?"; http.user_agent; content:"-"; offset:2; depth:1; content:"|3a|StartU"; endswith; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aStartU$/"; http.header_names; content:!"Accept"; content:!"Referer"; classtype:trojan-activity; sid:2026472; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_11, deployment Perimeter, former_category MALWARE, malware_family Kraken_Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.wikaba .com Domain"; flow:established,to_server; http.host; content:".wikaba.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035967; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sidewinder Stage 2 VBS Downloader Reporting Successful Infection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/"; depth:9; content:"/true/true/done"; fast_pattern; endswith; http.user_agent; content:"WinHttp.WinHttpRequest."; http.header_names; content:"Referer"; content:!"Cache"; reference:md5,dfad7d4a7ecb2eed6d69abfbfb5f94c9; reference:url,medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739; classtype:trojan-activity; sid:2026545; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, malware_family Sidewinder, performance_impact Low, signature_severity Major, tag VBS, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dumb1 .com Domain"; dns.query; content:".dumb1.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035968; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for DNSpionage CnC Domain"; dns.query; content:".microsoftonedrive.org"; nocase; fast_pattern; endswith; reference:url,blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html; classtype:command-and-control; sid:2026680; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DNSpionage, tag DNS_tunneling, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dumb1 .com Domain"; flow:established,to_server; http.host; content:".dumb1.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035969; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"outlooklive.org.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026704; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onedumb .com Domain"; dns.query; content:".onedumb.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035970; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.toshiba.org.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026705; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onedumb .com Domain"; flow:established,to_server; http.host; content:".onedumb.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035971; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.fujitsu.org.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026706; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.youdontcare .com Domain"; dns.query; content:".youdontcare.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035972; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.asus.org.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026707; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.youdontcare .com Domain"; flow:established,to_server; http.host; content:".youdontcare.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035973; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.miria.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026708; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.yourtrap .com Domain"; dns.query; content:".yourtrap.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035974; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"cloudpallets32.com"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026709; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.yourtrap .com Domain"; flow:established,to_server; http.host; content:".yourtrap.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035975; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"contents.bz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026710; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.2waky .com Domain"; dns.query; content:".2waky.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035976; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"usasecurefiles.com"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026711; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.2waky .com Domain"; flow:established,to_server; http.host; content:".2waky.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035977; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"freecloud.biz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026712; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.sexidude .com Domain"; dns.query; content:".sexidude.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035978; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"alotile.biz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026713; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sexidude .com Domain"; flow:established,to_server; http.host; content:".sexidude.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035979; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"transef.biz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026714; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mefound .com Domain"; dns.query; content:".mefound.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035980; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"fundsxe.com"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026715; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mefound .com Domain"; flow:established,to_server; http.host; content:".mefound.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035981; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"document.cdn-one.biz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026716; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.organiccrap .com Domain"; dns.query; content:".organiccrap.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035982; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Win32 Lucky Ransomware Encryption Process Started"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?code="; content:"&file="; distance:0; content:"&size="; distance:0; content:"&sys="; distance:0; content:"&VERSION="; distance:0; content:"&status=begin"; fast_pattern; endswith; http.user_agent; content:"Client"; depth:6; endswith; reference:url,blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/; classtype:trojan-activity; sid:2026726; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category MALWARE, malware_family Satan, signature_severity Major, tag Ransomware, tag Multi_Platform, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.organiccrap .com Domain"; flow:established,to_server; http.host; content:".organiccrap.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035983; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lucky Ransomware Reporting Successful File Encryption"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?code="; content:"&file="; distance:0; content:"&size="; distance:0; content:"&sys="; distance:0; content:"&VERSION="; distance:0; content:"&status=done"; fast_pattern; endswith; http.user_agent; content:"Client"; depth:6; endswith; reference:url,blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/; classtype:trojan-activity; sid:2026727; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category MALWARE, malware_family Satan, signature_severity Major, tag Ransomware, tag Multi_Platform, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.toythieves .com Domain"; dns.query; content:".toythieves.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035984; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Unk Downloader 0 Byte POST CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-Length|3a 20|0|0d|"; http.user_agent; content:"xmsSofts_1.0.0_"; depth:15; fast_pattern; content:"|5c|"; endswith; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2026760; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, tag JavaScript, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.toythieves .com Domain"; flow:established,to_server; http.host; content:".toythieves.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035985; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Retadup CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"4D53473A213A"; content:"20457865637574656420417320"; distance:0; fast_pattern; content:"0D0A"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-retadup-worm-goes-polymorphic-gets-an-autohotkey-variant/; classtype:command-and-control; sid:2027078; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_13, deployment Perimeter, former_category MALWARE, malware_family Retadup, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.justdied .com Domain"; dns.query; content:".justdied.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035986; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Unattributed CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"secure-message.online"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:domain-c2; sid:2027222; rev:5; metadata:attack_target Client_and_Server, created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.justdied .com Domain"; flow:established,to_server; http.host; content:".justdied.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035987; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Unattributed CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"internal-message.app"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:domain-c2; sid:2027223; rev:4; metadata:attack_target Client_and_Server, created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.jungleheart .com Domain"; dns.query; content:".jungleheart.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035988; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Binance Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"binance"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027240; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.jungleheart .com Domain"; flow:established,to_server; http.host; content:".jungleheart.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035989; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Ebay Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"ebay"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027242; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mrbonus .com Domain"; dns.query; content:".mrbonus.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035990; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Webmail Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"webmail"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027243; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mrbonus .com Domain"; flow:established,to_server; http.host; content:".mrbonus.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035991; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Account Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"account"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027244; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.x24hr .com Domain"; dns.query; content:".x24hr.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035992; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Outlook Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"outlook"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027246; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.x24hr .com Domain"; flow:established,to_server; http.host; content:".x24hr.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035993; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible DHL Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"dhl"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027247; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.fartit .com Domain"; dns.query; content:".fartit.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035994; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Docusign Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"docusign"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027248; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.fartit .com Domain"; flow:established,to_server; http.host; content:".fartit.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035995; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Facebook Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"facebook"; content:".github.io"; endswith; fast_pattern; content:!"facebook.github.io"; depth:18; endswith; classtype:policy-violation; sid:2027275; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.itemdb .com Domain"; dns.query; content:".itemdb.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035996; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Paypal Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"paypal"; fast_pattern; content:".github.io"; endswith; content:!"paypal.github.io"; depth:16; endswith; classtype:policy-violation; sid:2027241; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.itemdb .com Domain"; flow:established,to_server; http.host; content:".itemdb.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035997; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jenkins Information Disclosure CVE-2017-1000395"; flow:established,to_server; http.method; content:"GET"; depth:3; endswith; http.uri; content:"/securityRealm/user/"; depth:20; fast_pattern; content:"/api/xml"; endswith; http.header_names; content:!"Referer"; reference:cve,2017-1000395; reference:url,jenkins.io/security/advisory/2017-10-11/#user-remote-api-disclosed-users-email-addresses; classtype:web-application-attack; sid:2027347; rev:5; metadata:attack_target Server, created_at 2019_05_10, cve 2017_1000395, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.instanthq .com Domain"; dns.query; content:".instanthq.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035998; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Office Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"office"; fast_pattern; content:".github.io"; endswith; content:!"officedev.github.io"; classtype:policy-violation; sid:2027245; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.instanthq .com Domain"; flow:established,to_server; http.host; content:".instanthq.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035999; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload Sending Screenshot to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?TOKEN="; content:"&funx=sc&i="; distance:0; fast_pattern; content:".png"; endswith; reference:url,mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg; classtype:targeted-activity; sid:2027681; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MuddyWater, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.xxuz .com Domain"; dns.query; content:".xxuz.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036000; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload Requesting Command from CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|command|2f|"; depth:9; fast_pattern; content:".cmd"; endswith; pcre:"/^\/command\/[A-Fa-f0-9]{8}\-(?:[A-Fa-f0-9]{4}\-){3}[A-Fa-f0-9]{12}\.cmd$/"; reference:url,mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg; classtype:targeted-activity; sid:2027684; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MuddyWater, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.xxuz .com Domain"; flow:established,to_server; http.host; content:".xxuz.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036001; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT Sarhurst/Husar/Hussarini/Hassar CnC Command Response"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<CHECK>"; depth:7; content:"</CHECK><COMMAND>"; distance:0; fast_pattern; content:"</COMMAND>"; endswith; pcre:"/^<CHECK>(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/CHECK>/"; reference:url,www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html; classtype:targeted-activity; sid:2027708; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.jkub .com Domain"; dns.query; content:".jkub.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036002; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Eris Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/v1/check"; depth:13; fast_pattern; endswith; http.request_body; content:"|7b 22 75 69 64 22 3a 22|"; depth:8; content:"|22 7d|"; endswith; pcre:"/^\{\x22uid\x22\x3a\x22[a-f0-9]+\x22\}$/si"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:!"Referer"; reference:md5,a4eeec442799c56c3e1aa9761661fb42; reference:url,www.bleepingcomputer.com/news/security/rig-exploit-kit-pushing-eris-ransomware-in-drive-by-downloads/; classtype:command-and-control; sid:2027802; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_05, deployment Perimeter, former_category MALWARE, malware_family Eris, signature_severity Major, tag Ransomware, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.jkub .com Domain"; flow:established,to_server; http.host; content:".jkub.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036003; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Rogue.WinPCDefender Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?machine_id={"; depth:14; fast_pattern; content:"}"; endswith; http.host; content:"anti"; depth:4; http.header_names; content:!"Referer"; reference:md5,aa8def27909596f8477a5374f735eec9; reference:url,www.bleepingcomputer.com/virus-removal/remove-antivirus-pro-2017; classtype:pup-activity; sid:2025358; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_14, deployment Perimeter, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.itsaol .com Domain"; dns.query; content:".itsaol.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036004; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GlitchPOS CnC Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gate.php?ped="; fast_pattern; content:"&s=1"; endswith; http.header_names; content:!"Referer"; reference:md5,8cfa2adde150918062eb5d6af59d0e2a; classtype:command-and-control; sid:2027912; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.itsaol .com Domain"; flow:established,to_server; http.host; content:".itsaol.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036005; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/dnscfg.cgi?dnsPrimary="; fast_pattern; content:"&dnsSecondary="; distance:0; content:"&dnsDynamic=0&dnsRefresh=1"; endswith; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027906; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.faqserv .com Domain"; dns.query; content:".faqserv.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036006; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TOTOLINK Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/boafrm/formbasetcpipsetup?dnsmode=dnsmanual&dns1="; fast_pattern; content:"&dns2="; distance:0; content:"&dns3="; distance:0; content:"&dnsrefresh=1"; endswith; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027910; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.faqserv .com Domain"; flow:established,to_server; http.host; content:".faqserv.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036007; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2016-09-16"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"dhl"; nocase; content:".php"; endswith; http.request_body; content:"email="; depth:6; nocase; fast_pattern; content:"pass="; nocase; distance:0; classtype:credential-theft; sid:2032505; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.jetos .com Domain"; dns.query; content:".jetos.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036008; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal (DE) Phish 2016-10-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"login_password="; depth:15; nocase; content:"&submit.x=Soumettre"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032561; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.jetos .com Domain"; flow:established,to_server; http.host; content:".jetos.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036009; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FreeMobile (FR) Phish M1 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"free.fr"; nocase; content:".php"; nocase; endswith; http.request_body; content:"comid="; depth:6; nocase; fast_pattern; content:"&compw="; nocase; distance:0; classtype:credential-theft; sid:2032573; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.qpoe .com Domain"; dns.query; content:".qpoe.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036010; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FreeMobile (FR) Phish M2 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"free.fr"; nocase; content:".php"; nocase; endswith; http.request_body; content:"comid2="; depth:7; nocase; fast_pattern; content:"&compw2="; nocase; distance:0; content:"&addr="; nocase; distance:0; classtype:credential-theft; sid:2032574; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.qpoe .com Domain"; flow:established,to_server; http.host; content:".qpoe.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036011; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FreeMobile (FR) Phish M3 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"free.fr"; nocase; content:".php"; nocase; endswith; http.request_body; content:"comname="; depth:8; nocase; fast_pattern; content:"&comnum="; nocase; distance:0; content:"&common="; nocase; distance:0; content:"&comy="; nocase; distance:0; content:"&comc="; nocase; distance:0; classtype:credential-theft; sid:2032575; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.qhigh .com Domain"; dns.query; content:".qhigh.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036012; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HBL Bank Phish M1 2016-10-12"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"tp="; depth:3; nocase; content:"&tp2="; nocase; distance:0; content:"&form6="; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032583; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.qhigh .com Domain"; flow:established,to_server; http.host; content:".qhigh.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036013; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful NatWest Bank Phish M3 2016-10-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"nwolb"; nocase; content:".aspx"; nocase; distance:0; content:".php"; nocase; endswith; http.header; content:"nwolb"; nocase; http.request_body; content:"c1="; nocase; content:"&c2="; nocase; distance:0; fast_pattern; content:"&c3="; nocase; distance:0; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2032597; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.vizvaz .com Domain"; dns.query; content:".vizvaz.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036014; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful NAB Bank Phish M1 2016-10-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"userid="; depth:7; nocase; content:"&password="; nocase; distance:0; content:"&sbt=Login"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032599; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.vizvaz .com Domain"; flow:established,to_server; http.host; content:".vizvaz.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036015; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-10-21"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"mpp/"; content:".php"; nocase; endswith; distance:0; http.header; content:"mpp/"; http.request_body; content:"1="; depth:2; nocase; content:"&2="; nocase; distance:0; content:"&submit.x=Login"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032608; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mrface .com Domain"; dns.query; content:".mrface.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036016; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Outlook Phish 2016-10-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Email="; depth:6; nocase; content:"&Password="; nocase; distance:0; content:"&SI=Verify"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032594; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mrface .com Domain"; flow:established,to_server; http.host; content:".mrface.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036017; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Online Phish 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"excel"; nocase; content:".php"; nocase; endswith; http.request_body; content:"X1="; depth:3; nocase; content:"&X2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032568; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.isasecret .com Domain"; dns.query; content:".isasecret.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036018; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Phish 2016-11-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"excel"; nocase; content:".php"; nocase; endswith; http.request_body; content:"email="; depth:6; nocase; content:"&passwd="; nocase; distance:0; fast_pattern; content:"&.save="; nocase; distance:0; classtype:credential-theft; sid:2032625; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.isasecret .com Domain"; flow:established,to_server; http.host; content:".isasecret.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036019; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Three Step Gmail Phish (1 of 3) 2016-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Email="; depth:6; nocase; content:"&Next=Next"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032648; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mrslove .com Domain"; dns.query; content:".mrslove.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036020; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Three Step Gmail Phish (3 of 3) 2016-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"phoneNumber="; depth:12; nocase; content:"&altemail="; nocase; distance:0; content:"&City="; nocase; distance:0; content:"&submitChallenge=Continue"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032650; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_04_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mrslove .com Domain"; flow:established,to_server; http.host; content:".mrslove.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036021; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PDF Online Phish 2016-12-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"pdf"; nocase; content:".php"; nocase; endswith; http.request_body; content:"t1="; depth:3; nocase; content:"X1="; nocase; distance:0; content:"&X2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032726; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.americanunfinished .com Domain"; dns.query; content:".americanunfinished.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036022; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/mpp/"; nocase; fast_pattern; content:".php"; nocase; endswith; http.request_body; content:"1="; depth:2; nocase; content:"&2="; nocase; distance:0; content:"&submit.x="; nocase; distance:0; pcre:"/^1=[^%]+(?:@|%40)[^&]+&/"; classtype:credential-theft; sid:2032704; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.americanunfinished .com Domain"; flow:established,to_server; http.host; content:".americanunfinished.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036023; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2016-10-03"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&password="; nocase; distance:0; content:"&submit="; nocase; endswith; pcre:"/^username=[^%]+(?:@|%40)[^&]+&/"; classtype:credential-theft; sid:2032700; rev:9; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.serveusers .com Domain"; dns.query; content:".serveusers.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036024; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (asrgd-uz .weedns.com)"; dns.query; content:"asrgd-uz"; fast_pattern; depth:8; content:".weedns.com"; nocase; endswith; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023025; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.serveusers .com Domain"; flow:established,to_server; http.host; content:".serveusers.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036025; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (sx4-ws42 .yi.org)"; dns.query; content:"sx4-ws42"; fast_pattern; depth:8; content:".yi.org"; nocase; endswith; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023026; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.serveuser .com Domain"; dns.query; content:".serveuser.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036026; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (we .q.tcow.eu)"; dns.query; content:"we"; depth:2; content:".q.tcow.eu"; nocase; fast_pattern; endswith; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023027; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.serveuser .com Domain"; flow:established,to_server; http.host; content:".serveuser.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036027; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tflower Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?name="; content:"&state=start"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:md5,53c923d4e39b966ab951f9a3b9d090be; reference:url,www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/; classtype:command-and-control; sid:2028597; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Tflower_Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.myftp .info Domain"; dns.query; content:".myftp.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036028; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jquery-"; depth:8; content:".min.js"; endswith; http.header; content:"Referer|3a 20|http|3a|//code.jquery.com/|0d 0a|Accept"; fast_pattern; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; bsize:63; http.accept_enc; content:"gzip, deflate"; bsize:13; http.cookie; content:"__cfduid="; depth:9; isdataat:!172,relative; pcre:"/^[A-Za-z0-9_-]{171}$/Rs"; reference:md5,8c9903db02a29847d04d0fd81dd67046; classtype:command-and-control; sid:2033658; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_22, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.myftp .info Domain"; flow:established,to_server; http.host; content:".myftp.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036029; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Darkhotel Higasia Downloader Requesting Module"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/file/start?session="; depth:20; fast_pattern; content:"&imsi="; within:20; content:".exe"; endswith; reference:md5,0e1ed07bae97d8b1cc4dcfe3d56ea3ee; reference:url,github.com/blackorbird/APT_REPORT/blob/master/Darkhotel/higaisa/higaisa_apt_report.pdf; classtype:command-and-control; sid:2028934; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mydad .info Domain"; dns.query; content:".mydad.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036030; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BottleEK Landing"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; depth:9; endswith; http.content_len; byte_test:0,<,1000,0,string,dec; file.data; content:"<!doctype html>|0d 0a|<html lang=|22|ja|22|>|0d 0a|<head>|0d 0a|<meta http-equiv=|22|Content-Type|22 20|content=|22|text/html|3b 20|charset=UTF-8|22|>|0d 0a|<meta http-equiv=|22|x-ua-compatible|22 20|content=|22|IE=10|22|>|0d 0a|<meta http-equiv=|22|Expires|22 20|content=|22|0|22|>|0d 0a|<meta http-equiv=|22|Pragma|22 20|content=|22|no-cache|22|>|0d 0a|<meta http-equiv=|22|Cache-control|22 20|content=|22|no-cache|22|>|0d 0a|<meta http-equiv=|22|Cache|22 20|content=|22|no-cache|22|>"; content:"<body style=|22|background-color|3a 20|#F4F4F4|3b|font-family|3a|MS PGothic,Arial,Hiragino Kaku Gothic ProN,Osaka,sans-serif|22|>"; distance:0; fast_pattern; content:"/ajax.min.js|22|></script>|0d 0a|<script type=|22|text/javascript|22 20|src=|22|"; distance:0; content:"/main.js|22|></script>|0d 0a|</body>|0d 0a|</html>"; endswith; classtype:exploit-kit; sid:2029122; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mydad .info Domain"; flow:established,to_server; http.host; content:".mydad.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036031; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Liftoh.Downloader Final.html Payload Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dl/"; content:"/final.html"; endswith; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:trojan-activity; sid:2017869; rev:5; metadata:created_at 2013_12_17, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mymom .info Domain"; dns.query; content:".mymom.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036032; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 1 M2"; flow:to_server,established; content:"Cookie|3a 20|A="; fast_pattern; http.method; content:"GET"; http.uri; content:"/"; offset:9; depth:1; content:".html"; nocase; endswith; pcre:"/^\/[a-f0-9]{8}\/\D+\d{8,10}\.html$/i"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,23ace716ec34bfd9c98efd79b23a01af; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:command-and-control; sid:2021275; rev:9; metadata:attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mymom .info Domain"; flow:established,to_server; http.host; content:".mymom.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036033; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder FreeMobile (FR) Phishing 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"free.fr"; nocase; fast_pattern; content:".php"; nocase; endswith; http.header; content:"free.fr"; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032703; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mypicture .info Domain"; dns.query; content:".mypicture.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036034; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M8"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; content:!"?"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6."; startswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; pcre:"/^[A-Za-z]{5,20}\x22\x3b\x20filename=\x22[A-Za-z]{5,20}\x22/R"; content:"|0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|"; within:44; content:"|2d 2d 00 00 00 00 00 00 00 00 00 00|"; distance:0; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; http.content_type; content:"multipart/form-data|3b 20|boundary=---------------------------"; startswith; pcre:"/^\d{15}$/R"; http.content_len; byte_test:0,<,5000,0,string,dec; byte_test:0,>,4000,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[A-Z0-9a-z]{2,25}\/){1,10})\sHTTP\/1\.1\r\nReferer\x3a\x20http:\/\/(?:\d{1,3}\.){3}\d{1,3}(?:\x3a[0-9]{2,5})?(?P=urivar)\r\n/"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; depth:59; classtype:command-and-control; sid:2029380; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, tag Emotet, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mypicture .info Domain"; flow:established,to_server; http.host; content:".mypicture.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036035; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Onliner Mailer Module Communicating with CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?&1001="; fast_pattern; content:"&req="; distance:1; within:5; content:"&"; endswith; http.protocol; content:"HTTP/1.0"; http.header_names; content:"Accept-Charset"; content:!"Referer"; content:!"Cache"; reference:url,www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/; classtype:command-and-control; sid:2027810; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_06, deployment Perimeter, former_category MALWARE, malware_family Onliner, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.myz .info Domain"; dns.query; content:".myz.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036036; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GanDownloader CnC Checkin"; flow:established,to_server; http.request_body; content:"|2f 00 00 00|"; depth:4; content:"_"; distance:6; content:"202020202020|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; fast_pattern; pcre:"/^\x2f\x00{3}[A-Z0-9]{6}_[a-f0-9]+\x00{16}$/s"; http.request_line; content:"POST / HTTP/1.1"; depth:15; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:md5,8f0017ed89c2f6639cc2a08bc1e83f1e; classtype:command-and-control; sid:2026946; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_20, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.myz .info Domain"; flow:established,to_server; http.host; content:".myz.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036037; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Win32/SocStealer.Socelars C2 Response"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Server-Key|3a 20|"; pcre:"/[A-Za-z0-9]{62}/R"; file.data; content:"[DATA]"; depth:6; fast_pattern; content:"[DATA]"; endswith; classtype:command-and-control; sid:2025458; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_03, deployment Perimeter, former_category MALWARE, malware_family SocStealer, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.squirly .info Domain"; dns.query; content:".squirly.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036038; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FOX-SRT ShimRat check-in (Yuok)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Youk$$"; fast_pattern; content:"Youk"; endswith; pcre:"/^(?:php)?Yuok\$\$\d\d/"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022902; rev:6; metadata:created_at 2016_06_15, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.squirly .info Domain"; flow:established,to_server; http.host; content:".squirly.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036039; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FOX-SRT ShimRat check-in (Data)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Data$$"; fast_pattern; content:"Data"; endswith; pcre:"/Data\$\$\d\d/"; http.header_names; content:!"Content-Type"; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022900; rev:9; metadata:created_at 2016_06_15, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.toh .info Domain"; dns.query; content:".toh.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036040; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MoinMoin twikidraw Action Traversal File Upload"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"?action=twikidraw"; fast_pattern; content:"&target="; distance:0; content:"../moin.wsgi"; endswith; reference:bugtraq,57082; reference:cve,2012-6081; reference:url,packetstormsecurity.com/files/122079/moinmoin_twikidraw.rb.txt; reference:url,exploit-db.com/exploits/25304/; classtype:web-application-attack; sid:2017074; rev:5; metadata:created_at 2013_06_28, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.toh .info Domain"; flow:established,to_server; http.host; content:".toh.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036041; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrickBot CnC Initial Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_W"; content:"/5/file/"; endswith; fast_pattern; http.user_agent; content:"curl/"; depth:5; http.header_names; content:!"Accept"; content:!"Referer"; classtype:trojan-activity; sid:2033659; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.xxxy .info Domain"; dns.query; content:".xxxy.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036042; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (OneDrive)"; flow:established,to_server; http.cookie; content:"E=P|3a|"; content:"=|3a|PFzM9cj"; endswith; fast_pattern; http.request_line; content:"GET|20|/preload?manifest=wac|20|HTTP/1.1"; bsize:34; http.header_names; content:!"Referer"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile; classtype:command-and-control; sid:2029743; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.xxxy .info Domain"; flow:established,to_server; http.host; content:".xxxy.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036043; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible eDellRoot Rogue Root CA"; flow:established,to_client; tls.cert_issuer; content:"CN=eDellRoot"; fast_pattern; reference:url,arstechnica.com/security/2015/11/dell-does-superfish-ships-pcs-with-self-signed-root-certificates/; classtype:trojan-activity; sid:2022134; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.freewww .info Domain"; dns.query; content:".freewww.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036044; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/ProtonBot CnC Response"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"newtask|3b|"; depth:8; fast_pattern; content:"|3b|1|3b|http"; within:15; content:".exe"; endswith; reference:url,fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild; reference:md5,efb1db340e78f6799d9fbc5ee08f40fe; classtype:command-and-control; sid:2027382; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.freewww .info Domain"; flow:established,to_server; http.host; content:".freewww.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036045; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Backdoor.Small.ao CnC Checkin"; flow:established,to_server; urilen:8; threshold: type limit, track by_dst, seconds 30, count 1; http.method; content:"POST"; http.uri; content:"/waiting"; fast_pattern; http.user_agent; content:"BC_Vic_"; depth:7; content:"BC_SPL"; endswith; http.header_names; content:"Expect"; content:!"Referer"; content:!"Accept"; content:!"Cache"; reference:md5,e8c9d8ffe8fae54b15262bf9aeb4172c; classtype:command-and-control; sid:2025370; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_19, deployment Perimeter, former_category MALWARE, malware_family Backdoor_Small, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.xxxy .biz Domain"; dns.query; content:".xxxy.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036046; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT DSLink 260E Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/action?dns_status=1&dns_poll_timeout="; fast_pattern; content:"&id="; distance:0; content:"&dns_serv_ip_1="; distance:0; content:"&dns_serv_ip_2="; distance:0; content:"&dns_serv_ip_3="; distance:0; content:"&dns_serv_ip_4="; distance:0; content:"&priority=1&cmdadd=add"; endswith; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027908; rev:8; metadata:attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.xxxy .biz Domain"; flow:established,to_server; http.host; content:".xxxy.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036047; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to avsvmcloud .com"; dns.query; content:".appsync-api."; content:"avsvmcloud.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031324; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.sexxxy .biz Domain"; dns.query; content:".sexxxy.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036048; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to avsvmcloud .com"; flow:established,to_server; http.host; content:".appsync-api."; dotprefix; content:".avsvmcloud.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031338; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sexxxy .biz Domain"; flow:established,to_server; http.host; content:".sexxxy.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036049; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (avsvmcloud .com)"; flow:established,to_client; tls.cert_subject; content:".appsync-api."; content:".avsvmcloud.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031341; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.www1 .biz Domain"; dns.query; content:".www1.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036050; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Second Stage Payload Inbound 2021-02-19"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bestof/"; content:".exe"; within:20; endswith; http.header; content:"User-Agent|3a 20|AutoHotkey|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,2184931b6412cc900837890a6c5685f6; classtype:trojan-activity; sid:2033044; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.www1 .biz Domain"; flow:established,to_server; http.host; content:".www1.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036051; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Adobe Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"adobe"; fast_pattern; content:".github.io"; endswith; content:!"adobe.github.io"; depth:15; endswith; content:!"adobe-fonts.github.io"; depth:21; endswith; content:!"adobe-type-tools.github.io"; depth:26; endswith; content:!"adobe-apiplatform.github.io"; depth:27; classtype:policy-violation; sid:2027249; rev:8; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dhcp .biz Domain"; dns.query; content:".dhcp.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036052; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon (Bing Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search/?q="; startswith; content:"&go=Search&qs=bs&form="; distance:0; fast_pattern; http.cookie; content:"DUP="; startswith; content:"&T="; distance:0; content:"&A="; distance:0; content:"&IG"; endswith; http.header_names; content:!"Referer"; reference:url,twitter.com/TheDFIRReport/status/1376878123061551104; reference:md5,18b0ca0508f92c5ac6e75b9865b77a51; classtype:trojan-activity; sid:2032354; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dhcp .biz Domain"; flow:established,to_server; http.host; content:".dhcp.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036053; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Redirect to Adobe Shared Document Phishing M3 2016-04-18"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/pdf.adobe.cloud/"; fast_pattern; content:".php"; endswith; http.referer; content:".php"; endswith; classtype:social-engineering; sid:2032678; rev:10; metadata:attack_target Client_Endpoint, created_at 2016_04_18, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.edns .biz Domain"; dns.query; content:".edns.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036054; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NOBELIUM Win32/VaporRage Loader CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/class-chll.php?session_info=60"; content:"5d"; distance:0; content:"&session="; distance:0; content:"&view_type=12"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4183.83 Safari/537.36"; bsize:102; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cache-"; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset; classtype:trojan-activity; sid:2033057; rev:2; metadata:created_at 2021_06_01, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.edns .biz Domain"; flow:established,to_server; http.host; content:".edns.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036055; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE S400 RAT Client Checkin via Discord"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord"; depth:7; content:".com"; endswith; http.request_body; content:"content=S-400+RAT+%3a"; startswith; fast_pattern; content:"%0d%0ainformation"; distance:0; reference:md5,41ca8d5782ef5ac7a371b44f51dc48d9; classtype:command-and-control; sid:2034065; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family S400, signature_severity Major, tag RAT, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ftp1 .biz Domain"; dns.query; content:".ftp1.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036056; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2021-11-10"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"check.php"; distance:0; http.referer; content:".otzo.com/verification.php"; fast_pattern; endswith; http.request_body; content:"email="; distance:0; content:"&password="; distance:0; reference:md5,11133fb1cdc61aa33e3de226dcdf92d4; classtype:credential-theft; sid:2034412; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ftp1 .biz Domain"; flow:established,to_server; http.host; content:".ftp1.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036057; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Credential Phish 2021-11-16"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-content/plugins/my___fb/meme"; fast_pattern; startswith; content:".php"; endswith; http.request_body; content:"email="; content:"&pass="; distance:0; reference:md5,fdf21f9bdab460feed2f3fccde59b650; classtype:credential-theft; sid:2034487; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mywww .biz Domain"; dns.query; content:".mywww.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036058; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT FatPipe Unrestricted File Upload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fpui/"; nocase; fast_pattern; content:"|2e|jsp"; within:30; endswith; reference:url,ic3.gov/Media/News/2021/211117-2.pdf; classtype:attempted-admin; sid:2034531; rev:3; metadata:created_at 2021_11_22, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mywww .biz Domain"; flow:established,to_server; http.host; content:".mywww.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036059; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING BulletProofLink Phishkit Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/email-list/"; fast_pattern; content:".php"; endswith; reference:url,microsoft.com/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/; classtype:credential-theft; sid:2034045; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ftpserver .biz Domain"; dns.query; content:".ftpserver.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036060; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING BulletProofLink Phishkit Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/email-list/"; fast_pattern; content:".php"; endswith; reference:url,microsoft.com/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/; classtype:credential-theft; sid:2034046; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ftpserver .biz Domain"; flow:established,to_server; http.host; content:".ftpserver.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036061; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT NodeBB Path Traversal (CVE-2021-43788)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nodebb|2e|org|2f 3f 5b 5b 2e 2e 2f|"; nocase; fast_pattern; content:"|3a|"; content:"|5d 5d|"; within:50; endswith; reference:url,blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot; reference:cve,2021-43788; classtype:attempted-admin; sid:2034590; rev:2; metadata:attack_target Server, created_at 2021_12_06, cve CVE_2021_43788, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.wwwhost .biz Domain"; dns.query; content:".wwwhost.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036062; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Banking Phish Landing Page 2022-01-11"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"banks"; startswith; content:"pin.php"; fast_pattern; endswith; reference:md5,ed0fb4e78b838c7d9884691efa434dd7; classtype:credential-theft; sid:2034893; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.wwwhost .biz Domain"; flow:established,to_server; http.host; content:".wwwhost.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036063; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HVNC BOT Detected"; flow:established,to_server; content:"|3b 00 00 00 19 00 00 00 13 01 00 00 2d 42 4f 54|"; depth:16; content:"|00|"; endswith; reference:md5,4abde768b70e94093970901438e51cbd; classtype:trojan-activity; sid:2027832; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category TROJAN, malware_family HVNC, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.moneyhome .biz Domain"; dns.query; content:".moneyhome.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036064; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ALEXANDR/"; fast_pattern; startswith; content:".rmvb"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,0fee6bb95bfbfeee768f742387d3ddce; reference:md5,81ada96074cbc01655fc3b9b570308cd; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035117; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.moneyhome .biz Domain"; flow:established,to_server; http.host; content:".moneyhome.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036065; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/clamp/"; fast_pattern; content:".cbl"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,fac3f024711fc5fd3e1d69b994b159bd; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035118; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.port25 .biz Domain"; dns.query; content:".port25.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036066; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/globe/"; fast_pattern; content:".cam"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,6662dad691740c832ea2bcde17509d0a; classtype:trojan-activity; sid:2035131; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.port25 .biz Domain"; flow:established,to_server; http.host; content:".port25.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036067; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/courageous/"; fast_pattern; content:".eft"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,6662dad691740c832ea2bcde17509d0a; classtype:trojan-activity; sid:2035132; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.esmtp .biz Domain"; dns.query; content:".esmtp.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036068; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/endless/"; fast_pattern; content:".arj"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,2a0269cf18f2f1c055153408f85ab4c6; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035167; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.esmtp .biz Domain"; flow:established,to_server; http.host; content:".esmtp.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036069; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/allocation/"; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,1579a5a8bdca4eda62315116e418b9d6; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035168; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dsmtp .biz Domain"; dns.query; content:".dsmtp.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036070; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sour/"; fast_pattern; content:".kdp"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,bb1c8ad9f422a39ce6329e93dc060438; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035169; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dsmtp .biz Domain"; flow:established,to_server; http.host; content:".dsmtp.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036071; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pretend/"; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,ca9fa910806f5aafd33f0dd48fdc8415; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035170; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.sixth .biz Domain"; dns.query; content:".sixth.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036072; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Zerologon Phase 3/3 - Malicious NetrServerPasswordSet2 (CVE-2020-1472)"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; content:"|05 00 00|"; startswith; content:"|1e 00|"; offset:22; depth:2; content:"|24 00 00 00 06|"; distance:0; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; reference:url,www.secura.com/blog/zero-logon; reference:url,dirkjanm.io/a-different-way-of-abusing-zerologon/; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035262; rev:3; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sixth .biz Domain"; flow:established,to_server; http.host; content:".sixth.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036073; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALCHAMPION MS17-010 Sync Response"; flow:from_server,established; flowbits:isset,ET.ETERNALCHAMPIONsync; content:"|ff|SMB|25 00 00 00 00 98 03 c0 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:4; depth:24; fast_pattern; content:"|7c 00|"; distance:32; within:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; classtype:trojan-activity; sid:2024213; rev:5; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ninth .biz Domain"; dns.query; content:".ninth.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036074; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert udp $HOME_NET 1234 -> $EXTERNAL_NET 4000 (msg:"ET MALWARE NAZAR EYService Pong response"; id:1; content:"101|3b|0000|3b|"; reference:url,blog.malwarelab.pl/posts/nazar_eyservice_comm; classtype:command-and-control; sid:2030055; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ninth .biz Domain"; flow:established,to_server; http.host; content:".ninth.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036075; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert udp $HOME_NET 1234 -> $EXTERNAL_NET 4000 (msg:"ET MALWARE NAZAR EYService OSInfo response"; id:1; content:"100|3b|"; reference:url,blog.malwarelab.pl/posts/nazar_eyservice_comm; classtype:command-and-control; sid:2030056; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.misecure .com Domain"; dns.query; content:".misecure.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036076; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Nobelium APT Related Domain in DNS Lookup (theskoolieblog .com)"; dns.query; content:"theskoolieblog.com"; nocase; bsize:18; reference:url,twitter.com/h2jazi/status/1506439550968676360; classtype:domain-c2; sid:2035596; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.misecure .com Domain"; flow:established,to_server; http.host; content:".misecure.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036077; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Nobelium APT Related Domain in DNS Lookup (ernesttheskoolie .com)"; dns.query; content:"ernesttheskoolie.com"; nocase; bsize:20; reference:url,twitter.com/h2jazi/status/1506439550968676360; classtype:domain-c2; sid:2035597; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.got-game .org Domain"; dns.query; content:".got-game.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036078; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:C1:3B:57:1A:83:A5:B1:4A"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022099; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.got-game .org Domain"; flow:established,to_server; http.host; content:".got-game.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036079; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:F2:66:4A:29:E0:7E:C2:78"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022227; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dns2 .us Domain"; dns.query; content:".dns2.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036080; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (FindPOS)"; flow:established,to_client; tls.cert_serial; content:"00:E0:78:4E:9C:A4:AD:AB:24"; fast_pattern; tls.cert_subject; content:"O=Default Company Ltd"; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:domain-c2; sid:2022228; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dns2 .us Domain"; flow:established,to_server; http.host; content:".dns2.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036081; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:F6:DA:A5:22:B2:8B:91:BE"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022232; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.changeip .us Domain"; dns.query; content:".changeip.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036082; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:9D:A8:74:C5:50:98:DD:09"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022306; rev:4; metadata:attack_target Client_and_Server, created_at 2015_12_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.changeip .us Domain"; flow:established,to_server; http.host; content:".changeip.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036083; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)"; flow:established,to_client; tls.cert_issuer; content:"AsyncRAT Server"; reference:md5,f69cadedae72d9d1a1d1578b56c39404; classtype:domain-c2; sid:2030673; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_11, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.changeip .biz Domain"; dns.query; content:".changeip.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036084; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)"; flow:established,to_client; tls.cert_subject; content:"AsyncRAT Server"; nocase; classtype:domain-c2; sid:2035607; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.changeip .biz Domain"; flow:established,to_server; http.host; content:".changeip.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036085; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (OSX/Keydnap CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=g5wcesdfjzne7255.onion.to"; reference:url,welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials; classtype:domain-c2; sid:2022953; rev:3; metadata:affected_product Mac_OSX, attack_target Client_and_Server, created_at 2016_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag TROJAN_OSX_Keydnap, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.almostmy .com Domain"; dns.query; content:".almostmy.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036086; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Command Fetch"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fecommand.acm"; endswith; fast_pattern; http.header_names; content:!"Referer"; http.connection; content:"Keep-Alive"; reference:url,twitter.com/jaydinbas/status/1506987283630768138; reference:md5,ecd47e596048ad1af9973a21af303465; classtype:trojan-activity; sid:2035605; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.almostmy .com Domain"; flow:established,to_server; http.host; content:".almostmy.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036087; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Possible Sinkhole)"; flow:established,to_client; tls.cert_subject; content:"O=infosec.jp"; fast_pattern; content:"CN=www.infosec.jp"; content:"snowyowl@jpnsec.com"; distance:0; reference:md5,ef5fa2378307338d4e75dece88158d77; classtype:domain-c2; sid:2022323; rev:3; metadata:attack_target Client_and_Server, created_at 2016_01_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ocry .com Domain"; dns.query; content:".ocry.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036088; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Domain Fetch"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/zs_url.txt?dl=0"; endswith; fast_pattern; http.host; content:"dl.dropboxusercontent.com"; http.header_names; content:!"Referer"; http.connection; content:"Keep-Alive"; reference:url,twitter.com/jaydinbas/status/1506987283630768138; reference:md5,ecd47e596048ad1af9973a21af303465; classtype:trojan-activity; sid:2035606; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ocry .com Domain"; flow:established,to_server; http.host; content:".ocry.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036089; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SERVER SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"52:55:38:16:FB:0D:1A:8A:4B:45:04:CB:06:BC:C4:AF"; tls.cert_subject; content:"CN=SERVER"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016467; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ourhobby .com Domain"; dns.query; content:".ourhobby.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036090; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server CnC Sending Executable"; flow:established,to_client; content:"This Program must be"; fast_pattern; content:"|0B 00|"; startswith; content:"|00|MZ"; distance:14; within:3; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,28173e257188ce3b3cc663be661bc2c4; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:command-and-control; sid:2018479; rev:3; metadata:created_at 2014_05_15, former_category MALWARE, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ourhobby .com Domain"; flow:established,to_server; http.host; content:".ourhobby.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036091; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"uid="; startswith; content:"&avtype="; distance:0; content:"&majorv="; fast_pattern; content:"&minorv="; reference:url,twitter.com/jaydinbas/status/1506987283630768138; reference:md5,ecd47e596048ad1af9973a21af303465; classtype:command-and-control; sid:2035592; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dnsfailover .net Domain"; dns.query; content:".dnsfailover.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036092; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp-pkt $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Win32/CrimsonRAT Variant Sending Command (inbound)"; flow:established,to_client; dsize:<20; content:"|69 6e 66 32 6f 3d 63 6f 64 61 6e 64|"; fast_pattern; endswith; reference:md5,9bb081fb563b2905ea52e4b858d392ed; classtype:trojan-activity; sid:2035598; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnsfailover .net Domain"; flow:established,to_server; http.host; content:".dnsfailover.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036093; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp-pkt $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Win32/CrimsonRAT Variant Sending Command M2 (inbound)"; flow:established,to_client; dsize:<20; content:"|67 65 74 32 61 76 73 3d 61 76 70 72 6f|"; fast_pattern; endswith; reference:md5,9bb081fb563b2905ea52e4b858d392ed; classtype:trojan-activity; sid:2035599; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ygto .com Domain"; dns.query; content:".ygto.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036094; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dl.dropboxusercontent.com"; bsize:25; fast_pattern; classtype:misc-activity; sid:2035593; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ygto .com Domain"; flow:established,to_server; http.host; content:".ygto.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036095; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO DropBox User Content Download Access over SSL M2"; flow:established,to_client; tls.cert_subject; content:"CN=dl.dropbox.com"; fast_pattern; classtype:misc-activity; sid:2035594; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.gettrials .com Domain"; dns.query; content:".gettrials.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036096; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/CrimsonRAT Variant Sending System Information (outbound)"; flow:established,to_server; dsize:<120; content:"|69 6e 73 35 66 6f 3d 75 73 66 73 65 72 3b|"; fast_pattern; depth:20; reference:md5,9bb081fb563b2905ea52e4b858d392ed; classtype:trojan-activity; sid:2035600; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.gettrials .com Domain"; flow:established,to_server; http.host; content:".gettrials.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036097; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI)"; flow:established,to_server; tls_sni; content:"update.imdt.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:command-and-control; sid:2035568; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.4dq .com Domain"; dns.query; content:".4dq.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036098; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 2"; flow:established,to_server; tls_sni; content:"imbbq.co"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035569; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.4dq .com Domain"; flow:established,to_server; http.host; content:".4dq.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036099; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 3"; flow:established,to_server; tls_sni; content:"ds-super-admin.imtokens.money"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035570; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.4pu .com Domain"; dns.query; content:".4pu.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036100; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 4"; flow:established,to_server; tls_sni; content:"imtokenss.token-app.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035571; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.4pu .com Domain"; flow:established,to_server; http.host; content:".4pu.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036101; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 5"; flow:established,to_server; tls_sni; content:"xdhbj.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035572; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dsmtp .com Domain"; dns.query; content:".dsmtp.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036102; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 6"; flow:established,to_server; tls_sni; content:"update.xzxqsf.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035573; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dsmtp .com Domain"; flow:established,to_server; http.host; content:".dsmtp.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036103; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 7"; flow:established,to_server; tls_sni; content:"metamask.tptokenm.live"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035574; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dsmtp .com Domain"; dns.query; content:".dsmtp.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036104; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 8"; flow:established,to_server; tls_sni; content:"two.shayu.la"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035575; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dsmtp .com Domain"; flow:established,to_server; http.host; content:".dsmtp.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036105; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 9"; flow:established,to_server; tls_sni; content:"jdzpfw.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035576; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mynumber .org Domain"; dns.query; content:".mynumber.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036106; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 10"; flow:established,to_server; tls_sni; content:"bp.tkdt.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035577; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mynumber .org Domain"; flow:established,to_server; http.host; content:".mynumber.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036107; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 11"; flow:established,to_server; tls_sni; content:"ok.tkdt.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035578; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.rebatesrule .net Domain"; dns.query; content:".rebatesrule.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036108; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 12"; flow:established,to_server; tls_sni; content:"mm.tkdt.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035579; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.rebatesrule .net Domain"; flow:established,to_server; http.host; content:".rebatesrule.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036109; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 20"; flow:established,to_server; tls_sni; content:"token-lon.me"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035580; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ezua .com Domain"; dns.query; content:".ezua.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036110; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 13"; flow:established,to_server; tls_sni; content:"bh.imtoken.sx"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035581; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ezua .com Domain"; flow:established,to_server; http.host; content:".ezua.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036111; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 14"; flow:established,to_server; tls_sni; content:"ht.imtoken.cn.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035582; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.sendsmtp .com Domain"; dns.query; content:".sendsmtp.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036112; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 15"; flow:established,to_server; tls_sni; content:"api.tipi21341.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035583; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sendsmtp .com Domain"; flow:established,to_server; http.host; content:".sendsmtp.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036113; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 16"; flow:established,to_server; tls_sni; content:"ariodjs.xyz"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035584; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ssmailer .com Domain"; dns.query; content:".ssmailer.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036114; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 17"; flow:established,to_server; tls_sni; content:"walletappforbit.web.app"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035585; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ssmailer .com Domain"; flow:established,to_server; http.host; content:".ssmailer.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036115; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 18"; flow:established,to_server; tls_sni; content:"jaxx.su"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035586; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.trickip .net Domain"; dns.query; content:".trickip.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036116; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GhostWriter APT Related Cobalt Strike Domain (ao3 .hmgo .pw in TLS SNI)"; flow:established,to_server; tls.sni; content:"ao3.hmgo.pw"; bsize:11; fast_pattern; reference:url,cert.gov.ua/article/38155; reference:url,twitter.com/netresec/status/1506990534547709972; reference:url,tria.ge/220324-p4dl5adghn; reference:md5,b5525108912ee8d5f1519f1b552723e8; classtype:domain-c2; sid:2035601; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Ghostwriter, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.trickip .net Domain"; flow:established,to_server; http.host; content:".trickip.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036117; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 19"; flow:established,to_server; tls_sni; content:"jaxx.tf"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035587; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.trickip .org Domain"; dns.query; content:".trickip.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036118; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 21"; flow:established,to_server; tls_sni; content:"master-consultas.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035588; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.trickip .org Domain"; flow:established,to_server; http.host; content:".trickip.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036119; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 22"; flow:established,to_server; tls_sni; content:"jaxxwalletinc.live"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035589; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dnsrd .com Domain"; dns.query; content:".dnsrd.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036120; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GhostWriter APT Related Cobalt Strike Domain in DNS Lookup (hmgo .pw)"; dns.query; dotprefix; content:".hmgo.pw"; nocase; endswith; reference:url,twitter.com/netresec/status/1506990534547709972; reference:md5,b5525108912ee8d5f1519f1b552723e8; reference:url,tria.ge/220324-p4dl5adghn; classtype:domain-c2; sid:2035602; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Ghostwriter, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnsrd .com Domain"; flow:established,to_server; http.host; content:".dnsrd.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036121; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Empty SSL Certificate - Observed in Cobalt Strike"; flow:from_server,established; tls.cert_subject; content:"C=, ST=, L=, O=, OU=, CN="; endswith; bsize:25; fast_pattern; classtype:targeted-activity; sid:2023629; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.lflinkup .com Domain"; dns.query; content:".lflinkup.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036122; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 23"; flow:established,to_server; tls_sni; content:"jaxx.podzone.org"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035590; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.lflinkup .com Domain"; flow:established,to_server; http.host; content:".lflinkup.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036123; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 24"; flow:established,to_server; tls_sni; content:"saaditrezxie.store"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035591; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.lflinkup .net Domain"; dns.query; content:".lflinkup.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036124; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GhostWriter APT Related Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/works"; endswith; http.header; content:"Accept|3a 20|application/json|0d 0a|Content-Type|3a 20|application/json|3b 20|charset=UTF-8|0d 0a|"; http.cookie; content:"_token"; startswith; fast_pattern; pcre:"/^[a-zA-Z0-9\/+]{171}=$/R"; reference:url,cert.gov.ua/article/38155; reference:url,tria.ge/220324-p4dl5adghn; reference:url,twitter.com/netresec/status/1506990534547709972; reference:md5,b5525108912ee8d5f1519f1b552723e8; classtype:trojan-activity; sid:2035603; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family CobaltStrike, malware_family Ghostwriter, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.lflinkup .net Domain"; flow:established,to_server; http.host; content:".lflinkup.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036125; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY tor4u tor2web .onion Proxy domain in SNI"; flow:established,to_server; tls.sni; content:"tor4u.net"; fast_pattern; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018878; rev:3; metadata:created_at 2014_08_01, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.lflinkup .org Domain"; dns.query; content:".lflinkup.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036126; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Tor based locker knowledgewiki.info in SNI July 31 2014"; flow:established,to_server; tls.sni; content:"knowledgewiki.info"; fast_pattern; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018877; rev:4; metadata:created_at 2014_08_01, former_category TROJAN, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.lflinkup .org Domain"; flow:established,to_server; http.host; content:".lflinkup.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036127; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 8"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; tls.cert_serial; content:"5f:31"; startswith; tls.cert_subject; content:"C=--"; startswith; content:"SomeCity"; distance:0; content:"root@localhost.localdomain"; distance:0; fast_pattern; reference:md5,f58a4369b8176edbde4396dc977c9008; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-030500-0430-99; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; classtype:targeted-activity; sid:2020974; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.lflink .com Domain"; dns.query; content:".lflink.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036128; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed IP Lookup Domain (formyip .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"formyip.com"; fast_pattern; classtype:external-ip-check; sid:2024832; rev:4; metadata:created_at 2017_10_10, former_category POLICY, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.lflink .com Domain"; flow:established,to_server; http.host; content:".lflink.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036129; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY DivX Client SSL Connection via Self-Signed SSL Cert"; flow:established,to_client; tls.cert_subject; content:"DivX, Inc. Certificate Authority"; fast_pattern; classtype:policy-violation; sid:2013300; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_07_23, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.b0tnet .com Domain"; dns.query; content:".b0tnet.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036130; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cisco IOS Self Signed Certificate Served to External Host"; flow:established,to_client; tls.cert_subject; content:"CN=IOS-Self-Signed-Certificate-"; fast_pattern; classtype:misc-activity; sid:2014617; rev:4; metadata:created_at 2012_04_20, updated_at 2022_03_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.b0tnet .com Domain"; flow:established,to_server; http.host; content:".b0tnet.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036131; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SodaMaster domain observed in DNS query (www. rare-coisns. com)"; dns.query; content:"www.rare-coisns.com"; fast_pattern; reference:md5,0b182464a2351a9d79c1222bb1fdf35e; reference:md5,037261d5571813b9640921afac8aafbe; reference:md5,c5994f9fe4f58c38a8d2af3021028310; classtype:targeted-activity; sid:2035614; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_25;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.changeip .net Domain"; dns.query; content:".changeip.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036132; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SodaMaster domain observed in TLS SNI (www. rare-coisns. com)"; flow:established,to_server; tls.sni; content:"www.rare-coisns.com"; fast_pattern; reference:md5,0b182464a2351a9d79c1222bb1fdf35e; reference:md5,037261d5571813b9640921afac8aafbe; reference:md5,c5994f9fe4f58c38a8d2af3021028310; classtype:targeted-activity; sid:2035615; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.changeip .net Domain"; flow:established,to_server; http.host; content:".changeip.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036133; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SodaMaster CnC HTTPS Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/image/look/javascript/index.php"; fast_pattern; startswith; reference:md5,0b182464a2351a9d79c1222bb1fdf35e; reference:md5,037261d5571813b9640921afac8aafbe; reference:md5,c5994f9fe4f58c38a8d2af3021028310; classtype:targeted-activity; sid:2035616; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_25, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_25;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mysecondarydns .com Domain"; dns.query; content:".mysecondarydns.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036134; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SodaMaster CnC HTTPS Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/image/look/javascript/index.php"; fast_pattern; startswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20| MSIE 7.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0C|3b 20|.NET4.0E)"; reference:md5,0b182464a2351a9d79c1222bb1fdf35e; reference:md5,037261d5571813b9640921afac8aafbe; reference:md5,c5994f9fe4f58c38a8d2af3021028310; classtype:targeted-activity; sid:2035617; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_25, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mysecondarydns .com Domain"; flow:established,to_server; http.host; content:".mysecondarydns.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036135; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN7 JSSLoader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /?id="; startswith; fast_pattern; http.uri; pcre:"/^\/\?id\=[A-Z]{12,28}[0-9]$/"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:md5,a5bad2da096e9ebbb90845dbadec91fe; reference:md5,253cb5361e43bfb1931fa115336e7c16; reference:md5,dd6d09e0e565ea18b85a18af8e95eb75; reference:url,blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files; classtype:trojan-activity; sid:2035608; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family FIN7, malware_family CarbonSpider, signature_severity Major, updated_at 2022_03_25;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dynssl .com Domain"; dns.query; content:".dynssl.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036136; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN7 JSSLoader Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /?id="; startswith; fast_pattern; http.uri; pcre:"/^\/\?id\=[A-Z]{12,28}[0-9]$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:46; reference:md5,6f743e8fda2031db9907a8d6bd0a41a8; reference:url,blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files; classtype:trojan-activity; sid:2035609; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family FIN7, malware_family CarbonSpider, signature_severity Major, updated_at 2022_03_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dynssl .com Domain"; flow:established,to_server; http.host; content:".dynssl.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036137; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7 JSSLoader Related Domain in DNS Lookup"; dns.query; content:"securmeawards.com"; nocase; bsize:17; reference:md5,0cd9c62063026d4199c941b5f644c5ce; reference:url,blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files; classtype:domain-c2; sid:2035610; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, signature_severity Major, updated_at 2022_03_25;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mylftv .com Domain"; dns.query; content:".mylftv.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036138; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky APT Related Host Data Exfil M5"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/\?m=[abcde]&p1=[a-f0-9-]{8,25}(?:&p2=[^&]+)?(?:&p3=[^&]+)?$/i"; http.uri.raw; content:"//?m="; depth:5; fast_pattern; content:"&p1="; distance:1; within:4; http.header_names; content:!"Referer|0d 0a|"; reference:md5,0684d80e91581730f814e831f703bf5b; reference:url,twitter.com/s1ckb017/status/1507316584079142915; classtype:trojan-activity; sid:2035611; rev:1; metadata:created_at 2022_03_25, former_category MALWARE, updated_at 2022_03_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mylftv .com Domain"; flow:established,to_server; http.host; content:".mylftv.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036139; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Domain in DNS Lookup (info-getting-eu. com)"; dns.query; content:"info-getting-eu.com"; fast_pattern; classtype:credential-theft; sid:2035618; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category PHISHING, performance_impact Low, updated_at 2022_03_25;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mynetav .com Domain"; dns.query; content:".mynetav.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036140; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing domain observed in TLS SNI (info-getting-eu. com)"; flow:established,to_server; tls.sni; content:"info-getting-eu.com"; fast_pattern; classtype:credential-theft; sid:2035619; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category PHISHING, performance_impact Low, updated_at 2022_03_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mynetav .com Domain"; flow:established,to_server; http.host; content:".mynetav.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036141; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Webserver Resolving Known Webshell CnC Domain (anonymousfox)"; dns.query; content:"anonymousfox."; startswith; fast_pattern; pcre:"/(?:is|mx|info|co)$/"; reference:url,twitter.com/unmaskparasites/status/1507038308789936150; classtype:bad-unknown; sid:2035612; rev:2; metadata:attack_target Web_Server, created_at 2022_03_25, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2022_03_25;)
+alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fodcha Bot CnC Client Heartbeat"; flow:established,to_client; dsize:5; content:"|69 00 00 96 ff|"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:command-and-control; sid:2035940; rev:2; metadata:attack_target IoT, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Fodcha, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to BaitAndPhish Domain"; dns.query; dotprefix; content:".important-notification.com"; nocase; endswith; threshold: type limit, track by_dst, count 1, seconds 120; fast_pattern; classtype:misc-activity; sid:2035613; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_25;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mynetav .net Domain"; dns.query; content:".mynetav.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036142; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Evil Keitaro Set-Cookie Inbound (85937)"; flow:established,from_server; http.stat_code; content:"200"; http.cookie; content:"85937=eyJ0e"; fast_pattern; pcre:"/^[A-Z0-9_\-.]{20,300}\x3b/Ri"; classtype:trojan-activity; sid:2035620; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, deployment SSLDecrypt, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2022_03_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mynetav .net Domain"; flow:established,to_server; http.host; content:".mynetav.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036143; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 7"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"2c:2f"; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,9ad55b83f2eec0c19873a770b0c86a2f; classtype:targeted-activity; sid:2020972; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mynetav .org Domain"; dns.query; content:".mynetav.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036144; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls [108.160.162.0/20,162.125.0.0/16,192.189.200.0/23,199.47.216.0/22,205.189.0.0/24,209.99.70.0/24,45.58.64.0/20] 443 -> $HOME_NET any (msg:"ET POLICY Dropbox.com Offsite File Backup in Use"; flow:established,to_client; tls.cert_subject; content:"CN=*.dropbox.com"; fast_pattern; threshold: type limit, count 1, seconds 300, track by_src; reference:url,www.dropbox.com; reference:url,dereknewton.com/2011/04/dropbox-authentication-static-host-ids/; classtype:policy-violation; sid:2012647; rev:7; metadata:created_at 2011_04_07, updated_at 2022_03_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mynetav .org Domain"; flow:established,to_server; http.host; content:".mynetav.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036145; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 6"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"09:a9"; fast_pattern; depth:5; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,1dde02ff744fa4e261168e2008fd613a; classtype:targeted-activity; sid:2020971; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.homingbeacon .net Domain"; dns.query; content:".homingbeacon.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036146; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 5"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; distance:0; tls.cert_serial; content:"03:5f"; depth:5; tls.cert_subject; content:"*.corp.utilitytelephone.com"; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,4121414c63079b7fa836be00f8d0a93b; classtype:targeted-activity; sid:2020970; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.homingbeacon .net Domain"; flow:established,to_server; http.host; content:".homingbeacon.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036147; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 4"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"0f:0d"; depth:5; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,0e0182694c381f8b68afc5f3ff4c4653; classtype:targeted-activity; sid:2020969; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ikwb .com Domain"; dns.query; content:".ikwb.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036148; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 3"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"1b:3c"; depth:5; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,181a88c911b10d0fcb4682ae552c0de3; classtype:targeted-activity; sid:2020968; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ikwb .com Domain"; flow:established,to_server; http.host; content:".ikwb.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036149; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 2"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"65:5d"; depth:5; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,859f167704b5c138ed9a9d4d3fdc0723; classtype:targeted-activity; sid:2020967; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.acmetoy .com Domain"; dns.query; content:".acmetoy.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036150; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 1"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"31:d5"; depth:5; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,d5a82520ebf38a0c595367ff0ca89fae; classtype:targeted-activity; sid:2020966; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.acmetoy .com Domain"; flow:established,to_server; http.host; content:".acmetoy.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036151; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PHARMSPAM image requested layout viagra_super_active.jpg"; flow:established,to_server; content:"layout"; http_uri; content:"viagra_super_active.jpg"; http_uri; classtype:bad-unknown; sid:2011339; rev:4; metadata:created_at 2010_09_28, updated_at 2022_03_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dnset .com Domain"; dns.query; content:".dnset.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036152; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FAKEAV redirecting to fake scanner page - /?777"; flow:established,to_server; content:"/?777"; http_uri; classtype:bad-unknown; sid:2011421; rev:4; metadata:created_at 2010_09_28, updated_at 2022_03_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnset .com Domain"; flow:established,to_server; http.host; content:".dnset.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036153; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential-Hiloti/FakeAV site access"; flow:established,to_server; content:"?p=p52dcW"; http_uri; pcre:"/\/\?p=p52dcW[A-Za-z]{4}/U"; classtype:trojan-activity; sid:2011591; rev:5; metadata:created_at 2010_10_06, former_category MALWARE, updated_at 2022_03_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.as19557 .net Domain"; dns.query; content:".as19557.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036154; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre or Dyre SSL Cert Jan 22 2015"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.cert_subject; content:"C=CN, ST=ST"; fast_pattern; tls.certs; content:"|06 03 55 04 07|"; pcre:"/^.{2}(?P<var>[a-zA-Z0-9]{24}[01]).+?\x06\x03\x55\x04\x07.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2020290; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2022_03_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.as19557 .net Domain"; flow:established,to_server; http.host; content:".as19557.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036155; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert M1 (L O)"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.certs; content:"|06 03 55 04 06 13 02|"; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?P<var>[a-zA-Z0-9]{1,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021432; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.toshibanetcam .com Domain"; dns.query; content:".toshibanetcam.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036156; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert M2 (L CN)"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.certs; content:"|06 03 55 04 06 13 02|"; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; content:"|06 03 55 04 03 0c|"; distance:0; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021433; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.toshibanetcam .com Domain"; flow:established,to_server; http.host; content:".toshibanetcam.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036157; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert M3 (O CN)"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.certs; content:"|06 03 55 04 06 13 02|"; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; distance:0; content:"|06 03 55 04 0a 0c|"; distance:0; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021434; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_27;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fodcha Bot CnC Heartbeat Response"; flow:established,to_server; dsize:5; content:"|70 00 00 8f ff|"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:command-and-control; sid:2035941; rev:2; metadata:created_at 2022_04_13, former_category MALWARE, malware_family Fodcha, updated_at 2022_04_14;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 2 2015"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.cert_subject; pcre:"/C=[A-Z]{2}\,/"; content:"ST="; distance:0; content:"L="; distance:0; content:"O="; distance:0; pcre:"/CN=[A-Z]/"; content:"OU="; distance:0; tls.certs; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; distance:0; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; content:"|55 04 0a|"; pcre:"/^.(?P<orgname>.[^01]+).*?\x55\x04\x0b.(?P=orgname)/Rsi"; content:!"Beam Propulsion"; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021743; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_09_03, deployment Perimeter, deprecation_reason Relevance, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.authorizeddns .net Domain"; dns.query; content:".authorizeddns.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036158; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected SmokeLoader Retrieving Next Stage (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/smoke/loader/uploads/"; startswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:md5,bfbf171b4ebc5286c78d718e445c65fb; classtype:trojan-activity; sid:2035623; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.authorizeddns .net Domain"; flow:established,to_server; http.host; content:".authorizeddns.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036159; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Windows Binary Observed in SSL/TLS Certificate"; flow:established,from_server; tls.certs; content:"This program cannot be run in DOS mode"; nocase; bsize:>768; reference:url,www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities; classtype:misc-attack; sid:2025315; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2022_03_28;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.authorizeddns .org Domain"; dns.query; content:".authorizeddns.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036160; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [!5800,!445] (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 5"; flow:to_server,established; content:"|15 15|"; offset:2; depth:2; content:!"|15 15|"; within:2; content:"|15 15|"; distance:2; within:2; content:!"|15 15|"; within:2; content:"|15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15|"; fast_pattern; pcre:"/[^\x15][^\x49\x3f\x3e\x28\x69\x2f\x2e\x37\x2a\x29\x2b\x39\x36][\x20-\x27\x2c\x2d\x30\x31\x33-\x36\x38\x3b-\x3d\x40-\x47\x4a-\x4d\x4f\x50-\x5f\x60\x68\x6b-\x6f\x70-\x74\x76-\x7f]{1,14}\x15/R"; reference:md5,05054afcfc6a651a057e47cd0f013c7b; classtype:command-and-control; sid:2020215; rev:6; metadata:created_at 2015_01_20, former_category MALWARE, updated_at 2022_03_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.authorizeddns .org Domain"; flow:established,to_server; http.host; content:".authorizeddns.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036161; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TransparentTribe APT Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; http.request_body; content:"symetric="; startswith; fast_pattern; content:"&unsyms="; distance:0; content:"&polls="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,5cbcc3485f4286098b3a111ceec8ce54; reference:md5,14a7002d7787ebc78d76479c73fc2856; classtype:trojan-activity; sid:2035624; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_03_28;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.authorizeddns .us Domain"; dns.query; content:".authorizeddns.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036162; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE TransparentTribe APT Related Backdoor Activity"; flow:established,to_server; dsize:6; content:"|36 6e 46 74 24 31|"; fast_pattern; reference:md5,bc2ef641fc8d709f4c111937353c0ac2; reference:md5,b03e0568a5f26addc51c8a3e32baeb7f; reference:md5,9dadf9ce41994f869e8c35e1917b8238; classtype:trojan-activity; sid:2035625; rev:2; metadata:created_at 2022_03_28, updated_at 2022_03_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.authorizeddns .us Domain"; flow:established,to_server; http.host; content:".authorizeddns.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036163; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M3"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/octet-stream"; bsize:24; http.server; content:"HFS|20|"; startswith; fast_pattern; http.cookie; content:"HFS_SID_="; startswith; http.header; content:"|0d 0a|Content|2d|Disposition|3a 20|attachment|3b 20|filename|2a 3d|UTF|2d|8|27 27|"; content:"|3b 20|filename="; distance:1; within:11; content:"|0d 0a|"; distance:1; within:2; endswith; http.response_body; content:"Rar|21 1A 07|"; startswith; content:"|2e|dll"; within:150; reference:md5,930d405c7653dcf36c04e75224a2ff9d; reference:url,www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html; classtype:command-and-control; sid:2035621; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, performance_impact Moderate, signature_severity Major, updated_at 2022_03_28;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.cleansite .biz Domain"; dns.query; content:".cleansite.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036164; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M4"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/octet-stream"; bsize:24; http.server; content:"HFS|20|"; startswith; fast_pattern; http.cookie; content:"HFS_SID_="; startswith; http.header; content:"|0d 0a|Content|2d|Disposition|3a 20|attachment|3b 20|filename|2a 3d|UTF|2d|8|27 27|"; content:"|3b 20|filename="; distance:1; within:11; content:"|0d 0a|"; distance:1; within:2; endswith; http.response_body; content:"Rar|21 1A 07|"; startswith; content:"|2e|lnk"; within:150; reference:md5,930d405c7653dcf36c04e75224a2ff9d; reference:url,www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html; classtype:command-and-control; sid:2035622; rev:1; metadata:created_at 2022_03_28, updated_at 2022_03_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.cleansite .biz Domain"; flow:established,to_server; http.host; content:".cleansite.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036165; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2022-03-28"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"M09009944646.php"; endswith; fast_pattern; http.request_body; content:"user="; content:"pass="; distance:0; reference:md5,40eff169fa7b8cacdde4499290a57aa5; classtype:credential-theft; sid:2035628; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_28;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.cleansite .info Domain"; dns.query; content:".cleansite.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036166; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX Related Domain in DNS Lookup (ntpserver .xyz)"; dns.query; content:"ntpserver.xyz"; fast_pattern; nocase; bsize:13; reference:md5,09c120d23f986040af202607db6157f0; reference:url,twitter.com/0xrb/status/1508330395250868229; classtype:domain-c2; sid:2035626; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Fodcha Bot Domain"; dns.query; content:"folded.in"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:trojan-activity; sid:2035942; rev:3; metadata:attack_target IoT, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Fodcha, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX Related Domain in DNS Lookup (cxks8 .com)"; dns.query; content:"cxks8.com"; fast_pattern; nocase; bsize:9; reference:md5,99ee1e21a34b0536b120d4a6977fd252; reference:url,twitter.com/0xrb/status/1508330395250868229; classtype:domain-c2; sid:2035627; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.cleansite .info Domain"; flow:established,to_server; http.host; content:".cleansite.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036167; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 1"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; tls.cert_serial; content:"12:85"; tls.cert_subject; content:"--"; content:"SomeCity"; distance:0; content:"root@localhost.localdomain"; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021591; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_28;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.cleansite .us Domain"; dns.query; content:".cleansite.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036168; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 2"; flow:established,from_server; tls.cert_subject; content:"www.visionresearch.com"; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021419; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.cleansite .us Domain"; flow:established,to_server; http.host; content:".cleansite.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036169; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 5"; flow:established,from_server; tls.cert_subject; content:"extranet.qualityplanning.com"; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021422; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_28;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.https443 .net Domain"; dns.query; content:".https443.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036170; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 6"; flow:established,from_server; tls.cert_subject; content:"edadmin.kearsney.com"; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021423; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.https443 .net Domain"; flow:established,to_server; http.host; content:".https443.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036171; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 7"; flow:established, from_server; tls.cert_subject; content:"redbluffchamber.com"; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021424; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.https443 .org Domain"; dns.query; content:".https443.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036172; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 8"; flow:established,to_client; tls.cert_subject; content:"Connectads.com"; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021425; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.https443 .org Domain"; flow:established,to_server; http.host; content:".https443.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036173; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 3"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; tls.cert_serial; content:"3d:d6"; tls.cert_subject; content:"--"; content:"SomeCity"; distance:0; content:"root@localhost.localdomain"; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021420; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mypop3 .net Domain"; dns.query; content:".mypop3.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036174; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cobalt Group SSL Certificate Detected"; flow:established,from_server; tls.cert_subject; content:"dns-verifon.com"; reference:md5,26406f5cc72e13c798485f80ad3cbbdb; classtype:targeted-activity; sid:2025438; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_26, deployment Perimeter, former_category TROJAN, malware_family Cobalt_Group, performance_impact Low, signature_severity Major, updated_at 2022_03_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mypop3 .net Domain"; flow:established,to_server; http.host; content:".mypop3.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036175; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WatchGuard CVE-2022-26318 RCE Attempt M1"; flow:established,to_server; http.request_line; content:"POST /agent/login"; startswith; nocase; http.request_body; content:"|3c|methodName|3e|"; content:"login|3c 2f|methodName|3e|"; within:50; fast_pattern; nocase; content:"|3c|member|3e 3c|value|3e 3c|"; distance:0; nocase; content:!"|3e|"; within:400; reference:url,www.greynoise.io/blog/watchguard-cve-2022-26318-rce-detection-iocs-and-prevention-for-defenders; reference:cve,2022-26318; classtype:attempted-admin; sid:2035633; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_03_29, cve CVE_2022_26318, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Fodcha Bot Domain"; dns.query; content:"fridgexperts.cc"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:trojan-activity; sid:2035943; rev:2; metadata:attack_target IoT, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Fodcha, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WatchGuard CVE-2022-26318 RCE Attempt M2"; flow:established,to_server; http.request_line; content:"POST /agent/login"; startswith; fast_pattern; http.content_len; byte_test:0,>,450,0,string,dec; http.request_body; content:"|3c|methodName|3e|"; nocase; content:"login|3c 2f|methodName|3e|"; within:50; nocase; reference:url,attackerkb.com/topics/t8Nrnu99ZE/cve-2022-26318; reference:url,www.greynoise.io/blog/watchguard-cve-2022-26318-rce-detection-iocs-and-prevention-for-defenders; reference:cve,2022-26318; classtype:attempted-admin; sid:2035634; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_03_29, cve CVE_2022_26318, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_29;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mypop3 .org Domain"; dns.query; content:".mypop3.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036176; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible WatchGuard CVE-2022-26318 RCE Attempt M3"; flow:established,to_server; http.request_line; content:"POST /agent/login"; startswith; fast_pattern; http.content_len; byte_test:0,>,450,0,string,dec; http.header; content:"Content-Encoding|3a 20|gzip"; http.request_body; content:"|1f 8b|"; startswith; reference:url,attackerkb.com/topics/t8Nrnu99ZE/cve-2022-26318; reference:url,www.greynoise.io/blog/watchguard-cve-2022-26318-rce-detection-iocs-and-prevention-for-defenders; reference:cve,2022-26318; classtype:attempted-admin; sid:2035635; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_03_29, cve CVE_2022_26318, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mypop3 .org Domain"; flow:established,to_server; http.host; content:".mypop3.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036177; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (kutti .co in TLS SNI)"; flow:established,to_server; tls.sni; content:"kutti.co"; bsize:8; fast_pattern; classtype:bad-unknown; sid:2035640; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_03_29;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ssl443 .org Domain"; dns.query; content:".ssl443.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036178; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange Pre-Auth Path Confusion M1 (CVE-2021-31207)"; flow:established,to_server; http.uri; content:"/autodiscover"; nocase; fast_pattern; content:"Email=autodiscover/"; nocase; flowbits:set,ET.cve.2021.34473; reference:cve,2021-31207; classtype:attempted-admin; sid:2033681; rev:4; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_09, cve CVE_2021_31207, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ssl443 .org Domain"; flow:established,to_server; http.host; content:".ssl443.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036179; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange SUID Disclosure via SSRF Inbound M1 (CVE-2021-31207)"; flow:established,to_server; http.uri; content:"/autodiscover"; nocase; content:"Email=autodiscover/"; nocase; content:"/mapi/emsmdb"; nocase; distance:0; fast_pattern; reference:cve,2021-31207; classtype:attempted-admin; sid:2033701; rev:3; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_10, cve CVE_2021_31207, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.iownyour .biz Domain"; dns.query; content:".iownyour.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036180; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange SUID Disclosure via SSRF Inbound M2 (CVE-2021-31207)"; flow:established,to_server; http.uri; content:"/autodiscover"; nocase; content:"/mapi/emsmdb"; nocase; distance:0; fast_pattern; http.cookie; content:"Email=autodiscover/"; nocase; reference:cve,2021-31207; classtype:attempted-admin; sid:2035648; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2022_03_29, cve CVE_2021_31207, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.iownyour .biz Domain"; flow:established,to_server; http.host; content:".iownyour.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036181; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange RCE Inbound M2 (CVE-2021-34473)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/autodiscover.json?"; content:"/PowerShell/"; nocase; distance:0; content:"X-Rps-CAT="; distance:0; fast_pattern; content:"Email="; distance:0; content:"autodiscover/"; distance:0; within:20; reference:cve,2021-34473; classtype:attempted-admin; sid:2033711; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_12, cve CVE_2021_34473, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.iownyour .org Domain"; dns.query; content:".iownyour.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036182; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Abused File Hosting Domain in DNS Lookup (transferxl .com)"; dns.query; dotprefix; content:".transferxl.com"; nocase; endswith; classtype:misc-activity; sid:2035636; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_03_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.iownyour .org Domain"; flow:established,to_server; http.host; content:".iownyour.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036183; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Abused File Hosting Domain (transferxl .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".transferxl.com"; endswith; fast_pattern; classtype:misc-activity; sid:2035637; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_03_29;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .biz Domain"; dns.query; content:".onmypc.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036184; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Abused File Hosting Domain (transferxl-download .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".transferxl-download.com"; endswith; fast_pattern; classtype:misc-activity; sid:2035638; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_03_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .biz Domain"; flow:established,to_server; http.host; content:".onmypc.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036185; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Backdoor Related Domain (swordoke .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"swordoke.com"; bsize:12; fast_pattern; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:domain-c2; sid:2035645; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_29;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .info Domain"; dns.query; content:".onmypc.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036186; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange RCE Inbound M3 (CVE-2021-34473)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/autodiscover.json?"; content:"/PowerShell/"; nocase; distance:0; content:"X-Rps-CAT="; distance:0; fast_pattern; http.cookie; content:"Email="; content:"autodiscover/"; distance:0; within:20; reference:cve,2021-34473; classtype:attempted-admin; sid:2035649; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2022_03_29, cve CVE_2021_34473, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .info Domain"; flow:established,to_server; http.host; content:".onmypc.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036187; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange Mailbox Enumeration Inbound (CVE-2021-34473)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ews/exchange.asmx"; nocase; fast_pattern; http.request_body; content:"<s"; content:"<m:ResolveNames ReturnFullContactData=|22|true|22| SearchScope=|22|ActiveDirectory|22|>"; distance:0; content:"</m:ResolveNames>"; distance:0; reference:cve,2021-34473; classtype:attempted-admin; sid:2035650; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2022_03_29, cve CVE_2021_34473, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .net Domain"; dns.query; content:".onmypc.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036188; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phish Landing Page 2022-03-29"; http.stat_code; content:"200"; http.content_len; byte_test:0,>=,68000,0,string,dec; file.data; content:!"<html>"; content:"<!-- ####### THIS IS A COMMENT - Visible only in the source editor #########-->"; content:"action="; pcre:"/\.php/Ri"; content:"name=|22|o8|22|"; fast_pattern; content:!"</html>"; reference:md5,60b2c87b34d51bb1ee2196d5b2db4c73; classtype:credential-theft; sid:2035647; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .net Domain"; flow:established,to_server; http.host; content:".onmypc.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036189; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TerraMaster TOS Unauthenticated Command Injection Inbound M1 (CVE-2022-24989)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/module/api.php?mobile/createRaid"; fast_pattern; http.request_body; content:"raidtype|27 3a 20 27|"; nocase; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-24989; classtype:attempted-admin; sid:2035629; rev:2; metadata:attack_target Server, created_at 2022_03_29, cve CVE_2022_24989, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .org Domain"; dns.query; content:".onmypc.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036190; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TerraMaster TOS Unauthenticated Command Injection Inbound M2 (CVE-2022-24989)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/module/api.php?mobile/createRaid"; fast_pattern; http.request_body; content:"raidtype="; nocase; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-24989; classtype:attempted-admin; sid:2035630; rev:2; metadata:attack_target Server, created_at 2022_03_29, cve CVE_2022_24989, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .org Domain"; flow:established,to_server; http.host; content:".onmypc.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036191; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TerraMaster TOS Information Leak Inbound (CVE-2022-24990)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/module/api.php?mobile/webNasIPS"; fast_pattern; reference:cve,2022-24990; classtype:attempted-recon; sid:2035631; rev:1; metadata:attack_target Server, created_at 2022_03_29, cve CVE_2022_24990, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .us Domain"; dns.query; content:".onmypc.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036192; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortening Service Domain in DNS Lookup (kutti .co)"; dns.query; content:"kutti.co"; fast_pattern; nocase; bsize:8; classtype:bad-unknown; sid:2035639; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .us Domain"; flow:established,to_server; http.host; content:".onmypc.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036193; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Backdoor Related Domain in DNS Lookup (swordoke .com)"; dns.query; content:"swordoke.com"; fast_pattern; nocase; bsize:12; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:domain-c2; sid:2035644; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_29;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dubya .info Domain"; dns.query; content:".dubya.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036194; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Warzone RAT Variant CnC Domain in DNS Lookup (dost .igov-service .net)"; dns.query; content:"dost.igov-service.net"; fast_pattern; nocase; bsize:21; reference:url,decoded.avast.io/threatintel/avast-finds-compromised-philippine-navy-certificate-used-in-remote-access-tool/; reference:md5,49e8853801554d9de4dd281828094c8a; classtype:domain-c2; sid:2035646; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dubya .info Domain"; flow:established,to_server; http.host; content:".dubya.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036195; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (wikipedia-book .vote)"; dns.query; content:"wikipedia-book.vote"; nocase; bsize:19; reference:url,blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/; reference:md5,e98774bee4ed490089f6c63b6c676112; classtype:domain-c2; sid:2035652; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, updated_at 2022_03_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dubya .us Domain"; dns.query; content:".dubya.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036196; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Verblecon User Agent Observed"; flow:established,to_server; http.user_agent; content:"VerbleConnectTM"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035659; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dubya .us Domain"; flow:established,to_server; http.host; content:".dubya.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036197; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (gaymers .ax)"; dns.query; content:"gaymers.ax"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035660; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, updated_at 2022_03_30;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dubya .biz Domain"; dns.query; content:".dubya.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036198; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Trojan.Verblecon Related Domain (gaymers .ax in TLS SNI)"; flow:established,to_server; tls.sni; content:"gaymers.ax"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035661; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dubya .biz Domain"; flow:established,to_server; http.host; content:".dubya.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036199; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (jonathanhardwick .me)"; dns.query; content:"jonathanhardwick.me"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035662; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dubya .net Domain"; dns.query; content:".dubya.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036200; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Trojan.Verblecon Related Domain (jonathanhardwick .me in TLS SNI)"; flow:established,to_server; tls.sni; content:"jonathanhardwick.me"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035663; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dubya .net Domain"; flow:established,to_server; http.host; content:".dubya.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036201; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Abused Hosting Domain in DNS Lookup (digital-ministry .ru)"; dns.query; content:"digital-ministry.ru"; fast_pattern; nocase; bsize:19; reference:md5,fbe79895053b29ec2cfe99cad3eb83d5; reference:md5,29fe7a619970157adfcecfade1b204be; reference:url,blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/; classtype:bad-unknown; sid:2035654; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_30;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.wwwhost .us Domain"; dns.query; content:".wwwhost.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036202; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (.verble .rocks)"; dns.query; dotprefix; content:".verble.rocks"; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035664; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.wwwhost .us Domain"; flow:established,to_server; http.host; content:".wwwhost.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036203; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Trojan.Verblecon Related Domain (.verble .rocks in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".verble.rocks"; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035665; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.zyns .com Domain"; flow:established,to_server; http.host; content:".zyns.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036204; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (verble .software)"; dns.query; content:"verble.software"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035666; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.otzo .com Domain"; flow:established,to_server; http.host; content:".otzo.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036205; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Trojan.Verblecon Related Domain (verble .software in TLS SNI)"; flow:established,to_server; tls.sni; content:"verble.software"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035667; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dns-report .com Domain"; flow:established,to_server; http.host; content:".dns-report.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036206; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor Retrieving Task (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?id="; startswith; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"R0VUVEFTSyUlJQ"; startswith; fast_pattern; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:command-and-control; sid:2035642; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dns1 .us Domain"; flow:established,to_server; http.host; content:".dns1.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036207; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor Sending Task Status (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?id="; startswith; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"UFVUVEFTSyUlJ"; startswith; fast_pattern; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:command-and-control; sid:2035643; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_30;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.changeip .co Domain"; dns.query; content:".changeip.co"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036208; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor Checkin (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?id="; startswith; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"SU5JVCUl"; startswith; fast_pattern; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:command-and-control; sid:2035641; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.changeip .co Domain"; flow:established,to_server; http.host; content:".changeip.co"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036209; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Image Hosting Domain in DNS Lookup (hizliresim .com)"; dns.query; dotprefix; content:".hizliresim.com"; nocase; endswith; classtype:misc-activity; sid:2035655; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Golang HTTP Backdoor Connectivity Check"; flow:established,to_server; http.method; http.request_line; content:"POST /GO/"; fast_pattern; content:".php"; endswith; http.accept_enc; bsize:1; content:"*"; http.content_len; bsize:1; content:"0"; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:command-and-control; sid:2035957; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Backdoor, updated_at 2022_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed SSL Cert (hizliresim .com)"; flow:established,to_client; tls.cert_subject; content:"hizliresim.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?hizliresim\.com(?!\.)/"; classtype:misc-activity; sid:2035656; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_30;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortening Service Domain in DNS Lookup (maxiurl .com)"; dns.query; content:"maxiurl.com"; nocase; bsize:11; classtype:misc-activity; sid:2036226; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (kisa .link)"; dns.query; dotprefix; content:".kisa.link"; nocase; endswith; classtype:misc-activity; sid:2035657; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (maxiurl .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"maxiurl.com"; bsize:11; fast_pattern; classtype:misc-activity; sid:2036227; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, signature_severity Informational, updated_at 2022_04_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortener Service Domain (www .kisa .link in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.kisa.link"; bsize:13; fast_pattern; classtype:misc-activity; sid:2035658; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, signature_severity Major, updated_at 2022_03_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (bnt2 .live)"; dns.query; content:"bnt2.live"; nocase; bsize:9; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036231; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Pastebin-style service note .youdao .com  in DNS query"; dns.query; content:"note.youdao.com"; fast_pattern; reference:url,twitter.com/malwrhunterteam/status/1509160261881667585; reference:md5,6cb6caeffc9a8a27b91835fdad750f90; classtype:misc-activity; sid:2035668; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2022_03_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (signin .dedyn .io)"; dns.query; content:"signin.dedyn.io"; nocase; bsize:15; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036232; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Pastebin-style service (note .youdao .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"note.youdao.com"; fast_pattern; reference:url,twitter.com/malwrhunterteam/status/1509160261881667585; reference:md5,6cb6caeffc9a8a27b91835fdad750f90; classtype:misc-activity; sid:2035669; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2022_03_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (archery .dedyn .io)"; dns.query; content:"archery.dedyn.io"; nocase; bsize:16; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036233; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
 
-alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert (fake state)"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.cert_subject; content:"C=AU"; fast_pattern; content:!"ST=Some-State"; tls.certs; content:"|06 03 55 04 06 13 02 41 55|"; content:"|06 03 55 04 08|"; distance:0; pcre:"/^.{2}(?=[A-Z]{0,32}[^A-Z01])(?P<var>[^01]{4,33}[01]).+?\x06\x03\x55\x04\x08.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2019833; rev:10; metadata:attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (market .vinam .me)"; dns.query; content:"market.vinam.me"; nocase; bsize:15; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036234; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspicious Long NULL DNS Request - Possible DNS Tunneling"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|00 0a 00 01|"; distance:70; fast_pattern; content:!"microsoft.com|03|"; classtype:trojan-activity; sid:2029995; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target DNS_Server, created_at 2020_04_22, deployment Perimeter, signature_severity Major, updated_at 2022_03_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (market .dedyn .io)"; dns.query; content:"market.dedyn.io"; nocase; bsize:15; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036235; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eterprx .net)"; dns.query; content:"eterprx.net"; nocase; bsize:11; reference:md5,21ccad42f936524b311a8bc102b16752; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; classtype:domain-c2; sid:2035683; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".db2"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,db9df7f1bcfba0346d9e7de729c018a2; reference:url,twitter.com/500mk500/status/1515002456882786310; classtype:trojan-activity; sid:2036228; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eternitypr .net)"; dns.query; content:"eternitypr.net"; nocase; bsize:14; reference:md5,21ccad42f936524b311a8bc102b16752; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; classtype:domain-c2; sid:2035684; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bluebox Data Exfiltration"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?ver="; fast_pattern; content:"corp="; content:"os="; content:"softid="; content:"hid="; content:"macadd="; content:"md5="; content:"rand="; content:"subid="; http.user_agent; content:"IEhook"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b13718f353c8c0ea51a15733e035199e; classtype:pup-activity; sid:2036236; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Eternity Stealer Domain (eternitypr .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"eternitypr.net"; bsize:14; fast_pattern; reference:md5,21ccad42f936524b311a8bc102b16752; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; classtype:domain-c2; sid:2035685; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, signature_severity Major, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY [TW] IPFS Protocol HTTP Headers Observed"; flow:established,to_client; http.header_names; content:"|0d 0a|X-Ipfs-"; nocase; fast_pattern; threshold: type threshold, track by_src, count 10, seconds 30; classtype:misc-activity; sid:2036229; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_04_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Eternity Stealer Domain (eterprx .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"eterprx.net"; bsize:11; fast_pattern; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; reference:md5,21ccad42f936524b311a8bc102b16752; classtype:domain-c2; sid:2035686; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, signature_severity Major, updated_at 2022_03_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY [TW] IPFS File Request Observed"; flow:established,to_server; http.uri; content:"/ipfs/"; fast_pattern; pcre:"/^[a-z0-9]{40,}/Ri"; threshold: type threshold, track by_src, count 10, seconds 30; classtype:misc-activity; sid:2036230; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_04_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Eternity Stealer Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /api/accounts HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a 0d 0a|"; bsize:52; http.request_body; content:"growid="; startswith; content:"&password="; distance:0; content:"&stub_token="; distance:0; content:"&mac="; distance:0; content:"&token="; distance:0; content:"&creds="; distance:0; content:"&pcname="; distance:0; content:"&scrurl="; distance:0; reference:md5,21ccad42f936524b311a8bc102b16752; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; classtype:trojan-activity; sid:2035687; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Bumblebee Loader User-Agent (bumblebee)"; flow:established,to_server; http.user_agent; content:"bumblebee"; bsize:9; fast_pattern; reference:md5,555b77d23549e231c8d7f0b003cc5164; reference:md5,3f34d94803e9c8bc0a9cd09f507bc515; reference:url,www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/; reference:url,blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/; classtype:trojan-activity; sid:2036237; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, deployment SSLDecrypt, former_category USER_AGENTS, malware_family Bumblebee_Loader, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Social Media Credential Phish 2022-03-31"; flow:established,to_server; flowbits:set,ET.genericphish; http.method; content:"POST"; http.uri; content:".php?nick="; fast_pattern; classtype:credential-theft; sid:2035688; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (hojimizeg .com)"; dns.query; content:"hojimizeg.com"; nocase; bsize:13; reference:url,www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/; classtype:domain-c2; sid:2036238; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PlugX/Talisman Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"MCookie|3a 20|"; fast_pattern; pcre:"/^[0-9]-[0-9]-[0-9]{5}-[0-9]\r\n/R"; http.header_names; content:!"Referer|0d 0a|"; content:!"|0d 0a|Accept-"; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,ecab63b6de18073453310a9c4551074b; reference:url,www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html; classtype:trojan-activity; sid:2035689; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, malware_family PlugX, signature_severity Major, updated_at 2022_03_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (notixow .com)"; dns.query; content:"notixow.com"; nocase; bsize:11; reference:url,www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/; classtype:domain-c2; sid:2036239; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Lightning Stealer Exfil Activity"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"|22|LogChromes|22 3a|"; content:"|22|LogGecko|22 3a|"; content:"|22|Screen|22 3a 7b|"; fast_pattern; content:"|22|Width|22 3a 22|"; distance:0; content:"|22|ScreenshotBase64|22 3a 22|"; distance:0; reference:md5,1b922b6d15085da82e20fee0789a6617; reference:url,twitter.com/3xp0rtblog/status/1509484987401351177; classtype:trojan-activity; sid:2035679; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Stealer, updated_at 2022_03_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (rewujisaf .com)"; dns.query; content:"rewujisaf.com"; nocase; bsize:13; reference:url,www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/; classtype:trojan-activity; sid:2036240; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Spring Cloud Connector RCE Inbound (CVE-2022-22963)"; flow:to_server,established; http.header; content:"spring.cloud.function.routing-expression|3a|"; fast_pattern; reference:cve,2022-22963; classtype:attempted-admin; sid:2035670; rev:1; metadata:attack_target Server, created_at 2022_03_31, cve CVE_2022_22963, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matrix Max Stealer Exfiltration Observed"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:60; http.request_body; content:"zipx=UEsDBBQ"; startswith; fast_pattern; reference:md5,e8573f06d342ae05ece8d1be111669c4; reference:url,twitter.com/James_inthe_box/status/1516049381539004418; classtype:trojan-activity; sid:2036245; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment SSLDecrypt, former_category MALWARE, malware_family Matrix_Max, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Common JSP WebShell String Observed in HTTP Header M1"; flow:to_server,established; http.header; content:"request.getParameter|28|"; fast_pattern; nocase; classtype:attempted-admin; sid:2035671; rev:1; metadata:created_at 2022_03_31, former_category INFO, updated_at 2022_03_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE - Trojan.Proxy.PPAgent.t (updateb)"; flow:established,to_server; http.uri; content:"/updateb.php?p="; nocase; pcre:"/updateb\.php\?p=\d/i"; flowbits:isset,BT.ppagent.updatea; flowbits:unset,BT.ppagent.updatea; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003116; classtype:trojan-activity; sid:2003116; rev:8; metadata:created_at 2010_07_30, updated_at 2022_04_18;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Common JSP WebShell String Observed in HTTP Header M2"; flow:to_server,established; http.header; content:"executeCmd|28|request.getParameter|28|"; fast_pattern; nocase; classtype:attempted-admin; sid:2035672; rev:1; metadata:created_at 2022_03_31, former_category INFO, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl ASCII"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"clickurl="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005478; classtype:web-application-attack; sid:2005478; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Common JSP WebShell String Observed in HTTP Header M3"; flow:to_server,established; http.header; content:"getRuntime|28 29|.exec"; fast_pattern; nocase; classtype:attempted-admin; sid:2035673; rev:1; metadata:created_at 2022_03_31, updated_at 2022_03_31;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"D="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006614; classtype:web-application-attack; sid:2006614; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Custom Logo Domain in DNS Lookup (seeklogo .com)"; dns.query; dotprefix; content:".seeklogo.com"; nocase; endswith; classtype:misc-activity; sid:2035690; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ExplorerHijack Trojan HTTP Checkin"; flow:established,to_server; http.uri; content:"php?i="; content:"&v="; content:"&win=Windows"; content:"&un="; content:"&uv="; content:"&s="; content:"&onl="; content:"&ip="; content:"&f="; reference:url,doc.emergingthreats.net/2007700; classtype:command-and-control; sid:2007700; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MSIL/Lightning Stealer Domain (panelss .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"panelss.xyz"; bsize:11; fast_pattern; reference:md5,1b922b6d15085da82e20fee0789a6617; reference:url,twitter.com/3xp0rtblog/status/1509484987401351177; classtype:domain-c2; sid:2035680; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_31;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MSIL/Crimson Rat CnC Exfil"; flow:established,to_server; content:"|00 00 00|ent4rme"; offset:2; depth:10; fast_pattern; content:"|20 7c 20|"; distance:0; content:"|23|runtimebroker"; distance:0; threshold:type limit, track by_src, count 5, seconds 600; reference:md5,3829791a486b0b9ccb80ffcb7177c19c; reference:url,twitter.com/0xrb/status/1515979150515122178; classtype:command-and-control; sid:2036241; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Crimson, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Custom Logo Domain (seeklogo .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"seeklogo.com"; bsize:12; fast_pattern; classtype:misc-activity; sid:2035691; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, signature_severity Informational, updated_at 2022_03_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pointpack.kr Related Trojan Checkin"; flow:established,to_server; http.uri; content:"php?"; content:"kind="; content:"&pid="; content:"&ver="; content:"&uniq="; content:"&addresses="; content:"&hdmacid="; content:"&dllver="; content:"&subv="; reference:url,doc.emergingthreats.net/2008260; classtype:command-and-control; sid:2008260; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Terse Request to note .youdao .com - Possible Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/yws/api/personal/file/"; content:"?method=download&shareKey="; distance:0; pcre:"/[a-f0-9]{32}$/UR"; http.host; content:"note.youdao.com"; fast_pattern; bsize:15; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; content:!"Referer"; reference:url,twitter.com/malwrhunterteam/status/1509160261881667585; classtype:misc-activity; sid:2035681; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, performance_impact Moderate, signature_severity Informational, updated_at 2022_03_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Win32.Small.avu HTTP Checkin"; flow:established,to_server; http.uri; content:"m="; content:"&a="; content:"&r="; content:"&os="; content:"00000"; pcre:"/\/s_\d\d_\d+\?/"; pcre:"/&os=[0-9a-z]{40}/i"; reference:url,doc.emergingthreats.net/2008412; classtype:command-and-control; sid:2008412; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MustangPanda APT Dropper Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|Content-Length|0d 0a|Host|0d 0a 0d 0a|"; bsize:46; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:">"; offset:8; content:">"; distance:1; within:1; content:">"; distance:7; within:1; content:"|2e|exe|5c|"; distance:0; fast_pattern; reference:md5,4a9b98832ba5c2b74f80dadd16b8a079; reference:url,twitter.com/StillAzureH/status/1505823479945625604; classtype:trojan-activity; sid:2035682; rev:2; metadata:created_at 2022_03_31, updated_at 2022_03_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Password Stealer (PSW.Win32.Magania Family) GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"pass="; content:"type="; content:"host="; content:"port="; content:"name="; content:"pc="; content:"user="; content:"ip="; content:"version="; http.header; content:"User-Agent|3a| NR"; reference:url,www.f-secure.com/v-descs/trojan-psw_w32_magania.shtml; reference:url,www.threatexpert.com/reports.aspx?find=Trojan-PWS.Magania; reference:url,doc.emergingthreats.net/2009094; classtype:trojan-activity; sid:2009094; rev:8; metadata:created_at 2010_07_30, updated_at 2022_04_18;)
 
-alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Killav.CM CnC Response"; flow:to_client,established; dsize:11; content:"|09 01 00 00 00 00 0b 00 00 00 00|"; startswith; fast_pattern; classtype:trojan-activity; sid:2035693; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Swizzor Family GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"szclientid="; content:"szmac="; content:"szusername="; content:"szver="; content:"mode="; content:"value="; content:"systype="; content:"rid="; content:"szname="; content:"szpaname="; content:"palen="; content:"szpapaname="; content:"chksum="; reference:md5,ed06e3cd6f57fc260194bf9fa224181e; reference:url,doc.emergingthreats.net/2009441; classtype:trojan-activity; sid:2009441; rev:7; metadata:created_at 2010_07_30, updated_at 2022_04_18;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Killav.CM Checkin M2"; dsize:<50; flow:to_server,established; content:"|04 00 00 00 00|"; startswith; content:"|00 00 7E 00 00 00 7E 00|"; distance:0; fast_pattern; content:"|00 00|"; endswith; classtype:trojan-activity; sid:2035694; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Antivirus2010 Checkin port 8082"; flow:established,to_server; http.uri; content:"/ask?"; content:"&u="; content:"a="; content:"&m="; content:"&h="; reference:url,blog.emsisoft.com/2010/08/09/antivirus2010-userinit-and-then-some-more/; reference:url,doc.emergingthreats.net/2011473; classtype:command-and-control; sid:2011473; rev:5; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deep Panda Downloader User-Agent (mozilla_horizon) GET request observed"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"mozilla_horizon"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; reference:md5,62d52076d41ab6e429a976d48173f29d; classtype:trojan-activity; sid:2035703; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java Archive sent when remote host claims to send an image"; flow:established,to_client; http.content_type; content:!"application/java-archive"; content:"image"; nocase; startswith; file.data; content:"PK"; depth:2; content:"META-INF/MANIFEST"; distance:0; fast_pattern; classtype:trojan-activity; sid:2014288; rev:6; metadata:created_at 2012_02_28, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deep Panda Domain in DNS Lookup (vpn2 .smi1egate .com)"; dns.query; content:"vpn2.smi1egate.com"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; reference:md5,0b991aca7e5124df471cf8fb9e301673; classtype:trojan-activity; sid:2035704; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET MISC RuggedCom factory account backdoor"; flow:established,to_client; flowbits:isset,ET.RUGGED.BANNER; content:"Enter User Name|3A|"; pcre:"/Enter User Name\x3a(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*\s*(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*f(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*a(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*c(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*t(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*o(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*r(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*y(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*[\r\n]/"; reference:url,www.exploit-db.com/exploits/18779/; reference:url,arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars; classtype:attempted-admin; sid:2014646; rev:5; metadata:created_at 2012_04_28, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deep Panda Domain in DNS Lookup (svn1 .smi1egate .com)"; dns.query; content:"svn1.smi1egate.com"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; classtype:trojan-activity; sid:2035705; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SNET EK Downloading Payload"; flow:established,to_server; http.uri; content:"get"; content:"?src="; fast_pattern; distance:0; content:"snet"; endswith; pcre:"/\?src=[a-z]+snet$/"; http.user_agent; content:" WinHttp.WinHttpRequest"; classtype:exploit-kit; sid:2016566; rev:5; metadata:created_at 2013_03_14, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deep Panda Domain in DNS Lookup (giga .gnisoft .com)"; dns.query; content:"giga.gnisoft.com"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; classtype:trojan-activity; sid:2035706; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Rawin - Landing Page Received"; flow:established,to_client; file.data; content:"<body bgcolor=|22|"; pcre:"/^[0-9a-f]{6}/R"; content:"<body bgcolor=|22|"; pcre:"/^[0-9a-f]{6}/Ri"; content:"|22 20|>|0a|<applet"; within:11; fast_pattern; classtype:exploit-kit; sid:2017177; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_24, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2022_04_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deep Panda CnC Check-In"; flow:established,to_server; content:"CGKU"; fast_pattern; offset:16; depth:4; content:"MB|00 00|"; distance:128; within:4; content:"Win|20|"; distance:24; within:4; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; reference:md5,0b991aca7e5124df471cf8fb9e301673; classtype:trojan-activity; sid:2035707; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neurevt.A/Betabot Check-in 4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".aspx"; http.user_agent; content:!"SmadavStat"; http.host; content:!"lavasoft.com"; http.request_body; content:!"Zerto.ZVM"; content:!"id1="; content:"1="; content:"2="; distance:0; content:"3="; distance:0; content:"4="; distance:0; fast_pattern; pcre:"/&(?P<vname>[a-z]+)1=[A-F0-9]+&(?P=vname)2=[A-F0-9]+&(?P=vname)3=[A-F0-9]+&(?P=vname)4=[A-F0-9]/"; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|"; depth:16; content:!"Referer"; content:!"Accept"; reference:md5,5eada3ed47d7557df375d8798d2e0a8b; classtype:trojan-activity; sid:2018784; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category TROJAN, malware_family Neurevt, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Redirection 2022-03-14"; flow:established,to_client; http.stat_code; content:"302"; http.header; content:"location|3a 20|Alert.php|0d 0a|"; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,07b9f93e06a83868a8b9ede2dff48346; classtype:credential-theft; sid:2035462; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Adwind/jSocket SSL Cert (assylias.Inc)"; flow:established,to_client; tls.cert_serial; content:"1F:23:9D:BD"; tls.cert_subject; content:"O=assylias.Inc"; fast_pattern; reference:md5,4e5c28fab23b35dea2d48a1c2db32b56; reference:md5,b102c26e04e97bda97b11bfe7366e61e; classtype:trojan-activity; sid:2020728; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Unk.CoinMiner Downloader"; flow:to_client,established; http.response_body; content:"Get-WMIObject"; startswith; content:"|24|miner_url"; distance:0; fast_pattern; content:"|24|miner_name"; distance:0; content:"|24|miner_cfg_url"; content:"|24|miner_cfg_path"; distance:0; reference:md5,6447bc87415b35532d9c8237a376ba70; classtype:trojan-activity; sid:2035695; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 14 2016"; flow:established,to_client; file.data; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 64 69 76|"; within:20; pcre:"/^(?:\x20id=\x22\d+\x22)?\x20style=\x22(?=[^\x22\r\n]*top\x3a\x20-\d{3}px\x3b)(?=[^\x22\r\n]*left\x3a-\d{3}px\x3b)(?=[^\x22\r\n]*position\x3a\x20absolute\x3b)[^\x22\r\n]*\x22>\x20<iframe[^\r\n>]*><\x2f/R"; content:"|69 27 2b 27 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 27 29 3b|"; within:19; fast_pattern; isdataat:!4,relative; classtype:exploit-kit; sid:2022898; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/WindowsDefender Bypass Download Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/kill.bat"; bsize:9; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/W"; http.accept_enc; content:"gzip, deflate"; bsize:13; http.accept; content:"text/html"; startswith; reference:md5,a59277f422139a3c2341eee166eda629; classtype:trojan-activity; sid:2035696; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_01;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO QUIC UDP Internet Connections Protocol Client Hello (OUTBOUND)"; flow:to_server; content:"|80 01|CHLO"; content:"PAD"; content:"SNI"; content:"CCS"; content:"PDMD"; content:"VERS"; nocase; flowbits:set,ET.QUIC.FirstClientHello; reference:url,tools.ietf.org/html/draft-tsvwg-quic-protocol-00; classtype:protocol-command-decode; sid:2022996; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Image Hosting Domain in DNS Lookup (imgyukle .com)"; dns.query; dotprefix; content:".imgyukle.com"; nocase; endswith; classtype:misc-activity; sid:2035697; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET HUNTING SUSPICIOUS Path to BusyBox"; flow:established,to_server; content:"/bin/busybox"; flowbits:set,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:suspicious-filename-detect; sid:2023016; rev:2; metadata:attack_target Server, created_at 2016_08_08, deployment Datacenter, former_category TELNET, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Image Hosting Domain (imgyukle .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"imgyukle.com"; bsize:12; fast_pattern; classtype:misc-activity; sid:2035698; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, signature_severity Informational, updated_at 2022_04_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK NOP Sled Sep 22 2016 (b641)"; flow:established,to_client; file.data; content:"LGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdIF"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023271; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Image Hosting Domain in DNS Lookup (resimag .com)"; dns.query; dotprefix; content:".resimag.com"; nocase; endswith; classtype:misc-activity; sid:2035699; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK NOP Sled Sep 22 2016 (b642)"; flow:established,to_client; file.data; content:"pdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NVEX"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023272; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Image Hosting Domain (resimag .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"resimag.com"; bsize:11; fast_pattern; classtype:misc-activity; sid:2035700; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, signature_severity Informational, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK NOP Sled Sep 22 2016 (b643)"; flow:established,to_client; file.data; content:"4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGYUJ"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023273; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Image Hosting Domain (resimupload .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"resimupload.org"; bsize:15; fast_pattern; classtype:misc-activity; sid:2035701; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, signature_severity Informational, updated_at 2022_04_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Slight Sep 22 2016 (b641)"; flow:established,to_client; file.data; content:"x7soyTdaNq94NWpdLGZ4NWpd"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023274; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Image Hosting Domain in DNS Lookup (resimupload .org)"; dns.query; dotprefix; content:".resimupload.org"; nocase; endswith; classtype:misc-activity; sid:2035702; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Slight Sep 22 2016 (b642)"; flow:established,to_client; file.data; content:"MlADchNaR0LGZ4NWpdLGZ4N"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023275; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (win .mirtonewbacker .com)"; dns.query; content:"win.mirtonewbacker.com"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035708; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Slight Sep 22 2016 (b643)"; flow:established,to_client; file.data; content:"azTEhyWNbKGpdLGZ4NWpdLG"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023276; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain (win .mirtonewbacker .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"win.mirtonewbacker.com"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035709; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK March 15 2017 M2"; flow:established,to_client; file.data; content:"<iframe"; within:7; pcre:"/^(?:\s+style=\x27hidden\x27)?\s+src=\x27https?\x3a[^>\x22\x27]+[\x22\x27]\s*width=\x270\x27\s+/Ri"; content:"|68 65 69 67 68 74 3d 27 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c|"; within:34; isdataat:100; classtype:exploit-kit; sid:2024093; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_17, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (umpulumpu .ru)"; dns.query; content:"umpulumpu.ru"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035710; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M3 B643"; flow:established,to_client; file.data; content:"|4e6f636e636f4d7a49334e6a6370|"; pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/"; classtype:exploit-kit; sid:2024361; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain (umpulumpu .ru) in TLS SNI"; flow:established,to_server; tls.sni; content:"umpulumpu.ru"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035711; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Landing Aug 23 2017"; flow:established,to_client; flowbits:isset,ET.DisDain.EK; http.stat_code; content:"200"; file.data; content:"document.write("; content:"w6UKpvNSUQKuCVmSVlTLELdj"; distance:0; within:75; classtype:exploit-kit; sid:2024612; rev:4; metadata:created_at 2017_08_23, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (greenblguard .shop)"; dns.query; content:"greenblguard.shop"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035712; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP [PTsecurity] Adware/Rukometa(LoadMoney) Fake PNG File"; flow:established,to_client; flowbits:isset,ETPTadmoney; http.stat_code; content:"200"; file.data; content:"|89 50 4e 47 0d 0a 1a 0a|"; depth:8; byte_jump:2,8,from_beginning,little; isdataat:20,relative; isdataat:!21,relative; content:!"IHDR"; offset:12; depth:4; classtype:pup-activity; sid:2024699; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Internet, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain (greenblguard .shop) in TLS SNI"; flow:established,to_server; tls.sni; content:"greenblguard.shop"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035713; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 3"; flow:established,to_client; content:"|17 03|"; depth:2; content:"|00 40|"; distance:1; within:2; fast_pattern; stream_size:server, >,1789; stream_size:server,<,2124; stream_size:client, >,447; stream_size:client, <,1722; flowbits:isset, FB332502_0; flowbits:unset, FB332502_0; flowbits:set, FB332502_1; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024753; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (onetwostep .at)"; dns.query; content:"onetwostep.at"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035714; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [:32768] (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 4"; flow:established,to_server; content:"|1703|"; depth:2; byte_test:2, >=,1024, 1, relative; byte_test:2, <=,1100, 1, relative; stream_size:server, >,1889; stream_size:server, <,2124; stream_size:client, >,1476; stream_size:client, <,1722; flowbits:isset, FB332502_1; flowbits:unset, FB332502_1; flowbits:set, FB332502_2; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024754; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain (onetwostep .at) in TLS SNI"; flow:established,to_server; tls.sni; content:"onetwostep.at"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035715; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Oct 16 2016"; flow:established,to_client; file.data; content:"Windows Defender Alert"; nocase; fast_pattern; content:"Virus Detected"; nocase; distance:0; content:"Reset Your Computer"; nocase; distance:0; content:"<audio autoplay"; nocase; distance:0; classtype:social-engineering; sid:2024845; rev:4; metadata:created_at 2017_10_16, former_category WEB_CLIENT, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackGuard_v2 Data Exfiltration Observed"; flow:established,to_server; content:"POST"; content:"?user="; content:"&hwid="; distance:0; content:"&antivirus="; distance:0; content:"&os=Windows"; distance:0; content:"&passCount="; distance:0; content:"&coockieCount="; distance:0; fast_pattern; content:"&walletCount="; distance:0; content:"&telegramCount="; distance:0; content:"&vpnCount="; distance:0; content:"&ftpCount="; distance:0; content:"&country="; content:"multipart/form-data|3b 20|boundary="; distance:0; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035716; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment SSLDecrypt, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_04_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (dyoravdkiavfkbkx in DNS Lookup)"; dns.query; content:"dyoravdkiavfkbkx"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025507; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT NetGear R6700v3 upnpd Buffer Overflow Inbound (CVE-2022-27643)"; flow:to_server,established; http.method; content:"POST"; http.header; content:"SOAPAction|3a|"; nocase; content:"urn:NETGEARROUTER:service:ParentalControl:1#Authenticate"; fast_pattern; nocase; pcre:"/^SOAPAction\x3a\s?urn\x3aNETGEARROUTER\x3aservice\x3aParentalControl\x3a1#Authenticate/Hmi"; http.request_body; content:"<NewMACAddress>"; nocase; pcre:"/^[^<]{30,}<\/NewMACAddress>/Ri"; reference:url,blog.relyze.com/2022/03/cve-2022-27643-netgear-r6700v3-upnpd.html; reference:cve,2022-27643; classtype:attempted-admin; sid:2035717; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_03, cve CVE_2022_27643, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (dypmoywmjrevboat in DNS Lookup)"; dns.query; content:"dypmoywmjrevboat"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025508; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /async/newtab_ogb HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Sec-Fetch-Site|0d 0a|Sec-Fetch-Mode|0d 0a|Sec-Fetch-Dest|0d 0a|"; content:!"Referer|0d 0a|"; http.cookie; content:"1P_JAR="; startswith; content:"NID="; distance:6; within:4; pcre:"/^[A-Za-z0-9\/_\-\+]{171}=$/R"; reference:md5,e98774bee4ed490089f6c63b6c676112; reference:url,blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/; classtype:trojan-activity; sid:2035653; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (jjjooyeohgghgtwn in DNS Lookup)"; dns.query; content:"jjjooyeohgghgtwn"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025509; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Carder Card Checking Tool try2check.me SSL Certificate"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"try2check.me"; within:400; fast_pattern; classtype:pup-activity; sid:2014286; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_02_28, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (lvanwwbyabcfevyi in DNS Lookup)"; dns.query; content:"lvanwwbyabcfevyi"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025510; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SSL Cert Used In Unknown Exploit Kit (ashburn)"; flow:established,to_client; content:"ashburn@gmail.com"; fast_pattern; classtype:exploit-kit; sid:2015717; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_09_20, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (uxwavkmttywsuynt in DNS Lookup)"; dns.query; content:"uxwavkmttywsuynt"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025511; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Redis RCE Attempt (CVE-2022-0543) M1"; flow:established,to_server; content:"package|2e|loadlib|28|"; fast_pattern; content:"liblua"; distance:0; content:".popen|28|"; distance:0; reference:url,blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers; reference:url,www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce; reference:cve,2022-0543; classtype:attempted-admin; sid:2035718; rev:2; metadata:affected_product Redis, attack_target Server, created_at 2022_04_04, cve CVE_2022_0543, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (yaynawvtuqcarjwc in DNS Lookup)"; dns.query; content:"yaynawvtuqcarjwc"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025512; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redis RCE Attempt - Dynamic Importing of liblua (CVE-2022-0543)"; flow:established,to_server; content:"package|2e|loadlib|28|"; fast_pattern; content:"liblua"; within:500; reference:url,blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers; reference:url,www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce; reference:cve,2022-0543; classtype:attempted-admin; sid:2035720; rev:2; metadata:affected_product Redis, created_at 2022_04_04, cve CVE_2022_0543, former_category EXPLOIT, updated_at 2022_04_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BKransomware Domain (3whyfziey2vr41yq in DNS Lookup)"; dns.query; content:"3whyfziey2vr41yq"; depth:16; reference:md5,892da86e60236c5aaf26e5025af02513; classtype:trojan-activity; sid:2025559; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Redis RCE Attempt (CVE-2022-0543) M2"; flow:established,to_server; content:"package|2e|loadlib|28|"; fast_pattern; content:"liblua"; within:500; content:".execute|28|"; distance:0; reference:url,blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers; reference:url,www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce; reference:cve,2022-0543; classtype:attempted-admin; sid:2035719; rev:2; metadata:affected_product Redis, attack_target Server, created_at 2022_04_04, cve CVE_2022_0543, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing Jun 28 2017"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:!"https://*.paypal.com"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; content:"|26 23|x50|3b 26 23|x61|3b 26 23|x79|3b 26 23|x50|3b 26 23|x61|3b 26 23|x6C|3b|"; fast_pattern; within:50; content:"</title>"; distance:0; classtype:social-engineering; sid:2025660; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".modestoobgyn.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035721; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Struts ognl inbound OGNL injection remote code execution attempt"; flow:established,to_server; http.uri; content:"${"; content:"ognl|2E|"; distance:0; fast_pattern; reference:cve,2018-11776; classtype:attempted-admin; sid:2026031; rev:3; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_08_24, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Minor, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".chyprediction.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035722; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Win32/Remcos RAT Checkin 51"; flow:established,to_server; stream_size:server,=,1; content:"|4139 2f55 647c c126 8775 8f|"; depth:11; reference:md5,4f3cc55c79b37a52d8f087dbf7093dcd; classtype:command-and-control; sid:2026433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_02, deployment Perimeter, former_category MALWARE, malware_family Remcos, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".againcome.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035723; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kraken C2 Domain Observed (kraken656kn6wyyx in DNS Lookup)"; dns.query; content:"kraken656kn6wyyx"; depth:16; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-1030.pdf; classtype:command-and-control; sid:2026640; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_20, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Kraken_Ransomware, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".myshortbio.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035724; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Agent.NZH CnC Response"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"File not found.|0a 3c 21 2d 2d|"; within:30; fast_pattern; content:"-->"; distance:0; classtype:command-and-control; sid:2026987; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_27, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".bestsecure2020.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035725; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF.SystemdMiner C2 Domain in DNS Lookup"; dns.query; content:"aptgetgxqs3secda"; depth:16; reference:url,blog.netlab.360.com/systemdminer-when-a-botnet-borrows-another-botnets-infrastructure/; classtype:command-and-control; sid:2027351; rev:4; metadata:affected_product Linux, attack_target Server, created_at 2019_05_13, deployment Datacenter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".findoutcredit.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035726; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF.SystemdMiner C2 Domain in DNS Lookup"; dns.query; content:"rapid7cpfqnwxodo"; depth:16; reference:url,blog.netlab.360.com/systemdminer-when-a-botnet-borrows-another-botnets-infrastructure/; classtype:command-and-control; sid:2027352; rev:4; metadata:affected_product Linux, attack_target Server, created_at 2019_05_13, deployment Datacenter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".estetictrance.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035727; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Thanatos Ransomware Variant Pico User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1) Pico/"; startswith; classtype:trojan-activity; sid:2029306; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".internethabit.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035728; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspected Malicious Telegram Communication (POST)"; flow:established,to_server; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http.header; content:"|0d 0a|Accept-Language|3a 20|en-US,*|0d 0a|User-Agent|3a 20|Mozilla/5.0|0d 0a|Host|3a 20|"; fast_pattern; http.content_len; byte_test:0,=,40,0,string,dec; http.request_line; content:"POST /api HTTP/1.1"; depth:18; isdataat:!1,relative; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; isdataat:!1,relative; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:98; isdataat:!1,relative; reference:md5,fe5338aee73b3aae375d7192067dc5c8; reference:url,www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/; classtype:misc-activity; sid:2029634; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/POWERPLANT CnC Exfil (Query)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/gate?id="; startswith; http.request_body; content:"UVVFUlk="; bsize:8; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,edb1f62230123abf88231fc1a7190b60; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035729; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE ActionSpy CnC (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ps/upinfo"; bsize:10; fast_pattern; http.user_agent; content:"android"; bsize:7; http.header; content:"Content-Encoding|3a 20|encrypted|0d 0a|"; reference:md5,43f1891a9c0d8fc69e273095708d9238; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/; classtype:command-and-control; sid:2030342; rev:2; metadata:attack_target Mobile_Client, created_at 2020_06_15, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/POWERPLANT CnC Exfil (INIT)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/gate?id="; startswith; http.request_body; content:"SU5JVA=="; depth:8; fast_pattern; content:"TWljcm9zb2Z0IFdpbmRvd3M"; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,edb1f62230123abf88231fc1a7190b60; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035730; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Gootkit Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search.php?"; startswith; fast_pattern; pcre:"/^[1-z]{13}=[0-9]{16}$/R"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5|29|"; http.header_names; content:!"Referer"; reference:md5,82ddc740b8ff3aa4d818d1b421e0231e; classtype:trojan-activity; sid:2033022; rev:2; metadata:created_at 2021_05_24, former_category MALWARE, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Instagram Story Viewer Domain in DNS Lookup (dumpor .com)"; dns.query; dotprefix; content:".dumpor.com"; nocase; endswith; classtype:misc-activity; sid:2035736; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed OWA Phishing Landing Page 2021-08-20"; flow:established,to_client; file.data; content:"<title>Outlook Web App</title>"; fast_pattern; content:"<form action|3d 22|save.php|22|"; content:"method|3d 22|POST|22|"; distance:0; content:"name|3d 22|logonForm|22|"; distance:0; content:"id|3d 22|logonForm|22|"; distance:0; content:"enctype|3d 22|application/x-www-form-urlencoded|22|"; distance:0; content:"autocomplete|3d 22|off|22 3e|"; distance:0; reference:url,app.any.run/tasks/40a14763-96a6-4897-86c4-2b4693a0034b/; classtype:social-engineering; sid:2033748; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_20, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Instagram Story Viewer Domain in DNS Lookup (smihub .com)"; dns.query; dotprefix; content:".smihub.com"; nocase; endswith; classtype:misc-activity; sid:2035737; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [!80,!443] (msg:"ET MALWARE Win32/Numando Banker CnC Activity"; flow:established,to_server; content:"<|7c|>1<|7c|>"; offset:7; content:"<|7c|>Microsoft|20|Windows"; distance:0; content:"<|7c|>0<|7c|>"; distance:0; reference:md5,fec2f560619b88d9846fe03db6841e91; reference:url,www.welivesecurity.com/2021/09/17/numando-latam-banking-trojan/; classtype:trojan-activity; sid:2033983; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Instagram Story Viewer Domain in DNS Lookup (greatfon .com)"; dns.query; dotprefix; content:".greatfon.com"; nocase; endswith; classtype:misc-activity; sid:2035738; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Outdated Browser Landing Page M3"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"!|5c|n|5c|nWebsite work well"; fast_pattern; nocase; reference:url,blog.group-ib.com/perswaysion; classtype:misc-activity; sid:2033998; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Instagram Story Viewer Domain (dumpor .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dumpor.com"; bsize:10; fast_pattern; classtype:misc-activity; sid:2035739; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Credential Phish Credit Card Payment Data Exfil"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Internal Revenue Service"; nocase; content:"form action=|22|c5.php|22|"; fast_pattern; distance:0; content:"name|3d 22|amount|22 20|value|3d 22 22|"; distance:0; content:"PROCEED"; distance:0; reference:md5,55d8e8f74231e50c479d11683c7ab889; classtype:credential-theft; sid:2034328; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to LOADOUT Domain"; dns.query; dotprefix; content:".incongruousance.com"; nocase; endswith; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035731; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert http $HOME_NET any -> any any (msg:"ET INFO Python BaseHTTP ServerBanner"; flow:established; http.server; content:"BaseHTTP/"; startswith; content:"Python/"; distance:0; reference:url,wiki.python.org/moin/BaseHttpServer; classtype:misc-activity; sid:2034635; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to LOADOUT Domain"; dns.query; dotprefix; content:".fashionableeder.com"; nocase; endswith; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035732; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Kimsuky Related Malicious VBScript"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Content-Encoding|3a 20|gzip"; http.response_body; content:"language|3d|javascript|3e|document|2e|write|28|unescape|28 27|"; content:"%47%65%74%4F%62%6A%65%63%74%28%22%22%6E%65%77%3A"; content:"%2E%76%62%73%20%26%40%65%63%68%6F%20%55%52%4C%20%3D%20%22%22"; distance:0; within:285; fast_pattern; content:"%73%65%6C%66%2E%63%6C%6F%73%65"; reference:md5,d74f268b986fecfa03b81029dd134811; classtype:trojan-activity; sid:2034697; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Instagram Story Viewer Domain (smihub .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"smihub.com"; bsize:10; fast_pattern; classtype:misc-activity; sid:2035740; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater APT Related Maldoc Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getCommand?guid="; startswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:md5,c9ab403bd43649b5fd57efac4bf83b7c; reference:md5,748ae5af58e52e940ab806bdbbe61c4c; reference:url,twitter.com/ShadowChasing1/status/1475819281648553986; classtype:trojan-activity; sid:2034844; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_12_28, deployment Perimeter, former_category MALWARE, malware_family MuddyWater, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to LOADOUT Domain"; dns.query; dotprefix; content:".electroncador.com"; nocase; endswith; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035733; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Metawallet Phish 2022-01-13"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"metawallet"; fast_pattern; content:".php"; endswith; http.request_body; content:"WoRd1="; content:"WoRd2="; distance:0; content:"WoRd3="; distance:0; content:"WoRd4="; distance:0; content:"WoRd5="; distance:0; content:"WoRd6="; distance:0; content:"WoRd7="; distance:0; content:"WoRd8="; distance:0; content:"WoRd9="; distance:0; content:"WoRd10="; distance:0; content:"WoRd11="; distance:0; content:"WoRd12="; distance:0; reference:md5,7ddee3930807ab2a21afe8c5760b2b13; classtype:credential-theft; sid:2034915; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to LOADOUT Domain"; dns.query; dotprefix; content:".spontaneousance.com"; nocase; endswith; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035734; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tiggre Variant Activity Sending System Files (POST)"; flow:established,to_server; http.request_line; content:"POST /up/up.php HTTP/1.1"; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|boundary=---------------------"; startswith; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"form-data|3b 20|name=|22|file|22 3b|"; reference:md5,a023ece310a490a87e77c9bb28b6415b; classtype:trojan-activity; sid:2034962; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Instagram Story Viewer Domain (greatfon .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"greatfon.com"; bsize:12; fast_pattern; classtype:misc-activity; sid:2035741; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Valyria.6015 CnC Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/eln-images/"; startswith; fast_pattern; http.user_agent; content:"WindowsPowerShell/"; http.header_names; content:!"Referer"; reference:md5,a118a3030807156eca8f805b8b83ce1f; classtype:trojan-activity; sid:2035223; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener  Domain in DNS Lookup (lk .tc)"; dns.query; dotprefix; content:".lk.tc"; nocase; endswith; classtype:misc-activity; sid:2035742; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish 2022-03-02"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/proccess/log.php"; fast_pattern; http.request_body; content:"FromPreSignIn_SIP=Y"; content:"&RSA_DEVPRINT="; distance:0; content:"&QQ1="; distance:0; reference:md5,023f93be3b12f211c5db927f234290ad; classtype:credential-theft; sid:2035379; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortener Domain (lk .tc in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".lk.tc"; endswith; fast_pattern; classtype:misc-activity; sid:2035743; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Informational, updated_at 2022_04_04;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|00|"; offset:1; depth:1; content:"|01 00|"; distance:19; within:2; byte_test:4,>,128,20,relative,little; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103158; rev:8; metadata:created_at 2010_09_23, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LOADOUT CnC Activity"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64|3b 20|rv:6.0) Gecko/20110101 Firefox/69.0"; http.header_names; content:"|0d 0a|content-type|0d 0a|"; content:"|0d 0a|user-agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; http.request_body; content:"yoyo="; depth:5; fast_pattern; reference:md5,4d56a1ca28d9427c440ec41b4969caa2; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035735; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_04;)
+alert tcp-pkt $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Rat CnC Server Response"; flow:established,to_client; content:"|00 00 00|ent2rmezi="; offset:2; depth:13; fast_pattern; threshold:type limit, track by_src, count 5, seconds 600; reference:md5,3829791a486b0b9ccb80ffcb7177c19c; reference:url,twitter.com/0xrb/status/1515979150515122178; classtype:command-and-control; sid:2036242; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Crimson, signature_severity Major, tag c2, updated_at 2022_04_18;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Gitlab Login Attempt with hard-coded password (CVE-2022-1162)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/users/sign_in"; http.request_body; content:"&user%5Bpassword%5D=123qweQWE%21%40%23"; fast_pattern; pcre:"/^0+(?:&|$)/R"; reference:url,about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/#static-passwords-inadvertently-set-during-omniauth-based-registration; reference:cve,2022-1162; classtype:attempted-user; sid:2035750; rev:1; metadata:attack_target Server, created_at 2022_04_05, cve CVE_2022_1162, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zingo/GinzoStealer Stealer Exfiltration Observed"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/g1nzo.php?"; startswith; fast_pattern; content:"data="; content:"countc="; content:"countp="; content:"country="; content:"ip="; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:60; reference:md5,b918a1b21063907a9bbf4dda8259bd78; reference:url,blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html; classtype:trojan-activity; sid:2036246; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family ZingoStealer, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Gitlab Login Attempt with hard-coded password (CVE-2022-1162)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/users/sign_in"; http.request_body; content:"|26|user|5b|password|5d 3d|123qweQWE|21 40 23|"; fast_pattern; pcre:"/^0+(?:&|$)/R"; reference:url,about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/#static-passwords-inadvertently-set-during-omniauth-based-registration; reference:cve,2022-1162; classtype:attempted-user; sid:2035751; rev:1; metadata:attack_target Server, created_at 2022_04_05, cve CVE_2022_1162, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Blackguard_v3.5 Domain (ritmflow .online) in TLS SNI"; flow:established,to_server; tls.sni; content:"ritmflow.online"; bsize:15; fast_pattern; reference:md5,dce3c6ed046018eac08f82942401123d; reference:url,twitter.com/3xp0rtblog/status/1516092338065612804; classtype:trojan-activity; sid:2036247; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Blackguard_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Splashtop Domain in DNS Lookup (splashtop .com)"; dns.query; dotprefix; content:".splashtop.com"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035762; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_05;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson CnC Server Command (info) M3"; flow:established,to_client; dsize:18; content:"|0d 00 00 00 00|inf2o=command"; threshold:type limit,track by_dst, count 5,seconds 600; reference:md5,fdd625f11ae39b85d4c0f794e8570abe; classtype:command-and-control; sid:2036243; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Crimson, signature_severity Major, tag c2, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Splashtop Domain (splashtop .com) in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".splashtop.com"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035763; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_05;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MSIL/Crimson Client Command Response (info)"; flow:established,to_server; content:"|00 00 00 00|"; offset:1; depth:4; content:"inx7fo=usder"; distance:0; fast_pattern; content:"|00 00 00 00 7c|"; distance:1; within:5; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; threshold:type limit, track by_src, count 5, seconds 600; reference:md5,fdd625f11ae39b85d4c0f794e8570abe; classtype:command-and-control; sid:2036244; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Crimson, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Splashtop Domain in DNS Lookup (splashtop .eu)"; dns.query; dotprefix; content:".splashtop.eu"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035764; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Blackguard_v3.5 Domain in DNS Lookup (ritmflow .online)"; dns.query; content:"ritmflow.online"; nocase; bsize:15; reference:md5,dce3c6ed046018eac08f82942401123d; reference:url,twitter.com/3xp0rtblog/status/1516092338065612804; classtype:trojan-activity; sid:2036248; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, malware_family Blackguard_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Splashtop Domain (splashtop .eu) in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".splashtop.eu"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035765; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful CSIS Credential Phish"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/policy/id1383729472034823098/United-States-Nonpaper-on-Iran.pdf/"; fast_pattern; http.referer; content:!"csis.org"; http.request_body; content:"email="; content:"password"; classtype:credential-theft; sid:2034255; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_26, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Totolink - Command Injection Attempt Inbound (CVE-2022-26210)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/cgi-bin/cstecgi.cgi"; http.request_body; content:"setUpgradeFW"; fast_pattern; content:"FileName|3a 20 3a|"; distance:0; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-26210; classtype:attempted-admin; sid:2035744; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2022_26210, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_05;)
+alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Oracle SQL Injection utl_inaddr call in URI"; flow:established,to_server; http.uri; content:"utl_inaddr.get_host"; nocase; fast_pattern; classtype:attempted-admin; sid:2015749; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Totolink - Command Injection Attempt Inbound (CVE-2022-26186)"; flow:to_server,established; http.uri; content:"/cgi-bin/cstecgi.cgi?exportOvpn"; fast_pattern; content:"="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-26186; classtype:attempted-admin; sid:2035745; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2022_26186, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M1"; flow:established,to_server; http.uri.raw; pcre:"/^\/(?:icons|cgi-bin)/"; content:"/.%2e/%2e%2e/%2e%2e/%2e%2e/"; reference:url,httpd.apache.org/security/vulnerabilities_24.html; reference:url,twitter.com/HackerGautam/status/1445412108863041544; reference:cve,2021-41773; classtype:attempted-admin; sid:2034124; rev:4; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2021_10_05, cve CVE_2021_41773, deployment Perimeter, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Totolink - Command Injection Attempt Inbound (CVE-2022-25075)"; flow:to_server,established; http.uri; content:"/cgi-bin/downloadFlile.cgi"; fast_pattern; content:"="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-25075; classtype:attempted-admin; sid:2035746; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2022_25075, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M2"; flow:established,to_server; http.uri.raw; pcre:"/^\/(?:icons|cgi-bin)/"; content:"/.%2e/.%2e/.%2e/.%2e/"; reference:url,httpd.apache.org/security/vulnerabilities_24.html; reference:url,github.com/iilegacyyii/PoC-CVE-2021-41773/blob/main/CVE-2021-41773.py; reference:cve,2021-41773; classtype:attempted-admin; sid:2034125; rev:4; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2021_10_05, cve CVE_2021_41773, deployment Perimeter, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link - RCE Attempt Inbound (CVE-2021-45382)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ddns_check.ccp"; fast_pattern; http.request_body; content:"&ddnsHostName="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2021-45382; classtype:attempted-admin; sid:2035747; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2021_45382, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_05;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M3"; flow:established,to_server; http.uri.raw; pcre:"/^\/(?:icons|cgi-bin)/"; content:"/.%2e/%2e%2e/.%2e/"; reference:cve,2021-41773; classtype:attempted-admin; sid:2034128; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2021_10_06, cve CVE_2021_41773, deployment Perimeter, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (b3astmode)"; flow:to_server,established; http.user_agent; content:"b3astmode"; fast_pattern; bsize:9; classtype:trojan-activity; sid:2035748; rev:1; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_05;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Potential Forced OGNL Evaluation - HTTP Header"; flow:to_server,established; http.header; content:"|25 7b|"; fast_pattern; content:"|7d|"; distance:0; classtype:misc-activity; sid:2036223; rev:2; metadata:created_at 2022_04_14, deprecation_reason Performance, former_category HUNTING, performance_impact Significant, updated_at 2022_04_19;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (b3astmode)"; flow:to_server,established; http.user_agent; content:"b3astmode"; fast_pattern; bsize:9; classtype:trojan-activity; sid:2035749; rev:1; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_05;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Potential Forced OGNL Evaluation - HTTP Body"; flow:to_server,established; http.request_body; content:"|25 7b|"; fast_pattern; content:"|7d|"; distance:0; classtype:misc-activity; sid:2036224; rev:2; metadata:created_at 2022_04_14, deprecation_reason Performance, former_category HUNTING, performance_impact Significant, updated_at 2022_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Lazarus APT Related Backdoor Activity (POST) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"jsessid=60d49d"; fast_pattern; content:"cookie="; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/lazarus-trojanized-defi-app/106195/; reference:md5,0b9f4612cdfe763b3d8c8a956157474a; classtype:trojan-activity; sid:2035692; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_04_05;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Potential Forced OGNL Evaluation - HTTP URI"; flow:to_server,established; http.uri; content:"|25 7b|"; fast_pattern; content:"|7d|"; distance:0; classtype:misc-activity; sid:2036222; rev:2; metadata:created_at 2022_04_14, deprecation_reason Performance, former_category HUNTING, performance_impact Moderate, updated_at 2022_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Lazarus APT Related Backdoor Activity (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"jcookie=60d49d"; fast_pattern; content:"cookie="; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/lazarus-trojanized-defi-app/106195/; reference:md5,0b9f4612cdfe763b3d8c8a956157474a; classtype:trojan-activity; sid:2035766; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, malware_family Lazarus, performance_impact Low, signature_severity Major, updated_at 2022_04_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)"; flow:established,to_server; tls.sni; content:"nominally.ru"; bsize:12; fast_pattern; reference:md5,b918a1b21063907a9bbf4dda8259bd78; reference:url,blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html; classtype:domain-c2; sid:2036249; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, malware_family ZingoStealer, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Proxy Domain in DNS Lookup (proxynet .io)"; dns.query; dotprefix; content:".proxynet.io"; nocase; endswith; classtype:misc-activity; sid:2035757; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zingo/GinzoStealer Data Exfiltration M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22|ginzoarchive|2e|zip|22 0d 0a|Content|2d|Type|3a 20|application|2f|octet|2d|stream|0d 0a 0d 0a|PK|03 04|"; fast_pattern; reference:md5,b918a1b21063907a9bbf4dda8259bd78; reference:url,blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html; classtype:trojan-activity; sid:2036250; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family ZingoStealer, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Proxy Domain (proxynet .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"proxynet.io"; bsize:11; fast_pattern; classtype:misc-activity; sid:2035758; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, signature_severity Informational, updated_at 2022_04_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zingo/GinzoStealer Downloading Additional Payloads"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.host; dotprefix; content:".nominally.ru"; endswith; fast_pattern; reference:url,blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html; classtype:trojan-activity; sid:2036251; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, malware_family ZingoStealer, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.USB Variant CnC Activity"; flow:established,to_server; stream_size:server,<,5; content:"|2e d4 d6 19 57 d4 85 ba 0e 9d e5 56 fa 72 db af e5 17 e8 3e 3b 21 b7 26 fc 59 03 db d2 36 32 bb c3 c4 ab 7b 66 74 c4 68 ac 23 5b a3 fc e7 82 6a|"; offset:7; depth:48; reference:md5,c911d93b90bdef05be681a3b31c81679; reference:url,twitter.com/0xrb/status/1509396448387153920; classtype:trojan-activity; sid:2035752; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected TA404 APT Related Activity M1"; flow:established,to_server; http.uri; content:".asp?prd_fld=racket"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:!"Linux"; content:!"Android"; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical; classtype:trojan-activity; sid:2036257; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Unk.CoinMiner Downloader"; flow:to_client,established; http.content_type; content:"text/plain"; startswith; http.response_body; content:"Remove known miners by known process names"; content:"Write-Output|20 22|Miner Running|22|"; fast_pattern; reference:md5,6ae2d7ab6701bd9b46efe7f5d52b2c46; classtype:trojan-activity; sid:2035753; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected TA404 APT Related Activity M2"; flow:established,to_server; http.uri; content:".jsp?prd_fld_racket"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:!"Linux"; content:!"Android"; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical; classtype:trojan-activity; sid:2036258; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader)"; flow:established,to_client; tls.cert_subject; content:"CN=thechinastyle.com"; bsize:20; fast_pattern; reference:url,www.mandiant.com/resources/evolution-of-fin7; reference:md5,3985b60c6aba7cb38998e3f898fba79a; classtype:trojan-activity; sid:2035754; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, signature_severity Major, updated_at 2022_04_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (dafom .dev)"; dns.query; content:"dafom.dev"; nocase; bsize:9; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036259; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader)"; flow:established,to_client; tls.cert_subject; content:"CN=divorceradio.com"; bsize:19; fast_pattern; reference:url,www.mandiant.com/resources/evolution-of-fin7; reference:md5,3985b60c6aba7cb38998e3f898fba79a; classtype:trojan-activity; sid:2035755; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, signature_severity Major, updated_at 2022_04_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed DPRK Related APT User-Agent (dafom)"; flow:established,to_server; http.user_agent; content:"dafom"; bsize:5; fast_pattern; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:bad-unknown; sid:2036260; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, deployment SSLDecrypt, former_category USER_AGENTS, signature_severity Informational, updated_at 2022_04_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader)"; flow:established,to_client; tls.cert_subject; content:"CN=physiciansofficenews.com"; bsize:27; fast_pattern; reference:md5,3985b60c6aba7cb38998e3f898fba79a; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035756; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, signature_severity Major, updated_at 2022_04_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (tokenais .com)"; dns.query; content:"tokenais.com"; nocase; bsize:12; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036261; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page M1 2022-04-05"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Bfrt4DSob5.ico"; fast_pattern; content:"|2e|php|22 20|enctype|3d 22|multipart|2f|form|2d|data|22|"; nocase; distance:0; content:"src|3d 22|poina|2e|png|22|"; distance:0; classtype:credential-theft; sid:2035759; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (cryptais .com)"; dns.query; content:"cryptais.com"; nocase; bsize:12; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036262; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page M2 2022-04-05"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c|script|20|images|3d 22|JavaScript|22 3e|"; distance:0; content:"<!--"; distance:0; content:"window|2e|location|3d 22|inzo|2e|html|22 3b|"; fast_pattern; distance:0; content:"// -->"; distance:0; content:"</script>"; distance:0; classtype:credential-theft; sid:2035760; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (alticgo .com)"; dns.query; content:"alticgo.com"; nocase; bsize:11; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036263; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page M3 2022-04-05"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"inzo"; content:"|3c|script|20|images|3d 22|JavaScript|22 3e|"; distance:0; content:"<!--"; distance:0; content:"window|2e|location|3d 22|cmzs|2e|html|22 3b|"; fast_pattern; distance:0; content:"// -->"; distance:0; content:"</script>"; distance:0; classtype:credential-theft; sid:2035761; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (esilet .com)"; dns.query; content:"esilet.com"; nocase; bsize:10; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036264; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_04_19;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 1 Pattern Set Inbound (CVE-2022-22965)"; flow:to_server,established; http.uri; content:"pipeline.first.pattern="; fast_pattern; classtype:attempted-admin; sid:2035674; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (vasepinay .com)"; dns.query; content:"vasepinay.com"; nocase; bsize:13; reference:url,twitter.com/Max_Mal_/status/1514729699011928073; classtype:domain-c2; sid:2036265; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_19;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 2 Suffix Set Inbound (CVE-2022-22965)"; flow:to_server,established; http.uri; content:"pipeline.first.suffix="; fast_pattern; classtype:attempted-admin; sid:2035675; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (dixavokij .com)"; dns.query; content:"dixavokij.com"; nocase; bsize:13; reference:url,twitter.com/Max_Mal_/status/1514729699011928073; classtype:domain-c2; sid:2036266; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_19;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 3 Directory Set Inbound (CVE-2022-22965)"; flow:to_server,established; http.uri; content:"pipeline.first.directory="; fast_pattern; classtype:attempted-admin; sid:2035676; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
+alert tcp any any -> any 3389 (msg:"ET SCAN RDP Connection Attempt from Nmap"; flow:established,to_server; content:"|00 00 00 00 00|Cookie|3a 20|mstshash|3d|nmap|0d 0a|"; fast_pattern; reference:url,github.com/nmap/nmap/blob/4b46fa7097673f157e7b93e72f0c8b3249c54b4c/nselib/rdp.lua#L211; classtype:network-scan; sid:2036252; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category SCAN, performance_impact Low, signature_severity Minor, updated_at 2022_04_19;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 4 Prefix Set Inbound (CVE-2022-22965)"; flow:to_server,established; http.uri; content:"pipeline.first.prefix="; fast_pattern; classtype:attempted-admin; sid:2035677; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request To Suspicious Filename via Powershell (key)"; flow:established,to_server; http.uri; content:"/key"; startswith; bsize:4; http.user_agent; content:"Mozilla/"; startswith; content:") WindowsPowerShell/"; distance:0; fast_pattern; reference:md5,5ec22f6399ec0c51d120d27ecd26f2be; classtype:bad-unknown; sid:2036267; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2022_04_19;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Inbound (CVE-2022-22965)"; flow:to_server,established; http.request_body; content:"pipeline.first.pattern="; fast_pattern; content:"pipeline.first.suffix="; content:"pipeline.first.directory="; content:"pipeline.first.prefix="; classtype:attempted-admin; sid:2035678; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request To Suspicious Filename via Powershell (payload)"; flow:established,to_server; http.uri; content:"/payload"; startswith; bsize:8; fast_pattern; http.user_agent; content:"Mozilla/"; startswith; content:") WindowsPowerShell/"; distance:0; reference:md5,5ec22f6399ec0c51d120d27ecd26f2be; classtype:bad-unknown; sid:2036268; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2022_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Android Infostealer CnC Check-In"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/socket.io/?"; fast_pattern; startswith; content:"model="; content:"EIO="; content:"id="; content:"transport="; content:"release="; content:"manf="; reference:url,lab52.io/blog/complete-dissection-of-an-apk-with-a-suspicious-c2-server/; reference:md5,4f5617ec4668e3406f9bd82dfcf6df6b; classtype:command-and-control; sid:2035770; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win/Malware.Filetour Variant Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/A.php"; bsize:6; fast_pattern; http.user_agent; content:"wx"; http.request_body; content:"a"; content:"&v="; distance:0; content:"&h="; distance:0; content:"&r="; distance:0; reference:md5,467d78992086ffb4194a866981c33be2; classtype:bad-unknown; sid:2036269; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category ADWARE_PUP, malware_family Win_Malware_Filetour, signature_severity Major, updated_at 2022_04_29;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spytector Domain DNS Lookup (mail .spytector .com)"; dns.query; content:"mail.spytector.com"; fast_pattern; reference:md5,1a72533d45c878cf4f35323e57c00887; classtype:trojan-activity; sid:2035771; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win/Malware.FileTour Variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/bind/?appid="; depth:18; content:"&version="; distance:0; content:"&hwid="; distance:0; content:"&runid="; distance:0; http.host; content:"dayzcheats.ru"; bsize:13; fast_pattern; reference:md5,467d78992086ffb4194a866981c33be2; classtype:bad-unknown; sid:2036270; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2022_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spytector Domain (mail .spytector .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"mail.spytector.com"; fast_pattern; reference:md5,1a72533d45c878cf4f35323e57c00887; classtype:trojan-activity; sid:2035772; rev:1; metadata:created_at 2022_04_06, former_category MALWARE, updated_at 2022_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win/Malware.FileTour Variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/B.php?a="; content:"&v="; distance:0; content:"&h="; distance:0; content:"&r="; distance:0; reference:md5,467d78992086ffb4194a866981c33be2; classtype:bad-unknown; sid:2036271; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Kaspov Related Hex In HTTP Accept Header"; flow:to_server,established; http.method; content:"GET"; http.accept; content:"|d1 69 4a cd 4f a4 77 44 bb 85 c3 6d 8d 4a 84 d6 86 a0 fa 1a af 8b d8 98 05 5e a0|"; startswith; fast_pattern; reference:md5,767370995ad5bdbcdaee2e3123cfe47c; classtype:bad-unknown; sid:2035768; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_06, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2022_04_06;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded WebUI Login Attempt M1"; flow:established,to_server; http.header; content:"Authorization|3a 20|Basic|20|YWRtaW46ezEyMjEzQkQxLTY5QzctNDg2Mi04NDNELTI2MDUwMEQxREE0MH0|3d|"; fast_pattern; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036254; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT28/Sednit SSL Cert"; flow:established,to_client; tls.cert_subject; content:"CN=ngefqevwe"; fast_pattern; reference:md5,f7ee38ca49cd4ae35824ce5738b6e587; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023423; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_06;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Stack Overflow in Base64 Authorization Mechanism M1"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Authorization|3a 20|Basic|20|YWRtaW46"; fast_pattern; content:!"|0d 0a|"; within:500; http.request_body; content:"|3c 3f|xml|20|"; startswith; content:"clientType|3d 22|WEB|22|"; distance:0; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036255; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (akhbar-almasdar .com)"; dns.query; content:"akhbar-almasdar.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035773; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Stack Overflow in Base64 Authorization Mechanism M2"; flow:established,to_server; http.method; content:"POST"; http.cookie; content:"auInfo|3d|YWRtaW46"; fast_pattern; content:!"|3b|"; within:500; http.request_body; content:"|3c 3f|xml|20|"; startswith; content:"clientType|3d 22|WEB|22|"; distance:0; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036256; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (akhbar-islamyah .com)"; dns.query; content:"akhbar-islamyah.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035774; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC WebUI RCE ADD Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/editBlackAndWhiteList"; bsize:22; http.request_body; content:"clientType|3d 22|WEB|22 3e|"; content:"|3c|addressType|3e|ip|3c 2f|addressType|3e 3c|ip|3e|"; distance:0; fast_pattern; pcre:"/^(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036253; rev:2; metadata:created_at 2022_04_19, updated_at 2022_04_19;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (akhbarnew .com)"; dns.query; content:"akhbarnew.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035775; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+alert tcp any any -> $HOME_NET 4567 (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded Credential ConfigSyncProc Login Attempt"; flow:established,to_server; stream_size:server,<,5; dsize:38; content:"{D79E94C5-70F0-46BD-965B-E17497CCB598}"; startswith; flowbits:set,ET.tvt_stage1; reference:url,raw.githubusercontent.com/mcw0/PoC/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:trojan-activity; sid:2036272; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (al-nusr .net)"; dns.query; content:"al-nusr.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035776; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+alert tcp any any -> $HOME_NET 4567 (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded Credential ConfigSyncProc System Details Request"; flow:established,to_server; content:"GET /"; startswith; content:"|0d 0a|{D79E94C5-70F0-46BD-965B-E17497CCB598}|20|1|0d 0a 0d 0a|"; fast_pattern; flowbits:isset,ET.tvt_stage1; reference:url,raw.githubusercontent.com/mcw0/PoC/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:trojan-activity; sid:2036273; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (al-taleanews .net)"; dns.query; content:"al-taleanews.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035777; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded WebUI Login Attempt M2"; flow:established,to_server; http.header; content:"Authorization|3a 20|Basic|20|cm9vdDp7MTIyMTNCRDEtNjlDNy00ODYyLTg0M0QtMjYwNTAwRDFEQTQwfQ|3d 3d|"; fast_pattern; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036274; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_20;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (al-taleanewsonline .net)"; dns.query; content:"al-taleanewsonline.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035778; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+alert tcp any any -> $HOME_NET 4567 (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC ConfigSyncProc RCE Attempt"; flow:established,to_server; content:"GET /saveSystemConfig"; depth:21; content:"|0d 0a|{D79E94C5-70F0-46BD-965B-E17497CCB598}|20|2|0d 0a 0d 0a|DAAAAAEAAAADAAAAIQACAAEABA"; distance:0; fast_pattern; flowbits:isset,ET.tvt_stage1; reference:url,raw.githubusercontent.com/mcw0/PoC/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:trojan-activity; sid:2036275; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (al7erak247 .com)"; dns.query; content:"al7erak247.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035779; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Microsoft Connection Test"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/connecttest.txt"; bsize:16; http.host; content:"www.msftconnecttest.com"; bsize:23; fast_pattern; classtype:bad-unknown; sid:2031071; rev:2; metadata:created_at 2020_10_21, former_category INFO, performance_impact Low, updated_at 2022_04_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO BrowseTor .onion Proxy Service SSL Cert"; flow:established,to_client; tls.cert_subject; content:"CN=*.browsetor.com"; fast_pattern; classtype:bad-unknown; sid:2018396; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_04_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DPRK APT Related Maldoc Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"c__"; content:"ENTERWindows"; distance:0; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,twitter.com/h2jazi/status/1516443236264521740; reference:md5,9f2235f0d07bd903c947b17caa82ded4; classtype:trojan-activity; sid:2036277; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_20;)
 
-#alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Pegasus Domain in DNS Lookup (alrai .com)"; dns.query; content:"alrai.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035780; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (beastmodser .club)"; dns.query; content:"beastmodser.club"; nocase; bsize:16; reference:md5,aa8bd550de4f4dee6ab0bfca82848d44; reference:url,twitter.com/h2jazi/status/1516443236264521740; reference:md5,9f2235f0d07bd903c947b17caa82ded4; classtype:domain-c2; sid:2036278; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_20;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (alrainew .com)"; dns.query; content:"alrainew.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035781; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DPRK APT Related Maldoc Activity (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Macro_Opened_"; startswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,twitter.com/h2jazi/status/1516443236264521740; reference:md5,aa8bd550de4f4dee6ab0bfca82848d44; classtype:trojan-activity; sid:2036279; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Likely Hex Executable String"; flow:to_client,established; file_data; content:"4D5A"; content:"63616E6E6F74"; fast_pattern; distance:178; within:12; content:"72756E"; distance:8; within:6; content:"444F53"; distance:8; within:6; classtype:misc-activity; sid:2035769; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_06, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2022_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win64/CobaltStrike.Beacon.J CnC Checkin"; flow:established,to_server; http.uri; content:"/apiv8/"; startswith; http.header; content:"|0d 0a|X-Client: notevil|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:url,cert.gov.ua/article/39708; classtype:trojan-activity; sid:2036281; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (arabia-islamion .com)"; dns.query; content:"arabia-islamion.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035782; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike X-Client Header (notevil)"; flow:established,to_server; http.header; content:"|0d 0a|X-Client: notevil|0d 0a|"; fast_pattern; reference:url,cert.gov.ua/article/39708; classtype:trojan-activity; sid:2036282; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Form with Action Value Equal to bit .ly"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<form"; content:"action=|22|http://bit.ly"; fast_pattern; distance:0; classtype:credential-theft; sid:2035767; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_06, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.APBB Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//alert/7/"; bsize:10; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,d2e2f0a2e553075d7968e55e15cd49a1; classtype:command-and-control; sid:2036318; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"login-service.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035860; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.RFS Variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".bin?ver="; fast_pattern; content:"&lip="; distance:0; content:"&mac="; isdataat:!13,relative; http.user_agent; content:"Mozilla|2f|4|2e|0|20 28|compatible|3b 20|MSIE|20|6|2e|0|3b 20|Windows|20|NT|20|5|2e|1|3b 20|SV1|3b 20 2e|NET|20|CLR|20|2|2e|0|2e|50727|3b 29|"; bsize:76; reference:md5,014d2e1a31ce397e7a5e3ba8edc45344; classtype:trojan-activity; sid:2036276; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag c2, updated_at 2022_04_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"rss-me.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035861; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/STEALBIT Data Exfiltration Tool Activity (PUT)"; flow:established,to_server; http.uri; pcre:"/^\/[A-F0-9]{33}$/"; http.method; content:"PUT"; http.request_body; content:"DAV2"; depth:10; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/; reference:url,www.cybereason.com/blog/research/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool; classtype:trojan-activity; sid:2036280; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_20;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"talabatt.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035862; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Pastebin Style Domain in DNS Lookup (pastetext .net)"; dns.query; content:"pastetext.net"; nocase; bsize:13; classtype:bad-unknown; sid:2036287; rev:1; metadata:created_at 2022_04_21, former_category INFO, updated_at 2022_04_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"www.hona-alrabe3.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035863; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Pastebin Style Domain (pastetext .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"pastetext.net"; bsize:13; fast_pattern; classtype:bad-unknown; sid:2036288; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, signature_severity Informational, updated_at 2022_04_21;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"cozmo-store.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035864; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Shuckworm CnC Exfil M1"; flow:established,to_server; http.uri; content:"/baby.php"; startswith; content:"/baby"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0)"; startswith; content:"::/.beagle/."; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine; classtype:trojan-activity; sid:2036291; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_21;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"www.al7eraknews.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035865; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Shuckworm CnC Exfil M2"; flow:established,to_server; http.uri; content:"/begun.php"; startswith; bsize:10; http.user_agent; content:"Mozilla/5.0 (Linux"; startswith; content:"::/.balance/."; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine; classtype:trojan-activity; sid:2036292; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_21;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"khilafah-islamic.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035866; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5612 (msg:"ET MALWARE Win32/Pterodo CnC VNC Connect Request"; flow:established,to_server; content:"|49 44 3a|"; depth:3; pcre:"/^\d+?\x00/R"; content:"|3a 5c|"; distance:0; content:"\\Contacts|00|Driver"; fast_pattern; distance:0; content:"Hood.exe"; distance:0; within:10; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine; classtype:command-and-control; sid:2036293; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_21;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"mobiles-security.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035867; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)"; dns.query; content:"pool.hashvault.pro"; nocase; bsize:18; classtype:coin-mining; sid:2036289; rev:1; metadata:created_at 2022_04_21, former_category COINMINER, performance_impact Significant, signature_severity Major, updated_at 2022_04_21;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"unsubscribe-now.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035868; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/CrimsonRAT Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /indexer.php HTTP/1.1"; http.request_body; content:"q="; startswith; content:"|7c|ver="; distance:0; fast_pattern; content:"|7c 7c|"; within:4; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Accept"; reference:url,twitter.com/0xrb/status/1517052777167732736?s=21&t=zTZ6AqU3_DB36dZ3DE1HCg; reference:md5,41702a1959b1b7038237d75330b904b6; classtype:trojan-activity; sid:2036290; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, malware_family CrimsonRAT, signature_severity Major, updated_at 2022_04_21;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"mangoutlet.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035869; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Extention Payload Fetch"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/archive.zip?iver="; startswith; bsize:<20; fast_pattern; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036294; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (frances-thomas .com in DNS Lookup)"; dns_query; content:"frances-thomas.com"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035783; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/un?iver="; startswith; fast_pattern; content:"&did="; distance:0; content:"&ver="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036295; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (frances-thomas .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"frances-thomas.com"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035784; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Browser Hijacker Query Redirection"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"search?ext=properties&is"; startswith; fast_pattern; content:"&q="; distance:0; content:"&ver="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036296; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (scott-chapin .com in DNS Lookup)"; dns_query; content:"scott-chapin.com"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035785; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Browser Hijacker Sync"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"sync?ext=Properties&ver="; startswith; fast_pattern; content:"&dd="; distance:0; content:"&info="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036297; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (scott-chapin .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"scott-chapin.com"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035786; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Browser Hijacker Home Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"hb?ext="; startswith; fast_pattern; content:"&ver="; distance:0; content:"&is="; distance:0; content:"&dd="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036298; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (linda-gaytan .website in DNS Lookup)"; dns_query; content:"linda-gaytan.website"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035787; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M1"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"MHwwf"; startswith; fast_pattern; content:"f"; distance:7; within:1; base64_decode:bytes 250; base64_data; pcre:"/%(?:USERPROFILE|APPDATA)%/i"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:md5,1cde32d54a0f0f2ddad79d7df6a7419f; classtype:command-and-control; sid:2035881; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (linda-gaytan .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"linda-gaytan.website"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035788; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Browser Hijacker (getAd)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"ad?ext=Properties"; startswith; fast_pattern; content:"&ver="; distance:0; content:"&dd="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036299; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (david-gardiner .website in DNS Lookup)"; dns_query; content:"david-gardiner.website"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035789; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M2"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"MHwxf"; startswith; fast_pattern; content:"f"; distance:7; within:1; base64_decode:bytes 250; base64_data; pcre:"/%(?:USERPROFILE|APPDATA)%/i"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:md5,1cde32d54a0f0f2ddad79d7df6a7419f; classtype:command-and-control; sid:2035882; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (david-gardiner .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"david-gardiner.website"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035790; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M3"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"MXwwf"; startswith; fast_pattern; content:"f"; distance:7; within:1; base64_decode:bytes 250; base64_data; pcre:"/%(?:USERPROFILE|APPDATA)%/i"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:md5,1cde32d54a0f0f2ddad79d7df6a7419f; classtype:command-and-control; sid:2035883; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (amanda-hart .website in DNS Lookup)"; dns_query; content:"amanda-hart.website"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035791; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"MXwxf"; startswith; fast_pattern; content:"f"; distance:7; within:1; base64_decode:bytes 250; base64_data; pcre:"/%(?:USERPROFILE|APPDATA)%/i"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:md5,1cde32d54a0f0f2ddad79d7df6a7419f; classtype:command-and-control; sid:2035884; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (amanda-hart .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"amanda-hart.website"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035792; rev:2; metadata:created_at 2022_04_07, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Agent.OGR!tr.pws Stealer"; flow:established,to_server; http.request_line; content:"POST / HTTP/1.1"; bsize:15; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|profile|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|profile_id|22|"; fast_pattern; distance:0; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|hwid|22|"; distance:0; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22|"; distance:0; reference:url,twitter.com/James_inthe_box/status/1517238542434414592; reference:md5,21e2215738a8e9c9d1ed1e1f66cff10e; classtype:trojan-activity; sid:2036316; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (javan-demsky .website in DNS Lookup)"; dns_query; content:"javan-demsky.website"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035793; rev:2; metadata:created_at 2022_04_07, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Interesting Content-Type Inbound (application/x-sh)"; flow:established,from_server; http.header; content:"Content-Type|3a 20|application/x-sh"; fast_pattern; pcre:"/^(?:\x3b|\r\n)/R"; reference:url,developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types; classtype:policy-violation; sid:2031747; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_03_02, deployment Perimeter, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_04_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (javan-demsky .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"javan-demsky.website"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035794; rev:2; metadata:created_at 2022_04_07, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Domain in DNS Lookup (filetransfer .io)"; dns.query; content:"filetransfer.io"; nocase; bsize:15; classtype:bad-unknown; sid:2036310; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ET INFO URL Shortening Service Domain in DNS Lookup (s59 .site)"; dns.query; content:"s59.site"; fast_pattern; classtype:bad-unknown; sid:2035870; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Domain (filetransfer .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"filetransfer.io"; bsize:15; fast_pattern; classtype:bad-unknown; sid:2036311; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ET INFO Observed URL Shortening Service Domain (s59 .site) in TLS SNI"; flow:established,to_server; tls.sni; content:"s59.site"; fast_pattern; classtype:misc-activity; sid:2035871; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackCat Ransomware Related Domain in TLS SNI (updatedaemon .com)"; flow:established,to_server; tls.sni; content:"updatedaemon.com"; startswith; fast_pattern; reference:md5,e76fd61eea3bf2073d29c6aa963bc34b; reference:url,www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html; classtype:domain-c2; sid:2036312; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (enerflex .org)"; dns.query; dotprefix; content:".enerflex.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035804; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackCat Ransomware Related Domain in DNS Lookup (updatedaemon .com)"; dns.query; content:"updatedaemon.com"; fast_pattern; endswith; nocase; reference:md5,e76fd61eea3bf2073d29c6aa963bc34b; reference:url,www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html; classtype:domain-c2; sid:2036313; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (supportskype .com)"; dns.query; dotprefix; content:".supportskype.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035805; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed BlackCat Ransomware Related SSL Cert (updatedaemon .com)"; flow:established,to_client; tls.cert_subject; content:"CN=updatedaemon.com"; bsize:19; fast_pattern; reference:md5,e76fd61eea3bf2073d29c6aa963bc34b; reference:url,www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html; classtype:domain-c2; sid:2036314; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (alharbitelecom .co)"; dns.query; dotprefix; content:".alharbitelecom.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035806; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed External IP Lookup Domain (icanhazip .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"icanhazip.com"; bsize:13; fast_pattern; classtype:external-ip-check; sid:2036304; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (cortanaupdate .co)"; dns.query; dotprefix; content:".cortanaupdate.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035807; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kratos Silent Miner Checkin via Discord"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord"; depth:7; content:".com"; endswith; http.request_body; content:"|22|name|22 3a 22|Kratos|20|Silent|20|"; fast_pattern; content:"|22|name|22 3a 22|PC|20|Name|3a 22 2c 22|value|22 3a 22|"; reference:md5,7ca63bab6e05704d2c7b48461e563f4c; classtype:command-and-control; sid:2036305; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (cortanaservice .com)"; dns.query; dotprefix; content:".cortanaservice.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035808; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Blacktech Plead CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx?m="; fast_pattern; pcre:"/^[0-9]{10}$/R"; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE|20|8.0|3b 20|Win32)"; bsize:41; http.header_names; content:!"Referer|0d 0a|"; reference:url,twitter.com/GlobalNTT_JP/status/1517061187107946496; classtype:trojan-activity; sid:2036315; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family BlackTech, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (cloudgoogle .co)"; dns.query; dotprefix; content:".cloudgoogle.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035809; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zingo/GinzoStealer Data Command List Fetch"; flow:established,to_server; http.request_line; content:"GET /ginzolist.txt HTTP/1.1"; bsize:27; fast_pattern; isdataat:!1,relative; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:url,twitter.com/struppigel/status/1506933328599044100; reference:md5,5009e04920d5fb95f8a02265f89d25a5; classtype:trojan-activity; sid:2036317; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family ZingoStealer, malware_family Ginzo, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (onedrivelive .me)"; dns.query; dotprefix; content:".onedrivelive.me"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035810; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banca Monte dei Paschi di Siena Credential Phish 2022-04-22"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"userType=&cod="; fast_pattern; content:"&pin="; distance:0; content:"&tel="; distance:0; classtype:credential-theft; sid:2036319; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (edge-cloudservices .com)"; dns.query; dotprefix; content:".edge-cloudservices.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035811; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 000Stealer Data Exfiltration M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/call?key="; bsize:42; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; bsize:69; http.request_body; content:"PK|03 04|"; byte_test:1,<=,20,0,relative; content:"ProcessList.txt"; fast_pattern; distance:0; content:"Screenshot.png"; distance:0; reference:md5,3f9c1455992239f4efe31f0e56773433; classtype:trojan-activity; sid:2036321; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family 000Stealer, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (online-audible .com)"; dns.query; dotprefix; content:".online-audible.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035812; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 000Stealer CnC Checkin"; flow:established,to_server; http.request_line; content:"POST|20|/ping|20|"; startswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.content_len; byte_test:0,=,36,0,string,dec; http.request_body; content:"key="; startswith; pcre:"/^key=[A-F0-9]{32}$/"; reference:md5,3f9c1455992239f4efe31f0e56773433; reference:url,twitter.com/3xp0rtblog/status/1509978637189419008; classtype:trojan-activity; sid:2036306; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family 000Stealer, performance_impact Low, signature_severity Major, updated_at 2022_04_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (updatedefender .net)"; dns.query; dotprefix; content:".updatedefender.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Banca Monte dei Paschi di Siena Credential Phish Landing Page 2022-04-22"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Banca MPS"; content:"|3c|form|20|method|3d 22|POST|22 20|id|3d 22|includeCodUser|22 20|class|3d 22|margin|5f|login|5f|header|20|includeCodUser|20|dB|5f|box|5f|container|22 3e|"; nocase; distance:0; fast_pattern; content:"name=|22|userType|22|"; distance:0; content:"name=|22|cod|22|"; distance:0; content:"name=|22|pin|22|"; distance:0; content:"name=|22|tel|22|"; distance:0; content:"id=|22|loginOtp1|22|"; distance:0; classtype:credential-theft; sid:2036320; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (sparrowsgroup .org)"; dns.query; dotprefix; content:".sparrowsgroup.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035814; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (forummanazera .sk)"; dns.query; dotprefix; content:".forummanazera.sk"; nocase; endswith; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell; classtype:trojan-activity; sid:2036322; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (helpdesk-product .com)"; dns.query; dotprefix; content:".helpdesk-product.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035815; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (reality .skarabeus .sk)"; dns.query; dotprefix; content:".reality.skarabeus.sk"; nocase; endswith; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell; classtype:trojan-activity; sid:2036323; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (defenderupdate .ddns .net)"; dns.query; dotprefix; content:".defenderupdate.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035816; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (msrousinov .cz)"; dns.query; content:"msrousinov.cz"; nocase; bsize:13; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036324; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (enerflex .ddns .net)"; dns.query; dotprefix; content:".enerflex.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035817; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (googleprovider .ru)"; dns.query; content:"googleprovider.ru"; nocase; bsize:17; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036325; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (linkedinz .me)"; dns.query; dotprefix; content:".linkedinz.me"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035818; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (profiit .fiit .stuba .sk)"; dns.query; content:"profiit.fiit.stuba.sk"; nocase; bsize:21; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036326; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (khaleejtimes .co)"; dns.query; dotprefix; content:".khaleejtimes.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035819; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (freetips .php5 .sk)"; dns.query; content:"freetips.php5.sk"; nocase; bsize:16; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036327; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (microsoftdefender .info)"; dns.query; dotprefix; content:".microsoftdefender.info"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035820; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (sivpici .php5 .sk)"; dns.query; content:"sivpici.php5.sk"; nocase; bsize:15; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036328; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (outlookde .live)"; dns.query; dotprefix; content:".outlookde.live"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035821; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (hotel-boss .eu)"; dns.query; content:"hotel-boss.eu"; nocase; bsize:13; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036329; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (lukoil .in)"; dns.query; dotprefix; content:".lukoil.in"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035822; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (limousine-service .cz)"; dns.query; content:"limousine-service.cz"; nocase; bsize:20; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036330; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (careers-finder .com)"; dns.query; dotprefix; content:".careers-finder.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035823; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (ms .rousinov .cz)"; dns.query; content:"ms.rousinov.cz"; nocase; bsize:14; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036331; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (online-chess .live)"; dns.query; dotprefix; content:".online-chess.live"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035824; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (vavave .xf .cz)"; dns.query; content:"vavave.xf.cz"; nocase; bsize:12; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036332; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (exprogroup .org)"; dns.query; dotprefix; content:".exprogroup.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035825; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 000Stealer Data Exfiltration M1"; flow:established,to_server; http.request_line; content:"POST|20|/call?key="; fast_pattern; pcre:"/^[a-f0-9]{32}\x20/R"; http.header; content:"Content|2d|Type|3a 20|multipart|2f|form|2d|data|3b 20|boundary|3d|"; pcre:"/^[a-f0-9]{60}\x0d\x0a/R"; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22 5b|"; distance:0; content:"|5d 20|"; distance:2; within:2; content:"|20 5b|"; distance:32; within:2; content:"|5d 22 0d 0a|Content|2d|Type|3a 20|application|2f|octet|2d|stream|0d 0a 0d 0a|PK|03 04|"; distance:19; within:50; reference:md5,3f9c1455992239f4efe31f0e56773433; reference:url,twitter.com/3xp0rtblog/status/1509978637189419008; classtype:trojan-activity; sid:2036307; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family 000Stealer, performance_impact Low, signature_severity Major, tag c2, updated_at 2022_04_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (saipem .org)"; dns.query; dotprefix; content:".saipem.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035826; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackTech FlagPro Dropper Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".htmld?flag"; fast_pattern; pcre:"/^(?:pro)?=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,1b39dcc5de43d2840d6992a561e34eec; reference:url,twitter.com/GlobalNTT_JP/status/1517061187107946496; classtype:trojan-activity; sid:2036309; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family BlackTech, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (mastergatevpn .com)"; dns.query; dotprefix; content:".mastergatevpn.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035827; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check"; flow:established,to_server; http.request_line; content:"GET / "; startswith; http.host; dotprefix; content:".google.com"; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,7ca63bab6e05704d2c7b48461e563f4c; classtype:trojan-activity; sid:2036303; rev:2; metadata:created_at 2022_04_22, former_category HUNTING, performance_impact Moderate, updated_at 2022_04_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (sauditourismguide .com)"; dns.query; dotprefix; content:".sauditourismguide.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035828; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Archie EK Payload Checkin GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/log?log="; depth:9; http.host; content:!"gigwise.com"; endswith; content:!"cleanerapp.net"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,41c0cdde6be5166606008b2d02f3a128; classtype:exploit-kit; sid:2019680; rev:7; metadata:created_at 2014_11_08, former_category MALWARE, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (listen-books .com)"; dns.query; dotprefix; content:".listen-books.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035829; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Remote Management Software Domain (syncromsp .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".syncromsp.com"; endswith; fast_pattern; classtype:bad-unknown; sid:2036347; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, signature_severity Informational, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (updateservices .co)"; dns.query; dotprefix; content:".updateservices.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035830; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed Remote Management Software Domain in DNS Lookup (syncromsp .com)"; dns.query; dotprefix; content:".syncromsp.com"; nocase; endswith; classtype:bad-unknown; sid:2036348; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (microsoftcdn .co)"; dns.query; dotprefix; content:".microsoftcdn.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035831; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Terse Request For Bitbucket Snippet"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/|21|api/2.0/snippets/"; startswith; http.host; content:"bitbucket.org"; bsize:13; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; classtype:bad-unknown; sid:2036349; rev:1; metadata:created_at 2022_04_25, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (office-shop .me)"; dns.query; dotprefix; content:".office-shop.me"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035832; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Suspicious Reversed String Inbound (Powershell)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"llehSrewoP"; nocase; classtype:bad-unknown; sid:2036350; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (sharepointnotify .com)"; dns.query; dotprefix; content:".sharepointnotify.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035833; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Suspicious Reversed String Inbound (Winmgmts)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3a|stmgmniw"; nocase; classtype:bad-unknown; sid:2036351; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (globaltalent .in)"; dns.query; dotprefix; content:".globaltalent.in"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035834; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Innostealer Domain in DNS Lookup (windows11-upgrade .com)"; dns.query; content:"windows11-upgrade"; startswith; pcre:"/[0-9]{1,2}/R"; content:".com"; endswith; reference:url,twitter.com/JAMESWT_MHT/status/1517822757567971329; reference:url,www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/; classtype:trojan-activity; sid:2036363; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, malware_family Innostealer, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (savemoneytrick .com)"; dns.query; dotprefix; content:".savemoneytrick.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035835; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed File Sharing Domain (drive .protonmail .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"drive.protonmail.com"; bsize:20; fast_pattern; classtype:bad-unknown; sid:2036352; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, signature_severity Informational, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Vidar Stealer CnC Domain in DNS Lookup"; dns.query; content:"computerprotect.me"; fast_pattern; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/; classtype:trojan-activity; sid:2035872; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO File Sharing Domain in DNS Lookup (drive .protonmail .com)"; dns.query; content:"drive.protonmail.com"; nocase; bsize:20; classtype:bad-unknown; sid:2036353; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (microsoftedgesh .info)"; dns.query; dotprefix; content:".microsoftedgesh.info"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035836; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Innostealer Domain in DNS Lookup (windows-11info .com)"; dns.query; content:"windows-11info"; startswith; fast_pattern; pcre:"/\d{1,2}/R"; content:".com"; endswith; reference:url,twitter.com/JAMESWT_MHT/status/1517822757567971329; reference:url,www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/; classtype:trojan-activity; sid:2036364; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, malware_family Innostealer, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (outlookdelivery .com)"; dns.query; dotprefix; content:".outlookdelivery.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035837; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Innostealer Domain in DNS Lookup (windows11-infoserver .com)"; dns.query; content:"windows11-infoserver"; fast_pattern; startswith; pcre:"/[0-9]{1,2}/R"; content:".com"; endswith; reference:url,twitter.com/JAMESWT_MHT/status/1517822757567971329; reference:url,www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/; classtype:trojan-activity; sid:2036365; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, malware_family Innostealer, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (remgrogroup .com)"; dns.query; dotprefix; content:".remgrogroup.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035838; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Innostealer Domain (windows11-upgrade .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"windows11-upgrade"; startswith; fast_pattern; pcre:"/[0-9]{1,2}/R"; content:".com"; endswith; reference:url,twitter.com/JAMESWT_MHT/status/1517822757567971329; reference:url,www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/; classtype:trojan-activity; sid:2036366; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, malware_family Innostealer, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (onedriveupdate .net)"; dns.query; dotprefix; content:".onedriveupdate.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035839; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Innostealer Domain (windows-11info .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"windows-11info"; startswith; fast_pattern; pcre:"/[0-9]{1,2}/R"; content:".com"; endswith; reference:url,twitter.com/JAMESWT_MHT/status/1517822757567971329; reference:url,www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/; classtype:trojan-activity; sid:2036367; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, malware_family Innostealer, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Vidar Stealer Domain (computerprotect .me) in TLS SNI"; flow:established,to_server; tls.sni; content:"computerprotect.me"; fast_pattern; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/; classtype:trojan-activity; sid:2035873; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Innostealer Domain (windows11-infoserver .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"windows11-infoserver"; startswith; fast_pattern; pcre:"/[0-9]{1,2}/R"; content:".com"; endswith; reference:url,twitter.com/JAMESWT_MHT/status/1517822757567971329; reference:url,www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/; classtype:trojan-activity; sid:2036368; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, malware_family Innostealer, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (getadobe .ddns .net)"; dns.query; dotprefix; content:".getadobe.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035840; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING IRS Credential Phish Domain in DNS Lookup (supportmicrohere .com)"; dns.query; dotprefix; content:".supportmicrohere.com"; nocase; endswith; reference:url,resecurity.com/blog/article/cybercriminals-deliver-irs-tax-scams-phishing-campaigns-by-mimicking-government-vendors; classtype:misc-activity; sid:2036358; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (googleservices .co)"; dns.query; dotprefix; content:".googleservices.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035841; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING IRS Credential Phish Domain in DNS Lookup (jbdelmarket .com)"; dns.query; dotprefix; content:".jbdelmarket.com"; nocase; endswith; reference:url,resecurity.com/blog/article/cybercriminals-deliver-irs-tax-scams-phishing-campaigns-by-mimicking-government-vendors; classtype:misc-activity; sid:2036359; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (librarycollection .org)"; dns.query; dotprefix; content:".librarycollection.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035842; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.VAZ Bot CnC Checkin (StatusTime)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"botid="; startswith; fast_pattern; content:"&statustime="; distance:0; reference:url,twitter.com/3xp0rtblog/status/1517792795481755648; reference:md5,61e3920e4a8e3f84d3e53d12bb454036; classtype:trojan-activity; sid:2036354; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (freechess .live)"; dns.query; dotprefix; content:".freechess.live"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035843; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert for IRS Credential Phish Domain (supportmicrohere .com)"; flow:established,to_client; tls.cert_subject; content:"supportmicrohere.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?supportmicrohere\.com(?!\.)/"; reference:url,resecurity.com/blog/article/cybercriminals-deliver-irs-tax-scams-phishing-campaigns-by-mimicking-government-vendors; classtype:domain-c2; sid:2036360; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (elecresearch .org)"; dns.query; dotprefix; content:".elecresearch.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035844; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert IRS Credential Phish Domain (jbdelmarket .com)"; flow:established,to_client; tls.cert_subject; content:"jbdelmarket.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?jbdelmarket\.com(?!\.)/"; reference:url,resecurity.com/blog/article/cybercriminals-deliver-irs-tax-scams-phishing-campaigns-by-mimicking-government-vendors; classtype:domain-c2; sid:2036361; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (applytalents .com)"; dns.query; dotprefix; content:".applytalents.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035845; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.VAZ Bot CnC Checkin (Comands)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"botid="; startswith; fast_pattern; content:"&comands="; distance:0; reference:url,twitter.com/3xp0rtblog/status/1517792795481755648; reference:md5,61e3920e4a8e3f84d3e53d12bb454036; classtype:trojan-activity; sid:2036355; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (updateddns .ddns .net)"; dns.query; dotprefix; content:".updateddns.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035846; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.VAZ Bot CnC Checkin (Checkupdate)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"botid="; startswith; fast_pattern; content:"&chekupdate="; distance:0; reference:url,twitter.com/3xp0rtblog/status/1517792795481755648; reference:md5,61e3920e4a8e3f84d3e53d12bb454036; classtype:trojan-activity; sid:2036356; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (mideasthiring .com)"; dns.query; dotprefix; content:".mideasthiring.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035847; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.VAZ Bot CnC Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"botid="; startswith; fast_pattern; content:"&botip="; distance:0; content:"&botcountry="; distance:0; content:"&botcc="; distance:0; content:"&status"; distance:0; content:"&statustime="; distance:0; content:"&version="; distance:0; reference:url,twitter.com/3xp0rtblog/status/1517792795481755648; reference:md5,61e3920e4a8e3f84d3e53d12bb454036; classtype:trojan-activity; sid:2036357; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (appslocallogin .online)"; dns.query; dotprefix; content:".appslocallogin.online"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035848; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GOLDBACKDOOR Domain in DNS Lookup (main .dailynk .us)"; dns.query; content:"main.dailynk.us"; nocase; bsize:15; reference:url,stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf; classtype:targeted-activity; sid:2036369; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, malware_family GOLDBACKDOOR, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (apply-jobs .com)"; dns.query; dotprefix; content:".apply-jobs.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035849; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GOLDBACKDOOR Domain in DNS Lookup (lit-peak-25706 .herokuapp .com)"; dns.query; content:"lit-peak-25706.herokuapp.com"; nocase; bsize:28; reference:url,stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf; classtype:targeted-activity; sid:2036370; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, malware_family GOLDBACKDOOR, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (funnychess .online)"; dns.query; dotprefix; content:".funnychess.online"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035850; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GOLDBACKDOOR Domain (main .dailynk .us) in TLS SNI"; flow:established,to_server; tls.sni; content:"main.dailynk.us"; bsize:15; fast_pattern; reference:url,stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf; classtype:targeted-activity; sid:2036371; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, malware_family GOLDBACKDOOR, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (talent-recruitment .org)"; dns.query; dotprefix; content:".talent-recruitment.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035851; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GOLDBACKDOOR Domain (lit-peak-25706 .herokuapp .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"lit-peak-25706.herokuapp.com"; bsize:28; fast_pattern; reference:url,stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf; classtype:targeted-activity; sid:2036372; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, malware_family GOLDBACKDOOR, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (googleupdate .co)"; dns.query; dotprefix; content:".googleupdate.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035852; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful IRS Credential Phish 2022-04-25"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/geoAPIChecker/geochecker.php"; bsize:29; fast_pattern; http.content_type; content:"WebKitFormBoundary"; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|ai|22|"; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|pr|22|"; distance:0; reference:url,resecurity.com/blog/article/cybercriminals-deliver-irs-tax-scams-phishing-campaigns-by-mimicking-government-vendors; classtype:credential-theft; sid:2036362; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (updatedns .ddns .net)"; dns.query; dotprefix; content:".updatedns.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035853; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Innostealer Domain in DNS Lookup (seventyfor .site)"; dns.query; content:"seventyfor.site"; nocase; bsize:15; reference:url,www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/; reference:url,twitter.com/JAMESWT_MHT/status/1517822757567971329; classtype:trojan-activity; sid:2036373; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, malware_family Innostealer, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (thefreemovies .net)"; dns.query; dotprefix; content:".thefreemovies.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035854; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Innostealer Domain in DNS Lookup windows-server031 .com)"; dns.query; content:"windows-server"; fast_pattern; startswith; pcre:"/[0-9]{1,3}/R"; content:".com"; endswith; reference:url,twitter.com/JAMESWT_MHT/status/1517822757567971329; reference:url,www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/; classtype:trojan-activity; sid:2036374; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, malware_family Innostealer, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (talktalky .azurewebsites .net)"; dns.query; dotprefix; content:".talktalky.azurewebsites.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035855; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Tech Support/Refund Scam Landing Inbound 2022/04/25"; flow:established,from_server; content:"|20|-|20|Router|20|Login|20|-|20|"; fast_pattern; content:"and|20|IP|20|address.|20|Both|20|are|20|the|20|best|20|ways|20|to|20|login"; classtype:social-engineering; sid:2036337; rev:1; metadata:created_at 2022_04_25, former_category PHISHING, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (etisalatonline .com)"; dns.query; dotprefix; content:".etisalatonline.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035856; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing)"; flow:from_server,established; content:"routeronspot.online"; fast_pattern; classtype:social-engineering; sid:2036338; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag SocEng, updated_at 2022_04_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (getadobe .net)"; dns.query; dotprefix; content:".getadobe.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035857; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing)"; flow:from_server,established; content:"howtosetuprouter.com"; fast_pattern; classtype:social-engineering; sid:2036339; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag SocEng, updated_at 2022_04_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Ordns DNS over HTTPS Domain (Ordns .he .net in TLS SNI)"; flow:established,to_server; threshold: type both, track by_src, count 1, seconds 600; tls.sni; content:"ordns.he.net"; endswith; reference:url,www.blackhillsinfosec.com/dns-over-https-for-cobalt-strike; classtype:misc-activity; sid:2035858; rev:2; metadata:created_at 2022_04_07, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2022_04_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing)"; flow:from_server,established; content:"netgearnewextndersetup."; fast_pattern; classtype:social-engineering; sid:2036340; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag SocEng, updated_at 2022_04_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Ordns DNS Over HTTPS Certificate Inbound"; flow:established,to_client; threshold: type limit, track by_src, count 1, seconds 300; tls.cert_subject; content:"CN=ordns.he.net"; endswith; fast_pattern; reference:url,developers.cloudflare.com/1.1.1.1/dns-over-https/request-structure/; classtype:misc-activity; sid:2035859; rev:2; metadata:created_at 2022_04_07, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2022_04_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing)"; flow:from_server,established; content:"mywifiextnetsetup.net"; fast_pattern; classtype:social-engineering; sid:2036341; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag SocEng, updated_at 2022_04_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Winnti Domain"; dns.query; dotprefix; content:".host.skybad.top"; nocase; endswith; reference:md5,c99397d66e49e2def1b17f57cd0c5fb9; classtype:trojan-activity; sid:2035877; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, signature_severity Major, updated_at 2022_04_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing)"; flow:from_server,established; content:"simplisafeloginn.com"; fast_pattern; classtype:social-engineering; sid:2036342; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag SocEng, updated_at 2022_04_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Winnti Domain"; dns.query; dotprefix; content:".s2.yk.hyi8mc.top"; nocase; endswith; reference:md5,c99397d66e49e2def1b17f57cd0c5fb9; classtype:trojan-activity; sid:2035878; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, signature_severity Major, updated_at 2022_04_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing)"; flow:from_server,established; content:"newextenderlogins.com"; fast_pattern; classtype:social-engineering; sid:2036343; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag SocEng, updated_at 2022_04_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Farfli.CUY CnC Server Response"; flow:established,to_client; content:"|68 78 20 10 00 00 00 01 00 00 00 01 00 00 00 11|"; dsize:16; startswith; fast_pattern; stream_size:server,=,17; reference:md5,c99397d66e49e2def1b17f57cd0c5fb9; classtype:command-and-control; sid:2035879; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_04_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing)"; flow:from_server,established; content:"dllinkaplo.com"; fast_pattern; classtype:social-engineering; sid:2036344; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag SocEng, updated_at 2022_04_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Farfli.CUY KeepAlive M2"; flow:established,to_server; content:"|68 78 20 cf 01 00 00 c0 01 00 00 01 00 00 00 cb|"; startswith; fast_pattern; stream_size:client,>,200; reference:md5,87100cb600d876bd022a4d93ce6305a0; classtype:command-and-control; sid:2035880; rev:2; metadata:created_at 2022_04_08, updated_at 2022_04_08;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Innostealer Domain (windows-server031 .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"windows-server"; fast_pattern; startswith; pcre:"/[0-9]{1,3}/R"; content:".com"; endswith; reference:url,twitter.com/JAMESWT_MHT/status/1517822757567971329; reference:url,www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/; classtype:trojan-activity; sid:2036375; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)"; flow:established,to_server; http.uri; content:"/catalog-portal/"; http.request_body; content:"%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22"; nocase; fast_pattern; content:"%6e%65%77%28%29"; nocase; within:200; reference:url,www.vmware.com/security/advisories/VMSA-2022-0011.html; reference:cve,2022-22954; classtype:attempted-admin; sid:2035876; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2022_04_08, cve CVE_2022_22954, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing)"; flow:from_server,established; content:"routrelogn.net"; fast_pattern; classtype:social-engineering; sid:2036345; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag SocEng, updated_at 2022_04_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)"; flow:established,to_server; http.uri; content:"/catalog-portal/"; http.request_body; content:"|24 7b 22|freemarker|2e|template|2e|utility|2e|Execute|22|"; nocase; fast_pattern; content:"new|28 29 28|"; nocase; within:200; reference:url,www.vmware.com/security/advisories/VMSA-2022-0011.html; reference:cve,2022-22954; classtype:attempted-admin; sid:2035875; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2022_04_08, cve CVE_2022_22954, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing)"; flow:from_server,established; content:"d-linksroutlocaal.co"; fast_pattern; classtype:social-engineering; sid:2036346; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag SocEng, updated_at 2022_04_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)"; flow:established,to_server; http.uri; content:"/catalog-portal/"; content:"|24 7b 22|freemarker|2e|template|2e|utility|2e|Execute|22|"; distance:0; nocase; fast_pattern; content:"new|28 29 28|"; nocase; within:200; reference:url,www.vmware.com/security/advisories/VMSA-2022-0011.html; reference:cve,2022-22954; classtype:attempted-admin; sid:2035874; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2022_04_08, cve CVE_2022_22954, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_08;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Innostealer Domain (seventyfor .site) in TLS SNI"; flow:established,to_server; tls.sni; content:"seventyfor.site"; bsize:15; fast_pattern; reference:url,twitter.com/JAMESWT_MHT/status/1517822757567971329; reference:url,www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/; classtype:trojan-activity; sid:2036376; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, malware_family Innostealer, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Havex RAT CnC Server Response HTML Tag"; flow:established,from_server; http.header; content:!"Keep-Alive|3a 20|"; nocase; content:!"Conncection|3a 20|Keep-Alive"; nocase; file_data; content:"|3c|mega http|2d|equiv|3d|"; fast_pattern; content:"|3c 2f|head|3e 3c|body|3e|"; within:200; reference:md5,6557d6518c3f6bcb8b1b2de77165c962; classtype:command-and-control; sid:2018244; rev:5; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2022_04_18;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT WSO2 Server RCE (CVE-2022-29464)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/fileupload/toolsAny"; startswith; bsize:20; http.request_body; content:"name=|22 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f|repository/deployment/server/"; fast_pattern; content:".jsp|22 0d 0a|"; distance:0; reference:url,github.com/hakivvi/CVE-2022-29464; reference:cve,CVE-2022-29464; reference:cve,2022-29464; classtype:trojan-activity; sid:2036378; rev:2; metadata:affected_product HTTP_Server, attack_target Web_Server, created_at 2022_04_26, cve CVE_2022_29464, deployment Internet, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_26;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Self-Signed Cert Observed in Various Zbot Strains"; flow:established,to_client; tls.cert_subject; content:"O=XX"; fast_pattern; tls.cert_issuer; content:"O=XX"; reference:md5,00e7afce84c84cd70fe329d8bb8c0731; classtype:trojan-activity; sid:2018284; rev:4; metadata:created_at 2014_03_17, updated_at 2022_04_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Bot CnC Checkin (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?register=V2luZG93"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d4fdd80e3f4b1ef0e6c3904d91e5d319; classtype:bad-unknown; sid:2036381; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_26, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Major, updated_at 2022_04_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Denonia DNS Request Over HTTPS (denonia .xyz) M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/resolve?name=gw.denonia.xyz&type=A"; bsize:35; endswith; fast_pattern; http.host; content:"dns.google.com"; http.user_agent; content:"GoKit XHTTP Client"; startswith; http.accept; content:"application/dns-json"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:"|0d 0a|X-Http-Gokit-Requestid|0d 0a|"; reference:url,cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda; classtype:trojan-activity; sid:2035891; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2022_04_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Bot CnC Beacon (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?beacon=V2luZG93"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d4fdd80e3f4b1ef0e6c3904d91e5d319; classtype:bad-unknown; sid:2036382; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_26, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Major, updated_at 2022_04_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Denonia DNS Request Over HTTPS (denonia .xyz) M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dns-query?name=gw.denonia.xyz&type=A"; bsize:37; endswith; fast_pattern; http.host; content:"cloudflare-dns.com"; http.user_agent; content:"GoKit XHTTP Client"; startswith; http.accept; content:"application/dns-json"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:"|0d 0a|X-Http-Gokit-Requestid|0d 0a|"; reference:url,cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda; classtype:trojan-activity; sid:2035886; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2022_04_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Account Credential Phish 2022-04-26"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/name.php"; bsize:9; http.referer; content:"invoice.html"; endswith; fast_pattern; http.header.raw; content:"X|2d|Requested|2d|With|3a 20|XMLHttpRequest"; http.request_body; content:"userName="; depth:9; content:"&password="; distance:0; classtype:credential-theft; sid:2036379; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_26, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_29;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible OpenSSL Infinite Loop Inducing Cert Inbound via TCP (CVE-2022-0778)"; flow:established,to_server; content:"|30 82|"; content:"|30 0a 06 08 2a 86 48 ce 3d 04 03|"; distance:0; content:"|2a 86 48 ce 3d 01 01 02 02 02 b9|"; distance:0; fast_pattern; content:"|20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 17|"; within:36; content:"|20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:36; content:"|04 03|"; distance:23; within:2; content:"|00 08|"; distance:1; within:2; reference:url,www.rtcsec.com/article/exploiting-cve-2022-0778-in-openssl-vs-webrtc-platforms/; reference:url,github.com/drago-96/CVE-2022-0778/; reference:cve,2022-0778; classtype:denial-of-service; sid:2035887; rev:2; metadata:affected_product OpenSSL, attack_target Server, created_at 2022_04_11, cve CVE_2022_0778, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [ConnectWise CRU] Java ECDSA (Psychic) TLS Signature (CVE-2022-21449)"; flow:established, to_client; content:"|16 03 03|"; content:"|0c|"; distance:2; within:1; content:"|04 03 00 08 30 06 02 01 00 02 01 00|"; distance:0; tag:session,5,packets; reference:url,github.com/thack1/CVE-2022-21449; reference:cve,2022-21449; classtype:targeted-activity; sid:2036377; rev:1; metadata:created_at 2022_04_26, cve CVE_2022_21449, updated_at 2022_04_26;)
 
-alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible OpenSSL Infinite Loop Inducing Cert Inbound via UDP (CVE-2022-0778)"; content:"|30 82|"; content:"|30 0a 06 08 2a 86 48 ce 3d 04 03|"; distance:0; content:"|2a 86 48 ce 3d 01 01 02 02 02 b9|"; distance:0; fast_pattern; content:"|20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 17|"; within:36; content:"|20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:36; content:"|04 03|"; distance:23; within:2; content:"|00 08|"; distance:1; within:2; reference:url,www.rtcsec.com/article/exploiting-cve-2022-0778-in-openssl-vs-webrtc-platforms/; reference:url,github.com/drago-96/CVE-2022-0778/; reference:cve,2022-0778; classtype:denial-of-service; sid:2035888; rev:2; metadata:affected_product OpenSSL, attack_target Server, created_at 2022_04_11, cve CVE_2022_0778, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Credential Phish Landing Page 2022-04-26"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:100; content:")http://localhost:"; distance:0; fast_pattern; content:"microsoft_logo.svg"; distance:0; nocase; content:"Your account or password is incorrect. Please try again using your password."; distance:0; content:"type=|22|password|22|"; distance:0; content:"/index_files/home.js"; distance:0; classtype:credential-theft; sid:2036380; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_26, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed Commonly Abused Domain in DNS Lookup (blogattach .naver .com)"; dns.query; content:"blogattach.naver.com"; nocase; bsize:20; classtype:bad-unknown; sid:2035889; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_11, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious SSL Certificate detected (Observed in US Government Bid Credential Phish)"; flow:established,to_client; tls.cert_subject; content:".gov.procurement."; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?\.gov\.procurement\.(?!\.)/"; classtype:bad-unknown; sid:2036393; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_04_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Commonly Abused Domain (blogattach .naver .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"blogattach.naver.com"; bsize:20; fast_pattern; classtype:bad-unknown; sid:2035890; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_11, deployment Perimeter, signature_severity Major, updated_at 2022_04_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Commonly Abused SSL/TLS Certificate Observed (mylnavyfederal .com)"; flow:established,to_client; tls.cert_subject; content:"CN=*.mylnavyfederal.com"; bsize:23; fast_pattern; reference:md5,1f28014859bd7cc1a4240aebb5241af0; classtype:bad-unknown; sid:2036389; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM Maldoc Remote Template Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ACMS/"; pcre:"/[a-zA-Z0-9]{8}\//UR"; content:"blockchainTemplate"; fast_pattern; reference:url,mp.weixin.qq.com/s/kcIaoB8Yta1zI6Py-uxupA; classtype:trojan-activity; sid:2035902; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, former_category MALWARE, malware_family Lazarus, performance_impact Low, signature_severity Major, updated_at 2022_04_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TraderTraitor CnC Domain (alticgo .com) in DNS Lookup"; dns.query; content:"alticgo.com"; nocase; bsize:11; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; classtype:domain-c2; sid:2036394; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Win32/TrojanDownloader.Agent.GEM Domain"; dns.query; dotprefix; content:".naveicoip"; pcre:"/^[a-z]\.(?:tech|online)$/R"; reference:md5,ecd47e596048ad1af9973a21af303465; reference:url,twitter.com/jaydinbas/status/1506987283630768138; classtype:trojan-activity; sid:2035604; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TraderTraitor CnC Domain (cryptais .com) in DNS Lookup"; dns.query; content:"cryptais.com"; nocase; bsize:12; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; classtype:domain-c2; sid:2036395; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Colibri Loader Domain in DNS Lookup (securetunnel .co)"; dns.query; dotprefix; content:".securetunnel.co"; nocase; endswith; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/; classtype:trojan-activity; sid:2035899; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, signature_severity Major, updated_at 2022_04_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TraderTraitor CnC Domain (tokenais .com) in DNS Lookup"; dns.query; content:"tokenais.com"; nocase; bsize:12; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; classtype:domain-c2; sid:2036396; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible NGINX Reference LDAP Query Injection Attack"; flow:established,to_server; http.header; content:"|0d 0a|X-Ldap-Template|3a 20|"; fast_pattern; nocase; content:"|28 7c|"; distance:0; within:5; http.header_names; content:!"Referer|0d 0a|"; reference:url,github.com/nginxinc/nginx-ldap-auth/issues/93; classtype:attempted-admin; sid:2035897; rev:2; metadata:attack_target Web_Server, created_at 2022_04_12, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TraderTraitor CnC Domain (aideck .net) in DNS Lookup"; dns.query; content:"aideck.net"; nocase; bsize:10; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; classtype:domain-c2; sid:2036397; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Farfli.CUY Downloader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/xghk.exe"; bsize:9; endswith; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/W"; http.header_names; content:!"Referer"; reference:md5,c99397d66e49e2def1b17f57cd0c5fb9; classtype:trojan-activity; sid:2035900; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TraderTraitor CnC Domain (www .esilet .com) in DNS Lookup"; dns.query; content:"www.esilet.com"; nocase; bsize:14; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; classtype:domain-c2; sid:2036398; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Snatch Ransomware Checkin (POST)"; flow:established,to_server; http.request_line; content:"POST /news HTTP/1.1"; fast_pattern; http.request_body; content:"|22|pid|22 3a|"; content:"|22|host|22 3a|"; distance:0; content:"|22|type|22 3a|"; distance:0; content:"|22|username|22 3a|"; distance:0; reference:md5,5a9ae5f51c41f2de4f3eca94ddb4ccfd; classtype:trojan-activity; sid:2035898; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TraderTraitor CnC Domain (creaideck .com) in DNS Lookup"; dns.query; content:"creaideck.com"; nocase; bsize:13; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; classtype:domain-c2; sid:2036399; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (mail .igov-service .net)"; dns.query; content:"mail.igov-service.net"; nocase; bsize:21; reference:md5,199369f6b6eba1147d7e1bca208d6dab; classtype:domain-c2; sid:2035914; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TraderTraitor CnC Domain (dafom .dev) in DNS Lookup"; dns.query; content:"dafom.dev"; nocase; bsize:9; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; classtype:domain-c2; sid:2036400; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js"; endswith; http.cookie; content:"Version=defaultSession-Id="; startswith; fast_pattern; pcre:"/^[a-zA-Z0-9-_]{171}$/R"; http.user_agent; content:!"Android"; content:!"Linux"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,199369f6b6eba1147d7e1bca208d6dab; classtype:trojan-activity; sid:2035915; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TraderTraitor Domain (alticgo .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"alticgo.com"; bsize:11; fast_pattern; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; classtype:trojan-activity; sid:2036401; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Related Domain (mail .igov-service .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"mail.igov-service.net"; bsize:21; fast_pattern; reference:md5,199369f6b6eba1147d7e1bca208d6dab; classtype:domain-c2; sid:2035916; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_13;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TraderTraitor Domain (cryptais .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"cryptais.com"; bsize:12; fast_pattern; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; classtype:trojan-activity; sid:2036402; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (ebook .port25 .biz)"; dns.query; content:"ebook.port25.biz"; nocase; bsize:16; reference:url,www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/; reference:md5,bb505ef946a80d9d0ff64923a6ca79d9; classtype:domain-c2; sid:2035912; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family HeaderTip, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TraderTraitor Domain (tokenais .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"tokenais.com"; bsize:12; fast_pattern; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; classtype:trojan-activity; sid:2036403; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (mert .my03 .com)"; dns.query; content:"mert.my03.com"; nocase; bsize:13; reference:url,www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/; reference:md5,acd062593f70c00e310c47a3e7873df4; classtype:domain-c2; sid:2035913; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family HeaderTip, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TraderTraitor Domain (aideck .net) in TLS SNI"; flow:established,to_server; tls.sni; content:"aideck.net"; bsize:10; fast_pattern; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; classtype:trojan-activity; sid:2036404; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM Maldoc Remote Template Request M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ACMS/"; fast_pattern; content:"?"; distance:16; within:10; pcre:"/[a-z0-9]{8}\/.*\?[a-z0-9]{3,10}=[a-z0-9]{8,11}$/Ui"; reference:url,mp.weixin.qq.com/s/kcIaoB8Yta1zI6Py-uxupA; classtype:trojan-activity; sid:2035901; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, former_category MALWARE, malware_family Lazarus, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TraderTraitor Domain (www .esilet .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"www.esilet.com"; bsize:14; fast_pattern; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; classtype:trojan-activity; sid:2036405; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (showsvc .com)"; dns.query; dotprefix; content:".showsvc.com"; nocase; endswith; classtype:trojan-activity; sid:2035918; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TraderTraitor Domain (creaideck .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"creaideck.com"; bsize:13; fast_pattern; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; classtype:trojan-activity; sid:2036406; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (wicommerece .com)"; dns.query; dotprefix; content:".wicommerece.com"; nocase; endswith; classtype:trojan-activity; sid:2035919; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TraderTraitor Domain (dafom .dev) in TLS SNI"; flow:established,to_server; tls.sni; content:"dafom.dev"; bsize:9; fast_pattern; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; classtype:trojan-activity; sid:2036407; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (upservicemc .com)"; dns.query; dotprefix; content:".upservicemc.com"; nocase; endswith; classtype:trojan-activity; sid:2035920; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DPRK APT Related Maldoc Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:".exe_svchost.exe_"; fast_pattern; content:"ENTER"; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,twitter.com/souiten/status/1519167359918911488; reference:md5,1dd007b44034bb3ce127b553873171e5; classtype:trojan-activity; sid:2036390; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (netpixelds .com)"; dns.query; dotprefix; content:".netpixelds.com"; nocase; endswith; classtype:trojan-activity; sid:2035921; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TraderTraitor dafom CnC Checkin M1 (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/oauth/checkupdate.php"; content:"os="; content:"email="; http.user_agent; content:"dafom"; nocase; fast_pattern; reference:url,gist.github.com/travisbgreen/01e1fdf239a9d302b14584bc82f68a2a; reference:url,www.cisa.gov/uscert/ncas/alerts/aa22-108a; classtype:trojan-activity; sid:2036408; rev:1; metadata:created_at 2022_04_27, updated_at 2022_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (allmyad .com)"; dns.query; dotprefix; content:".allmyad.com"; nocase; endswith; classtype:trojan-activity; sid:2035922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TraderTraitor dafom CnC Checkin M2 (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/update/"; content:"os="; content:"email="; http.user_agent; content:"dafom"; nocase; fast_pattern; reference:url,gist.github.com/travisbgreen/01e1fdf239a9d302b14584bc82f68a2a; reference:url,www.cisa.gov/uscert/ncas/alerts/aa22-108a; classtype:trojan-activity; sid:2036409; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (ananoka .com)"; dns.query; dotprefix; content:".ananoka.com"; nocase; endswith; classtype:trojan-activity; sid:2035923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TraderTraitor AlticGO CnC Checkin (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/update/"; http.user_agent; content:"AlticGO/1.1.0"; nocase; fast_pattern; reference:url,gist.github.com/travisbgreen/01e1fdf239a9d302b14584bc82f68a2a; reference:url,www.cisa.gov/uscert/ncas/alerts/aa22-108a; classtype:trojan-activity; sid:2036410; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (gvgnci .com)"; dns.query; dotprefix; content:".gvgnci.com"; nocase; endswith; classtype:trojan-activity; sid:2035924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1"; flow:to_client,established; http.content_type; content:"text/html"; file_data; content:"var _0x"; fast_pattern; pcre:"/^[a-f0-9]+/Ri"; content:"_0x"; within:100; content:"_0x"; within:100; content:!"FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT"; content:!"/cdn-cgi/bm/cv/result?req_id="; reference:url,github.com/javascript-obfuscator/javascript-obfuscator; classtype:misc-activity; sid:2036300; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (msfbckupsc .com)"; dns.query; dotprefix; content:".msfbckupsc.com"; nocase; endswith; classtype:trojan-activity; sid:2035925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M2"; flow:to_client,established; http.content_type; content:"text/html"; file_data; content:"function _0x"; fast_pattern; pcre:"/^[a-f0-9]+/Ri"; content:"_0x"; within:100; content:"_0x"; within:100; content:!"FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT"; content:!"/cdn-cgi/bm/cv/result?req_id="; reference:url,github.com/javascript-obfuscator/javascript-obfuscator; classtype:misc-activity; sid:2036301; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (polanicia .com)"; dns.query; dotprefix; content:".polanicia.com"; nocase; endswith; classtype:trojan-activity; sid:2035926; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3"; flow:to_client,established; http.content_type; content:"text/html"; file_data; content:"return _0x"; fast_pattern; pcre:"/^[a-f0-9]+/Ri"; content:"_0x"; within:100; content:"_0x"; within:100; content:!"FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT"; content:!"/cdn-cgi/bm/cv/result?req_id="; reference:url,github.com/javascript-obfuscator/javascript-obfuscator; classtype:misc-activity; sid:2036302; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (informaxima .org)"; dns.query; dotprefix; content:".informaxima.org"; nocase; endswith; classtype:trojan-activity; sid:2035927; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA410 APT FlowCloud Hardcoded Request (POST)"; flow:established,to_server; content:"|0d 0a|X-Requested-With|3a 20|ShockwaveFlash/20.0.0.306|0d 0a|"; http.request_line; content:"POST /messagebroker/amf HTTP/1.1"; fast_pattern; http.referer; content:"http|3a 2f 2f|s.peheavens.com/html/portlet/ext/draco/resources/draco_manager.swf/"; http.cookie; content:"COOKIE_SUPPORT="; startswith; content:"JSESSIONID="; distance:0; content:"COMPANY_ID="; distance:0; content:"ID="; distance:0; content:"PASSWORD="; distance:0; content:"LOGIN="; distance:0; content:"SCREEN_NAME"; distance:0; content:"GUEST_LANGUAGE_ID="; distance:0; reference:url,www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/; classtype:trojan-activity; sid:2036391; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, former_category MALWARE, malware_family TA410, signature_severity Major, updated_at 2022_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (worldchangeos .com)"; dns.query; dotprefix; content:".worldchangeos.com"; nocase; endswith; classtype:trojan-activity; sid:2035928; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA410 APT LookBack Client HTTP Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/status.php?r="; http.accept; content:"text/html, application/xhtml+xml, */*"; bsize:37; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.accept_enc; content:"gzip, deflate"; bsize:13; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; endswith; http.request_body; content:"id=1&op=report&status="; fast_pattern; startswith; reference:url,www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/; classtype:trojan-activity; sid:2036412; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_28, deployment Perimeter, former_category MALWARE, malware_family TA410, signature_severity Major, updated_at 2022_04_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (liongracem .com)"; dns.query; dotprefix; content:".liongracem.com"; nocase; endswith; classtype:trojan-activity; sid:2035929; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [ESET] TA410 APT LookBack HTTP Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"image/gif"; bsize:9; http.header; pcre:"/^ETag\x3a\x20[0-9]{6}-[0-9]{3,5}-[0-9]{8}\r\n/m"; file.data; content:"|c2 2e ab 48|"; depth:4; fast_pattern; reference:url,www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/; reference:url,github.com/eset/malware-ioc/tree/master/ta410; classtype:trojan-activity; sid:2036413; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_28, deployment Perimeter, former_category MALWARE, malware_family TA410, signature_severity Major, updated_at 2022_04_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (jmarrycs .com)"; dns.query; dotprefix; content:".jmarrycs.com"; nocase; endswith; classtype:trojan-activity; sid:2035930; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MoneroOcean Installer Batch Script Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"echo MoneroOcean mining"; content:"set WALLET="; content:"|3a|WALLET_LEN_OK"; content:"|22|EXP_MONERO_HASHRATE%"; fast_pattern; classtype:trojan-activity; sid:2036411; rev:1; metadata:created_at 2022_04_28, former_category MALWARE, updated_at 2022_04_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (am-reader .com)"; dns.query; dotprefix; content:".am-reader.com"; nocase; endswith; classtype:trojan-activity; sid:2035931; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nobelium APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/1/members/me/boards?key=664f145b65b9ea751df4dd21a96601f0&token=39daa5890c85fba874a352473b2fa9a97c7839223422411c22f22970f3b71ecc"; fast_pattern; http.host; content:"api.trello.com"; bsize:14; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:"(iPad|3b 20|CPU|20|OS|20|"; reference:md5,c4df0507f56e30b264c848c6096b69ae; reference:url,inquest.net/blog/2022/04/18/nobelium-israeli-embassy-maldoc; classtype:trojan-activity; sid:2036417; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Nobelium, signature_severity Major, updated_at 2022_04_28;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fodcha Bot CnC Checkin"; flow:established,to_server; dsize:5; content:"|ee 00 00 11 ff|"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:command-and-control; sid:2035939; rev:1; metadata:attack_target IoT, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Fodcha, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE China Based APT Related Domain in DNS Lookup (p1 .offline-microsoft .com)"; dns.query; content:"p1.offline-microsoft.com"; nocase; bsize:24; reference:md5,04b8a9e6f70e567a99ea728b9f0dee18; reference:md5,ee3f5fa62fc6faa7d130c26e03e148e2; reference:url,twitter.com/h2jazi/status/1519769346867879938; classtype:domain-c2; sid:2036418; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Sparkasse Credential Phish M1 2022-04-13"; flow:established,to_server; flowbits:set,ET.sparkassephishlanding; http.method; content:"POST"; http.uri; content:"Code?sslchannel=true&sessionid="; depth:32; http.request_body; content:"vic_browser=n%2Fa&vic_os=n%2Fa&vic_screen=n%2Fa&vic_lang=n%2Fa&vic_flash=n%2Fa&vic_java=n%2Fa&vic_mime=n%2Fa&vic_plugins=n%2Fa&vic_fonts=n%2Fa"; depth:142; fast_pattern; content:"=Submit&login_name="; distance:0; content:"&pin="; distance:0; classtype:credential-theft; sid:2035933; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE China Based APT Related Domain in DNS Lookup (portal .super-encrypt .com)"; dns.query; content:"portal.super-encrypt.com"; nocase; bsize:24; reference:md5,5897e67e491a9d8143f6d45803bc8ac8; reference:url,twitter.com/h2jazi/status/1519769346867879938; classtype:domain-c2; sid:2036419; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Sparkasse Credential Phish M2 2022-04-13"; flow:established,to_server; flowbits:set,ET.sparkassephishlanding; http.method; content:"POST"; http.uri; content:"Code?sslchannel=true&sessionid="; depth:32; http.request_body; content:"=Submit&old_sortcode="; fast_pattern; classtype:credential-theft; sid:2035934; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortening Service Domain in DNS Lookup (gg-l .xyz)"; dns.query; content:"gg-l.xyz"; nocase; bsize:8; classtype:bad-unknown; sid:2036420; rev:1; metadata:created_at 2022_04_29, former_category INFO, updated_at 2022_04_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Credential Phish Landing Page M1 2022-04-13"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Code?sslchannel=true&sessionid="; fast_pattern; content:"vic_browser"; distance:0; content:"vic_os"; distance:0; content:"vic_lang"; distance:0; content:"vic_flash"; distance:0; content:"vic_java"; distance:0; content:"vic_mime"; distance:0; content:"vic_plugins"; distance:0; content:"vic_fonts"; distance:0; content:"type=|22|password|22|"; distance:0; classtype:credential-theft; sid:2035935; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (gg-l .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"gg-l.xyz"; bsize:8; fast_pattern; classtype:bad-unknown; sid:2036421; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_29, deployment Perimeter, signature_severity Informational, updated_at 2022_04_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Credential Phish Landing Page M2 2022-04-13"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Code?sslchannel=true&sessionid="; fast_pattern; content:"type=|22|password|22|"; distance:0; content:"window.screen.availWidth"; distance:0; content:"window.screen.availHeight"; within:40; content:"jscd.browser"; distance:0; content:"jscd.browserMajorVersion"; within:45; content:"jscd.browserVersion"; within:45; content:"jscd.os"; distance:0; content:"jscd.osVersion"; within:30; content:"jscd.screen"; distance:0; content:"avail_res"; within:50; content:"screen.colorDepth"; within:40; content:"screen.deviceXDPI"; within:45; content:"screen.deviceYDPI"; within:45; content:"language"; distance:0; content:"jscd|2e|flashVersion|3b|"; distance:0; content:"navigator.javaEnabled()"; distance:0; content:"mime"; distance:0; content:"plugins"; distance:0; content:"listFonts().join(',')"; distance:0; classtype:credential-theft; sid:2035936; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Abused Redirect Service SSL Cert (svc .dynamics .com)"; flow:established,to_client; tls.cert_subject; content:"CN=*.svc.dynamics.com"; bsize:21; fast_pattern; classtype:bad-unknown; sid:2036422; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_29, deployment Perimeter, former_category INFO, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_04_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Credential Phish Landing Page M3 2022-04-13"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Code?sslchannel=true&sessionid="; fast_pattern; content:"vic_browser"; distance:0; content:"vic_os"; distance:0; content:"vic_lang"; distance:0; content:"vic_flash"; distance:0; content:"vic_java"; distance:0; content:"vic_mime"; distance:0; content:"vic_plugins"; distance:0; content:"vic_fonts"; distance:0; content:"type=|22|password|22|"; distance:0; classtype:credential-theft; sid:2035937; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed File Sharing Domain (www .cloudme .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.cloudme.com"; bsize:15; fast_pattern; classtype:bad-unknown; sid:2036423; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_29, deployment Perimeter, signature_severity Informational, updated_at 2022_04_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Credential Phish Landing Page M4 2022-04-13"; flow:established,to_client; flowbits:isset,ET.sparkassephishlanding; http.stat_code; content:"200"; file.data; content:"type|3d 22|tel|22|"; distance:0; content:"Personal?sslchannel=true&sessionid="; fast_pattern; content:"sortcode"; classtype:credential-theft; sid:2035938; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO File Retrieved from File Sharing Site (cloudme .com)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/v1/ws2/|3a|"; startswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Sec-Fetch-Site|0d 0a|Sec-Fetch-Mode|0d 0a|Sec-Fetch-User|0d 0a|Sec-Fetch-Dest|0d 0a|Accept-Encoding|0d 0a|"; classtype:bad-unknown; sid:2036424; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_04_29;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (ifn1h8ag1g .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"ifn1h8ag1g.com"; bsize:14; fast_pattern; reference:url,www.threatfabric.com/blogs/octo-new-odf-banking-trojan.html; classtype:command-and-control; sid:2035905; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/WindowsDefender Bypass Download Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/kill.bat"; bsize:9; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/W"; http.connection; content:"Keep-Alive"; nocase; reference:md5,a59277f422139a3c2341eee166eda629; classtype:trojan-activity; sid:2035696; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_29;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (s22231232fdnsjds .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"s22231232fdnsjds.top"; bsize:20; fast_pattern; reference:url,www.threatfabric.com/blogs/octo-new-odf-banking-trojan.html; classtype:command-and-control; sid:2035906; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [ConnectWise CRU] Java ECDSA (Psychic) Signed JWT Bypass (CVE-2022-21449)"; flow:established, to_server; http.header; content:"Authorization|3a 20|Bearer|20|"; pcre:"/(yJ0eXAiOiJKV1Qi|InR5cCI6IkpXVCJ)/HR"; content:"JhbGciOiJFUzI1Ni"; distance:0; fast_pattern; content:"MAYCAQACAQA|0d 0a|"; endswith; tag:session,5,packets; reference:cve,CVE-2022-21449; reference:cve,2022-21449; classtype:web-application-activity; sid:2036392; rev:3; metadata:affected_product Java, attack_target Server, created_at 2022_04_27, cve CVE_2022_21449, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (equisdeperson .space in TLS SNI)"; flow:established,to_server; tls.sni; content:"equisdeperson.space"; bsize:19; fast_pattern; reference:url,www.threatfabric.com/blogs/octo-new-odf-banking-trojan.html; classtype:command-and-control; sid:2035907; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.D Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/maid4u_4251/dl.php?sid="; startswith; fast_pattern; content:"&agent="; distance:16; http.user_agent; content:"Linux|3b 20|Android|20|"; http.header; content:"X-Requested-With|3a 20|com.company.gamename|0d 0a|"; content:!"Referer|3a 20|"; reference:md5,71341fc2958e65d208f2770185c61d7a; reference:url,www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/; classtype:trojan-activity; sid:2036425; rev:1; metadata:created_at 2022_04_29, updated_at 2022_04_29;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (xipxesip .design in TLS SNI)"; flow:established,to_server; tls.sni; content:"xipxesip.design"; bsize:15; fast_pattern; reference:url,www.threatfabric.com/blogs/octo-new-odf-banking-trojan.html; classtype:command-and-control; sid:2035908; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nerbian RAT CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pub/health_check.php"; fast_pattern; bsize:21; http.user_agent; content:"Go-http-client/1.1"; bsize:18; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; bsize:39; reference:md5,9cca59eec5af63e42cd845b67cf6df89; reference:md5,5d5bc970f975341558b8d2c225ca0115; reference:url,twitter.com/pr0xylife/status/1519704793593307136; classtype:trojan-activity; sid:2036426; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Malicious User-Agent (FastInvoice)"; flow:established,to_server; http.user_agent; content:"FastInvoice"; bsize:11; startswith; fast_pattern; reference:md5,42218b0ce7fc47f80aa239d4f9e000a1; classtype:bad-unknown; sid:2035932; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2022_04_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible VMware Workspace ONE Access RCE via Server-Side Template Injection Inbound (CVE-2022-22954)"; flow:to_server,established; http.uri; content:"/catalog-portal/ui/oauth/verify?"; http.uri.raw; content:"&deviceUdid=%24%7b"; fast_pattern; nocase; reference:cve,2022-22954; classtype:attempted-admin; sid:2036416; rev:1; metadata:attack_target Server, created_at 2022_04_29, cve CVE_2022_22954, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TransparentTribe APT Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"@"; content:".php"; endswith; http.user_agent; content:"Python-urllib/"; startswith; http.request_body; content:".exe|25|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f9d7e0af85fd918dd5daf1b50bf649f6; reference:md5,68d73d596a7103e517967f7f4e22cecb; reference:url,blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html; classtype:trojan-activity; sid:2035917; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nerbian RAT Data Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/pub/health_check.php"; fast_pattern; bsize:21; http.user_agent; content:"Go-http-client/1.1"; bsize:18; http.header_names; content:!"Referer|0d 0a|"; http.content_type; content:"multipart/form-data|3b 20|boundary="; depth:30; pcre:"/[a-f0-9]{60}$/R"; http.request_body; content:"name=|22|addr_post|22|"; content:"name=|22|port_post|22|"; content:"name=|22|auth_post|22|"; content:"name=|22|session_key|22|"; content:"name=|22|data_post|22|"; reference:md5,9cca59eec5af63e42cd845b67cf6df89; reference:md5,5d5bc970f975341558b8d2c225ca0115; reference:url,twitter.com/pr0xylife/status/1519704793593307136; classtype:trojan-activity; sid:2036427; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_29;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android/SpyLoan.9ef8bf95 Domain (api .dreamloan .cc in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.dreamloan.cc"; bsize:16; fast_pattern; reference:md5,5038f1ae69db7682e99c04947fa467aa; classtype:command-and-control; sid:2035909; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET [1024:] (msg:"ET MALWARE Win32/Farfli.BAL CnC Activity"; flow:established,to_server; http.request_line; content:"GET /2112.html|20|"; startswith; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; reference:md5,32547c9f7c7c870ee12fdf944e8afb34; classtype:trojan-activity; sid:2036453; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DNS Query to VBS/Agent.PUK Domain"; dns.query; content:"fserverone.webcindario.com"; fast_pattern; reference:url,hasec.ahnlab.com/ko/33141/; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:md5,e49e41a810730f4bf3d43178e4c84ee5; classtype:trojan-activity; sid:2035944; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
+#alert udp any any -> $DNS_SERVERS 53 (msg:"ET DELETED BIND9 msg->reserved Assertion DoS Packet Inbound (CVE-2016-2776)"; dsize:>512; content:"|00 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; content:"|00 00 01 00 01|"; distance:0; content:"|00 00 FA|"; distance:0; reference:cve,cve-2016-2776; reference:url,blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html; classtype:attempted-dos; sid:2023317; rev:4; metadata:affected_product BIND, attack_target Server, created_at 2016_10_04, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_29;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DNS Query to VBS/Agent.PUK Domain"; dns.query; content:"cmaildowninvoice.webcindario.com"; fast_pattern; reference:url,hasec.ahnlab.com/ko/33141/; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:md5,e49e41a810730f4bf3d43178e4c84ee5; classtype:trojan-activity; sid:2035945; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET [:1024] (msg:"ET MALWARE Likely Mirai Related Outbound Shell Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bins.sh"; bsize:8; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; threshold:type threshold, track by_src, count 5, seconds 60; reference:md5,66767161f67d5fdf18ab25e292aece88; classtype:trojan-activity; sid:2036454; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_29, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2022_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Agent.PUK Data Exfiltration Request M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"Cache=error"; fast_pattern; content:"Sand="; content:"Data="; content:"Em="; reference:url,hasec.ahnlab.com/ko/33141/; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:md5,e49e41a810730f4bf3d43178e4c84ee5; classtype:trojan-activity; sid:2035946; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA452 Related Domain in DNS Lookup"; dns.query; dotprefix; content:".joexpediagroup.com"; nocase; endswith; reference:url,blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/; classtype:domain-c2; sid:2036557; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_02, deployment Perimeter, former_category MALWARE, malware_family APT34, malware_family TA452, signature_severity Major, updated_at 2022_05_02;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Trojan-Spy.AndroidOS.Agent.abe Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"5iw68rugwfcir37uj8z3r6rfaxwd8g8cdcfcqw62.de"; bsize:43; fast_pattern; reference:md5,ad6f124d00ca05f2a19b5215b85e25a8; classtype:command-and-control; sid:2035910; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA452 Related Domain in DNS Lookup"; dns.query; dotprefix; content:".asiaworldremit.com"; nocase; endswith; reference:url,blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/; classtype:domain-c2; sid:2036558; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_02, deployment Perimeter, former_category MALWARE, malware_family APT34, malware_family TA452, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Agent.PUK Data Exfiltration Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"Cache=fail"; fast_pattern; content:"Sand="; reference:url,hasec.ahnlab.com/ko/33141/; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:md5,e49e41a810730f4bf3d43178e4c84ee5; classtype:trojan-activity; sid:2035947; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA452 Related Domain in DNS Lookup"; dns.query; dotprefix; content:".uber-asia.com"; nocase; endswith; classtype:domain-c2; sid:2036559; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_02, deployment Perimeter, former_category MALWARE, malware_family APT34, malware_family TA452, signature_severity Major, updated_at 2022_05_02;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET HUNTING FTP CWD to windows system32 - Suspicious"; flow:established,to_server; content:"CWD C|3a 5c|WINDOWS|5c|system32|5c|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008556; classtype:trojan-activity; sid:2008556; rev:7; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2022_04_13;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M1"; flow:to_server,established; http.uri; content:"?dest="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036428; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For an Executable File In a Temp Directory"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"temp|5c|"; nocase; distance:0; content:"|2E|exe|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025702; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2022_04_13;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M2"; flow:to_server,established; http.uri; content:"?redirect="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036429; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".webm"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,af944c93405d60adc350f94e24a3d5a1; reference:url,twitter.com/souiten/status/1511552820863852544; classtype:trojan-activity; sid:2036210; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_13;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M3"; flow:to_server,established; http.uri; content:"?uri="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036430; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious VBS Sending System Information (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Cache=error&Sand="; startswith; fast_pattern; content:"&Data="; distance:0; content:"&Em="; distance:50; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:url,asec.ahnlab.com/ko/33141/; classtype:trojan-activity; sid:2036211; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_14;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M4"; flow:to_server,established; http.uri; content:"?path="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036431; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Grafana 8.x Path Traversal (CVE-2021-43798)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/public/plugins/"; fast_pattern; content:"|2f 2e 2e 2f|"; distance:0; within:40; reference:url,github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p; classtype:attempted-admin; sid:2034629; rev:2; metadata:attack_target Server, created_at 2021_12_07, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_14;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M5"; flow:to_server,established; http.uri; content:"?continue="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036432; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE EvilNominatus Ransomware Related Domain in DNS Lookup"; dns.query; content:"i-love-evilnominatuscrypt.000webhostapp.com"; nocase; bsize:43; reference:url,www.clearskysec.com/wp-content/uploads/2022/04/EvilNominatus_Ransomware_7.4.22.pdf; classtype:domain-c2; sid:2036212; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2022_04_14;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M6"; flow:to_server,established; http.uri; content:"?url="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036433; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/seized.xml"; endswith; fast_pattern; http.user_agent; content:!"Linux"; content:!"Android"; http.header_names; content:!"Referer|0d 0a|"; http.host; content:".ru"; endswith; reference:md5,d6fe6243a9b4293db6384f22524ff709; reference:url,cert.gov.ua/article/39386; classtype:trojan-activity; sid:2036213; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_14;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M7"; flow:to_server,established; http.uri; content:"?window="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036434; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET INFO Empty POST with Terse Headers Over Non Standard Port"; flow:established,to_server; http.request_line; content:"POST / HTTP/1.1"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; bsize:26; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.content_len; byte_test:0,=,0,0,string,dec; reference:url,twitter.com/3xp0rtblog/status/1509267848958562305; reference:md5,52a46f058ec6b726fe2829a590a15155; classtype:bad-unknown; sid:2036225; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Major, updated_at 2022_04_15;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M8"; flow:to_server,established; http.uri; content:"?next="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036435; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M1 (CVE-2020-17456)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/system_log.cgi"; http.request_body; content:"&pingIpAddr="; fast_pattern; content:"%3B%"; distance:0; within:5; nocase; reference:cve,2020-17456; classtype:attempted-admin; sid:2035950; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_04_14, cve CVE_2020_17456, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M9"; flow:to_server,established; http.uri; content:"?data="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036436; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M2 (CVE-2020-17456)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/system_log.cgi"; http.request_body; content:"&pingIpAddr="; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; reference:cve,2020-17456; classtype:attempted-admin; sid:2035951; rev:1; metadata:created_at 2022_04_14, cve CVE_2020_17456, updated_at 2022_04_14;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M10"; flow:to_server,established; http.uri; content:"?reference="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036437; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SEOWON INTECH SLC-130 RCE Inbound (No CVE)"; flow:to_server,established; http.method; content:"POST"; http.uri; http.request_body; content:"&queriesCnt="; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; classtype:attempted-admin; sid:2035952; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M11"; flow:to_server,established; http.uri; content:"?site="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036438; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link DWR Command Injection Inbound (CVE-2018-10823)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/chkisg.htm"; content:"%3FSip%"; fast_pattern; nocase; distance:0; content:"%7C"; nocase; distance:0; reference:cve,2018-10823; classtype:attempted-admin; sid:2035953; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, cve CVE_2018_10823, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M12"; flow:to_server,established; http.uri; content:"?html="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036439; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT iRZ Mobile Router RCE Inbound M1 (CVE-2022-27226)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/api/crontab"; fast_pattern; http.request_body; content:"|22|tasks|22 3a|"; content:"|22|command|22 3a|"; reference:cve,2022-27226; classtype:attempted-admin; sid:2035954; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, cve CVE_2022_27226, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M13"; flow:to_server,established; http.uri; content:"?val="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036440; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Razer Sila Router - Command Injection Attempt Inbound (No CVE)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ubus/"; http.request_body; content:"|22|exec|22|,|7b 22|command|22 3a 22|"; reference:url,www.exploit-db.com/exploits/50865; classtype:attempted-admin; sid:2035955; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M14"; flow:to_server,established; http.uri; content:"?validate="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036441; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Razer Sila Router - LFI Attempt Inbound (No CVE)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ubus/"; http.request_body; content:"|22|read|22|,|7b 22|path|22 3a 22|"; reference:url,www.exploit-db.com/exploits/50864; classtype:attempted-admin; sid:2035956; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M15"; flow:to_server,established; http.uri; content:"?domain="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036442; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Golang HTTP Backdoor CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; http.header; content:"auth_token=|22|XXXXXXX|22|"; fast_pattern; http.request_body; content:"details="; content:"&news="; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:trojan-activity; sid:2035958; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Backdoor, updated_at 2022_04_18;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M16"; flow:to_server,established; http.uri; content:"?callback="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036443; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Golang HTTP Backdoor Requesting Commands"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; http.header; content:"auth_token=|22|XXXXXXX|22|"; http.request_body; content:"news="; content:"&request_for_read="; fast_pattern; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:trojan-activity; sid:2035959; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Backdoor, updated_at 2022_04_18;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M17"; flow:to_server,established; http.uri; content:"?return="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036444; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Golang HTTP Backdoor Submitting Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; http.header; content:"auth_token=|22|XXXXXXX|22|"; fast_pattern; http.request_body; content:"answer="; content:"&cid="; content:"&news="; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:trojan-activity; sid:2035960; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Backdoor, updated_at 2022_04_18;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M18"; flow:to_server,established; http.uri; content:"?page="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036445; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Gamaredon APT Related Malicious Shortcut Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/favicon.ico"; endswith; http.host; content:"military-ukraine."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c0d3a0ab9b47ab9bc81cf5d831053431; reference:md5,7b20e3ac2a4ebf507f6c8358245d5db5; classtype:trojan-activity; sid:2036214; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_14;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M19"; flow:to_server,established; http.uri; content:"?feed="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036446; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to ShadowPad Domain (supership .dynv6 .net)"; dns.query; content:"supership.dynv6.net"; nocase; bsize:19; reference:url,otx.alienvault.com/pulse/624ff0af271429d152b5a27e; classtype:trojan-activity; sid:2036216; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M20"; flow:to_server,established; http.uri; content:"?host="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036447; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to ShadowPad Domain (greatsong .soundcast .me)"; dns.query; content:"greatsong.soundcast.me"; nocase; bsize:22; reference:url,otx.alienvault.com/pulse/624ff0af271429d152b5a27e; classtype:trojan-activity; sid:2036217; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M21"; flow:to_server,established; http.uri; content:"?port="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036448; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to ShadowPad Domain (supermarket .ownip .net)"; dns.query; content:"supermarket.ownip.net"; nocase; bsize:21; reference:url,otx.alienvault.com/pulse/624ff0af271429d152b5a27e; classtype:trojan-activity; sid:2036218; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M22"; flow:to_server,established; http.uri; content:"?to="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036449; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Remote Code Execution Inbound (CVE-2020-17530)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|25 7b|"; content:".exec|28|"; distance:0; fast_pattern; content:"|29 7d|"; distance:0; reference:url,github.com/CyborgSecurity/CVE-2020-17530; reference:cve,2020-17530; classtype:attempted-admin; sid:2033408; rev:2; metadata:created_at 2021_07_24, cve CVE_2020_17530, former_category WEB_SPECIFIC_APPS, updated_at 2022_04_14;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M23"; flow:to_server,established; http.uri; content:"?out="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036450; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba Lure (Package Delivery)"; flow:established,to_client; content:"|82|"; startswith; content:"jsonrpc"; distance:5; within:8; content:"Your parcel has been sent out.Please check and accept it. http"; fast_pattern; reference:url,team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion; classtype:trojan-activity; sid:2036215; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_04_14, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_04_14;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M24"; flow:to_server,established; http.uri; content:"?view="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036451; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.longmusic .com Domain"; flow:established,to_server; http.host; content:".longmusic.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035961; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M25"; flow:to_server,established; http.uri; content:"?dir="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036452; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.longmusic .com Domain"; dns.query; content:".longmusic.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035962; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Interactsh Control Panel (DNS)"; threshold: type both, track by_src, count 1, seconds 600; dns.query; pcre:"/^[a-z0-9]{33}/"; content:".interact.sh"; endswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/exploits-interactsh/; classtype:trojan-activity; sid:2034201; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.wikaba .com Domain"; dns.query; content:".wikaba.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035963; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/SodaMaster domain observed in DNS query (www. rare-coisns. com)"; dns.query; content:"www.rare-coisns.com"; fast_pattern; reference:md5,0b182464a2351a9d79c1222bb1fdf35e; reference:md5,037261d5571813b9640921afac8aafbe; reference:md5,c5994f9fe4f58c38a8d2af3021028310; classtype:targeted-activity; sid:2035614; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.wikaba .com Domain"; flow:established,to_server; http.host; content:".wikaba.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035964; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Splashtop Domain in DNS Lookup (splashtop .eu)"; dns.query; dotprefix; content:".splashtop.eu"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035764; rev:2; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.zzux .com Domain"; flow:established,to_server; http.host; content:".zzux.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035965; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Pastebin-style service note .youdao .com  in DNS query"; dns.query; content:"note.youdao.com"; fast_pattern; reference:url,twitter.com/malwrhunterteam/status/1509160261881667585; reference:md5,6cb6caeffc9a8a27b91835fdad750f90; classtype:misc-activity; sid:2035668; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.wikaba .com Domain"; dns.query; content:".wikaba.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035966; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO ET INFO URL Shortening Service Domain in DNS Lookup (s59 .site)"; dns.query; content:"s59.site"; fast_pattern; classtype:bad-unknown; sid:2035870; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.wikaba .com Domain"; flow:established,to_server; http.host; content:".wikaba.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035967; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected Snugy DNS Backdoor Initial Beacon"; content:"|00 00 01 00 01|"; endswith; dns.query; bsize:>19; content:"646"; offset:2; depth:5; fast_pattern; pcre:"/^[qbedm]{1}[a-zA-Z]{1,3}646[a-zA-Z0-9]{1,3}+\./"; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-backdoors/; reference:md5,162959ebfd839229969d5e830c7d1dbc; classtype:command-and-control; sid:2031193; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_05_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dumb1 .com Domain"; dns.query; content:".dumb1.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035968; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"login-service.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035860; rev:3; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dumb1 .com Domain"; flow:established,to_server; http.host; content:".dumb1.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035969; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (al7erak247 .com)"; dns.query; content:"al7erak247.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035779; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onedumb .com Domain"; dns.query; content:".onedumb.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035970; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (arabia-islamion .com)"; dns.query; content:"arabia-islamion.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035782; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onedumb .com Domain"; flow:established,to_server; http.host; content:".onedumb.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035971; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (al-nusr .net)"; dns.query; content:"al-nusr.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035776; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.youdontcare .com Domain"; dns.query; content:".youdontcare.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035972; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"khilafah-islamic.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035866; rev:3; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.youdontcare .com Domain"; flow:established,to_server; http.host; content:".youdontcare.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035973; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Deep Panda Domain in DNS Lookup (vpn2 .smi1egate .com)"; dns.query; content:"vpn2.smi1egate.com"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; reference:md5,0b991aca7e5124df471cf8fb9e301673; classtype:trojan-activity; sid:2035704; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.yourtrap .com Domain"; dns.query; content:".yourtrap.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035974; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to VBS/Agent.PUK Domain"; dns.query; content:"fserverone.webcindario.com"; fast_pattern; reference:url,hasec.ahnlab.com/ko/33141/; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:md5,e49e41a810730f4bf3d43178e4c84ee5; classtype:trojan-activity; sid:2035944; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.yourtrap .com Domain"; flow:established,to_server; http.host; content:".yourtrap.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035975; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"www.al7eraknews.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035865; rev:3; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.2waky .com Domain"; dns.query; content:".2waky.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035976; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (greenblguard .shop)"; dns.query; content:"greenblguard.shop"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035712; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.2waky .com Domain"; flow:established,to_server; http.host; content:".2waky.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035977; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"talabatt.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035862; rev:3; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.sexidude .com Domain"; dns.query; content:".sexidude.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035978; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (jonathanhardwick .me)"; dns.query; content:"jonathanhardwick.me"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035662; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sexidude .com Domain"; flow:established,to_server; http.host; content:".sexidude.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035979; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (akhbarnew .com)"; dns.query; content:"akhbarnew.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035775; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mefound .com Domain"; dns.query; content:".mefound.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035980; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (.verble .rocks)"; dns.query; dotprefix; content:".verble.rocks"; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035664; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mefound .com Domain"; flow:established,to_server; http.host; content:".mefound.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035981; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (win .mirtonewbacker .com)"; dns.query; content:"win.mirtonewbacker.com"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035708; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.organiccrap .com Domain"; dns.query; content:".organiccrap.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035982; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to VBS/Agent.PUK Domain"; dns.query; content:"cmaildowninvoice.webcindario.com"; fast_pattern; reference:url,hasec.ahnlab.com/ko/33141/; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:md5,e49e41a810730f4bf3d43178e4c84ee5; classtype:trojan-activity; sid:2035945; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.organiccrap .com Domain"; flow:established,to_server; http.host; content:".organiccrap.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035983; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Deep Panda Domain in DNS Lookup (svn1 .smi1egate .com)"; dns.query; content:"svn1.smi1egate.com"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; classtype:trojan-activity; sid:2035705; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.toythieves .com Domain"; dns.query; content:".toythieves.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035984; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"unsubscribe-now.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035868; rev:3; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.toythieves .com Domain"; flow:established,to_server; http.host; content:".toythieves.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035985; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"mobiles-security.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035867; rev:3; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.justdied .com Domain"; dns.query; content:".justdied.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035986; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (alrainew .com)"; dns.query; content:"alrainew.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035781; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.justdied .com Domain"; flow:established,to_server; http.host; content:".justdied.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035987; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"mangoutlet.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035869; rev:3; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.jungleheart .com Domain"; dns.query; content:".jungleheart.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035988; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (onetwostep .at)"; dns.query; content:"onetwostep.at"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035714; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.jungleheart .com Domain"; flow:established,to_server; http.host; content:".jungleheart.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035989; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Generic Phishing Domain in DNS Lookup (info-getting-eu. com)"; dns.query; content:"info-getting-eu.com"; fast_pattern; classtype:credential-theft; sid:2035618; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category PHISHING, performance_impact Low, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mrbonus .com Domain"; dns.query; content:".mrbonus.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035990; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)"; dns.query; dotprefix; content:"discordapp.com"; endswith; reference:md5,03f93498e1006ffa3a1f9fcb6170525a; classtype:misc-activity; sid:2035466; rev:2; metadata:created_at 2022_03_15, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mrbonus .com Domain"; flow:established,to_server; http.host; content:".mrbonus.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035991; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spytector Domain DNS Lookup (mail .spytector .com)"; dns.query; content:"mail.spytector.com"; fast_pattern; reference:md5,1a72533d45c878cf4f35323e57c00887; classtype:trojan-activity; sid:2035771; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.x24hr .com Domain"; dns.query; content:".x24hr.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035992; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (al-taleanews .net)"; dns.query; content:"al-taleanews.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035777; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.x24hr .com Domain"; flow:established,to_server; http.host; content:".x24hr.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035993; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (akhbar-islamyah .com)"; dns.query; content:"akhbar-islamyah.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035774; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.fartit .com Domain"; dns.query; content:".fartit.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035994; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"cozmo-store.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035864; rev:3; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.fartit .com Domain"; flow:established,to_server; http.host; content:".fartit.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035995; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (verble .software)"; dns.query; content:"verble.software"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035666; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.itemdb .com Domain"; dns.query; content:".itemdb.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035996; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET EXPLOIT_KIT Observed BottleEK Domain in DNS Lookup 2021-04-15"; dns.query; content:"ctgame.tk"; nocase; bsize:9; reference:url,twitter.com/nao_sec/status/1381100024919035908; classtype:domain-c2; sid:2032764; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.itemdb .com Domain"; flow:established,to_server; http.host; content:".itemdb.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035997; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (umpulumpu .ru)"; dns.query; content:"umpulumpu.ru"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035710; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.instanthq .com Domain"; dns.query; content:".instanthq.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035998; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"rss-me.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035861; rev:3; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.instanthq .com Domain"; flow:established,to_server; http.host; content:".instanthq.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035999; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Buer - DomainInfo Domain"; flow:established,to_server; dns.query; content:"officewestunionbank.com"; bsize:23; reference:md5,0731679c5f99e8ee65d8b29a3cabfc6b; classtype:domain-c2; sid:2032893; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_04_30, deployment Perimeter, former_category MALWARE, malware_family Buer, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.xxuz .com Domain"; dns.query; content:".xxuz.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036000; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed Discord Domain in DNS Lookup (discord .com)"; dns.query; dotprefix; content:"discord.com"; endswith; reference:md5,03f93498e1006ffa3a1f9fcb6170525a; classtype:misc-activity; sid:2035465; rev:2; metadata:created_at 2022_03_15, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.xxuz .com Domain"; flow:established,to_server; http.host; content:".xxuz.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036001; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (akhbar-almasdar .com)"; dns.query; content:"akhbar-almasdar.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035773; rev:3; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.jkub .com Domain"; dns.query; content:".jkub.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036002; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (gaymers .ax)"; dns.query; content:"gaymers.ax"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035660; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.jkub .com Domain"; flow:established,to_server; http.host; content:".jkub.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036003; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (al-taleanewsonline .net)"; dns.query; content:"al-taleanewsonline.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035778; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.itsaol .com Domain"; dns.query; content:".itsaol.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036004; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected Snugy DNS Backdoor CnC Activity (Hostname Send)"; dns.query; bsize:>22; content:"266"; offset:3; depth:8; pcre:"/^[zjr9x]{1}[tmdhpz]{1}[0-9a-z]{1,6}266(?:[a-zA-Z0-9]{1,6})?+\./"; content:!".trendmicro.com"; content:!"cnr.io"; endswith; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-backdoors/; classtype:command-and-control; sid:2031194; rev:4; metadata:attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.itsaol .com Domain"; flow:established,to_server; http.host; content:".itsaol.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036005; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed Phish Domain in DNS Query (daviviendapersonalingresos .live) 2021-04-15"; dns.query; content:"daviviendapersonalingresos.live"; nocase; bsize:31; reference:url,twitter.com/TeamDreier/status/1382230430108254209; classtype:credential-theft; sid:2032763; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.faqserv .com Domain"; dns.query; content:".faqserv.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036006; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Splashtop Domain in DNS Lookup (splashtop .com)"; dns.query; dotprefix; content:".splashtop.com"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035762; rev:2; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.faqserv .com Domain"; flow:established,to_server; http.host; content:".faqserv.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036007; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed Phish Domain in DNS Query (daviviendapersonalingresos .xyz) 2021-04-15"; dns.query; content:"daviviendapersonalingresos.xyz"; nocase; bsize:30; reference:url,twitter.com/TeamDreier/status/1382230430108254209; classtype:credential-theft; sid:2032765; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.jetos .com Domain"; dns.query; content:".jetos.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036008; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Deep Panda Domain in DNS Lookup (giga .gnisoft .com)"; dns.query; content:"giga.gnisoft.com"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; classtype:trojan-activity; sid:2035706; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.jetos .com Domain"; flow:established,to_server; http.host; content:".jetos.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036009; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; content:!"|29|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2102650; rev:4; metadata:created_at 2010_09_23, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.qpoe .com Domain"; dns.query; content:".qpoe.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036010; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+#alert http any any -> $HTTP_SERVERS any (msg:"ET DELETED Possible CVE-2014-6271 Attempt in HTTP Version Number"; flow:established,to_server; http.protocol; content:"|28 29 20 7b|"; startswith; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019236; rev:7; metadata:created_at 2014_09_25, former_category WEB_SERVER, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.qpoe .com Domain"; flow:established,to_server; http.host; content:".qpoe.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036011; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (006)"; flow:established,to_server; http.user_agent; content:"00"; depth:2; pcre:"/00\d+$/"; reference:url,doc.emergingthreats.net/bin/view/Main/2006388; classtype:pup-activity; sid:2006388; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.qhigh .com Domain"; dns.query; content:".qhigh.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036012; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY User-Agent (Launcher)"; flow:established,to_server; http.user_agent; content:"Launcher"; nocase; content:!"EpicGamesLauncher"; depth:17; content:!"7Launcher"; reference:url,doc.emergingthreats.net/2010645; classtype:policy-violation; sid:2010645; rev:12; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.qhigh .com Domain"; flow:established,to_server; http.host; content:".qhigh.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036013; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY curl User-Agent Outbound"; flow:established,to_server; http.user_agent; content:"curl/"; nocase; startswith; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013028; rev:7; metadata:created_at 2011_06_14, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.vizvaz .com Domain"; dns.query; content:".vizvaz.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036014; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (Agent and 5 or 6 digits)"; flow:established,to_server; http.user_agent; content:"Agent"; depth:5; pcre:"/^Agent\d{5,6}$/i"; http.host; content:!"cloud.10jqka.com.cn"; content:!".maxthon.com"; classtype:trojan-activity; sid:2013315; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag User_Agent, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.vizvaz .com Domain"; flow:established,to_server; http.host; content:".vizvaz.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036015; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Likseput.A Checkin"; flow:established,to_server; http.header; content:"|5c|"; within:64; content:"Host|3a 20|"; distance:0; content:!"|0d 0a|"; distance:-6; within:2; http.user_agent; content:"5|2e|"; startswith; pcre:"/^5\.[0-2]\x20\d\d\x3a\d\d\x20/"; reference:md5,4b6f5e62d7913fc1ab6c71b5b909ecbf; classtype:command-and-control; sid:2016450; rev:7; metadata:created_at 2012_01_12, former_category MALWARE, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mrface .com Domain"; dns.query; content:".mrface.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036016; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njRAT CnC Command (ll)"; flow:established,to_server; dsize:<350; content:"|00|ll"; depth:8; fast_pattern; content:"Win|20|"; distance:0; pcre:"/^\d{1,5}\x00ll/i"; reference:md5,ac7b1fdc679fdbd3cb0cd8a3e30ecddb; classtype:command-and-control; sid:2021176; rev:6; metadata:created_at 2015_06_02, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mrface .com Domain"; flow:established,to_server; http.host; content:".mrface.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036017; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Downloader.Small.BIL CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?a=Te"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; startswith; reference:md5,4C669A60719FC1051FB336CB25B209FD; classtype:command-and-control; sid:2025147; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_13, deployment Perimeter, former_category MALWARE, malware_family Downloader_Small_BIL, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.isasecret .com Domain"; dns.query; content:".isasecret.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036018; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Inbound (aw)"; flow:established,to_client; dsize:<50; content:"aw|7c 7c 7c|"; fast_pattern; nocase; depth:5; content:"|7c|"; isdataat:!1,relative; reference:md5,ca075cb808eb6f69ab5ea82d7acb3f39; classtype:command-and-control; sid:2029697; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.isasecret .com Domain"; flow:established,to_server; http.host; content:".isasecret.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036019; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Moist Stealer CnC Exfil"; flow:established,to_server; http.uri; content:".php?id="; content:"&caption="; distance:0; content:"|20|Moist|20|Stealer|20|gate|20|detected|20|new|20|log!"; nocase; distance:0; fast_pattern; content:"User|3a|"; nocase; distance:0; content:"IP|3a|"; nocase; distance:0; http.request_body; content:"].zip|0d 0a|"; http.header_names; content:!"Referer"; reference:md5,f855dffcbd21d4e4a59eed5a7a392af9; classtype:command-and-control; sid:2030900; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Moist_Stealer, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mrslove .com Domain"; dns.query; content:".mrslove.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036020; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Oracle WebLogic RCE Shell Inbound M2 (CVE-2020-14882)"; flow:established,to_server; http.uri.raw; content:"/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel="; content:"com.tangosol.coherence.mvel2.sh.ShellSession("; distance:0; within:75; http.uri; content:"com.tangosol.coherence.mvel2.sh.ShellSession("; fast_pattern; content:"java.lang.Runtime.getRuntime("; distance:0; content:".exec"; distance:0; reference:url,isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/; reference:url,packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html; reference:cve,2020-14882; classtype:attempted-user; sid:2031147; rev:3; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_10_30, cve CVE_2020_14882, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mrslove .com Domain"; flow:established,to_server; http.host; content:".mrslove.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036021; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SSLv2 Used in Session"; flow:established,to_server; ssl_version:sslv2; reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031488; rev:2; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.americanunfinished .com Domain"; dns.query; content:".americanunfinished.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036022; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SSLv3 Used in Session"; flow:established,to_server; ssl_version:sslv3; reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031489; rev:2; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.americanunfinished .com Domain"; flow:established,to_server; http.host; content:".americanunfinished.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036023; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TLSv1.1 Used in Session"; flow:established,to_server; tls.version:1.1; reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031490; rev:2; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.serveusers .com Domain"; dns.query; content:".serveusers.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036024; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TLSv1.0 Used in Session"; flow:established,to_server; tls.version:1.0; reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031491; rev:2; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.serveusers .com Domain"; flow:established,to_server; http.host; content:".serveusers.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036025; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Suspicious GitHack TLS SNI Request - Possible PurpleFox EK"; flow:established,to_server; tls.sni; content:".githack."; content:!".githack.com"; endswith; classtype:exploit-kit; sid:2032481; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family PurpleFox, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.serveuser .com Domain"; dns.query; content:".serveuser.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036026; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (QiHoo Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"."; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,image/webp,image/apng,*/*|3b|q=0.8"; bsize:85; content:!"application/signed-exchange"; http.user_agent; content:"Mozilla/5.0 (Linux|3b 20|Android 4.1.1|3b 20|Nexus 7 Build/JRO03D) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Safari"; bsize:123; content:!"Safari/535.19"; http.cookie; content:"__guid="; depth:7; content:"|3b|opqopq="; distance:0; fast_pattern; content:"|3b|QiHooGUID="; distance:0; content:"|3b|"; endswith; http.header_names; content:!"Accept-"; content:!"Referer"; classtype:command-and-control; sid:2032746; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_11, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.serveuser .com Domain"; flow:established,to_server; http.host; content:".serveuser.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036027; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Google Webcrawler User-Agent (Mediapartners-Google)"; flow:established,to_server; http.user_agent; content:"Mediapartners-Google"; nocase; classtype:not-suspicious; sid:2032978; rev:2; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2022_05_03, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.myftp .info Domain"; dns.query; content:".myftp.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036028; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Yandex Webcrawler User-Agent (YandexBot)"; flow:established,to_server; http.user_agent; content:"YandexBot"; nocase; classtype:not-suspicious; sid:2032979; rev:2; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2022_05_03, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.myftp .info Domain"; flow:established,to_server; http.host; content:".myftp.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036029; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN DuckDuckGo Webcrawler User-Agent (DuckDuckBot)"; flow:established,to_server; http.user_agent; content:"DuckDuckBot"; nocase; classtype:not-suspicious; sid:2032980; rev:2; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2022_05_03, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mydad .info Domain"; dns.query; content:".mydad.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036030; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Bing Webcrawler User-Agent (BingBot)"; flow:established,to_server; http.user_agent; content:"bingbot"; nocase; classtype:not-suspicious; sid:2032981; rev:2; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2022_05_03, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mydad .info Domain"; flow:established,to_server; http.host; content:".mydad.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036031; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Naver Webcrawler User-Agent (Naver.me)"; flow:established,to_server; http.user_agent; content:"naver.me"; nocase; classtype:not-suspicious; sid:2032982; rev:2; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2022_05_03, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mymom .info Domain"; dns.query; content:".mymom.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036032; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Ask Webcrawler User-Agent"; flow:established,to_server; http.user_agent; content:"Ask Jeeves"; nocase; classtype:not-suspicious; sid:2033164; rev:2; metadata:attack_target Web_Server, created_at 2021_06_23, deployment Perimeter, former_category POLICY, signature_severity Informational, tag WebCrawler, updated_at 2022_05_03, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mymom .info Domain"; flow:established,to_server; http.host; content:".mymom.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036033; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing Landing Page 2021-06-29"; flow:established,to_client; file.data; content:"<title>HOME|20 2d 20|BEZPIECZE|26|amp|3b 23|x143|3b|STWA ADMIN JEDNOSTKA</title>"; fast_pattern; content:"method|3d 22|post|22|"; distance:0; content:"encType|3d 22|multipart/form-data|22|"; distance:0; content:"id|3d 22|rJ6e8Wwhpou|22|"; distance:0; content:"novalidate|3d 22 22|"; classtype:credential-theft; sid:2033216; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mypicture .info Domain"; dns.query; content:".mypicture.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036034; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing Landing Page 2021-06-29"; flow:established,to_client; file.data; content:"<title>HOME|20 2d 20|BEZPIECZE|26|amp|3b 23|x143|3b|STWA ADMIN JEDNOSTKA</title>"; fast_pattern; content:"method|3d 22|post|22|"; distance:0; content:"encType|3d 22|multipart/form-data|22|"; distance:0; content:"id|3d 22|rJ6e8Wwhpou|22|"; distance:0; content:"novalidate|3d 22 22|"; classtype:credential-theft; sid:2033217; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mypicture .info Domain"; flow:established,to_server; http.host; content:".mypicture.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036035; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert udp any any -> $HOME_NET 12345 (msg:"ET EXPLOIT [PwnedPiper] Exploitation Attempt - Large Malformed Translogic Packet (CVE-2021-37164)"; dsize:>369; content:"TLPU"; startswith; fast_pattern; reference:cve,2021-37164; reference:url,www.armis.com/pwnedPiper; classtype:attempted-admin; sid:2033662; rev:2; metadata:attack_target Server, created_at 2021_08_03, cve CVE_2021_37164, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.myz .info Domain"; dns.query; content:".myz.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036036; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (LIST)"; flow:established,to_server; tls.sni; content:"LIST-"; startswith; fast_pattern; pcre:"/^LIST-[A-Za-z0-9]{16}\./"; reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033800; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.myz .info Domain"; flow:established,to_server; http.host; content:".myz.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036037; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (LS)"; flow:established,to_server; tls.sni; content:"LS-"; startswith; fast_pattern; pcre:"/^LS-[A-Za-z0-9]{16}\./"; reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033801; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.squirly .info Domain"; dns.query; content:".squirly.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036038; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (SIZE)"; flow:established,to_server; tls.sni; content:"SIZE-"; startswith; fast_pattern; pcre:"/^SIZE-[A-Za-z0-9]{16}\./"; reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033802; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.squirly .info Domain"; flow:established,to_server; http.host; content:".squirly.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036039; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (LD)"; flow:established,to_server; tls.sni; content:"LD-"; startswith; fast_pattern; pcre:"/^LD-[A-Za-z0-9]{16}\./"; reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033803; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.toh .info Domain"; dns.query; content:".toh.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036040; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (CB)"; flow:established,to_server; tls.sni; content:"CB-"; startswith; fast_pattern; pcre:"/^CB-[A-Za-z0-9]{16}\./"; reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033804; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.toh .info Domain"; flow:established,to_server; http.host; content:".toh.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036041; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (CD)"; flow:established,to_server; tls.sni; content:"CD-"; startswith; fast_pattern; pcre:"/^CD-[A-Za-z0-9]{16}\./"; reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033805; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.xxxy .info Domain"; dns.query; content:".xxxy.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036042; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (EX)"; flow:established,to_server; tls.sni; content:"EX-"; startswith; fast_pattern; pcre:"/^EX-[A-Za-z0-9]{16}\./"; reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033806; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.xxxy .info Domain"; flow:established,to_server; http.host; content:".xxxy.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036043; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (ALIVE)"; flow:established,to_server; tls.sni; content:"ALIVE-"; startswith; fast_pattern; pcre:"/^ALIVE-[A-Za-z0-9]{16}\./"; reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033807; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.freewww .info Domain"; dns.query; content:".freewww.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036044; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (EXIT)"; flow:established,to_server; tls.sni; content:"EXIT-"; startswith; fast_pattern; pcre:"/^EXIT-[A-Za-z0-9]{16}\./"; reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033808; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.freewww .info Domain"; flow:established,to_server; http.host; content:".freewww.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036045; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (finito)"; flow:established,to_server; tls.sni; content:"finito-"; startswith; fast_pattern; pcre:"/^finito-[A-Za-z0-9]{16}\./"; reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033809; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.xxxy .biz Domain"; dns.query; content:".xxxy.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036046; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Javascript Click and Removal of Download Element"; flow:established, to_client; http.stat_code; content:"200"; file.data; content:"e|2e|setAttribute|28 22|download|22 2c 22 22 29|"; fast_pattern; content:"e|2e|click|28 29 2c|e|2e|remove|28 29|"; distance:0; reference:url,www.bleepingcomputer.com/news/security/phishing-campaign-uses-upscom-xss-vuln-to-distribute-malware/; classtype:social-engineering; sid:2033816; rev:2; metadata:created_at 2021_08_26, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.xxxy .biz Domain"; flow:established,to_server; http.host; content:".xxxy.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036047; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed nc (netcat) EXE Inbound"; flow:established,to_client; file.data; content:"MZ"; depth:10; content:"!This program"; distance:0; content:"www.vulnwatch.org/netcat/"; distance:0; fast_pattern; content:"nc [-options]"; distance:0; content:"nc -l -p port"; distance:0; reference:md5,e0db1d3d47e312ef62e5b0c74dceafe5; classtype:policy-violation; sid:2033890; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.sexxxy .biz Domain"; dns.query; content:".sexxxy.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036048; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Syndicasec Encoded Response Embedded in XML HTML Title Tags Inbound"; flow:established,to_client; content:"|3c 3f|xml"; content:"|3c|title|20|type|3d 27|text|27 3e 40|"; distance:0; fast_pattern; content:"|40 3c 2f|title|3e|"; distance:0; reference:url,www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-mangal-win32syndicasec-used-targeted-attacks-indian-organizations/; reference:md5,f339bbca8e7a5d0f1629212f61b7d351; classtype:command-and-control; sid:2033904; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_07, deployment Perimeter, former_category MALWARE, performance_impact Low, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sexxxy .biz Domain"; flow:established,to_server; http.host; content:".sexxxy.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036049; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Mingloa CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"page=querycpc/items/&duid="; fast_pattern; content:"&pid="; distance:0; content:"&time="; distance:0; content:"&hash="; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:url,news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service; classtype:command-and-control; sid:2033913; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.www1 .biz Domain"; dns.query; content:".www1.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036050; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sidewalk CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|gtuvid|0d 0a|"; fast_pattern; content:"|0d 0a|gtsid|0d 0a|"; reference:url,welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/; classtype:command-and-control; sid:2033937; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.www1 .biz Domain"; flow:established,to_server; http.host; content:".www1.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036051; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Client Cloaking Javascript Observed"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c|html|3e 3c|head|3e 3c|script|20|src|3d 27|"; content:"Aes|2e|Ctr|2e|decrypt|28|"; nocase; fast_pattern; pcre:"/^(?:[^0-9][a-zA-Z0-9_$]{1,254}),\s*(?:[^0-9][a-zA-Z0-9_$]{1,254}),\s*256\)\x3b/Ri"; content:"document|2e|write|28|output|29|"; distance:0; reference:url,unit42.paloaltonetworks.com/javascript-based-phishing/; classtype:credential-theft; sid:2033947; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_09_14, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Minor, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dhcp .biz Domain"; dns.query; content:".dhcp.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036052; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SQUIRRELWAFFLE Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html|3b 20|charset=UTF-8"; bsize:24; file.data; content:"|0d 0d 0d 09 09 09 0a 0a 0a|"; startswith; fast_pattern; pcre:"/^.{4}(?:R(?:k(?:Z(?:GQkBG|CQEY)|BCRUVG)|0FFRkFH|UJDQUE)|Q(?:U(?:V(?:CQ0FB|GQUc)|NCRkI)|kFDQkZC|EJFRUY)|(?:Z(?:AQkVF|GRkJA)R|JBQ0JGQ)g|FFQkNBQQ|dBRUZBRw)/R"; content:"|0a 0a 0a 09 09 09 0d 0d 0d|"; endswith; reference:url,twitter.com/jaydinbas/status/1437708323038564352; classtype:command-and-control; sid:2033982; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, malware_family SQUIRRELWAFFLE, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dhcp .biz Domain"; flow:established,to_server; http.host; content:".dhcp.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036053; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Spy.Agent.AW Download"; flow:established,to_client; http.response_body; content:"var"; startswith; content:"|5c 78 37 30 5c 78 36 31 5c 78 37 39 5c 78 36 44 5c 78 36 35 5c 78 36 45 5c 78 37 34 5c 78 35 46 5c 78 36 36 5c 78 36 46 5c 78 37 32 5c 78 36 44 5c 78 35 46 5c 78 36 33 5c 78 36 33 5c 78 37 33 5c 78 36 31 5c 78 37 36 5c 78 36 35|"; within:90; fast_pattern; content:"|5c 78 36 35 5c 78 37 30 5c 78 36 31 5c 78 37 39 5c 78 35 46 5c 78 37 33 5c 78 36 35 5c 78 36 33 5c 78 37 35 5c 78 37 32 5c 78 36 35 5c 78 35 46 5c 78 37 30 5c 78 36 31 5c 78 37 39 5c 78 36 44 5c 78 36 35 5c 78 36 45 5c 78 37 34|"; distance:62; within:76; reference:md5,ade43b2b2cf95ca908b82fe0e76ea54d; classtype:trojan-activity; sid:2034020; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.edns .biz Domain"; dns.query; content:".edns.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036054; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (REBOL)"; flow:established,to_server; http.user_agent; content:"REBOL"; nocase; startswith; reference:url,twitter.com/James_inthe_box/status/1441140639169609736; classtype:bad-unknown; sid:2034021; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.edns .biz Domain"; flow:established,to_server; http.host; content:".edns.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036055; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win64/TrojanDownloader.Age Download Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".docx"; endswith; http.user_agent; content:"unknown"; fast_pattern; bsize:7; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; content:!"Referer"; reference:md5,fd59dd7bb54210a99c1ed677bbfc03a8; classtype:trojan-activity; sid:2034048; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ftp1 .biz Domain"; dns.query; content:".ftp1.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036056; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fake Anti-Pegasus AV CnC Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/connect?hwid="; fast_pattern; content:"&os="; distance:0; content:"&bits=x"; distance:0; content:"&av="; distance:0; http.header_names; content:!"Referer"; reference:url,blog.talosintelligence.com/2021/09/fakeantipegasusamnesty.html; classtype:command-and-control; sid:2034083; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ftp1 .biz Domain"; flow:established,to_server; http.host; content:".ftp1.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036057; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (yawero .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"yawero.com"; bsize:10; fast_pattern; reference:url,thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks; classtype:command-and-control; sid:2034099; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mywww .biz Domain"; dns.query; content:".mywww.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036058; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (sazoya .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"sazoya.com"; bsize:10; fast_pattern; reference:url,thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks; classtype:domain-c2; sid:2034100; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mywww .biz Domain"; flow:established,to_server; http.host; content:".mywww.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036059; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Tomiris C2 (init)"; flow:established,to_server; content:"|74 00 2b 00 77 00 6c 00 7c 00 76 00 76 00 27 00 30 00 79 00 20 00 29 00|"; offset:0; reference:url,securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/; classtype:trojan-activity; sid:2034119; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ftpserver .biz Domain"; dns.query; content:".ftpserver.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036060; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Ursnif CnC Domain (Gloderuniok .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"gloderuniok.website"; bsize:19; fast_pattern; reference:url,twitter.com/JAMESWT_MHT/status/1445322477350146054; classtype:domain-c2; sid:2034140; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ftpserver .biz Domain"; flow:established,to_server; http.host; content:".ftpserver.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036061; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Ursnif CnC Domain (Vloderuniok .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"vloderuniok.website"; bsize:19; fast_pattern; reference:url,twitter.com/JAMESWT_MHT/status/1445322477350146054; classtype:domain-c2; sid:2034141; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.wwwhost .biz Domain"; dns.query; content:".wwwhost.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036062; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (Gojihu .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"Gojihu.com"; bsize:10; fast_pattern; reference:url,thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks; classtype:domain-c2; sid:2034142; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.wwwhost .biz Domain"; flow:established,to_server; http.host; content:".wwwhost.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036063; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (Yuxicu .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"Yuxicu.com"; bsize:10; fast_pattern; reference:url,thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks; classtype:domain-c2; sid:2034143; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.moneyhome .biz Domain"; dns.query; content:".moneyhome.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036064; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Oracle BI Publisher Authentication Bypass (CVE-2019-2616)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/xmlpserver/ReportTemplateService.xls"; bsize:37; fast_pattern; http.header_names; content:!"Referer"; http.request_body; content:"|3c 21|DOCTYPE|20|soap|3a|envelope|20|PUBLIC|20 22 2d 2f 2f|B|2f|A|2f|EN|22 20 22|http"; startswith; reference:url,nvd.nist.gov/vuln/detail/CVE-2019-2616; reference:cve,2019-2616; classtype:attempted-admin; sid:2034199; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_10_15, cve CVE_2019_2616, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.moneyhome .biz Domain"; flow:established,to_server; http.host; content:".moneyhome.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036065; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sabsik Config Downloader"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_body; content:"|24|url|3d 22|http|3a 2f 2f|"; startswith; content:"|2e|txt|22 3b 0d 0a 24|web|20 3d 20|New|2d|Object|20|System|2e|Net|2e|WebClient|3b|"; distance:0; within:63; fast_pattern; reference:md5,49eb944fb7f86a9d6649c6a190c782e8; classtype:trojan-activity; sid:2034288; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.port25 .biz Domain"; dns.query; content:".port25.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036066; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fake Google Chrome Notifications Installer"; flow:established,to_client; http.response_body; content:"|28|function|20 28 29|"; startswith; content:"callbackName|3a 20 27|onSubInit|27|"; distance:0; content:"workerName|3a 20 27|"; distance:0; content:"serverUrl|3a 20 27|"; distance:0; content:"applicationServerKey|3a 20|"; distance:0; content:"cookieNameS|3a 20 27|notify|2d|p|27|"; fast_pattern; distance:0; reference:url,rapid7.com/blog/post/2021/10/28/sneaking-through-windows-infostealer-malware-masquerades-as-windows-application; reference:md5,45602bfa86ee9a5e31758a24a0d5cd08; classtype:trojan-activity; sid:2034307; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.port25 .biz Domain"; flow:established,to_server; http.host; content:".port25.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036067; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downloaded .bat Disables Windows Defender"; flow:established,to_client; http.content_type; content:"application/x-msdos-program"; file.data; content:"@echo off"; startswith; content:"reg|20|delete|20 22|HKLM|5c|Software|5c|Policies|5c|Microsoft|5c|Windows|20|Defender|22 20 2f|f"; distance:0; fast_pattern; classtype:trojan-activity; sid:2034338; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.esmtp .biz Domain"; dns.query; content:".esmtp.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036068; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downloaded .bat Disables Real Time Monitoring"; flow:established,to_client; http.content_type; content:"application/x-msdos-program"; file.data; content:"@echo off"; startswith; content:"powershell.exe Set-MpPreference -DisableRealtimeMonitoring|20 24|true"; within:66; fast_pattern; classtype:trojan-activity; sid:2034339; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.esmtp .biz Domain"; flow:established,to_server; http.host; content:".esmtp.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036069; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/LNK/Agent.GX Javascript Downloader M1"; flow:established,to_client; http.content_type; content:"application/octet-stream"; file.data; content:"|3c|script language|3d 22|javascript|22 3e|"; startswith; content:"GetObject|28 22|winmgmts|3a 22 2b 22 7b|impersonationLevel=impersonate|7d 22 2b 22|"; fast_pattern; distance:0; content:"ExecQuery|28 22|Select|20 2a 20 22 2b 22|from|20 22 2b 22|Win32|5f 22 2b 22|Process|22 29 3b|"; distance:0; reference:md5,4b9eb054d9f7f5dd8c23cc1d7312013c; classtype:trojan-activity; sid:2034359; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dsmtp .biz Domain"; dns.query; content:".dsmtp.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036070; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/LNK/Agent.GX Javascript Downloader M2"; flow:established,to_client; http.content_type; content:"application/octet-stream"; file.data; content:"|3c|script language|3d 22|javascript|22 3e|"; startswith; content:"|3d 22|Explore|22 3b|"; distance:0; content:"|22|W|22 2b 22|scr"; distance:0; content:"|2b 22|ipt|22 2b 22 2e|S|22 3b|"; distance:0; content:"|3d 22|aHR0cHM6Ly9kb2NzLmdvb2dsZS5jb20vc3ByZWFkc2hlZXRzL2Qv"; distance:0; fast_pattern; reference:md5,4b9eb054d9f7f5dd8c23cc1d7312013c; classtype:trojan-activity; sid:2034360; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dsmtp .biz Domain"; flow:established,to_server; http.host; content:".dsmtp.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036071; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downloaded Script Disables Firewall/Antivirus"; flow:established,to_client; http.content_type; content:"text/plain"; file.data; content:"|22|C:|5c|Windows|5c|debug|5c|m|5c|winlogon.exe|22|"; content:"netsh advfirewall set allprofiles state off"; within:45; fast_pattern; content:"name like |27 25|Eset|25 27 22| call uninstall /nointeractive"; reference:md5,fcfc0feed527d188d6b2ed3445758511; classtype:trojan-activity; sid:2034395; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.sixth .biz Domain"; dns.query; content:".sixth.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036072; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=|29 2a 28|"; fast_pattern; reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034437; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sixth .biz Domain"; flow:established,to_server; http.host; content:".sixth.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036073; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET 30003 (msg:"ET MALWARE Possible NGLite Backdoor C2 Traffic (NKN)"; flow:established,to_server; http.request_line; content:"POST|20|/|20|HTTP/1.1"; http.host.raw; content:"seed.nkn.org|3a|"; startswith; fast_pattern; http.user_agent; content:"Go-http-client/"; startswith; http.request_body; content:"|22|address|22 3a|"; content:"|2e|monitor_03|2e|"; within:20; reference:url,unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/; reference:md5,aedebba95462e9db10b834551e3abc03; classtype:command-and-control; sid:2034438; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family NGLite, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ninth .biz Domain"; dns.query; content:".ninth.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036074; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M1"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Application"; fast_pattern; reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034442; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ninth .biz Domain"; flow:established,to_server; http.host; content:".ninth.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036075; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M2"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Name"; fast_pattern; reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034443; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.misecure .com Domain"; dns.query; content:".misecure.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036076; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M3"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Email"; fast_pattern; reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034444; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.misecure .com Domain"; flow:established,to_server; http.host; content:".misecure.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036077; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M4"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Server"; fast_pattern; reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034445; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.got-game .org Domain"; dns.query; content:".got-game.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036078; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M5"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Secured"; fast_pattern; reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034446; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.got-game .org Domain"; flow:established,to_server; http.host; content:".got-game.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036079; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M6"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Type"; fast_pattern; reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034447; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dns2 .us Domain"; dns.query; content:".dns2.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036080; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M7"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=User"; fast_pattern; reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034448; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dns2 .us Domain"; flow:established,to_server; http.host; content:".dns2.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036081; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M8"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Password"; fast_pattern; reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034449; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.changeip .us Domain"; dns.query; content:".changeip.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036082; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M9"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=SMTP"; fast_pattern; reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034450; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.changeip .us Domain"; flow:established,to_server; http.host; content:".changeip.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036083; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M10"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=|2f 2a 5c|"; fast_pattern; reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034451; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.changeip .biz Domain"; dns.query; content:".changeip.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036084; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible MalDoc Retrieving Payload 2021-07-19"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dat"; endswith; pcre:"/\/(?:[0-9]{2,8}\.)?[0-9]{4,16}\.dat$/s"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0C|3b 20|.NET4.0E)"; bsize:178; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034452; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.changeip .biz Domain"; flow:established,to_server; http.host; content:".changeip.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036085; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible MalDoc Retrieving Payload 2021-11-01"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dat"; endswith; pcre:"/\/(?:[0-9]{2,8}\.)?[0-9]{4,16}\.dat$/U"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.2|3b 20|WOW64|3b 20|Trident/8.0|3b 20|.NET4.0C|3b 20|.NET4.0E|3b 20|.NET|20|CLR|20|2.0.50727|3b 20|.NET|20|CLR|20|3.0.30729|3b 20|.NET|20|CLR|20|3.5.30729|3b 20|InfoPath.3)"; fast_pattern; bsize:162; http.header_names; content:!"Referer"; reference:md5,8eb1525db6bdadce7dae53b15f544bd2; classtype:trojan-activity; sid:2034464; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.almostmy .com Domain"; dns.query; content:".almostmy.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036086; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET 26800 -> $HOME_NET any (msg:"ET MALWARE ABCbot CnC Instruction (stop)"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_line; content:"HTTP/1.0 200 OK"; http.header; content:"Connection|3a 20|close"; http.response_body; content:"73746f707d1|7c|"; fast_pattern; startswith; reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034479; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.almostmy .com Domain"; flow:established,to_server; http.host; content:".almostmy.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036087; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Ultimate POS 4.4 Cross-Site Scripting (XSS) - Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/products"; startswith; http.content_type; content:"multipart/form-data"; startswith; http.cookie; content:"ultimate_pos_session=eyJpdiI6Il"; startswith; fast_pattern; content:"SIsInZhbHVlIjoi"; distance:30; within:20; content:"_token=null&name="; distance:0; content:"|22 3e 3c|iframe src="; distance:0; content:"submit_type=submit"; endswith; reference:url,exploit-db.com/exploits/50492; classtype:attempted-admin; sid:2034481; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_11_15, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ocry .com Domain"; dns.query; content:".ocry.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036088; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ultimate POS 4.4 Cross-Site Scripting (XSS) - Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/products"; startswith; http.content_type; content:"multipart/form-data"; startswith; http.cookie; content:"ultimate_pos_session=eyJpdiI6Il"; startswith; fast_pattern; content:"SIsInZhbHVlIjoi"; distance:30; within:20; content:"_token=null&name="; distance:0; content:"|22 3e 3c|iframe src="; distance:0; content:"submit_type=submit"; endswith; reference:url,exploit-db.com/exploits/50492; classtype:attempted-admin; sid:2034482; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_11_15, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ocry .com Domain"; flow:established,to_server; http.host; content:".ocry.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036089; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET 26800 (msg:"ET MALWARE ABCbot CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/postip"; bsize:11; http.header_names; content:!"Referer"; http.connection; content:"close"; http.content_type; content:"application/x-www-form-url encoded"; http.request_body; content:"OS|3a 20|"; startswith; content:"CPU:"; distance:0; content:"os-name:"; fast_pattern; distance:0; content:"lanip:"; distance:0; reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034483; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ourhobby .com Domain"; dns.query; content:".ourhobby.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036090; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET 26800 -> $HOME_NET any (msg:"ET MALWARE ABCbot CnC Instruction (syn)"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_line; content:"HTTP/1.0 200 OK"; http.header; content:"Connection|3a 20|close"; http.response_body; content:"73796e|7c|"; fast_pattern; startswith; reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034484; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ourhobby .com Domain"; flow:established,to_server; http.host; content:".ourhobby.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036091; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET 26800 -> $HOME_NET any (msg:"ET MALWARE ABCbot CnC Instruction (dns)"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_line; content:"HTTP/1.0 200 OK"; http.header; content:"Connection|3a 20|close"; http.response_body; content:"646e73|7c|"; fast_pattern; startswith; reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034485; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dnsfailover .net Domain"; dns.query; content:".dnsfailover.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036092; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET 26800 -> $HOME_NET any (msg:"ET MALWARE ABCbot CnC Instruction (bigudp)"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_line; content:"HTTP/1.0 200 OK"; http.header; content:"Connection|3a 20|close"; http.response_body; content:"626967756470|7c|"; fast_pattern; startswith; reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034486; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnsfailover .net Domain"; flow:established,to_server; http.host; content:".dnsfailover.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036093; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Guangzhou 1GE ONU OS Command Execution (CVE-2020-8958)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"boaform/admin/formPing"; endswith; fast_pattern; http.request_body; content:"target_addr=%3B"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:url,www.karansaini.com/os-command-injection-v-sol/; reference:cve,2020-8958; classtype:attempted-admin; sid:2034488; rev:3; metadata:attack_target Server, created_at 2021_11_17, cve CVE_2020_8958, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ygto .com Domain"; dns.query; content:".ygto.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036094; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Tenda OS Command Injection (CVE-2020-10987) (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"goform/setUsbUnload"; nocase; fast_pattern; content:"deviceName="; nocase; distance:0; content:"tmp"; distance:0; content:"wget"; distance:0; reference:url,cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits; reference:cve,2020-10987; classtype:attempted-admin; sid:2034489; rev:2; metadata:attack_target Server, created_at 2021_11_17, cve CVE_2020_10987, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ygto .com Domain"; flow:established,to_server; http.host; content:".ygto.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036095; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Tenda OS Command Injection (CVE-2020-10987) (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"goform/setUsbUnload"; endswith; nocase; fast_pattern; http.request_body; content:"deviceName="; nocase; reference:url,blog.securityevaluators.com/tenda-ac1900-vulnerabilities-discovered-and-exploited-e8e26aa0bc68; reference:cve,2020-10987; classtype:attempted-admin; sid:2034490; rev:2; metadata:attack_target Server, created_at 2021_11_17, cve CVE_2020_10987, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.gettrials .com Domain"; dns.query; content:".gettrials.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036096; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Kaseya VSA ManagedITSync SQL Injection (CVE-2017-18362)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"KaseyaCwWebService/ManagedIT.asmx"; nocase; fast_pattern; http.request_body; content:"|27|"; pcre:"/^(?:CREATE|SELECT|INSERT|UPDATE|EXEC)/Ri"; reference:url,github.com/kbni/owlky/blob/master/owlky.py; reference:cve,2017-18362; classtype:attempted-admin; sid:2034492; rev:2; metadata:created_at 2021_11_17, cve CVE_2017_18362, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.gettrials .com Domain"; flow:established,to_server; http.host; content:".gettrials.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036097; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinotto CnC Activity (hello)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"type=hello"; fast_pattern; content:"&direction="; pcre:"/^(send|receive)/R"; content:"id="; http.header_names; content:!"Referer"; reference:md5,55afe67b0cd4a01f3a9a6621c26b1a49; reference:url,securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/; classtype:trojan-activity; sid:2034562; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.4dq .com Domain"; dns.query; content:".4dq.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036098; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinotto CnC Activity (command)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"type=command"; fast_pattern; content:"&direction="; pcre:"/^(send|receive)/R"; content:"id="; http.header_names; content:!"Referer"; reference:md5,55afe67b0cd4a01f3a9a6621c26b1a49; reference:url,securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/; classtype:trojan-activity; sid:2034563; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.4dq .com Domain"; flow:established,to_server; http.host; content:".4dq.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036099; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinotto CnC Activity (result)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"type=result"; fast_pattern; content:"&direction="; pcre:"/^(send|receive)/R"; content:"id="; http.header_names; content:!"Referer"; reference:md5,55afe67b0cd4a01f3a9a6621c26b1a49; reference:url,securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/; classtype:trojan-activity; sid:2034564; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.4pu .com Domain"; dns.query; content:".4pu.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036100; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinotto CnC Activity (file)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"type=file"; fast_pattern; content:"&direction="; pcre:"/^(send|receive)/R"; content:"id="; http.header_names; content:!"Referer"; reference:md5,55afe67b0cd4a01f3a9a6621c26b1a49; reference:url,securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/; classtype:trojan-activity; sid:2034565; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, malware_family Chinotto, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.4pu .com Domain"; flow:established,to_server; http.host; content:".4pu.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036101; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyAgent C&C Activity (Request)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"update.php?id="; fast_pattern; pcre:"/^[0-9]{9}/R"; content:"&stat="; pcre:"/^[0-9a-zA-Z]{32}/R"; http.connection; content:"Keep-Alive"; bsize:10; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html; classtype:command-and-control; sid:2034573; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dsmtp .com Domain"; dns.query; content:".dsmtp.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036102; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SpyAgent C&C Activity (Response)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|21|lexec|3b|http"; startswith; fast_pattern; content:"|2e|exe"; endswith; reference:md5,fbfd9afac42ae8e86193a8e4be085eaf; reference:url,trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html; classtype:command-and-control; sid:2034574; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dsmtp .com Domain"; flow:established,to_server; http.host; content:".dsmtp.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036103; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Suspicious Response (MS-Officecmd)"; flow:established,to_client; http.response_body; content:"ms-officecmd|3a|"; nocase; content:"LaunchOfficeAppForResult"; nocase; distance:0; fast_pattern; reference:url,positive.security/blog/ms-officecmd-rce; classtype:attempted-admin; sid:2034628; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dsmtp .com Domain"; dns.query; content:".dsmtp.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036104; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request (Likely Pentester CnC)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pentest-macro?computer=c_"; fast_pattern; reference:md5,f7ddcef3607b41c593284dde397e35b8; classtype:command-and-control; sid:2034637; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dsmtp .com Domain"; flow:established,to_server; http.host; content:".dsmtp.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036105; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Tsunami Remote Shell M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.x/var/run/tty"; startswith; fast_pattern; pcre:"/^\/\.x\/var\/run\/tty\d$/U"; http.user_agent; content:"Wget"; startswith; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034684; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mynumber .org Domain"; dns.query; content:".mynumber.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036106; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Tsunami Remote Shell M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/var/"; startswith; content:"pty"; fast_pattern; endswith; bsize:11; pcre:"/^\/var\/(?:run|tmp)\/pty$/U"; http.user_agent; content:"Wget"; startswith; content:!"Referer"; classtype:trojan-activity; sid:2034686; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mynumber .org Domain"; flow:established,to_server; http.host; content:".mynumber.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036107; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DCRat CnC Activity M11"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?data=active"; endswith; fast_pattern; pcre:"/^\/[a-z0-9]{45,60}\/[a-z0-9]{35,65}\/[a-z0-9]{38,60}\.php\?data=active$/U"; http.header_names; content:!"Referer"; content:!"User-Agent"; content:"Connection"; reference:md5,b478d340a787b85e086cc951d0696cb1; classtype:command-and-control; sid:2034739; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.rebatesrule .net Domain"; dns.query; content:".rebatesrule.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036108; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http any any -> any any (msg:"ET MALWARE DCRat CnC Activity M12"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?type=__ds_setdata&__ds_setdata_user="; fast_pattern; offset:140; depth:60; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Connection"; reference:md5,b478d340a787b85e086cc951d0696cb1; classtype:command-and-control; sid:2034740; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.rebatesrule .net Domain"; flow:established,to_server; http.host; content:".rebatesrule.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036109; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http any any -> any any (msg:"ET MALWARE DCRat CnC Activity M13"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?type=__ds_getdata&__ds_getdata_user="; fast_pattern; offset:140; depth:60; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Connection"; reference:md5,b478d340a787b85e086cc951d0696cb1; classtype:command-and-control; sid:2034741; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ezua .com Domain"; dns.query; content:".ezua.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036110; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034757; rev:3; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ezua .com Domain"; flow:established,to_server; http.host; content:".ezua.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036111; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http rmi) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034758; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.sendsmtp .com Domain"; dns.query; content:".sendsmtp.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036112; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034759; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sendsmtp .com Domain"; flow:established,to_server; http.host; content:".sendsmtp.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036113; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034760; rev:3; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ssmailer .com Domain"; dns.query; content:".ssmailer.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036114; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034761; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ssmailer .com Domain"; flow:established,to_server; http.host; content:".ssmailer.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036115; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034762; rev:3; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.trickip .net Domain"; dns.query; content:".trickip.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036116; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http dns) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034765; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.trickip .net Domain"; flow:established,to_server; http.host; content:".trickip.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036117; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034766; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.trickip .org Domain"; dns.query; content:".trickip.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036118; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN WordPress HelloThinkCMF Scan"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?a=fetch&content="; startswith; content:"die(@md5(HelloThinkCMF))"; fast_pattern; distance:0; http.header_names; content:!"Referer"; classtype:network-scan; sid:2034838; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2021_12_22, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.trickip .org Domain"; flow:established,to_server; http.host; content:".trickip.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036119; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING RDP Authentication Bypass Attempt"; flow:established,to_server; content:"|03 00 00 2f 2a|"; startswith; content:"Cookie: mstshash="; dsize:<60; reference:url,pastebin.com/PSbQXJYL; classtype:attempted-admin; sid:2034857; rev:3; metadata:affected_product Microsoft_Terminal_Server_RDP, attack_target Server, created_at 2022_01_04, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dnsrd .com Domain"; dns.query; content:".dnsrd.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036120; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phish Landing Page 2022-01-14"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"http|2d|equiv|3d|refresh"; content:"email="; distance:0; content:"&.rand=13InboxLight.aspx?n="; fast_pattern; distance:0; content:"&fid="; distance:0; content:"n="; distance:0; content:"&fid="; distance:0; content:"&fav="; distance:0; reference:md5,43ac0c5346bf8aefc0068c30a34b7d39; classtype:credential-theft; sid:2034928; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnsrd .com Domain"; flow:established,to_server; http.host; content:".dnsrd.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036121; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeamTNT Related Domain in DNS Lookup (chimaera .cc)"; dns.query; content:"chimaera.cc"; nocase; bsize:11; reference:url,blog.talosintelligence.com/2022/04/teamtnt-targeting-aws-alibaba.html; classtype:domain-c2; sid:2036455; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_03, deployment Perimeter, former_category MALWARE, malware_family TeamTNT, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.lflinkup .com Domain"; dns.query; content:".lflinkup.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036122; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky APT Related Host Data Exfil M5"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/\?m=[abcde]&p1=[a-f0-9-]{8,40}(?:&p2=[^&]+)?(?:&p3=[^&]+)?$/i"; http.uri.raw; content:"//?m="; depth:5; fast_pattern; content:"&p1="; distance:1; within:4; http.header_names; content:!"Referer|0d 0a|"; reference:md5,0684d80e91581730f814e831f703bf5b; reference:url,twitter.com/s1ckb017/status/1507316584079142915; classtype:trojan-activity; sid:2035611; rev:2; metadata:created_at 2022_03_25, former_category MALWARE, malware_family Kimsuky, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.lflinkup .com Domain"; flow:established,to_server; http.host; content:".lflinkup.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036123; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pripyat Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/endpoint.php"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"cpp-httplib/0.9"; bsize:15; http.request_body; content:"|22|computername|22 3a 22|"; content:"|22|username|22 3a 22|"; distance:0; content:"|22|hashrate|22 3a|"; distance:0; reference:md5,ffb7bbf6e3e3199555b979b46d3789a6; reference:url,twitter.com/3xp0rtblog/status/1501330153900703745; reference:md5,a12ba07fcdb4eb1c1ea65e8fa49ec4ad; classtype:trojan-activity; sid:2035420; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.lflinkup .net Domain"; dns.query; content:".lflinkup.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036124; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related Domain in DNS Lookup (onlinestockwatch .net)"; dns.query; content:"onlinestockwatch.net"; nocase; bsize:20; reference:url,twitter.com/ESETresearch/status/1521735320852643840; classtype:domain-c2; sid:2036459; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_04, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_05_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.lflinkup .net Domain"; flow:established,to_server; http.host; content:".lflinkup.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036125; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky APT PebbleDash Related Activity (GET)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/test.php"; bsize:9; fast_pattern; http.accept; content:"|2a 2f 2a|"; http.connection; content:"Keep-Alive"; http.header_names; content:!"Referer"; http.request_body; content:"sep="; startswith; content:"&uid="; distance:0; reference:md5,946f787c129bf469298aa881fb0843f4; classtype:trojan-activity; sid:2036509; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.lflinkup .org Domain"; dns.query; content:".lflinkup.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036126; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Survey Credential Phish M5 2022-04-04"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"async.php"; endswith; http.referer; content:"?affId="; content:"&c1="; distance:0; content:"&c2="; distance:0; content:"&c3="; distance:0; http.request_body; content:"pageType=leadPage&method=importClick"; fast_pattern; classtype:credential-theft; sid:2036473; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.lflinkup .org Domain"; flow:established,to_server; http.host; content:".lflinkup.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036127; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Survey Credential Phish Landing Page 2022-04-04"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"plushLoaded"; content:"TP init"; distance:0; content:"/urlshort_test/uid_long="; distance:0; content:"exitClickHandler"; distance:0; content:"trackAnswer"; distance:0; content:"/survey/survey"; distance:0; fast_pattern; content:"setConversion"; distance:0; content:"setProductImpression"; distance:0; content:"setServerPixel"; distance:0; content:"trackProductClick"; distance:0; content:"loadSurveyQuestions"; distance:0; reference:md5,d4490a79d7192656f3c25258ef436291; classtype:credential-theft; sid:2036476; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.lflink .com Domain"; dns.query; content:".lflink.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036128; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT dotCMS Arbitrary File Upload Attempt (CVE-2022-26352) M1"; flow:established,to_server; http.request_line; content:"POST|20|/api/content/|20|"; startswith; fast_pattern; http.content_type; content:"multipart/form-data|3b|"; startswith; http.request_body; content:"filename=|22 2e 2e 2f|"; reference:url,blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/; reference:url,www.dotcms.com/security/SI-62; reference:cve,2022-26352; classtype:attempted-admin; sid:2036457; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2022_05_04, cve CVE_2022_26352, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_05_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.lflink .com Domain"; flow:established,to_server; http.host; content:".lflink.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036129; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT dotCMS Arbitrary File Upload Attempt (CVE-2022-26352) M2"; flow:established,to_server; http.request_line; content:"PUT|20|/api/content/|20|"; startswith; fast_pattern; http.content_type; content:"multipart/form-data|3b|"; startswith; http.request_body; content:"filename=|22 2e 2e 2f|"; reference:url,blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/; reference:url,www.dotcms.com/security/SI-62; reference:cve,2022-26352; classtype:attempted-admin; sid:2036458; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2022_05_04, cve CVE_2022_26352, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_05_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.b0tnet .com Domain"; dns.query; content:".b0tnet.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036130; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Survey Credential Phish M6 2022-04-04"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"async.php"; endswith; fast_pattern; http.referer; content:"?affId="; content:"&c1="; distance:0; content:"&c2="; distance:0; content:"&c3="; distance:0; http.request_body; content:"firstName="; content:"&lastName="; distance:0; content:"&address1="; distance:0; content:"&postalCode="; distance:0; content:"&city="; distance:0; content:"&phone="; distance:0; content:"&phoneNumber="; distance:0; content:"&emailAddress="; distance:0; content:"&cartId="; distance:0; content:"&orderItems="; distance:0; content:"&billShipSame="; distance:0; content:"&state="; distance:0; content:"&country="; distance:0; content:"&method=importLead"; distance:0; classtype:credential-theft; sid:2036474; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.b0tnet .com Domain"; flow:established,to_server; http.host; content:".b0tnet.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036131; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Survey Credential Phish M7 2022-04-04"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"async.php"; endswith; fast_pattern; http.referer; content:"/checkout.php"; http.request_body; content:"paySource=CREDITCARD"; content:"&browserData="; distance:0; content:"&cardNumber="; distance:0; content:"&cardSecurityCode="; distance:0; content:"&cardMonth="; distance:0; content:"&cardYear="; distance:0; content:"&method=importOrder"; distance:0; content:"&redirectsTo=thankyou.php"; distance:0; content:"&errorRedirectsTo="; distance:0; content:"&paySourceId="; distance:0; content:"&achAccountHolderType="; distance:0; content:"&achAccountType="; distance:0; content:"&achAccountNumber="; distance:0; content:"&achRoutingNumber="; distance:0; content:"&achNameOnCheck="; distance:0; content:"&iban="; distance:0; content:"&ddbic="; distance:0; content:"&accountHolder="; distance:0; content:"&orderItems="; distance:0; classtype:credential-theft; sid:2036475; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.changeip .net Domain"; dns.query; content:".changeip.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036132; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Survey Credential Phish M1 2022-04-04"; flow:established,to_server; http.request_line; content:"POST /survey/survey"; startswith; fast_pattern; http.referer; content:"/survey"; content:"/source="; distance:0; content:"/subid="; distance:0; content:"/nrp="; distance:0; isdataat:!33,relative; pcre:"/\/nrp=[a-f0-9]{32}$/"; http.request_body; content:"method=SetProductImpression&product="; content:"tracking_id="; distance:0; classtype:credential-theft; sid:2036460; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.changeip .net Domain"; flow:established,to_server; http.host; content:".changeip.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036133; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Survey Credential Phish M2 2022-04-04"; flow:established,to_server; http.request_line; content:"POST /survey/survey"; startswith; fast_pattern; http.referer; content:"/survey"; content:"/source="; distance:0; content:"/subid="; distance:0; content:"/nrp="; distance:0; isdataat:!33,relative; pcre:"/\/nrp=[a-f0-9]{32}$/"; http.request_body; content:"method=SetConversion&survey="; content:"&campaign="; distance:0; content:"&source="; content:"&subid=subid"; distance:0; content:"&tracking_id="; distance:0; classtype:credential-theft; sid:2036461; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mysecondarydns .com Domain"; dns.query; content:".mysecondarydns.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036134; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Survey Credential Phish M3 2022-04-04"; flow:established,to_server; http.request_line; content:"POST /survey/survey"; startswith; fast_pattern; http.referer; content:"/survey"; content:"/source="; distance:0; content:"/subid="; distance:0; content:"/nrp="; distance:0; http.request_body; content:"method=SetServerPixel&survey="; content:"&campaign="; distance:0; content:"&tracking_id="; content:"&token="; distance:0; content:"&nrp="; distance:0; pcre:"/nrp=[a-f0-9]{32}/"; content:"&returnedClient="; distance:0; classtype:credential-theft; sid:2036471; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mysecondarydns .com Domain"; flow:established,to_server; http.host; content:".mysecondarydns.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036135; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Survey Credential Phish M4 2022-04-04"; flow:established,to_server; http.request_line; content:"POST /survey/survey"; startswith; fast_pattern; http.referer; content:"/survey"; content:"/source="; distance:0; content:"/subid="; distance:0; content:"/nrp="; distance:0; http.request_body; content:"method=SetProductClick&product="; content:"&tracking_id="; distance:0; classtype:credential-theft; sid:2036472; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dynssl .com Domain"; dns.query; content:".dynssl.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036136; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DeathStalker APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api?req="; startswith; http.host; content:".pythonanywhere.com"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,871d64d8330d956593545dfff069194e; reference:md5,6161845ad2c2a2e830f249df4e0c502a; reference:url,securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/; reference:url,usa.kaspersky.com/about/press-releases/2020_infamous-hacker-for-hire-group-death-stalker-hits-the-americas-and-europe-with-new-power-pepper-malware; classtype:trojan-activity; sid:2036462; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family DeathStalker, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dynssl .com Domain"; flow:established,to_server; http.host; content:".dynssl.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036137; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Retrieving Remote Template (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dotx?v="; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,twitter.com/ShadowChasing1/status/1522181041489776641; reference:md5,a49bcddba6ec46c5868b46db6202cb76; classtype:trojan-activity; sid:2036463; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mylftv .com Domain"; dns.query; content:".mylftv.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036138; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (daji8 .me)"; dns.query; dotprefix; content:".daji8.me"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036477; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mylftv .com Domain"; flow:established,to_server; http.host; content:".mylftv.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036139; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (fbi .am)"; dns.query; dotprefix; content:".fbi.am"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036478; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mynetav .com Domain"; dns.query; content:".mynetav.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036140; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (11i .me)"; dns.query; dotprefix; content:".11i.me"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036479; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mynetav .com Domain"; flow:established,to_server; http.host; content:".mynetav.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036141; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (shopingchina .net)"; dns.query; dotprefix; content:".shopingchina.net"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036480; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fodcha Bot CnC Client Heartbeat"; flow:established,to_client; dsize:5; content:"|69 00 00 96 ff|"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:command-and-control; sid:2035940; rev:2; metadata:attack_target IoT, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Fodcha, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (googie .ph)"; dns.query; dotprefix; content:".googie.ph"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036481; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mynetav .net Domain"; dns.query; content:".mynetav.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036142; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (daj8 .me)"; dns.query; dotprefix; content:".daj8.me"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036482; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mynetav .net Domain"; flow:established,to_server; http.host; content:".mynetav.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036143; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (rootkit .tools)"; dns.query; dotprefix; content:".rootkit.tools"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036483; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mynetav .org Domain"; dns.query; content:".mynetav.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036144; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (github .wiki)"; dns.query; dotprefix; content:".github.wiki"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036484; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mynetav .org Domain"; flow:established,to_server; http.host; content:".mynetav.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036145; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (mircrosoftscoulds .com)"; dns.query; dotprefix; content:".mircrosoftscoulds.com"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036485; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.homingbeacon .net Domain"; dns.query; content:".homingbeacon.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036146; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (whoamis .info)"; dns.query; dotprefix; content:".whoamis.info"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036486; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.homingbeacon .net Domain"; flow:established,to_server; http.host; content:".homingbeacon.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036147; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (adobe .name)"; dns.query; dotprefix; content:".adobe.name"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036487; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ikwb .com Domain"; dns.query; content:".ikwb.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036148; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (dajuw .com)"; dns.query; dotprefix; content:".dajuw.com"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036488; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ikwb .com Domain"; flow:established,to_server; http.host; content:".ikwb.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036149; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (adobe-flash .wiki)"; dns.query; content:"adobe-flash.wiki"; nocase; bsize:16; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036489; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.acmetoy .com Domain"; dns.query; content:".acmetoy.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036150; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (update .adobe .wiki)"; dns.query; content:"update.adobe.wiki"; nocase; bsize:17; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036490; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.acmetoy .com Domain"; flow:established,to_server; http.host; content:".acmetoy.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036151; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (flash .wy886066 .com)"; dns.query; content:"flash.wy886066.com"; nocase; bsize:18; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036491; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dnset .com Domain"; dns.query; content:".dnset.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036152; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (linux .wy01 .vip)"; dns.query; content:"linux.wy01.vip"; nocase; bsize:14; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036492; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnset .com Domain"; flow:established,to_server; http.host; content:".dnset.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036153; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (exmail .googie .com .ph)"; dns.query; content:"exmail.googie.com.ph"; nocase; bsize:20; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036494; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.as19557 .net Domain"; dns.query; content:".as19557.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036154; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (linux .wy01 .com)"; dns.query; content:"linux.wy01.com"; nocase; bsize:14; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036495; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.as19557 .net Domain"; flow:established,to_server; http.host; content:".as19557.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036155; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (mmimdown .oss-cn-hongkong .aliyuncs .com)"; dns.query; content:"mmimdown.oss-cn-hongkong.aliyuncs.com"; nocase; bsize:37; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036496; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.toshibanetcam .com Domain"; dns.query; content:".toshibanetcam.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036156; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (agph .ivi66 .net)"; dns.query; content:"agph.ivi66.net"; nocase; bsize:14; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036497; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.toshibanetcam .com Domain"; flow:established,to_server; http.host; content:".toshibanetcam.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036157; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup"; dns.query; content:"|66 75 63 6b 65 72|youmm.nmb.bet"; nocase; bsize:19; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036493; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fodcha Bot CnC Heartbeat Response"; flow:established,to_server; dsize:5; content:"|70 00 00 8f ff|"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:command-and-control; sid:2035941; rev:2; metadata:created_at 2022_04_13, former_category MALWARE, malware_family Fodcha, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup"; dns.query; content:"fbi.|66 75 63 6b|bc.com"; nocase; bsize:14; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036498; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.authorizeddns .net Domain"; dns.query; content:".authorizeddns.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036158; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 Downloader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tt/ll"; bsize:6; fast_pattern; http.connection; content:"Keep-Alive"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; content:!"Referer"; content:!"User-Agent"; reference:md5,71eae5c5a8c5a466c73f6a83b92dbfbc; classtype:trojan-activity; sid:2036468; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, former_category MALWARE, malware_family PoshC2, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.authorizeddns .net Domain"; flow:established,to_server; http.host; content:".authorizeddns.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036159; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.4nmn .com Domain"; flow:established,to_server; http.host; content:".4nmn.com"; endswith; reference:url,alviy.com/redirect/4nmn.com; classtype:bad-unknown; sid:2036469; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.authorizeddns .org Domain"; dns.query; content:".authorizeddns.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036160; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING [TW] Internet Computer Domain Observed"; dns.query; content:".ic0.app"; endswith; reference:url,internetcomputer.org; classtype:misc-activity; sid:2036464; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_05_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.authorizeddns .org Domain"; flow:established,to_server; http.host; content:".authorizeddns.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036161; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING [TW] Internet Computer HTTP Request Observed"; flow:established,to_server; http.host; content:".ic0.app"; reference:url,internetcomputer.org; classtype:misc-activity; sid:2036465; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.authorizeddns .us Domain"; dns.query; content:".authorizeddns.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036162; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING [TW] Internet Computer HTTP Referer Observed"; flow:established,to_server; http.referer; content:".ic0.app/"; reference:url,internetcomputer.org; classtype:misc-activity; sid:2036466; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_05_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.authorizeddns .us Domain"; flow:established,to_server; http.host; content:".authorizeddns.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036163; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Internet Computer HTTP Location Redirect Observed"; flow:established,to_client; http.location; content:".ic0.app"; reference:url,internetcomputer.org; classtype:misc-activity; sid:2036467; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.cleansite .biz Domain"; dns.query; content:".cleansite.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036164; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 4nmn .com Domain"; dns.query; dotprefix; content:".4nmn.com"; nocase; endswith; reference:url,alviy.com/redirect/4nmn.com; classtype:misc-activity; sid:2036470; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, signature_severity Informational, updated_at 2022_05_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.cleansite .biz Domain"; flow:established,to_server; http.host; content:".cleansite.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036165; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PhantomNet/Smanager Related Domain in DNS Lookup"; dns.query; content:"ny.nsd-gov-pk.com"; nocase; bsize:17; reference:md5,a0ffa124d3d275874380728224980ca8; reference:url,twitter.com/nao_sec/status/1521453116024971264; classtype:domain-c2; sid:2036507; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.cleansite .info Domain"; dns.query; content:".cleansite.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036166; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Cryxos Stealer Variant Sending Data to Telegram (POST)"; flow:established,to_server; http.uri; content:"/bot1257337675:AAHDZVp72afEEmv4n6WqVFZ-_CxfvOedcso/"; fast_pattern; startswith; http.host; content:"api.telegram."; startswith; classtype:trojan-activity; sid:2036508; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_05_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Fodcha Bot Domain"; dns.query; content:"folded.in"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:trojan-activity; sid:2035942; rev:3; metadata:attack_target IoT, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Fodcha, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY F5 BIG-IP Exposed REST API GET (flowbit set)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mgmt/shared/authn/login"; fast_pattern; flowbits:set,ET.F5.exposed.api; flowbits:noalert; classtype:policy-violation; sid:2036504; rev:1; metadata:created_at 2022_05_06, updated_at 2022_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.cleansite .info Domain"; flow:established,to_server; http.host; content:".cleansite.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036167; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET POLICY F5 BIG-IP Publicly Accessible Exposed REST API Detected"; flow:from_server,established; http.stat_code; content:"401"; file.data; content:"resterrorresponse"; fast_pattern; flowbits:isset,ET.F5.exposed.api; classtype:policy-violation; sid:2036505; rev:1; metadata:created_at 2022_05_06, updated_at 2022_05_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.cleansite .us Domain"; dns.query; content:".cleansite.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036168; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Origami.b / Donot DNS Lookup"; dns.query; content:"uniqueupdatesfrtetheupdateing.live"; nocase; bsize:34; reference:md5,350204a366fd3a2b1b9b80e6891c0df3; classtype:domain-c2; sid:2036500; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_05_06, deployment Perimeter, signature_severity Major, updated_at 2022_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.cleansite .us Domain"; flow:established,to_server; http.host; content:".cleansite.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036169; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Trojan-Spy.AndroidOS.Origami.b / Donot Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"uniqueupdatesfrtetheupdateing.live"; bsize:34; fast_pattern; reference:md5,350204a366fd3a2b1b9b80e6891c0df3; classtype:domain-c2; sid:2036501; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_05_06, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.https443 .net Domain"; dns.query; content:".https443.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036170; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Eternity Stealer Screen Capture Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/clipper/"; startswith; fast_pattern; content:"install="; content:"wallets="; content:"user="; content:"comp="; content:"ip="; content:"country="; content:"city="; http.host; content:".onion"; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Proxy-Connection|0d 0a 0d 0a|"; bsize:52; http.request_body; content:"|ff d8 ff e0|"; content:"JFIF"; distance:2; within:4; reference:md5,c4b46a2d0898e9ba438366f878cd74bd; classtype:trojan-activity; sid:2036541; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, former_category MALWARE, malware_family Eternity_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.https443 .net Domain"; flow:established,to_server; http.host; content:".https443.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036171; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Eternity Stealer Data Exfiltration Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/stealer/"; startswith; fast_pattern; content:"pwds="; content:"cards="; content:"wlts="; content:"files="; content:"user="; content:"comp="; content:"ip="; content:"country="; content:"city="; content:"tag="; content:"domains="; content:"ad="; http.host; content:".onion"; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Proxy-Connection|0d 0a 0d 0a|"; bsize:52; http.request_body; content:"PK|03 04|"; byte_test:1,<=,20,0,relative; content:"Information.txt"; distance:0; reference:md5,c4b46a2d0898e9ba438366f878cd74bd; classtype:trojan-activity; sid:2036542; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, former_category MALWARE, malware_family Eternity_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_05_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.https443 .org Domain"; dns.query; content:".https443.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036172; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M1"; flow:established,to_server; http.uri; content:"/utag/lbg/main/prod/utag.15.js/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036510; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.https443 .org Domain"; flow:established,to_server; http.host; content:".https443.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036173; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Eternity Stealer CnC Domain in DNS Lookup (wasabiwallet .online)"; dns.query; content:"wasabiwallet.online"; nocase; bsize:19; reference:md5,c4b46a2d0898e9ba438366f878cd74bd; classtype:trojan-activity; sid:2036543; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, malware_family Eternity_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_05_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mypop3 .net Domain"; dns.query; content:".mypop3.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036174; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M2"; flow:established,to_server; http.uri; content:"/babel-polyfill/6.3.14/polyfill.min.js=/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036511; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mypop3 .net Domain"; flow:established,to_server; http.host; content:".mypop3.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036175; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M3"; flow:established,to_server; http.uri; content:"/adServingData/PROD/TMClient/6/8736/"; startswith;fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036512; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Fodcha Bot Domain"; dns.query; content:"fridgexperts.cc"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:trojan-activity; sid:2035943; rev:2; metadata:attack_target IoT, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Fodcha, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
+alert udp $HOME_NET any -> any ![80,443] (msg:"ET MALWARE Trojan.Win32.DLOADR.TIOIBEPQ CnC Traffic"; dsize:24; content:"|30 00|"; startswith; content:"|00 04 00 00 00 10 00 00 00 00 00 00|"; distance:9; fast_pattern; endswith; threshold:type limit, count 1, seconds 120, track by_src; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036499; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Win32_DLOADR_TIOIBEPQ, performance_impact Low, signature_severity Major, updated_at 2022_05_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mypop3 .org Domain"; dns.query; content:".mypop3.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036176; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M4"; flow:established,to_server; http.uri; content:"/advanced_search/"; startswith;fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036513; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mypop3 .org Domain"; flow:established,to_server; http.host; content:".mypop3.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036177; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M5"; flow:established,to_server; http.uri; content:"/async/newtab/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036514; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ssl443 .org Domain"; dns.query; content:".ssl443.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036178; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M6"; flow:established,to_server; http.uri; content:"/bh/sync/aol/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036515; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ssl443 .org Domain"; flow:established,to_server; http.host; content:".ssl443.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036179; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M7"; flow:established,to_server; http.uri; content:"/bootstrap/3.1.1/bootstrap.min.js/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036516; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.iownyour .biz Domain"; dns.query; content:".iownyour.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036180; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M8"; flow:established,to_server; http.uri; content:"/branch-locator/search.asp/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036517; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.iownyour .biz Domain"; flow:established,to_server; http.host; content:".iownyour.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036181; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M9"; flow:established,to_server; http.uri; content:"/business/home.asp&ved=/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036518; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.iownyour .org Domain"; dns.query; content:".iownyour.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036182; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M10"; flow:established,to_server; http.uri; content:"/cdba"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036519; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.iownyour .org Domain"; flow:established,to_server; http.host; content:".iownyour.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036183; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M11"; flow:established,to_server; http.uri; content:"/classroom/sharewidget/widget_stable.html"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036520; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .biz Domain"; dns.query; content:".onmypc.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036184; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M12"; flow:established,to_server; http.uri; content:"/client_204/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036521; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .biz Domain"; flow:established,to_server; http.host; content:".onmypc.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036185; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M13"; flow:established,to_server; http.uri; content:"/load/pages/index.php/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036522; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .info Domain"; dns.query; content:".onmypc.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036186; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M15"; flow:established,to_server; http.uri; content:"/TOS/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036523; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .info Domain"; flow:established,to_server; http.host; content:".onmypc.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036187; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M16"; flow:established,to_server; http.uri; content:"/trader-update/history&pd=/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036524; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .net Domain"; dns.query; content:".onmypc.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036188; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M17"; flow:established,to_server; http.uri; content:"/types/translation/v1/articles/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036525; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .net Domain"; flow:established,to_server; http.host; content:".onmypc.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036189; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M18"; flow:established,to_server; http.uri; content:"/uasclient/0.1.34/modules/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036526; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .org Domain"; dns.query; content:".onmypc.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036190; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M19"; flow:established,to_server; http.uri; content:"/usersync/tradedesk/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036527; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .org Domain"; flow:established,to_server; http.host; content:".onmypc.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036191; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M20"; flow:established,to_server; http.uri; content:"/webhp/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036528; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .us Domain"; dns.query; content:".onmypc.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036192; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M21"; flow:established,to_server; http.uri; content:"/work/embedded/search/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036529; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .us Domain"; flow:established,to_server; http.host; content:".onmypc.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036193; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M22"; flow:established,to_server; http.uri; content:"/GoPro5/black/2018/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036530; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dubya .info Domain"; dns.query; content:".dubya.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036194; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M23"; flow:established,to_server; http.uri; content:"/Philips/v902/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036531; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dubya .info Domain"; flow:established,to_server; http.host; content:".dubya.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036195; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M24"; flow:established,to_server; http.uri; content:"/cisben/marketq/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036532; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dubya .us Domain"; dns.query; content:".dubya.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036196; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M25"; flow:established,to_server; http.uri; content:"/qqzddddd/2018/load.php/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036533; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dubya .us Domain"; flow:established,to_server; http.host; content:".dubya.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036197; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M26"; flow:established,to_server; http.uri; content:"/vfe01s/1/vsopts.js/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036534; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dubya .biz Domain"; dns.query; content:".dubya.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036198; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M27"; flow:established,to_server; http.uri; content:"/vssf/wppo/site/bgroup/visitor/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036535; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dubya .biz Domain"; flow:established,to_server; http.host; content:".dubya.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036199; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M28"; flow:established,to_server; http.uri; content:"/putil/2018/0/11/po.html/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036536; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dubya .net Domain"; dns.query; content:".dubya.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036200; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M29"; flow:established,to_server; http.uri; content:"/wpaas/load.php/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036537; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dubya .net Domain"; flow:established,to_server; http.host; content:".dubya.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036201; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M30"; flow:established,to_server; http.uri; content:"/web/20110920084728/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036538; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.wwwhost .us Domain"; dns.query; content:".wwwhost.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036202; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M31"; flow:established,to_server; http.uri; content:"/business/retail-business/insurance.asp/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036539; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.wwwhost .us Domain"; flow:established,to_server; http.host; content:".wwwhost.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036203; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M32"; flow:established,to_server; http.uri; content:"/status/995598521343541248/query=/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036540; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.zyns .com Domain"; flow:established,to_server; http.host; content:".zyns.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036204; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Trend Micro Phishing Simulation Service"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>You could have been phished"; nocase; content:"Trend Micro Phish Insight provides a phishing simulation service"; nocase; fast_pattern; threshold:type limit, count 1, seconds 600, track by_src; classtype:social-engineering; sid:2036506; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.otzo .com Domain"; flow:established,to_server; http.host; content:".otzo.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036205; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass (CVE 2022-1388) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mgmt/tm/util/bash"; fast_pattern; bsize:18; http.header; content:"Authorization|3a 20|Basic YWRtaW46"; http.connection; content:"x-F5-Auth-Token"; nocase; http.header_names; content:!"Referer"; content:"X-F5-Auth-Token"; http.request_body; content:"command"; content:"run"; distance:0; content:"utilCmdArgs"; distance:0; flowbits:set,ET.F5AuthBypass; reference:cve,2022-1388; classtype:attempted-admin; sid:2036546; rev:2; metadata:attack_target Web_Server, created_at 2022_05_09, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dns-report .com Domain"; flow:established,to_server; http.host; content:".dns-report.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036206; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Suspicious HTTP Connection Header Observed"; flow:established,to_server; http.connection; content:!"upgrade"; nocase; content:!"keep-alive"; nocase; content:!"close"; nocase; http.header_names; content:"|0d 0a|Connection|0d 0a|"; fast_pattern; nocase; classtype:misc-activity; sid:2036551; rev:2; metadata:created_at 2022_05_06, former_category HUNTING, updated_at 2022_05_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dns1 .us Domain"; flow:established,to_server; http.host; content:".dns1.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036207; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Stonefly APT Related Domain in DNS Lookup (semiconductboard .com)"; dns.query; content:"semiconductboard.com"; nocase; bsize:20; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage; classtype:domain-c2; sid:2036544; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_09, deployment Perimeter, former_category MALWARE, malware_family Stonefly, signature_severity Major, updated_at 2022_05_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.changeip .co Domain"; dns.query; content:".changeip.co"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036208; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Stonefly APT Related Domain in DNS Lookup (tecnojournals .com)"; dns.query; content:"tecnojournals.com"; nocase; bsize:17; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage; classtype:domain-c2; sid:2036545; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_09, deployment Perimeter, former_category MALWARE, malware_family Stonefly, signature_severity Major, updated_at 2022_05_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.changeip .co Domain"; flow:established,to_server; http.host; content:".changeip.co"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036209; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass Server Response (CVE 2022-1388)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"kind"; content:"tm|3a|util|3a|bash|3a|runstate"; fast_pattern; distance:0; content:"command"; distance:0; content:"run"; distance:0; content:"utilCmdArgs"; distance:0; content:"commandResult"; distance:0; flowbits:isset,ET.F5AuthBypass; reference:cve,2022-1388; classtype:trojan-activity; sid:2036547; rev:1; metadata:attack_target Web_Server, created_at 2022_05_09, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Golang HTTP Backdoor Connectivity Check"; flow:established,to_server; http.method; http.request_line; content:"POST /GO/"; fast_pattern; content:".php"; endswith; http.accept_enc; bsize:1; content:"*"; http.content_len; bsize:1; content:"0"; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:command-and-control; sid:2035957; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Backdoor, updated_at 2022_04_14;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Sophos Firewall Authentication Bypass (CVE-2022-1040)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/userportal/Controller?"; fast_pattern; startswith; content:"mode="; content:"operation="; content:"datagrid="; content:"json="; http.header; content:"X-Requested-With|3a 20|XMLHttpRequest"; http.header_names; content:!"Referer"; flowbits:set,ET.SophosAuthBypass; reference:cve,2022-1040; reference:url,attackerkb.com/topics/cdXl2NL3cR/cve-2022-1040; classtype:attempted-admin; sid:2036548; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_05_09, cve CVE_2022_1040, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortening Service Domain in DNS Lookup (maxiurl .com)"; dns.query; content:"maxiurl.com"; nocase; bsize:11; classtype:misc-activity; sid:2036226; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_15;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Wacatac.B Loader CnC Checkin"; flow:established,to_server; content:"REELIP>"; distance:0; fast_pattern; content:"SETMAC>"; distance:0; content:"SETCOMPUTERNAME>"; distance:0; content:"SETPARENT>"; distance:0; content:"SETOS>"; distance:0; content:"SETDATE>"; distance:0; content:"CLIENTID>"; distance:0; content:"CHECKVERSION>"; distance:0; reference:md5,f787cefe0e82f5605fb91d6987781a6b; classtype:trojan-activity; sid:2036564; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_09, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2022_05_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (maxiurl .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"maxiurl.com"; bsize:11; fast_pattern; classtype:misc-activity; sid:2036227; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, signature_severity Informational, updated_at 2022_04_15;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Sophos Firewall Authentication Bypass (CVE-2022-1040) Server Response M1"; flow:established,to_client; flowbits:isset,ET.SophosAuthBypass; file.data; content:"{|22|status|22 3a 22|Session Expired|22|}"; fast_pattern; reference:cve,2022-1040; reference:url,attackerkb.com/topics/cdXl2NL3cR/cve-2022-1040; classtype:attempted-admin; sid:2036549; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_05_09, cve CVE_2022_1040, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (bnt2 .live)"; dns.query; content:"bnt2.live"; nocase; bsize:9; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036231; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Sophos Firewall Authentication Bypass (CVE-2022-1040) Server Response M2"; flow:established,to_client; flowbits:isset,ET.SophosAuthBypass; file.data; content:"{|22|status|22 3a 22|-2|22|}"; fast_pattern; reference:cve,2022-1040; reference:url,attackerkb.com/topics/cdXl2NL3cR/cve-2022-1040; classtype:attempted-admin; sid:2036550; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_05_09, cve CVE_2022_1040, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (signin .dedyn .io)"; dns.query; content:"signin.dedyn.io"; nocase; bsize:15; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036232; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BluStealer Related Domain in DNS Lookup (premium12 .web-hosting .com)"; dns.query; content:"premium12.web-hosting.com"; nocase; bsize:25; reference:url,blog.minerva-labs.com/a-new-blustealer-loader-uses-direct-syscalls-to-evade-edrs; reference:md5,953b2013a8b0d4be5368a65fc74c93f4; classtype:bad-unknown; sid:2036552; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_10, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_05_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (archery .dedyn .io)"; dns.query; content:"archery.dedyn.io"; nocase; bsize:16; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036233; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/SilentBreak Related Domain in DNS Lookup (eleed .cloud)"; dns.query; content:"eleed.cloud"; nocase; bsize:11; reference:url,securelist.com/a-new-secret-stash-for-fileless-malware/106393/; classtype:domain-c2; sid:2036553; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (market .vinam .me)"; dns.query; content:"market.vinam.me"; nocase; bsize:15; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036234; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/SilentBreak Related Domain in DNS Lookup (eleed .online)"; dns.query; content:"eleed.online"; nocase; bsize:12; reference:url,securelist.com/a-new-secret-stash-for-fileless-malware/106393/; classtype:domain-c2; sid:2036554; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (market .dedyn .io)"; dns.query; content:"market.dedyn.io"; nocase; bsize:15; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036235; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/SilentBreak Related Domain in DNS Lookup"; dns.query; content:"opswat.info"; nocase; bsize:11; reference:url,securelist.com/a-new-secret-stash-for-fileless-malware/106393/; classtype:domain-c2; sid:2036555; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_10, deployment Perimeter, signature_severity Major, updated_at 2022_05_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".db2"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,db9df7f1bcfba0346d9e7de729c018a2; reference:url,twitter.com/500mk500/status/1515002456882786310; classtype:trojan-activity; sid:2036228; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_15;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT F5 BIG-IP iControl REST authentication bypass attempt (CVE 2022-1388) M2"; flow:established,to_server; http.method; content:!"GET"; http.uri; content:"/mgmt/tm"; startswith; http.header; content:"Authorization|3a 20|Basic YWRtaW46"; http.connection; content:"x-F5-Auth-Token"; nocase; http.header_names; content:!"Referer"; content:"X-F5-Auth-Token"; fast_pattern; threshold:type limit, count 1, seconds 60, track by_src; reference:cve,2022-1388; classtype:trojan-activity; sid:2036556; rev:1; metadata:attack_target Web_Server, created_at 2022_05_10, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bluebox Data Exfiltration"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?ver="; fast_pattern; content:"corp="; content:"os="; content:"softid="; content:"hid="; content:"macadd="; content:"md5="; content:"rand="; content:"subid="; http.user_agent; content:"IEhook"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b13718f353c8c0ea51a15733e035199e; classtype:pup-activity; sid:2036236; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2022_04_18;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DirectsX Checkin Response"; flow:established,from_server; stream_size:server,<,30; dsize:25; content:"|19 00 00 00|"; offset:17; depth:4; content:!"|00 00|"; within:2; content:!"|ff ff|"; within:2; content:!"_loc"; reference:url,public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf; classtype:command-and-control; sid:2019633; rev:3; metadata:created_at 2014_11_04, former_category MALWARE, updated_at 2022_05_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY [TW] IPFS Protocol HTTP Headers Observed"; flow:established,to_client; http.header_names; content:"|0d 0a|X-Ipfs-"; nocase; fast_pattern; threshold: type threshold, track by_src, count 10, seconds 30; classtype:misc-activity; sid:2036229; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_04_15;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO External IP Lookup Domain Domain in DNS Lookup (ipbase .com)"; dns.query; content:"ipbase.com"; nocase; bsize:10; classtype:bad-unknown; sid:2036560; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_11, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_05_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY [TW] IPFS File Request Observed"; flow:established,to_server; http.uri; content:"/ipfs/"; fast_pattern; pcre:"/^[a-z0-9]{40,}/Ri"; threshold: type threshold, track by_src, count 10, seconds 30; classtype:misc-activity; sid:2036230; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_04_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed External IP Lookup Domain (ipbase .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"ipbase.com"; bsize:10; fast_pattern; classtype:bad-unknown; sid:2036561; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_11, deployment Perimeter, signature_severity Major, updated_at 2022_05_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Bumblebee Loader User-Agent (bumblebee)"; flow:established,to_server; http.user_agent; content:"bumblebee"; bsize:9; fast_pattern; reference:md5,555b77d23549e231c8d7f0b003cc5164; reference:md5,3f34d94803e9c8bc0a9cd09f507bc515; reference:url,www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/; reference:url,blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/; classtype:trojan-activity; sid:2036237; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, deployment SSLDecrypt, former_category USER_AGENTS, malware_family Bumblebee_Loader, signature_severity Major, updated_at 2022_04_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO External File Sharing Service Domain (api .anonfile .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.anonfile.com"; bsize:16; fast_pattern; classtype:bad-unknown; sid:2036562; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_11, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_05_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (hojimizeg .com)"; dns.query; content:"hojimizeg.com"; nocase; bsize:13; reference:url,www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/; classtype:domain-c2; sid:2036238; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO External File Sharing Domain in DNS Lookup (anonfile .com)"; dns.query; dotprefix; content:".anonfile.com"; nocase; endswith; classtype:bad-unknown; sid:2036563; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_11, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_05_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (notixow .com)"; dns.query; content:"notixow.com"; nocase; bsize:11; reference:url,www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/; classtype:domain-c2; sid:2036239; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Wacatac.B Payload Download"; flow:established,to_client; content:"DOWNLOADANDEXECUTE>"; fast_pattern; reference:md5,f787cefe0e82f5605fb91d6987781a6b; classtype:trojan-activity; sid:2036565; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (rewujisaf .com)"; dns.query; content:"rewujisaf.com"; nocase; bsize:13; reference:url,www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/; classtype:trojan-activity; sid:2036240; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Throwback CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:"|0d 0a|Connection|0d 0a|Pragma|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Host|0d 0a 0d 0a|"; endswith; content:!"Referer"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"pd="; fast_pattern; startswith; pcre:"/^(?:[A-Za-z0-9~+/]{4})*(?:[A-Za-z0-9~+/]{2}==|[A-Za-z0-9~+/]{3}=|[A-Za-z0-9~+/]{4})$/R"; reference:url,github.com/silentbreaksec/Throwback; classtype:trojan-activity; sid:2036590; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_12, deployment Perimeter, former_category MALWARE, malware_family Throwback, signature_severity Major, updated_at 2022_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matrix Max Stealer Exfiltration Observed"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:60; http.request_body; content:"zipx=UEsDBBQ"; startswith; fast_pattern; reference:md5,e8573f06d342ae05ece8d1be111669c4; reference:url,twitter.com/James_inthe_box/status/1516049381539004418; classtype:trojan-activity; sid:2036245; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment SSLDecrypt, former_category MALWARE, malware_family Matrix_Max, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Throwback Server Response (Incoming)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>404 Not Found</title>"; content:"<h1>Not Found</h1>"; distance:0; content:"<hidden stup1fy|20|"; distance:0; fast_pattern; reference:url,github.com/silentbreaksec/Throwback; classtype:trojan-activity; sid:2036591; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_12, deployment Perimeter, former_category MALWARE, malware_family Throwback, signature_severity Major, updated_at 2022_05_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE - Trojan.Proxy.PPAgent.t (updateb)"; flow:established,to_server; http.uri; content:"/updateb.php?p="; nocase; pcre:"/updateb\.php\?p=\d/i"; flowbits:isset,BT.ppagent.updatea; flowbits:unset,BT.ppagent.updatea; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003116; classtype:trojan-activity; sid:2003116; rev:8; metadata:created_at 2010_07_30, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded ipconfig sent via HTTP URI M1"; flow:established,to_server; http.uri; content:"V2luZG93cyBJUCBDb25maWd1cmF0aW9u"; fast_pattern; pcre:"/(?:Q29ubmVjdGlvbi1zcGVjaWZpYyBETlMgU3VmZml4|Nvbm5lY3Rpb24tc3BlY2lmaWMgRE5TIFN1ZmZpe|Db25uZWN0aW9uLXNwZWNpZmljIEROUyBTdWZmaX)/R"; reference:md5,1df312629294f2de70a335a751a13a28; classtype:unknown; sid:2036566; rev:1; metadata:attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2022_05_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl ASCII"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"clickurl="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005478; classtype:web-application-attack; sid:2005478; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded ipconfig sent via HTTP URI M2"; flow:established,to_server; http.uri; content:"dpbmRvd3MgSVAgQ29uZmlndXJhdGlvb"; fast_pattern; pcre:"/(?:Q29ubmVjdGlvbi1zcGVjaWZpYyBETlMgU3VmZml4|Nvbm5lY3Rpb24tc3BlY2lmaWMgRE5TIFN1ZmZpe|Db25uZWN0aW9uLXNwZWNpZmljIEROUyBTdWZmaX)/R"; reference:md5,1df312629294f2de70a335a751a13a28; classtype:unknown; sid:2036567; rev:1; metadata:attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2022_05_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"D="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006614; classtype:web-application-attack; sid:2006614; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded ipconfig sent via HTTP URI M3"; flow:established,to_server; http.uri; content:"XaW5kb3dzIElQIENvbmZpZ3VyYXRpb2"; fast_pattern; pcre:"/(?:Q29ubmVjdGlvbi1zcGVjaWZpYyBETlMgU3VmZml4|Nvbm5lY3Rpb24tc3BlY2lmaWMgRE5TIFN1ZmZpe|Db25uZWN0aW9uLXNwZWNpZmljIEROUyBTdWZmaX)/R"; reference:md5,1df312629294f2de70a335a751a13a28; classtype:unknown; sid:2036568; rev:1; metadata:attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2022_05_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ExplorerHijack Trojan HTTP Checkin"; flow:established,to_server; http.uri; content:"php?i="; content:"&v="; content:"&win=Windows"; content:"&un="; content:"&uv="; content:"&s="; content:"&onl="; content:"&ip="; content:"&f="; reference:url,doc.emergingthreats.net/2007700; classtype:command-and-control; sid:2007700; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP URI M1"; flow:established,to_server; http.uri; content:"VjJsdVpHOTNjeUJKVUNCRGIyNW1hV2QxY21GMGFXOX"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036572; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MSIL/Crimson Rat CnC Exfil"; flow:established,to_server; content:"|00 00 00|ent4rme"; offset:2; depth:10; fast_pattern; content:"|20 7c 20|"; distance:0; content:"|23|runtimebroker"; distance:0; threshold:type limit, track by_src, count 5, seconds 600; reference:md5,3829791a486b0b9ccb80ffcb7177c19c; reference:url,twitter.com/0xrb/status/1515979150515122178; classtype:command-and-control; sid:2036241; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Crimson, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP URI M2"; flow:established,to_server; http.uri; content:"YybHVaRzkzY3lCSlVDQkRiMjVtYVdkMWNtRjBhVzl1"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036573; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pointpack.kr Related Trojan Checkin"; flow:established,to_server; http.uri; content:"php?"; content:"kind="; content:"&pid="; content:"&ver="; content:"&uniq="; content:"&addresses="; content:"&hdmacid="; content:"&dllver="; content:"&subv="; reference:url,doc.emergingthreats.net/2008260; classtype:command-and-control; sid:2008260; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP URI M3"; flow:established,to_server; http.uri; content:"WMmx1Wkc5M2N5QkpVQ0JEYjI1bWFXZDFjbUYwYVc5d"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036574; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Win32.Small.avu HTTP Checkin"; flow:established,to_server; http.uri; content:"m="; content:"&a="; content:"&r="; content:"&os="; content:"00000"; pcre:"/\/s_\d\d_\d+\?/"; pcre:"/&os=[0-9a-z]{40}/i"; reference:url,doc.emergingthreats.net/2008412; classtype:command-and-control; sid:2008412; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP URI M4"; flow:established,to_server; http.uri; content:"ZHBibVJ2ZDNNZ1NWQWdRMjl1Wm1sbmRYSmhkR2x2Y"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036575; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Password Stealer (PSW.Win32.Magania Family) GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"pass="; content:"type="; content:"host="; content:"port="; content:"name="; content:"pc="; content:"user="; content:"ip="; content:"version="; http.header; content:"User-Agent|3a| NR"; reference:url,www.f-secure.com/v-descs/trojan-psw_w32_magania.shtml; reference:url,www.threatexpert.com/reports.aspx?find=Trojan-PWS.Magania; reference:url,doc.emergingthreats.net/2009094; classtype:trojan-activity; sid:2009094; rev:8; metadata:created_at 2010_07_30, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP URI M5"; flow:established,to_server; http.uri; content:"RwYm1SdmQzTWdTVkFnUTI5dVptbG5kWEpoZEdsdm"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036576; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Swizzor Family GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"szclientid="; content:"szmac="; content:"szusername="; content:"szver="; content:"mode="; content:"value="; content:"systype="; content:"rid="; content:"szname="; content:"szpaname="; content:"palen="; content:"szpapaname="; content:"chksum="; reference:md5,ed06e3cd6f57fc260194bf9fa224181e; reference:url,doc.emergingthreats.net/2009441; classtype:trojan-activity; sid:2009441; rev:7; metadata:created_at 2010_07_30, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP URI M6"; flow:established,to_server; http.uri; content:"kcGJtUnZkM01nU1ZBZ1EyOXVabWxuZFhKaGRHbHZi"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036577; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Antivirus2010 Checkin port 8082"; flow:established,to_server; http.uri; content:"/ask?"; content:"&u="; content:"a="; content:"&m="; content:"&h="; reference:url,blog.emsisoft.com/2010/08/09/antivirus2010-userinit-and-then-some-more/; reference:url,doc.emergingthreats.net/2011473; classtype:command-and-control; sid:2011473; rev:5; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP URI M7"; flow:established,to_server; http.uri; content:"WGFXNWtiM2R6SUVsUUlFTnZibVpwWjNWeVlYUnBiM"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036578; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java Archive sent when remote host claims to send an image"; flow:established,to_client; http.content_type; content:!"application/java-archive"; content:"image"; nocase; startswith; file.data; content:"PK"; depth:2; content:"META-INF/MANIFEST"; distance:0; fast_pattern; classtype:trojan-activity; sid:2014288; rev:6; metadata:created_at 2012_02_28, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP URI M8"; flow:established,to_server; http.uri; content:"hhVzVrYjNkeklFbFFJRU52Ym1acFozVnlZWFJwYj"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036579; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET MISC RuggedCom factory account backdoor"; flow:established,to_client; flowbits:isset,ET.RUGGED.BANNER; content:"Enter User Name|3A|"; pcre:"/Enter User Name\x3a(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*\s*(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*f(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*a(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*c(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*t(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*o(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*r(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*y(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*[\r\n]/"; reference:url,www.exploit-db.com/exploits/18779/; reference:url,arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars; classtype:attempted-admin; sid:2014646; rev:5; metadata:created_at 2012_04_28, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP URI M9"; flow:established,to_server; http.uri; content:"YYVc1a2IzZHpJRWxRSUVOdmJtWnBaM1Z5WVhScGIy"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036580; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SNET EK Downloading Payload"; flow:established,to_server; http.uri; content:"get"; content:"?src="; fast_pattern; distance:0; content:"snet"; endswith; pcre:"/\?src=[a-z]+snet$/"; http.user_agent; content:" WinHttp.WinHttpRequest"; classtype:exploit-kit; sid:2016566; rev:5; metadata:created_at 2013_03_14, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP Requset Body M1"; flow:established,to_server; http.request_body; content:"VjJsdVpHOTNjeUJKVUNCRGIyNW1hV2QxY21GMGFXOX"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036581; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Rawin - Landing Page Received"; flow:established,to_client; file.data; content:"<body bgcolor=|22|"; pcre:"/^[0-9a-f]{6}/R"; content:"<body bgcolor=|22|"; pcre:"/^[0-9a-f]{6}/Ri"; content:"|22 20|>|0a|<applet"; within:11; fast_pattern; classtype:exploit-kit; sid:2017177; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_24, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP Requset Body M2"; flow:established,to_server; http.request_body; content:"YybHVaRzkzY3lCSlVDQkRiMjVtYVdkMWNtRjBhVzl1"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036582; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neurevt.A/Betabot Check-in 4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".aspx"; http.user_agent; content:!"SmadavStat"; http.host; content:!"lavasoft.com"; http.request_body; content:!"Zerto.ZVM"; content:!"id1="; content:"1="; content:"2="; distance:0; content:"3="; distance:0; content:"4="; distance:0; fast_pattern; pcre:"/&(?P<vname>[a-z]+)1=[A-F0-9]+&(?P=vname)2=[A-F0-9]+&(?P=vname)3=[A-F0-9]+&(?P=vname)4=[A-F0-9]/"; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|"; depth:16; content:!"Referer"; content:!"Accept"; reference:md5,5eada3ed47d7557df375d8798d2e0a8b; classtype:trojan-activity; sid:2018784; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category TROJAN, malware_family Neurevt, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP Requset Body M3"; flow:established,to_server; http.request_body; content:"WMmx1Wkc5M2N5QkpVQ0JEYjI1bWFXZDFjbUYwYVc5d"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036583; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Adwind/jSocket SSL Cert (assylias.Inc)"; flow:established,to_client; tls.cert_serial; content:"1F:23:9D:BD"; tls.cert_subject; content:"O=assylias.Inc"; fast_pattern; reference:md5,4e5c28fab23b35dea2d48a1c2db32b56; reference:md5,b102c26e04e97bda97b11bfe7366e61e; classtype:trojan-activity; sid:2020728; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP Requset Body M4"; flow:established,to_server; http.request_body; content:"ZHBibVJ2ZDNNZ1NWQWdRMjl1Wm1sbmRYSmhkR2x2Y"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036584; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 14 2016"; flow:established,to_client; file.data; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 64 69 76|"; within:20; pcre:"/^(?:\x20id=\x22\d+\x22)?\x20style=\x22(?=[^\x22\r\n]*top\x3a\x20-\d{3}px\x3b)(?=[^\x22\r\n]*left\x3a-\d{3}px\x3b)(?=[^\x22\r\n]*position\x3a\x20absolute\x3b)[^\x22\r\n]*\x22>\x20<iframe[^\r\n>]*><\x2f/R"; content:"|69 27 2b 27 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 27 29 3b|"; within:19; fast_pattern; isdataat:!4,relative; classtype:exploit-kit; sid:2022898; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP Requset Body M5"; flow:established,to_server; http.request_body; content:"RwYm1SdmQzTWdTVkFnUTI5dVptbG5kWEpoZEdsdm"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036585; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO QUIC UDP Internet Connections Protocol Client Hello (OUTBOUND)"; flow:to_server; content:"|80 01|CHLO"; content:"PAD"; content:"SNI"; content:"CCS"; content:"PDMD"; content:"VERS"; nocase; flowbits:set,ET.QUIC.FirstClientHello; reference:url,tools.ietf.org/html/draft-tsvwg-quic-protocol-00; classtype:protocol-command-decode; sid:2022996; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP Requset Body M6"; flow:established,to_server; http.request_body; content:"kcGJtUnZkM01nU1ZBZ1EyOXVabWxuZFhKaGRHbHZi"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036586; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET HUNTING SUSPICIOUS Path to BusyBox"; flow:established,to_server; content:"/bin/busybox"; flowbits:set,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:suspicious-filename-detect; sid:2023016; rev:2; metadata:attack_target Server, created_at 2016_08_08, deployment Datacenter, former_category TELNET, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP Requset Body M7"; flow:established,to_server; http.request_body; content:"WGFXNWtiM2R6SUVsUUlFTnZibVpwWjNWeVlYUnBiM"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036587; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK NOP Sled Sep 22 2016 (b641)"; flow:established,to_client; file.data; content:"LGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdIF"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023271; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP Requset Body M8"; flow:established,to_server; http.request_body; content:"hhVzVrYjNkeklFbFFJRU52Ym1acFozVnlZWFJwYj"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036588; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK NOP Sled Sep 22 2016 (b642)"; flow:established,to_client; file.data; content:"pdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NVEX"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023272; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP Requset Body M9"; flow:established,to_server; http.request_body; content:"YYVc1a2IzZHpJRWxRSUVOdmJtWnBaM1Z5WVhScGIy"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036589; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK NOP Sled Sep 22 2016 (b643)"; flow:established,to_client; file.data; content:"4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGYUJ"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023273; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Get2 Downloader Activity"; flow:established,to_server; http.user_agent; content:"CIBA|3b 20|MS-RTC LM 8|29|"; endswith; http.method; content:"POST"; classtype:trojan-activity; sid:2028642; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Slight Sep 22 2016 (b641)"; flow:established,to_client; file.data; content:"x7soyTdaNq94NWpdLGZ4NWpd"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023274; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
+alert http any any -> $HOME_NET any (msg:"ET HUNTING Base64 Encoded ipconfig In Server Response M1"; flow:established,to_client; http.response_body; content:"aXBjb25maW"; fast_pattern; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036569; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Slight Sep 22 2016 (b642)"; flow:established,to_client; file.data; content:"MlADchNaR0LGZ4NWpdLGZ4N"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023275; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
+alert http any any -> $HOME_NET any (msg:"ET HUNTING Base64 Encoded ipconfig In Server Response M2"; flow:established,to_client; http.response_body; content:"lwY29uZmln"; fast_pattern; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036570; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Slight Sep 22 2016 (b643)"; flow:established,to_client; file.data; content:"azTEhyWNbKGpdLGZ4NWpdLG"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023276; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
+alert http any any -> $HOME_NET any (msg:"ET HUNTING Base64 Encoded ipconfig In Server Response M3"; flow:established,to_client; http.response_body; content:"pcGNvbmZpZ"; fast_pattern; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036571; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK March 15 2017 M2"; flow:established,to_client; file.data; content:"<iframe"; within:7; pcre:"/^(?:\s+style=\x27hidden\x27)?\s+src=\x27https?\x3a[^>\x22\x27]+[\x22\x27]\s*width=\x270\x27\s+/Ri"; content:"|68 65 69 67 68 74 3d 27 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c|"; within:34; isdataat:100; classtype:exploit-kit; sid:2024093; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_17, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Cryptowallet Credential Phish 2022-05-12"; flow:established,to_server; http.request_line; content:"POST /"; startswith; http.host; content:!"trustwallet.com"; content:!"metamask.io"; http.request_body; content:"submitted=true&passphrase="; startswith; fast_pattern; reference:md5,4df173b9e3c2615141978e361c62815b; classtype:credential-theft; sid:2036593; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_12, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M3 B643"; flow:established,to_client; file.data; content:"|4e6f636e636f4d7a49334e6a6370|"; pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/"; classtype:exploit-kit; sid:2024361; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
+alert tcp any any -> any 443 (msg:"ET MALWARE Malicious ELF Activity"; dsize:<50; content:"OpenSSL-1.0.0-fipps"; startswith; fast_pattern; reference:md5,eb7ba9f7424dffdb7d695b00007a3c6d; classtype:trojan-activity; sid:2036592; rev:1; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2022_05_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_05_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Landing Aug 23 2017"; flow:established,to_client; flowbits:isset,ET.DisDain.EK; http.stat_code; content:"200"; file.data; content:"document.write("; content:"w6UKpvNSUQKuCVmSVlTLELdj"; distance:0; within:75; classtype:exploit-kit; sid:2024612; rev:4; metadata:created_at 2017_08_23, updated_at 2022_04_18;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT [Rapid7] Zyxel ZTP setWanPortSt mtu Parameter Exploit Attempt (CVE 2022-30525)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ztp/cgi-bin/handler"; fast_pattern; bsize:20; http.request_body; content:"setWanPortSt"; content:"mtu"; pcre:"/^["']\s*:\s*["']\s*[^0-9]+/Ri"; reference:cve,2022-30525; reference:url,www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/; classtype:misc-attack; sid:2036596; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_05_16, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP [PTsecurity] Adware/Rukometa(LoadMoney) Fake PNG File"; flow:established,to_client; flowbits:isset,ETPTadmoney; http.stat_code; content:"200"; file.data; content:"|89 50 4e 47 0d 0a 1a 0a|"; depth:8; byte_jump:2,8,from_beginning,little; isdataat:20,relative; isdataat:!21,relative; content:!"IHDR"; offset:12; depth:4; classtype:pup-activity; sid:2024699; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Internet, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky APT Related Host Data Exfil M4"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/\?m=[a-z]&p1=[a-z0-9]{8,12}(?:&p2=[^&]+)?(?:&p3=[^&]+)?$/i"; content:"/?m="; fast_pattern; content:"&p1="; distance:1; within:4; content:!","; http.header_names; content:!"Content-Type"; content:!"Referer"; reference:md5,2d1f1132ab7e80a6a8546dd2ac45bd89; reference:url,download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf; classtype:targeted-activity; sid:2035564; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2022_05_16;)
 
-#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 3"; flow:established,to_client; content:"|17 03|"; depth:2; content:"|00 40|"; distance:1; within:2; fast_pattern; stream_size:server, >,1789; stream_size:server,<,2124; stream_size:client, >,447; stream_size:client, <,1722; flowbits:isset, FB332502_0; flowbits:unset, FB332502_0; flowbits:set, FB332502_1; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024753; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PennyWise Stealer Data Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/getfile"; bsize:8; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:60; http.request_body; content:"*PennyWise v"; fast_pattern; content:"*Browsers:*"; distance:0; content:"*Wallets:*"; distance:0; content:"*YouTube:*"; distance:0; content:"*Grabber:*"; distance:0; content:"PK|03 04|"; distance:0; byte_test:1,<=,20,0,relative; content:"Information.txt"; distance:0; reference:md5,6aa187bd65ee038e2e8c895a0b6a2977; classtype:trojan-activity; sid:2036597; rev:1; metadata:created_at 2022_05_16, former_category MALWARE, malware_family pennywise_stealer, updated_at 2022_05_16;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [:32768] (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 4"; flow:established,to_server; content:"|1703|"; depth:2; byte_test:2, >=,1024, 1, relative; byte_test:2, <=,1100, 1, relative; stream_size:server, >,1889; stream_size:server, <,2124; stream_size:client, >,1476; stream_size:client, <,1722; flowbits:isset, FB332502_1; flowbits:unset, FB332502_1; flowbits:set, FB332502_2; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024754; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Borr Stealer Variant Sending System Information"; flow:established,to_server; content:"Content-length|3a|"; content:!"|20|"; distance:0; within:1; content:"UserId|3a|"; content:!"|20|"; distance:0; within:1; content:"Crypto|3a|"; content:!"|20|"; distance:0; within:1; content:"Passworld|3a|"; fast_pattern; content:!"|20|"; distance:0; within:1; content:"Cookies|3a|"; content:!"|20|"; distance:0; within:1; content:"PK"; distance: 200; content:"Processes.txt"; distance:0; content:"User Information.txt"; distance:0; reference:url,twitter.com/3xp0rtblog/status/1522491866834472960; reference:md5,d4d4b796efaf717170edf1a90eeb2a0d; reference:md5,69aef5f237246dec6ef82dda0982e46b; reference:md5,c7175f875b79020acc88eda29100e6d7; classtype:trojan-activity; sid:2036595; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Oct 16 2016"; flow:established,to_client; file.data; content:"Windows Defender Alert"; nocase; fast_pattern; content:"Virus Detected"; nocase; distance:0; content:"Reset Your Computer"; nocase; distance:0; content:"<audio autoplay"; nocase; distance:0; classtype:social-engineering; sid:2024845; rev:4; metadata:created_at 2017_10_16, former_category WEB_CLIENT, updated_at 2022_04_18;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Attempted ThinkPHP < 5.2.x RCE Inbound (CVE-2018-20062)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"_method=__construct&filter[]=assert&method=get&server[REQUEST_METHOD]"; fast_pattern; nocase; reference:url,www.exploit-db.com/exploits/46150; reference:cve,2018-20062; classtype:web-application-attack; sid:2036598; rev:1; metadata:attack_target Web_Server, created_at 2022_05_17, cve CVE_2018_20062, deployment Perimeter, former_category EXPLOIT, signature_severity Informational, updated_at 2022_05_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (dyoravdkiavfkbkx in DNS Lookup)"; dns.query; content:"dyoravdkiavfkbkx"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025507; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Attempted ThinkPHP < 5.2.x RCE Outbound (CVE-2018-20062)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"_method=__construct&filter[]=assert&method=get&server[REQUEST_METHOD]"; fast_pattern; nocase; reference:url,www.exploit-db.com/exploits/46150; reference:cve,2018-20062; classtype:web-application-attack; sid:2036599; rev:1; metadata:attack_target Web_Server, created_at 2022_05_17, cve CVE_2018_20062, deployment Perimeter, former_category EXPLOIT, signature_severity Informational, updated_at 2022_05_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (dypmoywmjrevboat in DNS Lookup)"; dns.query; content:"dypmoywmjrevboat"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025508; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IceApple User-Agent observed"; flow:established,to_server; http.user_agent; content:"Microsoft Office/16.0 |28|Windows NT 10.0|3b 20|Microsoft Outlook 16.0.4551|3b 20|Pro|29|"; http.header_names; content:!"Referer"; reference:url,www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf; classtype:trojan-activity; sid:2036602; rev:2; metadata:attack_target Server, created_at 2022_05_17, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family IceApple, performance_impact Low, signature_severity Major, updated_at 2022_05_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (jjjooyeohgghgtwn in DNS Lookup)"; dns.query; content:"jjjooyeohgghgtwn"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025509; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Restylink Domain in DNS Lookup ( .differentfor .com)"; dns.query; dotprefix; content:"..differentfor.com"; nocase; endswith; reference:url,insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies; classtype:trojan-activity; sid:2036603; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_17, deployment Perimeter, malware_family Restylink, performance_impact Low, signature_severity Major, updated_at 2022_05_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (lvanwwbyabcfevyi in DNS Lookup)"; dns.query; content:"lvanwwbyabcfevyi"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025510; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Restylink Domain in DNS Lookup ( .mbusabc .com)"; dns.query; dotprefix; content:"..mbusabc.com"; nocase; endswith; reference:url,insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies; classtype:trojan-activity; sid:2036604; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_17, deployment Perimeter, malware_family Restylink, performance_impact Low, signature_severity Major, updated_at 2022_05_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (uxwavkmttywsuynt in DNS Lookup)"; dns.query; content:"uxwavkmttywsuynt"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025511; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Restylink Domain in DNS Lookup ( .disknxt .com)"; dns.query; dotprefix; content:"..disknxt.com"; nocase; endswith; reference:url,insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies; classtype:trojan-activity; sid:2036605; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_17, deployment Perimeter, malware_family Restylink, performance_impact Low, signature_severity Major, updated_at 2022_05_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (yaynawvtuqcarjwc in DNS Lookup)"; dns.query; content:"yaynawvtuqcarjwc"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025512; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Restylink Domain in DNS Lookup ( .officehoster .com)"; dns.query; dotprefix; content:"..officehoster.com"; nocase; endswith; reference:url,insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies; classtype:trojan-activity; sid:2036606; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_17, deployment Perimeter, malware_family Restylink, performance_impact Low, signature_severity Major, updated_at 2022_05_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BKransomware Domain (3whyfziey2vr41yq in DNS Lookup)"; dns.query; content:"3whyfziey2vr41yq"; depth:16; reference:md5,892da86e60236c5aaf26e5025af02513; classtype:trojan-activity; sid:2025559; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Restylink Domain in DNS Lookup ( .spffusa .org)"; dns.query; dotprefix; content:"..spffusa.org"; nocase; endswith; reference:url,insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies; classtype:trojan-activity; sid:2036607; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_17, deployment Perimeter, malware_family Restylink, performance_impact Low, signature_severity Major, updated_at 2022_05_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing Jun 28 2017"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:!"https://*.paypal.com"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; content:"|26 23|x50|3b 26 23|x61|3b 26 23|x79|3b 26 23|x50|3b 26 23|x61|3b 26 23|x6C|3b|"; fast_pattern; within:50; content:"</title>"; distance:0; classtype:social-engineering; sid:2025660; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Restylink Domain in DNS Lookup ( .sseekk .xyz)"; dns.query; dotprefix; content:"..sseekk.xyz"; nocase; endswith; reference:url,insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies; classtype:trojan-activity; sid:2036608; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_17, deployment Perimeter, malware_family Restylink, performance_impact Low, signature_severity Major, updated_at 2022_05_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Struts ognl inbound OGNL injection remote code execution attempt"; flow:established,to_server; http.uri; content:"${"; content:"ognl|2E|"; distance:0; fast_pattern; reference:cve,2018-11776; classtype:attempted-admin; sid:2026031; rev:3; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_08_24, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Minor, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Restylink Domain in DNS Lookup ( .youmiuri .com)"; dns.query; dotprefix; content:"..youmiuri.com"; nocase; endswith; reference:url,insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies; classtype:trojan-activity; sid:2036609; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_17, deployment Perimeter, malware_family Restylink, performance_impact Low, signature_severity Major, updated_at 2022_05_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Win32/Remcos RAT Checkin 51"; flow:established,to_server; stream_size:server,=,1; content:"|4139 2f55 647c c126 8775 8f|"; depth:11; reference:md5,4f3cc55c79b37a52d8f087dbf7093dcd; classtype:command-and-control; sid:2026433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_02, deployment Perimeter, former_category MALWARE, malware_family Remcos, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Cryptowallet Mining Pool Scam Landing Page"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"d|20 3d 20|navigator|2e|userAgent"; content:"return|20|d|2e|includes|28 22|hbWallet|22 29 20 3f 20 22|"; content:"|22 20 3a 20|d|2e|includes|28 22|coinbase|22 29 20 3f 20 22|Coinbase"; content:"|22 20 3a 20|d|2e|includes|28 22|CriOS|22 29 20 3f 20 22|MetaMask"; fast_pattern; content:"|22 20 3a 20|d|2e|includes|28 22|imToken|22 29 20 3f 20 22|imToken"; content:"|22 20 3a 20|d|2e|includes|28 22|bitpie|22 29 20 3f 20 22|"; content:"|22 20 3a 20|d|2e|includes|28 22|TokenPocket|22 29 20 3f 20 22|TokenPocket"; classtype:credential-theft; sid:2036601; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kraken C2 Domain Observed (kraken656kn6wyyx in DNS Lookup)"; dns.query; content:"kraken656kn6wyyx"; depth:16; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-1030.pdf; classtype:command-and-control; sid:2026640; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_20, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Kraken_Ransomware, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SiMay RAT Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.request_line; content:"&shareKey=cfae45c9e7cc8a7734b72abe98235dd1 HTTP/1.0"; fast_pattern; endswith; http.host; content:"note.youdao.com"; reference:md5,a641b3b81153936c6a3d3d99fe8d9736; reference:md5,8205ccb910dc783efcd7d480ef1bd7d9; reference:url,www.sentinelone.com/wp-content/uploads/2022/04/SiMay-RAT.pdf; classtype:trojan-activity; sid:2036600; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_17, deployment Perimeter, former_category MALWARE, malware_family SiMayRAT, signature_severity Major, updated_at 2022_05_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Agent.NZH CnC Response"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"File not found.|0a 3c 21 2d 2d|"; within:30; fast_pattern; content:"-->"; distance:0; classtype:command-and-control; sid:2026987; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_27, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlueShtorm Infostealer Data Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload.php"; endswith; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:60; http.request_body; content:"filename|3d 22|Log.zip|22 0d 0a|"; fast_pattern; content:"PK|03 04|"; distance:0; byte_test:1,<=,20,0,relative; content:"System Info.txt"; distance:0; reference:md5,1b02c34f6a49e9ba0c9b9a834a052c13; reference:url,twitter.com/3xp0rtblog/status/1526603444898959362; classtype:trojan-activity; sid:2036610; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_17, deployment Perimeter, former_category MALWARE, malware_family BlueShtorm_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_05_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF.SystemdMiner C2 Domain in DNS Lookup"; dns.query; content:"aptgetgxqs3secda"; depth:16; reference:url,blog.netlab.360.com/systemdminer-when-a-botnet-borrows-another-botnets-infrastructure/; classtype:command-and-control; sid:2027351; rev:4; metadata:affected_product Linux, attack_target Server, created_at 2019_05_13, deployment Datacenter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/NetDooka Framework Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"|0d 0a|Expect|3a 20|100-continue|0d 0a|"; http.request_body; content:"get_address"; bsize:11; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html; reference:md5,b9ec139e567f88cf9287676ac431c4ab; classtype:trojan-activity; sid:2036612; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_05_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF.SystemdMiner C2 Domain in DNS Lookup"; dns.query; content:"rapid7cpfqnwxodo"; depth:16; reference:url,blog.netlab.360.com/systemdminer-when-a-botnet-borrows-another-botnets-infrastructure/; classtype:command-and-control; sid:2027352; rev:4; metadata:affected_product Linux, attack_target Server, created_at 2019_05_13, deployment Datacenter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, updated_at 2022_04_18;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/NetDooka Framework RAT Sending Session ID"; flow:established,to_server; dsize:12; content:"|e8 03 00 00|"; startswith; fast_pattern; reference:url,www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html; reference:md5,e13d4a4b5eaef60643ce56013fe94344; classtype:trojan-activity; sid:2036613; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag RAT, updated_at 2022_05_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Thanatos Ransomware Variant Pico User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1) Pico/"; startswith; classtype:trojan-activity; sid:2029306; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/NetDooka Framework RAT Sending System Information M1"; flow:established,to_server; content:"|90 01 00 00|"; fast_pattern; pcre:"/(?:[0-9A-F]{2}(?:-)?){16}\x7c/R"; reference:url,www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html; reference:md5,e13d4a4b5eaef60643ce56013fe94344; classtype:trojan-activity; sid:2036614; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag RAT, updated_at 2022_05_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspected Malicious Telegram Communication (POST)"; flow:established,to_server; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http.header; content:"|0d 0a|Accept-Language|3a 20|en-US,*|0d 0a|User-Agent|3a 20|Mozilla/5.0|0d 0a|Host|3a 20|"; fast_pattern; http.content_len; byte_test:0,=,40,0,string,dec; http.request_line; content:"POST /api HTTP/1.1"; depth:18; isdataat:!1,relative; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; isdataat:!1,relative; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:98; isdataat:!1,relative; reference:md5,fe5338aee73b3aae375d7192067dc5c8; reference:url,www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/; classtype:misc-activity; sid:2029634; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_04_18;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/NetDooka Framework RAT Sending File"; flow:established,to_server; dsize:12; content:"|13 00 00 00|"; startswith; fast_pattern; reference:url,www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html; reference:md5,e13d4a4b5eaef60643ce56013fe94344; classtype:trojan-activity; sid:2036615; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag RAT, updated_at 2022_05_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE ActionSpy CnC (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ps/upinfo"; bsize:10; fast_pattern; http.user_agent; content:"android"; bsize:7; http.header; content:"Content-Encoding|3a 20|encrypted|0d 0a|"; reference:md5,43f1891a9c0d8fc69e273095708d9238; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/; classtype:command-and-control; sid:2030342; rev:2; metadata:attack_target Mobile_Client, created_at 2020_06_15, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Powershell/CustomRAT CnC Domain in DNS Lookup (kleinm .de)"; dns.query; content:"kleinm.de"; nocase; bsize:9; reference:url,blog.malwarebytes.com/threat-intelligence/2022/05/custom-powershell-rat-targets-germans-seeking-information-about-the-ukraine-crisis/; classtype:trojan-activity; sid:2036622; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, malware_family PowerShell_CustomRAT, performance_impact Low, signature_severity Major, updated_at 2022_05_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Gootkit Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search.php?"; startswith; fast_pattern; pcre:"/^[1-z]{13}=[0-9]{16}$/R"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5|29|"; http.header_names; content:!"Referer"; reference:md5,82ddc740b8ff3aa4d818d1b421e0231e; classtype:trojan-activity; sid:2033022; rev:2; metadata:created_at 2021_05_24, former_category MALWARE, updated_at 2022_04_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PowerShell/CustomRAT Domain (kleinm .de) in TLS SNI"; flow:established,to_server; tls.sni; content:"kleinm.de"; bsize:9; fast_pattern; reference:url,blog.malwarebytes.com/threat-intelligence/2022/05/custom-powershell-rat-targets-germans-seeking-information-about-the-ukraine-crisis/; classtype:trojan-activity; sid:2036623; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, malware_family PowerShell_CustomRAT, performance_impact Low, signature_severity Major, updated_at 2022_05_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed OWA Phishing Landing Page 2021-08-20"; flow:established,to_client; file.data; content:"<title>Outlook Web App</title>"; fast_pattern; content:"<form action|3d 22|save.php|22|"; content:"method|3d 22|POST|22|"; distance:0; content:"name|3d 22|logonForm|22|"; distance:0; content:"id|3d 22|logonForm|22|"; distance:0; content:"enctype|3d 22|application/x-www-form-urlencoded|22|"; distance:0; content:"autocomplete|3d 22|off|22 3e|"; distance:0; reference:url,app.any.run/tasks/40a14763-96a6-4897-86c4-2b4693a0034b/; classtype:social-engineering; sid:2033748; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_20, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerShell/CustomRAT CnC Traffic"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; http.header_names; content:!"Referer"; content:"X-Request-ID"; fast_pattern; http.request_body; content:"type"; content:"newclient"; distance:0; content:"result"; content:"pwd"; content:"cuser"; content:"hostname"; content:"clientid"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/05/custom-powershell-rat-targets-germans-seeking-information-about-the-ukraine-crisis/; classtype:trojan-activity; sid:2036624; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [!80,!443] (msg:"ET MALWARE Win32/Numando Banker CnC Activity"; flow:established,to_server; content:"<|7c|>1<|7c|>"; offset:7; content:"<|7c|>Microsoft|20|Windows"; distance:0; content:"<|7c|>0<|7c|>"; distance:0; reference:md5,fec2f560619b88d9846fe03db6841e91; reference:url,www.welivesecurity.com/2021/09/17/numando-latam-banking-trojan/; classtype:trojan-activity; sid:2033983; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Axie Infinity Credential Phish M1 2022-05-18"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ronin.php"; bsize:10; http.request_body; content:"kos=Ronin+Wallet"; fast_pattern; classtype:credential-theft; sid:2036618; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Outdated Browser Landing Page M3"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"!|5c|n|5c|nWebsite work well"; fast_pattern; nocase; reference:url,blog.group-ib.com/perswaysion; classtype:misc-activity; sid:2033998; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Axie Infinity Credential Phish M2 2022-05-18"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/meta.php"; bsize:9; http.request_body; content:"kos=MetaMask"; fast_pattern; classtype:credential-theft; sid:2036619; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Credential Phish Credit Card Payment Data Exfil"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Internal Revenue Service"; nocase; content:"form action=|22|c5.php|22|"; fast_pattern; distance:0; content:"name|3d 22|amount|22 20|value|3d 22 22|"; distance:0; content:"PROCEED"; distance:0; reference:md5,55d8e8f74231e50c479d11683c7ab889; classtype:credential-theft; sid:2034328; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Axie Infinity Credential Phish Landing Page M3 2022-05-18"; http.request_line; content:"GET /"; startswith; http.host; content:"axieinfinity.com"; bsize:16; http.referer; content:"/tel.php"; endswith; reference:md5,f8aedfea2bb3f01e129cffc1e670645e; classtype:credential-theft; sid:2036621; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_18;)
 
-alert http $HOME_NET any -> any any (msg:"ET INFO Python BaseHTTP ServerBanner"; flow:established; http.server; content:"BaseHTTP/"; startswith; content:"Python/"; distance:0; reference:url,wiki.python.org/moin/BaseHttpServer; classtype:misc-activity; sid:2034635; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2022_04_18;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/NetDooka Framework RAT Sending System Information M2"; flow:established,to_server; content:"|90 01 00 00|"; fast_pattern; pcre:"/(?:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\x7c/R"; reference:url,www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html; reference:md5,ff672b6d51815ef9c86e163bfd23f1a5; classtype:trojan-activity; sid:2036616; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_05_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Kimsuky Related Malicious VBScript"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Content-Encoding|3a 20|gzip"; http.response_body; content:"language|3d|javascript|3e|document|2e|write|28|unescape|28 27|"; content:"%47%65%74%4F%62%6A%65%63%74%28%22%22%6E%65%77%3A"; content:"%2E%76%62%73%20%26%40%65%63%68%6F%20%55%52%4C%20%3D%20%22%22"; distance:0; within:285; fast_pattern; content:"%73%65%6C%66%2E%63%6C%6F%73%65"; reference:md5,d74f268b986fecfa03b81029dd134811; classtype:trojan-activity; sid:2034697; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Axie Infinity Credential Phish Landing Page M2 2022-05-18"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|3c|title|3e|Login|20 7c 20|Axie|20|Infinity|3c 2f|title|3e|"; content:"|3c|form|20|method|3d 22|POST|22 20|action|3d 22 2f|tel|2e|php|22|"; distance:0; fast_pattern; content:"|3c|form|20|method|3d 22|POST|22 20|action|3d 22 2f|meta|2e|php|22 3e|"; distance:0; reference:md5,f8aedfea2bb3f01e129cffc1e670645e; classtype:credential-theft; sid:2036620; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater APT Related Maldoc Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getCommand?guid="; startswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:md5,c9ab403bd43649b5fd57efac4bf83b7c; reference:md5,748ae5af58e52e940ab806bdbbe61c4c; reference:url,twitter.com/ShadowChasing1/status/1475819281648553986; classtype:trojan-activity; sid:2034844; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_12_28, deployment Perimeter, former_category MALWARE, malware_family MuddyWater, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Axie Infinity Credential Phish Landing Page M1 2022-05-18"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|3c|title|3e|Login|20 7c 20|Axie|20|Infinity|3c 2f|title|3e|"; content:"|3c|form|20|method|3d 22|POST|22 20|action|3d 22 2f|ronin|2e|php|22 3e|"; distance:0; fast_pattern; content:"|3c|form|20|method|3d 22|POST|22 20|action|3d 22 2f|meta|2e|php|22 3e|"; distance:0; reference:md5,f8aedfea2bb3f01e129cffc1e670645e; classtype:credential-theft; sid:2036617; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Metawallet Phish 2022-01-13"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"metawallet"; fast_pattern; content:".php"; endswith; http.request_body; content:"WoRd1="; content:"WoRd2="; distance:0; content:"WoRd3="; distance:0; content:"WoRd4="; distance:0; content:"WoRd5="; distance:0; content:"WoRd6="; distance:0; content:"WoRd7="; distance:0; content:"WoRd8="; distance:0; content:"WoRd9="; distance:0; content:"WoRd10="; distance:0; content:"WoRd11="; distance:0; content:"WoRd12="; distance:0; reference:md5,7ddee3930807ab2a21afe8c5760b2b13; classtype:credential-theft; sid:2034915; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Credit Card Scraper Domain in DNS Lookup (authorizen .net)"; dns.query; content:"authorizen.net"; nocase; bsize:14; reference:url,www.ic3.gov/Media/News/2022/220516.pdf; classtype:credential-theft; sid:2036625; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tiggre Variant Activity Sending System Files (POST)"; flow:established,to_server; http.request_line; content:"POST /up/up.php HTTP/1.1"; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|boundary=---------------------"; startswith; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"form-data|3b 20|name=|22|file|22 3b|"; reference:md5,a023ece310a490a87e77c9bb28b6415b; classtype:trojan-activity; sid:2034962; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible PHP Backdoor Command Execution"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; content:"=system|28 27|"; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.ic3.gov/Media/News/2022/220516.pdf; classtype:trojan-activity; sid:2036626; rev:1; metadata:affected_product PHP, attack_target Web_Server, created_at 2022_05_18, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, performance_impact Low, signature_severity Major, updated_at 2022_05_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Valyria.6015 CnC Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/eln-images/"; startswith; fast_pattern; http.user_agent; content:"WindowsPowerShell/"; http.header_names; content:!"Referer"; reference:md5,a118a3030807156eca8f805b8b83ce1f; classtype:trojan-activity; sid:2035223; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/maps/overlaybfpr?q="; startswith; fast_pattern; http.cookie; content:"SRCHD=AF=NOFORM|3b|_SS="; startswith; pcre:"/^[A-Za-z0-9+=/]{172}$/R"; http.user_agent; content:"Mozilla/5.0|20|"; startswith; reference:md5,50b3fb6a2cf209d4bcbea0546e82f58f; reference:url,blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html; classtype:trojan-activity; sid:2036632; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_19, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_05_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish 2022-03-02"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/proccess/log.php"; fast_pattern; http.request_body; content:"FromPreSignIn_SIP=Y"; content:"&RSA_DEVPRINT="; distance:0; content:"&QQ1="; distance:0; reference:md5,023f93be3b12f211c5db927f234290ad; classtype:credential-theft; sid:2035379; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReVBShell Command Response"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cmd"; bsize:4; http.header_names; content:"|0d 0a|Connection|0d 0a|Content-Type|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Host|0d 0a 0d 0a|"; bsize:72; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|cmd|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|result|22 3b 20|filename=|22|cmdoutput|22|"; reference:url,github.com/bitsadmin/ReVBShell; classtype:trojan-activity; sid:2036636; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_19, deployment Perimeter, former_category MALWARE, malware_family ReVBShell, performance_impact Low, signature_severity Major, updated_at 2022_05_19;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|00|"; offset:1; depth:1; content:"|01 00|"; distance:19; within:2; byte_test:4,>,128,20,relative,little; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103158; rev:8; metadata:created_at 2010_09_23, updated_at 2022_04_18;)
+alert tcp [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET POLICY ScreenConnect-ConnectWise Initial Checkin Packet"; dsize:<600; content:"|87 15 10 00 00 00 00 00 00 00 00 00 00 00 00 00|"; startswith; fast_pattern; classtype:policy-violation; sid:2036627; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_19, deployment Perimeter, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2022_05_19;)
 
-alert tcp-pkt $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Rat CnC Server Response"; flow:established,to_client; content:"|00 00 00|ent2rmezi="; offset:2; depth:13; fast_pattern; threshold:type limit, track by_src, count 5, seconds 600; reference:md5,3829791a486b0b9ccb80ffcb7177c19c; reference:url,twitter.com/0xrb/status/1515979150515122178; classtype:command-and-control; sid:2036242; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Crimson, signature_severity Major, tag c2, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Transparent Tribe APT Related Domain in DNS Lookup"; dns.query; content:"millitarytocorp.com"; nocase; bsize:19; reference:md5,7f3d3a055ecb5a6f787b0afbd373af88; reference:url,twitter.com/h2jazi/status/1527331543206617101; classtype:domain-c2; sid:2036633; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_19, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zingo/GinzoStealer Stealer Exfiltration Observed"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/g1nzo.php?"; startswith; fast_pattern; content:"data="; content:"countc="; content:"countp="; content:"country="; content:"ip="; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:60; reference:md5,b918a1b21063907a9bbf4dda8259bd78; reference:url,blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html; classtype:trojan-activity; sid:2036246; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family ZingoStealer, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed URL Shortening Service SSL/TLS Cert (rb.gy)"; flow:from_server,established; tls.cert_subject; content:"CN=rb.gy"; fast_pattern; classtype:policy-violation; sid:2036628; rev:1; metadata:created_at 2022_05_19, former_category POLICY, updated_at 2022_05_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Blackguard_v3.5 Domain (ritmflow .online) in TLS SNI"; flow:established,to_server; tls.sni; content:"ritmflow.online"; bsize:15; fast_pattern; reference:md5,dce3c6ed046018eac08f82942401123d; reference:url,twitter.com/3xp0rtblog/status/1516092338065612804; classtype:trojan-activity; sid:2036247; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Blackguard_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Spox Phishkit HTTP POST Observed"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Login/Spox/Mail/Mail1"; endswith; http.request_body; content:"spox_b00T="; startswith; fast_pattern; content:"&username="; content:"&password="; content:"&spox="; content:"&token="; classtype:social-engineering; sid:2036629; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson CnC Server Command (info) M3"; flow:established,to_client; dsize:18; content:"|0d 00 00 00 00|inf2o=command"; threshold:type limit,track by_dst, count 5,seconds 600; reference:md5,fdd625f11ae39b85d4c0f794e8570abe; classtype:command-and-control; sid:2036243; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Crimson, signature_severity Major, tag c2, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Spox Phishkit Landing Page Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<!-- Meta BY Spox"; content:"<!-- ICONS BY Spox"; content:"href=|22|Spox/Files"; fast_pattern; classtype:social-engineering; sid:2036630; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MSIL/Crimson Client Command Response (info)"; flow:established,to_server; content:"|00 00 00 00|"; offset:1; depth:4; content:"inx7fo=usder"; distance:0; fast_pattern; content:"|00 00 00 00 7c|"; distance:1; within:5; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; threshold:type limit, track by_src, count 5, seconds 600; reference:md5,fdd625f11ae39b85d4c0f794e8570abe; classtype:command-and-control; sid:2036244; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Crimson, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android ERMAC Banker (PL) Related Domain in DNS Lookup (bolt-food .site)"; dns.query; content:"bolt-food.site"; nocase; bsize:14; reference:md5,1e0586aef0f106031260fecb412c5cdf; reference:url,twitter.com/ESETresearch/status/1526897310231322630; classtype:domain-c2; sid:2036634; rev:1; metadata:attack_target Mobile_Client, created_at 2022_05_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_05_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Blackguard_v3.5 Domain in DNS Lookup (ritmflow .online)"; dns.query; content:"ritmflow.online"; nocase; bsize:15; reference:md5,dce3c6ed046018eac08f82942401123d; reference:url,twitter.com/3xp0rtblog/status/1516092338065612804; classtype:trojan-activity; sid:2036248; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, malware_family Blackguard_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish Observed"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mainnet.php?token="; fast_pattern; http.request_body; content:"adsad="; startswith; content:"&asdjdf="; classtype:social-engineering; sid:2036631; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful CSIS Credential Phish"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/policy/id1383729472034823098/United-States-Nonpaper-on-Iran.pdf/"; fast_pattern; http.referer; content:!"csis.org"; http.request_body; content:"email="; content:"password"; classtype:credential-theft; sid:2034255; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_26, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android ERMAC Banker (PL) Domain (bolt-food .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"bolt-food.site"; bsize:14; fast_pattern; reference:url,twitter.com/ESETresearch/status/1526897310231322630; reference:md5,1e0586aef0f106031260fecb412c5cdf; classtype:domain-c2; sid:2036635; rev:1; metadata:attack_target Mobile_Client, created_at 2022_05_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_05_19;)
 
-alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Oracle SQL Injection utl_inaddr call in URI"; flow:established,to_server; http.uri; content:"utl_inaddr.get_host"; nocase; fast_pattern; classtype:attempted-admin; sid:2015749; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SEO/Malvertising Executable Landing exe2.php"; flow:established,to_server; content:"/exe2.php?wm_id=acc"; http_uri; classtype:trojan-activity; sid:2011916; rev:5; metadata:created_at 2010_11_10, updated_at 2022_05_19;)
 
-alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M1"; flow:established,to_server; http.uri.raw; pcre:"/^\/(?:icons|cgi-bin)/"; content:"/.%2e/%2e%2e/%2e%2e/%2e%2e/"; reference:url,httpd.apache.org/security/vulnerabilities_24.html; reference:url,twitter.com/HackerGautam/status/1445412108863041544; reference:cve,2021-41773; classtype:attempted-admin; sid:2034124; rev:4; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2021_10_05, cve CVE_2021_41773, deployment Perimeter, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DCRat Related CnC Domain in DNS Lookup"; dns.query; content:"dcrat.ru"; nocase; bsize:8; reference:url,blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains; classtype:domain-c2; sid:2036637; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_20, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2022_05_20;)
 
-alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M2"; flow:established,to_server; http.uri.raw; pcre:"/^\/(?:icons|cgi-bin)/"; content:"/.%2e/.%2e/.%2e/.%2e/"; reference:url,httpd.apache.org/security/vulnerabilities_24.html; reference:url,github.com/iilegacyyii/PoC-CVE-2021-41773/blob/main/CVE-2021-41773.py; reference:cve,2021-41773; classtype:attempted-admin; sid:2034125; rev:4; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2021_10_05, cve CVE_2021_41773, deployment Perimeter, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DCRat Related CnC Domain in DNS Lookup"; dns.query; content:"crystalfiles.ru"; nocase; bsize:15; reference:url,blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains; classtype:domain-c2; sid:2036638; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_20, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2022_05_20;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M3"; flow:established,to_server; http.uri.raw; pcre:"/^\/(?:icons|cgi-bin)/"; content:"/.%2e/%2e%2e/.%2e/"; reference:cve,2021-41773; classtype:attempted-admin; sid:2034128; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2021_10_06, cve CVE_2021_41773, deployment Perimeter, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DCRat)"; flow:established,to_client; tls.cert_subject; content:"CN=*.dcrat.ru"; bsize:13; fast_pattern; reference:url,blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains; classtype:domain-c2; sid:2036639; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_20, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_20;)
 
-#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Potential Forced OGNL Evaluation - HTTP Header"; flow:to_server,established; http.header; content:"|25 7b|"; fast_pattern; content:"|7d|"; distance:0; classtype:misc-activity; sid:2036223; rev:2; metadata:created_at 2022_04_14, deprecation_reason Performance, former_category HUNTING, performance_impact Significant, updated_at 2022_04_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DCRat Related Domain (crystalfiles .ru in TLS SNI)"; flow:established,to_server; tls.sni; content:"crystalfiles.ru"; bsize:15; fast_pattern; reference:url,blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains; classtype:domain-c2; sid:2036640; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_20, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2022_05_20;)
 
-#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Potential Forced OGNL Evaluation - HTTP Body"; flow:to_server,established; http.request_body; content:"|25 7b|"; fast_pattern; content:"|7d|"; distance:0; classtype:misc-activity; sid:2036224; rev:2; metadata:created_at 2022_04_14, deprecation_reason Performance, former_category HUNTING, performance_impact Significant, updated_at 2022_04_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE oRAT Related CnC Domain in DNS Lookup"; dns.query; content:"darwin.github.wiki"; nocase; bsize:18; reference:url,www.sentinelone.com/blog/from-the-front-lines-unsigned-macos-orat-malware-gambles-for-the-win; reference:md5,bb1b4d6fe8940438ecbe94e54fdee0af; classtype:trojan-activity; sid:2036641; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_20, deployment Perimeter, former_category MALWARE, malware_family oRAT, signature_severity Major, updated_at 2022_05_20;)
 
-#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Potential Forced OGNL Evaluation - HTTP URI"; flow:to_server,established; http.uri; content:"|25 7b|"; fast_pattern; content:"|7d|"; distance:0; classtype:misc-activity; sid:2036222; rev:2; metadata:created_at 2022_04_14, deprecation_reason Performance, former_category HUNTING, performance_impact Moderate, updated_at 2022_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE J-Spy JSP webshell response"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"File Manager"; content:"Database Manager"; content:"Port Scan"; content:"Execute Command"; content:"J-spy Root"; fast_pattern; reference:url,github.com/dingody/jspy; classtype:trojan-activity; sid:2036647; rev:1; metadata:attack_target Web_Server, created_at 2022_05_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)"; flow:established,to_server; tls.sni; content:"nominally.ru"; bsize:12; fast_pattern; reference:md5,b918a1b21063907a9bbf4dda8259bd78; reference:url,blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html; classtype:domain-c2; sid:2036249; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, malware_family ZingoStealer, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE J-Spy JSP webshell request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".jsp"; endswith; http.referer; content:".jsp"; endswith; http.request_body; content:"action="; fast_pattern; startswith; pcre:"/^(?:FileManager|PortScan|ExecuteCommand|DatabaseManager)/R"; reference:url,github.com/dingody/jspy; classtype:trojan-activity; sid:2036648; rev:1; metadata:attack_target Web_Server, created_at 2022_05_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family J_spy, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2022_05_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zingo/GinzoStealer Data Exfiltration M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22|ginzoarchive|2e|zip|22 0d 0a|Content|2d|Type|3a 20|application|2f|octet|2d|stream|0d 0a 0d 0a|PK|03 04|"; fast_pattern; reference:md5,b918a1b21063907a9bbf4dda8259bd78; reference:url,blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html; classtype:trojan-activity; sid:2036250; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family ZingoStealer, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Bitter APT Related Domain in DNS Lookup (emshedulersvc .com)"; dns.query; content:"emshedulersvc.com"; nocase; bsize:17; reference:md5,6e4b4eb701f3410ebfb5925db32b25dc; reference:url,twitter.com/k3yp0d/status/1527656133837594624; classtype:domain-c2; sid:2036642; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_20, deployment Perimeter, former_category MALWARE, malware_family Bitter, signature_severity Major, updated_at 2022_05_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zingo/GinzoStealer Downloading Additional Payloads"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.host; dotprefix; content:".nominally.ru"; endswith; fast_pattern; reference:url,blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html; classtype:trojan-activity; sid:2036251; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, malware_family ZingoStealer, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Bitter APT Related Domain in DNS Lookup (huandocimama .com)"; dns.query; dotprefix; content:".huandocimama.com"; nocase; endswith; reference:md5,6e4b4eb701f3410ebfb5925db32b25dc; reference:url,twitter.com/k3yp0d/status/1527656133837594624; classtype:domain-c2; sid:2036643; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_20, deployment Perimeter, former_category MALWARE, malware_family Bitter, signature_severity Major, updated_at 2022_05_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected TA404 APT Related Activity M1"; flow:established,to_server; http.uri; content:".asp?prd_fld=racket"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:!"Linux"; content:!"Android"; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical; classtype:trojan-activity; sid:2036257; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Bitter APT Related Domain in DNS Lookup (diyefosterfeeds .com)"; dns.query; content:"diyefosterfeeds.com"; nocase; bsize:19; reference:md5,6e4b4eb701f3410ebfb5925db32b25dc; reference:url,twitter.com/k3yp0d/status/1527656133837594624; classtype:trojan-activity; sid:2036644; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected TA404 APT Related Activity M2"; flow:established,to_server; http.uri; content:".jsp?prd_fld_racket"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:!"Linux"; content:!"Android"; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical; classtype:trojan-activity; sid:2036258; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitter APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/profiles.php?profiles="; fast_pattern; pcre:"/^[A-Za-z]{15,20}$/R"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:md5,6e4b4eb701f3410ebfb5925db32b25dc; reference:url,twitter.com/k3yp0d/status/1527656133837594624; classtype:trojan-activity; sid:2036645; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_20, deployment Perimeter, former_category MALWARE, malware_family Bitter, signature_severity Major, updated_at 2022_05_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (dafom .dev)"; dns.query; content:"dafom.dev"; nocase; bsize:9; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036259; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitter APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vis.php?st="; fast_pattern; http.user_agent; content:"Windows Installer"; bsize:17; reference:md5,6e4b4eb701f3410ebfb5925db32b25dc; reference:url,twitter.com/k3yp0d/status/1527656133837594624; classtype:trojan-activity; sid:2036646; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_20, deployment Perimeter, former_category MALWARE, malware_family Bitter, signature_severity Major, updated_at 2022_05_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed DPRK Related APT User-Agent (dafom)"; flow:established,to_server; http.user_agent; content:"dafom"; bsize:5; fast_pattern; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:bad-unknown; sid:2036260; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, deployment SSLDecrypt, former_category USER_AGENTS, signature_severity Informational, updated_at 2022_04_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED GENERIC Likely Malicious Fake IE Downloading .exe"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; endswith; content:!"download_helper.ns"; http.header; content:!"softdl.360tpcdn.com"; http.user_agent; content:"|20|MSIE|20|"; http.host; content:!"microsoft.com"; content:!"adobe.com"; content:!"360safe.com"; content:!"cfbeta.razersynapse.com"; content:!"download.windowsupdate.com"; content:!"gladmainnew.morningstar.com"; http.connection; content:"close"; nocase; http.header_names; content:!"Accept-Encoding"; content:!"Referer"; classtype:trojan-activity; sid:2018403; rev:16; metadata:created_at 2014_04_22, former_category MALWARE, updated_at 2022_05_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (tokenais .com)"; dns.query; content:"tokenais.com"; nocase; bsize:12; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036261; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup"; dns.query; content:"mailcantonfair.cssc.info"; nocase; bsize:24; reference:url,mp.weixin.qq.com/s/qsGxZIiTsuI7o-_XmiHLHg; classtype:domain-c2; sid:2036653; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_23, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, signature_severity Major, updated_at 2022_05_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (cryptais .com)"; dns.query; content:"cryptais.com"; nocase; bsize:12; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036262; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
+alert tcp $HOME_NET ![80,8080] -> $EXTERNAL_NET any (msg:"ET HUNTING PNG image exfiltration over raw TCP"; flow:established,to_server; stream_size:server,<,160; dsize:>11; content:"|89|PNG|0d 0a 1a 0a 00 00 00 0d|IHDR|00 00|"; startswith; flowbits:set,ET.tcpraw.png; reference:md5,a271e5179f0a98a295736bd7a41a39fc; classtype:misc-activity; sid:2035476; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_05_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (alticgo .com)"; dns.query; content:"alticgo.com"; nocase; bsize:11; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036263; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TWISTEDPANDA CnC Domain in DNS Lookup (img .elliotterusties .com)"; dns.query; content:"img.elliotterusties.com"; nocase; bsize:23; reference:url,research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/; classtype:targeted-activity; sid:2036655; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_23, deployment Perimeter, malware_family TwistedPanda, performance_impact Low, signature_severity Major, updated_at 2022_05_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (esilet .com)"; dns.query; content:"esilet.com"; nocase; bsize:10; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036264; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_04_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TWISTEDPANDA CnC Domain in DNS Lookup (www .miniboxmail .com)"; dns.query; content:"www.miniboxmail.com"; nocase; bsize:19; reference:url,research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/; classtype:targeted-activity; sid:2036656; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_23, deployment Perimeter, malware_family TwistedPanda, performance_impact Low, signature_severity Major, updated_at 2022_05_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (vasepinay .com)"; dns.query; content:"vasepinay.com"; nocase; bsize:13; reference:url,twitter.com/Max_Mal_/status/1514729699011928073; classtype:domain-c2; sid:2036265; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TWISTEDPANDA CnC Domain in DNS Lookup (www .microtreely .com)"; dns.query; content:"www.microtreely.com"; nocase; bsize:19; reference:url,research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/; classtype:targeted-activity; sid:2036657; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_23, deployment Perimeter, malware_family TwistedPanda, performance_impact Low, signature_severity Major, updated_at 2022_05_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (dixavokij .com)"; dns.query; content:"dixavokij.com"; nocase; bsize:13; reference:url,twitter.com/Max_Mal_/status/1514729699011928073; classtype:domain-c2; sid:2036266; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TWISTEDPANDA CnC Domain in DNS Lookup (www .minzdravros .com)"; dns.query; content:"www.minzdravros.com"; nocase; bsize:19; reference:url,research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/; classtype:targeted-activity; sid:2036658; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_23, deployment Perimeter, malware_family TwistedPanda, performance_impact Low, signature_severity Major, updated_at 2022_05_23;)
 
-alert tcp any any -> any 3389 (msg:"ET SCAN RDP Connection Attempt from Nmap"; flow:established,to_server; content:"|00 00 00 00 00|Cookie|3a 20|mstshash|3d|nmap|0d 0a|"; fast_pattern; reference:url,github.com/nmap/nmap/blob/4b46fa7097673f157e7b93e72f0c8b3249c54b4c/nselib/rdp.lua#L211; classtype:network-scan; sid:2036252; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category SCAN, performance_impact Low, signature_severity Minor, updated_at 2022_04_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TWISTEDPANDA Domain in TLS SNI (www .miniboxmail .com)"; flow:established,to_server; tls.sni; content:"www.miniboxmail.com"; bsize:19; fast_pattern; reference:url,research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/; classtype:targeted-activity; sid:2036659; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_23, deployment Perimeter, malware_family TwistedPanda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request To Suspicious Filename via Powershell (key)"; flow:established,to_server; http.uri; content:"/key"; startswith; bsize:4; http.user_agent; content:"Mozilla/"; startswith; content:") WindowsPowerShell/"; distance:0; fast_pattern; reference:md5,5ec22f6399ec0c51d120d27ecd26f2be; classtype:bad-unknown; sid:2036267; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2022_04_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TWISTEDPANDA Domain in TLS SNI (www .microtreely .com)"; flow:established,to_server; tls.sni; content:"www.microtreely.com"; bsize:19; fast_pattern; reference:url,research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/; classtype:targeted-activity; sid:2036660; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_23, deployment Perimeter, malware_family TwistedPanda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request To Suspicious Filename via Powershell (payload)"; flow:established,to_server; http.uri; content:"/payload"; startswith; bsize:8; fast_pattern; http.user_agent; content:"Mozilla/"; startswith; content:") WindowsPowerShell/"; distance:0; reference:md5,5ec22f6399ec0c51d120d27ecd26f2be; classtype:bad-unknown; sid:2036268; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2022_04_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TWISTEDPANDA Domain in TLS SNI (www .minzdravros .com)"; flow:established,to_server; tls.sni; content:"www.minzdravros.com"; bsize:19; fast_pattern; reference:url,research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/; classtype:targeted-activity; sid:2036661; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_23, deployment Perimeter, malware_family TwistedPanda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win/Malware.Filetour Variant Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/A.php"; bsize:6; fast_pattern; http.user_agent; content:"wx"; http.request_body; content:"a"; content:"&v="; distance:0; content:"&h="; distance:0; content:"&r="; distance:0; reference:md5,467d78992086ffb4194a866981c33be2; classtype:bad-unknown; sid:2036269; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2022_04_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TWISTEDPANDA Domain in TLS SNI (img .elliotterusties .com)"; flow:established,to_server; tls.sni; content:"img.elliotterusties.com"; bsize:23; fast_pattern; reference:url,research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/; classtype:targeted-activity; sid:2036662; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_23, deployment Perimeter, malware_family TwistedPanda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win/Malware.FileTour Variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/bind/?appid="; depth:18; content:"&version="; distance:0; content:"&hwid="; distance:0; content:"&runid="; distance:0; http.host; content:"dayzcheats.ru"; bsize:13; fast_pattern; reference:md5,467d78992086ffb4194a866981c33be2; classtype:bad-unknown; sid:2036270; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2022_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Upatre Header Structure 2"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:!"Taitus"; content:!"Sling/"; content:!"Updexer/"; content:!"Lightworks"; http.host; content:!"sophosupd.com"; content:!"sophosupd.net"; http.accept; content:"text/*,|20|application/*"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host"; depth:26; classtype:trojan-activity; sid:2018635; rev:15; metadata:created_at 2014_07_03, former_category MALWARE, updated_at 2022_05_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win/Malware.FileTour Variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/B.php?a="; content:"&v="; distance:0; content:"&h="; distance:0; content:"&r="; distance:0; reference:md5,467d78992086ffb4194a866981c33be2; classtype:bad-unknown; sid:2036271; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2022_04_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Vidar Variant/Mars Stealer Resources Download"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|50 4b|"; startswith; content:"softokn3.dll"; distance:28; within:12; fast_pattern; bsize:>15000; reference:md5,880924e5583978c615dd03ff89648093; reference:url,twitter.com/X__Junior/status/1528046444963323904"; classtype:trojan-activity; sid:2036654; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_23;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded WebUI Login Attempt M1"; flow:established,to_server; http.header; content:"Authorization|3a 20|Basic|20|YWRtaW46ezEyMjEzQkQxLTY5QzctNDg2Mi04NDNELTI2MDUwMEQxREE0MH0|3d|"; fast_pattern; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036254; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vidar Variant/Mars CnC Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /request HTTP/1.1"; bsize:21; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Cache-Control|0d 0a|Cookie|0d 0a 0d 0a|"; bsize:33; http.header; content:"|0d 0a|Cache-Control|3a 20|no-cache|0d 0a|"; http.cookie; content:"PHPSESSID="; startswith; pcre:"/^PHPSESSID=[a-z0-9]{26}$/C"; reference:md5,880924e5583978c615dd03ff89648093; reference:url,twitter.com/X__Junior/status/1528046444963323904; classtype:trojan-activity; sid:2036667; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_24;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Stack Overflow in Base64 Authorization Mechanism M1"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Authorization|3a 20|Basic|20|YWRtaW46"; fast_pattern; content:!"|0d 0a|"; within:500; http.request_body; content:"|3c 3f|xml|20|"; startswith; content:"clientType|3d 22|WEB|22|"; distance:0; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036255; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SolarView Compact Command Injection Inbound (CVE-2022-29303)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/conf_mail.php"; fast_pattern; http.request_body; content:"mail_address="; pcre:"/^\s?(?:[\x3b\x0a\x26\x60\x7c\x24]|%(3b|0a|26|60|7c|24))/Ri"; reference:cve,2022-29303; classtype:attempted-admin; sid:2036649; rev:1; metadata:attack_target Server, created_at 2022_05_23, cve CVE_2022_29303, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_23;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Stack Overflow in Base64 Authorization Mechanism M2"; flow:established,to_server; http.method; content:"POST"; http.cookie; content:"auInfo|3d|YWRtaW46"; fast_pattern; content:!"|3b|"; within:500; http.request_body; content:"|3c 3f|xml|20|"; startswith; content:"clientType|3d 22|WEB|22|"; distance:0; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036256; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Telesquare SDT-CW3B1 1.1.0 - OS Command Injection (CVE-2021-46422)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/admin.cgi?Command=sysCommand&Cmd="; fast_pattern; startswith; http.header_names; content:!"Referer"; reference:cve,2021-46422; reference:url,twitter.com/momika233/status/1528742287072980992; classtype:attempted-admin; sid:2036663; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_05_23, cve CVE_2021_46422, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_23;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC WebUI RCE ADD Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/editBlackAndWhiteList"; bsize:22; http.request_body; content:"clientType|3d 22|WEB|22 3e|"; content:"|3c|addressType|3e|ip|3c 2f|addressType|3e 3c|ip|3e|"; distance:0; fast_pattern; pcre:"/^(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036253; rev:2; metadata:created_at 2022_04_19, updated_at 2022_04_19;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Default Apache CouchDB Erlang Cookie Observed (CVE-2022-24706)"; flow:established,to_server; content:"|00 15|r|01 02 03 04|"; startswith; content:"|8b f4 e6 ad dd 72 a9 c4 c4 71 47 08 d2 94 15 28|"; fast_pattern; reference:cve,2022-24706; classtype:attempted-admin; sid:2036650; rev:1; metadata:attack_target Server, created_at 2022_05_23, cve CVE_2022_24706, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_23;)
 
-alert tcp any any -> $HOME_NET 4567 (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded Credential ConfigSyncProc Login Attempt"; flow:established,to_server; stream_size:server,<,5; dsize:38; content:"{D79E94C5-70F0-46BD-965B-E17497CCB598}"; startswith; flowbits:set,ET.tvt_stage1; reference:url,raw.githubusercontent.com/mcw0/PoC/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:trojan-activity; sid:2036272; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] 4369 (msg:"ET INFO External Host Querying Erlang Port Mapper Daemon"; flow:established,to_server; dsize:3; content:"|00 01 6e|"; fast_pattern; classtype:misc-activity; sid:2036651; rev:1; metadata:created_at 2022_05_23, updated_at 2022_05_23;)
 
-alert tcp any any -> $HOME_NET 4567 (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded Credential ConfigSyncProc System Details Request"; flow:established,to_server; content:"GET /"; startswith; content:"|0d 0a|{D79E94C5-70F0-46BD-965B-E17497CCB598}|20|1|0d 0a 0d 0a|"; fast_pattern; flowbits:isset,ET.tvt_stage1; reference:url,raw.githubusercontent.com/mcw0/PoC/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:trojan-activity; sid:2036273; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Python CTX Library Backdoor Domain in DNS Lookup (anti-theft-web .herokuapp .com)"; dns.query; content:"anti-theft-web.herokuapp.com"; nocase; bsize:28; reference:url,isc.sans.edu/forums/diary/ctx+Python+Library+Updated+with+Extra+Features/28678/; classtype:trojan-activity; sid:2036670; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_24;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded WebUI Login Attempt M2"; flow:established,to_server; http.header; content:"Authorization|3a 20|Basic|20|cm9vdDp7MTIyMTNCRDEtNjlDNy00ODYyLTg0M0QtMjYwNTAwRDFEQTQwfQ|3d 3d|"; fast_pattern; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036274; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_20;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Python CTX Library Backdoor Domain (anti-theft-web .herokuapp .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"anti-theft-web.herokuapp.com"; bsize:28; fast_pattern; reference:url,isc.sans.edu/forums/diary/ctx+Python+Library+Updated+with+Extra+Features/28678/; classtype:trojan-activity; sid:2036671; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_24;)
 
-alert tcp any any -> $HOME_NET 4567 (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC ConfigSyncProc RCE Attempt"; flow:established,to_server; content:"GET /saveSystemConfig"; depth:21; content:"|0d 0a|{D79E94C5-70F0-46BD-965B-E17497CCB598}|20|2|0d 0a 0d 0a|DAAAAAEAAAADAAAAIQACAAEABA"; distance:0; fast_pattern; flowbits:isset,ET.tvt_stage1; reference:url,raw.githubusercontent.com/mcw0/PoC/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:trojan-activity; sid:2036275; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Malicious Rust Crate Related Domain in DNS Lookup (api .kakn .li)"; dns.query; content:"api.kakn.li"; nocase; bsize:11; reference:md5,95413bef1d4923a1ab88dddfacf8b382; reference:md5,1c9418a81371c351c93165c427e70e8d; reference:url,www.sentinelone.com/labs/cratedepression-rust-supply-chain-attack-infects-cloud-ci-pipelines-with-go-malware/; reference:url,github.com/MythicAgents/poseidon; classtype:domain-c2; sid:2036664; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Microsoft Connection Test"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/connecttest.txt"; bsize:16; http.host; content:"www.msftconnecttest.com"; bsize:23; fast_pattern; classtype:bad-unknown; sid:2031071; rev:2; metadata:created_at 2020_10_21, former_category INFO, performance_impact Low, updated_at 2022_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win/Malware.Filetour Variant Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/B.php?a="; fast_pattern; content:"&v="; distance:0; content:"&h="; content:"&r="; http.header_names; content:!"Referer"; reference:md5,527c4c13a656923be49ab2ff4c6738c0; classtype:bad-unknown; sid:2036672; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, former_category ADWARE_PUP, malware_family Win_Malware_Filetour, performance_impact Low, signature_severity Major, updated_at 2022_05_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DPRK APT Related Maldoc Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"c__"; content:"ENTERWindows"; distance:0; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,twitter.com/h2jazi/status/1516443236264521740; reference:md5,9f2235f0d07bd903c947b17caa82ded4; classtype:trojan-activity; sid:2036277; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win/Malware.Filetour Variant Checkin M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/bind/?appid="; fast_pattern; content:"&version="; distance:0; content:"&hwid="; distance:0; content:"&runid="; distance:0; http.header_names; content:!"Referer"; reference:md5,527c4c13a656923be49ab2ff4c6738c0; classtype:bad-unknown; sid:2036673; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, former_category ADWARE_PUP, malware_family Win_Malware_Filetour, performance_impact Low, signature_severity Major, updated_at 2022_05_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (beastmodser .club)"; dns.query; content:"beastmodser.club"; nocase; bsize:16; reference:md5,aa8bd550de4f4dee6ab0bfca82848d44; reference:url,twitter.com/h2jazi/status/1516443236264521740; reference:md5,9f2235f0d07bd903c947b17caa82ded4; classtype:domain-c2; sid:2036278; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_20;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Anonymous File Sharing Service (fromsmash .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"fromsmash.com"; bsize:13; fast_pattern; classtype:bad-unknown; sid:2036665; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_05_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DPRK APT Related Maldoc Activity (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Macro_Opened_"; startswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,twitter.com/h2jazi/status/1516443236264521740; reference:md5,aa8bd550de4f4dee6ab0bfca82848d44; classtype:trojan-activity; sid:2036279; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Anonymous File Sharing Domain in DNS Lookup (fromsmash .com)"; dns.query; content:"fromsmash.com"; nocase; bsize:13; classtype:bad-unknown; sid:2036666; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_05_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win64/CobaltStrike.Beacon.J CnC Checkin"; flow:established,to_server; http.uri; content:"/apiv8/"; startswith; http.header; content:"|0d 0a|X-Client: notevil|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:url,cert.gov.ua/article/39708; classtype:trojan-activity; sid:2036281; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish 2022-05-24"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/get-001.php"; bsize:12; fast_pattern; http.request_body; content:"disini="; startswith; content:"&disana="; distance:0; reference:md5,07a19eb967e8de16aa8dc953d7186499; classtype:credential-theft; sid:2036668; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike X-Client Header (notevil)"; flow:established,to_server; http.header; content:"|0d 0a|X-Client: notevil|0d 0a|"; fast_pattern; reference:url,cert.gov.ua/article/39708; classtype:trojan-activity; sid:2036282; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page 2022-05-24"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"get-001.php"; fast_pattern; content:"type|3d 22|email|22|"; distance:0; content:"type|3d 22|password|22|"; distance:0; classtype:credential-theft; sid:2036669; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.APBB Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//alert/7/"; bsize:10; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,d2e2f0a2e553075d7968e55e15cd49a1; classtype:command-and-control; sid:2036318; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GuLoader Domain in DNS Lookup (zoneofzenith .com)"; dns.query; dotprefix; content:".zoneofzenith.com"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader; classtype:trojan-activity; sid:2036674; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, malware_family GuLoader, performance_impact Low, signature_severity Major, updated_at 2022_05_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.RFS Variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".bin?ver="; fast_pattern; content:"&lip="; distance:0; content:"&mac="; isdataat:!13,relative; http.user_agent; content:"Mozilla|2f|4|2e|0|20 28|compatible|3b 20|MSIE|20|6|2e|0|3b 20|Windows|20|NT|20|5|2e|1|3b 20|SV1|3b 20 2e|NET|20|CLR|20|2|2e|0|2e|50727|3b 29|"; bsize:76; reference:md5,014d2e1a31ce397e7a5e3ba8edc45344; classtype:trojan-activity; sid:2036276; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag c2, updated_at 2022_04_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader/Win.MalXll.R466354 Payload Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/intelpro/"; startswith; content:".exe"; endswith; within:10; http.accept; content:"|2a 2f 2a|"; http.header; http.connection; content:"Keep-Alive"; bsize:10; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; reference:md5,70cf3943b421f495fe56a9573d513eba; reference:url,asec.ahnlab.com/ko/34497/; classtype:trojan-activity; sid:2036681; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/STEALBIT Data Exfiltration Tool Activity (PUT)"; flow:established,to_server; http.uri; pcre:"/^\/[A-F0-9]{33}$/"; http.method; content:"PUT"; http.request_body; content:"DAV2"; depth:10; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/; reference:url,www.cybereason.com/blog/research/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool; classtype:trojan-activity; sid:2036280; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SiMay RAT Activity M2 (GET)"; flow:established,to_server; http.method; content:"GET"; http.request_line; content:"&shareKey=f83f6c6da089d58ea8538c71344b8e64 HTTP/1.0"; fast_pattern; endswith; http.host; content:"note.youdao.com"; reference:md5,d99b6ea197ed91d2a3348b03bb56514d; reference:md5,8205ccb910dc783efcd7d480ef1bd7d9; reference:url,www.sentinelone.com/wp-content/uploads/2022/04/SiMay-RAT.pdf; classtype:trojan-activity; sid:2036679; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, former_category MALWARE, malware_family SiMayRAT, signature_severity Major, updated_at 2022_05_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Pastebin Style Domain in DNS Lookup (pastetext .net)"; dns.query; content:"pastetext.net"; nocase; bsize:13; classtype:bad-unknown; sid:2036287; rev:1; metadata:created_at 2022_04_21, former_category INFO, updated_at 2022_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fwlink"; bsize:7; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/5.0|3b 20|MATM)"; bsize:76; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/; classtype:trojan-activity; sid:2036675; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_05_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Pastebin Style Domain (pastetext .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"pastetext.net"; bsize:13; fast_pattern; classtype:bad-unknown; sid:2036288; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, signature_severity Informational, updated_at 2022_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/visit.js"; bsize:9; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/5.0|3b 20|yie9)"; bsize:76; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/; classtype:trojan-activity; sid:2036676; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_05_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Shuckworm CnC Exfil M1"; flow:established,to_server; http.uri; content:"/baby.php"; startswith; content:"/baby"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0)"; startswith; content:"::/.beagle/."; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine; classtype:trojan-activity; sid:2036291; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cm"; bsize:3; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|3b 20|BOIE9|3b|ENUSMSE)"; bsize:78; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/; classtype:trojan-activity; sid:2036677; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_05_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Shuckworm CnC Exfil M2"; flow:established,to_server; http.uri; content:"/begun.php"; startswith; bsize:10; http.user_agent; content:"Mozilla/5.0 (Linux"; startswith; content:"::/.balance/."; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine; classtype:trojan-activity; sid:2036292; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ptj"; bsize:4; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|3b 20|FunWebProducts|3b 20|IE0006_ver1|3b|EN_GB)"; bsize:98; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/; classtype:trojan-activity; sid:2036678; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_05_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5612 (msg:"ET MALWARE Win32/Pterodo CnC VNC Connect Request"; flow:established,to_server; content:"|49 44 3a|"; depth:3; pcre:"/^\d+?\x00/R"; content:"|3a 5c|"; distance:0; content:"\\Contacts|00|Driver"; fast_pattern; distance:0; content:"Hood.exe"; distance:0; within:10; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine; classtype:command-and-control; sid:2036293; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Patchwork APT Related Domain in DNS Lookup (dayspringdesk .xyz)"; dns.query; content:"dayspringdesk.xyz"; nocase; bsize:17; reference:md5,729dd4604fda4b19146d8f33509a43f6; reference:url,twitter.com/ShadowChasing1/status/1529423701913251840; reference:url,twitter.com/katechondic/status/1529378164237008896; classtype:domain-c2; sid:2036680; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, former_category MALWARE, malware_family Patchwork, signature_severity Major, updated_at 2022_05_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)"; dns.query; content:"pool.hashvault.pro"; nocase; bsize:18; classtype:coin-mining; sid:2036289; rev:1; metadata:created_at 2022_04_21, former_category COINMINER, performance_impact Significant, signature_severity Major, updated_at 2022_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patchwork APT Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"uuid="; startswith; fast_pattern; content:"&fname="; distance:0; content:"&fcat="; distance:0; content:"&fsize="; distance:0; content:"&fdata="; distance:0; content:"&Isping="; distance:0; content:"&Status="; distance:0; reference:md5,729dd4604fda4b19146d8f33509a43f6; reference:url,twitter.com/RedDrip7/status/1529403598165004289; reference:url,twitter.com/katechondic/status/1529378164237008896; classtype:trojan-activity; sid:2036683; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, former_category MALWARE, malware_family Patchwork, signature_severity Major, tag RAT, updated_at 2022_05_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/CrimsonRAT Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /indexer.php HTTP/1.1"; http.request_body; content:"q="; startswith; content:"|7c|ver="; distance:0; fast_pattern; content:"|7c 7c|"; within:4; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Accept"; reference:url,twitter.com/0xrb/status/1517052777167732736?s=21&t=zTZ6AqU3_DB36dZ3DE1HCg; reference:md5,41702a1959b1b7038237d75330b904b6; classtype:trojan-activity; sid:2036290; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, malware_family CrimsonRAT, signature_severity Major, updated_at 2022_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patchwork APT Related Activity M2 (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"IP="; startswith; fast_pattern; content:"&User="; distance:0; content:"&uuid="; distance:0; content:"&Isping="; distance:0; reference:md5,729dd4604fda4b19146d8f33509a43f6; reference:url,twitter.com/RedDrip7/status/1529403598165004289; reference:url,twitter.com/katechondic/status/1529378164237008896; classtype:trojan-activity; sid:2036684; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, former_category MALWARE, malware_family Patchwork, signature_severity Major, tag RAT, updated_at 2022_05_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1"; flow:to_client,established; file_data; content:"var _0x"; fast_pattern; pcre:"/^[a-f0-9]+/Ri"; content:"_0x"; within:100; content:"_0x"; within:100; reference:url,github.com/javascript-obfuscator/javascript-obfuscator; classtype:misc-activity; sid:2036300; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_04_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible JARM Fingerprinting Client Hello via tls1_2_forward"; flow:established,to_client; tls.version:1.2; content:"|00 16 00 33 00 67 c0 9e c0 a2 00 9e 00 39 00 6b c0 9f c0 a3 00 9f 00 45 00 be 00 88 00 c4 00 9a c0 08 c0 09 c0 23 c0 ac c0 ae c0 2b c0 0a c0 24 c0 ad c0 af c0 2c c0 72 c0 73 cc a9 13 02 13 01 cc 14 c0 07 c0 12 c0 13 c0 27 c0 2f c0 14 c0 28 c0 30 c0 60 c0 61 c0 76 c0 77 cc a8 13 05 13 04 13 03 cc 13 c0 11 00 0a 00 2f 00 3c c0 9c c0 a0 00 9c 00 35 00 3d c0 9d c0 a1 00 9d 00 41 00 ba 00 84 00 c0 00 07 00 04 00 05|"; fast_pattern; content:"|02|hq|03|h2c|02|h2|06|spdy/3|06|spdy/2|06|spdy/1|08|http/1.1|08|http/1.0|08|http/0.9"; content:"|03 03 03 02 03 01|"; endswith; reference:url,engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a; classtype:misc-activity; sid:2036690; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_05_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M2"; flow:to_client,established; file_data; content:"function _0x"; fast_pattern; pcre:"/^[a-f0-9]+/Ri"; content:"_0x"; within:100; content:"_0x"; within:100; reference:url,github.com/javascript-obfuscator/javascript-obfuscator; classtype:misc-activity; sid:2036301; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_04_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible JARM Fingerprinting Client Hello via tls1_2_reverse"; flow:established,to_client; content:"|16 03 03|"; startswith; content:"|00 05 00 04 00 07 00 c0 00 84 00 ba 00 41 00 9d c0 a1 c0 9d 00 3d 00 35 00 9c c0 a0 c0 9c 00 3c 00 2f 00 0a c0 11 cc 13 13 03 13 04 13 05 cc a8 c0 77 c0 76 c0 61 c0 60 c0 30 c0 28 c0 14 c0 2f c0 27 c0 13 c0 12 c0 07 cc 14 13 01 13 02 cc a9 c0 73 c0 72 c0 2c c0 af c0 ad c0 24 c0 0a c0 2b c0 ae c0 ac c0 23 c0 09 c0 08 00 9a 00 c4 00 88 00 be 00 45 00 9f c0 a3 c0 9f 00 6b 00 39 00 9e c0 a2 c0 9e 00 67 00 33 00 16|"; fast_pattern; content:"|08|http/0.9|08|http/1.0|08|http/1.1|06|spdy/1|06|spdy/2|06|spdy/3|02|h2|03|h2c|02|hq"; content:"|03 01 03 02 03 03|"; endswith; reference:url,engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a; classtype:misc-activity; sid:2036691; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_05_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3"; flow:to_client,established; file_data; content:"return _0x"; fast_pattern; pcre:"/^[a-f0-9]+/Ri"; content:"_0x"; within:100; content:"_0x"; within:100; reference:url,github.com/javascript-obfuscator/javascript-obfuscator; classtype:misc-activity; sid:2036302; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_04_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible JARM Fingerprinting Client Hello via tls1_2_top_half"; flow:established,to_client; tls.version:1.2; content:"|c0 12 c0 07 cc 14 13 01 13 02 cc a9 c0 73 c0 72 c0 2c c0 af c0 ad c0 24 c0 0a c0 2b c0 ae c0 ac c0 23 c0 09 c0 08 00 9a 00 c4 00 88 00 be 00 45 00 9f c0 a3 c0 9f 00 6b 00 39 00 9e c0 a2 c0 9e 00 67 00 33 00 16|"; fast_pattern; content:"|08|http/0.9|08|http/1.0|08|http/1.1|06|spdy/1|06|spdy/2|06|spdy/3|02|h2|03|h2c|02|hq"; reference:url,engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a; classtype:misc-activity; sid:2036692; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_05_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Extention Payload Fetch"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/archive.zip?iver="; startswith; bsize:<20; fast_pattern; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036294; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible JARM Fingerprinting Client Hello via tls1_2_bottom_half"; flow:established,to_client; tls.version:1.2; content:"|c0 13 c0 27 c0 2f c0 14 c0 28 c0 30 c0 60 c0 61 c0 76 c0 77 cc a8 13 05 13 04 13 03 cc 13 c0 11 00 0a 00 2f 00 3c c0 9c c0 a0 00 9c 00 35 00 3d c0 9d c0 a1 00 9d 00 41 00 ba 00 84 00 c0 00 07 00 04 00 05|"; fast_pattern; content:"|08|http/0.9|08|http/1.0|06|spdy/1|06|spdy/2|06|spdy/3|03|h2c|02|hq"; reference:url,engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a; classtype:misc-activity; sid:2036693; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_05_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/un?iver="; startswith; fast_pattern; content:"&did="; distance:0; content:"&ver="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036295; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible JARM Fingerprinting Client Hello via tls1_2_middle_out"; flow:established,to_client; tls.version:1.2; content:"|c0 12 c0 13 c0 07 c0 27 cc 14 c0 2f 13 01 c0 14 13 02 c0 28 cc a9 c0 30 c0 73 c0 60 c0 72 c0 61 c0 2c c0 76 c0 af c0 77 c0 ad cc a8 c0 24 13 05 c0 0a 13 04 c0 2b 13 03 c0 ae cc 13 c0 ac c0 11 c0 23 00 0a c0 09 00 2f c0 08 00 3c 00 9a c0 9c 00 c4 c0 a0 00 88 00 9c 00 be 00 35 00 45 00 3d 00 9f c0 9d c0 a3 c0 a1 c0 9f 00 9d 00 6b 00 41 00 39 00 ba 00 9e 00 84 c0 a2 00 c0 c0 9e 00 07 00 67 00 04 00 33 00 05 00 16|"; fast_pattern; content:"|02|hq|03|h2c|06|spdy/3|06|spdy/2|06|spdy/1|08|http/1.0|08|http/0.9"; reference:url,engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a; classtype:misc-activity; sid:2036694; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_05_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Browser Hijacker Query Redirection"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"search?ext=properties&is"; startswith; fast_pattern; content:"&q="; distance:0; content:"&ver="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036296; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible JARM Fingerprinting Client Hello via tls1_1_middle_out"; flow:established,to_client; tls.version:1.1; content:"|00 16 00 33 00 67 c0 9e c0 a2 00 9e 00 39 00 6b c0 9f c0 a3 00 9f 00 45 00 be 00 88 00 c4 00 9a c0 08 c0 09 c0 23 c0 ac c0 ae c0 2b c0 0a c0 24 c0 ad c0 af c0 2c c0 72 c0 73 cc a9 13 02 13 01 cc 14 c0 07 c0 12 c0 13 c0 27 c0 2f c0 14 c0 28 c0 30 c0 60 c0 61 c0 76 c0 77 cc a8 13 05 13 04 13 03 cc 13 c0 11 00 0a 00 2f 00 3c c0 9c c0 a0 00 9c 00 35 00 3d c0 9d c0 a1 00 9d 00 41 00 ba 00 84 00 c0 00 07 00 04 00 05|"; fast_pattern; content:"|08|http/0.9|08|http/1.0|08|http/1.1|06|spdy/1|06|spdy/2|06|spdy/3|02|h2|03|h2c|02|hq"; reference:url,engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a; classtype:misc-activity; sid:2036695; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_05_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Browser Hijacker Sync"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"sync?ext=Properties&ver="; startswith; fast_pattern; content:"&dd="; distance:0; content:"&info="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036297; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible JARM Fingerprinting Client Hello via tls1_3_forward"; flow:established,to_client; tls.version:1.3; content:"|00 16 00 33 00 67 c0 9e c0 a2 00 9e 00 39 00 6b c0 9f c0 a3 00 9f 00 45 00 be 00 88 00 c4 00 9a c0 08 c0 09 c0 23 c0 ac c0 ae c0 2b c0 0a c0 24 c0 ad c0 af c0 2c c0 72 c0 73 cc a9 13 02 13 01 cc 14 c0 07 c0 12 c0 13 c0 27 c0 2f c0 14 c0 28 c0 30 c0 60 c0 61 c0 76 c0 77 cc a8 13 05 13 04 13 03 cc 13 c0 11 00 0a 00 2f 00 3c c0 9c c0 a0 00 9c 00 35 00 3d c0 9d c0 a1 00 9d 00 41 00 ba 00 84 00 c0 00 07 00 04 00 05|"; fast_pattern; content:"|02|hq|03|h2c|02|h2|06|spdy/3|06|spdy/2|06|spdy/1|08|http/1.1|08|http/1.0|08|http/0.9"; content:"|03 04 03 03 03 02 03 01|"; endswith; reference:url,engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a; classtype:misc-activity; sid:2036696; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_05_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Browser Hijacker Home Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"hb?ext="; startswith; fast_pattern; content:"&ver="; distance:0; content:"&is="; distance:0; content:"&dd="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036298; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible JARM Fingerprinting Client Hello via tls1_3_reverse"; flow:established,to_client; content:"|16 03 01|"; startswith; content:"|00 05 00 04 00 07 00 c0 00 84 00 ba 00 41 00 9d c0 a1 c0 9d 00 3d 00 35 00 9c c0 a0 c0 9c 00 3c 00 2f 00 0a c0 11 cc 13 13 03 13 04 13 05 cc a8 c0 77 c0 76 c0 61 c0 60 c0 30 c0 28 c0 14 c0 2f c0 27 c0 13 c0 12 c0 07 cc 14 13 01 13 02 cc a9 c0 73 c0 72 c0 2c c0 af c0 ad c0 24 c0 0a c0 2b c0 ae c0 ac c0 23 c0 09 c0 08 00 9a 00 c4 00 88 00 be 00 45 00 9f c0 a3 c0 9f 00 6b 00 39 00 9e c0 a2 c0 9e 00 67 00 33 00 16|"; fast_pattern; content:"|08|http/0.9|08|http/1.0|08|http/1.1|06|spdy/1|06|spdy/2|06|spdy/3|02|h2|03|h2c|02|hq"; content:"|03 01 03 02 03 03 03 04|"; endswith; reference:url,engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a; classtype:misc-activity; sid:2036697; rev:1; metadata:created_at 2022_05_25, updated_at 2022_05_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M1"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"MHwwf"; startswith; fast_pattern; content:"f"; distance:7; within:1; base64_decode:bytes 250; base64_data; pcre:"/%(?:USERPROFILE|APPDATA)%/i"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:md5,1cde32d54a0f0f2ddad79d7df6a7419f; classtype:command-and-control; sid:2035881; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible JARM Fingerprinting Client Hello via tls1_3_reverse"; flow:established,to_client; content:"|16 03 01|"; startswith; content:"|00 05 00 04 00 07 00 c0 00 84 00 ba 00 41 00 9d c0 a1 c0 9d 00 3d 00 35 00 9c c0 a0 c0 9c 00 3c 00 2f 00 0a c0 11 cc 13 13 03 13 04 13 05 cc a8 c0 77 c0 76 c0 61 c0 60 c0 30 c0 28 c0 14 c0 2f c0 27 c0 13 c0 12 c0 07 cc 14 13 01 13 02 cc a9 c0 73 c0 72 c0 2c c0 af c0 ad c0 24 c0 0a c0 2b c0 ae c0 ac c0 23 c0 09 c0 08 00 9a 00 c4 00 88 00 be 00 45 00 9f c0 a3 c0 9f 00 6b 00 39 00 9e c0 a2 c0 9e 00 67 00 33 00 16|"; fast_pattern; content:"|08|http/0.9|08|http/1.0|08|http/1.1|06|spdy/1|06|spdy/2|06|spdy/3|02|h2|03|h2c|02|hq"; content:"|03 01 03 02 03 03 03 04|"; endswith; reference:url,engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a; classtype:misc-activity; sid:2036698; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_05_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Browser Hijacker (getAd)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"ad?ext=Properties"; startswith; fast_pattern; content:"&ver="; distance:0; content:"&dd="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036299; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible JARM Fingerprinting Client Hello via tls1_3_invalid"; flow:established,to_client; content:"|16 03 01|"; startswith; content:"|00 16 00 33 00 67 c0 9e c0 a2 00 9e 00 39 00 6b c0 9f c0 a3 00 9f 00 45 00 be 00 88 00 c4 00 9a c0 08 c0 09 c0 23 c0 ac c0 ae c0 2b c0 0a c0 24 c0 ad c0 af c0 2c c0 72 c0 73 cc a9 cc 14 c0 07 c0 12 c0 13 c0 27 c0 2f c0 14 c0 28 c0 30 c0 60 c0 61 c0 76 c0 77 cc a8 cc 13 c0 11 00 0a 00 2f 00 3c c0 9c c0 a0 00 9c 00 35 00 3d c0 9d c0 a1 00 9d 00 41 00 ba 00 84 00 c0 00 07 00 04 00 05|"; fast_pattern; content:"|08|http/0.9|08|http/1.0|08|http/1.1|06|spdy/1|06|spdy/2|06|spdy/3|02|h2|03|h2c|02|hq"; content:"|03 01 03 02 03 03 03 04|"; endswith; reference:url,engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a; classtype:misc-activity; sid:2036699; rev:1; metadata:created_at 2022_05_25, updated_at 2022_05_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M2"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"MHwxf"; startswith; fast_pattern; content:"f"; distance:7; within:1; base64_decode:bytes 250; base64_data; pcre:"/%(?:USERPROFILE|APPDATA)%/i"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:md5,1cde32d54a0f0f2ddad79d7df6a7419f; classtype:command-and-control; sid:2035882; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible JARM Fingerprinting Client Hello via tls1_3_middle_out"; flow:established,to_client; content:"|16 03 01|"; startswith; content:"|c0 12 c0 13 c0 07 c0 27 cc 14 c0 2f 13 01 c0 14 13 02 c0 28 cc a9 c0 30 c0 73 c0 60 c0 72 c0 61 c0 2c c0 76 c0 af c0 77 c0 ad cc a8 c0 24 13 05 c0 0a 13 04 c0 2b 13 03 c0 ae cc 13 c0 ac c0 11 c0 23 00 0a c0 09 00 2f c0 08 00 3c 00 9a c0 9c 00 c4 c0 a0 00 88 00 9c 00 be 00 35 00 45 00 3d 00 9f c0 9d c0 a3 c0 a1 c0 9f 00 9d 00 6b 00 41 00 39 00 ba 00 9e 00 84 c0 a2 00 c0 c0 9e 00 07 00 67 00 04 00 33 00 05 00 16|"; fast_pattern; content:"|02|hq|03|h2c|02|h2|06|spdy/3|06|spdy/2|06|spdy/1|08|http/1.1|08|http/1.0|08|http/0.9"; content:"|03 04 03 03 03 02 03 01|"; endswith; reference:url,engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a; classtype:misc-activity; sid:2036700; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_05_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M3"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"MXwwf"; startswith; fast_pattern; content:"f"; distance:7; within:1; base64_decode:bytes 250; base64_data; pcre:"/%(?:USERPROFILE|APPDATA)%/i"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:md5,1cde32d54a0f0f2ddad79d7df6a7419f; classtype:command-and-control; sid:2035883; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_21;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Bablosoft BAS Related Domain in DNS Lookup (bablosoft .com)"; dns.query; dotprefix; content:".bablosoft.com"; nocase; endswith; reference:url,team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/; classtype:bad-unknown; sid:2036685; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_26, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_05_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"MXwxf"; startswith; fast_pattern; content:"f"; distance:7; within:1; base64_decode:bytes 250; base64_data; pcre:"/%(?:USERPROFILE|APPDATA)%/i"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:md5,1cde32d54a0f0f2ddad79d7df6a7419f; classtype:command-and-control; sid:2035884; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Bablosoft BAS Related SSL Cert (bablosoft .com)"; flow:established,to_client; tls.cert_subject; content:"CN=bablosoft.com"; bsize:16; fast_pattern; reference:url,team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/; classtype:bad-unknown; sid:2036686; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_26, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_05_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Agent.OGR!tr.pws Stealer"; flow:established,to_server; http.request_line; content:"POST / HTTP/1.1"; bsize:15; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|profile|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|profile_id|22|"; fast_pattern; distance:0; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|hwid|22|"; distance:0; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22|"; distance:0; reference:url,twitter.com/James_inthe_box/status/1517238542434414592; reference:md5,21e2215738a8e9c9d1ed1e1f66cff10e; classtype:trojan-activity; sid:2036316; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to bablosoft Domain (bablosoft .com)"; dns.query; dotprefix; content:".bablosoft.com"; nocase; endswith; reference:url,team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/; classtype:bad-unknown; sid:2036703; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_26, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Domain in DNS Lookup (filetransfer .io)"; dns.query; content:"filetransfer.io"; nocase; bsize:15; classtype:bad-unknown; sid:2036310; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SocGholish Related Domain in DNS Lookup (irsbusinessaudit .net)"; dns.query; content:"irsbusinessaudit.net"; nocase; bsize:20; reference:url,medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee; classtype:domain-c2; sid:2036687; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_26, deployment Perimeter, former_category MALWARE, malware_family SocGholish, signature_severity Major, updated_at 2022_05_26;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Domain (filetransfer .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"filetransfer.io"; bsize:15; fast_pattern; classtype:bad-unknown; sid:2036311; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SocGholish Related Domain in DNS Lookup (irsgetwell .net)"; dns.query; content:"irsgetwell.net"; nocase; bsize:14; reference:url,medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee; classtype:domain-c2; sid:2036688; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_26, deployment Perimeter, former_category MALWARE, malware_family SocGholish, signature_severity Major, updated_at 2022_05_26;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackCat Ransomware Related Domain in TLS SNI (updatedaemon .com)"; flow:established,to_server; tls.sni; content:"updatedaemon.com"; startswith; fast_pattern; reference:md5,e76fd61eea3bf2073d29c6aa963bc34b; reference:url,www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html; classtype:domain-c2; sid:2036312; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Maldoc Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"|3a 3a|"; content:"_"; distance:0; content:"|3a 3a|/."; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,9f89075a81920a6602f8ed5faccd8854; reference:url,twitter.com/500mk500/status/1529825325609168896; classtype:trojan-activity; sid:2036682; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_26, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_05_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackCat Ransomware Related Domain in DNS Lookup (updatedaemon .com)"; dns.query; content:"updatedaemon.com"; fast_pattern; endswith; nocase; reference:md5,e76fd61eea3bf2073d29c6aa963bc34b; reference:url,www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html; classtype:domain-c2; sid:2036313; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Credential Phish 2022-05-26"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"source=dropbox-office&email="; startswith; fast_pattern; content:"&password="; distance:0; reference:md5,5fbed67f70900d85754d690e2760fc1f; classtype:social-engineering; sid:2036701; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed BlackCat Ransomware Related SSL Cert (updatedaemon .com)"; flow:established,to_client; tls.cert_subject; content:"CN=updatedaemon.com"; bsize:19; fast_pattern; reference:md5,e76fd61eea3bf2073d29c6aa963bc34b; reference:url,www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html; classtype:domain-c2; sid:2036314; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Spy.Agent.CVT CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.host; content:".onion"; endswith; http.request_line; content:".onion/stealer/"; fast_pattern; http.uri; content:"/stealer/"; startswith; content:"?pwds="; distance:8; content:"&cards="; within:12; content:"&wlts="; within:8; content:"&files="; within:10; content:"&user="; distance:0; content:"&ip="; distance:0; reference:md5,c5ba2308ef1f4c2735f61c249076622d; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036689; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_26;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed External IP Lookup Domain (icanhazip .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"icanhazip.com"; bsize:13; fast_pattern; classtype:external-ip-check; sid:2036304; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Credito Emiliano Credential Phish Landing Page 2022-05-26"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c|title|3e|Mobile|20|Banking|20 2d 20|Accesso|3c 2f|title|3e|"; content:"jQuery|28 27 23|scadenza|27 29 2e|payform|28 27|formatCardExpiry|27 29 3b|"; fast_pattern; distance:0; content:"jQuery|28 27 23|carta|27 29 2e|payform|28 27|formatCardNumber|27 29 3b|"; distance:0; content:"method|3d 22|POST|22 20|action|3d 22|index|2e|php|22|"; distance:0; content:"type|3d 22|password|22|"; distance:0; reference:md5,ddae39f72f8e48fe26aa70dbbd8e660a; classtype:social-engineering; sid:2036702; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kratos Silent Miner Checkin via Discord"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord"; depth:7; content:".com"; endswith; http.request_body; content:"|22|name|22 3a 22|Kratos|20|Silent|20|"; fast_pattern; content:"|22|name|22 3a 22|PC|20|Name|3a 22 2c 22|value|22 3a 22|"; reference:md5,7ca63bab6e05704d2c7b48461e563f4c; classtype:command-and-control; sid:2036305; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Potential External VMware vRealize Automation Authentication Bypass Vulnerability"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/SAAS/auth/login/embeddedauthbroker/callback"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"protected_state"; content:"userstore"; content:"username"; content:"password"; content:"userstoreDisplay"; content:"horizonRelayState"; content:"stickyConnectorId"; content:"action"; reference:url,horizon3.ai/vmware-authentication-bypass-vulnerability-cve-2022-22972-technical-deep-dive/; classtype:attempted-admin; sid:2036725; rev:1; metadata:affected_product VMware, created_at 2022_05_27, former_category INFO, signature_severity Informational, updated_at 2022_05_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Blacktech Plead CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx?m="; fast_pattern; pcre:"/^[0-9]{10}$/R"; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE|20|8.0|3b 20|Win32)"; bsize:41; http.header_names; content:!"Referer|0d 0a|"; reference:url,twitter.com/GlobalNTT_JP/status/1517061187107946496; classtype:trojan-activity; sid:2036315; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family BlackTech, signature_severity Major, updated_at 2022_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (cugdwpnykghx .ru) in DNS Lookup"; dns.query; content:"cugdwpnykghx.ru"; nocase; bsize:15; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036712; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zingo/GinzoStealer Data Command List Fetch"; flow:established,to_server; http.request_line; content:"GET /ginzolist.txt HTTP/1.1"; bsize:27; fast_pattern; isdataat:!1,relative; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:url,twitter.com/struppigel/status/1506933328599044100; reference:md5,5009e04920d5fb95f8a02265f89d25a5; classtype:trojan-activity; sid:2036317; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family ZingoStealer, malware_family Ginzo, signature_severity Major, updated_at 2022_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (zpuxmwmwdxxk .ru) in DNS Lookup"; dns.query; content:"zpuxmwmwdxxk.ru"; nocase; bsize:15; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036713; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banca Monte dei Paschi di Siena Credential Phish 2022-04-22"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"userType=&cod="; fast_pattern; content:"&pin="; distance:0; content:"&tel="; distance:0; classtype:credential-theft; sid:2036319; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (rhjebiuujydv .ru) in DNS Lookup"; dns.query; content:"rhjebiuujydv.ru"; nocase; bsize:15; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036714; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 000Stealer Data Exfiltration M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/call?key="; bsize:42; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; bsize:69; http.request_body; content:"PK|03 04|"; byte_test:1,<=,20,0,relative; content:"ProcessList.txt"; fast_pattern; distance:0; content:"Screenshot.png"; distance:0; reference:md5,3f9c1455992239f4efe31f0e56773433; classtype:trojan-activity; sid:2036321; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family 000Stealer, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (rwwmefkauiaa .ru) in DNS Lookup"; dns.query; content:"rwwmefkauiaa.ru"; nocase; bsize:15; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036715; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 000Stealer CnC Checkin"; flow:established,to_server; http.request_line; content:"POST|20|/ping|20|"; startswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.content_len; byte_test:0,=,36,0,string,dec; http.request_body; content:"key="; startswith; pcre:"/^key=[A-F0-9]{32}$/"; reference:md5,3f9c1455992239f4efe31f0e56773433; reference:url,twitter.com/3xp0rtblog/status/1509978637189419008; classtype:trojan-activity; sid:2036306; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family 000Stealer, performance_impact Low, signature_severity Major, updated_at 2022_04_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (sanlygeljek .ru) in DNS Lookup"; dns.query; content:"sanlygeljek.ru"; nocase; bsize:14; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036716; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Banca Monte dei Paschi di Siena Credential Phish Landing Page 2022-04-22"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Banca MPS"; content:"|3c|form|20|method|3d 22|POST|22 20|id|3d 22|includeCodUser|22 20|class|3d 22|margin|5f|login|5f|header|20|includeCodUser|20|dB|5f|box|5f|container|22 3e|"; nocase; distance:0; fast_pattern; content:"name=|22|userType|22|"; distance:0; content:"name=|22|cod|22|"; distance:0; content:"name=|22|pin|22|"; distance:0; content:"name=|22|tel|22|"; distance:0; content:"id=|22|loginOtp1|22|"; distance:0; classtype:credential-theft; sid:2036320; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (sinelnikovd .ru) in DNS Lookup"; dns.query; content:"sinelnikovd.ru"; nocase; bsize:14; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036717; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (forummanazera .sk)"; dns.query; dotprefix; content:".forummanazera.sk"; nocase; endswith; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell; classtype:trojan-activity; sid:2036322; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (wzqyuwtdxyee .ru) in DNS Lookup"; dns.query; content:"wzqyuwtdxyee.ru"; nocase; bsize:15; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036718; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (reality .skarabeus .sk)"; dns.query; dotprefix; content:".reality.skarabeus.sk"; nocase; endswith; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell; classtype:trojan-activity; sid:2036323; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (zyzkikpfewuf .ru) in DNS Lookup"; dns.query; content:"zyzkikpfewuf.ru"; nocase; bsize:15; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036719; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (msrousinov .cz)"; dns.query; content:"msrousinov.cz"; nocase; bsize:13; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036324; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (ckrddvcveumq .ru) in DNS Lookup"; dns.query; content:"ckrddvcveumq.ru"; nocase; bsize:15; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036720; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (googleprovider .ru)"; dns.query; content:"googleprovider.ru"; nocase; bsize:17; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036325; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (dwrfqitgvmqn .ru) in DNS Lookup"; dns.query; content:"dwrfqitgvmqn.ru"; nocase; bsize:15; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036721; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (profiit .fiit .stuba .sk)"; dns.query; content:"profiit.fiit.stuba.sk"; nocase; bsize:21; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036326; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (aztkiryhetxx .ru) in DNS Lookup"; dns.query; content:"aztkiryhetxx.ru"; nocase; bsize:15; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036722; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (freetips .php5 .sk)"; dns.query; content:"freetips.php5.sk"; nocase; bsize:16; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036327; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (dvizhdom .ru) in DNS Lookup"; dns.query; content:"dvizhdom.ru"; nocase; bsize:11; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036723; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (sivpici .php5 .sk)"; dns.query; content:"sivpici.php5.sk"; nocase; bsize:15; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036328; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Zero Content-Length HTTP POST with data (outbound)"; flow:established,to_server; http.method; content:"POST"; http.content_len; content:"0"; bsize:1; endswith; http.request_body; bsize:>0; classtype:bad-unknown; sid:2011819; rev:5; metadata:created_at 2010_10_15, former_category POLICY, updated_at 2022_05_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (hotel-boss .eu)"; dns.query; content:"hotel-boss.eu"; nocase; bsize:13; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036329; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Grandoreiro Banking Trojan DGA Domain in DNS Lookup (freedynamicdns. org)"; dns.query; content:"iuc1"; fast_pattern; startswith; pcre:"/^[\da-z]{11}/R"; content:".freedynamicdns.org"; distance:0; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/grandoreiro-banking-malware-resurfaces-for-tax-season/; classtype:trojan-activity; sid:2036724; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (limousine-service .cz)"; dns.query; content:"limousine-service.cz"; nocase; bsize:20; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036330; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish 2022-05-27"; flow:established,to_server; http.method; content:"POST"; http.referer; content:"|2e|xyz|2f|app|3f|"; fast_pattern; http.request_body; content:"name|3d 22|kontonummer|22|"; content:"name|3d 22|pin|22|"; distance:0; classtype:credential-theft; sid:2036707; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (ms .rousinov .cz)"; dns.query; content:"ms.rousinov.cz"; nocase; bsize:14; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036331; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ING Credential Phish Landing Page 2022-05-27"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c|title|3e|ING|2d|DiBa|20|Internetbanking|20 2b 20|Brokerage|3c 2f|title|3e|"; content:"name|3d 22|kontonummer|22 20|value|3d 22|Exclusive|20|dynamic|20|migration|22|"; distance:0; fast_pattern; content:"name|3d 22|pin|22|"; distance:0; classtype:credential-theft; sid:2036708; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (vavave .xf .cz)"; dns.query; content:"vavave.xf.cz"; nocase; bsize:12; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036332; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Faebook Credential Phish Landing Page M1 2022-05-27"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Facebook Security</title>"; content:"id=|3d 22|u_0_c|22|"; distance:0; content:"<form action=|22|Login_to_Facebook.html|22| method=|22|POST|22|>"; fast_pattern; classtype:credential-theft; sid:2036709; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_05_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 000Stealer Data Exfiltration M1"; flow:established,to_server; http.request_line; content:"POST|20|/call?key="; fast_pattern; pcre:"/^[a-f0-9]{32}\x20/R"; http.header; content:"Content|2d|Type|3a 20|multipart|2f|form|2d|data|3b 20|boundary|3d|"; pcre:"/^[a-f0-9]{60}\x0d\x0a/R"; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22 5b|"; distance:0; content:"|5d 20|"; distance:2; within:2; content:"|20 5b|"; distance:32; within:2; content:"|5d 22 0d 0a|Content|2d|Type|3a 20|application|2f|octet|2d|stream|0d 0a 0d 0a|PK|03 04|"; distance:19; within:50; reference:md5,3f9c1455992239f4efe31f0e56773433; reference:url,twitter.com/3xp0rtblog/status/1509978637189419008; classtype:trojan-activity; sid:2036307; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family 000Stealer, performance_impact Low, signature_severity Major, tag c2, updated_at 2022_04_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Faebook Credential Phish Landing Page M2 2022-05-27"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Facebook Security</title>"; content:"<form action=|22|MK1.php|22| method=|22|POST|22|>"; distance:0; fast_pattern;content:"type=|22|password|22|"; distance:0; classtype:credential-theft; sid:2036710; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_05_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackTech FlagPro Dropper Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".htmld?flag"; fast_pattern; pcre:"/^(?:pro)?=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,1b39dcc5de43d2840d6992a561e34eec; reference:url,twitter.com/GlobalNTT_JP/status/1517061187107946496; classtype:trojan-activity; sid:2036309; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family BlackTech, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (paknavy .comsats .xyz)"; dns.query; content:"paknavy.comsats.xyz"; nocase; bsize:19; reference:md5,251ff44ae978e2140dd02f00b3f093a0; reference:url,twitter.com/ShadowChasing1/status/1530002383392350208; reference:url,twitter.com/__0XYC__/status/1529707301979947009; classtype:domain-c2; sid:2036706; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, signature_severity Major, updated_at 2022_05_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check"; flow:established,to_server; http.request_line; content:"GET / "; startswith; http.host; dotprefix; content:".google.com"; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,7ca63bab6e05704d2c7b48461e563f4c; classtype:trojan-activity; sid:2036303; rev:2; metadata:created_at 2022_04_22, former_category HUNTING, performance_impact Moderate, updated_at 2022_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page 2022-05-27"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"class=|22|containerr|22|"; content:"<form action=|22|submit.php|22| method=|22|post|22|>"; distance:0; fast_pattern; content:"id=|22|password|22|"; distance:0; content:"id=|22|password2|22|"; distance:0; classtype:credential-theft; sid:2036711; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)